-rw-r--r--meta-openbmc-mods/Security.md6
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch52
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch68
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch40
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch104
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend4
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh4
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch39
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch42
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch46
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch62
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch99
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch69
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch76
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch257
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch73
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch58
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch76
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch61
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch81
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch177
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch120
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch31
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch22
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch32
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb (renamed from meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb)140
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch80
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend1
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch49
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch104
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch109
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest16
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb34
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb33
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch982
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch156
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch35
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend5
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch28
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch38
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb1
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch24
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend5
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch22
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch71
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch23
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch96
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch70
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch102
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch18
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch21
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch32
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch24
-rw-r--r--meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb202
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch55
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb1
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch142
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend1
-rw-r--r--meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb44
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch107
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch44
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch118
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch38
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch88
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch43
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch43
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch77
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch136
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch73
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch69
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch39
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch76
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch167
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch48
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0458.patch34
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2176.patch317
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2235.patch35
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2860.patch73
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-31085.patch40
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch99
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch58
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-42754.patch48
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-45863.patch143
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-5178.patch61
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52435.patch115
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52449.patch83
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52458.patch67
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52467.patch38
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52522.patch46
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52580.patch121
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch68
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52598.patch69
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch55
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52615.patch120
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52619.patch45
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52622.patch131
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0562.patch143
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0639.patch52
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0775.patch62
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26001.patch67
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26602.patch89
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch76
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26671.patch70
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26676.patch107
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26679.patch44
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26686.patch161
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch71
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch49
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26735.patch72
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26772.patch52
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26773.patch63
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26774.patch36
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26795.patch48
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26900.patch67
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-35984.patch63
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-36008.patch81
-rw-r--r--meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend57
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0037-Fix-certificate-replacement-URI-response-error-code.patch3
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0065--Refactor-DCMI-IPMI-commands.patch2845
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0066-Fix-for-static-analyser-tool-reported-issues.patch186
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host_%.bbappend2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/0004-Fix-for-Coverity-Issues.patch49
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb_%.bbappend1
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb5
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon/0001-Static-analyser-issue-resolution.patch103
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager.bb4
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager/0001-Static-analyser-issue-resolution.patch44
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry/0001-Coverity-2770238.patch40
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend6
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0002-Hack-webpack-to-not-use-MD4.patch51
-rw-r--r--meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue_%.bbappend9
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch41
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests14
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest2
-rw-r--r--meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb (renamed from meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb)42
139 files changed, 11328 insertions, 1152 deletions
diff --git a/meta-openbmc-mods/Security.md b/meta-openbmc-mods/Security.md
new file mode 100644
index 000000000..d5f1e5eac
--- /dev/null
+++ b/meta-openbmc-mods/Security.md
@@ -0,0 +1,6 @@
+# Security Policy
+Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.
+
+## Reporting a Vulnerability
+Please report any security vulnerabilities in this project [utilizing the guidelines here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html).
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch
new file mode 100644
index 000000000..dc451eac9
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch
@@ -0,0 +1,52 @@
+From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c | 2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763eca6..3acc1c1e4 100644
+--- a/avahi-common/domain-test.c
++++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+ avahi_free(s);
+
++ printf("%s\n", s = avahi_normalize_name_strdup("."));
++ avahi_free(s);
++
++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++ "}.?.?.?.}.=.?.?.}");
++ assert(s == NULL);
++
+ printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+ printf("%i\n", avahi_domain_equal("A", "a"));
+
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab6834..e66d2416c 100644
+--- a/avahi-common/domain.c
++++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+ }
+
+ if (!empty) {
+- if (size < 1)
++ if (size < 2)
+ return NULL;
+
+ *(r++) = '.';
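Review bot: The header of this added patch carries neither an `Upstream-Status:` line nor a `CVE:` tag, unlike the OpenSSL patches in this same commit (for example `Upstream-Status: Inappropriate [oe-core specific]` in 0001-Configure-do-not-tweak-mips-cflags.patch). Before the `---` separator I would add `CVE: CVE-2023-38470`, `Upstream-Status: Backport [<upstream commit URL>]` and a `Signed-off-by:` for whoever imported it, so the origin of the fix can be audited and tooling that keys on those tags sees the issue as patched. The same applies to CVE-2023-38471.patch, CVE-2023-38472.patch and CVE-2023-38473.patch below. The code change itself (`size < 2`) sits inside avahi_normalize_name, whose body starts and ends outside the inner hunk.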
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch
new file mode 100644
index 000000000..e099bd2b7
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch
@@ -0,0 +1,68 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c32637af8..f6a21bb77 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+ assert(s);
+
+ AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+ else
+ hn = avahi_normalize_name_strdup(host_name);
+
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
++
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
+
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+
+ withdraw_host_rrs(s);
+
+ avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+
+ update_fqdn(s);
+
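Review bot: The three new failure returns in avahi_server_set_host_name hand back a bare error code (`return AVAHI_ERR_INVALID_HOST_NAME;`, `return AVAHI_ERR_NO_MEMORY;`), while the NO_CHANGE path in the same function goes through `avahi_server_set_errno(s, ...)`, so the server's stored error is not updated on these paths. The last of them also runs after `withdraw_host_rrs(s)` and `avahi_free(s->host_name)`, so an allocation failure leaves `s->host_name` NULL with the host records already withdrawn; duplicating first, `char *n = avahi_strdup(label_escaped); if (!n) return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY);`, and only then withdrawing and swapping would keep the old name intact. `hn` is also passed to `avahi_unescape_label()` without a NULL check, and the test added in CVE-2023-38470.patch shows `avahi_normalize_name_strdup()` can return NULL; whether that is reachable after the validity check is not visible here. Since this is a backport, these are best raised upstream or carried as a separate follow-up patch rather than edited into this file; the function continues past the end of the inner hunk.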
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch
new file mode 100644
index 000000000..2cd778829
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch
@@ -0,0 +1,40 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+---
+ avahi-client/client-test.c | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index b3366d848..ba9799881 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+ printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++ assert(error != AVAHI_OK);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
+index 4e879a5ba..aa23d4b6b 100644
+--- a/avahi-daemon/dbus-entry-group.c
++++ b/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
+ if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+- if (avahi_rdata_parse (r, rdata, size) < 0) {
++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+ avahi_record_unref (r);
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+ }
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch
new file mode 100644
index 000000000..8dd8d03e2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch
@@ -0,0 +1,104 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+ version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+CVE-2023-38473
+---
+ avahi-common/alternative-test.c | 3 +++
+ avahi-common/alternative.c | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435ec..681fc15b8 100644
+--- a/avahi-common/alternative-test.c
++++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ const char* const test_strings[] = {
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++ ").",
++ "\\.",
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+ "gurke",
+ "-",
+ " #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0ed..a094e6d76 100644
+--- a/avahi-common/alternative.c
++++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+ }
+
+ char *avahi_alternative_host_name(const char *s) {
++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++ char *alt, *r, *ret;
+ const char *e;
+- char *r;
++ size_t len;
+
+ assert(s);
+
+ if (!avahi_is_valid_host_name(s))
+ return NULL;
+
+- if ((e = strrchr(s, '-'))) {
++ if (!avahi_unescape_label(&s, label, sizeof(label)))
++ return NULL;
++
++ if ((e = strrchr(label, '-'))) {
+ const char *p;
+
+ e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+
+ if (e) {
+ char *c, *m;
+- size_t l;
+ int n;
+
+ n = atoi(e)+1;
+ if (!(m = avahi_strdup_printf("%i", n)))
+ return NULL;
+
+- l = e-s-1;
++ len = e-label-1;
+
+- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+- if (!(c = avahi_strndup(s, l))) {
++ if (!(c = avahi_strndup(label, len))) {
+ avahi_free(m);
+ return NULL;
+ }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+ } else {
+ char *c;
+
+- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+ return NULL;
+
+ drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+ avahi_free(c);
+ }
+
++ alt = alternative;
++ len = sizeof(alternative);
++ ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++ avahi_free(r);
++ r = avahi_strdup(ret);
++
+ assert(avahi_is_valid_host_name(r));
+
+ return r;
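Review bot: The result of `avahi_escape_label()` is used unchecked in the lines added at the end of avahi_alternative_host_name: `ret` goes straight into `avahi_strdup(ret)`, and the new `r` is then covered only by `assert(avahi_is_valid_host_name(r))`, which disappears in an NDEBUG build. If escaping or the duplication can fail (not determinable from this hunk), the outcome in a network-facing daemon is either an assert abort or an unvalidated return value; an explicit `if (!ret) { avahi_free(r); return NULL; }` before the free, plus `if (!r) return NULL;` after the strdup, would make the failure path deliberate. `strlen(r)` also assumes the earlier branches always set `r`; those assignments are outside the hunk. As a backport this is better proposed upstream or as a follow-up patch than changed in place.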
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend
index 06343a29d..7007454b1 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend
@@ -2,4 +2,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://CVE-2023-1981.patch \
+ file://CVE-2023-38470.patch \
+ file://CVE-2023-38471.patch \
+ file://CVE-2023-38472.patch \
+ file://CVE-2023-38473.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh
index b9cc24a7a..6f23490c8 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,5 @@
export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
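Review bot: All four added exports are built from `$OECORE_NATIVE_SYSROOT` with no check that it is set, so in a shell where it is empty `OPENSSL_MODULES`, `OPENSSL_ENGINES`, `SSL_CERT_DIR` and `SSL_CERT_FILE` resolve to host paths under `/usr/lib`, and OpenSSL would take provider modules, engines and the trust store from there instead of the SDK sysroot. The existing `OPENSSL_CONF` line has the same property, so this is not new, but it now also covers loadable code. I would at least document the precondition with a comment at the top of the file such as `# Expects OECORE_NATIVE_SYSROOT to be set before this file is sourced.` Minor style point: `OPENSSL_MODULES` ends in a trailing slash while the other three paths do not.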
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 000000000..502a7aaf3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,39 @@
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 30 May 2023 09:11:27 -0700
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/Configure b/Configure
+index 4569952..adf019b 100755
+--- a/Configure
++++ b/Configure
+@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+ push @{$config{shared_ldflag}}, "-mno-cygwin";
+ }
+
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- # minimally required architecture flags for assembly modules
+- my $value;
+- $value = '-mips2' if ($target =~ /mips32/);
+- $value = '-mips3' if ($target =~ /mips64/);
+- unshift @{$config{cflags}}, $value;
+- unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+ if ($auto_threads) {
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 949c78834..bafdbaa46 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -1,4 +1,4 @@
-From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
+From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
Date: Tue, 6 Nov 2018 14:50:47 +0100
Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
@@ -21,20 +21,24 @@ https://patchwork.openembedded.org/patch/147229/
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Martin Hundebøll <martin@geanix.com>
-
Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+Update to fix buildpaths qa issue for '-ffile-prefix-map'.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
---
- Configurations/unix-Makefile.tmpl | 10 +++++++++-
+ Configurations/unix-Makefile.tmpl | 12 +++++++++++-
crypto/build.info | 2 +-
- 2 files changed, 10 insertions(+), 2 deletions(-)
+ 2 files changed, 12 insertions(+), 2 deletions(-)
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 16af4d2087..54c162784c 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
+===================================================================
+--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
++++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
+@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
@@ -49,6 +53,7 @@ index 16af4d2087..54c162784c 100644
+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
+ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
+ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
+ }
+ join(' ', @{$config{CFLAGS}}) -}
+
@@ -58,19 +63,16 @@ index 16af4d2087..54c162784c 100644
PERLASM_SCHEME= {- $target{perlasm_scheme} -}
# For x86 assembler: Set PROCESSOR to 386 if you want to support
-diff --git a/crypto/build.info b/crypto/build.info
-index b515b7318e..8c9cee2a09 100644
---- a/crypto/build.info
-+++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
- ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+Index: openssl-3.0.4/crypto/build.info
+===================================================================
+--- openssl-3.0.4.orig/crypto/build.info
++++ openssl-3.0.4/crypto/build.info
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+ DEPEND[info.o]=buildinf.h
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
- DEPEND[buildinf.h]=../configdata.pm
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
---
-2.19.1
-
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
deleted file mode 100644
index d8d9651b6..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 2 Oct 2018 23:58:24 +0800
-Subject: [PATCH] skip test_symbol_presence
-
-We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared'
-as INSTALL told us the shared libraries will not be built.
-
-[INSTALL snip]
- Notes on shared libraries
- -------------------------
-
- For most systems the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl. On these systems
- the shared libraries will be created by default. This can be suppressed and
- only static libraries created by using the "no-shared" option. On systems
- where OpenSSL does not know how to build shared libraries the "no-shared"
- option will be forced and only static libraries will be created.
-[INSTALL snip]
-
-Hence directly modification the case to skip it.
-
-Upstream-Status: Inappropriate [OE Specific]
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- test/recipes/01-test_symbol_presence.t | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7f2a2d7..0b93745 100644
---- a/test/recipes/01-test_symbol_presence.t
-+++ b/test/recipes/01-test_symbol_presence.t
-@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils;
-
- setup("test_symbol_presence");
-
--plan skip_all => "Only useful when building shared libraries"
-- if disabled("shared");
-+plan skip_all => "The case needs debug symbols then we just disable it";
-
- my @libnames = ("crypto", "ssl");
- my $testcount = scalar @libnames;
---
-2.7.4
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
deleted file mode 100644
index d62b9344c..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
-From: Alistair Francis <alistair.francis@wdc.com>
-Date: Thu, 29 Aug 2019 13:56:21 -0700
-Subject: [PATCH] Add support for io_pgetevents_time64 syscall
-
-32-bit architectures that are y2038 safe don't include syscalls that use
-32-bit time_t. Instead these architectures have suffixed syscalls that
-always use a 64-bit time_t. In the case of the io_getevents syscall the
-syscall has been replaced with the io_pgetevents_time64 syscall instead.
-
-This patch changes the io_getevents() function to use the correct
-syscall based on the avaliable syscalls and the time_t size. We will
-only use the new 64-bit time_t syscall if the architecture is using a
-64-bit time_t. This is to avoid having to deal with 32/64-bit
-conversions and relying on a 64-bit timespec struct on 32-bit time_t
-platforms. As of Linux 5.3 there are no 32-bit time_t architectures
-without __NR_io_getevents. In the future if a 32-bit time_t architecture
-wants to use the 64-bit syscalls we can handle the conversion.
-
-This fixes build failures on 32-bit RISC-V.
-
-Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/9819)
-Upstream-Status: Accepted
----
- engines/e_afalg.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/engines/e_afalg.c b/engines/e_afalg.c
-index dacbe358cb..99516cb1bb 100644
---- a/engines/e_afalg.c
-+++ b/engines/e_afalg.c
-@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
- struct io_event *events,
- struct timespec *timeout)
- {
-+#if defined(__NR_io_getevents)
- return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
-+#elif defined(__NR_io_pgetevents_time64)
-+ /* Let's only support the 64 suffix syscalls for 64-bit time_t.
-+ * This simplifies the code for us as we don't need to use a 64-bit
-+ * version of timespec with a 32-bit time_t and handle converting
-+ * between 64-bit and 32-bit times and check for overflows.
-+ */
-+ if (sizeof(timeout->tv_sec) == 8)
-+ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
-+ else {
-+ errno = ENOSYS;
-+ return -1;
-+ }
-+#else
-+# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
-+#endif
- }
-
- static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
---
-2.30.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
deleted file mode 100644
index c8bc6f5c6..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001
-From: Alistair Francis <alistair.francis@wdc.com>
-Date: Thu, 4 Mar 2021 12:10:11 -0500
-Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall
-
-This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
-"Add support for io_pgetevents_time64 syscall" that didn't correctly
-work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V.
-
-For a full discussion of the issue see:
-https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
-
-Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/14432)
-Upstream-Status: Accepted
----
- engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 42 insertions(+), 13 deletions(-)
-
-diff --git a/engines/e_afalg.c b/engines/e_afalg.c
-index 9480d7c24b..4e9d67db2d 100644
---- a/engines/e_afalg.c
-+++ b/engines/e_afalg.c
-@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb)
- return syscall(__NR_io_submit, ctx, n, iocb);
- }
-
-+/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */
-+struct __timespec32
-+{
-+ __kernel_long_t tv_sec;
-+ __kernel_long_t tv_nsec;
-+};
-+
- static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
- struct io_event *events,
- struct timespec *timeout)
- {
-+#if defined(__NR_io_pgetevents_time64)
-+ /* Check if we are a 32-bit architecture with a 64-bit time_t */
-+ if (sizeof(*timeout) != sizeof(struct __timespec32)) {
-+ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events,
-+ timeout, NULL);
-+ if (ret == 0 || errno != ENOSYS)
-+ return ret;
-+ }
-+#endif
-+
- #if defined(__NR_io_getevents)
-- return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
--#elif defined(__NR_io_pgetevents_time64)
-- /* Let's only support the 64 suffix syscalls for 64-bit time_t.
-- * This simplifies the code for us as we don't need to use a 64-bit
-- * version of timespec with a 32-bit time_t and handle converting
-- * between 64-bit and 32-bit times and check for overflows.
-- */
-- if (sizeof(timeout->tv_sec) == 8)
-- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
-+ if (sizeof(*timeout) == sizeof(struct __timespec32))
-+ /*
-+ * time_t matches our architecture length, we can just use
-+ * __NR_io_getevents
-+ */
-+ return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
- else {
-- errno = ENOSYS;
-- return -1;
-+ /*
-+ * We don't have __NR_io_pgetevents_time64, but we are using a
-+ * 64-bit time_t on a 32-bit architecture. If we can fit the
-+ * timeout value in a 32-bit time_t, then let's do that
-+ * and then use the __NR_io_getevents syscall.
-+ */
-+ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) {
-+ struct __timespec32 ts32;
-+
-+ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec;
-+ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec;
-+
-+ return syscall(__NR_io_getevents, ctx, min, max, events, ts32);
-+ } else {
-+ return syscall(__NR_io_getevents, ctx, min, max, events, NULL);
-+ }
- }
--#else
--# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
- #endif
-+
-+ errno = ENOSYS;
-+ return -1;
- }
-
- static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
---
-2.30.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch
deleted file mode 100644
index 1cae7daac..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Mon, 28 Feb 2022 18:26:21 +0100
-Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
-
-The calculation in some cases does not finish for non-prime p.
-
-This fixes CVE-2022-0778.
-
-Based on patch by David Benjamin <davidben@google.com>.
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
-index 1723d5ded5..53b0f55985 100644
---- a/crypto/bn/bn_sqrt.c
-+++ b/crypto/bn/bn_sqrt.c
-@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- /*
- * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
- * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
-- * Theory", algorithm 1.5.1). 'p' must be prime!
-+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
-+ * an incorrect "result" will be returned.
- */
- {
- BIGNUM *ret = in;
-@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- goto vrfy;
- }
-
-- /* find smallest i such that b^(2^i) = 1 */
-- i = 1;
-- if (!BN_mod_sqr(t, b, p, ctx))
-- goto end;
-- while (!BN_is_one(t)) {
-- i++;
-- if (i == e) {
-- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-- goto end;
-+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
-+ for (i = 1; i < e; i++) {
-+ if (i == 1) {
-+ if (!BN_mod_sqr(t, b, p, ctx))
-+ goto end;
-+
-+ } else {
-+ if (!BN_mod_mul(t, t, t, p, ctx))
-+ goto end;
- }
-- if (!BN_mod_mul(t, t, t, p, ctx))
-- goto end;
-+ if (BN_is_one(t))
-+ break;
-+ }
-+ /* If not found, a is not a square or p is not prime. */
-+ if (i >= e) {
-+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-+ goto end;
- }
-
- /* t := y^2^(e - i - 1) */
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
deleted file mode 100644
index ec4daf015..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 26 Apr 2022 12:40:24 +0200
-Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
-
-Except on VMS where it is safe.
-
-This fixes CVE-2022-1292.
-
-Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
----
- tools/c_rehash.in | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index fa7c6c9fef..83c1cc80e0 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
- return ($is_cert, $is_crl);
- }
-
-+sub compute_hash {
-+ my $fh;
-+ if ( $^O eq "VMS" ) {
-+ # VMS uses the open through shell
-+ # The file names are safe there and list form is unsupported
-+ if (!open($fh, "-|", join(' ', @_))) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ } else {
-+ if (!open($fh, "-|", @_)) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ }
-+ return (<$fh>, <$fh>);
-+}
-
- # Link a certificate to its subject name hash value, each hash is of
- # the form <hash>.<n> where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
-
- sub link_hash_cert {
- my $fname = $_[0];
-- $fname =~ s/\"/\\\"/g;
-- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
-
- sub link_hash_crl {
- my $fname = $_[0];
-- $fname =~ s/'/'\\''/g;
-- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
deleted file mode 100644
index 04e75877a..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
-From: Daniel Fiala <daniel@openssl.org>
-Date: Sun, 29 May 2022 20:11:24 +0200
-Subject: [PATCH] Fix file operations in c_rehash.
-
-CVE-2022-2068
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
----
- tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
- 1 file changed, 107 insertions(+), 109 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index cfd18f5da1..9d2a6f6db7 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -104,52 +104,78 @@ foreach (@dirlist) {
- }
- exit($errorcount);
-
-+sub copy_file {
-+ my ($src_fname, $dst_fname) = @_;
-+
-+ if (open(my $in, "<", $src_fname)) {
-+ if (open(my $out, ">", $dst_fname)) {
-+ print $out $_ while (<$in>);
-+ close $out;
-+ } else {
-+ warn "Cannot open $dst_fname for write, $!";
-+ }
-+ close $in;
-+ } else {
-+ warn "Cannot open $src_fname for read, $!";
-+ }
-+}
-+
- sub hash_dir {
-- my %hashlist;
-- print "Doing $_[0]\n";
-- chdir $_[0];
-- opendir(DIR, ".");
-- my @flist = sort readdir(DIR);
-- closedir DIR;
-- if ( $removelinks ) {
-- # Delete any existing symbolic links
-- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-- if (-l $_) {
-- print "unlink $_" if $verbose;
-- unlink $_ || warn "Can't unlink $_, $!\n";
-- }
-- }
-- }
-- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-- # Check to see if certificates and/or CRLs present.
-- my ($cert, $crl) = check_file($fname);
-- if (!$cert && !$crl) {
-- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-- next;
-- }
-- link_hash_cert($fname) if ($cert);
-- link_hash_crl($fname) if ($crl);
-- }
-+ my $dir = shift;
-+ my %hashlist;
-+
-+ print "Doing $dir\n";
-+
-+ if (!chdir $dir) {
-+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-+ return;
-+ }
-+
-+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-+ my @flist = sort readdir(DIR);
-+ closedir DIR;
-+ if ( $removelinks ) {
-+ # Delete any existing symbolic links
-+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-+ if (-l $_) {
-+ print "unlink $_\n" if $verbose;
-+ unlink $_ || warn "Can't unlink $_, $!\n";
-+ }
-+ }
-+ }
-+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-+ # Check to see if certificates and/or CRLs present.
-+ my ($cert, $crl) = check_file($fname);
-+ if (!$cert && !$crl) {
-+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-+ next;
-+ }
-+ link_hash_cert($fname) if ($cert);
-+ link_hash_crl($fname) if ($crl);
-+ }
-+
-+ chdir $pwd;
- }
-
- sub check_file {
-- my ($is_cert, $is_crl) = (0,0);
-- my $fname = $_[0];
-- open IN, $fname;
-- while(<IN>) {
-- if (/^-----BEGIN (.*)-----/) {
-- my $hdr = $1;
-- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-- $is_cert = 1;
-- last if ($is_crl);
-- } elsif ($hdr eq "X509 CRL") {
-- $is_crl = 1;
-- last if ($is_cert);
-- }
-- }
-- }
-- close IN;
-- return ($is_cert, $is_crl);
-+ my ($is_cert, $is_crl) = (0,0);
-+ my $fname = $_[0];
-+
-+ open(my $in, "<", $fname);
-+ while(<$in>) {
-+ if (/^-----BEGIN (.*)-----/) {
-+ my $hdr = $1;
-+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-+ $is_cert = 1;
-+ last if ($is_crl);
-+ } elsif ($hdr eq "X509 CRL") {
-+ $is_crl = 1;
-+ last if ($is_cert);
-+ }
-+ }
-+ }
-+ close $in;
-+ return ($is_cert, $is_crl);
- }
-
- sub compute_hash {
-@@ -177,76 +203,48 @@ sub compute_hash {
- # certificate fingerprints
-
- sub link_hash_cert {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "copy $fname -> $hash\n" if $verbose;
-- if (open($in, "<", $fname)) {
-- if (open($out,">", $hash)) {
-- print $out $_ while (<$in>);
-- close $out;
-- } else {
-- warn "can't open $hash for write, $!";
-- }
-- close $in;
-- } else {
-- warn "can't open $fname for read, $!";
-- }
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'cert');
- }
-
- # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
-
- sub link_hash_crl {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.r$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".r$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "cp $fname -> $hash\n" if $verbose;
-- system ("cp", $fname, $hash);
-- warn "Can't copy, $!" if ($? >> 8) != 0;
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'crl');
-+}
-+
-+sub link_hash {
-+ my ($fname, $type) = @_;
-+ my $is_cert = $type eq 'cert';
-+
-+ my ($hash, $fprint) = compute_hash($openssl,
-+ $is_cert ? "x509" : "crl",
-+ $is_cert ? $x509hash : $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
-+ chomp $hash;
-+ chomp $fprint;
-+ return if !$hash;
-+ $fprint =~ s/^.*=//;
-+ $fprint =~ tr/://d;
-+ my $suffix = 0;
-+ # Search for an unused hash filename
-+ my $crlmark = $is_cert ? "" : "r";
-+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-+ # Hash matches: if fingerprint matches its a duplicate cert
-+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-+ my $what = $is_cert ? 'certificate' : 'CRL';
-+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
-+ return;
-+ }
-+ $suffix++;
-+ }
-+ $hash .= ".$crlmark$suffix";
-+ if ($symlink_exists) {
-+ print "link $fname -> $hash\n" if $verbose;
-+ symlink $fname, $hash || warn "Can't symlink, $!";
-+ } else {
-+ print "copy $fname -> $hash\n" if $verbose;
-+ copy_file($fname, $hash);
-+ }
-+ $hashlist{$hash} = $fprint;
- }
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
deleted file mode 100644
index aa5bbb604..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky <achernya@google.com>
-Date: Thu, 16 Jun 2022 12:00:22 +1000
-Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
-that performs operations on 6 16-byte blocks concurrently (the
-"grandloop") and then proceeds to handle the "short" tail (which can
-be anywhere from 0 to 5 blocks) that remain.
-
-As part of initialization, the assembly initializes $len to the true
-length, less 96 bytes and converts it to a pointer so that the $inp
-can be compared to it. Each iteration of "grandloop" checks to see if
-there's a full 96-byte chunk to process, and if so, continues. Once
-this has been exhausted, it falls through to "short", which handles
-the remaining zero to five blocks.
-
-Unfortunately, the jump at the end of "grandloop" had a fencepost
-error, doing a `jb` ("jump below") rather than `jbe` (jump below or
-equal). This should be `jbe`, as $inp is pointing to the *end* of the
-chunk currently being handled. If $inp == $len, that means that
-there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
-then there's 5 or fewer 16-byte blocks left to be handled, and the
-fall-through is intended.
-
-The net effect of `jb` instead of `jbe` is that the last 16-byte block
-of the last 96-byte chunk was completely omitted. The contents of
-`out` in this position were never written to. Additionally, since
-those bytes were never processed, the authentication tag generated is
-also incorrect.
-
-The same fencepost error, and identical logic, exists in both
-aesni_ocb_encrypt and aesni_ocb_decrypt.
-
-This addresses CVE-2022-2097.
-
-Co-authored-by: Alejandro Sedeño <asedeno@google.com>
-Co-authored-by: David Benjamin <davidben@google.com>
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
----
- crypto/aes/asm/aesni-x86.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
-index fe2b26542a..812758e02e 100644
---- a/crypto/aes/asm/aesni-x86.pl
-+++ b/crypto/aes/asm/aesni-x86.pl
-@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
- &movdqu (&QWP(-16*2,$out,$inp),$inout4);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
-
- &set_label("short");
- &add ($len,16*6);
-@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
- &pxor ($rndkey1,$inout5);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
-
- &set_label("short");
- &add ($len,16*6);
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
new file mode 100644
index 000000000..8e8d4f2a5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
@@ -0,0 +1,58 @@
+From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Upstream-Status: Accepted [https://github.com/openssl/openssl/pull/21384]
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+---
+ .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
+index 45010b90db..b396c8651a 100644
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
+ if (!ossl_prov_is_running())
+ return 0;
+
+- if (inl == 0) {
+- *outl = 0;
+- return 1;
+- }
++ /* Ignore just empty encryption/decryption call and not AAD. */
++ if (out != NULL) {
++ if (inl == 0) {
++ if (outl != NULL)
++ *outl = 0;
++ return 1;
++ }
+
+- if (outsize < inl) {
+- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+- return 0;
++ if (outsize < inl) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++ return 0;
++ }
+ }
+
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
+--
+2.34.1
+
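Review bot: The comment added above the `out != NULL` guard in siv_cipher() is too terse for the security property it protects. It does not say that `out == NULL` is how an associated-data update arrives, nor why a zero-length one must still reach `ctx->hw->cipher()`. I would word it as `/* out == NULL is an AAD update: a zero-length AAD item must still be passed on so it is authenticated (RFC 5297); only an empty encrypt/decrypt call is a no-op. */`. The diffstat lists only cipher_aes_siv.c, so no regression case for an empty AAD item travels with the fix, and it is worth confirming the recipe's tests cover one. siv_cipher() starts and ends outside the patched hunk.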
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
new file mode 100644
index 000000000..ff1e415c5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
@@ -0,0 +1,76 @@
+From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Upstream-Status: Accepted [https://github.com/openssl/openssl/pull/21451]
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
+---
+ crypto/dh/dh_check.c | 6 ++++++
+ include/openssl/dh.h | 6 +++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 0b391910d6..84a926998e 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
+ if (nid != NID_undef)
+ return 1;
+
++ /* Don't do any checks at all with an excessively large modulus */
++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ if (!DH_check_params(dh, ret))
+ return 0;
+
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index b97871eca7..36420f51d8 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
+ # include <openssl/dherr.h>
+
+ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
+-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++# endif
++
++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+--
+2.34.1
+
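Review bot: The early return added to DH_check() for an oversized modulus raises DH_R_MODULUS_TOO_LARGE but sets no flag in `*ret`, so a caller that inspects only the flag word and not the return value would not see the rejection. Setting the flags first, `*ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME;` ahead of `return 0;`, closes that gap. As far as I recall upstream made this adjustment in a follow-up change, which would be better carried as its own backport than edited into this patch. How `*ret` is initialised lies outside the patched hunk, so confirm against the full function.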
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch
new file mode 100644
index 000000000..ded0a0eb1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch
@@ -0,0 +1,61 @@
+From 6a1eb62c29db6cb5eec707f9338aee00f44e26f5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 25 Jul 2023 15:22:48 +0200
+Subject: [PATCH] DH_check(): Do not try checking q properties if it is
+ obviously invalid
+
+If |q| >= |p| then the q value is obviously wrong as q
+is supposed to be a prime divisor of p-1.
+
+We check if p is overly large so this added test implies that
+q is not large either when performing subsequent tests using that
+q value.
+
+Otherwise if it is too large these additional checks of the q value
+such as the primality test can then trigger DoS by doing overly long
+computations.
+
+Fixes CVE-2023-3817
+
+Upstream-Status: Accepted [https://github.com/openssl/openssl/pull/21550]
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Todd Short <todd.short@me.com>
+(Merged from https://github.com/openssl/openssl/pull/21550)
+
+(cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
+---
+ crypto/dh/dh_check.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index aef6f9b1b7..fbe2797569 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
+ #ifdef FIPS_MODULE
+ return DH_check_params(dh, ret);
+ #else
+- int ok = 0, r;
++ int ok = 0, r, q_good = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *t1 = NULL, *t2 = NULL;
+ int nid = DH_get_nid((DH *)dh);
+@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
+ goto err;
+
+ if (dh->params.q != NULL) {
++ if (BN_ucmp(dh->params.p, dh->params.q) > 0)
++ q_good = 1;
++ else
++ *ret |= DH_CHECK_INVALID_Q_VALUE;
++ }
++
++ if (q_good) {
+ if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
+--
+2.34.1
+
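Review bot: The new `q_good` test bounds the cost of the later q checks only because p has already been capped, and nothing in the added code says so. That cap is not in this patch; it comes from CVE-2023-3446.patch, added in the same commit, so both patches have to stay in the recipe's patch list together (presumably with 3446 applied first, given the line offsets here). A comment on the new test would record the dependency: `/* q < p, and p is capped by OPENSSL_DH_CHECK_MAX_MODULUS_BITS, so q is bounded too */`. DH_check() continues outside the patched hunks.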
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch
new file mode 100644
index 000000000..60797cd1a
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch
@@ -0,0 +1,81 @@
+From 0df40630850fb2740e6be6890bb905d3fc623b2d Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Fri, 6 Oct 2023 10:26:23 +1100
+Subject: [PATCH] evp: process key length and iv length early if present
+
+evp_cipher_init_internal() takes a params array argument and this is processed
+late in the initialisation process for some ciphers (AEAD ones).
+
+This means that changing the IV length as a parameter will either truncate the
+IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
+bytes.
+
+Truncation is very bad if SP 800-38d section 8.2.1 is being used to
+contruct a deterministic IV. This leads to an instant loss of confidentiality.
+
+Grabbing extra bytes isn't so serious, it will most likely result in a bad
+decryption.
+
+Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
+and raised as issue #19822.
+
+Fixes CVE-2023-5363
+Fixes #19822
+
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(cherry picked from commit 5f69f5c65e483928c4b28ed16af6e5742929f1ee)
+---
+ crypto/evp/evp_enc.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index d2ed3fd378..6a819590e6 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
+ return 0;
+ }
+
++#ifndef FIPS_MODULE
++ /*
++ * Fix for CVE-2023-5363
++ * Passing in a size as part of the init call takes effect late
++ * so, force such to occur before the initialisation.
++ *
++ * The FIPS provider's internal library context is used in a manner
++ * such that this is not an issue.
++ */
++ if (params != NULL) {
++ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
++ OSSL_PARAM_END };
++ OSSL_PARAM *q = param_lens;
++ const OSSL_PARAM *p;
++
++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
++ if (p != NULL)
++ memcpy(q++, p, sizeof(*q));
++
++ /*
++ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
++ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
++ */
++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
++ if (p != NULL)
++ memcpy(q++, p, sizeof(*q));
++
++ if (q != param_lens) {
++ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
++ return 0;
++ }
++ }
++ }
++#endif
++
+ if (enc) {
+ if (ctx->cipher->einit == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+--
+2.34.1
+
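Review bot: This backport has no `Upstream-Status:` or `CVE:` line in its header, so the file name is the only machine-readable link to the advisory. Add `CVE: CVE-2023-5363` and `Upstream-Status: Backport [https://github.com/openssl/openssl/commit/5f69f5c65e483928c4b28ed16af6e5742929f1ee]` above the `---` separator, together with a Signed-off-by from whoever imported the patch. The same applies to CVE-2023-5678.patch (whose message never names the CVE), CVE-2024-0727.patch and the busybox CVE-2022-48174.patch later in this commit.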
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
new file mode 100644
index 000000000..afb23ade3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
@@ -0,0 +1,177 @@
+From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 20 Oct 2023 09:18:19 +0200
+Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
+
+We already check for an excessively large P in DH_generate_key(), but not in
+DH_check_pub_key(), and none of them check for an excessively large Q.
+
+This change adds all the missing excessive size checks of P and Q.
+
+It's to be noted that behaviours surrounding excessively sized P and Q
+differ. DH_check() raises an error on the excessively sized P, but only
+sets a flag for the excessively sized Q. This behaviour is mimicked in
+DH_check_pub_key().
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/22518)
+
+(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
+---
+ crypto/dh/dh_check.c | 12 ++++++++++++
+ crypto/dh/dh_err.c | 3 ++-
+ crypto/dh/dh_key.c | 12 ++++++++++++
+ crypto/err/openssl.txt | 1 +
+ include/crypto/dherr.h | 2 +-
+ include/openssl/dh.h | 6 +++---
+ include/openssl/dherr.h | 3 ++-
+ 7 files changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 7ba2beae7f..e20eb62081 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
+ */
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
++ /* Don't do any checks at all with an excessively large modulus */
++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
++ return 0;
++ }
++
++ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
++ return 1;
++ }
++
+ return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
+ }
+
+diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+index 4152397426..f76ac0dd14 100644
+--- a/crypto/dh/dh_err.c
++++ b/crypto/dh/dh_err.c
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+ "parameter encoding error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
+ "unable to check generator"},
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index d84ea99241..afc49f5cdc 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ goto err;
+ }
+
++ if (dh->params.q != NULL
++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++ goto err;
++ }
++
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+ return 0;
+@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
+ return 0;
+ }
+
++ if (dh->params.q != NULL
++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++ return 0;
++ }
++
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+ return 0;
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index e51504b7ab..36de321b74 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DH_R_PEER_KEY_ERROR:111:peer key error
++DH_R_Q_TOO_LARGE:130:q too large
+ DH_R_SHARED_INFO_ERROR:113:shared info error
+ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+ DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
+diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
+index bb24d131eb..519327f795 100644
+--- a/include/crypto/dherr.h
++++ b/include/crypto/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index 6533260f20..50e0cf54be 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
+ # define DH_GENERATOR_3 3
+ # define DH_GENERATOR_5 5
+
+-/* DH_check error codes */
++/* DH_check error codes, some of them shared with DH_check_pub_key */
+ /*
+ * NB: These values must align with the equivalently named macros in
+ * internal/ffc.h.
+@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
+ # define DH_UNABLE_TO_CHECK_GENERATOR 0x04
+ # define DH_NOT_SUITABLE_GENERATOR 0x08
+ # define DH_CHECK_Q_NOT_PRIME 0x10
+-# define DH_CHECK_INVALID_Q_VALUE 0x20
++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
+ # define DH_CHECK_INVALID_J_VALUE 0x40
+ # define DH_MODULUS_TOO_SMALL 0x80
+-# define DH_MODULUS_TOO_LARGE 0x100
++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
+
+ /* DH_check_pub_key error codes */
+ # define DH_CHECK_PUBKEY_TOO_SMALL 0x01
+diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+index 5d2a762a96..074a70145f 100644
+--- a/include/openssl/dherr.h
++++ b/include/openssl/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -50,6 +50,7 @@
+ # define DH_R_NO_PRIVATE_VALUE 100
+ # define DH_R_PARAMETER_ENCODING_ERROR 105
+ # define DH_R_PEER_KEY_ERROR 111
++# define DH_R_Q_TOO_LARGE 130
+ # define DH_R_SHARED_INFO_ERROR 113
+ # define DH_R_UNABLE_TO_CHECK_GENERATOR 121
+
+--
+2.34.1
+
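Review bot: In the added `DH_check_pub_key()` prologue, the q branch does `*ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;` and returns before anything in the function has written `*ret`, so the reported flags depend on the caller having zeroed it. The modulus branch directly above assigns with `=`. Either audit the callers in this tree for an uninitialised flags variable, or carry `*ret = DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;` as a documented local delta and raise it upstream. This test also rejects only q > p (`BN_ucmp(...) < 0`), whereas the DH_check() change in CVE-2023-3817.patch treats q >= p as invalid.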
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
new file mode 100644
index 000000000..8c8e0ba21
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
@@ -0,0 +1,120 @@
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+---
+ crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c | 5 +++++
+ crypto/pkcs12/p12_npas.c | 5 +++--
+ crypto/pkcs7/pk7_mime.c | 7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
+index 6fd4184af5a52..80ce31b3bca66 100644
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p7->d.data == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+
+@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
+ {
+ if (!PKCS7_type_is_encrypted(p7))
+ return NULL;
++
++ if (p7->d.encrypted == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
+ ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+ pass, passlen,
+@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p12->authsafes->d.data == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ p7s = ASN1_item_unpack(p12->authsafes->d.data,
+ ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ if (p7s != NULL) {
+diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
+index 67a885a45f89e..68ff54d0e90ee 100644
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+ return 0;
+ }
+
++ if (p12->authsafes->d.data == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return 0;
++ }
++
+ salt = p12->mac->salt->data;
+ saltlen = p12->mac->salt->length;
+ if (p12->mac->iter == NULL)
+diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
+index 62230bc6187ff..1e5b5495991a4 100644
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
+ bags = PKCS12_unpack_p7data(p7);
+ } else if (bagnid == NID_pkcs7_encrypted) {
+ bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+- &pbe_nid, &pbe_iter, &pbe_saltlen))
++ if (p7->d.encrypted == NULL
++ || !alg_get(p7->d.encrypted->enc_data->algorithm,
++ &pbe_nid, &pbe_iter, &pbe_saltlen))
+ goto err;
+ } else {
+ continue;
+diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
+index 49a0da5f819c4..8228315eeaa3a 100644
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+ int ctype_nid = OBJ_obj2nid(p7->type);
+ const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
+
+- if (ctype_nid == NID_pkcs7_signed)
++ if (ctype_nid == NID_pkcs7_signed) {
++ if (p7->d.sign == NULL)
++ return 0;
+ mdalgs = p7->d.sign->md_algs;
+- else
++ } else {
+ mdalgs = NULL;
++ }
+
+ flags ^= SMIME_OLDMIME;
+
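Review bot: The new NULL check in `SMIME_write_PKCS7()` returns 0 without queuing an error, while the other NULL-check sites in p12_add.c and p12_mutl.c call `ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR)` first. A service that logs the OpenSSL error queue on failure will have nothing to explain a rejected malformed input on this path. If a local delta is acceptable, add `ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT);` before the `return 0;`. The `p7->d.encrypted` guards still go on to read `->enc_data->algorithm`; presumably the decoder always allocates `enc_data`, but that is not visible here and is worth confirming.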
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index b7c0e9697..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
---- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
- $config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
-- my $minver = 4*10000 + 1*100 + 0;
-- if ($config{CROSS_COMPILE} eq "") {
-- my $verstr = `uname -r`;
-- my ($ma, $mi1, $mi2) = split("\\.", $verstr);
-- ($mi2) = $mi2 =~ /(\d+)/;
-- my $ver = $ma*10000 + $mi1*100 + $mi2;
-- if ($ver < $minver) {
-- disable('too-old-kernel', 'afalgeng');
-- } else {
-- push @{$config{engdirs}}, "afalg";
-- }
-- } else {
-- disable('cross-compiling', 'afalgeng');
-- }
-+ push @{$config{engdirs}}, "afalg";
- } else {
- disable('not-linux', 'afalgeng');
- }
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch
new file mode 100644
index 000000000..78dcd8168
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch
@@ -0,0 +1,22 @@
+The perl script adds random suffixes to the local function names to ensure
+it doesn't clash with other parts of openssl. Set the random number seed
+to something predictable so the assembler files are generated consistently
+and our own reproducible builds tests pass.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
+===================================================================
+--- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
++++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
+@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable = (16 * 6);
+ # ;;; Helper functions
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
++# Ensure the local labels are reproduicble
++srand(10000);
++
+ # ; Generates "random" local labels
+ sub random_string() {
+ my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch
deleted file mode 100644
index a24260c95..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-The value for perl_archname can vary depending on the host, e.g.
-x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which
-makes the ptest package non-reproducible. Its unused other than
-these references so drop it.
-
-RP 2020/2/6
-
-Upstream-Status: Pending
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-
-Index: openssl-1.1.1d/Configure
-===================================================================
---- openssl-1.1.1d.orig/Configure
-+++ openssl-1.1.1d/Configure
-@@ -286,7 +286,7 @@ if (defined env($local_config_envname))
- # Save away perl command information
- $config{perl_cmd} = $^X;
- $config{perl_version} = $Config{version};
--$config{perl_archname} = $Config{archname};
-+#$config{perl_archname} = $Config{archname};
-
- $config{prefix}="";
- $config{openssldir}="";
-@@ -2517,7 +2517,7 @@ _____
- @{$config{perlargv}}), "\n";
- print "\nPerl information:\n\n";
- print ' ',$config{perl_cmd},"\n";
-- print ' ',$config{perl_version},' for ',$config{perl_archname},"\n";
-+ print ' ',$config{perl_version},"\n";
- }
- if ($dump || $options) {
- my $longest = 0;
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest
index 3fb22471f..8dff79101 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest
@@ -9,4 +9,4 @@ export TOP=.
# OPENSSL_ENGINES is relative from the test binaries
export OPENSSL_ENGINES=../engines
-perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'
+perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb
index 5353a9421..42157af0f 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -4,37 +4,32 @@ HOMEPAGE = "http://www.openssl.org/"
BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
SECTION = "libs/network"
-# "openssl" here actually means both OpenSSL and SSLeay licenses apply
-# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
-LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
-DEPENDS = "hostperl-runtime-native"
-
-PV = "1.0+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-SRCREV = "5dae6451aac56bdf5be8dc5f20519da0bc55451a"
-
-SRC_URI = "git://github.com/openssl/openssl.git;branch=OpenSSL_1_1_1-stable;protocol=https \
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://run-ptest \
- file://0001-skip-test_symbol_presence.patch \
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
- file://afalg.patch \
- file://reproducible.patch \
+ file://0001-Configure-do-not-tweak-mips-cflags.patch \
+ file://fix_random_labels.patch \
"
+SRC_URI += " \
+ file://CVE-2023-5678.patch \
+ file://CVE-2023-2975.patch \
+ file://CVE-2023-3446.patch \
+ file://CVE-2023-3817.patch \
+ file://CVE-2023-5363.patch \
+ file://CVE-2024-0727.patch \
+ "
+
SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI:append:riscv32 = " \
- file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \
- file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
- "
+SRC_URI[sha256sum] = "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
-inherit lib_package multilib_header multilib_script ptest
+inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
PACKAGECONFIG ?= ""
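Review bot: Pinning 3.1.1 and stacking six CVE backports in `SRC_URI +=` means every later upstream fix has to be added to this list by hand. The patches are cherry-picks from upstream, so a newer 3.1.x tarball presumably already contains them and would shrink the list. If the pin has to stay, check the list against upstream's advisories for the 3.1 branch on each release. Separately, the tarball is fetched over `http://`; `SRC_URI[sha256sum]` still rejects a modified download, but `https://www.openssl.org/source/openssl-${PV}.tar.gz` avoids the cleartext fetch.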
@@ -63,21 +58,20 @@ EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-# Disable deprecated crypto algorithms
-# Retained for compatibilty
-# des (curl)
-# dh (python-ssl)
-# dsa (rpm)
-# md4 (cyrus-sasl freeradius hostapd)
-# bf (wvstreams postgresql x11vnc crda znc cfengine)
-# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php)
-# rc2 (mailx)
-# psk (qt5)
-# srp (libest)
-# whirlpool (qca)
-DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4"
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
do_configure () {
+ # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+ # the issue really clear that perl isn't functional due to symbol mismatch issues.
+ cat <<- EOF > ${WORKDIR}/perltest
+ #!/usr/bin/env perl
+ use POSIX;
+ EOF
+ chmod a+x ${WORKDIR}/perltest
+ ${WORKDIR}/perltest
+
os=${HOST_OS}
case $os in
linux-gnueabi |\
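Review bot: `DEPRECATED_CRYPTO_FLAGS ?= ""` drops every `no-*` option the old recipe passed to Configure, so algorithms that were compiled out of the BMC image (idea, rc5, md2, mdc2, seed, the sm* family and others) are built again unless a distro or bbappend sets the variable. For firmware it is safer to keep an explicit list here, for example `DEPRECATED_CRYPTO_FLAGS ?= "no-idea no-rc5 no-md2 no-mdc2 no-seed"`. Check each option against the 3.1 Configure and against the packages that need the algorithm first. `do_configure` continues past the end of this hunk.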
@@ -92,6 +86,9 @@ do_configure () {
esac
target="$os-${HOST_ARCH}"
case $target in
+ linux-arc | linux-microblaze*)
+ target=linux-latomic
+ ;;
linux-arm*)
target=linux-armv4
;;
@@ -117,7 +114,7 @@ do_configure () {
linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
target=linux64-mips64
;;
- linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+ linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
target=linux-generic32
;;
linux-powerpc)
@@ -130,7 +127,7 @@ do_configure () {
target=linux-ppc64le
;;
linux-riscv32)
- target=linux-generic32
+ target=linux-latomic
;;
linux-riscv64)
target=linux-generic64
@@ -149,8 +146,10 @@ do_configure () {
fi
# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
# environment variables set by bitbake. Adjust the environment variables instead.
- HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
- perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
+ PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+ test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+ HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
perl ${B}/configdata.pm --dump
}
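Review bot: `test -d "$PERLEXTERNAL" || bberror ...` only logs the problem, so the task carries on and runs Configure with a PERL5LIB that does not exist. The same happens if the `Text-Template-*` glob matches more than one directory, because `$PERLEXTERNAL` then holds several paths. Stop the task at the real cause with `test -d "$PERLEXTERNAL" || bbfatal "PERLEXTERNAL '$PERLEXTERNAL' not found!"`. `do_configure` starts outside this hunk.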
@@ -158,43 +157,50 @@ do_install () {
oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
oe_multilib_header openssl/opensslconf.h
+ oe_multilib_header openssl/configuration.h
# Create SSL structure for packages such as ca-certificates which
# contain hard-coded paths to /etc/ssl. Debian does the same.
install -d ${D}${sysconfdir}/ssl
- mv ${D}${libdir}/ssl-1.1/certs \
- ${D}${libdir}/ssl-1.1/private \
- ${D}${libdir}/ssl-1.1/openssl.cnf \
+ mv ${D}${libdir}/ssl-3/certs \
+ ${D}${libdir}/ssl-3/private \
+ ${D}${libdir}/ssl-3/openssl.cnf \
${D}${sysconfdir}/ssl/
# Although absolute symlinks would be OK for the target, they become
# invalid if native or nativesdk are relocated from sstate.
- ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs
- ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private
- ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf
+ ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+ ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+ ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
}
do_install:append:class-native () {
create_wrapper ${D}${bindir}/openssl \
- OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
- SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
- SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
- OPENSSL_ENGINES=${libdir}/engines-1.1
+ OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
+ SSL_CERT_DIR=${libdir}/ssl-3/certs \
+ SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
+ OPENSSL_ENGINES=${libdir}/engines-3 \
+ OPENSSL_MODULES=${libdir}/ossl-modules
}
do_install:append:class-nativesdk () {
mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
- sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+ sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
}
PTEST_BUILD_HOST_FILES += "configdata.pm"
PTEST_BUILD_HOST_PATTERN = "perl_version ="
do_install_ptest () {
+ install -d ${D}${PTEST_PATH}/test
+ install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+ install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
+
# Prune the build tree
rm -f ${B}/fuzz/*.* ${B}/test/*.*
cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+ sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
# For test_shlibload
@@ -207,11 +213,21 @@ do_install_ptest () {
install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
install -d ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
- # seems to be needed with perl 5.32.1
- install -d ${D}${PTEST_PATH}/util/perl/recipes
- cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+ install -d ${D}${PTEST_PATH}/providers
+ install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+
+ install -d ${D}${PTEST_PATH}/Configurations
+ cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
+
+ # seems to be needed with perl 5.32.1
+ install -d ${D}${PTEST_PATH}/util/perl/recipes
+ cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+
+ sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
}
# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
@@ -219,25 +235,26 @@ do_install_ptest () {
# file to be installed for both the openssl-bin package and the libcrypto
# package since the openssl-bin package depends on the libcrypto package.
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
FILES:libssl = "${libdir}/libssl${SOLIBS}"
FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
- ${libdir}/ssl-1.1/openssl.cnf* \
+ ${libdir}/ssl-3/openssl.cnf* \
"
-FILES:${PN}-engines = "${libdir}/engines-1.1"
+FILES:${PN}-engines = "${libdir}/engines-3"
# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
-FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-1_1"
-FILES:${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
-FILES:${PN} =+ "${libdir}/ssl-1.1/*"
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
-RRECOMMENDS:libcrypto += "openssl-conf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
RDEPENDS:${PN}-misc = "perl"
-RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
RDEPENDS:${PN}-bin += "openssl-conf"
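Review bot: `RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"` pulls the legacy provider into every image that installs libcrypto, although nothing shown in this commit needs it. The provider is only used when something loads it, but with legacy.so on the root filesystem any openssl.cnf or application can opt in to the old algorithms it implements. Consider keeping the recommendation at `RRECOMMENDS:libcrypto += "openssl-conf"` and letting the image that needs the module add the package. Alternatively, list it in BAD_RECOMMENDATIONS for production images.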
@@ -247,6 +264,5 @@ CVE_PRODUCT = "openssl:openssl"
CVE_VERSION_SUFFIX = "alphabetical"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
-CVE_CHECK_WHITELIST += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 000000000..7547770d3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@
+From e39d97700f78586fcbf0837478681ec481433b94 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function old new delta
+evaluate_string 1011 1053 +42
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 2942cdd..e9bd62b 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -582,6 +582,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -589,10 +611,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ const char *errmsg;
+ const char *start_expr = expr = skip_whitespace(expr);
+ unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+@@ -661,6 +685,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ numstackptr->var = NULL;
+ errno = 0;
+ numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+ if (errno)
+ numstackptr->val = 0; /* bash compat */
+ goto num;
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg
index 2550ffaf5..f94ca156d 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg
@@ -4,3 +4,5 @@ CONFIG_TELNET=n
CONFIG_TFTP=n
CONFIG_WGET=n
CONFIG_UDHCPD=n
+#To mitigate cpio utility CVE, 2023-39810
+CONFIG_CPIO=n
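Review bot: The added comment spells the identifier as `CVE, 2023-39810`, so a search of the layer for `CVE-2023-39810` will not find this mitigation; writing it as `# CVE-2023-39810: cpio applet disabled as mitigation` keeps it greppable. Disabling the applet removes the affected code from the image but leaves the busybox version unchanged, so a version-based CVE scan would presumably still report it unless the recipe also records the status (for example through `CVE_CHECK_IGNORE` or `CVE_STATUS`, depending on the Yocto release in use). It is also worth confirming that nothing in the image invokes `cpio`, which this hunk cannot show.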
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
index b9c654068..d6c8fcc36 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
@@ -5,6 +5,7 @@ SRC_URI += " \
file://CVE-2022-28391_1.patch \
file://CVE-2022-28391_2.patch \
file://CVE-2022-30065.patch \
+ file://CVE-2022-48174.patch \
"
SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
deleted file mode 100644
index 80ddcb4f2..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
-From: Rhodri James <rhodri@wildebeest.org.uk>
-Date: Wed, 17 Aug 2022 18:26:18 +0100
-Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
-
-It is possible to concoct a situation in which parsing is
-suspended while substituting in an internal entity, so that
-XML_ResumeParser directly uses internalEntityProcessor as
-its processor. If the subsequent parse includes some unclosed
-tags, this will return without calling storeRawNames to ensure
-that the raw versions of the tag names are stored in memory other
-than the parse buffer itself. If the parse buffer is then changed
-or reallocated (for example if processing a file line by line),
-badness will ensue.
-
-This patch ensures storeRawNames is always called when needed
-after calling doContent. The earlier call do doContent does
-not need the same protection; it only deals with entity
-substitution, which cannot leave unbalanced tags, and in any
-case the raw names will be pointing into the stored entity
-value not the parse buffer.
----
- lib/xmlparse.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 7bcabf7f4..d73f419cf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
- {
- parser->m_processor = contentProcessor;
- /* see externalEntityContentProcessor vs contentProcessor */
-- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
-- s, end, nextPtr,
-- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
-- XML_ACCOUNT_DIRECT);
-+ result = doContent(parser, parser->m_parentParser ? 1 : 0,
-+ parser->m_encoding, s, end, nextPtr,
-+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
-+ XML_ACCOUNT_DIRECT);
-+ if (result == XML_ERROR_NONE) {
-+ if (! storeRawNames(parser))
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+ return result;
- }
- }
-
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
deleted file mode 100644
index affd97faf..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From a7ce80a013f2a08cb1ac4aac368f2250eea03ebf Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sun, 11 Sep 2022 19:34:33 +0200
-Subject: [PATCH 1/2] tests: Cover heap use-after-free issue in doContent
-
----
- tests/runtests.c | 74 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 74 insertions(+)
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index ea371b42f..ab3aff65b 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -4990,6 +4990,78 @@ START_TEST(test_suspend_resume_internal_entity) {
- }
- END_TEST
-
-+void
-+suspending_comment_handler(void *userData, const XML_Char *data) {
-+ UNUSED_P(data);
-+ XML_Parser parser = (XML_Parser)userData;
-+ XML_StopParser(parser, XML_TRUE);
-+}
-+
-+START_TEST(test_suspend_resume_internal_entity_issue_629) {
-+ const char *const text
-+ = "<!DOCTYPE a [<!ENTITY e '<!--COMMENT-->a'>]><a>&e;<b>\n"
-+ "<"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "/>"
-+ "</b></a>";
-+ const size_t firstChunkSizeBytes = 54;
-+
-+ XML_Parser parser = XML_ParserCreate(NULL);
-+ XML_SetUserData(parser, parser);
-+ XML_SetCommentHandler(parser, suspending_comment_handler);
-+
-+ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
-+ != XML_STATUS_SUSPENDED)
-+ xml_failure(parser);
-+ if (XML_ResumeParser(parser) != XML_STATUS_OK)
-+ xml_failure(parser);
-+ if (XML_Parse(parser, text + firstChunkSizeBytes,
-+ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
-+ != XML_STATUS_OK)
-+ xml_failure(parser);
-+ XML_ParserFree(parser);
-+}
-+END_TEST
-+
- /* Test syntax error is caught at parse resumption */
- START_TEST(test_resume_entity_with_syntax_error) {
- const char *text = "<!DOCTYPE doc [\n"
-@@ -12016,6 +12088,8 @@ make_suite(void) {
- tcase_add_test(tc_basic, test_partial_char_in_epilog);
- tcase_add_test(tc_basic, test_hash_collision);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_suspend_resume_internal_entity);
-+ tcase_add_test__ifdef_xml_dtd(tc_basic,
-+ test_suspend_resume_internal_entity_issue_629);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_resume_entity_with_syntax_error);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_suspend_resume_parameter_entity);
- tcase_add_test(tc_basic, test_restart_on_error);
-
-
-
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch
deleted file mode 100644
index b19647736..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 5290462a7ea1278a8d5c0d5b2860d4e244f997e4 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Tue, 20 Sep 2022 02:44:34 +0200
-Subject: [PATCH 1/3] lib: Fix overeager DTD destruction in
- XML_ExternalEntityParserCreate
-
----
- lib/xmlparse.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index aacd6e7fc..57bf103cc 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
- parserInit(parser, encodingName);
-
- if (encodingName && ! parser->m_protocolEncodingName) {
-+ if (dtd) {
-+ // We need to stop the upcoming call to XML_ParserFree from happily
-+ // destroying parser->m_dtd because the DTD is shared with the parent
-+ // parser and the only guard that keeps XML_ParserFree from destroying
-+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
-+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
-+ parser->m_dtd = NULL;
-+ }
- XML_ParserFree(parser);
- return NULL;
- }
-
-From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 19 Sep 2022 18:16:15 +0200
-Subject: [PATCH 2/3] tests: Cover overeager DTD destruction in
- XML_ExternalEntityParserCreate
-
----
- tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 49 insertions(+)
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index 245fe9bda..acb744dd4 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) {
- }
- END_TEST
-
-+static int XMLCALL
-+external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
-+ const XML_Char *context,
-+ const XML_Char *base,
-+ const XML_Char *systemId,
-+ const XML_Char *publicId) {
-+ UNUSED_P(base);
-+ UNUSED_P(systemId);
-+ UNUSED_P(publicId);
-+
-+ if (context != NULL)
-+ fail("Unexpected non-NULL context");
-+
-+ // The following number intends to fail the upcoming allocation in line
-+ // "parser->m_protocolEncodingName = copyString(encodingName,
-+ // &(parser->m_mem));" in function parserInit.
-+ allocation_count = 3;
-+
-+ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
-+ const XML_Parser ext_parser
-+ = XML_ExternalEntityParserCreate(parser, context, encodingName);
-+ if (ext_parser != NULL)
-+ fail(
-+ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
-+
-+ allocation_count = ALLOC_ALWAYS_SUCCEED;
-+ return XML_STATUS_ERROR;
-+}
-+
-+START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
-+ const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>";
-+
-+ XML_SetExternalEntityRefHandler(
-+ g_parser, external_entity_parser_create_alloc_fail_handler);
-+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
-+
-+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
-+ != XML_STATUS_ERROR)
-+ fail("Call to parse was expected to fail");
-+
-+ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
-+ fail("Call to parse was expected to fail from the external entity handler");
-+
-+ XML_ParserReset(g_parser, NULL);
-+}
-+END_TEST
-+
- static void
- nsalloc_setup(void) {
- XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
-@@ -12401,6 +12448,8 @@ make_suite(void) {
- tcase_add_test(tc_alloc, test_alloc_long_public_id);
- tcase_add_test(tc_alloc, test_alloc_long_entity_value);
- tcase_add_test(tc_alloc, test_alloc_long_notation);
-+ tcase_add_test__ifdef_xml_dtd(
-+ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
-
- suite_add_tcase(s, tc_nsalloc);
- tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
-
-
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest
index 2cd3637d8..ff7986db3 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest
@@ -1,23 +1,9 @@
#!/bin/bash
-output=${1:-"expat_tests.log"} # default log file
-
-# logging function
-function testCheck() {
- testExec="$1"
- shift
- echo && echo ${testExec} && ./${testExec} "$@"
- error=$?
- result=$([[ ${error} -eq 0 ]] && echo "PASS" || echo "FAIL")
- echo "${result}: ${testExec}" && echo "============================"
-}
-
-export output
-export -f testCheck
TIME=$(which time)
echo "runtests"
${TIME} -f 'Execution time: %e s' bash -c "./runtests -v"
echo "runtestspp"
-${TIME} -f 'Execution time: %e s' bash -c "./runtestspp -v"
+${TIME} -f 'Execution time: %e s' bash -c "./runtests_cxx -v"
echo
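Review bot: The label printed before the second run still says `runtestspp` although the binary invoked on the changed line is now `runtests_cxx`, and the script ends on a bare `echo`, so it exits 0 even when either test binary fails. With `testCheck` removed, nothing in the script prints a PASS/FAIL line either, so a regression in the parser tests would only be visible by reading the log. I would track the exit status of both runs and return it, assuming `time` passes through the status of the command it runs (GNU time does).

```shell
TIME=$(which time)
rc=0
# … unchanged: echo "runtests" …
${TIME} -f 'Execution time: %e s' bash -c "./runtests -v" || rc=1
echo "runtests_cxx"
${TIME} -f 'Execution time: %e s' bash -c "./runtests_cxx -v" || rc=1
# … unchanged: trailing echo …
exit "$rc"
```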
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb
deleted file mode 100644
index 616838aa3..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb
+++ /dev/null
@@ -1,34 +0,0 @@
-SUMMARY = "A stream-oriented XML parser library"
-DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)"
-HOMEPAGE = "http://expat.sourceforge.net/"
-SECTION = "libs"
-LICENSE = "MIT"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
-
-VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
-
-SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
- file://run-ptest \
- file://CVE-2022-40674_1.patch \
- file://CVE-2022-40674_2.patch \
- file://CVE-2022-43680.patch \
- "
-
-UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
-
-SRC_URI[sha256sum] = "fbb430f964c7a2db2626452b6769e6a8d5d23593a453ccbc21701b74deabedff"
-
-EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"
-
-RDEPENDS:${PN}-ptest += "bash"
-
-inherit cmake lib_package ptest
-
-do_install_ptest:class-target() {
- install -m 755 ${B}/tests/* ${D}${PTEST_PATH}
-}
-
-BBCLASSEXTEND += "native nativesdk"
-
-CVE_PRODUCT = "expat libexpat"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb
new file mode 100644
index 000000000..9bdc3b620
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb
@@ -0,0 +1,33 @@
+SUMMARY = "A stream-oriented XML parser library"
+DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)"
+HOMEPAGE = "https://github.com/libexpat/libexpat"
+SECTION = "libs"
+LICENSE = "MIT"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=7b3b078238d0901d3b339289117cb7fb"
+
+VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
+
+SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
+ file://run-ptest \
+ "
+
+GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
+UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P<pver>.+)"
+
+SRC_URI[sha256sum] = "4677d957c0c6cb2a3321101944574c24113b637c7ab1cf0659a27c5babc201fd"
+
+EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"
+
+RDEPENDS:${PN}-ptest += "bash"
+
+inherit cmake lib_package ptest github-releases
+
+do_install_ptest:class-target() {
+ install -m 755 ${B}/tests/runtests* ${D}${PTEST_PATH}
+ install -m 755 ${B}/tests/benchmark/benchmark ${D}${PTEST_PATH}
+}
+
+BBCLASSEXTEND += "native nativesdk"
+
+CVE_PRODUCT = "expat libexpat"
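Review bot: This adds a complete versioned expat recipe to the mods layer rather than a bbappend, so if this layer takes priority over the base layer (not visible here) the image stays on 2.6.1 until someone edits this file, even after the base layer moves to a newer expat security release. The three `CVE-2022-*` patch files carried by `expat_2.4.5.bb` are also dropped with no note that the new version is expected to contain those fixes. A header comment such as `# Local override of the base-layer expat recipe; CVE-2022-40674 and CVE-2022-43680 are fixed upstream in this release. Remove once the base layer ships >= 2.6.1.` would record both points for the next maintainer.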
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch
new file mode 100644
index 000000000..899a14ead
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch
@@ -0,0 +1,982 @@
+From 1c37b8022e8763fedbb3f79c02e05c6acfe5a215 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Thu, 17 Mar 2022 11:44:34 +0530
+Subject: [PATCH] [PATCH] Simplify allocations and fix merge and continue
+ actions [BZ #28931]
+
+Allocations for address tuples is currently a bit confusing because of
+the pointer chasing through PAT, making it hard to observe the sequence
+in which allocations have been made. Narrow scope of the pointer
+chasing through PAT so that it is only used where necessary.
+
+This also tightens actions behaviour with the hosts database in
+getaddrinfo to comply with the manual text. The "continue" action
+discards previous results and the "merge" action results in an immedate
+lookup failure. Consequently, chaining of allocations across modules is
+no longer necessary, thus opening up cleanup opportunities.
+
+A test has been added that checks some combinations to ensure that they
+work correctly.
+
+Resolves: BZ #28931
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: DJ Delorie <dj@redhat.com>
+---
+ nss/Makefile | 1 +
+ nss/tst-nss-gai-actions.c | 149 ++++++
+ nss/tst-nss-gai-actions.root/etc/host.conf | 1 +
+ nss/tst-nss-gai-actions.root/etc/hosts | 508 +++++++++++++++++++++
+ sysdeps/posix/getaddrinfo.c | 143 +++---
+ 5 files changed, 750 insertions(+), 52 deletions(-)
+ create mode 100644 nss/tst-nss-gai-actions.c
+ create mode 100644 nss/tst-nss-gai-actions.root/etc/host.conf
+ create mode 100644 nss/tst-nss-gai-actions.root/etc/hosts
+
+diff --git a/nss/Makefile b/nss/Makefile
+index bccf9f2806..637cbcb769 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -67,6 +67,7 @@ tests-container = \
+ tst-nss-compat1 \
+ tst-nss-test3 \
+ tst-nss-files-hosts-long \
++ tst-nss-gai-actions \
+ tst-nss-db-endpwent \
+ tst-nss-db-endgrent \
+ tst-reload1 tst-reload2
+diff --git a/nss/tst-nss-gai-actions.c b/nss/tst-nss-gai-actions.c
+new file mode 100644
+index 0000000000..efca6cd183
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.c
+@@ -0,0 +1,149 @@
++/* Test continue and merge NSS actions for getaddrinfo.
++ Copyright The GNU Toolchain Authors.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <https://www.gnu.org/licenses/>. */
++
++#include <dlfcn.h>
++#include <gnu/lib-names.h>
++#include <nss.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <support/check.h>
++#include <support/format_nss.h>
++#include <support/support.h>
++#include <support/xstdio.h>
++#include <support/xunistd.h>
++
++enum
++{
++ ACTION_MERGE = 0,
++ ACTION_CONTINUE,
++};
++
++static const char *
++family_str (int family)
++{
++ switch (family)
++ {
++ case AF_UNSPEC:
++ return "AF_UNSPEC";
++ case AF_INET:
++ return "AF_INET";
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static const char *
++action_str (int action)
++{
++ switch (action)
++ {
++ case ACTION_MERGE:
++ return "merge";
++ case ACTION_CONTINUE:
++ return "continue";
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static void
++do_one_test (int action, int family, bool canon)
++{
++ struct addrinfo hints =
++ {
++ .ai_family = family,
++ };
++
++ struct addrinfo *ai;
++
++ if (canon)
++ hints.ai_flags = AI_CANONNAME;
++
++ printf ("***** Testing \"files [SUCCESS=%s] files\" for family %s, %s\n",
++ action_str (action), family_str (family),
++ canon ? "AI_CANONNAME" : "");
++
++ int ret = getaddrinfo ("example.org", "80", &hints, &ai);
++
++ switch (action)
++ {
++ case ACTION_MERGE:
++ if (ret == 0)
++ {
++ char *formatted = support_format_addrinfo (ai, ret);
++
++ printf ("merge unexpectedly succeeded:\n %s\n", formatted);
++ support_record_failure ();
++ free (formatted);
++ }
++ else
++ return;
++ case ACTION_CONTINUE:
++ {
++ char *formatted = support_format_addrinfo (ai, ret);
++
++ /* Verify that the result appears exactly once. */
++ const char *expected = "address: STREAM/TCP 192.0.0.1 80\n"
++ "address: DGRAM/UDP 192.0.0.1 80\n"
++ "address: RAW/IP 192.0.0.1 80\n";
++
++ const char *contains = strstr (formatted, expected);
++ const char *contains2 = NULL;
++
++ if (contains != NULL)
++ contains2 = strstr (contains + strlen (expected), expected);
++
++ if (contains == NULL || contains2 != NULL)
++ {
++ printf ("continue failed:\n%s\n", formatted);
++ support_record_failure ();
++ }
++
++ free (formatted);
++ break;
++ }
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static void
++do_one_test_set (int action)
++{
++ char buf[32];
++
++ snprintf (buf, sizeof (buf), "files [SUCCESS=%s] files",
++ action_str (action));
++ __nss_configure_lookup ("hosts", buf);
++
++ do_one_test (action, AF_UNSPEC, false);
++ do_one_test (action, AF_INET, false);
++ do_one_test (action, AF_INET, true);
++}
++
++static int
++do_test (void)
++{
++ do_one_test_set (ACTION_CONTINUE);
++ do_one_test_set (ACTION_MERGE);
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/nss/tst-nss-gai-actions.root/etc/host.conf b/nss/tst-nss-gai-actions.root/etc/host.conf
+new file mode 100644
+index 0000000000..d1a59f73a9
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.root/etc/host.conf
+@@ -0,0 +1 @@
++multi on
+diff --git a/nss/tst-nss-gai-actions.root/etc/hosts b/nss/tst-nss-gai-actions.root/etc/hosts
+new file mode 100644
+index 0000000000..50ce9774dc
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.root/etc/hosts
+@@ -0,0 +1,508 @@
++192.0.0.1 example.org
++192.0.0.2 example.org
++192.0.0.3 example.org
++192.0.0.4 example.org
++192.0.0.5 example.org
++192.0.0.6 example.org
++192.0.0.7 example.org
++192.0.0.8 example.org
++192.0.0.9 example.org
++192.0.0.10 example.org
++192.0.0.11 example.org
++192.0.0.12 example.org
++192.0.0.13 example.org
++192.0.0.14 example.org
++192.0.0.15 example.org
++192.0.0.16 example.org
++192.0.0.17 example.org
++192.0.0.18 example.org
++192.0.0.19 example.org
++192.0.0.20 example.org
++192.0.0.21 example.org
++192.0.0.22 example.org
++192.0.0.23 example.org
++192.0.0.24 example.org
++192.0.0.25 example.org
++192.0.0.26 example.org
++192.0.0.27 example.org
++192.0.0.28 example.org
++192.0.0.29 example.org
++192.0.0.30 example.org
++192.0.0.31 example.org
++192.0.0.32 example.org
++192.0.0.33 example.org
++192.0.0.34 example.org
++192.0.0.35 example.org
++192.0.0.36 example.org
++192.0.0.37 example.org
++192.0.0.38 example.org
++192.0.0.39 example.org
++192.0.0.40 example.org
++192.0.0.41 example.org
++192.0.0.42 example.org
++192.0.0.43 example.org
++192.0.0.44 example.org
++192.0.0.45 example.org
++192.0.0.46 example.org
++192.0.0.47 example.org
++192.0.0.48 example.org
++192.0.0.49 example.org
++192.0.0.50 example.org
++192.0.0.51 example.org
++192.0.0.52 example.org
++192.0.0.53 example.org
++192.0.0.54 example.org
++192.0.0.55 example.org
++192.0.0.56 example.org
++192.0.0.57 example.org
++192.0.0.58 example.org
++192.0.0.59 example.org
++192.0.0.60 example.org
++192.0.0.61 example.org
++192.0.0.62 example.org
++192.0.0.63 example.org
++192.0.0.64 example.org
++192.0.0.65 example.org
++192.0.0.66 example.org
++192.0.0.67 example.org
++192.0.0.68 example.org
++192.0.0.69 example.org
++192.0.0.70 example.org
++192.0.0.71 example.org
++192.0.0.72 example.org
++192.0.0.73 example.org
++192.0.0.74 example.org
++192.0.0.75 example.org
++192.0.0.76 example.org
++192.0.0.77 example.org
++192.0.0.78 example.org
++192.0.0.79 example.org
++192.0.0.80 example.org
++192.0.0.81 example.org
++192.0.0.82 example.org
++192.0.0.83 example.org
++192.0.0.84 example.org
++192.0.0.85 example.org
++192.0.0.86 example.org
++192.0.0.87 example.org
++192.0.0.88 example.org
++192.0.0.89 example.org
++192.0.0.90 example.org
++192.0.0.91 example.org
++192.0.0.92 example.org
++192.0.0.93 example.org
++192.0.0.94 example.org
++192.0.0.95 example.org
++192.0.0.96 example.org
++192.0.0.97 example.org
++192.0.0.98 example.org
++192.0.0.99 example.org
++192.0.0.100 example.org
++192.0.0.101 example.org
++192.0.0.102 example.org
++192.0.0.103 example.org
++192.0.0.104 example.org
++192.0.0.105 example.org
++192.0.0.106 example.org
++192.0.0.107 example.org
++192.0.0.108 example.org
++192.0.0.109 example.org
++192.0.0.110 example.org
++192.0.0.111 example.org
++192.0.0.112 example.org
++192.0.0.113 example.org
++192.0.0.114 example.org
++192.0.0.115 example.org
++192.0.0.116 example.org
++192.0.0.117 example.org
++192.0.0.118 example.org
++192.0.0.119 example.org
++192.0.0.120 example.org
++192.0.0.121 example.org
++192.0.0.122 example.org
++192.0.0.123 example.org
++192.0.0.124 example.org
++192.0.0.125 example.org
++192.0.0.126 example.org
++192.0.0.127 example.org
++192.0.0.128 example.org
++192.0.0.129 example.org
++192.0.0.130 example.org
++192.0.0.131 example.org
++192.0.0.132 example.org
++192.0.0.133 example.org
++192.0.0.134 example.org
++192.0.0.135 example.org
++192.0.0.136 example.org
++192.0.0.137 example.org
++192.0.0.138 example.org
++192.0.0.139 example.org
++192.0.0.140 example.org
++192.0.0.141 example.org
++192.0.0.142 example.org
++192.0.0.143 example.org
++192.0.0.144 example.org
++192.0.0.145 example.org
++192.0.0.146 example.org
++192.0.0.147 example.org
++192.0.0.148 example.org
++192.0.0.149 example.org
++192.0.0.150 example.org
++192.0.0.151 example.org
++192.0.0.152 example.org
++192.0.0.153 example.org
++192.0.0.154 example.org
++192.0.0.155 example.org
++192.0.0.156 example.org
++192.0.0.157 example.org
++192.0.0.158 example.org
++192.0.0.159 example.org
++192.0.0.160 example.org
++192.0.0.161 example.org
++192.0.0.162 example.org
++192.0.0.163 example.org
++192.0.0.164 example.org
++192.0.0.165 example.org
++192.0.0.166 example.org
++192.0.0.167 example.org
++192.0.0.168 example.org
++192.0.0.169 example.org
++192.0.0.170 example.org
++192.0.0.171 example.org
++192.0.0.172 example.org
++192.0.0.173 example.org
++192.0.0.174 example.org
++192.0.0.175 example.org
++192.0.0.176 example.org
++192.0.0.177 example.org
++192.0.0.178 example.org
++192.0.0.179 example.org
++192.0.0.180 example.org
++192.0.0.181 example.org
++192.0.0.182 example.org
++192.0.0.183 example.org
++192.0.0.184 example.org
++192.0.0.185 example.org
++192.0.0.186 example.org
++192.0.0.187 example.org
++192.0.0.188 example.org
++192.0.0.189 example.org
++192.0.0.190 example.org
++192.0.0.191 example.org
++192.0.0.192 example.org
++192.0.0.193 example.org
++192.0.0.194 example.org
++192.0.0.195 example.org
++192.0.0.196 example.org
++192.0.0.197 example.org
++192.0.0.198 example.org
++192.0.0.199 example.org
++192.0.0.200 example.org
++192.0.0.201 example.org
++192.0.0.202 example.org
++192.0.0.203 example.org
++192.0.0.204 example.org
++192.0.0.205 example.org
++192.0.0.206 example.org
++192.0.0.207 example.org
++192.0.0.208 example.org
++192.0.0.209 example.org
++192.0.0.210 example.org
++192.0.0.211 example.org
++192.0.0.212 example.org
++192.0.0.213 example.org
++192.0.0.214 example.org
++192.0.0.215 example.org
++192.0.0.216 example.org
++192.0.0.217 example.org
++192.0.0.218 example.org
++192.0.0.219 example.org
++192.0.0.220 example.org
++192.0.0.221 example.org
++192.0.0.222 example.org
++192.0.0.223 example.org
++192.0.0.224 example.org
++192.0.0.225 example.org
++192.0.0.226 example.org
++192.0.0.227 example.org
++192.0.0.228 example.org
++192.0.0.229 example.org
++192.0.0.230 example.org
++192.0.0.231 example.org
++192.0.0.232 example.org
++192.0.0.233 example.org
++192.0.0.234 example.org
++192.0.0.235 example.org
++192.0.0.236 example.org
++192.0.0.237 example.org
++192.0.0.238 example.org
++192.0.0.239 example.org
++192.0.0.240 example.org
++192.0.0.241 example.org
++192.0.0.242 example.org
++192.0.0.243 example.org
++192.0.0.244 example.org
++192.0.0.245 example.org
++192.0.0.246 example.org
++192.0.0.247 example.org
++192.0.0.248 example.org
++192.0.0.249 example.org
++192.0.0.250 example.org
++192.0.0.251 example.org
++192.0.0.252 example.org
++192.0.0.253 example.org
++192.0.0.254 example.org
++192.0.1.1 example.org
++192.0.1.2 example.org
++192.0.1.3 example.org
++192.0.1.4 example.org
++192.0.1.5 example.org
++192.0.1.6 example.org
++192.0.1.7 example.org
++192.0.1.8 example.org
++192.0.1.9 example.org
++192.0.1.10 example.org
++192.0.1.11 example.org
++192.0.1.12 example.org
++192.0.1.13 example.org
++192.0.1.14 example.org
++192.0.1.15 example.org
++192.0.1.16 example.org
++192.0.1.17 example.org
++192.0.1.18 example.org
++192.0.1.19 example.org
++192.0.1.20 example.org
++192.0.1.21 example.org
++192.0.1.22 example.org
++192.0.1.23 example.org
++192.0.1.24 example.org
++192.0.1.25 example.org
++192.0.1.26 example.org
++192.0.1.27 example.org
++192.0.1.28 example.org
++192.0.1.29 example.org
++192.0.1.30 example.org
++192.0.1.31 example.org
++192.0.1.32 example.org
++192.0.1.33 example.org
++192.0.1.34 example.org
++192.0.1.35 example.org
++192.0.1.36 example.org
++192.0.1.37 example.org
++192.0.1.38 example.org
++192.0.1.39 example.org
++192.0.1.40 example.org
++192.0.1.41 example.org
++192.0.1.42 example.org
++192.0.1.43 example.org
++192.0.1.44 example.org
++192.0.1.45 example.org
++192.0.1.46 example.org
++192.0.1.47 example.org
++192.0.1.48 example.org
++192.0.1.49 example.org
++192.0.1.50 example.org
++192.0.1.51 example.org
++192.0.1.52 example.org
++192.0.1.53 example.org
++192.0.1.54 example.org
++192.0.1.55 example.org
++192.0.1.56 example.org
++192.0.1.57 example.org
++192.0.1.58 example.org
++192.0.1.59 example.org
++192.0.1.60 example.org
++192.0.1.61 example.org
++192.0.1.62 example.org
++192.0.1.63 example.org
++192.0.1.64 example.org
++192.0.1.65 example.org
++192.0.1.66 example.org
++192.0.1.67 example.org
++192.0.1.68 example.org
++192.0.1.69 example.org
++192.0.1.70 example.org
++192.0.1.71 example.org
++192.0.1.72 example.org
++192.0.1.73 example.org
++192.0.1.74 example.org
++192.0.1.75 example.org
++192.0.1.76 example.org
++192.0.1.77 example.org
++192.0.1.78 example.org
++192.0.1.79 example.org
++192.0.1.80 example.org
++192.0.1.81 example.org
++192.0.1.82 example.org
++192.0.1.83 example.org
++192.0.1.84 example.org
++192.0.1.85 example.org
++192.0.1.86 example.org
++192.0.1.87 example.org
++192.0.1.88 example.org
++192.0.1.89 example.org
++192.0.1.90 example.org
++192.0.1.91 example.org
++192.0.1.92 example.org
++192.0.1.93 example.org
++192.0.1.94 example.org
++192.0.1.95 example.org
++192.0.1.96 example.org
++192.0.1.97 example.org
++192.0.1.98 example.org
++192.0.1.99 example.org
++192.0.1.100 example.org
++192.0.1.101 example.org
++192.0.1.102 example.org
++192.0.1.103 example.org
++192.0.1.104 example.org
++192.0.1.105 example.org
++192.0.1.106 example.org
++192.0.1.107 example.org
++192.0.1.108 example.org
++192.0.1.109 example.org
++192.0.1.110 example.org
++192.0.1.111 example.org
++192.0.1.112 example.org
++192.0.1.113 example.org
++192.0.1.114 example.org
++192.0.1.115 example.org
++192.0.1.116 example.org
++192.0.1.117 example.org
++192.0.1.118 example.org
++192.0.1.119 example.org
++192.0.1.120 example.org
++192.0.1.121 example.org
++192.0.1.122 example.org
++192.0.1.123 example.org
++192.0.1.124 example.org
++192.0.1.125 example.org
++192.0.1.126 example.org
++192.0.1.127 example.org
++192.0.1.128 example.org
++192.0.1.129 example.org
++192.0.1.130 example.org
++192.0.1.131 example.org
++192.0.1.132 example.org
++192.0.1.133 example.org
++192.0.1.134 example.org
++192.0.1.135 example.org
++192.0.1.136 example.org
++192.0.1.137 example.org
++192.0.1.138 example.org
++192.0.1.139 example.org
++192.0.1.140 example.org
++192.0.1.141 example.org
++192.0.1.142 example.org
++192.0.1.143 example.org
++192.0.1.144 example.org
++192.0.1.145 example.org
++192.0.1.146 example.org
++192.0.1.147 example.org
++192.0.1.148 example.org
++192.0.1.149 example.org
++192.0.1.150 example.org
++192.0.1.151 example.org
++192.0.1.152 example.org
++192.0.1.153 example.org
++192.0.1.154 example.org
++192.0.1.155 example.org
++192.0.1.156 example.org
++192.0.1.157 example.org
++192.0.1.158 example.org
++192.0.1.159 example.org
++192.0.1.160 example.org
++192.0.1.161 example.org
++192.0.1.162 example.org
++192.0.1.163 example.org
++192.0.1.164 example.org
++192.0.1.165 example.org
++192.0.1.166 example.org
++192.0.1.167 example.org
++192.0.1.168 example.org
++192.0.1.169 example.org
++192.0.1.170 example.org
++192.0.1.171 example.org
++192.0.1.172 example.org
++192.0.1.173 example.org
++192.0.1.174 example.org
++192.0.1.175 example.org
++192.0.1.176 example.org
++192.0.1.177 example.org
++192.0.1.178 example.org
++192.0.1.179 example.org
++192.0.1.180 example.org
++192.0.1.181 example.org
++192.0.1.182 example.org
++192.0.1.183 example.org
++192.0.1.184 example.org
++192.0.1.185 example.org
++192.0.1.186 example.org
++192.0.1.187 example.org
++192.0.1.188 example.org
++192.0.1.189 example.org
++192.0.1.190 example.org
++192.0.1.191 example.org
++192.0.1.192 example.org
++192.0.1.193 example.org
++192.0.1.194 example.org
++192.0.1.195 example.org
++192.0.1.196 example.org
++192.0.1.197 example.org
++192.0.1.198 example.org
++192.0.1.199 example.org
++192.0.1.200 example.org
++192.0.1.201 example.org
++192.0.1.202 example.org
++192.0.1.203 example.org
++192.0.1.204 example.org
++192.0.1.205 example.org
++192.0.1.206 example.org
++192.0.1.207 example.org
++192.0.1.208 example.org
++192.0.1.209 example.org
++192.0.1.210 example.org
++192.0.1.211 example.org
++192.0.1.212 example.org
++192.0.1.213 example.org
++192.0.1.214 example.org
++192.0.1.215 example.org
++192.0.1.216 example.org
++192.0.1.217 example.org
++192.0.1.218 example.org
++192.0.1.219 example.org
++192.0.1.220 example.org
++192.0.1.221 example.org
++192.0.1.222 example.org
++192.0.1.223 example.org
++192.0.1.224 example.org
++192.0.1.225 example.org
++192.0.1.226 example.org
++192.0.1.227 example.org
++192.0.1.228 example.org
++192.0.1.229 example.org
++192.0.1.230 example.org
++192.0.1.231 example.org
++192.0.1.232 example.org
++192.0.1.233 example.org
++192.0.1.234 example.org
++192.0.1.235 example.org
++192.0.1.236 example.org
++192.0.1.237 example.org
++192.0.1.238 example.org
++192.0.1.239 example.org
++192.0.1.240 example.org
++192.0.1.241 example.org
++192.0.1.242 example.org
++192.0.1.243 example.org
++192.0.1.244 example.org
++192.0.1.245 example.org
++192.0.1.246 example.org
++192.0.1.247 example.org
++192.0.1.248 example.org
++192.0.1.249 example.org
++192.0.1.250 example.org
++192.0.1.251 example.org
++192.0.1.252 example.org
++192.0.1.253 example.org
++192.0.1.254 example.org
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 838a68f022..085c0b8370 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -458,11 +458,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (name != NULL)
+ {
+- at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
+- at->family = AF_UNSPEC;
+- at->scopeid = 0;
+- at->next = NULL;
+-
+ if (req->ai_flags & AI_IDN)
+ {
+ char *out;
+@@ -473,13 +468,21 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ malloc_name = true;
+ }
+
+- if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
++ uint32_t addr[4];
++ if (__inet_aton_exact (name, (struct in_addr *) addr) != 0)
+ {
++ at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
++ at->scopeid = 0;
++ at->next = NULL;
++
+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+- at->family = AF_INET;
++ {
++ memcpy (at->addr, addr, sizeof (at->addr));
++ at->family = AF_INET;
++ }
+ else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
+ {
+- at->addr[3] = at->addr[0];
++ at->addr[3] = addr[0];
+ at->addr[2] = htonl (0xffff);
+ at->addr[1] = 0;
+ at->addr[0] = 0;
+@@ -493,49 +496,62 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (req->ai_flags & AI_CANONNAME)
+ canon = name;
++
++ goto process_list;
+ }
+- else if (at->family == AF_UNSPEC)
++
++ char *scope_delim = strchr (name, SCOPE_DELIMITER);
++ int e;
++
++ if (scope_delim == NULL)
++ e = inet_pton (AF_INET6, name, addr);
++ else
++ e = __inet_pton_length (AF_INET6, name, scope_delim - name, addr);
++
++ if (e > 0)
+ {
+- char *scope_delim = strchr (name, SCOPE_DELIMITER);
+- int e;
+- if (scope_delim == NULL)
+- e = inet_pton (AF_INET6, name, at->addr);
++ at = alloca_account (sizeof (struct gaih_addrtuple),
++ alloca_used);
++ at->scopeid = 0;
++ at->next = NULL;
++
++ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
++ {
++ memcpy (at->addr, addr, sizeof (at->addr));
++ at->family = AF_INET6;
++ }
++ else if (req->ai_family == AF_INET
++ && IN6_IS_ADDR_V4MAPPED (addr))
++ {
++ at->addr[0] = addr[3];
++ at->addr[1] = addr[1];
++ at->addr[2] = addr[2];
++ at->addr[3] = addr[3];
++ at->family = AF_INET;
++ }
+ else
+- e = __inet_pton_length (AF_INET6, name, scope_delim - name,
+- at->addr);
+- if (e > 0)
+ {
+- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
+- at->family = AF_INET6;
+- else if (req->ai_family == AF_INET
+- && IN6_IS_ADDR_V4MAPPED (at->addr))
+- {
+- at->addr[0] = at->addr[3];
+- at->family = AF_INET;
+- }
+- else
+- {
+- result = -EAI_ADDRFAMILY;
+- goto free_and_return;
+- }
+-
+- if (scope_delim != NULL
+- && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
+- scope_delim + 1,
+- &at->scopeid) != 0)
+- {
+- result = -EAI_NONAME;
+- goto free_and_return;
+- }
++ result = -EAI_ADDRFAMILY;
++ goto free_and_return;
++ }
+
+- if (req->ai_flags & AI_CANONNAME)
+- canon = name;
++ if (scope_delim != NULL
++ && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
++ scope_delim + 1,
++ &at->scopeid) != 0)
++ {
++ result = -EAI_NONAME;
++ goto free_and_return;
+ }
++
++ if (req->ai_flags & AI_CANONNAME)
++ canon = name;
++
++ goto process_list;
+ }
+
+- if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
++ if ((req->ai_flags & AI_NUMERICHOST) == 0)
+ {
+- struct gaih_addrtuple **pat = &at;
+ int no_data = 0;
+ int no_inet6_data = 0;
+ nss_action_list nip;
+@@ -543,6 +559,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ enum nss_status status = NSS_STATUS_UNAVAIL;
+ int no_more;
+ struct resolv_context *res_ctx = NULL;
++ bool do_merge = false;
+
+ /* If we do not have to look for IPv6 addresses or the canonical
+ name, use the simple, old functions, which do not support
+@@ -579,7 +596,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ result = -EAI_MEMORY;
+ goto free_and_return;
+ }
+- *pat = addrmem;
++ at = addrmem;
+ }
+ else
+ {
+@@ -632,6 +649,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ }
+
+ struct gaih_addrtuple *addrfree = addrmem;
++ struct gaih_addrtuple **pat = &at;
++
+ for (int i = 0; i < air->naddrs; ++i)
+ {
+ socklen_t size = (air->family[i] == AF_INET
+@@ -695,12 +714,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ free (air);
+
+- if (at->family == AF_UNSPEC)
+- {
+- result = -EAI_NONAME;
+- goto free_and_return;
+- }
+-
+ goto process_list;
+ }
+ else if (err == 0)
+@@ -732,6 +745,22 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ while (!no_more)
+ {
++ /* Always start afresh; continue should discard previous results
++ and the hosts database does not support merge. */
++ at = NULL;
++ free (canonbuf);
++ free (addrmem);
++ canon = canonbuf = NULL;
++ addrmem = NULL;
++ got_ipv6 = false;
++
++ if (do_merge)
++ {
++ __set_h_errno (NETDB_INTERNAL);
++ __set_errno (EBUSY);
++ break;
++ }
++
+ no_data = 0;
+ nss_gethostbyname4_r *fct4 = NULL;
+
+@@ -744,12 +773,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ {
+ while (1)
+ {
+- status = DL_CALL_FCT (fct4, (name, pat,
++ status = DL_CALL_FCT (fct4, (name, &at,
+ tmpbuf->data, tmpbuf->length,
+ &errno, &h_errno,
+ NULL));
+ if (status == NSS_STATUS_SUCCESS)
+ break;
++ /* gethostbyname4_r may write into AT, so reset it. */
++ at = NULL;
+ if (status != NSS_STATUS_TRYAGAIN
+ || errno != ERANGE || h_errno != NETDB_INTERNAL)
+ {
+@@ -774,7 +805,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ no_data = 1;
+
+ if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
+- canon = (*pat)->name;
++ canon = at->name;
++
++ struct gaih_addrtuple **pat = &at;
+
+ while (*pat != NULL)
+ {
+@@ -826,6 +859,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (fct != NULL)
+ {
++ struct gaih_addrtuple **pat = &at;
++
+ if (req->ai_family == AF_INET6
+ || req->ai_family == AF_UNSPEC)
+ {
+@@ -899,6 +934,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
+ break;
+
++ /* The hosts database does not support MERGE. */
++ if (nss_next_action (nip, status) == NSS_ACTION_MERGE)
++ do_merge = true;
++
+ nip++;
+ if (nip->module == NULL)
+ no_more = -1;
+@@ -930,7 +969,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ }
+
+ process_list:
+- if (at->family == AF_UNSPEC)
++ if (at == NULL)
+ {
+ result = -EAI_NONAME;
+ goto free_and_return;
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch
new file mode 100644
index 000000000..cae176613
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,156 @@
+From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Tue, 19 Sep 2023 18:39:32 -0400
+Subject: [PATCH] tunables: Terminate if end of input is reached
+(CVE-2023-4911)
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+
+This also fixes up tst-env-setuid-tunables to actually handle failures
+correct and add new tests to validate the fix for this CVE.
+
+Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+---
+ elf/dl-tunables.c | 16 ++++++++-------
+ elf/tst-env-setuid-tunables.c | 38 ++++++++++++++++++++++++++---------
+ 2 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8009e54ee5..a5a5d52ee1 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -188,11 +188,7 @@ parse_tunables (char *tunestr, char *valstring)
+ /* If we reach the end of the string before getting a valid name-value
+ pair, bail out. */
+ if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+
+ /* We did not find a valid name-value pair before encountering the
+ colon. */
+@@ -252,9 +248,15 @@ parse_tunables (char *tunestr, char *valstring)
+ }
+ }
+
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p+= len +1;
+ }
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+ }
+ #endif
+
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 05619c9adc..907aa6601f 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -52,6 +52,8 @@ const char *teststrings[] =
+ "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+ "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+ "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++ "glibc.malloc.check=2",
+ "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+ "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+ ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -70,6 +72,8 @@ const char *resultstrings[] =
+ "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+ "glibc.malloc.mmap_threshold=4096",
+ "glibc.malloc.mmap_threshold=4096",
++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++ "",
+ "",
+ "",
+ "",
+@@ -83,12 +87,19 @@ test_child (int off)
+ {
+ const char *val = getenv ("GLIBC_TUNABLES");
+
++ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val);
++ fflush (stdout);
+ #if HAVE_TUNABLES
+ if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+ return 0;
+
+ if (val != NULL)
+- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++ off, val, resultstrings[off]);
++ else:
++ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++ fflush(stdout);
+
+ return 1;
+ #else
+@@ -116,22 +127,26 @@ do_test (int argc, char **argv)
+
+ if (ret != 0)
+ exit (1);
+-
+- exit (EXIT_SUCCESS);
++ /* Special return code to make sure that the child executed all the way
++ through. */
++ exit(42);
+ }
+ else
+ {
+- int ret = 0;
+-
+ /* Spawn tests. */
+ for (int i = 0; i < array_length (teststrings); i++)
+ {
+ char buf[INT_BUFSIZE_BOUND (int)];
+
+- printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++ printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ snprintf (buf, sizeof (buf), "%d\n", i);
++ fflush (stdout);
+ if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+- exit (1);
++ {
++ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i);
++ support_record_failure ();
++ continue;
++ }
+
+ int status = support_capture_subprogram_self_sgid (buf);
+
+@@ -139,9 +154,14 @@ do_test (int argc, char **argv)
+ if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ return EXIT_UNSUPPORTED;
+
+- ret |= status;
++ if (WEXITSTATUS (status) != 42)
++ {
++ printf (" [%d] child failed with status %d\n", i,
++ WEXITSTATUS (status));
++ support_record_failure ();
++ }
+ }
+- return ret;
++ return 0;
+ }
+ }
+
+--
+2.25.1
+
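Review bot: In the elf/tst-env-setuid-tunables.c part of this backport, `test_child` gains an `else:` branch, and a colon after `else` is not valid C, so the test file cannot compile when `HAVE_TUNABLES` is set. The line should read `else` with no colon. The image build probably never compiles glibc's own tests, which would explain why this went unnoticed, but it means the regression test for the tunables overflow cannot be run from this tree as patched. In elf/dl-tunables.c, both loop exits visible in the hunks now reach the single `tunestr[off] = '\0'` termination; the rest of `parse_tunables` lies outside the hunks.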
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
index 96c4947ad..375ef8804 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
@@ -10,4 +10,6 @@ SRC_URI += " \
file://CVE-2021-43396.patch \
file://CVE-2021-3998.patch \
file://CVE-2023-0687.patch \
+ file://CVE-2023-4813.patch \
+ file://CVE-2023-4911.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch
new file mode 100644
index 000000000..7440df946
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch
@@ -0,0 +1,35 @@
+From a9d4919f7eb92fecbcea141200ca04507fa8c73b Mon Sep 17 00:00:00 2001
+From: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+Date: Thu, 5 Oct 2023 12:50:39 +0000
+Subject: [PATCH] Fix for static analyser tool reported issues.
+
+In this code, we first save the original format flags of std::cerr
+using std::ios_base::fmtflags originalFlags = std::cerr.flags().
+Then, we can modify the format flags as needed. Finally, after
+using the modified format flags, we restore the original format
+flags using std::cerr.flags(originalFlags);
+
+Signed-off-by: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+---
+ include/host_error_monitor.hpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/host_error_monitor.hpp b/include/host_error_monitor.hpp
+index 4bccdcc..a4aa5a3 100644
+--- a/include/host_error_monitor.hpp
++++ b/include/host_error_monitor.hpp
+@@ -169,9 +169,11 @@ static inline bool peciError(EPECIStatus peciStatus, uint8_t cc)
+ static void printPECIError(const std::string& reg, const size_t addr,
+ const EPECIStatus peciStatus, const size_t cc)
+ {
++ std::ios_base::fmtflags originalFlags = std::cerr.flags();
+ std::cerr << "Failed to read " << reg << " on CPU address " << std::dec
+ << addr << ". Error: " << peciStatus << ": cc: 0x" << std::hex
+ << cc << "\n";
++ std::cerr.flags(originalFlags);
+ }
+
+ static void beep(std::shared_ptr<sdbusplus::asio::connection> conn,
+--
+2.25.1
+
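Review bot: The patch header has no `Upstream-Status:` line, so nothing records whether this change was sent to the openbmc/host-error-monitor repository or is carried only in this layer. Adding `Upstream-Status: Pending` (or `Submitted [<review URL>]`) above the `Signed-off-by:` line keeps the patch auditable when SRCREV is next bumped. The same tag is missing from 0001-static-analyzer-issue-resolution.patch. The CVE backports CVE-2023-4911.patch, CVE-2023-45853.patch and CVE-2021-32292.patch would be easier to verify against upstream with `Upstream-Status: Backport [<upstream commit URL>]` and a `CVE:` line in their headers.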
diff --git a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend
index 26e9a2ea5..0479c2b6f 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend
@@ -1,6 +1,11 @@
# The URI is required for the autobump script but keep it commented
# to not override the upstream value
# SRC_URI = "git://github.com/openbmc/host-error-monitor;branch=master;protocol=https"
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
SRCREV = "ed6972aefe37a039d5b41d183eafc8c48549be67"
+SRC_URI += " \
+ file://0001-Static-analyser-issue-resolution.patch \
+ "
EXTRA_OECMAKE = "-DYOCTO=1"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch
new file mode 100644
index 000000000..9ffed06d3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch
@@ -0,0 +1,28 @@
+From f62ee5b5ccc0496c864ad2844af93b2a99ed0ed2 Mon Sep 17 00:00:00 2001
+From: "Munukuru, YaswanthX Reddy" <yaswanthx.reddy.munukuru@intel.com>
+Date: Fri, 6 Oct 2023 05:01:55 -0700
+Subject: [PATCH] This Commit fixes the Uninitialized scalar variable issue
+
+Variable is declared but not initialized before it's used.
+
+Signed-off-by: Munukuru, YaswanthX Reddy <yaswanthx.reddy.munukuru@intel.com>
+---
+ src/manufacturingcommands.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/manufacturingcommands.cpp b/src/manufacturingcommands.cpp
+index 9f16d95..14dc96a 100644
+--- a/src/manufacturingcommands.cpp
++++ b/src/manufacturingcommands.cpp
+@@ -642,7 +642,7 @@ ipmi::RspType<> appMTMSetSignal(ipmi::Context::ptr ctx, uint8_t signalTypeByte,
+ return ipmi::responseUnspecifiedError();
+ }
+
+- struct input_event event;
++ struct input_event event = {0};
+ event.type = EV_SND;
+ event.code = SND_TONE;
+ event.value = 2000;
+--
+2.25.1
+
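Review bot: `struct input_event event = {0};` is the C spelling of zero-initialization; in this C++ file it names a value for the first member only and relies on brace elision if that member is itself a struct, which some compilers warn about. `struct input_event event = {};` value-initializes every member and is the idiomatic C++ form. The body of `appMTMSetSignal` starts and ends outside the hunk, so whether every field is assigned before the event is written cannot be checked here.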
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
index 1892a3d44..ec3aa0c80 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
@@ -6,3 +6,5 @@ SRCREV = "6346e98cd5f33be2328478f865b34edc7203a99d"
FILESEXTRAPATHS:append := ":${THISDIR}/${PN}"
+SRC_URI += "file://0001-static-analyzer-issue-resolution.patch \
+ "
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch
new file mode 100644
index 000000000..4c5dacd76
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,38 @@
+From 431e66398552effd82d5c0ea982a521821782ebd Mon Sep 17 00:00:00 2001
+From: Hans Wennborg <hans@chromium.org>
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] minizip: Check length of comment, filename, and extra field,
+ in zipOpenNewFileInZip4_64
+
+These are stored in 16-bit fields in the zip file format. Passing longer
+values would generate an invalid file.
+
+Passing very long values could also cause the computation of
+zi->ci.size_centralheader to overflow, which would cause heap buffer
+overflow on subsequent writes to zi->ci.central_header.
+---
+ contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+ return ZIP_PARAMERROR;
+ #endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+
+ if (zi->in_opened_file_inzip == 1)
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb
index ec977a303..9d12f49f3 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
SRC_URI = "https://zlib.net/${BP}.tar.gz \
file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
file://run-ptest \
+ file://CVE-2023-45853.patch \
"
UPSTREAM_CHECK_URI = "http://zlib.net/"
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
new file mode 100644
index 000000000..bfbdce690
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
@@ -0,0 +1,24 @@
+From 4e9e44e5258dee7654f74948b0dd5da39c28beec Mon Sep 17 00:00:00 2001
+From: Marc <34656315+MarcT512@users.noreply.github.com>
+Date: Fri, 7 Aug 2020 10:49:45 +0100
+Subject: [PATCH] Fix read past end of buffer
+
+Resolves https://github.com/json-c/json-c/issues/654
+---
+ apps/json_parse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/json_parse.c b/apps/json_parse.c
+index bba4622183..72b31a860a 100644
+--- a/apps/json_parse.c
++++ b/apps/json_parse.c
+@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *))
+ int parse_end = json_tokener_get_parse_end(tok);
+ if (obj == NULL && jerr != json_tokener_continue)
+ {
+- char *aterr = &buf[start_pos + parse_end];
++ char *aterr = (start_pos + parse_end < sizeof(buf)) ?
++ &buf[start_pos + parse_end] : "";
+ fflush(stdout);
+ int fail_offset = total_read - ret + start_pos + parse_end;
+ fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset,
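Review bot: The new bound for `aterr` is `sizeof(buf)`, which is the right limit only if `buf` is an array declared in `parseit` (the declaration is outside the hunk), and which is the buffer's capacity rather than the number of bytes the last read filled. An index past the valid data but still inside the array passes the check, so the `%c` in the following `fprintf` can print a stale byte; that is not an out-of-bounds read, but comparing against the byte count of the current chunk would be tighter. `start_pos + parse_end` is presumably a signed sum compared with a `size_t`, so a negative value converts to a large unsigned one and takes the `""` branch, which is safe but deserves a comment such as `/* out-of-range or negative index: report an empty string */`.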
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend
new file mode 100644
index 000000000..c0c43ff17
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://CVE-2021-32292.patch \
+ "
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch
new file mode 100644
index 000000000..d6e439ba2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch
@@ -0,0 +1,22 @@
+From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
+Date: Thu, 27 Apr 2017 14:25:42 +0200
+Subject: [PATCH] Disable running gyp on shared deps
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 93d63110..79caaec2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -138,7 +138,7 @@ with-code-cache test-code-cache:
+ $(warning '$@' target is a noop)
+
+ out/Makefile: config.gypi common.gypi node.gyp \
+- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
++ deps/llhttp/llhttp.gyp \
+ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
+ $(PYTHON) tools/gyp_node.py -f make
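Review bot: Removing `deps/uv/uv.gyp` and `deps/zlib/zlib.gyp` from the prerequisites of `out/Makefile` is unconditional, so it is only correct if the recipe always configures node against the system libuv and zlib; the configure options are not part of this hunk. With the bundled copies in use, edits to those two gyp files would no longer regenerate `out/Makefile`. A comment above the rule in the patched Makefile, for example `# uv.gyp and zlib.gyp omitted: built against shared libuv and zlib`, and an `Upstream-Status:` line in the patch header would make that assumption visible.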
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch
new file mode 100644
index 000000000..d7005ae97
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch
@@ -0,0 +1,71 @@
+From dc3652c0abcdf8573fd044907b19d8eda7ca1124 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 20 Oct 2021 12:49:58 -0700
+Subject: [PATCH] [liftoff] Correct function signatures
+
+Fixes builds on mips where clang reports an error
+../deps/v8/src/wasm/baseline/mips/liftoff-assembler-mips.h:661:5: error: no matching member function for call to 'Move'
+ Move(tmp, src, type.value_type());
+ ^~~~
+
+Upstream-Status: Submitted [https://chromium-review.googlesource.com/c/v8/v8/+/3235674]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/wasm/baseline/liftoff-assembler.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/deps/v8/src/wasm/baseline/liftoff-assembler.h
++++ b/deps/v8/src/wasm/baseline/liftoff-assembler.h
+@@ -613,7 +613,7 @@ class LiftoffAssembler : public TurboAss
+ void FinishCall(const ValueKindSig*, compiler::CallDescriptor*);
+
+ // Move {src} into {dst}. {src} and {dst} must be different.
+- void Move(LiftoffRegister dst, LiftoffRegister src, ValueKind);
++ void Move(LiftoffRegister dst, LiftoffRegister src, ValueKind kind);
+
+ // Parallel register move: For a list of tuples <dst, src, kind>, move the
+ // {src} register of kind {kind} into {dst}. If {src} equals {dst}, ignore
+@@ -759,8 +759,8 @@ class LiftoffAssembler : public TurboAss
+ inline void MoveStackValue(uint32_t dst_offset, uint32_t src_offset,
+ ValueKind);
+
+- inline void Move(Register dst, Register src, ValueKind);
+- inline void Move(DoubleRegister dst, DoubleRegister src, ValueKind);
++ inline void Move(Register dst, Register src, ValueKind kind);
++ inline void Move(DoubleRegister dst, DoubleRegister src, ValueKind kind);
+
+ inline void Spill(int offset, LiftoffRegister, ValueKind);
+ inline void Spill(int offset, WasmValue);
+--- a/deps/v8/src/wasm/baseline/mips/liftoff-assembler-mips.h
++++ b/deps/v8/src/wasm/baseline/mips/liftoff-assembler-mips.h
+@@ -658,7 +658,7 @@ void LiftoffAssembler::Store(Register ds
+ pinned = pinned | LiftoffRegList::ForRegs(dst_op.rm(), src);
+ LiftoffRegister tmp = GetUnusedRegister(src.reg_class(), pinned);
+ // Save original value.
+- Move(tmp, src, type.value_type());
++ Move(tmp, src, type.value_type().kind());
+
+ src = tmp;
+ pinned.set(tmp);
+--- a/deps/v8/src/wasm/baseline/mips64/liftoff-assembler-mips64.h
++++ b/deps/v8/src/wasm/baseline/mips64/liftoff-assembler-mips64.h
+@@ -596,7 +596,7 @@ void LiftoffAssembler::Store(Register ds
+ pinned.set(dst_op.rm());
+ LiftoffRegister tmp = GetUnusedRegister(src.reg_class(), pinned);
+ // Save original value.
+- Move(tmp, src, type.value_type());
++ Move(tmp, src, type.value_type().kind());
+
+ src = tmp;
+ pinned.set(tmp);
+--- a/deps/v8/src/wasm/baseline/riscv64/liftoff-assembler-riscv64.h
++++ b/deps/v8/src/wasm/baseline/riscv64/liftoff-assembler-riscv64.h
+@@ -580,7 +580,7 @@ void LiftoffAssembler::Store(Register ds
+ pinned.set(dst_op.rm());
+ LiftoffRegister tmp = GetUnusedRegister(src.reg_class(), pinned);
+ // Save original value.
+- Move(tmp, src, type.value_type());
++ Move(tmp, src, type.value_type().kind());
+
+ src = tmp;
+ pinned.set(tmp);
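Review bot: The three declaration changes in liftoff-assembler.h only give the unnamed `ValueKind` parameter a name, which leaves the signatures as they were. What resolves the quoted `no matching member function for call to 'Move'` error is the `.kind()` added at the call sites in the mips, mips64 and riscv64 headers. Dropping the liftoff-assembler.h hunks would make the patch smaller and less likely to conflict on a V8 update. The diffstat in the header lists only `src/wasm/baseline/liftoff-assembler.h`, while the patch touches four files under `deps/v8/`, so it should be regenerated.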
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch
new file mode 100644
index 000000000..4773f0510
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch
@@ -0,0 +1,23 @@
+From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 15 Jun 2021 19:01:31 -0700
+Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang
+
+clang does not support this option
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ common.gypi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/common.gypi
++++ b/common.gypi
+@@ -417,7 +417,7 @@
+ 'ldflags': [ '-m32' ],
+ }],
+ [ 'target_arch=="ppc64" and OS!="aix"', {
+- 'cflags': [ '-m64', '-mminimal-toc' ],
++ 'cflags': [ '-m64' ],
+ 'ldflags': [ '-m64' ],
+ }],
+ [ 'target_arch=="s390x"', {
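Review bot: The subject limits the change to clang, but the hunk drops `-mminimal-toc` from the ppc64 `cflags` for every compiler, so GCC builds lose the flag as well. If that is acceptable for this layer, the description should say so. Otherwise keep the flag behind a compiler condition, for example a nested `['clang==0', { 'cflags': [ '-mminimal-toc' ] }]` inside the ppc64 block, assuming the `clang` gyp variable is defined in this tree. The header also has no `Upstream-Status:` line.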
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch
new file mode 100644
index 000000000..5cb2e9701
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch
@@ -0,0 +1,96 @@
+From 62ddf8499747fb1e366477d666c0634ad50039a9 Mon Sep 17 00:00:00 2001
+From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
+Date: Tue, 19 Mar 2019 23:22:40 -0400
+Subject: [PATCH 2/2] Install both binaries and use libdir.
+
+This allows us to build with a shared library for other users while
+still providing the normal executable.
+
+Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
+Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ configure.py | 7 +++++++
+ tools/install.py | 21 +++++++++------------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/configure.py b/configure.py
+index 6efb98c2316f089f3167e486282593245373af3f..a6d2ec939e4480dfae703f3978067537abf9f0f0 100755
+--- a/configure.py
++++ b/configure.py
+@@ -721,10 +721,16 @@ parser.add_argument('--shared',
+ dest='shared',
+ default=None,
+ help='compile shared library for embedding node in another project. ' +
+ '(This mode is not officially supported for regular applications)')
+
++parser.add_argument('--libdir',
++ action='store',
++ dest='libdir',
++ default='lib',
++ help='a directory to install the shared library into')
++
+ parser.add_argument('--without-v8-platform',
+ action='store_true',
+ dest='without_v8_platform',
+ default=False,
+ help='do not initialize v8 platform during node.js startup. ' +
+@@ -1305,10 +1311,11 @@ def configure_node(o):
+ o['variables']['debug_nghttp2'] = 'false'
+
+ o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
+
+ o['variables']['node_shared'] = b(options.shared)
++ o['variables']['libdir'] = options.libdir
+ node_module_version = getmoduleversion.get_version()
+
+ if options.dest_os == 'android':
+ shlib_suffix = 'so'
+ elif sys.platform == 'darwin':
+diff --git a/tools/install.py b/tools/install.py
+index 41cc1cbc60a9480cc08df3aa0ebe582c2becc3a2..11208f9e7166ab60da46d5ace2257c239a7e9263 100755
+--- a/tools/install.py
++++ b/tools/install.py
+@@ -128,26 +128,23 @@ def subdir_files(path, dest, action):
+ for subdir, files_in_path in ret.items():
+ action(files_in_path, subdir + '/')
+
+ def files(action):
+ is_windows = sys.platform == 'win32'
+- output_file = 'node'
+ output_prefix = 'out/Release/'
++ output_libprefix = output_prefix
+
+- if 'false' == variables.get('node_shared'):
+- if is_windows:
+- output_file += '.exe'
++ if is_windows:
++ output_bin = 'node.exe'
++ output_lib = 'node.dll'
+ else:
+- if is_windows:
+- output_file += '.dll'
+- else:
+- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix')
++ output_bin = 'node'
++ output_lib = 'libnode.' + variables.get('shlib_suffix')
+
+- if 'false' == variables.get('node_shared'):
+- action([output_prefix + output_file], 'bin/' + output_file)
+- else:
+- action([output_prefix + output_file], 'lib/' + output_file)
++ action([output_prefix + output_bin], 'bin/' + output_bin)
++ if 'true' == variables.get('node_shared'):
++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
+
+ if 'true' == variables.get('node_use_dtrace'):
+ action(['out/Release/node.d'], 'lib/dtrace/node.d')
+
+ # behave similarly for systemtap
+--
+2.33.0
+
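Review bot: `o['variables']['libdir'] = options.libdir` in `configure_node` records the `--libdir` value verbatim, and the recipe added in this commit calls configure with `--libdir=${D}${libdir}`, an absolute path inside the build tree. If `o['variables']` ends up in the generated configuration that is installed or exposed at runtime (that part is outside this hunk, so please confirm), the image would carry a build-host path, which hurts reproducibility and discloses the build layout. I would add a comment above the `--libdir` argument in the recipe explaining why the staged path is needed, and check the installed configuration for the `${D}` prefix. In `files()`, `variables.get('libdir') + '/' + output_lib` raises a TypeError when the key is absent; `variables.get('libdir', 'lib')` keeps the previous default. Both functions start and end outside their hunks.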
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch
new file mode 100644
index 000000000..8db1f1dd5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch
@@ -0,0 +1,70 @@
+From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001
+From: Guillaume Burel <guillaume.burel@stormshield.eu>
+Date: Fri, 3 Jan 2020 11:25:54 +0100
+Subject: [PATCH] Using native binaries
+
+---
+ node.gyp | 4 ++--
+ tools/v8_gypfiles/v8.gyp | 11 ++++-------
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/node.gyp
++++ b/node.gyp
+@@ -294,6 +294,7 @@
+ 'action_name': 'run_mkcodecache',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(mkcodecache_exec)',
+ ],
+ 'outputs': [
+@@ -319,6 +320,7 @@
+ 'action_name': 'node_mksnapshot',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(node_mksnapshot_exec)',
+ ],
+ 'outputs': [
+--- a/tools/v8_gypfiles/v8.gyp
++++ b/tools/v8_gypfiles/v8.gyp
+@@ -68,6 +68,7 @@
+ {
+ 'action_name': 'run_torque_action',
+ 'inputs': [ # Order matters.
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)',
+ '<@(torque_files)',
+ ],
+@@ -99,6 +100,7 @@
+ '<@(torque_outputs_inc)',
+ ],
+ 'action': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)',
+ '-o', '<(SHARED_INTERMEDIATE_DIR)/torque-generated',
+ '-v8-root', '<(V8_ROOT)',
+@@ -225,6 +227,7 @@
+ {
+ 'action_name': 'generate_bytecode_builtins_list_action',
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)',
+ ],
+ 'outputs': [
+@@ -415,6 +418,7 @@
+ ],
+ },
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(mksnapshot_exec)',
+ ],
+ 'outputs': [
+@@ -1548,6 +1552,7 @@
+ {
+ 'action_name': 'run_gen-regexp-special-case_action',
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)',
+ ],
+ 'outputs': [
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch
new file mode 100644
index 000000000..97ed972ce
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch
@@ -0,0 +1,102 @@
+From 47ee5cc5501289205d3e8e9f27ea9daf18cebac1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
+Date: Sat, 9 Nov 2019 14:45:30 +0000
+Subject: [PATCH] v8: don't override ARM CFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This overrides yocto-provided build flags with its own, e.g we get
+ arm-poky-linux-musleabi-g++ -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a7 \
+ ... \
+ -march=armv7-a -mfpu=neon -mfloat-abi=hard -marm
+
+Causing the latter to override the former, and compiler warnings:
+ cc1plus: warning: switch '-mcpu=cortex-a7' conflicts with '-march=armv7-a' switch
+
+Patch this out, so that yocto-provided flags take precedence.
+Note that in reality the same should probably be done for all the other
+supported architectures, too.
+
+Note that this also switches to Thumb(2) mode (in my case). No obvious
+problems have been noted during compilation or runtime.
+
+Upstream-Status: Inappropriate [oe-specific]
+Signed-off-by: André Draszik <git@andred.net>
+---
+ tools/v8_gypfiles/toolchain.gypi | 52 ++------------------------------
+ 1 file changed, 2 insertions(+), 50 deletions(-)
+
+diff --git a/tools/v8_gypfiles/toolchain.gypi b/tools/v8_gypfiles/toolchain.gypi
+index 264b3e478e..0b41848145 100644
+--- a/tools/v8_gypfiles/toolchain.gypi
++++ b/tools/v8_gypfiles/toolchain.gypi
+@@ -211,31 +211,7 @@
+ 'target_conditions': [
+ ['_toolset=="host"', {
+ 'conditions': [
+- ['v8_target_arch==host_arch', {
+- # Host built with an Arm CXX compiler.
+- 'conditions': [
+- [ 'arm_version==7', {
+- 'cflags': ['-march=armv7-a',],
+- }],
+- [ 'arm_version==7 or arm_version=="default"', {
+- 'conditions': [
+- [ 'arm_fpu!="default"', {
+- 'cflags': ['-mfpu=<(arm_fpu)',],
+- }],
+- ],
+- }],
+- [ 'arm_float_abi!="default"', {
+- 'cflags': ['-mfloat-abi=<(arm_float_abi)',],
+- }],
+- [ 'arm_thumb==1', {
+- 'cflags': ['-mthumb',],
+- }],
+- [ 'arm_thumb==0', {
+- 'cflags': ['-marm',],
+- }],
+- ],
+- }, {
+- # 'v8_target_arch!=host_arch'
++ ['v8_target_arch!=host_arch', {
+ # Host not built with an Arm CXX compiler (simulator build).
+ 'conditions': [
+ [ 'arm_float_abi=="hard"', {
+@@ -254,31 +230,7 @@
+ }], # _toolset=="host"
+ ['_toolset=="target"', {
+ 'conditions': [
+- ['v8_target_arch==target_arch', {
+- # Target built with an Arm CXX compiler.
+- 'conditions': [
+- [ 'arm_version==7', {
+- 'cflags': ['-march=armv7-a',],
+- }],
+- [ 'arm_version==7 or arm_version=="default"', {
+- 'conditions': [
+- [ 'arm_fpu!="default"', {
+- 'cflags': ['-mfpu=<(arm_fpu)',],
+- }],
+- ],
+- }],
+- [ 'arm_float_abi!="default"', {
+- 'cflags': ['-mfloat-abi=<(arm_float_abi)',],
+- }],
+- [ 'arm_thumb==1', {
+- 'cflags': ['-mthumb',],
+- }],
+- [ 'arm_thumb==0', {
+- 'cflags': ['-marm',],
+- }],
+- ],
+- }, {
+- # 'v8_target_arch!=target_arch'
++ ['v8_target_arch!=target_arch', {
+ # Target not built with an Arm CXX compiler (simulator build).
+ 'conditions': [
+ [ 'arm_float_abi=="hard"', {
+--
+2.20.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch
new file mode 100644
index 000000000..529381842
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch
@@ -0,0 +1,18 @@
+
+https://github.com/v8/v8/commit/878ccb33bd3cf0e6dc018ff8d15843f585ac07be
+
+did some automated cleanups but it missed big-endian code.
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+--- a/deps/v8/src/runtime/runtime-utils.h
++++ b/deps/v8/src/runtime/runtime-utils.h
+@@ -126,7 +126,7 @@ static inline ObjectPair MakePair(Object
+ #if defined(V8_TARGET_LITTLE_ENDIAN)
+ return x.ptr() | (static_cast<ObjectPair>(y.ptr()) << 32);
+ #elif defined(V8_TARGET_BIG_ENDIAN)
+- return y->ptr() | (static_cast<ObjectPair>(x->ptr()) << 32);
++ return y.ptr() | (static_cast<ObjectPair>(x.ptr()) << 32);
+ #else
+ #error Unknown endianness
+ #endif
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch
new file mode 100644
index 000000000..cb0237309
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch
@@ -0,0 +1,21 @@
+Link mksnapshot with libatomic on x86
+
+Clang-12 on x86 emits atomic builtins
+
+Fixes
+| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un
+defined reference to `__atomic_load'
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/tools/v8_gypfiles/v8.gyp
++++ b/tools/v8_gypfiles/v8.gyp
+@@ -1436,6 +1436,7 @@
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
++ 'libraries': [ '-latomic' ],
+ 'dependencies': [
+ 'v8_base_without_compiler',
+ 'v8_compiler_for_mksnapshot',
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch
new file mode 100644
index 000000000..56e93c50c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch
@@ -0,0 +1,32 @@
+Description: mksnapshot uses too much memory on 32-bit mipsel
+Author: Jérémy Lal <kapouer@melix.org>
+Last-Update: 2020-06-03
+Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586
+
+This ensures that we reserve 500M instead of 2G range for codegen
+ensures that qemu-mips can allocate such large ranges
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/deps/v8/src/common/globals.h
++++ b/deps/v8/src/common/globals.h
+@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize =
+ constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux
+ #elif V8_TARGET_ARCH_MIPS
+ constexpr bool kPlatformRequiresCodeRange = false;
+-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB;
++constexpr size_t kMaximalCodeRangeSize = 512 * MB;
+ constexpr size_t kMinimumCodeRangeSize = 0 * MB;
+ constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page.
+ #else
+--- a/deps/v8/src/codegen/mips/constants-mips.h
++++ b/deps/v8/src/codegen/mips/constants-mips.h
+@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn
+ namespace v8 {
+ namespace internal {
+
+-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096;
++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024;
+
+ // -----------------------------------------------------------------------------
+ // Registers and FPURegisters.
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch
new file mode 100644
index 000000000..141889ad2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch
@@ -0,0 +1,24 @@
+keep nodejs compatible with c-ares 1.17.1
+
+Upstream-Status: Inappropriate [c-ares specific]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+
+--- a/src/cares_wrap.h
++++ b/src/cares_wrap.h
+@@ -22,7 +22,15 @@
+ # include <netdb.h>
+ #endif // __POSIX__
+
+-# include <ares_nameser.h>
++#if defined(__ANDROID__) || \
++ defined(__MINGW32__) || \
++ defined(__OpenBSD__) || \
++ defined(_MSC_VER)
++
++# include <nameser.h>
++#else
++# include <arpa/nameser.h>
++#endif
+
+ namespace node {
+ namespace cares_wrap {
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb
new file mode 100644
index 000000000..beed833c0
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb
@@ -0,0 +1,202 @@
+DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
+HOMEPAGE = "http://nodejs.org"
+LICENSE = "MIT & BSD & Artistic-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=12f6b053282af96a218353ae7aff7cd8"
+
+DEPENDS = "openssl"
+DEPENDS:append:class-target = " qemu-native"
+DEPENDS:append:class-native = " c-ares-native"
+
+inherit pkgconfig python3native qemu
+
+COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*"
+COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*"
+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
+
+COMPATIBLE_HOST:riscv64 = "null"
+COMPATIBLE_HOST:riscv32 = "null"
+
+SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
+ file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
+ file://0002-Install-both-binaries-and-use-libdir.patch \
+ file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://big-endian.patch \
+ file://mips-less-memory.patch \
+ file://system-c-ares.patch \
+ file://0001-liftoff-Correct-function-signatures.patch \
+ "
+SRC_URI:append:class-target = " \
+ file://0002-Using-native-binaries.patch \
+ "
+SRC_URI:append:toolchain-clang:x86 = " \
+ file://libatomic.patch \
+ "
+SRC_URI:append:toolchain-clang:powerpc64le = " \
+ file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \
+ "
+SRC_URI[sha256sum] = "67587f4de25e30a9cc0b51a6033eca3bc82d7b4e0d79bb84a265e88f76ab6278"
+
+S = "${WORKDIR}/node-v${PV}"
+
+# v8 errors out if you have set CCACHE
+CCACHE = ""
+
+def map_nodejs_arch(a, d):
+ import re
+
+ if re.match('i.86$', a): return 'ia32'
+ elif re.match('x86_64$', a): return 'x64'
+ elif re.match('aarch64$', a): return 'arm64'
+ elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64'
+ elif re.match('powerpc$', a): return 'ppc'
+ return a
+
+ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \
+ ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \
+ bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \
+ bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \
+ '--with-arm-fpu=vfp', d), d), d)}"
+ARCHFLAGS:append:mips = " --v8-lite-mode"
+ARCHFLAGS:append:mipsel = " --v8-lite-mode"
+ARCHFLAGS ?= ""
+
+PACKAGECONFIG ??= "ares brotli icu zlib"
+
+PACKAGECONFIG[ares] = "--shared-cares,,c-ares"
+PACKAGECONFIG[brotli] = "--shared-brotli,,brotli"
+PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu"
+PACKAGECONFIG[libuv] = "--shared-libuv,,libuv"
+PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2"
+PACKAGECONFIG[shared] = "--shared"
+PACKAGECONFIG[zlib] = "--shared-zlib,,zlib"
+
+# We don't want to cross-compile during target compile,
+# and we need to use the right flags during host compile,
+# too.
+EXTRA_OEMAKE = "\
+ CC.host='${CC}' \
+ CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \
+ CXX.host='${CXX}' \
+ CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \
+ LDFLAGS.host='${LDFLAGS}' \
+ AR.host='${AR}' \
+ \
+ builddir_name=./ \
+"
+
+python do_unpack() {
+ import shutil
+
+ bb.build.exec_func('base_do_unpack', d)
+ shutil.rmtree(d.getVar('S') + '/deps/openssl', True)
+ if 'ares' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/cares', True)
+ if 'brotli' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/brotli', True)
+ if 'libuv' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/uv', True)
+ if 'nghttp2' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True)
+ if 'zlib' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/zlib', True)
+}
+
+# V8's JIT infrastructure requires binaries such as mksnapshot and
+# mkpeephole to be run in the host during the build. However, these
+# binaries must have the same bit-width as the target (e.g. a x86_64
+# host targeting ARMv6 needs to produce a 32-bit binary). Instead of
+# depending on a third Yocto toolchain, we just build those binaries
+# for the target and run them on the host with QEMU.
+python do_create_v8_qemu_wrapper () {
+ """Creates a small wrapper that invokes QEMU to run some target V8 binaries
+ on the host."""
+ qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'),
+ d.expand('${STAGING_DIR_HOST}${base_libdir}')]
+ qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True),
+ qemu_libdirs)
+ wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh')
+ with open(wrapper_path, 'w') as wrapper_file:
+ wrapper_file.write("""#!/bin/sh
+
+# This file has been generated automatically.
+# It invokes QEMU to run binaries built for the target in the host during the
+# build process.
+
+%s "$@"
+""" % qemu_cmd)
+ os.chmod(wrapper_path, 0o755)
+}
+
+do_create_v8_qemu_wrapper[dirs] = "${B}"
+addtask create_v8_qemu_wrapper after do_configure before do_compile
+
+LDFLAGS:append:x86 = " -latomic"
+
+# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi
+do_configure () {
+ export LD="${CXX}"
+ GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES
+ # $TARGET_ARCH settings don't match --dest-cpu settings
+ python3 configure.py --prefix=${prefix} --cross-compiling \
+ --shared-openssl \
+ --without-dtrace \
+ --without-etw \
+ --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \
+ --dest-os=linux \
+ --libdir=${D}${libdir} \
+ ${ARCHFLAGS} \
+ ${PACKAGECONFIG_CONFARGS}
+}
+
+do_compile () {
+ export LD="${CXX}"
+ install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh
+ oe_runmake BUILDTYPE=Release
+}
+
+do_install () {
+ oe_runmake install DESTDIR=${D}
+
+ # wasn't updated since 2009 and is the only thing requiring python2 in runtime
+ # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS:nodejs-npm? [file-rdeps]
+ rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples
+}
+
+do_install:append:class-native() {
+ # use node from PATH instead of absolute path to sysroot
+ # node-v0.10.25/tools/install.py is using:
+ # shebang = os.path.join(node_prefix, 'bin/node')
+ # update_shebang(link_path, shebang)
+ # and node_prefix can be very long path to bindir in native sysroot and
+ # when it exceeds 128 character shebang limit it's stripped to incorrect path
+ # and npm fails to execute like in this case with 133 characters show in log.do_install:
+ # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node
+ # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js
+ # use sed on npm-cli.js because otherwise symlink is replaced with normal file and
+ # npm-cli.js continues to use old shebang
+ sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
+
+ # Install the native binaries to provide it within sysroot for the target compilation
+ install -d ${D}${bindir}
+ install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque
+ install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator
+ if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then
+ install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case
+ fi
+ install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache
+ install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot
+}
+
+do_install:append:class-target() {
+ sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
+}
+
+PACKAGES =+ "${PN}-npm"
+FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx"
+RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \
+ python3-misc python3-multiprocessing"
+
+PACKAGES =+ "${PN}-systemtap"
+FILES:${PN}-systemtap = "${datadir}/systemtap"
+
+BBCLASSEXTEND = "native"
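Review bot: With the default `PACKAGECONFIG ??= "ares brotli icu zlib"`, only those libraries and OpenSSL (`--shared-openssl`, with `deps/openssl` removed in `do_unpack`) are taken from the system; `libuv` and `nghttp2` are not in the default set, so the copies bundled in the node-v16.11.1 tarball are presumably built in and will not pick up fixes applied to the layer's own recipes. Since the rest of this commit is about carrying CVE fixes, I would either extend the default to `PACKAGECONFIG ??= "ares brotli icu libuv nghttp2 zlib"` (if the layer's versions are compatible) or add a comment above it stating why the bundled copies are kept and who tracks advisories for them. Separately, `SRC_URI` fetches over `http://nodejs.org/dist/...`; the `sha256sum` protects the content, but `https://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz` avoids relying on the checksum alone.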
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch
new file mode 100644
index 000000000..781101372
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch
@@ -0,0 +1,55 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb
index 5197f1813..74a9c8579 100644
--- a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
file://run-ptest \
file://pam-volatiles.conf \
file://CVE-2022-28321-0002.patch \
+ file://CVE-2024-22365.patch \
"
SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch
new file mode 100644
index 000000000..4b5891dd2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch
@@ -0,0 +1,142 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar <alx@kernel.org>
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+ These are going to be difficult to trigger. Maybe getting the system
+ to the limits of memory utilization at that exact point, so that the
+ next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+ About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ ones, and EINTR probably requires privilege or being the same user;
+ but I wouldn't discard ENFILE so easily, if a process starts opening
+ files.
+
+- The password is longer than PASS_MAX.
+
+ The is plausible with physical access. However, at that point, a
+ keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar <alx@kernel.org>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Iker Pedrosa <ipedrosa@redhat.com>
+Cc: Seth Arnold <seth.arnold@canonical.com>
+Cc: Christian Brauner <christian@brauner.io>
+Cc: Balint Reczey <rbalint@debian.org>
+Cc: Sam James <sam@gentoo.org>
+Cc: David Runge <dvzrv@archlinux.org>
+Cc: Andreas Jaeger <aj@suse.de>
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar <alx@kernel.org>
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index a43d9a5..f69eb85 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -919,6 +919,7 @@ static void change_passwd (struct group *gr)
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+
+--
+2.25.1
+
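Review bot: The added `memzero (pass, sizeof pass);` only clears the password if `memzero()` in the shadow version this bbappend applies to cannot be optimised away. The commit message assumes it is backed by `explicit_bzero(3)`, but that definition is outside this patch, and the call sits directly before `exit (1)`, where a plain `memset` is a typical dead-store candidate. Please confirm the definition in the patched source tree and record the result in the patch header. The message also describes `agetpass()` while the context lines use `getpass()`, so this looks like an adapted backport rather than a verbatim cherry-pick, which the header should say. `change_passwd` continues outside the hunk, so other exit paths that leave `pass` populated cannot be ruled out from here.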
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
index 15fd63096..c3d1864a2 100644
--- a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
@@ -5,4 +5,5 @@ PAM_SRC_URI += "file://pam.d/login \
SRC_URI += " \
file://CVE-2023-29383_1.patch \
file://CVE-2023-29383_2.patch \
+ file://CVE-2023-4641.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb b/meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb
new file mode 100644
index 000000000..90f4c3d82
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb
@@ -0,0 +1,44 @@
+SUMMARY = "Utilities for managing LZMA compressed files"
+HOMEPAGE = "https://tukaani.org/xz/"
+DESCRIPTION = "XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils."
+SECTION = "base"
+
+# The source includes bits of PD, GPL-2.0, GPL-3.0, LGPL-2.1-or-later, but the
+# only file which is GPL-3.0 is an m4 macro which isn't shipped in any of our
+# packages, and the LGPL bits are under lib/, which appears to be used for
+# libgnu, which appears to be used for DOS builds. So we're left with
+# GPL-2.0-or-later and PD.
+LICENSE = "GPL-2.0-or-later & GPL-3.0-with-autoconf-exception & LGPL-2.1-or-later & PD"
+LICENSE:${PN} = "GPL-2.0-or-later"
+LICENSE:${PN}-dev = "GPL-2.0-or-later"
+LICENSE:${PN}-staticdev = "GPL-2.0-or-later"
+LICENSE:${PN}-doc = "GPL-2.0-or-later"
+LICENSE:${PN}-dbg = "GPL-2.0-or-later"
+LICENSE:${PN}-locale = "GPL-2.0-or-later"
+LICENSE:liblzma = "PD"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
+ file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
+ file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c \
+ file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \
+ "
+
+SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz"
+SRC_URI[sha256sum] = "aae39544e254cfd27e942d35a048d592959bd7a79f9a624afb0498bb5613bdf8"
+UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar"
+
+CACHED_CONFIGUREVARS += "gl_cv_posix_shell=/bin/sh"
+
+inherit autotools gettext
+
+PACKAGES =+ "liblzma"
+
+FILES:liblzma = "${libdir}/liblzma*${SOLIBS}"
+
+inherit update-alternatives
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE:${PN} = "xz xzcat unxz \
+ lzma lzcat unlzma"
+
+BBCLASSEXTEND = "native nativesdk"
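Review bot: The recipe does not say why this layer carries its own copy of xz 5.4.4, so nothing tells a later maintainer when it can be dropped. Depending on layer priority, a versioned recipe here may keep being selected after the base layer moves to a newer xz, which would hold back later fixes. A header comment such as `# Local copy to move to xz 5.4.4; remove once the base layer provides this version or newer` would record the intent, though the actual reason is not visible in this hunk and should be filled in by the author. `SRC_URI[sha256sum]` is the only integrity check on the downloaded tarball, so the value should be confirmed against upstream's signed release rather than against a fresh download.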
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch
new file mode 100644
index 000000000..4c12c53a1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch
@@ -0,0 +1,107 @@
+From 5c099c4fdc438014d5893629e70a8ba934433ee8 Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Tue, 6 Dec 2022 22:41:34 +0800
+Subject: ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
+
+Syzbot report follow issue:
+------------[ cut here ]------------
+kernel BUG at fs/ext4/inline.c:227!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 3629 Comm: syz-executor212 Not tainted 6.1.0-rc5-syzkaller-00018-g59d0d52c30d4 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:227
+RSP: 0018:ffffc90003b3f368 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffff8880704e16c0 RCX: 0000000000000000
+RDX: ffff888021763a80 RSI: ffffffff821e31a4 RDI: 0000000000000006
+RBP: 000000000006818e R08: 0000000000000006 R09: 0000000000068199
+R10: 0000000000000079 R11: 0000000000000000 R12: 000000000000000b
+R13: 0000000000068199 R14: ffffc90003b3f408 R15: ffff8880704e1c82
+FS: 000055555723e3c0(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fffe8ac9080 CR3: 0000000079f81000 CR4: 0000000000350ee0
+Call Trace:
+ <TASK>
+ ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:768
+ ext4_write_end+0x242/0xdd0 fs/ext4/inode.c:1313
+ ext4_da_write_end+0x3ed/0xa30 fs/ext4/inode.c:3063
+ generic_perform_write+0x316/0x570 mm/filemap.c:3764
+ ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
+ ext4_file_write_iter+0x8bc/0x16e0 fs/ext4/file.c:700
+ call_write_iter include/linux/fs.h:2191 [inline]
+ do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
+ do_iter_write+0x182/0x700 fs/read_write.c:861
+ vfs_iter_write+0x74/0xa0 fs/read_write.c:902
+ iter_file_splice_write+0x745/0xc90 fs/splice.c:686
+ do_splice_from fs/splice.c:764 [inline]
+ direct_splice_actor+0x114/0x180 fs/splice.c:931
+ splice_direct_to_actor+0x335/0x8a0 fs/splice.c:886
+ do_splice_direct+0x1ab/0x280 fs/splice.c:974
+ do_sendfile+0xb19/0x1270 fs/read_write.c:1255
+ __do_sys_sendfile64 fs/read_write.c:1323 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1309 [inline]
+ __x64_sys_sendfile64+0x1d0/0x210 fs/read_write.c:1309
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+---[ end trace 0000000000000000 ]---
+
+Above issue may happens as follows:
+ext4_da_write_begin
+ ext4_da_write_inline_data_begin
+ ext4_da_convert_inline_data_to_extent
+ ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
+ext4_da_write_end
+
+ext4_run_li_request
+ ext4_mb_prefetch
+ ext4_read_block_bitmap_nowait
+ ext4_validate_block_bitmap
+ ext4_mark_group_bitmap_corrupted(sb, block_group, EXT4_GROUP_INFO_BBITMAP_CORRUPT)
+ percpu_counter_sub(&sbi->s_freeclusters_counter,grp->bb_free);
+ -> sbi->s_freeclusters_counter become zero
+ext4_da_write_begin
+ if (ext4_nonda_switch(inode->i_sb)) -> As freeclusters_counter is zero will return true
+ *fsdata = (void *)FALL_BACK_TO_NONDELALLOC;
+ ext4_write_begin
+ext4_da_write_end
+ if (write_mode == FALL_BACK_TO_NONDELALLOC)
+ ext4_write_end
+ if (inline_data)
+ ext4_write_inline_data_end
+ ext4_write_inline_data
+ BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
+ -> As inode is already convert to extent, so 'pos + len' > inline_size
+ -> then trigger BUG.
+
+To solve this issue, instead of checking ext4_has_inline_data() which
+is only cleared after data has been written back, check the
+EXT4_STATE_MAY_INLINE_DATA flag in ext4_write_end().
+
+Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data")
+Reported-by: syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com
+Reported-by: Jun Nie <jun.nie@linaro.org>
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Link: https://lore.kernel.org/r/20221206144134.1919987-1-yebin@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@kernel.org
+---
+ fs/ext4/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 181bc161b1ac3d..a0f4d4197a0b71 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1315,7 +1315,8 @@ static int ext4_write_end(struct file *file,
+
+ trace_ext4_write_end(inode, pos, len, copied);
+
+- if (ext4_has_inline_data(inode))
++ if (ext4_has_inline_data(inode) &&
++ ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
+ return ext4_write_inline_data_end(inode, pos, len, copied, page);
+
+ copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
+--
+cgit 1.2.3-korg
+
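Review bot: The patch header has no `Upstream-Status:` tag, so nothing records which upstream or stable commit the file was taken from or whether it was adapted for the linux-aspeed tree. Adding a line such as `Upstream-Status: Backport [<upstream commit URL>]` above the `---` separator would let a later reviewer compare it with the original. The trailing `cgit 1.2.3-korg` suggests the file was saved from a web view, so it is worth confirming that the `From` hash matches the kernel version built here and that the hunk context applies without fuzz. The same tag is missing from the CVE-2021-46923, CVE-2021-46933, CVE-2021-46934, CVE-2021-46936, CVE-2021-47087, CVE-2022-0847, CVE-2022-40982 and CVE-2022-48425 patches added in this commit.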
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch
new file mode 100644
index 000000000..eb2b5cc93
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch
@@ -0,0 +1,44 @@
+From 012e332286e2bb9f6ac77d195f17e74b2963d663 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Thu, 30 Dec 2021 20:23:09 +0100
+Subject: fs/mount_setattr: always cleanup mount_kattr
+
+Make sure that finish_mount_kattr() is called after mount_kattr was
+succesfully built in both the success and failure case to prevent
+leaking any references we took when we built it. We returned early if
+path lookup failed thereby risking to leak an additional reference we
+took when building mount_kattr when an idmapped mount was requested.
+
+Cc: linux-fsdevel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 9caccd41541a ("fs: introduce MOUNT_ATTR_IDMAP")
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ fs/namespace.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 659a8f39c61afb..b696543adab848 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -4263,12 +4263,11 @@ SYSCALL_DEFINE5(mount_setattr, int, dfd, const char __user *, path,
+ return err;
+
+ err = user_path_at(dfd, path, kattr.lookup_flags, &target);
+- if (err)
+- return err;
+-
+- err = do_mount_setattr(&target, &kattr);
++ if (!err) {
++ err = do_mount_setattr(&target, &kattr);
++ path_put(&target);
++ }
+ finish_mount_kattr(&kattr);
+- path_put(&target);
+ return err;
+ }
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch
new file mode 100644
index 000000000..74c9cac10
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch
@@ -0,0 +1,118 @@
+From 1c4ace3e6b8575745c50dca9e76e0021e697d645 Mon Sep 17 00:00:00 2001
+From: Vincent Pelletier <plr.vincent@gmail.com>
+Date: Sat, 18 Dec 2021 02:18:40 +0000
+Subject: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
+
+commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.
+
+ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
+ffs_ep0_release, so it ends up being called twice when userland closes ep0
+and then unmounts f_fs.
+If userland provided an eventfd along with function's USB descriptors, it
+ends up calling eventfd_ctx_put as many times, causing a refcount
+underflow.
+NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
+
+Also, set epfiles to NULL right after de-allocating it, for readability.
+
+For completeness, ffs_data_clear actually ends up being called thrice, the
+last call being before the whole ffs structure gets freed, so when this
+specific sequence happens there is a second underflow happening (but not
+being reported):
+
+/sys/kernel/debug/tracing# modprobe usb_f_fs
+/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
+/sys/kernel/debug/tracing# echo function > current_tracer
+/sys/kernel/debug/tracing# echo 1 > tracing_on
+(setup gadget, run and kill function userland process, teardown gadget)
+/sys/kernel/debug/tracing# echo 0 > tracing_on
+/sys/kernel/debug/tracing# cat trace
+ smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
+
+Warning output corresponding to above trace:
+[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
+[ 1946.293094] refcount_t: underflow; use-after-free.
+[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
+[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
+[ 1946.417950] Hardware name: BCM2835
+[ 1946.425442] Backtrace:
+[ 1946.432048] [<c08d60a0>] (dump_backtrace) from [<c08d62ec>] (show_stack+0x20/0x24)
+[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
+[ 1946.458412] [<c08d62cc>] (show_stack) from [<c08d9ae0>] (dump_stack+0x28/0x30)
+[ 1946.470380] [<c08d9ab8>] (dump_stack) from [<c0123500>] (__warn+0xe8/0x154)
+[ 1946.482067] r5:c04a948c r4:c0a71dc8
+[ 1946.490184] [<c0123418>] (__warn) from [<c08d6948>] (warn_slowpath_fmt+0xa0/0xe4)
+[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
+[ 1946.517070] [<c08d68ac>] (warn_slowpath_fmt) from [<c04a948c>] (refcount_warn_saturate+0x110/0x15c)
+[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
+[ 1946.546708] [<c04a937c>] (refcount_warn_saturate) from [<c0380134>] (eventfd_ctx_put+0x48/0x74)
+[ 1946.564476] [<c03800ec>] (eventfd_ctx_put) from [<bf5464e8>] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
+[ 1946.582664] r5:c3b84c00 r4:c2695b00
+[ 1946.590668] [<bf546418>] (ffs_data_clear [usb_f_fs]) from [<bf547cc0>] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
+[ 1946.609608] r5:bf54d014 r4:c2695b00
+[ 1946.617522] [<bf547c24>] (ffs_data_closed [usb_f_fs]) from [<bf547da0>] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
+[ 1946.636217] r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
+[ 1946.646273] [<bf547d74>] (ffs_fs_kill_sb [usb_f_fs]) from [<c0326d50>] (deactivate_locked_super+0x54/0x9c)
+[ 1946.664893] r5:bf54d014 r4:c229f000
+[ 1946.672921] [<c0326cfc>] (deactivate_locked_super) from [<c0326df8>] (deactivate_super+0x60/0x64)
+[ 1946.690722] r5:c2a09000 r4:c229f000
+[ 1946.698706] [<c0326d98>] (deactivate_super) from [<c0349a28>] (cleanup_mnt+0xe4/0x14c)
+[ 1946.715553] r5:c2a09000 r4:00000000
+[ 1946.723528] [<c0349944>] (cleanup_mnt) from [<c0349b08>] (__cleanup_mnt+0x1c/0x20)
+[ 1946.739922] r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
+[ 1946.750088] [<c0349aec>] (__cleanup_mnt) from [<c0143d10>] (task_work_run+0x84/0xb8)
+[ 1946.766602] [<c0143c8c>] (task_work_run) from [<c010bdc8>] (do_work_pending+0x470/0x56c)
+[ 1946.783540] r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
+[ 1946.793614] [<c010b958>] (do_work_pending) from [<c01000c0>] (slow_work_pending+0xc/0x20)
+[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
+[ 1946.820129] bfa0: 00000000 00000000 000000aa b5e21430
+[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
+[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
+[ 1946.865335] r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
+[ 1946.881914] r4:bef867a0
+[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---
+
+Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
+Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 725e35167837eb..cbb7947f366f93 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1772,11 +1772,15 @@ static void ffs_data_clear(struct ffs_data *ffs)
+
+ BUG_ON(ffs->gadget);
+
+- if (ffs->epfiles)
++ if (ffs->epfiles) {
+ ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
++ ffs->epfiles = NULL;
++ }
+
+- if (ffs->ffs_eventfd)
++ if (ffs->ffs_eventfd) {
+ eventfd_ctx_put(ffs->ffs_eventfd);
++ ffs->ffs_eventfd = NULL;
++ }
+
+ kfree(ffs->raw_descs_data);
+ kfree(ffs->raw_strings);
+@@ -1789,7 +1793,6 @@ static void ffs_data_reset(struct ffs_data *ffs)
+
+ ffs_data_clear(ffs);
+
+- ffs->epfiles = NULL;
+ ffs->raw_descs_data = NULL;
+ ffs->raw_descs = NULL;
+ ffs->raw_strings = NULL;
+--
+cgit 1.2.3-korg
+
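Review bot: In `ffs_data_clear()` the `kfree(ffs->raw_descs_data)` and `kfree(ffs->raw_strings)` context lines still leave their pointers set, unlike `epfiles` and `ffs_eventfd`, which this patch now clears after release. Only `ffs_data_reset()` sets those two pointers to NULL. Since the commit message states that `ffs_data_clear()` can run up to three times, repeated calls appear to be safe for those buffers only when a reset happened in between. A comment in `ffs_data_clear()` such as `/* raw_descs_data and raw_strings are cleared by ffs_data_reset(), not here */` would document that dependency. Both functions continue outside the hunks shown, so this should be checked against the full file.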
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
new file mode 100644
index 000000000..a8aa64856
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
@@ -0,0 +1,38 @@
+From 407c8708fb1bf2d4afc5337ef50635cf540c364b Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 31 Dec 2021 01:47:50 +0300
+Subject: i2c: validate user data in compat ioctl
+
+[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
+
+Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
+Userspace should not be able to trigger warnings, so this patch adds
+validation checks for user data in compact ioctl to prevent reported
+warnings
+
+Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
+Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 57aece80984166..140dd074fdee5a 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -544,6 +544,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
+ sizeof(rdwr_arg)))
+ return -EFAULT;
+
++ if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
++ return -EINVAL;
++
+ if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+ return -EINVAL;
+
+--
+cgit 1.2.3-korg
+
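Review bot: The added check sits in `compat_i2cdev_ioctl()`, the compatibility ioctl entry point, so whether it changes the shipped kernel depends on the target configuration. If the linux-aspeed kernels built from this layer are 32-bit ARM without `CONFIG_COMPAT`, this function is presumably not compiled and the patch has no effect on the binary. That is harmless, but the patch header should say whether the CVE applies to the target or is carried only for scanner coverage. The function body starts and ends outside the hunk.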
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch
new file mode 100644
index 000000000..9a3605809
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch
@@ -0,0 +1,88 @@
+From 08eacbd141e2495d2fcdde84358a06c4f95cbb13 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Tue, 28 Dec 2021 18:41:45 +0800
+Subject: net: fix use-after-free in tw_timer_handler
+
+commit e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 upstream.
+
+A real world panic issue was found as follow in Linux 5.4.
+
+ BUG: unable to handle page fault for address: ffffde49a863de28
+ PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
+ RIP: 0010:tw_timer_handler+0x20/0x40
+ Call Trace:
+ <IRQ>
+ call_timer_fn+0x2b/0x120
+ run_timer_softirq+0x1ef/0x450
+ __do_softirq+0x10d/0x2b8
+ irq_exit+0xc7/0xd0
+ smp_apic_timer_interrupt+0x68/0x120
+ apic_timer_interrupt+0xf/0x20
+
+This issue was also reported since 2017 in the thread [1],
+unfortunately, the issue was still can be reproduced after fixing
+DCCP.
+
+The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
+namespace is destroyed since tcp_sk_ops is registered befrore
+ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
+in the list of pernet_list. There will be a use-after-free on
+net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
+if there are some inflight time-wait timers.
+
+This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
+NET_ADD_STATS_BH") since the net_statistics is a global variable
+instead of dynamic allocation and freeing. Actually, commit
+61a7e26028b9 ("mib: put net statistics on struct net") introduces
+the bug since it put net statistics on struct net and free it when
+net namespace is destroyed.
+
+Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
+and replace pr_crit() with panic() since continuing is meaningless
+when init_ipv4_mibs() fails.
+
+[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
+
+Fixes: 61a7e26028b9 ("mib: put net statistics on struct net")
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Cc: Cong Wang <cong.wang@bytedance.com>
+Cc: Fam Zheng <fam.zheng@bytedance.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211228104145.9426-1-songmuchun@bytedance.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/af_inet.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 3a9422a5873eb4..dcea653a5204ad 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -2004,6 +2004,10 @@ static int __init inet_init(void)
+
+ ip_init();
+
++ /* Initialise per-cpu ipv4 mibs */
++ if (init_ipv4_mibs())
++ panic("%s: Cannot init ipv4 mibs\n", __func__);
++
+ /* Setup TCP slab cache for open requests. */
+ tcp_init();
+
+@@ -2034,12 +2038,6 @@ static int __init inet_init(void)
+
+ if (init_inet_pernet_ops())
+ pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__);
+- /*
+- * Initialise per-cpu ipv4 mibs
+- */
+-
+- if (init_ipv4_mibs())
+- pr_crit("%s: Cannot init ipv4 mibs\n", __func__);
+
+ ipv4_proc_init();
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch
new file mode 100644
index 000000000..a92a8002b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch
@@ -0,0 +1,43 @@
+From 806142c805cacd098e61bdc0f72c778a2389fe4a Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Thu, 16 Dec 2021 11:17:25 +0530
+Subject: tee: optee: Fix incorrect page free bug
+
+commit 18549bf4b21c739a9def39f27dcac53e27286ab5 upstream.
+
+Pointer to the allocated pages (struct page *page) has already
+progressed towards the end of allocation. It is incorrect to perform
+__free_pages(page, order) using this pointer as we would free any
+arbitrary pages. Fix this by stop modifying the page pointer.
+
+Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
+Cc: stable@vger.kernel.org
+Reported-by: Patrik Lantz <patrik.lantz@axis.com>
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/shm_pool.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tee/optee/shm_pool.c b/drivers/tee/optee/shm_pool.c
+index c41a9a501a6e9d..fa75024f16f7f1 100644
+--- a/drivers/tee/optee/shm_pool.c
++++ b/drivers/tee/optee/shm_pool.c
+@@ -41,10 +41,8 @@ static int pool_op_alloc(struct tee_shm_pool_mgr *poolm,
+ goto err;
+ }
+
+- for (i = 0; i < nr_pages; i++) {
+- pages[i] = page;
+- page++;
+- }
++ for (i = 0; i < nr_pages; i++)
++ pages[i] = page + i;
+
+ shm->flags |= TEE_SHM_REGISTER;
+ rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch
new file mode 100644
index 000000000..c4be1a8d1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch
@@ -0,0 +1,43 @@
+From 9d2231c5d74e13b2a0546fee6737ee4446017903 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Mon, 21 Feb 2022 11:03:13 +0100
+Subject: lib/iov_iter: initialize "flags" in new pipe_buffer
+
+The functions copy_page_to_iter_pipe() and push_pipe() can both
+allocate a new pipe_buffer, but the "flags" member initializer is
+missing.
+
+Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
+To: Alexander Viro <viro@zeniv.linux.org.uk>
+To: linux-fsdevel@vger.kernel.org
+To: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ lib/iov_iter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index b0e0acdf96c15..6dd5330f7a995 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -414,6 +414,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
+ return 0;
+
+ buf->ops = &page_cache_pipe_buf_ops;
++ buf->flags = 0;
+ get_page(page);
+ buf->page = page;
+ buf->offset = offset;
+@@ -577,6 +578,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
+ break;
+
+ buf->ops = &default_pipe_buf_ops;
++ buf->flags = 0;
+ buf->page = page;
+ buf->offset = 0;
+ buf->len = min_t(ssize_t, left, PAGE_SIZE);
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch
new file mode 100644
index 000000000..96f861bcf
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch
@@ -0,0 +1,77 @@
+From 8974eb588283b7d44a7c91fa09fcbaf380339f3a Mon Sep 17 00:00:00 2001
+From: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Date: Wed, 12 Jul 2023 19:43:11 -0700
+Subject: [PATCH] x86/speculation: Add Gather Data Sampling mitigation
+
+Gather Data Sampling (GDS) is a hardware vulnerability which allows
+unprivileged speculative access to data which was previously stored in
+vector registers.
+
+Intel processors that support AVX2 and AVX512 have gather instructions
+that fetch non-contiguous data elements from memory. On vulnerable
+hardware, when a gather instruction is transiently executed and
+encounters a fault, stale data from architectural or internal vector
+registers may get transiently stored to the destination vector
+register allowing an attacker to infer the stale data using typical
+side channel techniques like cache timing attacks.
+
+This mitigation is different from many earlier ones for two reasons.
+First, it is enabled by default and a bit must be set to *DISABLE* it.
+This is the opposite of normal mitigation polarity. This means GDS can
+be mitigated simply by updating microcode and leaving the new control
+bit alone.
+
+Second, GDS has a "lock" bit. This lock bit is there because the
+mitigation affects the hardware security features KeyLocker and SGX.
+It needs to be enabled and *STAY* enabled for these features to be
+mitigated against GDS.
+
+The mitigation is enabled in the microcode by default. Disable it by
+setting gather_data_sampling=off or by disabling all mitigations with
+mitigations=off. The mitigation status can be checked by reading:
+
+ /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
+
+Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+---
+ drivers/base/cpu.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
+index 5fc258073bc7..3dd3fe80f8fc 100644
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -564,6 +564,12 @@ ssize_t __weak cpu_show_srbds(struct device *dev,
+ return sysfs_emit(buf, "Not affected\n");
+ }
+
++ssize_t __weak cpu_show_gds(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sysfs_emit(buf, "Not affected\n");
++}
++
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+@@ -573,6 +579,7 @@ static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
+ static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
+ static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
+ static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
++static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
+
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_meltdown.attr,
+@@ -584,6 +591,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_tsx_async_abort.attr,
+ &dev_attr_itlb_multihit.attr,
+ &dev_attr_srbds.attr,
++ &dev_attr_gather_data_sampling.attr,
+ NULL
+ };
+
+--
+2.25.1
+
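Review bot: The carried diff touches only `drivers/base/cpu.c`, while the commit message describes the microcode-level mitigation, the `gather_data_sampling=off` option and the lock bit, none of which these eight lines implement. As applied, the patch adds the `gather_data_sampling` sysfs attribute backed by the weak `cpu_show_gds()`, which reports `Not affected` unless an architecture overrides it. A short note in the patch header stating that only the generic sysfs part is carried, and why that is sufficient for this target, would avoid the impression that a mitigation was added. It is also worth checking that a prototype for `cpu_show_gds()` exists in the kernel's headers, since this patch adds none.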
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch
new file mode 100644
index 000000000..10014562c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch
@@ -0,0 +1,136 @@
+From 98bea253aa28ad8be2ce565a9ca21beb4a9419e5 Mon Sep 17 00:00:00 2001
+From: Edward Lo <edward.lo@ambergroup.io>
+Date: Sat, 5 Nov 2022 23:39:44 +0800
+Subject: fs/ntfs3: Validate MFT flags before replaying logs
+
+Log load and replay is part of the metadata handle flow during mount
+operation. The $MFT record will be loaded and used while replaying logs.
+However, a malformed $MFT record, say, has RECORD_FLAG_DIR flag set and
+contains an ATTR_ROOT attribute will misguide kernel to treat it as a
+directory, and try to free the allocated resources when the
+corresponding inode is freed, which will cause an invalid kfree because
+the memory hasn't actually been allocated.
+
+[ 101.368647] BUG: KASAN: invalid-free in kvfree+0x2c/0x40
+[ 101.369457]
+[ 101.369986] CPU: 0 PID: 198 Comm: mount Not tainted 6.0.0-rc7+ #5
+[ 101.370529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 101.371362] Call Trace:
+[ 101.371795] <TASK>
+[ 101.372157] dump_stack_lvl+0x49/0x63
+[ 101.372658] print_report.cold+0xf5/0x689
+[ 101.373022] ? ni_write_inode+0x754/0xd90
+[ 101.373378] ? kvfree+0x2c/0x40
+[ 101.373698] kasan_report_invalid_free+0x77/0xf0
+[ 101.374058] ? kvfree+0x2c/0x40
+[ 101.374352] ? kvfree+0x2c/0x40
+[ 101.374668] __kasan_slab_free+0x189/0x1b0
+[ 101.374992] ? kvfree+0x2c/0x40
+[ 101.375271] kfree+0x168/0x3b0
+[ 101.375717] kvfree+0x2c/0x40
+[ 101.376002] indx_clear+0x26/0x60
+[ 101.376316] ni_clear+0xc5/0x290
+[ 101.376661] ntfs_evict_inode+0x45/0x70
+[ 101.377001] evict+0x199/0x280
+[ 101.377432] iput.part.0+0x286/0x320
+[ 101.377819] iput+0x32/0x50
+[ 101.378166] ntfs_loadlog_and_replay+0x143/0x320
+[ 101.378656] ? ntfs_bio_fill_1+0x510/0x510
+[ 101.378968] ? iput.part.0+0x286/0x320
+[ 101.379367] ntfs_fill_super+0xecb/0x1ba0
+[ 101.379729] ? put_ntfs+0x1d0/0x1d0
+[ 101.380046] ? vsprintf+0x20/0x20
+[ 101.380542] ? mutex_unlock+0x81/0xd0
+[ 101.380914] ? set_blocksize+0x95/0x150
+[ 101.381597] get_tree_bdev+0x232/0x370
+[ 101.382254] ? put_ntfs+0x1d0/0x1d0
+[ 101.382699] ntfs_fs_get_tree+0x15/0x20
+[ 101.383094] vfs_get_tree+0x4c/0x130
+[ 101.383675] path_mount+0x654/0xfe0
+[ 101.384203] ? putname+0x80/0xa0
+[ 101.384540] ? finish_automount+0x2e0/0x2e0
+[ 101.384943] ? putname+0x80/0xa0
+[ 101.385362] ? kmem_cache_free+0x1c4/0x440
+[ 101.385968] ? putname+0x80/0xa0
+[ 101.386666] do_mount+0xd6/0xf0
+[ 101.387228] ? path_mount+0xfe0/0xfe0
+[ 101.387585] ? __kasan_check_write+0x14/0x20
+[ 101.387979] __x64_sys_mount+0xca/0x110
+[ 101.388436] do_syscall_64+0x3b/0x90
+[ 101.388757] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 101.389289] RIP: 0033:0x7fa0f70e948a
+[ 101.390048] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 101.391297] RSP: 002b:00007ffc24fdecc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 101.391988] RAX: ffffffffffffffda RBX: 000055932c183060 RCX: 00007fa0f70e948a
+[ 101.392494] RDX: 000055932c183260 RSI: 000055932c1832e0 RDI: 000055932c18bce0
+[ 101.393053] RBP: 0000000000000000 R08: 000055932c183280 R09: 0000000000000020
+[ 101.393577] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055932c18bce0
+[ 101.394044] R13: 000055932c183260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 101.394747] </TASK>
+[ 101.395402]
+[ 101.396047] Allocated by task 198:
+[ 101.396724] kasan_save_stack+0x26/0x50
+[ 101.397400] __kasan_slab_alloc+0x6d/0x90
+[ 101.397974] kmem_cache_alloc_lru+0x192/0x5a0
+[ 101.398524] ntfs_alloc_inode+0x23/0x70
+[ 101.399137] alloc_inode+0x3b/0xf0
+[ 101.399534] iget5_locked+0x54/0xa0
+[ 101.400026] ntfs_iget5+0xaf/0x1780
+[ 101.400414] ntfs_loadlog_and_replay+0xe5/0x320
+[ 101.400883] ntfs_fill_super+0xecb/0x1ba0
+[ 101.401313] get_tree_bdev+0x232/0x370
+[ 101.401774] ntfs_fs_get_tree+0x15/0x20
+[ 101.402224] vfs_get_tree+0x4c/0x130
+[ 101.402673] path_mount+0x654/0xfe0
+[ 101.403160] do_mount+0xd6/0xf0
+[ 101.403537] __x64_sys_mount+0xca/0x110
+[ 101.404058] do_syscall_64+0x3b/0x90
+[ 101.404333] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 101.404816]
+[ 101.405067] The buggy address belongs to the object at ffff888008cc9ea0
+[ 101.405067] which belongs to the cache ntfs_inode_cache of size 992
+[ 101.406171] The buggy address is located 232 bytes inside of
+[ 101.406171] 992-byte region [ffff888008cc9ea0, ffff888008cca280)
+[ 101.406995]
+[ 101.408559] The buggy address belongs to the physical page:
+[ 101.409320] page:00000000dccf19dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cc8
+[ 101.410654] head:00000000dccf19dd order:2 compound_mapcount:0 compound_pincount:0
+[ 101.411533] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+[ 101.412665] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888003695140
+[ 101.413209] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
+[ 101.413799] page dumped because: kasan: bad access detected
+[ 101.414213]
+[ 101.414427] Memory state around the buggy address:
+[ 101.414991] ffff888008cc9e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.415785] ffff888008cc9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.416933] >ffff888008cc9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.417857] ^
+[ 101.418566] ffff888008cca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.419704] ffff888008cca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Signed-off-by: Edward Lo <edward.lo@ambergroup.io>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+---
+ fs/ntfs3/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index ce6bb3bd86b6e..059f288784580 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -100,6 +100,12 @@ static struct inode *ntfs_read_mft(struct inode *inode,
+ /* Record should contain $I30 root. */
+ is_dir = rec->flags & RECORD_FLAG_DIR;
+
++ /* MFT_REC_MFT is not a dir */
++ if (is_dir && ino == MFT_REC_MFT) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ inode->i_generation = le16_to_cpu(rec->seq);
+
+ /* Enumerate all struct Attributes MFT. */
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch
new file mode 100644
index 000000000..840e2de82
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch
@@ -0,0 +1,73 @@
+From 016b150992eebc32c4a18f783cf2bb6e2545a3d9 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao.yu@oppo.com>
+Date: Wed, 31 Aug 2022 22:54:54 +0800
+Subject: mm/slub: fix to return errno if kmalloc() fails
+
+commit 7e9c323c52b379d261a72dc7bd38120a761a93cd upstream.
+
+In create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to
+out-of-memory, if it fails, return errno correctly rather than
+triggering panic via BUG_ON();
+
+kernel BUG at mm/slub.c:5893!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+
+Call trace:
+ sysfs_slab_add+0x258/0x260 mm/slub.c:5973
+ __kmem_cache_create+0x60/0x118 mm/slub.c:4899
+ create_cache mm/slab_common.c:229 [inline]
+ kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335
+ kmem_cache_create+0x1c/0x28 mm/slab_common.c:390
+ f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]
+ f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808
+ f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149
+ mount_bdev+0x1b8/0x210 fs/super.c:1400
+ f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512
+ legacy_get_tree+0x30/0x74 fs/fs_context.c:610
+ vfs_get_tree+0x40/0x140 fs/super.c:1530
+ do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
+ path_mount+0x358/0x914 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
+
+Cc: <stable@kernel.org>
+Fixes: 81819f0fc8285 ("SLUB core")
+Reported-by: syzbot+81684812ea68216e08c5@syzkaller.appspotmail.com
+Reviewed-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Signed-off-by: Chao Yu <chao.yu@oppo.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 5211496f6d24fc..17e663cf38f69b 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5743,7 +5743,8 @@ static char *create_unique_id(struct kmem_cache *s)
+ char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL);
+ char *p = name;
+
+- BUG_ON(!name);
++ if (!name)
++ return ERR_PTR(-ENOMEM);
+
+ *p++ = ':';
+ /*
+@@ -5825,6 +5826,8 @@ static int sysfs_slab_add(struct kmem_cache *s)
+ * for the symlinks.
+ */
+ name = create_unique_id(s);
++ if (IS_ERR(name))
++ return PTR_ERR(name);
+ }
+
+ s->kobj.kset = kset;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch
new file mode 100644
index 000000000..c6538d9ac
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch
@@ -0,0 +1,69 @@
+From 657803b918e097e47d99d1489da83a603c36bcdd Mon Sep 17 00:00:00 2001
+From: Meng Li <Meng.Li@windriver.com>
+Date: Wed, 21 Sep 2022 11:20:20 +0800
+Subject: gpiolib: cdev: Set lineevent_state::irq after IRQ register
+ successfully
+
+commit 69bef19d6b9700e96285f4b4e28691cda3dcd0d1 upstream.
+
+When running gpio test on nxp-ls1028 platform with below command
+gpiomon --num-events=3 --rising-edge gpiochip1 25
+There will be a warning trace as below:
+Call trace:
+free_irq+0x204/0x360
+lineevent_free+0x64/0x70
+gpio_ioctl+0x598/0x6a0
+__arm64_sys_ioctl+0xb4/0x100
+invoke_syscall+0x5c/0x130
+......
+el0t_64_sync+0x1a0/0x1a4
+The reason of this issue is that calling request_threaded_irq()
+function failed, and then lineevent_free() is invoked to release
+the resource. Since the lineevent_state::irq was already set, so
+the subsequent invocation of free_irq() would trigger the above
+warning call trace. To fix this issue, set the lineevent_state::irq
+after the IRQ register successfully.
+
+Fixes: 468242724143 ("gpiolib: cdev: refactor lineevent cleanup into lineevent_free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+Reviewed-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index 2613881a66e662..381cfa26a4a1a0 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1769,7 +1769,6 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
+ ret = -ENODEV;
+ goto out_free_le;
+ }
+- le->irq = irq;
+
+ if (eflags & GPIOEVENT_REQUEST_RISING_EDGE)
+ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ?
+@@ -1783,7 +1782,7 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
+ init_waitqueue_head(&le->wait);
+
+ /* Request a thread to read the events */
+- ret = request_threaded_irq(le->irq,
++ ret = request_threaded_irq(irq,
+ lineevent_irq_handler,
+ lineevent_irq_thread,
+ irqflags,
+@@ -1792,6 +1791,8 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
+ if (ret)
+ goto out_free_le;
+
++ le->irq = irq;
++
+ fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
+ if (fd < 0) {
+ ret = fd;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
new file mode 100644
index 000000000..93d21e5da
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
@@ -0,0 +1,39 @@
+From 2133f451311671c7c42b5640d2b999326b39aa0e Mon Sep 17 00:00:00 2001
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+Date: Sat, 13 Aug 2022 23:34:16 +0300
+Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes()
+
+[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ]
+
+Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
+forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
+which makes it possible to overflow the nps[] buffer...
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE static
+analysis tool.
+
+Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/fdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 520ed965bb7a4e..583ca847a39cba 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -314,7 +314,7 @@ static int unflatten_dt_nodes(const void *blob,
+ for (offset = 0;
+ offset >= 0 && depth >= initial_depth;
+ offset = fdt_next_node(blob, offset, &depth)) {
+- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1))
+ continue;
+
+ if (!IS_ENABLED(CONFIG_OF_KOBJ) &&
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch
new file mode 100644
index 000000000..53b751d83
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch
@@ -0,0 +1,76 @@
+From 076f2479fc5a15c4a970ca3b5e57d42ba09a31fa Mon Sep 17 00:00:00 2001
+From: David Lebrun <dlebrun@google.com>
+Date: Fri, 2 Sep 2022 10:45:06 +0100
+Subject: ipv6: sr: fix out-of-bounds read when setting HMAC data.
+
+[ Upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35 ]
+
+The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
+Segment Routing Headers. This configuration is realised via netlink through
+four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
+SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
+length of the SECRET attribute, it is possible to provide invalid combinations
+(e.g., secret = "", secretlen = 64). This case is not checked in the code and
+with an appropriately crafted netlink message, an out-of-bounds read of up
+to 64 bytes (max secret length) can occur past the skb end pointer and into
+skb_shared_info:
+
+Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
+208 memcpy(hinfo->secret, secret, slen);
+(gdb) bt
+ #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
+ #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
+ extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
+ family=<optimized out>) at net/netlink/genetlink.c:731
+ #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
+ family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
+ #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
+ #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
+ at net/netlink/af_netlink.c:2501
+ #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
+ #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
+ at net/netlink/af_netlink.c:1319
+ #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
+ at net/netlink/af_netlink.c:1345
+ #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
+...
+(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
+$1 = 0xffff88800b1b76c0
+(gdb) p/x secret
+$2 = 0xffff88800b1b76c0
+(gdb) p slen
+$3 = 64 '@'
+
+The OOB data can then be read back from userspace by dumping HMAC state. This
+commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
+SECRET.
+
+Reported-by: Lucas Leong <wmliang.tw@gmail.com>
+Tested: verified that EINVAL is correctly returned when secretlen > len(secret)
+Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure")
+Signed-off-by: David Lebrun <dlebrun@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index d2f8138e5a73a5..2278c0234c4979 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
+ goto out_unlock;
+ }
+
++ if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
++
+ if (hinfo) {
+ err = seg6_hmac_info_del(net, hmackeyid);
+ if (err)
+--
+cgit 1.2.3-korg
+
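Review bot: This patch looks like the same fix as CVE-2023-2860.patch, which this commit also adds: its header cites upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35, and the other file's `From` line carries that same hash with the same author and date. If both files are listed in the recipe's SRC_URI (not visible here), the second either fails to apply or, with fuzz, inserts the `slen > nla_len(info->attrs[SEG6_ATTR_SECRET])` check twice. Keeping one file and recording both identifiers in its header, e.g. `CVE: CVE-2022-48687 CVE-2023-2860`, would apply the length check in seg6_genl_sethmac() exactly once and still let CVE scanners see both ids.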
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch
new file mode 100644
index 000000000..136878aaf
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch
@@ -0,0 +1,167 @@
+From 3261400639463a853ba2b3be8bd009c2a8089775 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 31 Aug 2022 23:38:09 +0000
+Subject: [PATCH] tcp: TX zerocopy should not sense pfmemalloc status
+
+We got a recent syzbot report [1] showing a possible misuse
+of pfmemalloc page status in TCP zerocopy paths.
+
+Indeed, for pages coming from user space or other layers,
+using page_is_pfmemalloc() is moot, and possibly could give
+false positives.
+
+There has been attempts to make page_is_pfmemalloc() more robust,
+but not using it in the first place in this context is probably better,
+removing cpu cycles.
+
+Note to stable teams :
+
+You need to backport 84ce071e38a6 ("net: introduce
+__skb_fill_page_desc_noacc") as a prereq.
+
+Race is more probable after commit c07aea3ef4d4
+("mm: add a signature in struct page") because page_is_pfmemalloc()
+is now using low order bit from page->lru.next, which can change
+more often than page->index.
+
+Low order bit should never be set for lru.next (when used as an anchor
+in LRU list), so KCSAN report is mostly a false positive.
+
+Backporting to older kernel versions seems not necessary.
+
+[1]
+BUG: KCSAN: data-race in lru_add_fn / tcp_build_frag
+
+write to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:
+__list_add include/linux/list.h:73 [inline]
+list_add include/linux/list.h:88 [inline]
+lruvec_add_folio include/linux/mm_inline.h:105 [inline]
+lru_add_fn+0x440/0x520 mm/swap.c:228
+folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
+folio_batch_add_and_move mm/swap.c:263 [inline]
+folio_add_lru+0xf1/0x140 mm/swap.c:490
+filemap_add_folio+0xf8/0x150 mm/filemap.c:948
+__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981
+pagecache_get_page+0x26/0x190 mm/folio-compat.c:104
+grab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116
+ext4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988
+generic_perform_write+0x1d4/0x3f0 mm/filemap.c:3738
+ext4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270
+ext4_file_write_iter+0x2e3/0x1210
+call_write_iter include/linux/fs.h:2187 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x468/0x760 fs/read_write.c:578
+ksys_write+0xe8/0x1a0 fs/read_write.c:631
+__do_sys_write fs/read_write.c:643 [inline]
+__se_sys_write fs/read_write.c:640 [inline]
+__x64_sys_write+0x3e/0x50 fs/read_write.c:640
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:
+page_is_pfmemalloc include/linux/mm.h:1740 [inline]
+__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]
+skb_fill_page_desc include/linux/skbuff.h:2443 [inline]
+tcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018
+do_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075
+tcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]
+tcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150
+inet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833
+kernel_sendpage+0x184/0x300 net/socket.c:3561
+sock_sendpage+0x5a/0x70 net/socket.c:1054
+pipe_to_sendpage+0x128/0x160 fs/splice.c:361
+splice_from_pipe_feed fs/splice.c:415 [inline]
+__splice_from_pipe+0x222/0x4d0 fs/splice.c:559
+splice_from_pipe fs/splice.c:594 [inline]
+generic_splice_sendpage+0x89/0xc0 fs/splice.c:743
+do_splice_from fs/splice.c:764 [inline]
+direct_splice_actor+0x80/0xa0 fs/splice.c:931
+splice_direct_to_actor+0x305/0x620 fs/splice.c:886
+do_splice_direct+0xfb/0x180 fs/splice.c:974
+do_sendfile+0x3bf/0x910 fs/read_write.c:1249
+__do_sys_sendfile64 fs/read_write.c:1317 [inline]
+__se_sys_sendfile64 fs/read_write.c:1303 [inline]
+__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x0000000000000000 -> 0xffffea0004a1d288
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
+
+Fixes: c07aea3ef4d4 ("mm: add a signature in struct page")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/linux/skbuff.h | 20 ++++++++++++++++++++
+ net/core/datagram.c | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 841e2f0f5240..051843e918c8 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2211,6 +2211,26 @@ static inline void skb_fill_page_desc(struct sk_buff *skb, int i,
+ skb_shinfo(skb)->nr_frags = i + 1;
+ }
+
++/**
++ * skb_fill_page_desc_noacc - initialise a paged fragment in an skb
++ * @skb: buffer containing fragment to be initialised
++ * @i: paged fragment index to initialise
++ * @page: the page to use for this fragment
++ * @off: the offset to the data with @page
++ * @size: the length of the data
++ *
++ * Variant of skb_fill_page_desc() which does not deal with
++ * pfmemalloc, if page is not owned by us.
++ */
++static inline void skb_fill_page_desc_noacc(struct sk_buff *skb, int i,
++ struct page *page, int off,
++ int size)
++{
++ struct skb_shared_info *shinfo = skb_shinfo(skb);
++
++ shinfo->nr_frags = i + 1;
++}
++
+ void skb_add_rx_frag(struct sk_buff *skb, int i, struct page *page, int off,
+ int size, unsigned int truesize);
+
+diff --git a/net/core/datagram.c b/net/core/datagram.c
+index 15ab9ffb27fe..28e5f921dcaf 100644
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -677,7 +677,7 @@ int __zerocopy_sg_from_iter(struct sock *sk, struct sk_buff *skb,
+ page_ref_sub(last_head, refs);
+ refs = 0;
+ }
+- skb_fill_page_desc(skb, frag++, head, start, size);
++ skb_fill_page_desc_noacc(skb, frag++, head, start, size);
+ }
+ if (refs)
+ page_ref_sub(last_head, refs);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index c86d27d653be..d066d780010d 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1002,7 +1002,7 @@ struct sk_buff *tcp_build_frag(struct sock *sk, int size_goal, int flags,
+ skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
+ } else {
+ get_page(page);
+- skb_fill_page_desc(skb, i, page, offset, copy);
++ skb_fill_page_desc_noacc(skb, i, page, offset, copy);
+ }
+
+ if (!(flags & MSG_NO_SHARED_FRAGS))
+--
+2.25.1
+
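Review bot: skb_fill_page_desc_noacc() as added in the include/linux/skbuff.h hunk only stores `shinfo->nr_frags = i + 1`; `page`, `off` and `size` are never written into the fragment slot. Both converted callers, __zerocopy_sg_from_iter() and tcp_build_frag(), therefore publish a fragment whose descriptor keeps whatever it held before, which risks a stale page pointer being transmitted or released later. The commit message itself names 84ce071e38a6 ("net: introduce __skb_fill_page_desc_noacc") as a prerequisite. Backport it and put `__skb_fill_page_desc_noacc(shinfo, i, page, off, size);` ahead of the nr_frags store, or fill the descriptor inline without the pfmemalloc test.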
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch
new file mode 100644
index 000000000..0c457f4a2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch
@@ -0,0 +1,48 @@
+From 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Tue, 24 Jan 2023 16:41:18 +0100
+Subject: ovl: fail on invalid uid/gid mapping at copy up
+
+If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then
+copy-up should fail, just like it would fail if the mounter task was doing
+the copy using "cp -a".
+
+There's a corner case where the "cp -a" would succeed but copy up fail: if
+there's a mapping of the invalid uid/gid (65534 by default) in the user
+namespace. This is because stat(2) will return this value if the mapping
+doesn't exist in the current user_ns and "cp -a" will in turn be able to
+create a file with this uid/gid.
+
+This behavior would be inconsistent with POSIX ACL's, which return -1 for
+invalid uid/gid which result in a failed copy.
+
+For consistency and simplicity fail the copy of the st_uid/st_gid are
+invalid.
+
+Fixes: 459c7c565ac3 ("ovl: unprivieged mounts")
+Cc: <stable@vger.kernel.org> # v5.11
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Reviewed-by: Seth Forshee <sforshee@kernel.org>
+---
+ fs/overlayfs/copy_up.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 140f2742074d4..c14e90764e356 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -1011,6 +1011,10 @@ static int ovl_copy_up_one(struct dentry *parent, struct dentry *dentry,
+ if (err)
+ return err;
+
++ if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) ||
++ !kgid_has_mapping(current_user_ns(), ctx.stat.gid))
++ return -EOVERFLOW;
++
+ ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
+
+ if (parent) {
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0458.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0458.patch
new file mode 100644
index 000000000..351debf21
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0458.patch
@@ -0,0 +1,34 @@
+From 739790605705ddcf18f21782b9c99ad7d53a8c11 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Jan 2023 11:03:20 +0100
+Subject: prlimit: do_prlimit needs to have a speculation check
+
+do_prlimit() adds the user-controlled resource value to a pointer that
+will subsequently be dereferenced. In order to help prevent this
+codepath from being used as a spectre "gadget" a barrier needs to be
+added after checking the range.
+
+Reported-by: Jordy Zomer <jordyzomer@google.com>
+Tested-by: Jordy Zomer <jordyzomer@google.com>
+Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sys.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 5fd54bf0e8867..88b31f096fb2d 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1442,6 +1442,8 @@ static int do_prlimit(struct task_struct *tsk, unsigned int resource,
+
+ if (resource >= RLIM_NLIMITS)
+ return -EINVAL;
++ resource = array_index_nospec(resource, RLIM_NLIMITS);
++
+ if (new_rlim) {
+ if (new_rlim->rlim_cur > new_rlim->rlim_max)
+ return -EINVAL;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2176.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2176.patch
new file mode 100644
index 000000000..093151077
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2176.patch
@@ -0,0 +1,317 @@
+From 8d037973d48c026224ab285e6a06985ccac6f7bf Mon Sep 17 00:00:00 2001
+From: Patrisious Haddad <phaddad@nvidia.com>
+Date: Wed, 4 Jan 2023 10:01:38 +0200
+Subject: RDMA/core: Refactor rdma_bind_addr
+
+Refactor rdma_bind_addr function so that it doesn't require that the
+cma destination address be changed before calling it.
+
+So now it will update the destination address internally only when it is
+really needed and after passing all the required checks.
+
+Which in turn results in a cleaner and more sensible call and error
+handling flows for the functions that call it directly or indirectly.
+
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Reviewed-by: Mark Zhang <markzhang@nvidia.com>
+Link: https://lore.kernel.org/r/3d0e9a2fd62bc10ba02fed1c7c48a48638952320.1672819273.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 245 ++++++++++++++++++----------------
+ 1 file changed, 130 insertions(+), 115 deletions(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 704ce595542c..5d673dfa117a 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -3357,113 +3357,6 @@ static int cma_resolve_ib_addr(struct rdma_id_private *id_priv)
+ return ret;
+ }
+
+-static int cma_bind_addr(struct rdma_cm_id *id, struct sockaddr *src_addr,
+- const struct sockaddr *dst_addr)
+-{
+- if (!src_addr || !src_addr->sa_family) {
+- src_addr = (struct sockaddr *) &id->route.addr.src_addr;
+- src_addr->sa_family = dst_addr->sa_family;
+- if (IS_ENABLED(CONFIG_IPV6) &&
+- dst_addr->sa_family == AF_INET6) {
+- struct sockaddr_in6 *src_addr6 = (struct sockaddr_in6 *) src_addr;
+- struct sockaddr_in6 *dst_addr6 = (struct sockaddr_in6 *) dst_addr;
+- src_addr6->sin6_scope_id = dst_addr6->sin6_scope_id;
+- if (ipv6_addr_type(&dst_addr6->sin6_addr) & IPV6_ADDR_LINKLOCAL)
+- id->route.addr.dev_addr.bound_dev_if = dst_addr6->sin6_scope_id;
+- } else if (dst_addr->sa_family == AF_IB) {
+- ((struct sockaddr_ib *) src_addr)->sib_pkey =
+- ((struct sockaddr_ib *) dst_addr)->sib_pkey;
+- }
+- }
+- return rdma_bind_addr(id, src_addr);
+-}
+-
+-/*
+- * If required, resolve the source address for bind and leave the id_priv in
+- * state RDMA_CM_ADDR_BOUND. This oddly uses the state to determine the prior
+- * calls made by ULP, a previously bound ID will not be re-bound and src_addr is
+- * ignored.
+- */
+-static int resolve_prepare_src(struct rdma_id_private *id_priv,
+- struct sockaddr *src_addr,
+- const struct sockaddr *dst_addr)
+-{
+- int ret;
+-
+- memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr));
+- if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY)) {
+- /* For a well behaved ULP state will be RDMA_CM_IDLE */
+- ret = cma_bind_addr(&id_priv->id, src_addr, dst_addr);
+- if (ret)
+- goto err_dst;
+- if (WARN_ON(!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND,
+- RDMA_CM_ADDR_QUERY))) {
+- ret = -EINVAL;
+- goto err_dst;
+- }
+- }
+-
+- if (cma_family(id_priv) != dst_addr->sa_family) {
+- ret = -EINVAL;
+- goto err_state;
+- }
+- return 0;
+-
+-err_state:
+- cma_comp_exch(id_priv, RDMA_CM_ADDR_QUERY, RDMA_CM_ADDR_BOUND);
+-err_dst:
+- memset(cma_dst_addr(id_priv), 0, rdma_addr_size(dst_addr));
+- return ret;
+-}
+-
+-int rdma_resolve_addr(struct rdma_cm_id *id, struct sockaddr *src_addr,
+- const struct sockaddr *dst_addr, unsigned long timeout_ms)
+-{
+- struct rdma_id_private *id_priv =
+- container_of(id, struct rdma_id_private, id);
+- int ret;
+-
+- ret = resolve_prepare_src(id_priv, src_addr, dst_addr);
+- if (ret)
+- return ret;
+-
+- if (cma_any_addr(dst_addr)) {
+- ret = cma_resolve_loopback(id_priv);
+- } else {
+- if (dst_addr->sa_family == AF_IB) {
+- ret = cma_resolve_ib_addr(id_priv);
+- } else {
+- /*
+- * The FSM can return back to RDMA_CM_ADDR_BOUND after
+- * rdma_resolve_ip() is called, eg through the error
+- * path in addr_handler(). If this happens the existing
+- * request must be canceled before issuing a new one.
+- * Since canceling a request is a bit slow and this
+- * oddball path is rare, keep track once a request has
+- * been issued. The track turns out to be a permanent
+- * state since this is the only cancel as it is
+- * immediately before rdma_resolve_ip().
+- */
+- if (id_priv->used_resolve_ip)
+- rdma_addr_cancel(&id->route.addr.dev_addr);
+- else
+- id_priv->used_resolve_ip = 1;
+- ret = rdma_resolve_ip(cma_src_addr(id_priv), dst_addr,
+- &id->route.addr.dev_addr,
+- timeout_ms, addr_handler,
+- false, id_priv);
+- }
+- }
+- if (ret)
+- goto err;
+-
+- return 0;
+-err:
+- cma_comp_exch(id_priv, RDMA_CM_ADDR_QUERY, RDMA_CM_ADDR_BOUND);
+- return ret;
+-}
+-EXPORT_SYMBOL(rdma_resolve_addr);
+-
+ int rdma_set_reuseaddr(struct rdma_cm_id *id, int reuse)
+ {
+ struct rdma_id_private *id_priv;
+@@ -3866,27 +3759,26 @@ int rdma_listen(struct rdma_cm_id *id, int backlog)
+ }
+ EXPORT_SYMBOL(rdma_listen);
+
+-int rdma_bind_addr(struct rdma_cm_id *id, struct sockaddr *addr)
++static int rdma_bind_addr_dst(struct rdma_id_private *id_priv,
++ struct sockaddr *addr, const struct sockaddr *daddr)
+ {
+- struct rdma_id_private *id_priv;
++ struct sockaddr *id_daddr;
+ int ret;
+- struct sockaddr *daddr;
+
+ if (addr->sa_family != AF_INET && addr->sa_family != AF_INET6 &&
+ addr->sa_family != AF_IB)
+ return -EAFNOSUPPORT;
+
+- id_priv = container_of(id, struct rdma_id_private, id);
+ if (!cma_comp_exch(id_priv, RDMA_CM_IDLE, RDMA_CM_ADDR_BOUND))
+ return -EINVAL;
+
+- ret = cma_check_linklocal(&id->route.addr.dev_addr, addr);
++ ret = cma_check_linklocal(&id_priv->id.route.addr.dev_addr, addr);
+ if (ret)
+ goto err1;
+
+ memcpy(cma_src_addr(id_priv), addr, rdma_addr_size(addr));
+ if (!cma_any_addr(addr)) {
+- ret = cma_translate_addr(addr, &id->route.addr.dev_addr);
++ ret = cma_translate_addr(addr, &id_priv->id.route.addr.dev_addr);
+ if (ret)
+ goto err1;
+
+@@ -3906,8 +3798,10 @@ int rdma_bind_addr(struct rdma_cm_id *id, struct sockaddr *addr)
+ }
+ #endif
+ }
+- daddr = cma_dst_addr(id_priv);
+- daddr->sa_family = addr->sa_family;
++ id_daddr = cma_dst_addr(id_priv);
++ if (daddr != id_daddr)
++ memcpy(id_daddr, daddr, rdma_addr_size(addr));
++ id_daddr->sa_family = addr->sa_family;
+
+ ret = cma_get_port(id_priv);
+ if (ret)
+@@ -3923,6 +3817,127 @@ int rdma_bind_addr(struct rdma_cm_id *id, struct sockaddr *addr)
+ cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_IDLE);
+ return ret;
+ }
++
++static int cma_bind_addr(struct rdma_cm_id *id, struct sockaddr *src_addr,
++ const struct sockaddr *dst_addr)
++{
++ struct rdma_id_private *id_priv =
++ container_of(id, struct rdma_id_private, id);
++ struct sockaddr_storage zero_sock = {};
++
++ if (src_addr && src_addr->sa_family)
++ return rdma_bind_addr_dst(id_priv, src_addr, dst_addr);
++
++ /*
++ * When the src_addr is not specified, automatically supply an any addr
++ */
++ zero_sock.ss_family = dst_addr->sa_family;
++ if (IS_ENABLED(CONFIG_IPV6) && dst_addr->sa_family == AF_INET6) {
++ struct sockaddr_in6 *src_addr6 =
++ (struct sockaddr_in6 *)&zero_sock;
++ struct sockaddr_in6 *dst_addr6 =
++ (struct sockaddr_in6 *)dst_addr;
++
++ src_addr6->sin6_scope_id = dst_addr6->sin6_scope_id;
++ if (ipv6_addr_type(&dst_addr6->sin6_addr) & IPV6_ADDR_LINKLOCAL)
++ id->route.addr.dev_addr.bound_dev_if =
++ dst_addr6->sin6_scope_id;
++ } else if (dst_addr->sa_family == AF_IB) {
++ ((struct sockaddr_ib *)&zero_sock)->sib_pkey =
++ ((struct sockaddr_ib *)dst_addr)->sib_pkey;
++ }
++ return rdma_bind_addr_dst(id_priv, (struct sockaddr *)&zero_sock, dst_addr);
++}
++
++/*
++ * If required, resolve the source address for bind and leave the id_priv in
++ * state RDMA_CM_ADDR_BOUND. This oddly uses the state to determine the prior
++ * calls made by ULP, a previously bound ID will not be re-bound and src_addr is
++ * ignored.
++ */
++static int resolve_prepare_src(struct rdma_id_private *id_priv,
++ struct sockaddr *src_addr,
++ const struct sockaddr *dst_addr)
++{
++ int ret;
++
++ if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND, RDMA_CM_ADDR_QUERY)) {
++ /* For a well behaved ULP state will be RDMA_CM_IDLE */
++ ret = cma_bind_addr(&id_priv->id, src_addr, dst_addr);
++ if (ret)
++ return ret;
++ if (WARN_ON(!cma_comp_exch(id_priv, RDMA_CM_ADDR_BOUND,
++ RDMA_CM_ADDR_QUERY)))
++ return -EINVAL;
++
++ }
++
++ if (cma_family(id_priv) != dst_addr->sa_family) {
++ ret = -EINVAL;
++ goto err_state;
++ }
++ return 0;
++
++err_state:
++ cma_comp_exch(id_priv, RDMA_CM_ADDR_QUERY, RDMA_CM_ADDR_BOUND);
++ return ret;
++}
++
++int rdma_resolve_addr(struct rdma_cm_id *id, struct sockaddr *src_addr,
++ const struct sockaddr *dst_addr, unsigned long timeout_ms)
++{
++ struct rdma_id_private *id_priv =
++ container_of(id, struct rdma_id_private, id);
++ int ret;
++
++ ret = resolve_prepare_src(id_priv, src_addr, dst_addr);
++ if (ret)
++ return ret;
++
++ if (cma_any_addr(dst_addr)) {
++ ret = cma_resolve_loopback(id_priv);
++ } else {
++ if (dst_addr->sa_family == AF_IB) {
++ ret = cma_resolve_ib_addr(id_priv);
++ } else {
++ /*
++ * The FSM can return back to RDMA_CM_ADDR_BOUND after
++ * rdma_resolve_ip() is called, eg through the error
++ * path in addr_handler(). If this happens the existing
++ * request must be canceled before issuing a new one.
++ * Since canceling a request is a bit slow and this
++ * oddball path is rare, keep track once a request has
++ * been issued. The track turns out to be a permanent
++ * state since this is the only cancel as it is
++ * immediately before rdma_resolve_ip().
++ */
++ if (id_priv->used_resolve_ip)
++ rdma_addr_cancel(&id->route.addr.dev_addr);
++ else
++ id_priv->used_resolve_ip = 1;
++ ret = rdma_resolve_ip(cma_src_addr(id_priv), dst_addr,
++ &id->route.addr.dev_addr,
++ timeout_ms, addr_handler,
++ false, id_priv);
++ }
++ }
++ if (ret)
++ goto err;
++
++ return 0;
++err:
++ cma_comp_exch(id_priv, RDMA_CM_ADDR_QUERY, RDMA_CM_ADDR_BOUND);
++ return ret;
++}
++EXPORT_SYMBOL(rdma_resolve_addr);
++
++int rdma_bind_addr(struct rdma_cm_id *id, struct sockaddr *addr)
++{
++ struct rdma_id_private *id_priv =
++ container_of(id, struct rdma_id_private, id);
++
++ return rdma_bind_addr_dst(id_priv, addr, cma_dst_addr(id_priv));
++}
+ EXPORT_SYMBOL(rdma_bind_addr);
+
+ static int cma_format_hdr(void *hdr, struct rdma_id_private *id_priv)
+--
+cgit 1.2.3-korg
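Review bot: After this refactor resolve_prepare_src() no longer stores dst_addr when the ID is already in RDMA_CM_ADDR_BOUND. The removed version copied it into cma_dst_addr(id_priv) unconditionally, while the new one only does so inside rdma_bind_addr_dst(), which is reached only when the first cma_comp_exch() fails. A caller that does rdma_bind_addr() followed by rdma_resolve_addr() would then leave the ID's stored destination address stale or zeroed. An `else` branch on that first `if` with `memcpy(cma_dst_addr(id_priv), dst_addr, rdma_addr_size(dst_addr));` restores the old behaviour. It is also worth checking whether upstream carries a follow-up to this refactor and pulling it in alongside.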
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2235.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2235.patch
new file mode 100644
index 000000000..7271d470c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2235.patch
@@ -0,0 +1,35 @@
+From fd0815f632c24878e325821943edccc7fde947a2 Mon Sep 17 00:00:00 2001
+From: Budimir Markovic <markovicbudimir@gmail.com>
+Date: Wed, 15 Mar 2023 00:29:01 -0700
+Subject: perf: Fix check before add_event_to_groups() in perf_group_detach()
+
+Events should only be added to a groups rb tree if they have not been
+removed from their context by list_del_event(). Since remove_on_exec
+made it possible to call list_del_event() on individual events before
+they are detached from their group, perf_group_detach() should check each
+sibling's attach_state before calling add_event_to_groups() on it.
+
+Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec")
+Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/ZBFzvQV9tEqoHEtH@gentoo
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 52b4aa0b3bd17..fb3e436bcd4ac 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -2163,7 +2163,7 @@ static void perf_group_detach(struct perf_event *event)
+ /* Inherit group flags from the previous leader */
+ sibling->group_caps = event->group_caps;
+
+- if (!RB_EMPTY_NODE(&event->group_node)) {
++ if (sibling->attach_state & PERF_ATTACH_CONTEXT) {
+ add_event_to_groups(sibling, event->ctx);
+
+ if (sibling->state == PERF_EVENT_STATE_ACTIVE)
+--
+cgit 1.2.3-korg
+
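Review bot: The header of the new CVE-2023-2235.patch, between the `Link:` trailer and the `---` line, has no `Upstream-Status:` tag, which Yocto/OE patch conventions expect on carried patches so that a later kernel uprev can tell which ones to drop. I would add `Upstream-Status: Backport [<upstream commit URL>]` and `CVE: CVE-2023-2235` there; the file name already carries the CVE id, but the tag makes the provenance auditable. The same applies to the other linux-aspeed patch files added below (CVE-2023-2860, CVE-2023-31085, CVE-2023-34256, CVE-2023-4004, CVE-2023-42754, CVE-2023-45863, CVE-2023-5178, CVE-2023-52435, CVE-2023-52449). Whether the kernel recipe lists each of these files in SRC_URI is not visible in this part of the page and is worth confirming, because an unlisted patch is not applied.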
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2860.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2860.patch
new file mode 100644
index 000000000..2b0c387d7
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2860.patch
@@ -0,0 +1,73 @@
+From 84a53580c5d2138c7361c7c3eea5b31827e63b35 Mon Sep 17 00:00:00 2001
+From: David Lebrun <dlebrun@google.com>
+Date: Fri, 2 Sep 2022 10:45:06 +0100
+Subject: ipv6: sr: fix out-of-bounds read when setting HMAC data.
+
+The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
+Segment Routing Headers. This configuration is realised via netlink through
+four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
+SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
+length of the SECRET attribute, it is possible to provide invalid combinations
+(e.g., secret = "", secretlen = 64). This case is not checked in the code and
+with an appropriately crafted netlink message, an out-of-bounds read of up
+to 64 bytes (max secret length) can occur past the skb end pointer and into
+skb_shared_info:
+
+Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
+208 memcpy(hinfo->secret, secret, slen);
+(gdb) bt
+ #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
+ #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
+ extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
+ family=<optimized out>) at net/netlink/genetlink.c:731
+ #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
+ family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
+ #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
+ #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
+ at net/netlink/af_netlink.c:2501
+ #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
+ #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
+ at net/netlink/af_netlink.c:1319
+ #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
+ at net/netlink/af_netlink.c:1345
+ #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
+...
+(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
+$1 = 0xffff88800b1b76c0
+(gdb) p/x secret
+$2 = 0xffff88800b1b76c0
+(gdb) p slen
+$3 = 64 '@'
+
+The OOB data can then be read back from userspace by dumping HMAC state. This
+commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
+SECRET.
+
+Reported-by: Lucas Leong <wmliang.tw@gmail.com>
+Tested: verified that EINVAL is correctly returned when secretlen > len(secret)
+Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure")
+Signed-off-by: David Lebrun <dlebrun@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv6/seg6.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index 73aaabf0e9665..0b0e34ddc64e0 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -191,6 +191,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
+ goto out_unlock;
+ }
+
++ if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
++
+ if (hinfo) {
+ err = seg6_hmac_info_del(net, hmackeyid);
+ if (err)
+--
+cgit
+
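Review bot: The added bounds check calls `nla_len(info->attrs[SEG6_ATTR_SECRET])`, so it depends on that attribute having already been verified as present. The context lines just above look like the tail of such a check, but its condition is outside the hunk and should be confirmed on the target tree. A short comment would record why the check exists, for example `/* SECRETLEN is sent separately from SECRET; reject a length larger than the attribute payload */`. The body of seg6_genl_sethmac() starts and ends outside the hunk.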
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-31085.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-31085.patch
new file mode 100644
index 000000000..ddf4ded54
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-31085.patch
@@ -0,0 +1,40 @@
+From 017c73a34a661a861712f7cc1393a123e5b2208c Mon Sep 17 00:00:00 2001
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+Date: Sun, 23 Apr 2023 19:10:41 +0800
+Subject: ubi: Refuse attaching if mtd's erasesize is 0
+
+There exists mtd devices with zero erasesize, which will trigger a
+divide-by-zero exception while attaching ubi device.
+Fix it by refusing attaching if mtd's erasesize is 0.
+
+Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
+Reported-by: Yu Hao <yhao016@ucr.edu>
+Link: https://lore.kernel.org/lkml/977347543.226888.1682011999468.JavaMail.zimbra@nod.at/T/
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+---
+ drivers/mtd/ubi/build.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
+index 8b91a55ec0d28..8ee51e49fced5 100644
+--- a/drivers/mtd/ubi/build.c
++++ b/drivers/mtd/ubi/build.c
+@@ -894,6 +894,13 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num,
+ return -EINVAL;
+ }
+
++ /* UBI cannot work on flashes with zero erasesize. */
++ if (!mtd->erasesize) {
++ pr_err("ubi: refuse attaching mtd%d - zero erasesize flash is not supported\n",
++ mtd->index);
++ return -EINVAL;
++ }
++
+ if (ubi_num == UBI_DEV_NUM_AUTO) {
+ /* Search for an empty slot in the @ubi_devices array */
+ for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
+--
+cgit
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch
new file mode 100644
index 000000000..60dc63406
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch
@@ -0,0 +1,99 @@
+From 4f04351888a83e595571de672e0a4a8b74f4fb31 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Thu, 4 May 2023 12:15:25 +0000
+Subject: ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
+
+When modifying the block device while it is mounted by the filesystem,
+syzbot reported the following:
+
+BUG: KASAN: slab-out-of-bounds in crc16+0x206/0x280 lib/crc16.c:58
+Read of size 1 at addr ffff888075f5c0a8 by task syz-executor.2/15586
+
+CPU: 1 PID: 15586 Comm: syz-executor.2 Not tainted 6.2.0-rc5-syzkaller-00205-gc96618275234 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x1b1/0x290 lib/dump_stack.c:106
+ print_address_description+0x74/0x340 mm/kasan/report.c:306
+ print_report+0x107/0x1f0 mm/kasan/report.c:417
+ kasan_report+0xcd/0x100 mm/kasan/report.c:517
+ crc16+0x206/0x280 lib/crc16.c:58
+ ext4_group_desc_csum+0x81b/0xb20 fs/ext4/super.c:3187
+ ext4_group_desc_csum_set+0x195/0x230 fs/ext4/super.c:3210
+ ext4_mb_clear_bb fs/ext4/mballoc.c:6027 [inline]
+ ext4_free_blocks+0x191a/0x2810 fs/ext4/mballoc.c:6173
+ ext4_remove_blocks fs/ext4/extents.c:2527 [inline]
+ ext4_ext_rm_leaf fs/ext4/extents.c:2710 [inline]
+ ext4_ext_remove_space+0x24ef/0x46a0 fs/ext4/extents.c:2958
+ ext4_ext_truncate+0x177/0x220 fs/ext4/extents.c:4416
+ ext4_truncate+0xa6a/0xea0 fs/ext4/inode.c:4342
+ ext4_setattr+0x10c8/0x1930 fs/ext4/inode.c:5622
+ notify_change+0xe50/0x1100 fs/attr.c:482
+ do_truncate+0x200/0x2f0 fs/open.c:65
+ handle_truncate fs/namei.c:3216 [inline]
+ do_open fs/namei.c:3561 [inline]
+ path_openat+0x272b/0x2dd0 fs/namei.c:3714
+ do_filp_open+0x264/0x4f0 fs/namei.c:3741
+ do_sys_openat2+0x124/0x4e0 fs/open.c:1310
+ do_sys_open fs/open.c:1326 [inline]
+ __do_sys_creat fs/open.c:1402 [inline]
+ __se_sys_creat fs/open.c:1396 [inline]
+ __x64_sys_creat+0x11f/0x160 fs/open.c:1396
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+RIP: 0033:0x7f72f8a8c0c9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f72f97e3168 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
+RAX: ffffffffffffffda RBX: 00007f72f8bac050 RCX: 00007f72f8a8c0c9
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000280
+RBP: 00007f72f8ae7ae9 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffd165348bf R14: 00007f72f97e3300 R15: 0000000000022000
+
+Replace
+ le16_to_cpu(sbi->s_es->s_desc_size)
+with
+ sbi->s_desc_size
+
+It reduces ext4's compiled text size, and makes the code more efficient
+(we remove an extra indirect reference and a potential byte
+swap on big endian systems), and there is no downside. It also avoids the
+potential KASAN / syzkaller failure, as a bonus.
+
+Reported-by: syzbot+fc51227e7100c9294894@syzkaller.appspotmail.com
+Reported-by: syzbot+8785e41224a3afd04321@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?id=70d28d11ab14bd7938f3e088365252aa923cff42
+Link: https://syzkaller.appspot.com/bug?id=b85721b38583ecc6b5e72ff524c67302abbc30f3
+Link: https://lore.kernel.org/all/000000000000ece18705f3b20934@google.com/
+Fixes: 717d50e4971b ("Ext4: Uninitialized Block Groups")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/r/20230504121525.3275886-1-tudor.ambarus@linaro.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ fs/ext4/super.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 4037c8611c02e..425b95a7a0ab6 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3240,11 +3240,9 @@ static __le16 ext4_group_desc_csum(struct super_block *sb, __u32 block_group,
+ crc = crc16(crc, (__u8 *)gdp, offset);
+ offset += sizeof(gdp->bg_checksum); /* skip checksum */
+ /* for checksum of struct ext4_group_desc do the rest...*/
+- if (ext4_has_feature_64bit(sb) &&
+- offset < le16_to_cpu(sbi->s_es->s_desc_size))
++ if (ext4_has_feature_64bit(sb) && offset < sbi->s_desc_size)
+ crc = crc16(crc, (__u8 *)gdp + offset,
+- le16_to_cpu(sbi->s_es->s_desc_size) -
+- offset);
++ sbi->s_desc_size - offset);
+
+ out:
+ return cpu_to_le16(crc);
+--
+cgit 1.2.3-korg
+
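Review bot: The new bound `sbi->s_desc_size` in ext4_group_desc_csum() is only as safe as the validation done when that field is filled in, and that code is not part of this hunk. On the backport target it is worth confirming that the mount path range-checks the descriptor size before caching it. A comment on the changed condition would keep the reason from being lost, for example `/* use the size cached at mount; the on-disk superblock can be modified underneath us */`. The function body starts outside the hunk.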
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch
new file mode 100644
index 000000000..d1498f247
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch
@@ -0,0 +1,58 @@
+From 87b5a5c209405cb6b57424cdfa226a6dbd349232 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 19 Jul 2023 21:08:21 +0200
+Subject: netfilter: nft_set_pipapo: fix improper element removal
+
+end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
+
+Its possible to add elements that only have a start key
+("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
+
+Insertion treats this via:
+
+if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
+ end = (const u8 *)nft_set_ext_key_end(ext)->data;
+else
+ end = start;
+
+but removal side always uses nft_set_ext_key_end().
+This is wrong and leads to garbage remaining in the set after removal
+next lookup/insert attempt will give:
+
+BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
+Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
+Call Trace:
+ kasan_report+0x105/0x140
+ pipapo_get+0x8eb/0xb90
+ nft_pipapo_insert+0x1dc/0x1710
+ nf_tables_newsetelem+0x31f5/0x4e00
+ ..
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: lonial con <kongln9170@gmail.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ net/netfilter/nft_set_pipapo.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index db526cb7a4858..49915a2a58eb7 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1929,7 +1929,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
+ int i, start, rules_fx;
+
+ match_start = data;
+- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++
++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
++ else
++ match_end = data;
+
+ start = first_rule;
+ rules_fx = rules_f0;
+--
+cgit
+
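Review bot: The end-key selection added to nft_pipapo_remove() repeats the if/else that the commit message quotes from the insertion path, so the two copies can drift apart again. A small static helper that returns the end key of an element, or the start key when NFT_SET_EXT_KEY_END is absent, used by both paths, would avoid that. As a minimum for a backport I would add `/* no KEY_END extension: single key, end == start, as on insert */` above the `else` branch. The function body starts and ends outside the hunk.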
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-42754.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-42754.patch
new file mode 100644
index 000000000..f16fa3f86
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-42754.patch
@@ -0,0 +1,48 @@
+From 0113d9c9d1ccc07f5a3710dac4aa24b6d711278c Mon Sep 17 00:00:00 2001
+From: Kyle Zeng <zengyhkyle@gmail.com>
+Date: Thu, 14 Sep 2023 22:12:57 -0700
+Subject: ipv4: fix null-deref in ipv4_link_failure
+
+Currently, we assume the skb is associated with a device before calling
+__ip_options_compile, which is not always the case if it is re-routed by
+ipvs.
+When skb->dev is NULL, dev_net(skb->dev) will become null-dereference.
+This patch adds a check for the edge case and switch to use the net_device
+from the rtable when skb->dev is NULL.
+
+Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
+Suggested-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Cc: Vadim Fedorenko <vfedorenko@novek.ru>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/ipv4/route.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 66f419e7f9a7f..a570622832196 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1213,6 +1213,7 @@ EXPORT_INDIRECT_CALLABLE(ipv4_dst_check);
+
+ static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ {
++ struct net_device *dev;
+ struct ip_options opt;
+ int res;
+
+@@ -1230,7 +1231,8 @@ static void ipv4_send_dest_unreach(struct sk_buff *skb)
+ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
+
+ rcu_read_lock();
+- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
++ dev = skb->dev ? skb->dev : skb_rtable(skb)->dst.dev;
++ res = __ip_options_compile(dev_net(dev), &opt, skb, NULL);
+ rcu_read_unlock();
+
+ if (res)
+--
+cgit 1.2.3-korg
+
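Review bot: The fallback `skb_rtable(skb)->dst.dev` in ipv4_send_dest_unreach() dereferences the route without a NULL check, so the fix holds only if every caller reaches this point with a dst attached to the skb. That guarantee is not visible in the hunk and should be confirmed on the target tree. If it holds, stating it next to the new line is enough, for example `/* ipvs may re-route with skb->dev == NULL; a dst is assumed to be attached here */`. The function body continues outside the second hunk.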
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-45863.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-45863.patch
new file mode 100644
index 000000000..217b45022
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-45863.patch
@@ -0,0 +1,143 @@
+From 3bb2a01caa813d3a1845d378bbe4169ef280d394 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Tue, 20 Dec 2022 09:21:43 +0800
+Subject: kobject: Fix slab-out-of-bounds in fill_kobj_path()
+
+In kobject_get_path(), if kobj->name is changed between calls
+get_kobj_path_length() and fill_kobj_path() and the length becomes
+longer, then fill_kobj_path() will have an out-of-bounds bug.
+
+The actual current problem occurs when the ixgbe probe.
+
+In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name
+length becomes longer, out-of-bounds will occur.
+
+cpu0 cpu1
+ixgbe_probe
+ register_netdev(netdev)
+ netdev_register_kobject
+ device_add
+ kobject_uevent // Sending ADD events
+ systemd-udevd // rename netdev
+ dev_change_name
+ device_rename
+ kobject_rename
+ ixgbe_mii_bus_init |
+ mdiobus_register |
+ __mdiobus_register |
+ device_register |
+ device_add |
+ kobject_uevent |
+ kobject_get_path |
+ len = get_kobj_path_length // old name |
+ path = kzalloc(len, gfp_mask); |
+ kobj->name = name;
+ /* name length becomes
+ * longer
+ */
+ fill_kobj_path /* kobj path length is
+ * longer than path,
+ * resulting in out of
+ * bounds when filling path
+ */
+
+This is the kasan report:
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0
+Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673
+
+ Workqueue: events work_for_cpu_fn
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x34/0x48
+ print_address_description.constprop.0+0x86/0x1e7
+ print_report+0x36/0x4f
+ kasan_report+0xad/0x130
+ kasan_check_range+0x35/0x1c0
+ memcpy+0x39/0x60
+ fill_kobj_path+0x50/0xc0
+ kobject_get_path+0x5a/0xc0
+ kobject_uevent_env+0x140/0x460
+ device_add+0x5c7/0x910
+ __mdiobus_register+0x14e/0x490
+ ixgbe_probe.cold+0x441/0x574 [ixgbe]
+ local_pci_probe+0x78/0xc0
+ work_for_cpu_fn+0x26/0x40
+ process_one_work+0x3b6/0x6a0
+ worker_thread+0x368/0x520
+ kthread+0x165/0x1a0
+ ret_from_fork+0x1f/0x30
+
+This reproducer triggers that bug:
+
+while:
+do
+ rmmod ixgbe
+ sleep 0.5
+ modprobe ixgbe
+ sleep 0.5
+
+When calling fill_kobj_path() to fill path, if the name length of
+kobj becomes longer, return failure and retry. This fixes the problem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/kobject.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/kobject.c b/lib/kobject.c
+index ea53b30cf483..a2604e0fc66b 100644
+--- a/lib/kobject.c
++++ b/lib/kobject.c
+@@ -144,7 +144,7 @@ static int get_kobj_path_length(struct kobject *kobj)
+ return length;
+ }
+
+-static void fill_kobj_path(struct kobject *kobj, char *path, int length)
++static int fill_kobj_path(struct kobject *kobj, char *path, int length)
+ {
+ struct kobject *parent;
+
+@@ -153,12 +153,16 @@ static void fill_kobj_path(struct kobject *kobj, char *path, int length)
+ int cur = strlen(kobject_name(parent));
+ /* back up enough to print this name with '/' */
+ length -= cur;
++ if (length <= 0)
++ return -EINVAL;
+ memcpy(path + length, kobject_name(parent), cur);
+ *(path + --length) = '/';
+ }
+
+ pr_debug("kobject: '%s' (%p): %s: path = '%s'\n", kobject_name(kobj),
+ kobj, __func__, path);
++
++ return 0;
+ }
+
+ /**
+@@ -173,13 +177,17 @@ char *kobject_get_path(struct kobject *kobj, gfp_t gfp_mask)
+ char *path;
+ int len;
+
++retry:
+ len = get_kobj_path_length(kobj);
+ if (len == 0)
+ return NULL;
+ path = kzalloc(len, gfp_mask);
+ if (!path)
+ return NULL;
+- fill_kobj_path(kobj, path, len);
++ if (fill_kobj_path(kobj, path, len)) {
++ kfree(path);
++ goto retry;
++ }
+
+ return path;
+ }
+--
+cgit 1.2.3-korg
+
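Review bot: The `goto retry` added to kobject_get_path() has no bound and no comment, so a reader cannot tell that it recovers from a concurrent rename and ends only once the name stops growing between get_kobj_path_length() and fill_kobj_path(). I would add `/* kobj name grew after the length was computed; recompute and refill */` above the `goto retry`, and consider whether a bounded retry count suits this tree. The -EINVAL returned by fill_kobj_path() is never propagated, since every failure is treated as a retry, which is worth stating in a comment on the helper.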
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-5178.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-5178.patch
new file mode 100644
index 000000000..6265d8c36
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-5178.patch
@@ -0,0 +1,61 @@
+From d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd Mon Sep 17 00:00:00 2001
+From: Sagi Grimberg <sagi@grimberg.me>
+Date: Mon, 2 Oct 2023 13:54:28 +0300
+Subject: nvmet-tcp: Fix a possible UAF in queue intialization setup
+
+From Alon:
+"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
+a malicious user can cause a UAF and a double free, which may lead to
+RCE (may also lead to an LPE in case the attacker already has local
+privileges)."
+
+Hence, when a queue initialization fails after the ahash requests are
+allocated, it is guaranteed that the queue removal async work will be
+called, hence leave the deallocation to the queue removal.
+
+Also, be extra careful not to continue processing the socket, so set
+queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
+Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index cd92d7ddf5ed1..197fc2ecb164d 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -372,6 +372,7 @@ static void nvmet_tcp_fatal_error(struct nvmet_tcp_queue *queue)
+
+ static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
+ {
++ queue->rcv_state = NVMET_TCP_RECV_ERR;
+ if (status == -EPIPE || status == -ECONNRESET)
+ kernel_sock_shutdown(queue->sock, SHUT_RDWR);
+ else
+@@ -910,15 +911,11 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
+ iov.iov_len = sizeof(*icresp);
+ ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
+ if (ret < 0)
+- goto free_crypto;
++ return ret; /* queue removal will cleanup */
+
+ queue->state = NVMET_TCP_Q_LIVE;
+ nvmet_prepare_receive_pdu(queue);
+ return 0;
+-free_crypto:
+- if (queue->hdr_digest || queue->data_digest)
+- nvmet_tcp_free_crypto(queue);
+- return ret;
+ }
+
+ static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
+--
+cgit 1.2.3-korg
+
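Review bot: The early `return ret;` in nvmet_tcp_handle_icreq() relies on an ownership rule that the inline comment only hints at. According to the commit message, the ahash state is released by the queue removal work, and freeing it here as well led to the use-after-free and double free. A fuller comment would protect the rule from a later cleanup, for example `/* do not free crypto here: queue removal owns it, a second free is a double free */`. The function starts outside the hunk, so the allocation that pairs with this is not visible.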
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52435.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52435.patch
new file mode 100644
index 000000000..bd9549c73
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52435.patch
@@ -0,0 +1,115 @@
+From 6c53e8547687d9c767c139cd4b50af566f58c29a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Tue, 12 Dec 2023 16:46:21 +0000
+Subject: net: prevent mss overflow in skb_segment()
+
+commit 23d05d563b7e7b0314e65c8e882bc27eac2da8e7 upstream.
+
+Once again syzbot is able to crash the kernel in skb_segment() [1]
+
+GSO_BY_FRAGS is a forbidden value, but unfortunately the following
+computation in skb_segment() can reach it quite easily :
+
+ mss = mss * partial_segs;
+
+65535 = 3 * 5 * 17 * 257, so many initial values of mss can lead to
+a bad final result.
+
+Make sure to limit segmentation so that the new mss value is smaller
+than GSO_BY_FRAGS.
+
+[1]
+
+general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
+CPU: 1 PID: 5079 Comm: syz-executor993 Not tainted 6.7.0-rc4-syzkaller-00141-g1ae4cd3cbdd0 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
+RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
+Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
+RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
+RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
+RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
+R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
+FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<TASK>
+udp6_ufo_fragment+0xa0e/0xd00 net/ipv6/udp_offload.c:109
+ipv6_gso_segment+0x534/0x17e0 net/ipv6/ip6_offload.c:120
+skb_mac_gso_segment+0x290/0x610 net/core/gso.c:53
+__skb_gso_segment+0x339/0x710 net/core/gso.c:124
+skb_gso_segment include/net/gso.h:83 [inline]
+validate_xmit_skb+0x36c/0xeb0 net/core/dev.c:3626
+__dev_queue_xmit+0x6f3/0x3d60 net/core/dev.c:4338
+dev_queue_xmit include/linux/netdevice.h:3134 [inline]
+packet_xmit+0x257/0x380 net/packet/af_packet.c:276
+packet_snd net/packet/af_packet.c:3087 [inline]
+packet_sendmsg+0x24c6/0x5220 net/packet/af_packet.c:3119
+sock_sendmsg_nosec net/socket.c:730 [inline]
+__sock_sendmsg+0xd5/0x180 net/socket.c:745
+__sys_sendto+0x255/0x340 net/socket.c:2190
+__do_sys_sendto net/socket.c:2202 [inline]
+__se_sys_sendto net/socket.c:2198 [inline]
+__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
+do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
+entry_SYSCALL_64_after_hwframe+0x63/0x6b
+RIP: 0033:0x7f8692032aa9
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff8d685418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8692032aa9
+RDX: 0000000000010048 RSI: 00000000200000c0 RDI: 0000000000000003
+RBP: 00000000000f4240 R08: 0000000020000540 R09: 0000000000000014
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff8d685480
+R13: 0000000000000001 R14: 00007fff8d685480 R15: 0000000000000003
+</TASK>
+Modules linked in:
+---[ end trace 0000000000000000 ]---
+RIP: 0010:skb_segment+0x181d/0x3f30 net/core/skbuff.c:4551
+Code: 83 e3 02 e9 fb ed ff ff e8 90 68 1c f9 48 8b 84 24 f8 00 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 8a 21 00 00 48 8b 84 24 f8 00
+RSP: 0018:ffffc900043473d0 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000010046 RCX: ffffffff886b1597
+RDX: 000000000000000e RSI: ffffffff886b2520 RDI: 0000000000000070
+RBP: ffffc90004347578 R08: 0000000000000005 R09: 000000000000ffff
+R10: 000000000000ffff R11: 0000000000000002 R12: ffff888063202ac0
+R13: 0000000000010000 R14: 000000000000ffff R15: 0000000000000046
+FS: 0000555556e7e380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000020010000 CR3: 0000000027ee2000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 3953c46c3ac7 ("sk_buff: allow segmenting based on frag sizes")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://lore.kernel.org/r/20231212164621.4131800-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 7090844af4991a..3dbefce8d14b7f 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4079,8 +4079,9 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb,
+ /* GSO partial only requires that we trim off any excess that
+ * doesn't fit into an MSS sized block, so take care of that
+ * now.
++ * Cap len to not accidentally hit GSO_BY_FRAGS.
+ */
+- partial_segs = len / mss;
++ partial_segs = min(len, GSO_BY_FRAGS - 1U) / mss;
+ if (partial_segs > 1)
+ mss *= partial_segs;
+ else
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52449.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52449.patch
new file mode 100644
index 000000000..ebae2414a
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52449.patch
@@ -0,0 +1,83 @@
+From 5389407bba1eab1266c6d83e226fb0840cb98dd5 Mon Sep 17 00:00:00 2001
+From: ZhaoLong Wang <wangzhaolong1@huawei.com>
+Date: Wed, 20 Dec 2023 10:46:19 +0800
+Subject: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ]
+
+If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
+triggers NULL pointer dereference when trying to access
+‘gluebi->desc’ in gluebi_read().
+
+ubi_gluebi_init
+ ubi_register_volume_notifier
+ ubi_enumerate_volumes
+ ubi_notify_all
+ gluebi_notify nb->notifier_call()
+ gluebi_create
+ mtd_device_register
+ mtd_device_parse_register
+ add_mtd_device
+ blktrans_notify_add not->add()
+ ftl_add_mtd tr->add_mtd()
+ scan_header
+ mtd_read
+ mtd_read_oob
+ mtd_read_oob_std
+ gluebi_read mtd->read()
+ gluebi->desc - NULL
+
+Detailed reproduction information available at the Link [1],
+
+In the normal case, obtain gluebi->desc in the gluebi_get_device(),
+and access gluebi->desc in the gluebi_read(). However,
+gluebi_get_device() is not executed in advance in the
+ftl_add_mtd() process, which leads to NULL pointer dereference.
+
+The solution for the gluebi module is to run jffs2 on the UBI
+volume without considering working with ftl or mtdblock [2].
+Therefore, this problem can be avoided by preventing gluebi from
+creating the mtdblock device after creating mtd partition of the
+type MTD_UBIVOLUME.
+
+Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1]
+Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2]
+Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Acked-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/mtd_blkdevs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
+index 60b222799871e8..8ee60605a6dcc3 100644
+--- a/drivers/mtd/mtd_blkdevs.c
++++ b/drivers/mtd/mtd_blkdevs.c
+@@ -463,7 +463,7 @@ static void blktrans_notify_add(struct mtd_info *mtd)
+ {
+ struct mtd_blktrans_ops *tr;
+
+- if (mtd->type == MTD_ABSENT)
++ if (mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME)
+ return;
+
+ list_for_each_entry(tr, &blktrans_majors, list)
+@@ -503,7 +503,7 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr)
+ mutex_lock(&mtd_table_mutex);
+ list_add(&tr->list, &blktrans_majors);
+ mtd_for_each_device(mtd)
+- if (mtd->type != MTD_ABSENT)
++ if (mtd->type != MTD_ABSENT && mtd->type != MTD_UBIVOLUME)
+ tr->add_mtd(tr, mtd);
+ mutex_unlock(&mtd_table_mutex);
+ return 0;
+--
+cgit 1.2.3-korg
+
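Review bot: The type filter is now spelled out twice, as `mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME` in blktrans_notify_add() and in negated form in register_mtd_blktrans(), and the two have to stay in agreement. A small static predicate used by both would keep them together, with a comment such as `/* gluebi volumes get no block translation layer: gluebi->desc is only set in gluebi_get_device() */`. Whether the removal notifier needs the same filter cannot be told from these hunks, since both functions continue outside them.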
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52458.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52458.patch
new file mode 100644
index 000000000..667131aa2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52458.patch
@@ -0,0 +1,67 @@
+From 8f6dfa1f1efe6dcca2d43e575491d8fcbe922f62 Mon Sep 17 00:00:00 2001
+From: Min Li <min15.li@samsung.com>
+Date: Thu, 29 Jun 2023 14:25:17 +0000
+Subject: [PATCH] block: add check that partition length needs to be aligned
+ with block size
+
+commit 6f64f866aa1ae6975c95d805ed51d7e9433a0016 upstream.
+
+Before calling add partition or resize partition, there is no check
+on whether the length is aligned with the logical block size.
+If the logical block size of the disk is larger than 512 bytes,
+then the partition size maybe not the multiple of the logical block size,
+and when the last sector is read, bio_truncate() will adjust the bio size,
+resulting in an IO error if the size of the read command is smaller than
+the logical block size.If integrity data is supported, this will also
+result in a null pointer dereference when calling bio_integrity_free.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Min Li <min15.li@samsung.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20230629142517.121241-1-min15.li@samsung.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Ashwin Dayanand Kamat <ashwin.kamat@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/ioctl.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/block/ioctl.c b/block/ioctl.c
+index eb0491e90b9a..7c7dd52e50c3 100644
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -18,7 +18,7 @@ static int blkpg_do_ioctl(struct block_device *bdev,
+ {
+ struct gendisk *disk = bdev->bd_disk;
+ struct blkpg_partition p;
+- long long start, length;
++ sector_t start, length;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+@@ -33,14 +33,17 @@ static int blkpg_do_ioctl(struct block_device *bdev,
+ if (op == BLKPG_DEL_PARTITION)
+ return bdev_del_partition(disk, p.pno);
+
++ if (p.start < 0 || p.length <= 0 || p.start + p.length < 0)
++ return -EINVAL;
++ /* Check that the partition is aligned to the block size */
++ if (!IS_ALIGNED(p.start | p.length, bdev_logical_block_size(bdev)))
++ return -EINVAL;
++
+ start = p.start >> SECTOR_SHIFT;
+ length = p.length >> SECTOR_SHIFT;
+
+ switch (op) {
+ case BLKPG_ADD_PARTITION:
+- /* check if partition is aligned to blocksize */
+- if (p.start & (bdev_logical_block_size(bdev) - 1))
+- return -EINVAL;
+ return bdev_add_partition(disk, p.pno, start, length);
+ case BLKPG_RESIZE_PARTITION:
+ return bdev_resize_partition(disk, p.pno, start, length);
+--
+2.25.1
+
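Review bot: The overflow guard `p.start + p.length < 0` in blkpg_do_ioctl() detects overflow by performing the very signed `long long` addition it is meant to rule out, so it is only reliable if the build gives signed arithmetic wrapping semantics, which this hunk does not show. The values in `p` presumably come from the ioctl argument (the copy is outside the hunk), so a form that cannot overflow is preferable: `if (p.start < 0 || p.length <= 0 || LLONG_MAX - p.length < p.start)`. Because `p.length` is already known to be positive when the third operand is evaluated, the subtraction itself cannot overflow. The function body continues outside the hunk.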
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52467.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52467.patch
new file mode 100644
index 000000000..4140fb2eb
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52467.patch
@@ -0,0 +1,38 @@
+From 927626a2073887ee30ba00633260d4d203f8e875 Mon Sep 17 00:00:00 2001
+From: Kunwu Chan <chentao@kylinos.cn>
+Date: Mon, 4 Dec 2023 17:24:43 +0800
+Subject: mfd: syscon: Fix null pointer dereference in of_syscon_register()
+
+[ Upstream commit 41673c66b3d0c09915698fec5c13b24336f18dd1 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure.
+
+Fixes: e15d7f2b81d2 ("mfd: syscon: Use a unique name with regmap_config")
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20231204092443.2462115-1-chentao@kylinos.cn
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/syscon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/mfd/syscon.c b/drivers/mfd/syscon.c
+index df5cebb372a592..60f74144a4f88e 100644
+--- a/drivers/mfd/syscon.c
++++ b/drivers/mfd/syscon.c
+@@ -103,6 +103,10 @@ static struct syscon *of_syscon_register(struct device_node *np, bool check_clk)
+
+ syscon_config.name = kasprintf(GFP_KERNEL, "%pOFn@%llx", np,
+ (u64)res.start);
++ if (!syscon_config.name) {
++ ret = -ENOMEM;
++ goto err_regmap;
++ }
+ syscon_config.reg_stride = reg_io_width;
+ syscon_config.val_bits = reg_io_width * 8;
+ syscon_config.max_register = resource_size(&res) - reg_io_width;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52522.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52522.patch
new file mode 100644
index 000000000..c89cd2ac5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52522.patch
@@ -0,0 +1,46 @@
+From 2ea52a2fb8e87067e26bbab4efb8872639240eb0 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 21 Sep 2023 08:46:26 +0000
+Subject: net: fix possible store tearing in neigh_periodic_work()
+
+[ Upstream commit 25563b581ba3a1f263a00e8c9a97f5e7363be6fd ]
+
+While looking at a related syzbot report involving neigh_periodic_work(),
+I found that I forgot to add an annotation when deleting an
+RCU protected item from a list.
+
+Readers use rcu_deference(*np), we need to use either
+rcu_assign_pointer() or WRITE_ONCE() on writer side
+to prevent store tearing.
+
+I use rcu_assign_pointer() to have lockdep support,
+this was the choice made in neigh_flush_dev().
+
+Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 3b642c412cf322..15267428c4f83d 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -935,7 +935,9 @@ static void neigh_periodic_work(struct work_struct *work)
+ if (refcount_read(&n->refcnt) == 1 &&
+ (state == NUD_FAILED ||
+ time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
+- *np = n->next;
++ rcu_assign_pointer(*np,
++ rcu_dereference_protected(n->next,
++ lockdep_is_held(&tbl->lock)));
+ neigh_mark_dead(n);
+ write_unlock(&n->lock);
+ neigh_cleanup_and_release(n);
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52580.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52580.patch
new file mode 100644
index 000000000..fcf344233
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52580.patch
@@ -0,0 +1,121 @@
+From 488ea2a3e2666022f79abfdd7d12e8305fc27a40 Mon Sep 17 00:00:00 2001
+From: Sasha Neftin <sasha.neftin@intel.com>
+Date: Wed, 13 Sep 2023 09:39:05 +0300
+Subject: net/core: Fix ETH_P_1588 flow dissector
+
+[ Upstream commit 75ad80ed88a182ab2ad5513e448cf07b403af5c3 ]
+
+When a PTP ethernet raw frame with a size of more than 256 bytes followed
+by a 0xff pattern is sent to __skb_flow_dissect, nhoff value calculation
+is wrong. For example: hdr->message_length takes the wrong value (0xffff)
+and it does not replicate real header length. In this case, 'nhoff' value
+was overridden and the PTP header was badly dissected. This leads to a
+kernel crash.
+
+net/core: flow_dissector
+net/core flow dissector nhoff = 0x0000000e
+net/core flow dissector hdr->message_length = 0x0000ffff
+net/core flow dissector nhoff = 0x0001000d (u16 overflow)
+...
+skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88
+skb frag: 00000000: f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Using the size of the ptp_header struct will allow the corrected
+calculation of the nhoff value.
+
+net/core flow dissector nhoff = 0x0000000e
+net/core flow dissector nhoff = 0x00000030 (sizeof ptp_header)
+...
+skb linear: 00000000: 00 a0 c9 00 00 00 00 a0 c9 00 00 00 88 f7 ff ff
+skb linear: 00000010: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+skb linear: 00000020: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+skb frag: 00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
+
+Kernel trace:
+[ 74.984279] ------------[ cut here ]------------
+[ 74.989471] kernel BUG at include/linux/skbuff.h:2440!
+[ 74.995237] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[ 75.001098] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G U 5.15.85-intel-ese-standard-lts #1
+[ 75.011629] Hardware name: Intel Corporation A-Island (CPU:AlderLake)/A-Island (ID:06), BIOS SB_ADLP.01.01.00.01.03.008.D-6A9D9E73-dirty Mar 30 2023
+[ 75.026507] RIP: 0010:eth_type_trans+0xd0/0x130
+[ 75.031594] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
+[ 75.052612] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
+[ 75.058473] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
+[ 75.066462] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
+[ 75.074458] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
+[ 75.082466] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
+[ 75.090461] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
+[ 75.098464] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
+[ 75.107530] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 75.113982] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
+[ 75.121980] PKRU: 55555554
+[ 75.125035] Call Trace:
+[ 75.127792] <IRQ>
+[ 75.130063] ? eth_get_headlen+0xa4/0xc0
+[ 75.134472] igc_process_skb_fields+0xcd/0x150
+[ 75.139461] igc_poll+0xc80/0x17b0
+[ 75.143272] __napi_poll+0x27/0x170
+[ 75.147192] net_rx_action+0x234/0x280
+[ 75.151409] __do_softirq+0xef/0x2f4
+[ 75.155424] irq_exit_rcu+0xc7/0x110
+[ 75.159432] common_interrupt+0xb8/0xd0
+[ 75.163748] </IRQ>
+[ 75.166112] <TASK>
+[ 75.168473] asm_common_interrupt+0x22/0x40
+[ 75.173175] RIP: 0010:cpuidle_enter_state+0xe2/0x350
+[ 75.178749] Code: 85 c0 0f 8f 04 02 00 00 31 ff e8 39 6c 67 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 50 02 00 00 31 ff e8 52 b0 6d ff fb 45 85 f6 <0f> 88 b1 00 00 00 49 63 ce 4c 2b 2c 24 48 89 c8 48 6b d1 68 48 c1
+[ 75.199757] RSP: 0018:ffff9948c013bea8 EFLAGS: 00000202
+[ 75.205614] RAX: ffff8e4e8fb00000 RBX: ffffb948bfd23900 RCX: 000000000000001f
+[ 75.213619] RDX: 0000000000000004 RSI: ffffffff94206161 RDI: ffffffff94212e20
+[ 75.221620] RBP: 0000000000000004 R08: 000000117568973a R09: 0000000000000001
+[ 75.229622] R10: 000000000000afc8 R11: ffff8e4e8fb29ce4 R12: ffffffff945ae980
+[ 75.237628] R13: 000000117568973a R14: 0000000000000004 R15: 0000000000000000
+[ 75.245635] ? cpuidle_enter_state+0xc7/0x350
+[ 75.250518] cpuidle_enter+0x29/0x40
+[ 75.254539] do_idle+0x1d9/0x260
+[ 75.258166] cpu_startup_entry+0x19/0x20
+[ 75.262582] secondary_startup_64_no_verify+0xc2/0xcb
+[ 75.268259] </TASK>
+[ 75.270721] Modules linked in: 8021q snd_sof_pci_intel_tgl snd_sof_intel_hda_common tpm_crb snd_soc_hdac_hda snd_sof_intel_hda snd_hda_ext_core snd_sof_pci snd_sof snd_sof_xtensa_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_soc_core snd_compress iTCO_wdt ac97_bus intel_pmc_bxt mei_hdcp iTCO_vendor_support snd_hda_codec_hdmi pmt_telemetry intel_pmc_core pmt_class snd_hda_intel x86_pkg_temp_thermal snd_intel_dspcfg snd_hda_codec snd_hda_core kvm_intel snd_pcm snd_timer kvm snd mei_me soundcore tpm_tis irqbypass i2c_i801 mei tpm_tis_core pcspkr intel_rapl_msr tpm i2c_smbus intel_pmt thermal sch_fq_codel uio uhid i915 drm_buddy video drm_display_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm fuse configfs
+[ 75.342736] ---[ end trace 3785f9f360400e3a ]---
+[ 75.347913] RIP: 0010:eth_type_trans+0xd0/0x130
+[ 75.352984] Code: 03 88 47 78 eb c7 8b 47 68 2b 47 6c 48 8b 97 c0 00 00 00 83 f8 01 7e 1b 48 85 d2 74 06 66 83 3a ff 74 09 b8 00 04 00 00 eb ab <0f> 0b b8 00 01 00 00 eb a2 48 85 ff 74 eb 48 8d 54 24 06 31 f6 b9
+[ 75.373994] RSP: 0018:ffff9948c0228de0 EFLAGS: 00010297
+[ 75.379860] RAX: 00000000000003f2 RBX: ffff8e47047dc300 RCX: 0000000000001003
+[ 75.387856] RDX: ffff8e4e8c9ea040 RSI: ffff8e4704e0a000 RDI: ffff8e47047dc300
+[ 75.395864] RBP: ffff8e4704e2acc0 R08: 00000000000003f3 R09: 0000000000000800
+[ 75.403857] R10: 000000000000000d R11: ffff9948c0228dec R12: ffff8e4715e4e010
+[ 75.411863] R13: ffff9948c0545018 R14: 0000000000000001 R15: 0000000000000800
+[ 75.419875] FS: 0000000000000000(0000) GS:ffff8e4e8fb00000(0000) knlGS:0000000000000000
+[ 75.428946] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 75.435403] CR2: 00007f5eb35934a0 CR3: 0000000150e0a002 CR4: 0000000000770ee0
+[ 75.443410] PKRU: 55555554
+[ 75.446477] Kernel panic - not syncing: Fatal exception in interrupt
+[ 75.453738] Kernel Offset: 0x11c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 75.465794] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
+
+Fixes: 4f1cc51f3488 ("net: flow_dissector: Parse PTP L2 packet header")
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/flow_dissector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
+index 3288490590f276..0c85c8a9e752f3 100644
+--- a/net/core/flow_dissector.c
++++ b/net/core/flow_dissector.c
+@@ -1366,7 +1366,7 @@ proto_again:
+ break;
+ }
+
+- nhoff += ntohs(hdr->message_length);
++ nhoff += sizeof(struct ptp_header);
+ fdret = FLOW_DISSECT_RET_OUT_GOOD;
+ break;
+ }
+--
+cgit 1.2.3-korg
+
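Review bot: The new `nhoff += sizeof(struct ptp_header);` in the ETH_P_1588 case carries no comment saying why the on-wire `message_length` is deliberately ignored, so a later reader could be tempted to restore it. The commit message shows the field is taken from the frame (0xffff in the trace) and drove nhoff past what the dissector can represent. I would add above the line: `/* message_length comes from the packet and cannot be trusted; step over the fixed header only */`. The case block starts outside the hunk.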
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch
new file mode 100644
index 000000000..2c417d22e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch
@@ -0,0 +1,68 @@
+From 0671f42a9c1084db10d68ac347d08dbf6689ecb3 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 30 Nov 2023 18:56:00 +0100
+Subject: KVM: s390: fix setting of fpc register
+
+[ Upstream commit b988b1bb0053c0dcd26187d29ef07566a565cf55 ]
+
+kvm_arch_vcpu_ioctl_set_fpu() allows to set the floating point control
+(fpc) register of a guest cpu. The new value is tested for validity by
+temporarily loading it into the fpc register.
+
+This may lead to corruption of the fpc register of the host process:
+if an interrupt happens while the value is temporarily loaded into the fpc
+register, and within interrupt context floating point or vector registers
+are used, the current fp/vx registers are saved with save_fpu_regs()
+assuming they belong to user space and will be loaded into fp/vx registers
+when returning to user space.
+
+test_fp_ctl() restores the original user space / host process fpc register
+value, however it will be discarded, when returning to user space.
+
+In result the host process will incorrectly continue to run with the value
+that was supposed to be used for a guest cpu.
+
+Fix this by simply removing the test. There is another test right before
+the SIE context is entered which will handles invalid values.
+
+This results in a change of behaviour: invalid values will now be accepted
+instead of that the ioctl fails with -EINVAL. This seems to be acceptable,
+given that this interface is most likely not used anymore, and this is in
+addition the same behaviour implemented with the memory mapped interface
+(replace invalid values with zero) - see sync_regs() in kvm-s390.c.
+
+Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/kvm-s390.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 3775363471f0c6..f604946ab2c85e 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -4138,10 +4138,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+
+ vcpu_load(vcpu);
+
+- if (test_fp_ctl(fpu->fpc)) {
+- ret = -EINVAL;
+- goto out;
+- }
+ vcpu->run->s.regs.fpc = fpu->fpc;
+ if (MACHINE_HAS_VX)
+ convert_fp_to_vx((__vector128 *) vcpu->run->s.regs.vrs,
+@@ -4149,7 +4145,6 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
+ else
+ memcpy(vcpu->run->s.regs.fprs, &fpu->fprs, sizeof(fpu->fprs));
+
+-out:
+ vcpu_put(vcpu);
+ return ret;
+ }
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52598.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52598.patch
new file mode 100644
index 000000000..02c7ab205
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52598.patch
@@ -0,0 +1,69 @@
+From 02c6bbfb08bad78dd014e24c7b893723c15ec7a1 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Thu, 30 Nov 2023 18:55:59 +0100
+Subject: s390/ptrace: handle setting of fpc register correctly
+
+[ Upstream commit 8b13601d19c541158a6e18b278c00ba69ae37829 ]
+
+If the content of the floating point control (fpc) register of a traced
+process is modified with the ptrace interface the new value is tested for
+validity by temporarily loading it into the fpc register.
+
+This may lead to corruption of the fpc register of the tracing process:
+if an interrupt happens while the value is temporarily loaded into the
+fpc register, and within interrupt context floating point or vector
+registers are used, the current fp/vx registers are saved with
+save_fpu_regs() assuming they belong to user space and will be loaded into
+fp/vx registers when returning to user space.
+
+test_fp_ctl() restores the original user space fpc register value, however
+it will be discarded, when returning to user space.
+
+In result the tracer will incorrectly continue to run with the value that
+was supposed to be used for the traced process.
+
+Fix this by saving fpu register contents with save_fpu_regs() before using
+test_fp_ctl().
+
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/ptrace.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index ea244a73efad9d..512b8147375935 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -385,6 +385,7 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ /*
+ * floating point control reg. is in the thread structure
+ */
++ save_fpu_regs();
+ if ((unsigned int) data != 0 ||
+ test_fp_ctl(data >> (BITS_PER_LONG - 32)))
+ return -EINVAL;
+@@ -741,6 +742,7 @@ static int __poke_user_compat(struct task_struct *child,
+ /*
+ * floating point control reg. is in the thread structure
+ */
++ save_fpu_regs();
+ if (test_fp_ctl(tmp))
+ return -EINVAL;
+ child->thread.fpu.fpc = data;
+@@ -904,9 +906,7 @@ static int s390_fpregs_set(struct task_struct *target,
+ int rc = 0;
+ freg_t fprs[__NUM_FPRS];
+
+- if (target == current)
+- save_fpu_regs();
+-
++ save_fpu_regs();
+ if (MACHINE_HAS_VX)
+ convert_vx_to_fp(fprs, target->thread.fpu.vxrs);
+ else
+--
+cgit 1.2.3-korg
+
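Review bot: In s390_fpregs_set() the `if (target == current)` guard around `save_fpu_regs()` is removed without a comment, which reads like a mistake to anyone who expects the save to matter only when the target is the current task. According to the commit message, test_fp_ctl() temporarily loads the candidate value into the live fpc register of the tracer, so the tracer's own FPU state has to be saved first whatever the target is. A short comment at each of the three call sites would record that, for example `/* test_fp_ctl() loads into the live fpc; save current's FPU state first */`. The test_fp_ctl() call in s390_fpregs_set() lies outside the hunk, so its position relative to the save is assumed from the commit message.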
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch
new file mode 100644
index 000000000..65fc76942
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch
@@ -0,0 +1,55 @@
+From 1142d65c5b881590962ad763f94505b6dd67d2fe Mon Sep 17 00:00:00 2001
+From: Chengming Zhou <zhouchengming@bytedance.com>
+Date: Wed, 27 Dec 2023 09:35:23 +0000
+Subject: crypto: scomp - fix req->dst buffer overflow
+
+[ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ]
+
+The req->dst buffer size should be checked before copying from the
+scomp_scratch->dst to avoid req->dst buffer overflow problem.
+
+Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface")
+Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/
+Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
+Reviewed-by: Barry Song <v-songbaohua@oppo.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/scompress.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/scompress.c b/crypto/scompress.c
+index 3702f1648ea8c9..34174f55a6d6ed 100644
+--- a/crypto/scompress.c
++++ b/crypto/scompress.c
+@@ -132,6 +132,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ struct crypto_scomp *scomp = *tfm_ctx;
+ void **ctx = acomp_request_ctx(req);
+ struct scomp_scratch *scratch;
++ unsigned int dlen;
+ int ret;
+
+ if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE)
+@@ -143,6 +144,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE)
+ req->dlen = SCOMP_SCRATCH_SIZE;
+
++ dlen = req->dlen;
++
+ scratch = raw_cpu_ptr(&scomp_scratch);
+ spin_lock(&scratch->lock);
+
+@@ -160,6 +163,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
+ ret = -ENOMEM;
+ goto out;
+ }
++ } else if (req->dlen > dlen) {
++ ret = -ENOSPC;
++ goto out;
+ }
+ scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen,
+ 1);
+--
+cgit 1.2.3-korg
+
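Review bot: The snapshot `dlen = req->dlen;` in scomp_acomp_comp_decomp() is taken after the preceding lines have replaced a zero or oversized `req->dlen` with SCOMP_SCRATCH_SIZE, so the later `req->dlen > dlen` test compares against the clamped value, not the capacity the caller passed. For a caller-supplied `req->dst` with a `dlen` of zero the bound would therefore be SCOMP_SCRATCH_SIZE, unless that combination is rejected earlier in the function, which these hunks do not show and should be confirmed. The variable also has no comment; I would add at the assignment `/* capacity of req->dst; req->dlen is overwritten with the produced length below */`, hedged on the compress/decompress call that sits between the hunks.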
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52615.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52615.patch
new file mode 100644
index 000000000..9cb2c119c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52615.patch
@@ -0,0 +1,120 @@
+From 26cc6d7006f922df6cc4389248032d955750b2a0 Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Sat, 2 Dec 2023 09:01:54 +0800
+Subject: hwrng: core - Fix page fault dead lock on mmap-ed hwrng
+
+commit 78aafb3884f6bc6636efcc1760c891c8500b9922 upstream.
+
+There is a dead-lock in the hwrng device read path. This triggers
+when the user reads from /dev/hwrng into memory also mmap-ed from
+/dev/hwrng. The resulting page fault triggers a recursive read
+which then dead-locks.
+
+Fix this by using a stack buffer when calling copy_to_user.
+
+Reported-by: Edward Adam Davis <eadavis@qq.com>
+Reported-by: syzbot+c52ab18308964d248092@syzkaller.appspotmail.com
+Fixes: 9996508b3353 ("hwrng: core - Replace u32 in driver API with byte array")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/core.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
+index cfb085de876b70..c3a2df67e0e997 100644
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -24,10 +24,13 @@
+ #include <linux/random.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
++#include <linux/string.h>
+ #include <linux/uaccess.h>
+
+ #define RNG_MODULE_NAME "hw_random"
+
++#define RNG_BUFFER_SIZE (SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES)
++
+ static struct hwrng *current_rng;
+ /* the current rng has been explicitly chosen by user via sysfs */
+ static int cur_rng_set_by_user;
+@@ -59,7 +62,7 @@ static inline int rng_get_data(struct hwrng *rng, u8 *buffer, size_t size,
+
+ static size_t rng_buffer_size(void)
+ {
+- return SMP_CACHE_BYTES < 32 ? 32 : SMP_CACHE_BYTES;
++ return RNG_BUFFER_SIZE;
+ }
+
+ static void add_early_randomness(struct hwrng *rng)
+@@ -206,6 +209,7 @@ static inline int rng_get_data(struct hwrng *rng, u8 *buffer, size_t size,
+ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
+ size_t size, loff_t *offp)
+ {
++ u8 buffer[RNG_BUFFER_SIZE];
+ ssize_t ret = 0;
+ int err = 0;
+ int bytes_read, len;
+@@ -233,34 +237,37 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
+ if (bytes_read < 0) {
+ err = bytes_read;
+ goto out_unlock_reading;
++ } else if (bytes_read == 0 &&
++ (filp->f_flags & O_NONBLOCK)) {
++ err = -EAGAIN;
++ goto out_unlock_reading;
+ }
++
+ data_avail = bytes_read;
+ }
+
+- if (!data_avail) {
+- if (filp->f_flags & O_NONBLOCK) {
+- err = -EAGAIN;
+- goto out_unlock_reading;
+- }
+- } else {
+- len = data_avail;
++ len = data_avail;
++ if (len) {
+ if (len > size)
+ len = size;
+
+ data_avail -= len;
+
+- if (copy_to_user(buf + ret, rng_buffer + data_avail,
+- len)) {
++ memcpy(buffer, rng_buffer + data_avail, len);
++ }
++ mutex_unlock(&reading_mutex);
++ put_rng(rng);
++
++ if (len) {
++ if (copy_to_user(buf + ret, buffer, len)) {
+ err = -EFAULT;
+- goto out_unlock_reading;
++ goto out;
+ }
+
+ size -= len;
+ ret += len;
+ }
+
+- mutex_unlock(&reading_mutex);
+- put_rng(rng);
+
+ if (need_resched())
+ schedule_timeout_interruptible(1);
+@@ -271,6 +278,7 @@ static ssize_t rng_dev_read(struct file *filp, char __user *buf,
+ }
+ }
+ out:
++ memzero_explicit(buffer, sizeof(buffer));
+ return ret ? : err;
+
+ out_unlock_reading:
+--
+cgit 1.2.3-korg
+
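Review bot: The `memcpy(buffer, rng_buffer + data_avail, len)` into the new on-stack `buffer[RNG_BUFFER_SIZE]` in rng_dev_read() is bounded only by `data_avail`, that is, by the byte count rng_get_data() reported, so it relies on that helper never returning more than the rng_buffer_size() it was asked for (the call is outside the hunk). With the staging buffer on the stack, a count larger than that would overrun the stack frame, so if the invariant is not enforced elsewhere a clamp is cheap: `if (len > (int)sizeof(buffer)) len = sizeof(buffer);`. Separately, the reason for the staging copy deserves a comment at the unlock, e.g. `/* copy_to_user() can fault on memory mmap-ed from /dev/hwrng and re-enter this path; call it without reading_mutex */`.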
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52619.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52619.patch
new file mode 100644
index 000000000..647e66a9a
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52619.patch
@@ -0,0 +1,45 @@
+From 0593cfd321df9001142a9d2c58d4144917dff7ee Mon Sep 17 00:00:00 2001
+From: Weichen Chen <weichen.chen@mediatek.com>
+Date: Fri, 24 Feb 2023 10:36:32 +0800
+Subject: pstore/ram: Fix crash when setting number of cpus to an odd number
+
+[ Upstream commit d49270a04623ce3c0afddbf3e984cb245aa48e9c ]
+
+When the number of cpu cores is adjusted to 7 or other odd numbers,
+the zone size will become an odd number.
+The address of the zone will become:
+ addr of zone0 = BASE
+ addr of zone1 = BASE + zone_size
+ addr of zone2 = BASE + zone_size*2
+ ...
+The address of zone1/3/5/7 will be mapped to non-alignment va.
+Eventually crashes will occur when accessing these va.
+
+So, use ALIGN_DOWN() to make sure the zone size is even
+to avoid this bug.
+
+Signed-off-by: Weichen Chen <weichen.chen@mediatek.com>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Tested-by: "Guilherme G. Piccoli" <gpiccoli@igalia.com>
+Link: https://lore.kernel.org/r/20230224023632.6840-1-weichen.chen@mediatek.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pstore/ram.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
+index d36702c7ab3c43..88b34fdbf7592f 100644
+--- a/fs/pstore/ram.c
++++ b/fs/pstore/ram.c
+@@ -529,6 +529,7 @@ static int ramoops_init_przs(const char *name,
+ }
+
+ zone_sz = mem_sz / *cnt;
++ zone_sz = ALIGN_DOWN(zone_sz, 2);
+ if (!zone_sz) {
+ dev_err(dev, "%s zone size == 0\n", name);
+ goto fail;
+--
+cgit 1.2.3-korg
+
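Review bot: The added `zone_sz = ALIGN_DOWN(zone_sz, 2);` in ramoops_init_przs() only makes the zone size even, and nothing on the line says which alignment the zone accessors actually need. The commit message attributes the crash to zones mapped at unaligned addresses; if those accesses are wider than two bytes (the code that touches the zones is outside the hunk), an even size could still leave some zones misaligned for them, so the value 2 should be confirmed against the accessors. I would at least record the intent: `/* zones start at BASE + n * zone_sz; keep zone_sz even so no zone starts on an odd address */`.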
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52622.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52622.patch
new file mode 100644
index 000000000..9f16384b9
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52622.patch
@@ -0,0 +1,131 @@
+From b183fe8702e78bba3dcef8e7193cab6898abee07 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Mon, 23 Oct 2023 09:30:56 +0800
+Subject: ext4: avoid online resizing failures due to oversized flex bg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 5d1935ac02ca5aee364a449a35e2977ea84509b0 ]
+
+When we online resize an ext4 filesystem with a oversized flexbg_size,
+
+ mkfs.ext4 -F -G 67108864 $dev -b 4096 100M
+ mount $dev $dir
+ resize2fs $dev 16G
+
+the following WARN_ON is triggered:
+==================================================================
+WARNING: CPU: 0 PID: 427 at mm/page_alloc.c:4402 __alloc_pages+0x411/0x550
+Modules linked in: sg(E)
+CPU: 0 PID: 427 Comm: resize2fs Tainted: G E 6.6.0-rc5+ #314
+RIP: 0010:__alloc_pages+0x411/0x550
+Call Trace:
+ <TASK>
+ __kmalloc_large_node+0xa2/0x200
+ __kmalloc+0x16e/0x290
+ ext4_resize_fs+0x481/0xd80
+ __ext4_ioctl+0x1616/0x1d90
+ ext4_ioctl+0x12/0x20
+ __x64_sys_ioctl+0xf0/0x150
+ do_syscall_64+0x3b/0x90
+==================================================================
+
+This is because flexbg_size is too large and the size of the new_group_data
+array to be allocated exceeds MAX_ORDER. Currently, the minimum value of
+MAX_ORDER is 8, the minimum value of PAGE_SIZE is 4096, the corresponding
+maximum number of groups that can be allocated is:
+
+ (PAGE_SIZE << MAX_ORDER) / sizeof(struct ext4_new_group_data) ≈ 21845
+
+And the value that is down-aligned to the power of 2 is 16384. Therefore,
+this value is defined as MAX_RESIZE_BG, and the number of groups added
+each time does not exceed this value during resizing, and is added multiple
+times to complete the online resizing. The difference is that the metadata
+in a flex_bg may be more dispersed.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20231023013057.2117948-4-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/resize.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
+index b63cb88ccdae..355acc064a14 100644
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -217,10 +217,16 @@ struct ext4_new_flex_group_data {
+ in the flex group */
+ __u16 *bg_flags; /* block group flags of groups
+ in @groups */
++ ext4_group_t resize_bg; /* number of allocated
++ new_group_data */
+ ext4_group_t count; /* number of groups in @groups
+ */
+ };
+
++/*
++ * Avoiding memory allocation failures due to too many groups added each time.
++ */
++#define MAX_RESIZE_BG 16384
+ /*
+ * alloc_flex_gd() allocates a ext4_new_flex_group_data with size of
+ * @flexbg_size.
+@@ -237,15 +243,18 @@ static struct ext4_new_flex_group_data *alloc_flex_gd(unsigned long flexbg_size)
+
+ if (flexbg_size >= UINT_MAX / sizeof(struct ext4_new_group_data))
+ goto out2;
+- flex_gd->count = flexbg_size;
++ if (unlikely(flexbg_size > MAX_RESIZE_BG))
++ flex_gd->resize_bg = MAX_RESIZE_BG;
++ else
++ flex_gd->resize_bg = flexbg_size;
+
+- flex_gd->groups = kmalloc_array(flexbg_size,
+- sizeof(struct ext4_new_group_data),
+- GFP_NOFS);
++ flex_gd->groups = kmalloc_array(flex_gd->resize_bg,
++ sizeof(struct ext4_new_group_data),
++ GFP_NOFS);
+ if (flex_gd->groups == NULL)
+ goto out2;
+
+- flex_gd->bg_flags = kmalloc_array(flexbg_size, sizeof(__u16),
++ flex_gd->bg_flags = kmalloc_array(flex_gd->resize_bg, sizeof(__u16),
+ GFP_NOFS);
+ if (flex_gd->bg_flags == NULL)
+ goto out1;
+@@ -1566,8 +1575,7 @@ static int ext4_flex_group_add(struct super_block *sb,
+
+ static int ext4_setup_next_flex_gd(struct super_block *sb,
+ struct ext4_new_flex_group_data *flex_gd,
+- ext4_fsblk_t n_blocks_count,
+- unsigned long flexbg_size)
++ ext4_fsblk_t n_blocks_count)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct ext4_super_block *es = sbi->s_es;
+@@ -1591,7 +1599,7 @@ static int ext4_setup_next_flex_gd(struct super_block *sb,
+ BUG_ON(last);
+ ext4_get_group_no_and_offset(sb, n_blocks_count - 1, &n_group, &last);
+
+- last_group = group | (flexbg_size - 1);
++ last_group = group | (flex_gd->resize_bg - 1);
+ if (last_group > n_group)
+ last_group = n_group;
+
+@@ -2087,8 +2095,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count)
+ /* Add flex groups. Note that a regular group is a
+ * flex group with 1 group.
+ */
+- while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count,
+- flexbg_size)) {
++ while (ext4_setup_next_flex_gd(sb, flex_gd, n_blocks_count)) {
+ if (jiffies - last_update_time > HZ * 10) {
+ if (last_update_time)
+ ext4_msg(sb, KERN_INFO,
+cgit 1.2.3-korg
+
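Review bot: `last_group = group | (flex_gd->resize_bg - 1);` in ext4_setup_next_flex_gd() uses resize_bg as a bit mask, so it is only correct while resize_bg is a power of two, and the new `MAX_RESIZE_BG` definition does not state that requirement. 16384 satisfies it today and flexbg_size is presumably a power of two as before, but a later edit of the cap to, say, the 21845 computed in the commit message would silently produce wrong group ranges. I would extend the comment above the define: `/* Must be a power of two: resize_bg - 1 is used as a group mask. */`. As a smaller style point, that comment would read better as "Avoid memory allocation failures ...", and a blank line after the define would separate it from the alloc_flex_gd() comment.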
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0562.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0562.patch
new file mode 100644
index 000000000..600b764f6
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0562.patch
@@ -0,0 +1,143 @@
+From f87904c075515f3e1d8f4a7115869d3b914674fd Mon Sep 17 00:00:00 2001
+From: Khazhismel Kumykov <khazhy@chromium.org>
+Date: Mon, 1 Aug 2022 08:50:34 -0700
+Subject: writeback: avoid use-after-free after removing device
+
+When a disk is removed, bdi_unregister gets called to stop further
+writeback and wait for associated delayed work to complete. However,
+wb_inode_writeback_end() may schedule bandwidth estimation dwork after
+this has completed, which can result in the timer attempting to access the
+just freed bdi_writeback.
+
+Fix this by checking if the bdi_writeback is alive, similar to when
+scheduling writeback work.
+
+Since this requires wb->work_lock, and wb_inode_writeback_end() may get
+called from interrupt, switch wb->work_lock to an irqsafe lock.
+
+Link: https://lkml.kernel.org/r/20220801155034.3772543-1-khazhy@google.com
+Fixes: 45a2966fd641 ("writeback: fix bandwidth estimate for spiky workload")
+Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Michael Stapelberg <stapelberg+linux@google.com>
+Cc: Wu Fengguang <fengguang.wu@intel.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ fs/fs-writeback.c | 12 ++++++------
+ mm/backing-dev.c | 10 +++++-----
+ mm/page-writeback.c | 6 +++++-
+ 3 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
+index 05221366a16dc9..08a1993ab7fd39 100644
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -134,10 +134,10 @@ static bool inode_io_list_move_locked(struct inode *inode,
+
+ static void wb_wakeup(struct bdi_writeback *wb)
+ {
+- spin_lock_bh(&wb->work_lock);
++ spin_lock_irq(&wb->work_lock);
+ if (test_bit(WB_registered, &wb->state))
+ mod_delayed_work(bdi_wq, &wb->dwork, 0);
+- spin_unlock_bh(&wb->work_lock);
++ spin_unlock_irq(&wb->work_lock);
+ }
+
+ static void finish_writeback_work(struct bdi_writeback *wb,
+@@ -164,7 +164,7 @@ static void wb_queue_work(struct bdi_writeback *wb,
+ if (work->done)
+ atomic_inc(&work->done->cnt);
+
+- spin_lock_bh(&wb->work_lock);
++ spin_lock_irq(&wb->work_lock);
+
+ if (test_bit(WB_registered, &wb->state)) {
+ list_add_tail(&work->list, &wb->work_list);
+@@ -172,7 +172,7 @@ static void wb_queue_work(struct bdi_writeback *wb,
+ } else
+ finish_writeback_work(wb, work);
+
+- spin_unlock_bh(&wb->work_lock);
++ spin_unlock_irq(&wb->work_lock);
+ }
+
+ /**
+@@ -2082,13 +2082,13 @@ static struct wb_writeback_work *get_next_work_item(struct bdi_writeback *wb)
+ {
+ struct wb_writeback_work *work = NULL;
+
+- spin_lock_bh(&wb->work_lock);
++ spin_lock_irq(&wb->work_lock);
+ if (!list_empty(&wb->work_list)) {
+ work = list_entry(wb->work_list.next,
+ struct wb_writeback_work, list);
+ list_del_init(&work->list);
+ }
+- spin_unlock_bh(&wb->work_lock);
++ spin_unlock_irq(&wb->work_lock);
+ return work;
+ }
+
+diff --git a/mm/backing-dev.c b/mm/backing-dev.c
+index 95550b8fa7fe2e..de65cb1e5f7611 100644
+--- a/mm/backing-dev.c
++++ b/mm/backing-dev.c
+@@ -260,10 +260,10 @@ void wb_wakeup_delayed(struct bdi_writeback *wb)
+ unsigned long timeout;
+
+ timeout = msecs_to_jiffies(dirty_writeback_interval * 10);
+- spin_lock_bh(&wb->work_lock);
++ spin_lock_irq(&wb->work_lock);
+ if (test_bit(WB_registered, &wb->state))
+ queue_delayed_work(bdi_wq, &wb->dwork, timeout);
+- spin_unlock_bh(&wb->work_lock);
++ spin_unlock_irq(&wb->work_lock);
+ }
+
+ static void wb_update_bandwidth_workfn(struct work_struct *work)
+@@ -334,12 +334,12 @@ static void cgwb_remove_from_bdi_list(struct bdi_writeback *wb);
+ static void wb_shutdown(struct bdi_writeback *wb)
+ {
+ /* Make sure nobody queues further work */
+- spin_lock_bh(&wb->work_lock);
++ spin_lock_irq(&wb->work_lock);
+ if (!test_and_clear_bit(WB_registered, &wb->state)) {
+- spin_unlock_bh(&wb->work_lock);
++ spin_unlock_irq(&wb->work_lock);
+ return;
+ }
+- spin_unlock_bh(&wb->work_lock);
++ spin_unlock_irq(&wb->work_lock);
+
+ cgwb_remove_from_bdi_list(wb);
+ /*
+diff --git a/mm/page-writeback.c b/mm/page-writeback.c
+index d0d466a5c804ca..032a7bf8d25930 100644
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -2892,6 +2892,7 @@ static void wb_inode_writeback_start(struct bdi_writeback *wb)
+
+ static void wb_inode_writeback_end(struct bdi_writeback *wb)
+ {
++ unsigned long flags;
+ atomic_dec(&wb->writeback_inodes);
+ /*
+ * Make sure estimate of writeback throughput gets updated after
+@@ -2900,7 +2901,10 @@ static void wb_inode_writeback_end(struct bdi_writeback *wb)
+ * that if multiple inodes end writeback at a similar time, they get
+ * batched into one bandwidth update.
+ */
+- queue_delayed_work(bdi_wq, &wb->bw_dwork, BANDWIDTH_INTERVAL);
++ spin_lock_irqsave(&wb->work_lock, flags);
++ if (test_bit(WB_registered, &wb->state))
++ queue_delayed_work(bdi_wq, &wb->bw_dwork, BANDWIDTH_INTERVAL);
++ spin_unlock_irqrestore(&wb->work_lock, flags);
+ }
+
+ int test_clear_page_writeback(struct page *page)
+--
+cgit 1.2.3-korg
+
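Review bot: The patch header (From/Date/Subject down to the `---` line) has no `Upstream-Status:` or `CVE:` tag, so only the file name ties upstream commit f87904c075515f3e1d8f4a7115869d3b914674fd to CVE-2024-0562. The usual OpenEmbedded convention is to add `CVE: CVE-2024-0562` and `Upstream-Status: Backport [<upstream commit URL>]` above the `---`. This lets a later audit or kernel rebase tell which fixes are carried locally and where they came from. The same gap is present in the other patch files this commit adds: CVE-2024-0639, CVE-2024-0775, CVE-2024-26001, CVE-2024-26602, CVE-2024-26631, CVE-2024-26671, CVE-2024-26676 and CVE-2024-26679.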
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0639.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0639.patch
new file mode 100644
index 000000000..86e3532c5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0639.patch
@@ -0,0 +1,52 @@
+From 6feb37b3b06e9049e20dcf7e23998f92c9c5be9a Mon Sep 17 00:00:00 2001
+From: Chengfeng Ye <dg573847474@gmail.com>
+Date: Tue, 27 Jun 2023 12:03:40 +0000
+Subject: sctp: fix potential deadlock on &net->sctp.addr_wq_lock
+
+As &net->sctp.addr_wq_lock is also acquired by the timer
+sctp_addr_wq_timeout_handler() in protocal.c, the same lock acquisition
+at sctp_auto_asconf_init() seems should disable irq since it is called
+from sctp_accept() under process context.
+
+Possible deadlock scenario:
+sctp_accept()
+ -> sctp_sock_migrate()
+ -> sctp_auto_asconf_init()
+ -> spin_lock(&net->sctp.addr_wq_lock)
+ <timer interrupt>
+ -> sctp_addr_wq_timeout_handler()
+ -> spin_lock_bh(&net->sctp.addr_wq_lock); (deadlock here)
+
+This flaw was found using an experimental static analysis tool we are
+developing for irq-related deadlock.
+
+The tentative patch fix the potential deadlock by spin_lock_bh().
+
+Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
+Fixes: 34e5b0118685 ("sctp: delay auto_asconf init until binding the first addr")
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://lore.kernel.org/r/20230627120340.19432-1-dg573847474@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+---
+ net/sctp/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 6554a357fe33f1..9388d98aebc033 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -364,9 +364,9 @@ static void sctp_auto_asconf_init(struct sctp_sock *sp)
+ struct net *net = sock_net(&sp->inet.sk);
+
+ if (net->sctp.default_auto_asconf) {
+- spin_lock(&net->sctp.addr_wq_lock);
++ spin_lock_bh(&net->sctp.addr_wq_lock);
+ list_add_tail(&sp->auto_asconf_list, &net->sctp.auto_asconf_splist);
+- spin_unlock(&net->sctp.addr_wq_lock);
++ spin_unlock_bh(&net->sctp.addr_wq_lock);
+ sp->do_auto_asconf = 1;
+ }
+ }
+--
+cgit 1.2.3-korg
+
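Review bot: The change to `spin_lock_bh()` in sctp_auto_asconf_init() has no in-code explanation, so the reason this acquisition must keep bottom halves disabled is recorded only in the commit message. A one-line comment above the lock would stop a later cleanup from reverting it to a plain `spin_lock()`: `/* addr_wq_lock is also taken by the sctp_addr_wq_timeout_handler() timer; BHs must stay off here */`. The function body is fully visible in the hunk, and the list insertion is the only statement under the lock.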
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0775.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0775.patch
new file mode 100644
index 000000000..82b48fa97
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0775.patch
@@ -0,0 +1,62 @@
+From 4c0b4818b1f636bc96359f7817a2d8bab6370162 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 5 May 2023 22:20:29 -0400
+Subject: ext4: improve error recovery code paths in __ext4_remount()
+
+If there are failures while changing the mount options in
+__ext4_remount(), we need to restore the old mount options.
+
+This commit fixes two problem. The first is there is a chance that we
+will free the old quota file names before a potential failure leading
+to a use-after-free. The second problem addressed in this commit is
+if there is a failed read/write to read-only transition, if the quota
+has already been suspended, we need to renable quota handling.
+
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/r/20230506142419.984260-2-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+---
+ fs/ext4/super.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index c7bc4a2709cc25..bc0b4a98b337ec 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -6617,9 +6617,6 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+ }
+
+ #ifdef CONFIG_QUOTA
+- /* Release old quota file names */
+- for (i = 0; i < EXT4_MAXQUOTAS; i++)
+- kfree(old_opts.s_qf_names[i]);
+ if (enable_quota) {
+ if (sb_any_quota_suspended(sb))
+ dquot_resume(sb, -1);
+@@ -6629,6 +6626,9 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+ goto restore_opts;
+ }
+ }
++ /* Release old quota file names */
++ for (i = 0; i < EXT4_MAXQUOTAS; i++)
++ kfree(old_opts.s_qf_names[i]);
+ #endif
+ if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks)
+ ext4_release_system_zone(sb);
+@@ -6642,6 +6642,13 @@ static int __ext4_remount(struct fs_context *fc, struct super_block *sb)
+ return 0;
+
+ restore_opts:
++ /*
++ * If there was a failing r/w to ro transition, we may need to
++ * re-enable quota
++ */
++ if ((sb->s_flags & SB_RDONLY) && !(old_sb_flags & SB_RDONLY) &&
++ sb_any_quota_suspended(sb))
++ dquot_resume(sb, -1);
+ sb->s_flags = old_sb_flags;
+ sbi->s_mount_opt = old_opts.s_mount_opt;
+ sbi->s_mount_opt2 = old_opts.s_mount_opt2;
+--
+cgit 1.2.3-korg
+
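Review bot: The use-after-free fix in __ext4_remount() holds only if nothing after the relocated `kfree(old_opts.s_qf_names[i])` loop can still jump to `restore_opts`, which presumably puts the old option set, including those names, back in place. The lines between `ext4_release_system_zone(sb)` and `return 0` fall between two hunks and are not visible here. Check in the linux-aspeed tree that this stretch contains no `goto restore_opts`. The new `dquot_resume(sb, -1)` on the error path also discards its return value, so a failed resume would leave quotas suspended without any log line. The rest of `restore_opts` continues outside the hunk.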
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26001.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26001.patch
new file mode 100644
index 000000000..7978b435f
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26001.patch
@@ -0,0 +1,67 @@
+From c1317822e2de80e78f137d3a2d99febab1b80326 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 4 Jan 2024 22:20:35 +0800
+Subject:ext4: regenerate buddy after block freeing failed if under fc
+ replay
+
+commit c9b528c35795b711331ed36dc3dbee90d5812d4e upstream.
+
+This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant
+mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on
+code in mb_free_blocks(), fast commit replay can end up marking as free
+blocks that are already marked as such. This causes corruption of the
+buddy bitmap so we need to regenerate it in that case.
+
+Reported-by: Jan Kara <jack@suse.cz>
+Fixes: 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-4-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index e436acb8f0cc..c3d76f2e59d2 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1160,6 +1160,24 @@ void ext4_mb_generate_buddy(struct super_block *sb,
+ mb_update_avg_fragment_size(sb, grp);
+ }
+
++static void mb_regenerate_buddy(struct ext4_buddy *e4b)
++{
++ int count;
++ int order = 1;
++ void *buddy;
++
++ while ((buddy = mb_find_buddy(e4b, order++, &count)))
++ ext4_set_bits(buddy, 0, count);
++
++ e4b->bd_info->bb_fragments = 0;
++ memset(e4b->bd_info->bb_counters, 0,
++ sizeof(*e4b->bd_info->bb_counters) *
++ (e4b->bd_sb->s_blocksize_bits + 2));
++
++ ext4_mb_generate_buddy(e4b->bd_sb, e4b->bd_buddy,
++ e4b->bd_bitmap, e4b->bd_group);
++}
++
+ /* The buddy information is attached the buddy cache inode
+ * for convenience. The information regarding each group
+ * is loaded via ext4_mb_load_buddy. The information involve
+@@ -1827,6 +1845,8 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b,
+ ext4_mark_group_bitmap_corrupted(
+ sb, e4b->bd_group,
+ EXT4_GROUP_INFO_BBITMAP_CORRUPT);
++ } else {
++ mb_regenerate_buddy(e4b);
+ }
+ goto done;
+ }
+--
+2.25.1
+
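Review bot: mb_regenerate_buddy() is added without a comment stating its preconditions, even though it rewrites the buddy bitmap in place and zeroes `s_blocksize_bits + 2` entries of `bb_counters`. Neither the size of that array nor the locking that the caller mb_free_blocks() holds is visible in the hunk, so the memset length is an unstated contract with the allocation site. I would add a header comment such as `/* Rebuild buddy bitmap and counters from bd_bitmap after a double free during fast-commit replay; caller is expected to hold the group lock (confirm) */`. The new function is complete within the hunk; the `else` branch that calls it sits in a function whose body starts and ends outside it.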
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26602.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26602.patch
new file mode 100644
index 000000000..b9f68cca6
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26602.patch
@@ -0,0 +1,89 @@
+From 2441a64070b85c14eecc3728cc87e883f953f265 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linuxfoundation.org>
+Date: Sun, 4 Feb 2024 15:25:12 +0000
+Subject: sched/membarrier: reduce the ability to hammer on sys_membarrier
+
+commit 944d5fe50f3f03daacfea16300e656a1691c4a23 upstream.
+
+On some systems, sys_membarrier can be very expensive, causing overall
+slowdowns for everything. So put a lock on the path in order to
+serialize the accesses to prevent the ability for this to be called at
+too high of a frequency and saturate the machine.
+
+Reviewed-and-tested-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Acked-by: Borislav Petkov <bp@alien8.de>
+Fixes: 22e4ebb97582 ("membarrier: Provide expedited private command")
+Fixes: c5f58bd58f43 ("membarrier: Provide GLOBAL_EXPEDITED command")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[ converted to explicit mutex_*() calls - cleanup.h is not in this stable
+ branch - gregkh ]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/membarrier.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kernel/sched/membarrier.c b/kernel/sched/membarrier.c
+index b5add64d9698..0b5e3e520bf6 100644
+--- a/kernel/sched/membarrier.c
++++ b/kernel/sched/membarrier.c
+@@ -161,6 +161,8 @@
+ | MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED \
+ | MEMBARRIER_PRIVATE_EXPEDITED_SYNC_CORE_BITMASK)
+
++static DEFINE_MUTEX(membarrier_ipi_mutex);
++
+ static void ipi_mb(void *info)
+ {
+ smp_mb(); /* IPIs should be serializing but paranoid. */
+@@ -258,6 +260,7 @@ static int membarrier_global_expedited(void)
+ if (!zalloc_cpumask_var(&tmpmask, GFP_KERNEL))
+ return -ENOMEM;
+
++ mutex_lock(&membarrier_ipi_mutex);
+ cpus_read_lock();
+ rcu_read_lock();
+ for_each_online_cpu(cpu) {
+@@ -303,6 +306,8 @@ static int membarrier_global_expedited(void)
+ * rq->curr modification in scheduler.
+ */
+ smp_mb(); /* exit from system call is not a mb */
++ mutex_unlock(&membarrier_ipi_mutex);
++
+ return 0;
+ }
+
+@@ -346,6 +351,7 @@ static int membarrier_private_expedited(int flags, int cpu_id)
+ if (cpu_id < 0 && !zalloc_cpumask_var(&tmpmask, GFP_KERNEL))
+ return -ENOMEM;
+
++ mutex_lock(&membarrier_ipi_mutex);
+ cpus_read_lock();
+
+ if (cpu_id >= 0) {
+@@ -418,6 +424,7 @@ static int membarrier_private_expedited(int flags, int cpu_id)
+ * rq->curr modification in scheduler.
+ */
+ smp_mb(); /* exit from system call is not a mb */
++ mutex_unlock(&membarrier_ipi_mutex);
+
+ return 0;
+ }
+@@ -459,6 +466,7 @@ static int sync_runqueues_membarrier_state(struct mm_struct *mm)
+ * between threads which are users of @mm has its membarrier state
+ * updated.
+ */
++ mutex_lock(&membarrier_ipi_mutex);
+ cpus_read_lock();
+ rcu_read_lock();
+ for_each_online_cpu(cpu) {
+@@ -475,6 +483,7 @@ static int sync_runqueues_membarrier_state(struct mm_struct *mm)
+
+ free_cpumask_var(tmpmask);
+ cpus_read_unlock();
++ mutex_unlock(&membarrier_ipi_mutex);
+
+ return 0;
+ }
+--
+2.25.1
+
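Review bot: This stable backport replaces the upstream scoped guard with explicit `mutex_lock(&membarrier_ipi_mutex)` / `mutex_unlock()` pairs (see the bracketed gregkh note in the header), so every exit between each lock and its unlock has to be checked by hand. In membarrier_global_expedited(), membarrier_private_expedited() and sync_runqueues_membarrier_state() the hunks show only the lock site and the final `return 0`. Any early `return` or `goto` in the unseen middle that skips the unlock would leave the mutex held and block every later expedited membarrier call. The lock order is consistent in the lines shown: the mutex is taken before `cpus_read_lock()` and released after `cpus_read_unlock()`. Confirm the intermediate paths against the linux-aspeed source before merging.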
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch
new file mode 100644
index 000000000..1020a2c6b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch
@@ -0,0 +1,76 @@
+From 2e7ef287f07c74985f1bf2858bedc62bd9ebf155 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Wed, 17 Jan 2024 09:21:02 -0800
+Subject: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work
+
+idev->mc_ifc_count can be written over without proper locking.
+
+Originally found by syzbot [1], fix this issue by encapsulating calls
+to mld_ifc_stop_work() (and mld_gq_stop_work() for good measure) with
+mutex_lock() and mutex_unlock() accordingly as these functions
+should only be called with mc_lock per their declarations.
+
+[1]
+BUG: KCSAN: data-race in ipv6_mc_down / mld_ifc_work
+
+write to 0xffff88813a80c832 of 1 bytes by task 3771 on cpu 0:
+ mld_ifc_stop_work net/ipv6/mcast.c:1080 [inline]
+ ipv6_mc_down+0x10a/0x280 net/ipv6/mcast.c:2725
+ addrconf_ifdown+0xe32/0xf10 net/ipv6/addrconf.c:3949
+ addrconf_notify+0x310/0x980
+ notifier_call_chain kernel/notifier.c:93 [inline]
+ raw_notifier_call_chain+0x6b/0x1c0 kernel/notifier.c:461
+ __dev_notify_flags+0x205/0x3d0
+ dev_change_flags+0xab/0xd0 net/core/dev.c:8685
+ do_setlink+0x9f6/0x2430 net/core/rtnetlink.c:2916
+ rtnl_group_changelink net/core/rtnetlink.c:3458 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3717 [inline]
+ rtnl_newlink+0xbb3/0x1670 net/core/rtnetlink.c:3754
+ rtnetlink_rcv_msg+0x807/0x8c0 net/core/rtnetlink.c:6558
+ netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2545
+ rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6576
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0x589/0x650 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x66e/0x770 net/netlink/af_netlink.c:1910
+ ...
+
+write to 0xffff88813a80c832 of 1 bytes by task 22 on cpu 1:
+ mld_ifc_work+0x54c/0x7b0 net/ipv6/mcast.c:2653
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2700
+ worker_thread+0x525/0x730 kernel/workqueue.c:2781
+ ...
+
+Fixes: 2d9a93b4902b ("mld: convert from timer to delayed work")
+Reported-by: syzbot+a9400cabb1d784e49abf@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/000000000000994e09060ebcdffb@google.com/
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Acked-by: Taehee Yoo <ap420073@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20240117172102.12001-1-n.zhandarovich@fintech.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/ipv6/mcast.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index b75d3c9d41bb50..bc6e0a0bad3c12 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -2722,8 +2722,12 @@ void ipv6_mc_down(struct inet6_dev *idev)
+ synchronize_net();
+ mld_query_stop_work(idev);
+ mld_report_stop_work(idev);
++
++ mutex_lock(&idev->mc_lock);
+ mld_ifc_stop_work(idev);
+ mld_gq_stop_work(idev);
++ mutex_unlock(&idev->mc_lock);
++
+ mld_dad_stop_work(idev);
+ }
+
+--
+cgit 1.2.3-korg
+
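Review bot: Only mld_ifc_stop_work() and mld_gq_stop_work() are moved under `idev->mc_lock` in ipv6_mc_down(), and the code does not say why. mld_query_stop_work(), mld_report_stop_work() and mld_dad_stop_work() in the same sequence stay outside the lock. A short comment would record the rule from the commit message: `/* mld_ifc_stop_work() and mld_gq_stop_work() must be called with mc_lock held; they race with mld_ifc_work() otherwise */`. Because `mutex_lock()` is not recursive, also confirm that no caller reaches ipv6_mc_down() with `mc_lock` already held. The callers and the start of the function are outside the hunk.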
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26671.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26671.patch
new file mode 100644
index 000000000..9e9fedb09
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26671.patch
@@ -0,0 +1,70 @@
+From 1d9c777d3e70bdc57dddf7a14a80059d65919e56 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 12 Jan 2024 20:26:26 +0800
+Subject: blk-mq: fix IO hang from sbitmap wakeup race
+
+[ Upstream commit 5266caaf5660529e3da53004b8b7174cab6374ed ]
+
+In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-ordered
+with the following blk_mq_get_driver_tag() in case of getting driver
+tag failure.
+
+Then in __sbitmap_queue_wake_up(), waitqueue_active() may not observe
+the added waiter in blk_mq_mark_tag_wait() and wake up nothing, meantime
+blk_mq_mark_tag_wait() can't get driver tag successfully.
+
+This issue can be reproduced by running the following test in loop, and
+fio hang can be observed in < 30min when running it on my test VM
+in laptop.
+
+ modprobe -r scsi_debug
+ modprobe scsi_debug delay=0 dev_size_mb=4096 max_queue=1 host_max_queue=1 submit_queues=4
+ dev=`ls -d /sys/bus/pseudo/drivers/scsi_debug/adapter*/host*/target*/*/block/* | head -1 | xargs basename`
+ fio --filename=/dev/"$dev" --direct=1 --rw=randrw --bs=4k --iodepth=1 \
+ --runtime=100 --numjobs=40 --time_based --name=test \
+ --ioengine=libaio
+
+Fix the issue by adding one explicit barrier in blk_mq_mark_tag_wait(), which
+is just fine in case of running out of tag.
+
+Cc: Jan Kara <jack@suse.cz>
+Cc: Kemeng Shi <shikemeng@huaweicloud.com>
+Reported-by: Changhui Zhong <czhong@redhat.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20240112122626.4181044-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-mq.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/block/blk-mq.c b/block/blk-mq.c
+index b3f99dda45300a..c07e5eebcbd853 100644
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -1859,6 +1859,22 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx,
+ wait->flags &= ~WQ_FLAG_EXCLUSIVE;
+ __add_wait_queue(wq, wait);
+
++ /*
++ * Add one explicit barrier since blk_mq_get_driver_tag() may
++ * not imply barrier in case of failure.
++ *
++ * Order adding us to wait queue and allocating driver tag.
++ *
++ * The pair is the one implied in sbitmap_queue_wake_up() which
++ * orders clearing sbitmap tag bits and waitqueue_active() in
++ * __sbitmap_queue_wake_up(), since waitqueue_active() is lockless
++ *
++ * Otherwise, re-order of adding wait queue and getting driver tag
++ * may cause __sbitmap_queue_wake_up() to wake up nothing because
++ * the waitqueue_active() may not observe us in wait queue.
++ */
++ smp_mb();
++
+ /*
+ * It's possible that a tag was freed in the window between the
+ * allocation failure and adding the hardware queue to the wait
+--
+cgit 1.2.3-korg
+
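Review bot: The new `smp_mb()` in blk_mq_mark_tag_wait() is only correct together with its partner barrier, which the added comment places in sbitmap_queue_wake_up() / __sbitmap_queue_wake_up(), code that this patch does not touch. When carrying this onto an older base, check that the tree's sbitmap wake-up path still orders clearing the tag bit before the lockless `waitqueue_active()` test. If that ordering was introduced by a later upstream change, the lost-wakeup window stays open even with this barrier. The function body starts and ends outside the hunk.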
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26676.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26676.patch
new file mode 100644
index 000000000..2ff7af39d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26676.patch
@@ -0,0 +1,107 @@
+From 1279f9d9dec2d7462823a18c29ad61359e0a007d Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Sat, 3 Feb 2024 10:31:49 -0800
+Subject: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.
+
+syzbot reported a warning [0] in __unix_gc() with a repro, which
+creates a socketpair and sends one socket's fd to itself using the
+peer.
+
+ socketpair(AF_UNIX, SOCK_STREAM, 0, [3, 4]) = 0
+ sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\360", iov_len=1}],
+ msg_iovlen=1, msg_control=[{cmsg_len=20, cmsg_level=SOL_SOCKET,
+ cmsg_type=SCM_RIGHTS, cmsg_data=[3]}],
+ msg_controllen=24, msg_flags=0}, MSG_OOB|MSG_PROBE|MSG_DONTWAIT|MSG_ZEROCOPY) = 1
+
+This forms a self-cyclic reference that GC should finally untangle
+but does not due to lack of MSG_OOB handling, resulting in memory
+leak.
+
+Recently, commit 11498715f266 ("af_unix: Remove io_uring code for
+GC.") removed io_uring's dead code in GC and revealed the problem.
+
+The code was executed at the final stage of GC and unconditionally
+moved all GC candidates from gc_candidates to gc_inflight_list.
+That papered over the reported problem by always making the following
+WARN_ON_ONCE(!list_empty(&gc_candidates)) false.
+
+The problem has been there since commit 2aab4b969002 ("af_unix: fix
+struct pid leaks in OOB support") added full scm support for MSG_OOB
+while fixing another bug.
+
+To fix this problem, we must call kfree_skb() for unix_sk(sk)->oob_skb
+if the socket still exists in gc_candidates after purging collected skb.
+
+Then, we need to set NULL to oob_skb before calling kfree_skb() because
+it calls last fput() and triggers unix_release_sock(), where we call
+duplicate kfree_skb(u->oob_skb) if not NULL.
+
+Note that the leaked socket remained being linked to a global list, so
+kmemleak also could not detect it. We need to check /proc/net/protocol
+to notice the unfreed socket.
+
+[0]:
+WARNING: CPU: 0 PID: 2863 at net/unix/garbage.c:345 __unix_gc+0xc74/0xe80 net/unix/garbage.c:345
+Modules linked in:
+CPU: 0 PID: 2863 Comm: kworker/u4:11 Not tainted 6.8.0-rc1-syzkaller-00583-g1701940b1a02 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Workqueue: events_unbound __unix_gc
+RIP: 0010:__unix_gc+0xc74/0xe80 net/unix/garbage.c:345
+Code: 8b 5c 24 50 e9 86 f8 ff ff e8 f8 e4 22 f8 31 d2 48 c7 c6 30 6a 69 89 4c 89 ef e8 97 ef ff ff e9 80 f9 ff ff e8 dd e4 22 f8 90 <0f> 0b 90 e9 7b fd ff ff 48 89 df e8 5c e7 7c f8 e9 d3 f8 ff ff e8
+RSP: 0018:ffffc9000b03fba0 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffffc9000b03fc10 RCX: ffffffff816c493e
+RDX: ffff88802c02d940 RSI: ffffffff896982f3 RDI: ffffc9000b03fb30
+RBP: ffffc9000b03fce0 R08: 0000000000000001 R09: fffff52001607f66
+R10: 0000000000000003 R11: 0000000000000002 R12: dffffc0000000000
+R13: ffffc9000b03fc10 R14: ffffc9000b03fc10 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00005559c8677a60 CR3: 000000000d57a000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ process_one_work+0x889/0x15e0 kernel/workqueue.c:2633
+ process_scheduled_works kernel/workqueue.c:2706 [inline]
+ worker_thread+0x8b9/0x12a0 kernel/workqueue.c:2787
+ kthread+0x2c6/0x3b0 kernel/kthread.c:388
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:242
+ </TASK>
+
+Reported-by: syzbot+fa3ef895554bdbfd1183@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=fa3ef895554bdbfd1183
+Fixes: 2aab4b969002 ("af_unix: fix struct pid leaks in OOB support")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240203183149.63573-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+---
+ net/unix/garbage.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/net/unix/garbage.c b/net/unix/garbage.c
+index 2405f0f9af31c0..8f63f0b4bf0129 100644
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -314,6 +314,17 @@ void unix_gc(void)
+ /* Here we are. Hitlist is filled. Die. */
+ __skb_queue_purge(&hitlist);
+
++#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
++ list_for_each_entry_safe(u, next, &gc_candidates, link) {
++ struct sk_buff *skb = u->oob_skb;
++
++ if (skb) {
++ u->oob_skb = NULL;
++ kfree_skb(skb);
++ }
++ }
++#endif
++
+ spin_lock(&unix_gc_lock);
+
+ /* All candidates should have been detached by now. */
+--
+cgit 1.2.3-korg
+
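Review bot: The order inside the new loop in unix_gc(), `u->oob_skb = NULL` before `kfree_skb(skb)`, matters for memory safety but is explained only in the commit message. A comment in the loop would protect it from a later tidy-up: `/* Clear oob_skb first: kfree_skb() can drop the last fput() and run unix_release_sock(), which frees u->oob_skb again if it is still set */`. The loop uses `u` and `next`, which must already be declared earlier in unix_gc(); that part of the function is outside the hunk. The commit message discusses `__unix_gc()` while the hunk header names `unix_gc()`, so the patch is evidently applied to an older layout and the surrounding context should be checked against the target tree.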
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26679.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26679.patch
new file mode 100644
index 000000000..3c2827929
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26679.patch
@@ -0,0 +1,44 @@
+From 307fa8a75ab7423fa5c73573ec3d192de5027830 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 2 Feb 2024 09:54:04 +0000
+Subject: inet: read sk->sk_family once in inet_recv_error()
+
+[ Upstream commit eef00a82c568944f113f2de738156ac591bbd5cd ]
+
+inet_recv_error() is called without holding the socket lock.
+
+IPv6 socket could mutate to IPv4 with IPV6_ADDRFORM
+socket option and trigger a KCSAN warning.
+
+Fixes: f4713a3dfad0 ("net-timestamp: make tcp_recvmsg call ipv6_recv_error for AF_INET6 socks")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/af_inet.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 1c58bd72e1245d..e59962f34caa6c 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1628,10 +1628,12 @@ EXPORT_SYMBOL(inet_current_timestamp);
+
+ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
+ {
+- if (sk->sk_family == AF_INET)
++ unsigned int family = READ_ONCE(sk->sk_family);
++
++ if (family == AF_INET)
+ return ip_recv_error(sk, msg, len, addr_len);
+ #if IS_ENABLED(CONFIG_IPV6)
+- if (sk->sk_family == AF_INET6)
++ if (family == AF_INET6)
+ return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len);
+ #endif
+ return -EINVAL;
+--
+cgit 1.2.3-korg
+
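Review bot: `READ_ONCE(sk->sk_family)` in inet_recv_error() annotates only the reader. The store that changes the family when a socket is converted with IPV6_ADDRFORM is outside this hunk. If that store is still a plain assignment in the linux-aspeed tree, the access pair may continue to be flagged as a data race. Check that the writer uses `WRITE_ONCE(sk->sk_family, ...)`, or carry the matching upstream annotation alongside this patch. The single snapshot is the functional part of the fix, since both comparisons now test the same value.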
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26686.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26686.patch
new file mode 100644
index 000000000..7bed5bc46
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26686.patch
@@ -0,0 +1,161 @@
+From 27978243f165b44e342f28f449b91327944ea071 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 23 Jan 2024 16:33:57 +0100
+Subject: [PATCH] fs/proc: do_task_stat: use sig->stats_lock to gather the
+ threads/children stats
+
+commit 7601df8031fd67310af891897ef6cc0df4209305 upstream.
+
+lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads call
+do_task_stat() at the same time and the process has NR_THREADS, it will
+spin with irqs disabled O(NR_CPUS * NR_THREADS) time.
+
+Change do_task_stat() to use sig->stats_lock to gather the statistics
+outside of ->siglock protected section, in the likely case this code will
+run lockless.
+
+Link: https://lkml.kernel.org/r/20240123153357.GA21857@redhat.com
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Dylan Hatch <dylanbhatch@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/array.c | 76 ++++++++++++++++++++++++++++---------------------
+ 1 file changed, 43 insertions(+), 33 deletions(-)
+
+diff --git a/fs/proc/array.c b/fs/proc/array.c
+index 49be8c8ef555..c6b840e25151 100644
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -462,12 +462,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ int permitted;
+ struct mm_struct *mm;
+ unsigned long long start_time;
+- unsigned long cmin_flt = 0, cmaj_flt = 0;
+- unsigned long min_flt = 0, maj_flt = 0;
+- u64 cutime, cstime, utime, stime;
+- u64 cgtime, gtime;
++ unsigned long cmin_flt, cmaj_flt, min_flt, maj_flt;
++ u64 cutime, cstime, cgtime, utime, stime, gtime;
+ unsigned long rsslim = 0;
+ unsigned long flags;
++ int exit_code = task->exit_code;
++ struct signal_struct *sig = task->signal;
++ unsigned int seq = 1;
+
+ state = *get_task_state(task);
+ vsize = eip = esp = 0;
+@@ -495,12 +496,8 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+
+ sigemptyset(&sigign);
+ sigemptyset(&sigcatch);
+- cutime = cstime = utime = stime = 0;
+- cgtime = gtime = 0;
+
+ if (lock_task_sighand(task, &flags)) {
+- struct signal_struct *sig = task->signal;
+-
+ if (sig->tty) {
+ struct pid *pgrp = tty_get_pgrp(sig->tty);
+ tty_pgrp = pid_nr_ns(pgrp, ns);
+@@ -511,26 +508,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ num_threads = get_nr_threads(task);
+ collect_sigign_sigcatch(task, &sigign, &sigcatch);
+
+- cmin_flt = sig->cmin_flt;
+- cmaj_flt = sig->cmaj_flt;
+- cutime = sig->cutime;
+- cstime = sig->cstime;
+- cgtime = sig->cgtime;
+ rsslim = READ_ONCE(sig->rlim[RLIMIT_RSS].rlim_cur);
+
+- /* add up live thread stats at the group level */
+ if (whole) {
+- struct task_struct *t = task;
+- do {
+- min_flt += t->min_flt;
+- maj_flt += t->maj_flt;
+- gtime += task_gtime(t);
+- } while_each_thread(task, t);
+-
+- min_flt += sig->min_flt;
+- maj_flt += sig->maj_flt;
+- thread_group_cputime_adjusted(task, &utime, &stime);
+- gtime += sig->gtime;
++ if (sig->flags & (SIGNAL_GROUP_EXIT | SIGNAL_STOP_STOPPED))
++ exit_code = sig->group_exit_code;
+ }
+
+ sid = task_session_nr_ns(task, ns);
+@@ -541,11 +523,42 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ }
+
+ if (permitted && (!whole || num_threads < 2))
+- wchan = get_wchan(task);
+- if (!whole) {
++ wchan = !task_is_running(task);
++
++ do {
++ seq++; /* 2 on the 1st/lockless path, otherwise odd */
++ flags = read_seqbegin_or_lock_irqsave(&sig->stats_lock, &seq);
++
++ cmin_flt = sig->cmin_flt;
++ cmaj_flt = sig->cmaj_flt;
++ cutime = sig->cutime;
++ cstime = sig->cstime;
++ cgtime = sig->cgtime;
++
++ if (whole) {
++ struct task_struct *t;
++
++ min_flt = sig->min_flt;
++ maj_flt = sig->maj_flt;
++ gtime = sig->gtime;
++
++ rcu_read_lock();
++ __for_each_thread(sig, t) {
++ min_flt += t->min_flt;
++ maj_flt += t->maj_flt;
++ gtime += task_gtime(t);
++ }
++ rcu_read_unlock();
++ }
++ } while (need_seqretry(&sig->stats_lock, seq));
++ done_seqretry_irqrestore(&sig->stats_lock, seq, flags);
++
++ if (whole) {
++ thread_group_cputime_adjusted(task, &utime, &stime);
++ } else {
++ task_cputime_adjusted(task, &utime, &stime);
+ min_flt = task->min_flt;
+ maj_flt = task->maj_flt;
+- task_cputime_adjusted(task, &utime, &stime);
+ gtime = task_gtime(task);
+ }
+
+@@ -606,10 +619,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ *
+ * This works with older implementations of procps as well.
+ */
+- if (wchan)
+- seq_puts(m, " 1");
+- else
+- seq_puts(m, " 0");
++ seq_put_decimal_ull(m, " ", wchan);
+
+ seq_put_decimal_ull(m, " ", 0);
+ seq_put_decimal_ull(m, " ", 0);
+@@ -633,7 +643,7 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
+ seq_puts(m, " 0 0 0 0 0 0 0");
+
+ if (permitted)
+- seq_put_decimal_ll(m, " ", task->exit_code);
++ seq_put_decimal_ll(m, " ", exit_code);
+ else
+ seq_puts(m, " 0");
+
+--
+2.25.1
+
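Review bot: The do_task_stat() changes in this backport go beyond what its commit message describes. Besides gathering the counters under `sig->stats_lock`, the new side replaces `wchan = get_wchan(task);` with `wchan = !task_is_running(task);`, prints it with `seq_put_decimal_ull(m, " ", wchan);`, and introduces `exit_code`, which is taken from `sig->group_exit_code` for whole-group reads. Those lines change what /proc/<pid>/stat reports, so they look like separate upstream changes folded into the CVE fix. I would carry them as their own patches, or at least name them in the header with a line such as `[backport: also includes the wchan and exit_code changes this patch depends on]`. do_task_stat() starts and ends outside the hunks shown.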
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch
new file mode 100644
index 000000000..0fb6d112d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch
@@ -0,0 +1,71 @@
+From 185eab30486ba3e7bf8b9c2e049c79a06ffd2bc1 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 4 Jan 2024 22:20:33 +0800
+Subject: ext4: fix double-free of blocks due to wrong extents moved_len
+
+commit 55583e899a5357308274601364741a83e78d6ac4 upstream.
+
+In ext4_move_extents(), moved_len is only updated when all moves are
+successfully executed, and only discards orig_inode and donor_inode
+preallocations when moved_len is not zero. When the loop fails to exit
+after successfully moving some extents, moved_len is not updated and
+remains at 0, so it does not discard the preallocations.
+
+If the moved extents overlap with the preallocated extents, the
+overlapped extents are freed twice in ext4_mb_release_inode_pa() and
+ext4_process_freed_data() (as described in commit 94d7c16cbbbd ("ext4:
+Fix double-free of blocks with EXT4_IOC_MOVE_EXT")), and bb_free is
+incremented twice. Hence when trim is executed, a zero-division bug is
+triggered in mb_update_avg_fragment_size() because bb_free is not zero
+and bb_fragments is zero.
+
+Therefore, update move_len after each extent move to avoid the issue.
+
+Reported-by: Wei Chen <harperchen1110@gmail.com>
+Reported-by: xingwei lee <xrivendell7@gmail.com>
+Closes: https://lore.kernel.org/r/CAO4mrferzqBUnCag8R3m2zf897ts9UEuhjFQGPtODT92rYyR2Q@mail.gmail.com
+Fixes: fcf6b1b729bc ("ext4: refactor ext4_move_extents code base")
+CC: <stable@vger.kernel.org> # 3.18
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-2-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/move_extent.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
+index dedc9d445f2433..8e3ff150bc36b1 100644
+--- a/fs/ext4/move_extent.c
++++ b/fs/ext4/move_extent.c
+@@ -621,6 +621,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
+ goto out;
+ o_end = o_start + len;
+
++ *moved_len = 0;
+ while (o_start < o_end) {
+ struct ext4_extent *ex;
+ ext4_lblk_t cur_blk, next_blk;
+@@ -675,7 +676,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
+ */
+ ext4_double_up_write_data_sem(orig_inode, donor_inode);
+ /* Swap original branches with new branches */
+- move_extent_per_page(o_filp, donor_inode,
++ *moved_len += move_extent_per_page(o_filp, donor_inode,
+ orig_page_index, donor_page_index,
+ offset_in_page, cur_len,
+ unwritten, &ret);
+@@ -685,9 +686,6 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
+ o_start += cur_len;
+ d_start += cur_len;
+ }
+- *moved_len = o_start - orig_blk;
+- if (*moved_len > len)
+- *moved_len = len;
+
+ out:
+ if (*moved_len) {
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch
new file mode 100644
index 000000000..0bb927550
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch
@@ -0,0 +1,49 @@
+From 16b1025eaa8fc223ab4273ece20d1c3a4211a95d Mon Sep 17 00:00:00 2001
+From: Zach O'Keefe <zokeefe@google.com>
+Date: Thu, 18 Jan 2024 10:19:53 -0800
+Subject: mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again
+
+commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78 upstream.
+
+(struct dirty_throttle_control *)->thresh is an unsigned long, but is
+passed as the u32 divisor argument to div_u64(). On architectures where
+unsigned long is 64 bytes, the argument will be implicitly truncated.
+
+Use div64_u64() instead of div_u64() so that the value used in the "is
+this a safe division" check is the same as the divisor.
+
+Also, remove redundant cast of the numerator to u64, as that should happen
+implicitly.
+
+This would be difficult to exploit in memcg domain, given the ratio-based
+arithmetic domain_drity_limits() uses, but is much easier in global
+writeback domain with a BDI_CAP_STRICTLIMIT-backing device, using e.g.
+vm.dirty_bytes=(1<<32)*PAGE_SIZE so that dtc->thresh == (1<<32)
+
+Link: https://lkml.kernel.org/r/20240118181954.1415197-1-zokeefe@google.com
+Fixes: f6789593d5ce ("mm/page-writeback.c: fix divide by zero in bdi_dirty_limits()")
+Signed-off-by: Zach O'Keefe <zokeefe@google.com>
+Cc: Maxim Patlasov <MPatlasov@parallels.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page-writeback.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/page-writeback.c b/mm/page-writeback.c
+index de5f69921b9465..d3e9d12860b9f4 100644
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -1526,7 +1526,7 @@ static inline void wb_dirty_limits(struct dirty_throttle_control *dtc)
+ */
+ dtc->wb_thresh = __wb_calc_thresh(dtc);
+ dtc->wb_bg_thresh = dtc->thresh ?
+- div_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0;
++ div64_u64(dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0;
+
+ /*
+ * In order to avoid the stacked BDI deadlock we need
+--
+cgit 1.2.3-korg
+
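Review bot: The replacement line drops the `(u64)` cast from the numerator, so `dtc->wb_thresh * dtc->bg_thresh` is multiplied at the width of its operands before `div64_u64()` ever sees the result. The commit message says `thresh` is an unsigned long and that the truncation being fixed only occurs where unsigned long is 64 bits wide. If this kernel is built for a 32-bit target, as ASPEED BMC kernels usually are, the original problem does not arise there, while the un-widened product can wrap (assuming wb_thresh and bg_thresh are unsigned long as well, which the hunk does not show). Keeping the cast avoids that: `div64_u64((u64)dtc->wb_thresh * dtc->bg_thresh, dtc->thresh) : 0;`. It is also worth checking whether upstream has since reverted or reworked this commit before carrying it; wb_dirty_limits() continues outside the hunk.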
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26735.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26735.patch
new file mode 100644
index 000000000..5446d2696
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26735.patch
@@ -0,0 +1,72 @@
+From 02b08db594e8218cfbc0e4680d4331b457968a9b Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Thu, 15 Feb 2024 23:27:17 +0300
+Subject: ipv6: sr: fix possible use-after-free and null-ptr-deref
+
+[ Upstream commit 5559cea2d5aa3018a5f00dd2aca3427ba09b386b ]
+
+The pernet operations structure for the subsystem must be registered
+before registering the generic netlink family.
+
+Fixes: 915d7e5e5930 ("ipv6: sr: add code base for control plane support of SR-IPv6")
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/r/20240215202717.29815-1-kovalev@altlinux.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index 29346a6eec9ffe..35508abd76f43d 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -512,22 +512,24 @@ int __init seg6_init(void)
+ {
+ int err;
+
+- err = genl_register_family(&seg6_genl_family);
++ err = register_pernet_subsys(&ip6_segments_ops);
+ if (err)
+ goto out;
+
+- err = register_pernet_subsys(&ip6_segments_ops);
++ err = genl_register_family(&seg6_genl_family);
+ if (err)
+- goto out_unregister_genl;
++ goto out_unregister_pernet;
+
+ #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
+ err = seg6_iptunnel_init();
+ if (err)
+- goto out_unregister_pernet;
++ goto out_unregister_genl;
+
+ err = seg6_local_init();
+- if (err)
+- goto out_unregister_pernet;
++ if (err) {
++ seg6_iptunnel_exit();
++ goto out_unregister_genl;
++ }
+ #endif
+
+ #ifdef CONFIG_IPV6_SEG6_HMAC
+@@ -548,11 +550,11 @@ out_unregister_iptun:
+ #endif
+ #endif
+ #ifdef CONFIG_IPV6_SEG6_LWTUNNEL
+-out_unregister_pernet:
+- unregister_pernet_subsys(&ip6_segments_ops);
+-#endif
+ out_unregister_genl:
+ genl_unregister_family(&seg6_genl_family);
++#endif
++out_unregister_pernet:
++ unregister_pernet_subsys(&ip6_segments_ops);
+ goto out;
+ }
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26772.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26772.patch
new file mode 100644
index 000000000..0a2e78077
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26772.patch
@@ -0,0 +1,52 @@
+From 21dbe20589c7f48e9c5d336ce6402bcebfa6d76a Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 4 Jan 2024 22:20:39 +0800
+Subject: ext4: avoid allocating blocks from corrupted group in
+ ext4_mb_find_by_goal()
+
+[ Upstream commit 832698373a25950942c04a512daa652c18a9b513 ]
+
+Places the logic for checking if the group's block bitmap is corrupt under
+the protection of the group lock to avoid allocating blocks from the group
+with a corrupted block bitmap.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-8-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 1bc615d6219171..7497a789d002eb 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2342,12 +2342,10 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac,
+ if (err)
+ return err;
+
+- if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) {
+- ext4_mb_unload_buddy(e4b);
+- return 0;
+- }
+-
+ ext4_lock_group(ac->ac_sb, group);
++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++ goto out;
++
+ max = mb_find_extent(e4b, ac->ac_g_ex.fe_start,
+ ac->ac_g_ex.fe_len, &ex);
+ ex.fe_logical = 0xDEADFA11; /* debug value */
+@@ -2380,6 +2378,7 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac,
+ ac->ac_b_ex = ex;
+ ext4_mb_use_best_found(ac, e4b);
+ }
++out:
+ ext4_unlock_group(ac->ac_sb, group);
+ ext4_mb_unload_buddy(e4b);
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26773.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26773.patch
new file mode 100644
index 000000000..c5bf1503c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26773.patch
@@ -0,0 +1,63 @@
+From 21f8cfe79f776287459343e9cfa6055af61328ea Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 4 Jan 2024 22:20:38 +0800
+Subject: ext4: avoid allocating blocks from corrupted group in
+ ext4_mb_try_best_found()
+
+[ Upstream commit 4530b3660d396a646aad91a787b6ab37cf604b53 ]
+
+Determine if the group block bitmap is corrupted before using ac_b_ex in
+ext4_mb_try_best_found() to avoid allocating blocks from a group with a
+corrupted block bitmap in the following concurrency and making the
+situation worse.
+
+ext4_mb_regular_allocator
+ ext4_lock_group(sb, group)
+ ext4_mb_good_group
+ // check if the group bbitmap is corrupted
+ ext4_mb_complex_scan_group
+ // Scan group gets ac_b_ex but doesn't use it
+ ext4_unlock_group(sb, group)
+ ext4_mark_group_bitmap_corrupted(group)
+ // The block bitmap was corrupted during
+ // the group unlock gap.
+ ext4_mb_try_best_found
+ ext4_lock_group(ac->ac_sb, group)
+ ext4_mb_use_best_found
+ mb_mark_used
+ // Allocating blocks in block bitmap corrupted group
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-7-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index df390979058fd7..e0dd01cb1a0e77 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1802,6 +1802,9 @@ int ext4_mb_try_best_found(struct ext4_allocation_context *ac,
+ return err;
+
+ ext4_lock_group(ac->ac_sb, group);
++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++ goto out;
++
+ max = mb_find_extent(e4b, ex.fe_start, ex.fe_len, &ex);
+
+ if (max > 0) {
+@@ -1809,6 +1812,7 @@ int ext4_mb_try_best_found(struct ext4_allocation_context *ac,
+ ext4_mb_use_best_found(ac, e4b);
+ }
+
++out:
+ ext4_unlock_group(ac->ac_sb, group);
+ ext4_mb_unload_buddy(e4b);
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26774.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26774.patch
new file mode 100644
index 000000000..b16497843
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26774.patch
@@ -0,0 +1,36 @@
+From 687061cfaa2ac3095170e136dd9c29a4974f41d4 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Thu, 4 Jan 2024 22:20:37 +0800
+Subject: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block
+ bitmap corrupt
+
+[ Upstream commit 993bf0f4c393b3667830918f9247438a8f6fdb5b ]
+
+Determine if bb_fragments is 0 instead of determining bb_free to eliminate
+the risk of dividing by zero when the block bitmap is corrupted.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-6-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 762c2f8b5b2a86..48930df9ae565b 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -853,7 +853,7 @@ mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_free == 0)
++ if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0)
+ return;
+
+ write_lock(&sbi->s_mb_rb_lock);
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26795.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26795.patch
new file mode 100644
index 000000000..fe34515b7
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26795.patch
@@ -0,0 +1,48 @@
+From 2a1728c15ec4f45ed9248ae22f626541c179bfbe Mon Sep 17 00:00:00 2001
+From: Dimitris Vlachos <dvlachos@ics.forth.gr>
+Date: Thu, 29 Feb 2024 21:17:23 +0200
+Subject: riscv: Sparse-Memory/vmemmap out-of-bounds fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit a11dd49dcb9376776193e15641f84fcc1e5980c9 ]
+
+Offset vmemmap so that the first page of vmemmap will be mapped
+to the first page of physical memory in order to ensure that
+vmemmap’s bounds will be respected during
+pfn_to_page()/page_to_pfn() operations.
+The conversion macros will produce correct SV39/48/57 addresses
+for every possible/valid DRAM_BASE inside the physical memory limits.
+
+v2:Address Alex's comments
+
+Suggested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Dimitris Vlachos <dvlachos@ics.forth.gr>
+Reported-by: Dimitris Vlachos <dvlachos@ics.forth.gr>
+Closes: https://lore.kernel.org/linux-riscv/20240202135030.42265-1-csd4492@csd.uoc.gr
+Fixes: d95f1a542c3d ("RISC-V: Implement sparsemem")
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20240229191723.32779-1-dvlachos@ics.forth.gr
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
+index ec8468ddad4a09..76b131e7bbcad4 100644
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -84,7 +84,7 @@
+ * Define vmemmap for pfn_to_page & page_to_pfn calls. Needed if kernel
+ * is configured with CONFIG_SPARSEMEM_VMEMMAP enabled.
+ */
+-#define vmemmap ((struct page *)VMEMMAP_START)
++#define vmemmap ((struct page *)VMEMMAP_START - (phys_ram_base >> PAGE_SHIFT))
+
+ #define PCI_IO_SIZE SZ_16M
+ #define PCI_IO_END VMEMMAP_START
+--
+cgit 1.2.3-korg
+
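Review bot: This patch only modifies `arch/riscv/include/asm/pgtable.h`, which is not compiled into an ARM build, so if linux-aspeed is only ever built for ASPEED ARM SoCs it does not change the resulting image. Carrying it still adds a patch that has to keep applying on every kernel bump, and it makes the list of applied fixes look larger than the set that actually affects the target. If it is kept so that a CVE scanner reports the issue as patched, I would state that in the patch header, for example `[arch/riscv only; no effect on ARM builds, carried for CVE tracking]`.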
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26900.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26900.patch
new file mode 100644
index 000000000..eecc87e6e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26900.patch
@@ -0,0 +1,67 @@
+From 3948abaa4e2be938ccdfc289385a27342fb13d43 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Fri, 19 Jan 2024 07:39:06 -0800
+Subject: do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
+
+syzbot identified a kernel information leak vulnerability in
+do_sys_name_to_handle() and issued the following report [1].
+
+[1]
+"BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x100 lib/usercopy.c:40
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ _copy_to_user+0xbc/0x100 lib/usercopy.c:40
+ copy_to_user include/linux/uaccess.h:191 [inline]
+ do_sys_name_to_handle fs/fhandle.c:73 [inline]
+ __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
+ __se_sys_name_to_handle_at+0x949/0xb10 fs/fhandle.c:94
+ __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
+ ...
+
+Uninit was created at:
+ slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3478 [inline]
+ __kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
+ __do_kmalloc_node mm/slab_common.c:1006 [inline]
+ __kmalloc+0x121/0x3c0 mm/slab_common.c:1020
+ kmalloc include/linux/slab.h:604 [inline]
+ do_sys_name_to_handle fs/fhandle.c:39 [inline]
+ __do_sys_name_to_handle_at fs/fhandle.c:112 [inline]
+ __se_sys_name_to_handle_at+0x441/0xb10 fs/fhandle.c:94
+ __x64_sys_name_to_handle_at+0xe4/0x140 fs/fhandle.c:94
+ ...
+
+Bytes 18-19 of 20 are uninitialized
+Memory access of size 20 starts at ffff888128a46380
+Data copied to user address 0000000020000240"
+
+Per Chuck Lever's suggestion, use kzalloc() instead of kmalloc() to
+solve the problem.
+
+Fixes: 990d6c2d7aee ("vfs: Add name to file handle conversion support")
+Suggested-by: Chuck Lever III <chuck.lever@oracle.com>
+Reported-and-tested-by: <syzbot+09b349b3066c2e0b1e96@syzkaller.appspotmail.com>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20240119153906.4367-1-n.zhandarovich@fintech.ru
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+---
+ fs/fhandle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/fhandle.c b/fs/fhandle.c
+index 18b3ba8dc8ead7..57a12614addfd4 100644
+--- a/fs/fhandle.c
++++ b/fs/fhandle.c
+@@ -36,7 +36,7 @@ static long do_sys_name_to_handle(const struct path *path,
+ if (f_handle.handle_bytes > MAX_HANDLE_SZ)
+ return -EINVAL;
+
+- handle = kmalloc(sizeof(struct file_handle) + f_handle.handle_bytes,
++ handle = kzalloc(sizeof(struct file_handle) + f_handle.handle_bytes,
+ GFP_KERNEL);
+ if (!handle)
+ return -ENOMEM;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-35984.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-35984.patch
new file mode 100644
index 000000000..39f07ce42
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-35984.patch
@@ -0,0 +1,63 @@
+From 357c64ef1ef39b1e7cd91ab6bdd304d043702c83 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Fri, 26 Apr 2024 08:44:08 +0200
+Subject: [PATCH] i2c: smbus: fix NULL function pointer dereference
+
+[ Upstream commit 91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f ]
+
+Baruch reported an OOPS when using the designware controller as target
+only. Target-only modes break the assumption of one transfer function
+always being available. Fix this by always checking the pointer in
+__i2c_transfer.
+
+Reported-by: Baruch Siach <baruch@tkos.co.il>
+Closes: https://lore.kernel.org/r/4269631780e5ba789cf1ae391eec1b959def7d99.1712761976.git.baruch@tkos.co.il
+Fixes: 4b1acc43331d ("i2c: core changes for slave support")
+[wsa: dropped the simplification in core-smbus to avoid theoretical regressions]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-base.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
+index be242605df91..43eededcb654 100644
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -2200,7 +2200,7 @@ static int i2c_check_for_quirks(struct i2c_adapter *adap, struct i2c_msg *msgs,
+ * Returns negative errno, else the number of messages executed.
+ *
+ * Adapter lock must be held when calling this function. No debug logging
+- * takes place. adap->algo->master_xfer existence isn't checked.
++ * takes place.
+ */
+ int __i2c_transfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ {
+@@ -2209,6 +2209,11 @@ int __i2c_transfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ unsigned long timeout;
+ int ret, try;
+
++ if (!adap->algo->master_xfer) {
++ dev_dbg(&adap->dev, "I2C level transfers not supported\n");
++ return -EOPNOTSUPP;
++ }
++
+ if (WARN_ON(!msgs || num < 1))
+ return -EINVAL;
+
+@@ -2302,11 +2307,6 @@ int i2c_transfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
+ bool do_bus_lock = true;
+ int ret;
+
+- if (!adap->algo->master_xfer) {
+- dev_dbg(&adap->dev, "I2C level transfers not supported\n");
+- return -EOPNOTSUPP;
+- }
+-
+ /* REVISIT the fault reporting model here is weak:
+ *
+ * - When we get an error after receiving N bytes from a slave,
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-36008.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-36008.patch
new file mode 100644
index 000000000..240e50046
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-36008.patch
@@ -0,0 +1,81 @@
+From 03b5a9b2b526862b21bcc31976e393a6e63785d1 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Sun, 21 Apr 2024 18:43:26 +0000
+Subject: ipv4: check for NULL idev in ip_route_use_hint()
+
+[ Upstream commit 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1 ]
+
+syzbot was able to trigger a NULL deref in fib_validate_source()
+in an old tree [1].
+
+It appears the bug exists in latest trees.
+
+All calls to __in_dev_get_rcu() must be checked for a NULL result.
+
+[1]
+general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+CPU: 2 PID: 3257 Comm: syz-executor.3 Not tainted 5.10.0-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+ RIP: 0010:fib_validate_source+0xbf/0x15a0 net/ipv4/fib_frontend.c:425
+Code: 18 f2 f2 f2 f2 42 c7 44 20 23 f3 f3 f3 f3 48 89 44 24 78 42 c6 44 20 27 f3 e8 5d 88 48 fc 4c 89 e8 48 c1 e8 03 48 89 44 24 18 <42> 80 3c 20 00 74 08 4c 89 ef e8 d2 15 98 fc 48 89 5c 24 10 41 bf
+RSP: 0018:ffffc900015fee40 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffff88800f7a4000 RCX: ffff88800f4f90c0
+RDX: 0000000000000000 RSI: 0000000004001eac RDI: ffff8880160c64c0
+RBP: ffffc900015ff060 R08: 0000000000000000 R09: ffff88800f7a4000
+R10: 0000000000000002 R11: ffff88800f4f90c0 R12: dffffc0000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: ffff88800f7a4000
+FS: 00007f938acfe6c0(0000) GS:ffff888058c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f938acddd58 CR3: 000000001248e000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ip_route_use_hint+0x410/0x9b0 net/ipv4/route.c:2231
+ ip_rcv_finish_core+0x2c4/0x1a30 net/ipv4/ip_input.c:327
+ ip_list_rcv_finish net/ipv4/ip_input.c:612 [inline]
+ ip_sublist_rcv+0x3ed/0xe50 net/ipv4/ip_input.c:638
+ ip_list_rcv+0x422/0x470 net/ipv4/ip_input.c:673
+ __netif_receive_skb_list_ptype net/core/dev.c:5572 [inline]
+ __netif_receive_skb_list_core+0x6b1/0x890 net/core/dev.c:5620
+ __netif_receive_skb_list net/core/dev.c:5672 [inline]
+ netif_receive_skb_list_internal+0x9f9/0xdc0 net/core/dev.c:5764
+ netif_receive_skb_list+0x55/0x3e0 net/core/dev.c:5816
+ xdp_recv_frames net/bpf/test_run.c:257 [inline]
+ xdp_test_run_batch net/bpf/test_run.c:335 [inline]
+ bpf_test_run_xdp_live+0x1818/0x1d00 net/bpf/test_run.c:363
+ bpf_prog_test_run_xdp+0x81f/0x1170 net/bpf/test_run.c:1376
+ bpf_prog_test_run+0x349/0x3c0 kernel/bpf/syscall.c:3736
+ __sys_bpf+0x45c/0x710 kernel/bpf/syscall.c:5115
+ __do_sys_bpf kernel/bpf/syscall.c:5201 [inline]
+ __se_sys_bpf kernel/bpf/syscall.c:5199 [inline]
+ __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5199
+
+Fixes: 02b24941619f ("ipv4: use dst hint for ipv4 list receive")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://lore.kernel.org/r/20240421184326.1704930-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 4ff94596f8cd5a..895754439393e1 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2173,6 +2173,9 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ int err = -EINVAL;
+ u32 tag = 0;
+
++ if (!in_dev)
++ return -EINVAL;
++
+ if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr))
+ goto martian_source;
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
index 54ddf246e..0d15f61d7 100644
--- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
@@ -18,6 +18,14 @@ SRC_URI += " \
file://0001-peci-aspeed-Improve-workaround-for-controller-hang.patch \
file://0002-gpio-gpio-aspeed-sgpio-Fix-wrong-hwirq-base-in-irq-h.patch \
file://0003-Add-mux-deselect-support-on-timeout.patch \
+ file://CVE-2022-0847.patch \
+ file://CVE-2022-48425.patch \
+ file://CVE-2023-0386.patch \
+ file://CVE-2023-0458.patch \
+ file://CVE-2023-2235.patch \
+ file://CVE-2023-34256.patch \
+ file://CVE-2023-42754.patch \
+ file://CVE-2023-5178.patch \
file://CVE-2022-0185.patch \
file://CVE-2021-22600.patch \
file://CVE-2022-24122.patch \
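Review bot: The new `file://CVE-*.patch` entries are inserted ahead of and between entries that were already in the list (here `CVE-2022-0847.patch` through `CVE-2023-5178.patch` land before `CVE-2022-0185.patch`; in the second hunk `CVE-2023-52458.patch` lands between `CVE-2023-3357.patch` and `CVE-2022-3566.patch`). Patches are applied in the order they appear in SRC_URI, so an older patch that touches the same file as a newly inserted one may now apply with fuzz or fail; appending new entries after the last existing one would keep the previously validated order. The list is also in no CVE order, which makes it hard to audit for duplicates or omissions. A comment above the assignment such as `# CVE backports are applied in listed order; append new entries at the end` would record the convention. The `SRC_URI += "` assignment opens above this hunk and closes in the second one.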
@@ -71,8 +79,57 @@ SRC_URI += " \
file://CVE-2023-2156.patch \
file://CVE-2023-3355.patch \
file://CVE-2023-3357.patch \
+ file://CVE-2023-52458.patch \
file://CVE-2022-3566.patch \
file://CVE-2023-3161.patch \
+ file://CVE-2022-40982.patch \
+ file://CVE-2023-2860.patch \
+ file://CVE-2023-31085.patch \
+ file://CVE-2023-4004.patch \
+ file://CVE-2023-2176.patch \
+ file://CVE-2023-45863.patch \
+ file://CVE-2021-33631.patch \
+ file://CVE-2024-0562.patch \
+ file://CVE-2024-0639.patch \
+ file://CVE-2024-0775.patch \
+ file://CVE-2023-52449.patch \
+ file://CVE-2023-52435.patch \
+ file://CVE-2021-46933.patch \
+ file://CVE-2021-46934.patch \
+ file://CVE-2021-46936.patch \
+ file://CVE-2021-46923.patch \
+ file://CVE-2023-52580.patch \
+ file://CVE-2023-52597.patch \
+ file://CVE-2023-52598.patch \
+ file://CVE-2023-52612.patch \
+ file://CVE-2023-52615.patch \
+ file://CVE-2023-52619.patch \
+ file://CVE-2024-26631.patch \
+ file://CVE-2024-26671.patch \
+ file://CVE-2024-26679.patch \
+ file://CVE-2024-26772.patch \
+ file://CVE-2024-26773.patch \
+ file://CVE-2024-26774.patch \
+ file://CVE-2024-26704.patch \
+ file://CVE-2024-26720.patch \
+ file://CVE-2024-26735.patch \
+ file://CVE-2024-26795.patch \
+ file://CVE-2021-47087.patch \
+ file://CVE-2023-52467.patch \
+ file://CVE-2023-52522.patch \
+ file://CVE-2023-52622.patch \
+ file://CVE-2024-26676.patch \
+ file://CVE-2024-26602.patch \
+ file://CVE-2024-26001.patch \
+ file://CVE-2024-26686.patch \
+ file://CVE-2022-48659.patch \
+ file://CVE-2022-48660.patch \
+ file://CVE-2022-48672.patch \
+ file://CVE-2022-48687.patch \
+ file://CVE-2022-48689.patch \
+ file://CVE-2024-26900.patch \
+ file://CVE-2024-35984.patch \
+ file://CVE-2024-36008.patch \
"
SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://1000-128MB-flashmap-for-PFR.patch', '', d)}"
SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks', 'file://debug.cfg', '', d)}"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0037-Fix-certificate-replacement-URI-response-error-code.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0037-Fix-certificate-replacement-URI-response-error-code.patch
index 3d8312961..ede4e6179 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0037-Fix-certificate-replacement-URI-response-error-code.patch
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0037-Fix-certificate-replacement-URI-response-error-code.patch
@@ -3,9 +3,8 @@ From: Manish Baing <manish.baing@intel.com>
Date: Thu, 10 Aug 2023 05:48:48 +0000
Subject: [PATCH] Fix certificate replacement URI response error code
-
We get 500 Internal Server Error when we try to replace certificate
-without providing certificate but expected response is 400
+without providing certificate but expected response is 404 Not Found.
So fixed the issue by checking for json (body) content before looking
for specific keys and identifying it as 500 Internal Server Error.
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0065--Refactor-DCMI-IPMI-commands.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0065--Refactor-DCMI-IPMI-commands.patch
new file mode 100644
index 000000000..bf222cf54
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0065--Refactor-DCMI-IPMI-commands.patch
@@ -0,0 +1,2845 @@
+From 2cced6aac7e35f8f3c1d9c5f56a8c8873556bd7d Mon Sep 17 00:00:00 2001
+From: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
+Date: Mon, 28 Aug 2023 18:18:43 +0000
+Subject: [PATCH] Refactor DCMI IPMI commands
+
+This PR ported from below upstream commit ID's
+82cffccd642142b7dd48c9a874718e69e83b2ef3
+f4eb35d069bb338506dcac80905c0bc9e929ac89
+d4222fd3b66e4fd69b42ea7b91ad2af11fd77cce
+dca4720fe3d0af8c433614a6199f0a6b41ade6a4
+efb5ae550fe5033742c74b611c5c3f1791261414
+f038dc095f8d9089d92d89740177b19a5d2b5f5b
+cce9ffd9efea31ea6c42692a6d3ba50a3fccaacf
+056fab1a60e1b23de2526f6d7a06b419e8ac8008
+53d0cf1d4aacbea483d0fe99e1bb9b57da70fc2f
+6475b5c9d7efc23a48d0c522d1eb7fecde09bd55
+
+Tested:
+Testing is in progress
+
+Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
+Signed-off-by: Jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
+---
+ dcmihandler.cpp | 1802 +++++++++++++++++++++--------------------------
+ dcmihandler.hpp | 536 +-------------
+ ipmid-new.cpp | 5 +-
+ 3 files changed, 788 insertions(+), 1555 deletions(-)
+
+diff --git a/dcmihandler.cpp b/dcmihandler.cpp
+index 2ab02f3..e2addb5 100644
+--- a/dcmihandler.cpp
++++ b/dcmihandler.cpp
+@@ -15,745 +15,703 @@
+ #include <sdbusplus/bus.hpp>
+ #include <variant>
+ #include <xyz/openbmc_project/Common/error.hpp>
++#include <xyz/openbmc_project/Network/EthernetInterface/server.hpp>
+
+ using namespace phosphor::logging;
++using sdbusplus::xyz::openbmc_project::Network::server::EthernetInterface;
+ using InternalFailure =
+ sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
+
+ void register_netfn_dcmi_functions() __attribute__((constructor));
+
+-constexpr auto PCAP_PATH = "/xyz/openbmc_project/control/host0/power_cap";
+-constexpr auto PCAP_INTERFACE = "xyz.openbmc_project.Control.Power.Cap";
+-
+-constexpr auto POWER_CAP_PROP = "PowerCap";
+-constexpr auto POWER_CAP_ENABLE_PROP = "PowerCapEnable";
+-
+-constexpr auto DCMI_PARAMETER_REVISION = 2;
+-constexpr auto DCMI_SPEC_MAJOR_VERSION = 1;
+-constexpr auto DCMI_SPEC_MINOR_VERSION = 5;
+-constexpr auto DCMI_CONFIG_PARAMETER_REVISION = 1;
+-constexpr auto DCMI_RAND_BACK_OFF_MASK = 0x80;
+-constexpr auto DCMI_OPTION_60_43_MASK = 0x02;
+-constexpr auto DCMI_OPTION_12_MASK = 0x01;
+-constexpr auto DCMI_ACTIVATE_DHCP_MASK = 0x01;
+-constexpr auto DCMI_ACTIVATE_DHCP_REPLY = 0x00;
+-constexpr auto DCMI_SET_CONF_PARAM_REQ_PACKET_MAX_SIZE = 0x04;
+-constexpr auto DCMI_SET_CONF_PARAM_REQ_PACKET_MIN_SIZE = 0x03;
+-constexpr auto DHCP_TIMING1 = 0x04; // 4 sec
+-constexpr auto DHCP_TIMING2_UPPER = 0x00; // 2 min
+-constexpr auto DHCP_TIMING2_LOWER = 0x78;
+-constexpr auto DHCP_TIMING3_UPPER = 0x00; // 64 sec
+-constexpr auto DHCP_TIMING3_LOWER = 0x40;
+-// When DHCP Option 12 is enabled the string "SendHostName=true" will be
+-// added into n/w configuration file and the parameter
+-// SendHostNameEnabled will set to true.
+-constexpr auto DHCP_OPT12_ENABLED = "SendHostNameEnabled";
++constexpr auto pcapPath = "/xyz/openbmc_project/control/host0/power_cap";
++constexpr auto pcapInterface = "xyz.openbmc_project.Control.Power.Cap";
+
+-constexpr auto SENSOR_VALUE_INTF = "xyz.openbmc_project.Sensor.Value";
+-constexpr auto SENSOR_VALUE_PROP = "Value";
+-constexpr auto SENSOR_SCALE_PROP = "Scale";
++constexpr auto powerCapProp = "PowerCap";
++constexpr auto powerCapEnableProp = "PowerCapEnable";
+
+ using namespace phosphor::logging;
+
+ namespace dcmi
+ {
++constexpr auto assetTagMaxOffset = 62;
++constexpr auto assetTagMaxSize = 63;
++constexpr auto maxBytes = 16;
++constexpr size_t maxCtrlIdStrLen = 63;
++
++constexpr uint8_t parameterRevision = 2;
++constexpr uint8_t specMajorVersion = 1;
++constexpr uint8_t specMinorVersion = 5;
++constexpr auto sensorValueIntf = "xyz.openbmc_project.Sensor.Value";
++constexpr auto sensorValueProp = "Value";
++constexpr uint8_t configParameterRevision = 1;
++constexpr auto option12Mask = 0x01;
++constexpr auto activateDhcpReply = 0x00;
++constexpr uint8_t dhcpTiming1 = 0x04; // 4 sec
++constexpr uint16_t dhcpTiming2 = 0x78; // 120 sec
++constexpr uint16_t dhcpTiming3 = 0x40; // 60 sec
++// When DHCP Option 12 is enabled the string "SendHostName=true" will be
++// added into n/w configuration file and the parameter
++// SendHostNameEnabled will set to true.
++constexpr auto dhcpOpt12Enabled = "SendHostNameEnabled";
++
++enum class DCMIConfigParameters : uint8_t
++{
++ ActivateDHCP = 1,
++ DiscoveryConfig,
++ DHCPTiming1,
++ DHCPTiming2,
++ DHCPTiming3,
++};
+
+ // Refer Table 6-14, DCMI Entity ID Extension, DCMI v1.5 spec
+ static const std::map<uint8_t, std::string> entityIdToName{
+ {0x40, "inlet"}, {0x37, "inlet"}, {0x41, "cpu"},
+ {0x03, "cpu"}, {0x42, "baseboard"}, {0x07, "baseboard"}};
+
+-bool isDCMIPowerMgmtSupported()
++nlohmann::json parseJSONConfig(const std::string& configFile)
+ {
+- auto data = parseJSONConfig(gDCMICapabilitiesConfig);
+-
+- return (gDCMIPowerMgmtSupported == data.value(gDCMIPowerMgmtCapability, 0));
+-}
+-
+-uint32_t getPcap(sdbusplus::bus::bus& bus)
+-{
+- auto settingService = ipmi::getService(bus, PCAP_INTERFACE, PCAP_PATH);
+-
+- auto method = bus.new_method_call(settingService.c_str(), PCAP_PATH,
+- "org.freedesktop.DBus.Properties", "Get");
+-
+- method.append(PCAP_INTERFACE, POWER_CAP_PROP);
+- auto reply = bus.call(method);
++ std::ifstream jsonFile(configFile);
++ if (!jsonFile.is_open())
++ {
++ log<level::ERR>("Temperature readings JSON file not found");
++ elog<InternalFailure>();
++ }
+
+- if (reply.is_method_error())
++ auto data = nlohmann::json::parse(jsonFile, nullptr, false);
++ if (data.is_discarded())
+ {
+- log<level::ERR>("Error in getPcap prop");
++ log<level::ERR>("Temperature readings JSON parser failure");
+ elog<InternalFailure>();
+ }
+- std::variant<uint32_t> pcap;
+- reply.read(pcap);
+
+- return std::get<uint32_t>(pcap);
++ return data;
+ }
+
+-bool getPcapEnabled(sdbusplus::bus::bus& bus)
++bool isDCMIPowerMgmtSupported()
+ {
+- auto settingService = ipmi::getService(bus, PCAP_INTERFACE, PCAP_PATH);
+-
+- auto method = bus.new_method_call(settingService.c_str(), PCAP_PATH,
+- "org.freedesktop.DBus.Properties", "Get");
++ static bool parsed = false;
++ static bool supported = false;
++ if (!parsed)
++ {
++ auto data = parseJSONConfig(gDCMICapabilitiesConfig);
+
+- method.append(PCAP_INTERFACE, POWER_CAP_ENABLE_PROP);
+- auto reply = bus.call(method);
++ supported = (gDCMIPowerMgmtSupported ==
++ data.value(gDCMIPowerMgmtCapability, 0));
++ }
++ return supported;
++}
+
+- if (reply.is_method_error())
++std::optional<uint32_t> getPcap(ipmi::Context::ptr& ctx)
++{
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(ctx, pcapInterface,
++ pcapPath, service);
++ if (ec.value())
+ {
+- log<level::ERR>("Error in getPcapEnabled prop");
++ return std::nullopt;
++ }
++ uint32_t pcap{};
++ ec = ipmi::getDbusProperty(ctx, service, pcapPath, pcapInterface,
++ powerCapProp, pcap);
++ if (ec.value())
++ {
++ log<level::ERR>("Error in getPcap prop",
++ entry("ERROR=%s", ec.message().c_str()));
+ elog<InternalFailure>();
++ return std::nullopt;
+ }
+- std::variant<bool> pcapEnabled;
+- reply.read(pcapEnabled);
+-
+- return std::get<bool>(pcapEnabled);
++ return pcap;
+ }
+
+-void setPcap(sdbusplus::bus::bus& bus, const uint32_t powerCap)
++std::optional<bool> getPcapEnabled(ipmi::Context::ptr& ctx)
+ {
+- auto service = ipmi::getService(bus, PCAP_INTERFACE, PCAP_PATH);
+-
+- auto method = bus.new_method_call(service.c_str(), PCAP_PATH,
+- "org.freedesktop.DBus.Properties", "Set");
+-
+- method.append(PCAP_INTERFACE, POWER_CAP_PROP);
+- method.append(std::variant<uint32_t>(powerCap));
+-
+- auto reply = bus.call(method);
+-
+- if (reply.is_method_error())
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(ctx, pcapInterface,
++ pcapPath, service);
++ if (ec.value())
+ {
+- log<level::ERR>("Error in setPcap property");
++ return std::nullopt;
++ }
++ bool pcapEnabled{};
++ ec = ipmi::getDbusProperty(ctx, service, pcapPath, pcapInterface,
++ powerCapEnableProp, pcapEnabled);
++ if (ec.value())
++ {
++ log<level::ERR>("Error in getPcap prop");
+ elog<InternalFailure>();
++ return std::nullopt;
+ }
++ return pcapEnabled;
+ }
+
+-void setPcapEnable(sdbusplus::bus::bus& bus, bool enabled)
++bool setPcap(ipmi::Context::ptr& ctx, const uint32_t powerCap)
+ {
+- auto service = ipmi::getService(bus, PCAP_INTERFACE, PCAP_PATH);
+-
+- auto method = bus.new_method_call(service.c_str(), PCAP_PATH,
+- "org.freedesktop.DBus.Properties", "Set");
+-
+- method.append(PCAP_INTERFACE, POWER_CAP_ENABLE_PROP);
+- method.append(std::variant<bool>(enabled));
+-
+- auto reply = bus.call(method);
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(ctx, pcapInterface,
++ pcapPath, service);
++ if (ec.value())
++ {
++ return false;
++ }
+
+- if (reply.is_method_error())
++ ec = ipmi::setDbusProperty(ctx, service, pcapPath, pcapInterface,
++ powerCapProp, powerCap);
++ if (ec.value())
+ {
+- log<level::ERR>("Error in setPcapEnabled property");
++ log<level::ERR>("Error in setPcap property",
++ entry("ERROR=%s", ec.message().c_str()));
+ elog<InternalFailure>();
++ return false;
+ }
++ return true;
+ }
+
+-void readAssetTagObjectTree(dcmi::assettag::ObjectTree& objectTree)
++bool setPcapEnable(ipmi::Context::ptr& ctx, bool enabled)
+ {
+- static constexpr auto mapperBusName = "xyz.openbmc_project.ObjectMapper";
+- static constexpr auto mapperObjPath = "/xyz/openbmc_project/object_mapper";
+- static constexpr auto mapperIface = "xyz.openbmc_project.ObjectMapper";
+- static constexpr auto inventoryRoot = "/xyz/openbmc_project/inventory/";
+-
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+- auto depth = 0;
+-
+- auto mapperCall = bus.new_method_call(mapperBusName, mapperObjPath,
+- mapperIface, "GetSubTree");
+-
+- mapperCall.append(inventoryRoot);
+- mapperCall.append(depth);
+- mapperCall.append(std::vector<std::string>({dcmi::assetTagIntf}));
+-
+- auto mapperReply = bus.call(mapperCall);
+- if (mapperReply.is_method_error())
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(ctx, pcapInterface,
++ pcapPath, service);
++ if (ec.value())
+ {
+- log<level::ERR>("Error in mapper call");
+- elog<InternalFailure>();
++ return false;
+ }
+
+- mapperReply.read(objectTree);
+-
+- if (objectTree.empty())
++ ec = ipmi::setDbusProperty(ctx, service, pcapPath, pcapInterface,
++ powerCapEnableProp, enabled);
++ if (ec.value())
+ {
+- log<level::ERR>("AssetTag property is not populated");
++ log<level::ERR>("Error in setPcapEnabled property",
++ entry("ERROR=%s", ec.message().c_str()));
+ elog<InternalFailure>();
++ return false;
+ }
++ return true;
+ }
+
+-std::string readAssetTag()
++std::optional<std::string> readAssetTag(ipmi::Context::ptr& ctx)
+ {
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+- dcmi::assettag::ObjectTree objectTree;
+-
+ // Read the object tree with the inventory root to figure out the object
+ // that has implemented the Asset tag interface.
+- readAssetTagObjectTree(objectTree);
+-
+- auto method = bus.new_method_call(
+- (objectTree.begin()->second.begin()->first).c_str(),
+- (objectTree.begin()->first).c_str(), dcmi::propIntf, "Get");
+- method.append(dcmi::assetTagIntf);
+- method.append(dcmi::assetTagProp);
++ ipmi::DbusObjectInfo objectInfo;
++ boost::system::error_code ec = getDbusObject(
++ ctx, dcmi::assetTagIntf, ipmi::sensor::inventoryRoot, "", objectInfo);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
+
+- auto reply = bus.call(method);
+- if (reply.is_method_error())
++ std::string assetTag{};
++ ec = ipmi::getDbusProperty(ctx, objectInfo.second, objectInfo.first,
++ dcmi::assetTagIntf, dcmi::assetTagProp,
++ assetTag);
++ if (ec.value())
+ {
+- log<level::ERR>("Error in reading asset tag");
++ log<level::ERR>("Error in reading asset tag",
++ entry("ERROR=%s", ec.message().c_str()));
+ elog<InternalFailure>();
++ return std::nullopt;
+ }
+
+- std::variant<std::string> assetTag;
+- reply.read(assetTag);
+-
+- return std::get<std::string>(assetTag);
++ return assetTag;
+ }
+
+-void writeAssetTag(const std::string& assetTag)
++bool writeAssetTag(ipmi::Context::ptr& ctx, const std::string& assetTag)
+ {
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+- dcmi::assettag::ObjectTree objectTree;
+-
+ // Read the object tree with the inventory root to figure out the object
+ // that has implemented the Asset tag interface.
+- readAssetTagObjectTree(objectTree);
+-
+- auto method = bus.new_method_call(
+- (objectTree.begin()->second.begin()->first).c_str(),
+- (objectTree.begin()->first).c_str(), dcmi::propIntf, "Set");
+- method.append(dcmi::assetTagIntf);
+- method.append(dcmi::assetTagProp);
+- method.append(std::variant<std::string>(assetTag));
++ ipmi::DbusObjectInfo objectInfo;
++ boost::system::error_code ec = getDbusObject(
++ ctx, dcmi::assetTagIntf, ipmi::sensor::inventoryRoot, "", objectInfo);
++ if (ec.value())
++ {
++ return false;
++ }
+
+- auto reply = bus.call(method);
+- if (reply.is_method_error())
++ ec = ipmi::setDbusProperty(ctx, objectInfo.second, objectInfo.first,
++ dcmi::assetTagIntf, dcmi::assetTagProp,
++ assetTag);
++ if (ec.value())
+ {
+- log<level::ERR>("Error in writing asset tag");
++ log<level::ERR>("Error in writing asset tag",
++ entry("ERROR=%s", ec.message().c_str()));
+ elog<InternalFailure>();
++ return false;
+ }
++ return true;
+ }
+
+-std::string getHostName(void)
++std::optional<std::string> getHostName(ipmi::Context::ptr& ctx)
+ {
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+-
+- auto service = ipmi::getService(bus, networkConfigIntf, networkConfigObj);
+- auto value = ipmi::getDbusProperty(bus, service, networkConfigObj,
+- networkConfigIntf, hostNameProp);
+-
+- return std::get<std::string>(value);
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(ctx, networkConfigIntf,
++ networkConfigObj, service);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
++ std::string hostname{};
++ ec = ipmi::getDbusProperty(ctx, service, networkConfigObj,
++ networkConfigIntf, hostNameProp, hostname);
++ if (ec.value())
++ {
++ log<level::ERR>("Error fetching hostname");
++ elog<InternalFailure>();
++ return std::nullopt;
++ }
++ return hostname;
+ }
+
+-bool getDHCPEnabled()
++std::optional<EthernetInterface::DHCPConf>
++ getDHCPEnabled(ipmi::Context::ptr& ctx)
+ {
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+-
+ auto ethdevice = ipmi::getChannelName(ethernetDefaultChannelNum);
+- auto ethernetObj =
+- ipmi::getDbusObject(bus, ethernetIntf, networkRoot, ethdevice);
+- auto service = ipmi::getService(bus, ethernetIntf, ethernetObj.first);
+- auto value = ipmi::getDbusProperty(bus, service, ethernetObj.first,
+- ethernetIntf, "DHCPEnabled");
+-
+- return std::get<bool>(value);
+-}
+-
+-bool getDHCPOption(std::string prop)
+-{
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+-
+- auto service = ipmi::getService(bus, dhcpIntf, dhcpObj);
+- auto value = ipmi::getDbusProperty(bus, service, dhcpObj, dhcpIntf, prop);
++ ipmi::DbusObjectInfo ethernetObj{};
++ boost::system::error_code ec = ipmi::getDbusObject(
++ ctx, ethernetIntf, networkRoot, ethdevice, ethernetObj);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
++ std::string service{};
++ ec = ipmi::getService(ctx, ethernetIntf, ethernetObj.first, service);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
++ std::string dhcpVal{};
++ ec = ipmi::getDbusProperty(ctx, service, ethernetObj.first, ethernetIntf,
++ "DHCPEnabled", dhcpVal);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
+
+- return std::get<bool>(value);
++ return EthernetInterface::convertDHCPConfFromString(dhcpVal);
+ }
+
+-void setDHCPOption(std::string prop, bool value)
++std::optional<bool> getDHCPOption(ipmi::Context::ptr& ctx,
++ const std::string& prop)
+ {
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
++ std::string service;
++ boost::system::error_code ec = ipmi::getService(ctx, dhcpIntf, dhcpObj,
++ service);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
++ bool value{};
++ ec = ipmi::getDbusProperty(ctx, service, dhcpObj, dhcpIntf, prop, value);
++ if (ec.value())
++ {
++ return std::nullopt;
++ }
+
+- auto service = ipmi::getService(bus, dhcpIntf, dhcpObj);
+- ipmi::setDbusProperty(bus, service, dhcpObj, dhcpIntf, prop, value);
++ return value;
+ }
+
+-Json parseJSONConfig(const std::string& configFile)
++bool setDHCPOption(ipmi::Context::ptr& ctx, std::string prop, bool value)
+ {
+- std::ifstream jsonFile(configFile);
+- if (!jsonFile.is_open())
++ std::string service;
++ boost::system::error_code ec = ipmi::getService(ctx, dhcpIntf, dhcpObj,
++ service);
++ if (!ec.value())
+ {
+- log<level::ERR>("Temperature readings JSON file not found");
+- elog<InternalFailure>();
++ ec = ipmi::setDbusProperty(ctx, service, dhcpObj, dhcpIntf, prop,
++ value);
+ }
+-
+- auto data = Json::parse(jsonFile, nullptr, false);
+- if (data.is_discarded())
+- {
+- log<level::ERR>("Temperature readings JSON parser failure");
+- elog<InternalFailure>();
+- }
+-
+- return data;
++ return (!ec.value());
+ }
+
+ } // namespace dcmi
+
+-ipmi_ret_t getPowerLimit(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++constexpr uint8_t exceptionPowerOff = 0x01;
++ipmi::RspType<uint16_t, // reserved
++ uint8_t, // exception actions
++ uint16_t, // power limit requested in watts
++ uint32_t, // correction time in milliseconds
++ uint16_t, // reserved
++ uint16_t // statistics sampling period in seconds
++ >
++ getPowerLimit(ipmi::Context::ptr ctx, uint16_t reserved)
+ {
+ if (!dcmi::isDCMIPowerMgmtSupported())
+ {
+- *data_len = 0;
+- log<level::ERR>("DCMI Power management is unsupported!");
+- return IPMI_CC_INVALID;
++ return ipmi::responseInvalidCommand();
+ }
+-
+- std::vector<uint8_t> outPayload(sizeof(dcmi::GetPowerLimitResponse));
+- auto responseData =
+- reinterpret_cast<dcmi::GetPowerLimitResponse*>(outPayload.data());
+-
+- sdbusplus::bus::bus sdbus{ipmid_get_sd_bus_connection()};
+- uint32_t pcapValue = 0;
+- bool pcapEnable = false;
+-
+- try
++ if (reserved)
+ {
+- pcapValue = dcmi::getPcap(sdbus);
+- pcapEnable = dcmi::getPcapEnabled(sdbus);
++ return ipmi::responseInvalidFieldRequest();
+ }
+- catch (const InternalFailure& e)
++
++ std::optional<uint16_t> pcapValue = dcmi::getPcap(ctx);
++ std::optional<bool> pcapEnable = dcmi::getPcapEnabled(ctx);
++ if (!pcapValue || !pcapEnable)
+ {
+- *data_len = 0;
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
+
++ constexpr uint16_t reserved1{};
++ constexpr uint16_t reserved2{};
+ /*
+ * Exception action if power limit is exceeded and cannot be controlled
+ * with the correction time limit is hardcoded to Hard Power Off system
+ * and log event to SEL.
+ */
+- constexpr auto exception = 0x01;
+- responseData->exceptionAction = exception;
+-
+- responseData->powerLimit = static_cast<uint16_t>(pcapValue);
+-
++ constexpr uint8_t exception = exceptionPowerOff;
+ /*
+ * Correction time limit and Statistics sampling period is currently not
+ * populated.
+ */
+-
+- *data_len = outPayload.size();
+- memcpy(response, outPayload.data(), *data_len);
+-
+- if (pcapEnable)
++ constexpr uint32_t correctionTime{};
++ constexpr uint16_t statsPeriod{};
++ if (!pcapEnable)
+ {
+- return IPMI_CC_OK;
+- }
+- else
+- {
+- return IPMI_DCMI_CC_NO_ACTIVE_POWER_LIMIT;
++ constexpr ipmi::Cc responseNoPowerLimitSet = 0x80;
++ constexpr uint16_t noPcap{};
++ return ipmi::response(responseNoPowerLimitSet, reserved1, exception,
++ noPcap, correctionTime, reserved2, statsPeriod);
+ }
++ return ipmi::responseSuccess(reserved1, exception, *pcapValue,
++ correctionTime, reserved2, statsPeriod);
+ }
+
+-ipmi_ret_t setPowerLimit(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<> setPowerLimit(ipmi::Context::ptr& ctx, uint16_t reserved1,
++ uint8_t exceptionAction, uint16_t powerLimit,
++ uint32_t correctionTime, uint16_t reserved2,
++ uint16_t statsPeriod)
+ {
+ if (!dcmi::isDCMIPowerMgmtSupported())
+ {
+- *data_len = 0;
+ log<level::ERR>("DCMI Power management is unsupported!");
+- return IPMI_CC_INVALID;
++ return ipmi::responseInvalidCommand();
+ }
+
+- auto requestData =
+- reinterpret_cast<const dcmi::SetPowerLimitRequest*>(request);
+-
+- sdbusplus::bus::bus sdbus{ipmid_get_sd_bus_connection()};
+-
+- // Only process the power limit requested in watts.
+- try
++ // Only process the power limit requested in watts. Return errors
++ // for other fields that are set
++ if (reserved1 || reserved2 || correctionTime || statsPeriod ||
++ exceptionAction != exceptionPowerOff)
+ {
+- dcmi::setPcap(sdbus, requestData->powerLimit);
++ return ipmi::responseInvalidFieldRequest();
+ }
+- catch (const InternalFailure& e)
++
++ if (!dcmi::setPcap(ctx, powerLimit))
+ {
+- *data_len = 0;
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
+
+- log<level::INFO>("Set Power Cap",
+- entry("POWERCAP=%u", requestData->powerLimit));
++ log<level::INFO>("Set Power Cap", entry("POWERCAP=%u", powerLimit));
+
+- *data_len = 0;
+- return IPMI_CC_OK;
++ return ipmi::responseSuccess();
+ }
+
+-ipmi_ret_t applyPowerLimit(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<> applyPowerLimit(ipmi::Context::ptr& ctx, bool enabled,
++ uint7_t reserved1, uint16_t reserved2)
+ {
+ if (!dcmi::isDCMIPowerMgmtSupported())
+ {
+- *data_len = 0;
+ log<level::ERR>("DCMI Power management is unsupported!");
+- return IPMI_CC_INVALID;
++ return ipmi::responseInvalidCommand();
+ }
+-
+- auto requestData =
+- reinterpret_cast<const dcmi::ApplyPowerLimitRequest*>(request);
+-
+- sdbusplus::bus::bus sdbus{ipmid_get_sd_bus_connection()};
+-
+- try
++ if (reserved1 || reserved2)
+ {
+- dcmi::setPcapEnable(sdbus,
+- static_cast<bool>(requestData->powerLimitAction));
++ return ipmi::responseInvalidFieldRequest();
+ }
+- catch (const InternalFailure& e)
++
++ if (!dcmi::setPcapEnable(ctx, enabled))
+ {
+- *data_len = 0;
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
+
+ log<level::INFO>("Set Power Cap Enable",
+- entry("POWERCAPENABLE=%u", requestData->powerLimitAction));
++ entry("POWERCAPENABLE=%u", static_cast<uint8_t>(enabled)));
+
+- *data_len = 0;
+- return IPMI_CC_OK;
++ return ipmi::responseSuccess();
+ }
+
+-ipmi_ret_t getAssetTag(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<uint8_t, // total tag length
++ std::vector<char> // tag data
++ >
++ getAssetTag(ipmi::Context::ptr& ctx, uint8_t offset, uint8_t count)
+ {
+- auto requestData =
+- reinterpret_cast<const dcmi::GetAssetTagRequest*>(request);
+- std::vector<uint8_t> outPayload(sizeof(dcmi::GetAssetTagResponse));
+- auto responseData =
+- reinterpret_cast<dcmi::GetAssetTagResponse*>(outPayload.data());
+-
+- // Verify offset to read and number of bytes to read are not exceeding the
+- // range.
+- if ((requestData->offset > dcmi::assetTagMaxOffset) ||
+- (requestData->bytes > dcmi::maxBytes) ||
+- ((requestData->offset + requestData->bytes) > dcmi::assetTagMaxSize))
+- {
+- *data_len = 0;
+- return IPMI_CC_PARM_OUT_OF_RANGE;
+- }
+-
+- std::string assetTag;
+-
+- try
+- {
+- assetTag = dcmi::readAssetTag();
+- }
+- catch (const InternalFailure& e)
++ // Verify offset to read and number of bytes to read are not exceeding
++ // the range.
++ if ((offset > dcmi::assetTagMaxOffset) || (count > dcmi::maxBytes) ||
++ ((offset + count) > dcmi::assetTagMaxSize))
+ {
+- *data_len = 0;
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseParmOutOfRange();
+ }
+
+- // Return if the asset tag is not populated.
+- if (!assetTag.size())
++ std::optional<std::string> assetTagResp = dcmi::readAssetTag(ctx);
++ if (!assetTagResp)
+ {
+- responseData->tagLength = 0;
+- memcpy(response, outPayload.data(), outPayload.size());
+- *data_len = outPayload.size();
+- return IPMI_CC_OK;
++ return ipmi::responseUnspecifiedError();
+ }
+
+- // If the asset tag is longer than 63 bytes, restrict it to 63 bytes to suit
+- // Get Asset Tag command.
++ std::string& assetTag = assetTagResp.value();
++ // If the asset tag is longer than 63 bytes, restrict it to 63 bytes to
++ // suit Get Asset Tag command.
+ if (assetTag.size() > dcmi::assetTagMaxSize)
+ {
+ assetTag.resize(dcmi::assetTagMaxSize);
+ }
+
+- // If the requested offset is beyond the asset tag size.
+- if (requestData->offset >= assetTag.size())
++ if (offset >= assetTag.size())
+ {
+- *data_len = 0;
+- return IPMI_CC_PARM_OUT_OF_RANGE;
++ return ipmi::responseParmOutOfRange();
+ }
+
+- auto returnData = assetTag.substr(requestData->offset, requestData->bytes);
+-
+- responseData->tagLength = assetTag.size();
++ // silently truncate reads beyond the end of assetTag
++ if ((offset + count) >= assetTag.size())
++ {
++ count = assetTag.size() - offset;
++ }
+
+- memcpy(response, outPayload.data(), outPayload.size());
+- memcpy(static_cast<uint8_t*>(response) + outPayload.size(),
+- returnData.data(), returnData.size());
+- *data_len = outPayload.size() + returnData.size();
++ auto totalTagSize = static_cast<uint8_t>(assetTag.size());
++ std::vector<char> data{assetTag.begin() + offset,
++ assetTag.begin() + offset + count};
+
+- return IPMI_CC_OK;
++ return ipmi::responseSuccess(totalTagSize, data);
+ }
+
+-ipmi_ret_t setAssetTag(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<uint8_t // new asset tag length
++ >
++ setAssetTag(ipmi::Context::ptr& ctx, uint8_t offset, uint8_t count,
++ const std::vector<char>& data)
+ {
+- auto requestData =
+- reinterpret_cast<const dcmi::SetAssetTagRequest*>(request);
+- std::vector<uint8_t> outPayload(sizeof(dcmi::SetAssetTagResponse));
+- auto responseData =
+- reinterpret_cast<dcmi::SetAssetTagResponse*>(outPayload.data());
+-
+- // Verify offset to read and number of bytes to read are not exceeding the
+- // range.
+- if ((requestData->offset > dcmi::assetTagMaxOffset) ||
+- (requestData->bytes > dcmi::maxBytes) ||
+- ((requestData->offset + requestData->bytes) > dcmi::assetTagMaxSize))
++ // Verify offset to read and number of bytes to read are not exceeding
++ // the range.
++ if ((offset > dcmi::assetTagMaxOffset) || (count > dcmi::maxBytes) ||
++ ((offset + count) > dcmi::assetTagMaxSize))
+ {
+- *data_len = 0;
+- return IPMI_CC_PARM_OUT_OF_RANGE;
++ return ipmi::responseParmOutOfRange();
+ }
+-
+- std::string assetTag;
+-
+- try
++ if (data.size() != count)
+ {
+- assetTag = dcmi::readAssetTag();
++ return ipmi::responseReqDataLenInvalid();
++ }
+
+- if (requestData->offset > assetTag.size())
+- {
+- *data_len = 0;
+- return IPMI_CC_PARM_OUT_OF_RANGE;
+- }
++ std::optional<std::string> assetTagResp = dcmi::readAssetTag(ctx);
++ if (!assetTagResp)
++ {
++ return ipmi::responseUnspecifiedError();
++ }
+
+- assetTag.replace(requestData->offset,
+- assetTag.size() - requestData->offset,
+- static_cast<const char*>(request) +
+- sizeof(dcmi::SetAssetTagRequest),
+- requestData->bytes);
++ std::string& assetTag = assetTagResp.value();
+
+- dcmi::writeAssetTag(assetTag);
++ if (offset > assetTag.size())
++ {
++ return ipmi::responseParmOutOfRange();
++ }
+
+- responseData->tagLength = assetTag.size();
+- memcpy(response, outPayload.data(), outPayload.size());
+- *data_len = outPayload.size();
++ // operation is to truncate at offset and append new data
++ assetTag.resize(offset);
++ assetTag.append(data.begin(), data.end());
+
+- return IPMI_CC_OK;
+- }
+- catch (const InternalFailure& e)
++ if (!dcmi::writeAssetTag(ctx, assetTag))
+ {
+- *data_len = 0;
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
++
++ auto totalTagSize = static_cast<uint8_t>(assetTag.size());
++ return ipmi::responseSuccess(totalTagSize);
+ }
+
+-ipmi_ret_t getMgmntCtrlIdStr(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<uint8_t, // length
++ std::vector<char> // data
++ >
++ getMgmntCtrlIdStr(ipmi::Context::ptr& ctx, uint8_t offset, uint8_t count)
+ {
+- auto requestData =
+- reinterpret_cast<const dcmi::GetMgmntCtrlIdStrRequest*>(request);
+- auto responseData =
+- reinterpret_cast<dcmi::GetMgmntCtrlIdStrResponse*>(response);
+- std::string hostName;
+-
+- *data_len = 0;
++ if (count > dcmi::maxBytes || offset + count > dcmi::maxCtrlIdStrLen)
++ {
++ return ipmi::responseParmOutOfRange();
++ }
+
+- if (requestData->bytes > dcmi::maxBytes ||
+- requestData->offset + requestData->bytes > dcmi::maxCtrlIdStrLen)
++ std::optional<std::string> hostnameResp = dcmi::getHostName(ctx);
++ if (!hostnameResp)
+ {
+- return IPMI_CC_INVALID_FIELD_REQUEST;
++ return ipmi::responseUnspecifiedError();
+ }
+
+- try
++ std::string& hostname = hostnameResp.value();
++ // If the id string is longer than 63 bytes, restrict it to 63 bytes to
++ // suit set management ctrl str command.
++ if (hostname.size() > dcmi::maxCtrlIdStrLen)
+ {
+- hostName = dcmi::getHostName();
++ hostname.resize(dcmi::maxCtrlIdStrLen);
+ }
+- catch (const InternalFailure& e)
++
++ if (offset >= hostname.size())
+ {
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseParmOutOfRange();
+ }
+
+- if (requestData->offset > hostName.length())
++ // silently truncate reads beyond the end of hostname
++ if ((offset + count) >= hostname.size())
+ {
+- return IPMI_CC_PARM_OUT_OF_RANGE;
++ count = hostname.size() - offset;
+ }
+- auto responseStr = hostName.substr(requestData->offset, requestData->bytes);
+- auto responseStrLen = std::min(static_cast<std::size_t>(requestData->bytes),
+- responseStr.length() + 1);
+- responseData->strLen = hostName.length();
+- std::copy(begin(responseStr), end(responseStr), responseData->data);
+
+- *data_len = sizeof(*responseData) + responseStrLen;
+- return IPMI_CC_OK;
++ auto nameSize = static_cast<uint8_t>(hostname.size());
++ std::vector<char> data{hostname.begin() + offset,
++ hostname.begin() + offset + count};
++
++ return ipmi::responseSuccess(nameSize, data);
+ }
+
+-ipmi_ret_t setMgmntCtrlIdStr(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<uint8_t> setMgmntCtrlIdStr(ipmi::Context::ptr& ctx,
++ uint8_t offset, uint8_t count,
++ std::vector<char> data)
+ {
+- static std::array<char, dcmi::maxCtrlIdStrLen + 1> newCtrlIdStr;
+-
+- auto requestData =
+- reinterpret_cast<const dcmi::SetMgmntCtrlIdStrRequest*>(request);
+- auto responseData =
+- reinterpret_cast<dcmi::SetMgmntCtrlIdStrResponse*>(response);
+-
+- *data_len = 0;
+-
+- if (requestData->bytes > dcmi::maxBytes ||
+- requestData->offset + requestData->bytes > dcmi::maxCtrlIdStrLen + 1 ||
+- (requestData->offset + requestData->bytes ==
+- dcmi::maxCtrlIdStrLen + 1 &&
+- requestData->data[requestData->bytes - 1] != '\0'))
++ if ((offset > dcmi::maxCtrlIdStrLen) || (count > dcmi::maxBytes) ||
++ ((offset + count) > dcmi::maxCtrlIdStrLen))
+ {
+- return IPMI_CC_INVALID_FIELD_REQUEST;
++ return ipmi::responseParmOutOfRange();
++ }
++ if (data.size() != count)
++ {
++ return ipmi::responseReqDataLenInvalid();
++ }
++ bool terminalWrite{data.back() == '\0'};
++ if (terminalWrite)
++ {
++ // remove the null termination from the data (no need with std::string)
++ data.resize(count - 1);
+ }
+
+- try
++ static std::string hostname{};
++ // read in the current value if not starting at offset 0
++ if (hostname.size() == 0 && offset != 0)
+ {
+- /* if there is no old value and offset is not 0 */
+- if (newCtrlIdStr[0] == '\0' && requestData->offset != 0)
++ /* read old ctrlIdStr */
++ std::optional<std::string> hostnameResp = dcmi::getHostName(ctx);
++ if (!hostnameResp)
+ {
+- /* read old ctrlIdStr */
+- auto hostName = dcmi::getHostName();
+- hostName.resize(dcmi::maxCtrlIdStrLen);
+- std::copy(begin(hostName), end(hostName), begin(newCtrlIdStr));
+- newCtrlIdStr[hostName.length()] = '\0';
++ return ipmi::responseUnspecifiedError();
+ }
++ hostname = hostnameResp.value();
++ hostname.resize(offset);
++ }
+
+- /* replace part of string and mark byte after the last as \0 */
+- auto restStrIter =
+- std::copy_n(requestData->data, requestData->bytes,
+- begin(newCtrlIdStr) + requestData->offset);
+- /* if the last written byte is not 64th - add '\0' */
+- if (requestData->offset + requestData->bytes <= dcmi::maxCtrlIdStrLen)
+- {
+- *restStrIter = '\0';
+- }
++ // operation is to truncate at offset and append new data
++ hostname.append(data.begin(), data.end());
+
+- /* if input data contains '\0' whole string is sent - update hostname */
+- auto it = std::find(requestData->data,
+- requestData->data + requestData->bytes, '\0');
+- if (it != requestData->data + requestData->bytes)
++ // do the update if this is the last write
++ if (terminalWrite)
++ {
++ boost::system::error_code ec = ipmi::setDbusProperty(
++ ctx, dcmi::networkServiceName, dcmi::networkConfigObj,
++ dcmi::networkConfigIntf, dcmi::hostNameProp, hostname);
++ hostname.clear();
++ if (ec.value())
+ {
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+- ipmi::setDbusProperty(bus, dcmi::networkServiceName,
+- dcmi::networkConfigObj,
+- dcmi::networkConfigIntf, dcmi::hostNameProp,
+- std::string(newCtrlIdStr.data()));
++ return ipmi::responseUnspecifiedError();
+ }
+ }
+- catch (const InternalFailure& e)
+- {
+- *data_len = 0;
+- return IPMI_CC_UNSPECIFIED_ERROR;
+- }
+
+- responseData->offset = requestData->offset + requestData->bytes;
+- *data_len = sizeof(*responseData);
+- return IPMI_CC_OK;
++ auto totalIdSize = static_cast<uint8_t>(offset + count);
++ return ipmi::responseSuccess(totalIdSize);
+ }
+
+-// List of the capabilities under each parameter
+-dcmi::DCMICaps dcmiCaps = {
+- // Supported DCMI Capabilities
+- {dcmi::DCMICapParameters::SUPPORTED_DCMI_CAPS,
+- {3,
+- {{"PowerManagement", 2, 0, 1},
+- {"OOBSecondaryLan", 3, 2, 1},
+- {"SerialTMODE", 3, 1, 1},
+- {"InBandSystemInterfaceChannel", 3, 0, 1}}}},
+- // Mandatory Platform Attributes
+- {dcmi::DCMICapParameters::MANDATORY_PLAT_ATTRIBUTES,
+- {5,
+- {{"SELAutoRollOver", 1, 15, 1},
+- {"FlushEntireSELUponRollOver", 1, 14, 1},
+- {"RecordLevelSELFlushUponRollOver", 1, 13, 1},
+- {"NumberOfSELEntries", 1, 0, 12},
+- {"TempMonitoringSamplingFreq", 5, 0, 8}}}},
+- // Optional Platform Attributes
+- {dcmi::DCMICapParameters::OPTIONAL_PLAT_ATTRIBUTES,
+- {2,
+- {{"PowerMgmtDeviceSlaveAddress", 1, 1, 7},
+- {"BMCChannelNumber", 2, 4, 4},
+- {"DeviceRivision", 2, 0, 4}}}},
+- // Manageability Access Attributes
+- {dcmi::DCMICapParameters::MANAGEABILITY_ACCESS_ATTRIBUTES,
+- {3,
+- {{"MandatoryPrimaryLanOOBSupport", 1, 0, 8},
+- {"OptionalSecondaryLanOOBSupport", 2, 0, 8},
+- {"OptionalSerialOOBMTMODECapability", 3, 0, 8}}}}};
+-
+-ipmi_ret_t getDCMICapabilities(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<ipmi::message::Payload> getDCMICapabilities(uint8_t parameter)
+ {
+-
+ std::ifstream dcmiCapFile(dcmi::gDCMICapabilitiesConfig);
+ if (!dcmiCapFile.is_open())
+ {
+ log<level::ERR>("DCMI Capabilities file not found");
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
+
+ auto data = nlohmann::json::parse(dcmiCapFile, nullptr, false);
+ if (data.is_discarded())
+ {
+ log<level::ERR>("DCMI Capabilities JSON parser failure");
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
+
+- auto requestData =
+- reinterpret_cast<const dcmi::GetDCMICapRequest*>(request);
++ constexpr bool reserved1{};
++ constexpr uint5_t reserved5{};
++ constexpr uint7_t reserved7{};
++ constexpr uint8_t reserved8{};
++ constexpr uint16_t reserved16{};
+
+- // get list of capabilities in a parameter
+- auto caps =
+- dcmiCaps.find(static_cast<dcmi::DCMICapParameters>(requestData->param));
+- if (caps == dcmiCaps.end())
+- {
+- log<level::ERR>("Invalid input parameter");
+- return IPMI_CC_INVALID_FIELD_REQUEST;
+- }
++ ipmi::message::Payload payload;
++ payload.pack(dcmi::specMajorVersion, dcmi::specMinorVersion,
++ dcmi::parameterRevision);
+
+- auto responseData = reinterpret_cast<dcmi::GetDCMICapResponse*>(response);
++ enum class DCMICapParameters : uint8_t
++ {
++ SupportedDcmiCaps = 0x01, // Supported DCMI Capabilities
++ MandatoryPlatAttributes = 0x02, // Mandatory Platform Attributes
++ OptionalPlatAttributes = 0x03, // Optional Platform Attributes
++ ManageabilityAccessAttributes = 0x04, // Manageability Access Attributes
++ };
+
+- // For each capabilities in a parameter fill the data from
+- // the json file based on the capability name.
+- for (auto cap : caps->second.capList)
++ switch (static_cast<DCMICapParameters>(parameter))
+ {
+- // If the data is beyond first byte boundary, insert in a
+- // 16bit pattern for example number of SEL entries are represented
+- // in 12bits.
+- if ((cap.length + cap.position) > dcmi::gByteBitSize)
++ case DCMICapParameters::SupportedDcmiCaps:
+ {
+- uint16_t val = data.value(cap.name.c_str(), 0);
+- // According to DCMI spec v1.5, max number of SEL entries is
+- // 4096, but bit 12b of DCMI capabilities Mandatory Platform
+- // Attributes field is reserved and therefore we can use only
+- // the provided 12 bits with maximum value of 4095.
+- // We're playing safe here by applying the mask
+- // to ensure that provided value will fit into 12 bits.
+- if (cap.length > dcmi::gByteBitSize)
+- {
+- val &= dcmi::gMaxSELEntriesMask;
+- }
+- val <<= cap.position;
+- responseData->data[cap.bytePosition - 1] |=
+- static_cast<uint8_t>(val);
+- responseData->data[cap.bytePosition] |= val >> dcmi::gByteBitSize;
++ bool powerManagement = data.value("PowerManagement", 0);
++ bool oobSecondaryLan = data.value("OOBSecondaryLan", 0);
++ bool serialTMode = data.value("SerialTMODE", 0);
++ bool inBandSystemInterfaceChannel =
++ data.value("InBandSystemInterfaceChannel", 0);
++ payload.pack(reserved8, powerManagement, reserved7,
++ inBandSystemInterfaceChannel, serialTMode,
++ oobSecondaryLan, reserved5);
++ break;
++ }
++ // Mandatory Platform Attributes
++ case DCMICapParameters::MandatoryPlatAttributes:
++ {
++ bool selAutoRollOver = data.value("SELAutoRollOver", 0);
++ bool flushEntireSELUponRollOver =
++ data.value("FlushEntireSELUponRollOver", 0);
++ bool recordLevelSELFlushUponRollOver =
++ data.value("RecordLevelSELFlushUponRollOver", 0);
++ uint12_t numberOfSELEntries = data.value("NumberOfSELEntries",
++ 0xcac);
++ uint8_t tempMonitoringSamplingFreq =
++ data.value("TempMonitoringSamplingFreq", 0);
++ payload.pack(numberOfSELEntries, reserved1,
++ recordLevelSELFlushUponRollOver,
++ flushEntireSELUponRollOver, selAutoRollOver,
++ reserved16, tempMonitoringSamplingFreq);
++ break;
++ }
++ // Optional Platform Attributes
++ case DCMICapParameters::OptionalPlatAttributes:
++ {
++ uint7_t powerMgmtDeviceSlaveAddress =
++ data.value("PowerMgmtDeviceSlaveAddress", 0);
++ uint4_t bmcChannelNumber = data.value("BMCChannelNumber", 0);
++ uint4_t deviceRivision = data.value("DeviceRivision", 0);
++ payload.pack(powerMgmtDeviceSlaveAddress, reserved1, deviceRivision,
++ bmcChannelNumber);
++ break;
+ }
+- else
++ // Manageability Access Attributes
++ case DCMICapParameters::ManageabilityAccessAttributes:
+ {
+- responseData->data[cap.bytePosition - 1] |=
+- data.value(cap.name.c_str(), 0) << cap.position;
++ uint8_t mandatoryPrimaryLanOOBSupport =
++ data.value("MandatoryPrimaryLanOOBSupport", 0xff);
++ uint8_t optionalSecondaryLanOOBSupport =
++ data.value("OptionalSecondaryLanOOBSupport", 0xff);
++ uint8_t optionalSerialOOBMTMODECapability =
++ data.value("OptionalSerialOOBMTMODECapability", 0xff);
++ payload.pack(mandatoryPrimaryLanOOBSupport,
++ optionalSecondaryLanOOBSupport,
++ optionalSerialOOBMTMODECapability);
++ break;
++ }
++ default:
++ {
++ log<level::ERR>("Invalid input parameter");
++ return ipmi::responseInvalidFieldRequest();
+ }
+ }
+
+- responseData->major = DCMI_SPEC_MAJOR_VERSION;
+- responseData->minor = DCMI_SPEC_MINOR_VERSION;
+- responseData->paramRevision = DCMI_PARAMETER_REVISION;
+- *data_len = sizeof(*responseData) + caps->second.size;
+-
+- return IPMI_CC_OK;
++ return ipmi::responseSuccess(payload);
+ }
+
+ namespace dcmi
+@@ -761,20 +719,25 @@ namespace dcmi
+ namespace temp_readings
+ {
+
+-Temperature readTemp(const std::string& dbusService,
+- const std::string& dbusPath)
++std::tuple<bool, bool, uint8_t> readTemp(ipmi::Context::ptr& ctx,
++ const std::string& dbusService,
++ const std::string& dbusPath)
+ {
+ // Read the temperature value from d-bus object. Need some conversion.
+- // As per the interface xyz.openbmc_project.Sensor.Value, the temperature
+- // is an double and in degrees C. It needs to be scaled by using the
+- // formula Value * 10^Scale. The ipmi spec has the temperature as a uint8_t,
+- // with a separate single bit for the sign.
+-
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+- auto result = ipmi::getAllDbusProperties(
+- bus, dbusService, dbusPath, "xyz.openbmc_project.Sensor.Value");
+- auto temperature =
+- std::visit(ipmi::VariantToDoubleVisitor(), result.at("Value"));
++ // As per the interface xyz.openbmc_project.Sensor.Value, the
++ // temperature is an double and in degrees C. It needs to be scaled by
++ // using the formula Value * 10^Scale. The ipmi spec has the temperature
++ // as a uint8_t, with a separate single bit for the sign.
++
++ ipmi::PropertyMap result{};
++ boost::system::error_code ec = ipmi::getAllDbusProperties(
++ ctx, dbusService, dbusPath, "xyz.openbmc_project.Sensor.Value", result);
++ if (ec.value())
++ {
++ return std::make_tuple(false, false, 0);
++ }
++ auto temperature = std::visit(ipmi::VariantToDoubleVisitor(),
++ result.at("Value"));
+ double absTemp = std::abs(temperature);
+
+ auto findFactor = result.find("Scale");
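Review bot: readTemp now reports failure through the leading `bool` of its tuple, but `result.at("Value")` still throws `std::out_of_range` when the sensor object has no `Value` property. The rewritten `read()` caller later in this patch no longer wraps the call in a try/catch, so that exception would leave the handler instead of skipping the sensor. Look the property up the way `Scale` is looked up on the next line, `auto findValue = result.find("Value");`, and `return std::make_tuple(false, false, 0);` when it is absent, then visit `findValue->second`. readTemp's body continues past the end of this hunk.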
+@@ -786,199 +749,222 @@ Temperature readTemp(const std::string& dbusService,
+ double scale = std::pow(10, factor);
+
+ auto tempDegrees = absTemp * scale;
+- // Max absolute temp as per ipmi spec is 128.
++ // Max absolute temp as per ipmi spec is 127.
++ constexpr auto maxTemp = 127;
+ if (tempDegrees > maxTemp)
+ {
+ tempDegrees = maxTemp;
+ }
+
+- return std::make_tuple(static_cast<uint8_t>(tempDegrees),
+- (temperature < 0));
++ return std::make_tuple(true, (temperature < 0),
++ static_cast<uint8_t>(tempDegrees));
+ }
+
+-std::tuple<Response, NumInstances> read(const std::string& type,
+- uint8_t instance)
++std::tuple<std::vector<std::tuple<uint7_t, bool, uint8_t>>, uint8_t>
++ read(ipmi::Context::ptr& ctx, const std::string& type, uint8_t instance,
++ size_t count)
+ {
+- Response response{};
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+-
+- if (!instance)
+- {
+- log<level::ERR>("Expected non-zero instance");
+- elog<InternalFailure>();
+- }
++ std::vector<std::tuple<uint7_t, bool, uint8_t>> response{};
+
+ auto data = parseJSONConfig(gDCMISensorsConfig);
+- static const std::vector<Json> empty{};
+- std::vector<Json> readings = data.value(type, empty);
+- size_t numInstances = readings.size();
++ static const std::vector<nlohmann::json> empty{};
++ std::vector<nlohmann::json> readings = data.value(type, empty);
+ for (const auto& j : readings)
+ {
++ // Max of 8 response data sets
++ if (response.size() == count)
++ {
++ break;
++ }
++
+ uint8_t instanceNum = j.value("instance", 0);
+- // Not the instance we're interested in
+- if (instanceNum != instance)
++ // Not in the instance range we're interested in
++ if (instanceNum < instance)
+ {
+ continue;
+ }
+
+ std::string path = j.value("dbus", "");
+- std::string service;
+- try
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(
++ ctx, "xyz.openbmc_project.Sensor.Value", path, service);
++ if (ec.value())
+ {
+- service =
+- ipmi::getService(bus, "xyz.openbmc_project.Sensor.Value", path);
++ // not found on dbus
++ continue;
+ }
+- catch (const std::exception& e)
++
++ const auto& [ok, sign, temp] = readTemp(ctx, service, path);
++ if (ok)
+ {
+- log<level::DEBUG>(e.what());
+- return std::make_tuple(response, numInstances);
++ response.emplace_back(uint7_t{temp}, sign, instanceNum);
+ }
++ }
+
+- response.instance = instance;
+- uint8_t temp{};
+- bool sign{};
+- std::tie(temp, sign) = readTemp(service, path);
+- response.temperature = temp;
+- response.sign = sign;
++ auto totalInstances =
++ static_cast<uint8_t>(std::min(readings.size(), maxInstances));
++ return std::make_tuple(response, totalInstances);
++}
+
+- // Found the instance we're interested in
+- break;
++} // namespace temp_readings
++} // namespace dcmi
++
++ipmi::RspType<uint8_t, // total instances for entity id
++ uint8_t, // number of instances in this reply
++ std::vector< // zero or more of the following two bytes
++ std::tuple<uint7_t, // temperature value
++ bool, // sign bit
++ uint8_t // entity instance
++ >>>
++ getTempReadings(ipmi::Context::ptr& ctx, uint8_t sensorType,
++ uint8_t entityId, uint8_t entityInstance,
++ uint8_t instanceStart)
++{
++ auto it = dcmi::entityIdToName.find(entityId);
++ if (it == dcmi::entityIdToName.end())
++ {
++ log<level::ERR>("Unknown Entity ID", entry("ENTITY_ID=%d", entityId));
++ return ipmi::responseInvalidFieldRequest();
+ }
+
+- if (numInstances > maxInstances)
++ if (sensorType != dcmi::temperatureSensorType)
+ {
+- numInstances = maxInstances;
++ log<level::ERR>("Invalid sensor type",
++ entry("SENSOR_TYPE=%d", sensorType));
++ return ipmi::responseInvalidFieldRequest();
+ }
+- return std::make_tuple(response, numInstances);
++
++ uint8_t requestedRecords = (entityInstance == 0) ? dcmi::maxRecords : 1;
++
++ // Read requested instances
++ const auto& [temps, totalInstances] = dcmi::temp_readings::read(
++ ctx, it->second, instanceStart, requestedRecords);
++
++ auto numInstances = static_cast<uint8_t>(temps.size());
++
++ return ipmi::responseSuccess(totalInstances, numInstances, temps);
+ }
+
+-std::tuple<ResponseList, NumInstances> readAll(const std::string& type,
+- uint8_t instanceStart)
++ipmi::RspType<> setDCMIConfParams(ipmi::Context::ptr& ctx, uint8_t parameter,
++ uint8_t setSelector,
++ ipmi::message::Payload& payload)
+ {
+- ResponseList response{};
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+-
+- size_t numInstances = 0;
+- auto data = parseJSONConfig(gDCMISensorsConfig);
+- static const std::vector<Json> empty{};
+- std::vector<Json> readings = data.value(type, empty);
+- numInstances = readings.size();
+- for (const auto& j : readings)
++ if (setSelector)
+ {
+- try
++ return ipmi::responseInvalidFieldRequest();
++ }
++ // Take action based on the Parameter Selector
++ switch (static_cast<dcmi::DCMIConfigParameters>(parameter))
++ {
++ case dcmi::DCMIConfigParameters::ActivateDHCP:
+ {
+- // Max of 8 response data sets
+- if (response.size() == maxDataSets)
++ uint7_t reserved{};
++ bool activate{};
++ if (payload.unpack(activate, reserved) || !payload.fullyUnpacked())
+ {
+- break;
++ return ipmi::responseReqDataLenInvalid();
+ }
+-
+- uint8_t instanceNum = j.value("instance", 0);
+- // Not in the instance range we're interested in
+- if (instanceNum < instanceStart)
++ if (reserved)
+ {
+- continue;
++ return ipmi::responseInvalidFieldRequest();
+ }
+-
+- std::string path = j.value("dbus", "");
+- auto service =
+- ipmi::getService(bus, "xyz.openbmc_project.Sensor.Value", path);
+-
+- Response r{};
+- r.instance = instanceNum;
+- uint8_t temp{};
+- bool sign{};
+- std::tie(temp, sign) = readTemp(service, path);
+- r.temperature = temp;
+- r.sign = sign;
+- response.push_back(r);
++ std::optional<EthernetInterface::DHCPConf> dhcpEnabled =
++ dcmi::getDHCPEnabled(ctx);
++ if (!dhcpEnabled)
++ {
++ return ipmi::responseUnspecifiedError();
++ }
++ if (activate &&
++ (dhcpEnabled.value() != EthernetInterface::DHCPConf::none))
++ {
++ // When these conditions are met we have to trigger DHCP
++ // protocol restart using the latest parameter settings,
++ // but as per n/w manager design, each time when we
++ // update n/w parameters, n/w service is restarted. So
++ // we no need to take any action in this case.
++ }
++ break;
+ }
+- catch (const std::exception& e)
++ case dcmi::DCMIConfigParameters::DiscoveryConfig:
+ {
+- log<level::DEBUG>(e.what());
+- continue;
++ bool option12{};
++ uint6_t reserved1{};
++ bool randBackOff{};
++ if (payload.unpack(option12, reserved1, randBackOff) ||
++ !payload.fullyUnpacked())
++ {
++ return ipmi::responseReqDataLenInvalid();
++ }
++ // Systemd-networkd doesn't support Random Back off
++ if (reserved1 || randBackOff)
++ {
++ return ipmi::responseInvalidFieldRequest();
++ }
++ dcmi::setDHCPOption(ctx, dcmi::dhcpOpt12Enabled, option12);
++ break;
+ }
+- }
+-
+- if (numInstances > maxInstances)
+- {
+- numInstances = maxInstances;
+- }
+- return std::make_tuple(response, numInstances);
++ // Systemd-networkd doesn't allow to configure DHCP timigs
++ case dcmi::DCMIConfigParameters::DHCPTiming1:
++ case dcmi::DCMIConfigParameters::DHCPTiming2:
++ case dcmi::DCMIConfigParameters::DHCPTiming3:
++ default:
++ return ipmi::responseInvalidFieldRequest();
++ }
++ return ipmi::responseSuccess();
+ }
+
+-} // namespace temp_readings
+-} // namespace dcmi
+-
+-ipmi_ret_t getTempReadings(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<ipmi::message::Payload> getDCMIConfParams(ipmi::Context::ptr& ctx,
++ uint8_t parameter,
++ uint8_t setSelector)
+ {
+- auto requestData =
+- reinterpret_cast<const dcmi::GetTempReadingsRequest*>(request);
+- auto responseData =
+- reinterpret_cast<dcmi::GetTempReadingsResponseHdr*>(response);
+-
+- if (*data_len != sizeof(dcmi::GetTempReadingsRequest))
++ if (setSelector)
+ {
+- log<level::ERR>("Malformed request data",
+- entry("DATA_SIZE=%d", *data_len));
+- return IPMI_CC_REQ_DATA_LEN_INVALID;
++ return ipmi::responseInvalidFieldRequest();
+ }
+- *data_len = 0;
++ ipmi::message::Payload payload;
++ payload.pack(dcmi::specMajorVersion, dcmi::specMinorVersion,
++ dcmi::configParameterRevision);
+
+- auto it = dcmi::entityIdToName.find(requestData->entityId);
+- if (it == dcmi::entityIdToName.end())
++ // Take action based on the Parameter Selector
++ switch (static_cast<dcmi::DCMIConfigParameters>(parameter))
+ {
+- log<level::ERR>("Unknown Entity ID",
+- entry("ENTITY_ID=%d", requestData->entityId));
+- return IPMI_CC_INVALID_FIELD_REQUEST;
+- }
+-
+- if (requestData->sensorType != dcmi::temperatureSensorType)
+- {
+- log<level::ERR>("Invalid sensor type",
+- entry("SENSOR_TYPE=%d", requestData->sensorType));
+- return IPMI_CC_INVALID_FIELD_REQUEST;
+- }
+-
+- dcmi::temp_readings::ResponseList temps{};
+- try
+- {
+- if (!requestData->entityInstance)
++ case dcmi::DCMIConfigParameters::ActivateDHCP:
++ payload.pack(dcmi::activateDhcpReply);
++ break;
++ case dcmi::DCMIConfigParameters::DiscoveryConfig:
+ {
+- // Read all instances
+- std::tie(temps, responseData->numInstances) =
+- dcmi::temp_readings::readAll(it->second,
+- requestData->instanceStart);
+- }
+- else
+- {
+- // Read one instance
+- temps.resize(1);
+- std::tie(temps[0], responseData->numInstances) =
+- dcmi::temp_readings::read(it->second,
+- requestData->entityInstance);
++ uint8_t discovery{};
++ std::optional<bool> enabled =
++ dcmi::getDHCPOption(ctx, dcmi::dhcpOpt12Enabled);
++ if (!enabled.has_value())
++ {
++ return ipmi::responseUnspecifiedError();
++ }
++ if (enabled.value())
++ {
++ discovery = dcmi::option12Mask;
++ }
++ payload.pack(discovery);
++ break;
+ }
+- responseData->numDataSets = temps.size();
+- }
+- catch (const InternalFailure& e)
+- {
+- return IPMI_CC_UNSPECIFIED_ERROR;
+- }
+-
+- size_t payloadSize = temps.size() * sizeof(dcmi::temp_readings::Response);
+- if (!temps.empty())
+- {
+- memcpy(responseData + 1, // copy payload right after the response header
+- temps.data(), payloadSize);
+- }
+- *data_len = sizeof(dcmi::GetTempReadingsResponseHdr) + payloadSize;
+-
+- return IPMI_CC_OK;
++ // Get below values from Systemd-networkd source code
++ case dcmi::DCMIConfigParameters::DHCPTiming1:
++ payload.pack(dcmi::dhcpTiming1);
++ break;
++ case dcmi::DCMIConfigParameters::DHCPTiming2:
++ payload.pack(dcmi::dhcpTiming2);
++ break;
++ case dcmi::DCMIConfigParameters::DHCPTiming3:
++ payload.pack(dcmi::dhcpTiming3);
++ break;
++ default:
++ return ipmi::responseInvalidFieldRequest();
++ }
++
++ return ipmi::responseSuccess();
+ }
+
+-int64_t getPowerReading(sdbusplus::bus::bus& bus)
++static std::optional<uint16_t> readPower(ipmi::Context::ptr& ctx)
+ {
+ std::ifstream sensorFile(POWER_READING_SENSOR);
+ std::string objectPath;
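Review bot: getDCMIConfParams packs the spec version, the parameter revision and the selected parameter into `payload`, but its last statement is `return ipmi::responseSuccess();`, so none of that data is passed to the response. The declared return type is `ipmi::RspType<ipmi::message::Payload>`, and getDCMICapabilities earlier in this patch ends with `ipmi::responseSuccess(payload)`. The closing line here should match it: `return ipmi::responseSuccess(payload);`. It is worth adding a test that issues Get DCMI Configuration Parameters for each selector and checks the returned bytes, since a success code with an empty body is easy to miss.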
+@@ -986,7 +972,7 @@ int64_t getPowerReading(sdbusplus::bus::bus& bus)
+ {
+ log<level::ERR>("Power reading configuration file not found",
+ entry("POWER_SENSOR_FILE=%s", POWER_READING_SENSOR));
+- elog<InternalFailure>();
++ return std::nullopt;
+ }
+
+ auto data = nlohmann::json::parse(sensorFile, nullptr, false);
+@@ -994,7 +980,7 @@ int64_t getPowerReading(sdbusplus::bus::bus& bus)
+ {
+ log<level::ERR>("Error in parsing configuration file",
+ entry("POWER_SENSOR_FILE=%s", POWER_READING_SENSOR));
+- elog<InternalFailure>();
++ return std::nullopt;
+ }
+
+ objectPath = data.value("path", "");
+@@ -1002,215 +988,93 @@ int64_t getPowerReading(sdbusplus::bus::bus& bus)
+ {
+ log<level::ERR>("Power sensor D-Bus object path is empty",
+ entry("POWER_SENSOR_FILE=%s", POWER_READING_SENSOR));
+- elog<InternalFailure>();
++ return std::nullopt;
+ }
+
+ // Return default value if failed to read from D-Bus object
+- int64_t power = 0;
+- try
++ std::string service{};
++ boost::system::error_code ec = ipmi::getService(ctx, dcmi::sensorValueIntf,
++ objectPath, service);
++ if (ec.value())
+ {
+- auto service = ipmi::getService(bus, SENSOR_VALUE_INTF, objectPath);
+-
+- // Read the sensor value and scale properties
+- auto properties = ipmi::getAllDbusProperties(bus, service, objectPath,
+- SENSOR_VALUE_INTF);
+- auto value = std::get<int64_t>(properties[SENSOR_VALUE_PROP]);
+- auto scale = std::get<int64_t>(properties[SENSOR_SCALE_PROP]);
+-
+- // Power reading needs to be scaled with the Scale value using the
+- // formula Value * 10^Scale.
+- power = value * std::pow(10, scale);
++ log<level::ERR>("Failed to fetch service for D-Bus object",
++ entry("OBJECT_PATH=%s", objectPath.c_str()),
++ entry("INTERFACE=%s", dcmi::sensorValueIntf));
++ return std::nullopt;
+ }
+- catch (const std::exception& e)
++
++ // Read the sensor value and scale properties
++ double value{};
++ ec = ipmi::getDbusProperty(ctx, service, objectPath, dcmi::sensorValueIntf,
++ dcmi::sensorValueProp, value);
++ if (ec.value())
+ {
+- log<level::INFO>("Failure to read power value from D-Bus object",
+- entry("OBJECT_PATH=%s", objectPath.c_str()),
+- entry("INTERFACE=%s", SENSOR_VALUE_INTF));
++ log<level::ERR>("Failure to read power value from D-Bus object",
++ entry("OBJECT_PATH=%s", objectPath.c_str()),
++ entry("INTERFACE=%s", dcmi::sensorValueIntf));
++ return std::nullopt;
+ }
++ auto power = static_cast<uint16_t>(value);
+ return power;
+ }
+
+-ipmi_ret_t setDCMIConfParams(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<uint16_t, // current power
++ uint16_t, // minimum power
++ uint16_t, // maximum power
++ uint16_t, // average power
++ uint32_t, // timestamp
++ uint32_t, // sample period ms
++ uint6_t, // reserved
++ bool, // power measurement active
++ bool // reserved
++ >
++ getPowerReading(ipmi::Context::ptr& ctx, uint8_t mode, uint8_t attributes,
++ uint8_t reserved)
+ {
+- auto requestData =
+- reinterpret_cast<const dcmi::SetConfParamsRequest*>(request);
+-
+- if (*data_len < DCMI_SET_CONF_PARAM_REQ_PACKET_MIN_SIZE ||
+- *data_len > DCMI_SET_CONF_PARAM_REQ_PACKET_MAX_SIZE)
+- {
+- log<level::ERR>("Invalid Requested Packet size",
+- entry("PACKET SIZE=%d", *data_len));
+- *data_len = 0;
+- return IPMI_CC_INVALID_FIELD_REQUEST;
+- }
+- *data_len = 0;
+-
+- try
++ if (!dcmi::isDCMIPowerMgmtSupported())
+ {
+- // Take action based on the Parameter Selector
+- switch (
+- static_cast<dcmi::DCMIConfigParameters>(requestData->paramSelect))
+- {
+- case dcmi::DCMIConfigParameters::ActivateDHCP:
+-
+- if ((requestData->data[0] & DCMI_ACTIVATE_DHCP_MASK) &&
+- dcmi::getDHCPEnabled())
+- {
+- // When these conditions are met we have to trigger DHCP
+- // protocol restart using the latest parameter settings, but
+- // as per n/w manager design, each time when we update n/w
+- // parameters, n/w service is restarted. So we no need to
+- // take any action in this case.
+- }
+- break;
+-
+- case dcmi::DCMIConfigParameters::DiscoveryConfig:
+-
+- if (requestData->data[0] & DCMI_OPTION_12_MASK)
+- {
+- dcmi::setDHCPOption(DHCP_OPT12_ENABLED, true);
+- }
+- else
+- {
+- dcmi::setDHCPOption(DHCP_OPT12_ENABLED, false);
+- }
+-
+- // Systemd-networkd doesn't support Random Back off
+- if (requestData->data[0] & DCMI_RAND_BACK_OFF_MASK)
+- {
+- return IPMI_CC_INVALID;
+- }
+- break;
+- // Systemd-networkd doesn't allow to configure DHCP timigs
+- case dcmi::DCMIConfigParameters::DHCPTiming1:
+- case dcmi::DCMIConfigParameters::DHCPTiming2:
+- case dcmi::DCMIConfigParameters::DHCPTiming3:
+- default:
+- return IPMI_CC_INVALID;
+- }
++ log<level::ERR>("DCMI Power management is unsupported!");
++ return ipmi::responseInvalidCommand();
+ }
+- catch (const std::exception& e)
++ if (reserved)
+ {
+- log<level::ERR>(e.what());
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseInvalidFieldRequest();
+ }
+- return IPMI_CC_OK;
+-}
+
+-ipmi_ret_t getDCMIConfParams(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
+-{
+-
+- auto requestData =
+- reinterpret_cast<const dcmi::GetConfParamsRequest*>(request);
+- auto responseData =
+- reinterpret_cast<dcmi::GetConfParamsResponse*>(response);
+-
+- responseData->data[0] = 0x00;
+-
+- if (*data_len != sizeof(dcmi::GetConfParamsRequest))
++ enum class PowerMode : uint8_t
+ {
+- log<level::ERR>("Invalid Requested Packet size",
+- entry("PACKET SIZE=%d", *data_len));
+- return IPMI_CC_INVALID_FIELD_REQUEST;
+- }
+-
+- *data_len = 0;
++ SystemPowerStatistics = 1,
++ EnhancedSystemPowerStatistics = 2,
++ };
+
+- try
++ if (static_cast<PowerMode>(mode) != PowerMode::SystemPowerStatistics)
+ {
+- // Take action based on the Parameter Selector
+- switch (
+- static_cast<dcmi::DCMIConfigParameters>(requestData->paramSelect))
+- {
+- case dcmi::DCMIConfigParameters::ActivateDHCP:
+- responseData->data[0] = DCMI_ACTIVATE_DHCP_REPLY;
+- *data_len = sizeof(dcmi::GetConfParamsResponse) + 1;
+- break;
+- case dcmi::DCMIConfigParameters::DiscoveryConfig:
+- if (dcmi::getDHCPOption(DHCP_OPT12_ENABLED))
+- {
+- responseData->data[0] |= DCMI_OPTION_12_MASK;
+- }
+- *data_len = sizeof(dcmi::GetConfParamsResponse) + 1;
+- break;
+- // Get below values from Systemd-networkd source code
+- case dcmi::DCMIConfigParameters::DHCPTiming1:
+- responseData->data[0] = DHCP_TIMING1;
+- *data_len = sizeof(dcmi::GetConfParamsResponse) + 1;
+- break;
+- case dcmi::DCMIConfigParameters::DHCPTiming2:
+- responseData->data[0] = DHCP_TIMING2_LOWER;
+- responseData->data[1] = DHCP_TIMING2_UPPER;
+- *data_len = sizeof(dcmi::GetConfParamsResponse) + 2;
+- break;
+- case dcmi::DCMIConfigParameters::DHCPTiming3:
+- responseData->data[0] = DHCP_TIMING3_LOWER;
+- responseData->data[1] = DHCP_TIMING3_UPPER;
+- *data_len = sizeof(dcmi::GetConfParamsResponse) + 2;
+- break;
+- default:
+- *data_len = 0;
+- return IPMI_CC_INVALID;
+- }
++ return ipmi::responseInvalidFieldRequest();
+ }
+- catch (const std::exception& e)
++ if (attributes)
+ {
+- log<level::ERR>(e.what());
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseInvalidFieldRequest();
+ }
+
+- responseData->major = DCMI_SPEC_MAJOR_VERSION;
+- responseData->minor = DCMI_SPEC_MINOR_VERSION;
+- responseData->paramRevision = DCMI_CONFIG_PARAMETER_REVISION;
+-
+- return IPMI_CC_OK;
+-}
+-
+-ipmi_ret_t getPowerReading(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
+-{
+- *data_len = 0;
+- if (!dcmi::isDCMIPowerMgmtSupported())
++ std::optional<uint16_t> powerResp = readPower(ctx);
++ if (!powerResp)
+ {
+- log<level::ERR>("DCMI Power management is unsupported!");
+- return IPMI_CC_INVALID;
+- }
+-
+- ipmi_ret_t rc = IPMI_CC_OK;
+- auto responseData =
+- reinterpret_cast<dcmi::GetPowerReadingResponse*>(response);
+-
+- sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+- int64_t power = 0;
+- try
+- {
+- power = getPowerReading(bus);
+- }
+- catch (const InternalFailure& e)
+- {
+- log<level::ERR>("Error in reading power sensor value",
+- entry("INTERFACE=%s", SENSOR_VALUE_INTF),
+- entry("PROPERTY=%s", SENSOR_VALUE_PROP));
+- return IPMI_CC_UNSPECIFIED_ERROR;
++ return ipmi::responseUnspecifiedError();
+ }
++ auto& power = powerResp.value();
+
+ // TODO: openbmc/openbmc#2819
+ // Minimum, Maximum, Average power, TimeFrame, TimeStamp,
+ // PowerReadingState readings need to be populated
+ // after Telemetry changes.
+- uint16_t totalPower = static_cast<uint16_t>(power);
+- responseData->currentPower = totalPower;
+- responseData->minimumPower = totalPower;
+- responseData->maximumPower = totalPower;
+- responseData->averagePower = totalPower;
+-
+- *data_len = sizeof(*responseData);
+- return rc;
++ constexpr uint32_t samplePeriod = 1;
++ constexpr uint6_t reserved1 = 0;
++ constexpr bool measurementActive = true;
++ constexpr bool reserved2 = false;
++ auto timestamp = static_cast<uint32_t>(time(nullptr));
++ return ipmi::responseSuccess(power, power, power, power, timestamp,
++ samplePeriod, reserved1, measurementActive,
++ reserved2);
+ }
+
+ namespace dcmi
+@@ -1218,237 +1082,139 @@ namespace dcmi
+ namespace sensor_info
+ {
+
+-Response createFromJson(const Json& config)
+-{
+- Response response{};
+- uint16_t recordId = config.value("record_id", 0);
+- response.recordIdLsb = recordId & 0xFF;
+- response.recordIdMsb = (recordId >> 8) & 0xFF;
+- return response;
+-}
+-
+-std::tuple<Response, NumInstances> read(const std::string& type,
+- uint8_t instance, const Json& config)
++std::tuple<std::vector<uint16_t>, uint8_t> read(const std::string& type,
++ uint8_t instance,
++ const nlohmann::json& config,
++ uint8_t count)
+ {
+- Response response{};
+-
+- if (!instance)
+- {
+- log<level::ERR>("Expected non-zero instance");
+- elog<InternalFailure>();
+- }
++ std::vector<uint16_t> responses{};
+
+- static const std::vector<Json> empty{};
+- std::vector<Json> readings = config.value(type, empty);
+- size_t numInstances = readings.size();
++ static const std::vector<nlohmann::json> empty{};
++ std::vector<nlohmann::json> readings = config.value(type, empty);
++ uint8_t totalInstances = std::min(readings.size(), maxInstances);
+ for (const auto& reading : readings)
+ {
+- uint8_t instanceNum = reading.value("instance", 0);
+- // Not the instance we're interested in
+- if (instanceNum != instance)
++ // limit to requested count
++ if (responses.size() == count)
+ {
+- continue;
++ break;
+ }
+
+- response = createFromJson(reading);
+-
+- // Found the instance we're interested in
+- break;
+- }
+-
+- if (numInstances > maxInstances)
+- {
+- log<level::DEBUG>("Trimming IPMI num instances",
+- entry("NUM_INSTANCES=%d", numInstances));
+- numInstances = maxInstances;
+- }
+- return std::make_tuple(response, numInstances);
+-}
+-
+-std::tuple<ResponseList, NumInstances>
+- readAll(const std::string& type, uint8_t instanceStart, const Json& config)
+-{
+- ResponseList responses{};
+-
+- size_t numInstances = 0;
+- static const std::vector<Json> empty{};
+- std::vector<Json> readings = config.value(type, empty);
+- numInstances = readings.size();
+- for (const auto& reading : readings)
+- {
+- try
+- {
+- // Max of 8 records
+- if (responses.size() == maxRecords)
+- {
+- break;
+- }
+-
+- uint8_t instanceNum = reading.value("instance", 0);
+- // Not in the instance range we're interested in
+- if (instanceNum < instanceStart)
+- {
+- continue;
+- }
+-
+- Response response = createFromJson(reading);
+- responses.push_back(response);
+- }
+- catch (const std::exception& e)
++ uint8_t instanceNum = reading.value("instance", 0);
++ // Not in the instance range we're interested in
++ if (instanceNum < instance)
+ {
+- log<level::DEBUG>(e.what());
+ continue;
+ }
+- }
+
+- if (numInstances > maxInstances)
+- {
+- log<level::DEBUG>("Trimming IPMI num instances",
+- entry("NUM_INSTANCES=%d", numInstances));
+- numInstances = maxInstances;
++ uint16_t recordId = config.value("record_id", 0);
++ responses.emplace_back(recordId);
+ }
+- return std::make_tuple(responses, numInstances);
++
++ return std::make_tuple(responses, totalInstances);
+ }
+
+ } // namespace sensor_info
+ } // namespace dcmi
+
+-ipmi_ret_t getSensorInfo(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
+- ipmi_request_t request, ipmi_response_t response,
+- ipmi_data_len_t data_len, ipmi_context_t context)
++ipmi::RspType<uint8_t, // total available instances
++ uint8_t, // number of records in this response
++ std::vector<uint16_t> // records
++ >
++ getSensorInfo(uint8_t sensorType, uint8_t entityId, uint8_t entityInstance,
++ uint8_t instanceStart)
+ {
+- auto requestData =
+- reinterpret_cast<const dcmi::GetSensorInfoRequest*>(request);
+- auto responseData =
+- reinterpret_cast<dcmi::GetSensorInfoResponseHdr*>(response);
+-
+- if (*data_len != sizeof(dcmi::GetSensorInfoRequest))
+- {
+- log<level::ERR>("Malformed request data",
+- entry("DATA_SIZE=%d", *data_len));
+- return IPMI_CC_REQ_DATA_LEN_INVALID;
+- }
+- *data_len = 0;
+-
+- auto it = dcmi::entityIdToName.find(requestData->entityId);
++ auto it = dcmi::entityIdToName.find(entityId);
+ if (it == dcmi::entityIdToName.end())
+ {
+- log<level::ERR>("Unknown Entity ID",
+- entry("ENTITY_ID=%d", requestData->entityId));
+- return IPMI_CC_INVALID_FIELD_REQUEST;
++ log<level::ERR>("Unknown Entity ID", entry("ENTITY_ID=%d", entityId));
++ return ipmi::responseInvalidFieldRequest();
+ }
+
+- if (requestData->sensorType != dcmi::temperatureSensorType)
++ if (sensorType != dcmi::temperatureSensorType)
+ {
+ log<level::ERR>("Invalid sensor type",
+- entry("SENSOR_TYPE=%d", requestData->sensorType));
+- return IPMI_CC_INVALID_FIELD_REQUEST;
++ entry("SENSOR_TYPE=%d", sensorType));
++ return ipmi::responseInvalidFieldRequest();
+ }
+
+- dcmi::sensor_info::ResponseList sensors{};
+- static dcmi::Json config{};
+- static bool parsed = false;
++ nlohmann::json config = dcmi::parseJSONConfig(dcmi::gDCMISensorsConfig);
+
+- try
+- {
+- if (!parsed)
+- {
+- config = dcmi::parseJSONConfig(dcmi::gDCMISensorsConfig);
+- parsed = true;
+- }
+-
+- if (!requestData->entityInstance)
+- {
+- // Read all instances
+- std::tie(sensors, responseData->numInstances) =
+- dcmi::sensor_info::readAll(it->second,
+- requestData->instanceStart, config);
+- }
+- else
+- {
+- // Read one instance
+- sensors.resize(1);
+- std::tie(sensors[0], responseData->numInstances) =
+- dcmi::sensor_info::read(it->second, requestData->entityInstance,
+- config);
+- }
+- responseData->numRecords = sensors.size();
+- }
+- catch (const InternalFailure& e)
+- {
+- return IPMI_CC_UNSPECIFIED_ERROR;
+- }
++ uint8_t requestedRecords = (entityInstance == 0) ? dcmi::maxRecords : 1;
++ // Read requested instances
++ const auto& [sensors, totalInstances] = dcmi::sensor_info::read(
++ it->second, instanceStart, config, requestedRecords);
++ uint8_t numRecords = sensors.size();
+
+- size_t payloadSize = sensors.size() * sizeof(dcmi::sensor_info::Response);
+- if (!sensors.empty())
+- {
+- memcpy(responseData + 1, // copy payload right after the response header
+- sensors.data(), payloadSize);
+- }
+- *data_len = sizeof(dcmi::GetSensorInfoResponseHdr) + payloadSize;
+-
+- return IPMI_CC_OK;
++ return ipmi::responseSuccess(totalInstances, numRecords, sensors);
+ }
+
+ void register_netfn_dcmi_functions()
+ {
+ // <Get Power Limit>
+-
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_POWER_LIMIT, NULL,
+- getPowerLimit, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetPowerLimit, ipmi::Privilege::User,
++ getPowerLimit);
+
+ // <Set Power Limit>
+-
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::SET_POWER_LIMIT, NULL,
+- setPowerLimit, PRIVILEGE_OPERATOR);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdSetPowerLimit,
++ ipmi::Privilege::Operator, setPowerLimit);
+
+ // <Activate/Deactivate Power Limit>
+-
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::APPLY_POWER_LIMIT,
+- NULL, applyPowerLimit, PRIVILEGE_OPERATOR);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdActDeactivatePwrLimit,
++ ipmi::Privilege::Operator, applyPowerLimit);
+
+ // <Get Asset Tag>
+-
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_ASSET_TAG, NULL,
+- getAssetTag, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetAssetTag, ipmi::Privilege::User,
++ getAssetTag);
+
+ // <Set Asset Tag>
+-
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::SET_ASSET_TAG, NULL,
+- setAssetTag, PRIVILEGE_OPERATOR);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdSetAssetTag, ipmi::Privilege::Operator,
++ setAssetTag);
+
+ // <Get Management Controller Identifier String>
+-
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_MGMNT_CTRL_ID_STR,
+- NULL, getMgmntCtrlIdStr, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetMgmtCntlrIdString,
++ ipmi::Privilege::User, getMgmntCtrlIdStr);
+
+ // <Set Management Controller Identifier String>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::SET_MGMNT_CTRL_ID_STR,
+- NULL, setMgmntCtrlIdStr, PRIVILEGE_ADMIN);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdSetMgmtCntlrIdString,
++ ipmi::Privilege::Admin, setMgmntCtrlIdStr);
+
+ // <Get DCMI capabilities>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_CAPABILITIES,
+- NULL, getDCMICapabilities, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetDcmiCapabilitiesInfo,
++ ipmi::Privilege::User, getDCMICapabilities);
+
+ // <Get Temperature Readings>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_TEMP_READINGS,
+- NULL, getTempReadings, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetTemperatureReadings,
++ ipmi::Privilege::User, getTempReadings);
+
+ // <Get Power Reading>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_POWER_READING,
+- NULL, getPowerReading, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetPowerReading, ipmi::Privilege::User,
++ getPowerReading);
+
+ // <Get Sensor Info>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_SENSOR_INFO, NULL,
+- getSensorInfo, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetDcmiSensorInfo,
++ ipmi::Privilege::Operator, getSensorInfo);
+
+ // <Get DCMI Configuration Parameters>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::GET_CONF_PARAMS, NULL,
+- getDCMIConfParams, PRIVILEGE_USER);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdGetDcmiConfigParameters,
++ ipmi::Privilege::User, getDCMIConfParams);
+
+ // <Set DCMI Configuration Parameters>
+- ipmi_register_callback(NETFUN_GRPEXT, dcmi::Commands::SET_CONF_PARAMS, NULL,
+- setDCMIConfParams, PRIVILEGE_ADMIN);
++ registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ ipmi::dcmi::cmdSetDcmiConfigParameters,
++ ipmi::Privilege::Admin, setDCMIConfParams);
+
+ return;
+ }
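Review bot: In `dcmi::sensor_info::read`, the loop fetches the record id with `config.value("record_id", 0)`, which queries the top-level sensors config rather than the current `reading`; the removed `createFromJson(reading)` took it from the entry itself, so every returned record id would presumably fall back to 0. The line should read `uint16_t recordId = reading.value("record_id", 0);`. In `getSensorInfo`, a non-zero `entityInstance` now only caps the count at 1 while `instanceStart` is still the value passed to `read`, and `read` skips on `instanceNum < instance` instead of matching exactly, so a single-instance request can return a different instance than the one asked for; passing `entityInstance` and comparing with `!=` in that case would restore the old behaviour. Get Sensor Info is also registered with `ipmi::Privilege::Operator` where the old callback used `PRIVILEGE_USER` and the other DCMI getters stay at User, so if that tightening is intended a one-line comment at the registration giving the reason would keep it from being reverted as an oversight.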
+diff --git a/dcmihandler.hpp b/dcmihandler.hpp
+index 4f35bc6..5adbd73 100644
+--- a/dcmihandler.hpp
++++ b/dcmihandler.hpp
+@@ -10,27 +10,6 @@
+ namespace dcmi
+ {
+
+-using NumInstances = size_t;
+-using Json = nlohmann::json;
+-
+-enum Commands
+-{
+- // Get capability bits
+- GET_CAPABILITIES = 0x01,
+- GET_POWER_READING = 0x02,
+- GET_POWER_LIMIT = 0x03,
+- SET_POWER_LIMIT = 0x04,
+- APPLY_POWER_LIMIT = 0x05,
+- GET_ASSET_TAG = 0x06,
+- GET_SENSOR_INFO = 0x07,
+- SET_ASSET_TAG = 0x08,
+- GET_MGMNT_CTRL_ID_STR = 0x09,
+- SET_MGMNT_CTRL_ID_STR = 0x0A,
+- GET_TEMP_READINGS = 0x10,
+- SET_CONF_PARAMS = 0x12,
+- GET_CONF_PARAMS = 0x13,
+-};
+-
+ static constexpr auto propIntf = "org.freedesktop.DBus.Properties";
+ static constexpr auto assetTagIntf =
+ "xyz.openbmc_project.Inventory.Decorator.AssetTag";
+@@ -41,7 +20,8 @@ static constexpr auto networkConfigIntf =
+ "xyz.openbmc_project.Network.SystemConfiguration";
+ static constexpr auto hostNameProp = "HostName";
+ static constexpr auto temperatureSensorType = 0x01;
+-static constexpr auto maxInstances = 255;
++static constexpr size_t maxInstances = 255;
++static constexpr uint8_t maxRecords = 8;
+ static constexpr auto gDCMISensorsConfig =
+ "/usr/share/ipmi-providers/dcmi_sensors.json";
+ static constexpr auto ethernetIntf =
+@@ -61,106 +41,6 @@ static constexpr auto gDCMIPowerMgmtSupported = 0x1;
+ static constexpr auto gMaxSELEntriesMask = 0xFFF;
+ static constexpr auto gByteBitSize = 8;
+
+-namespace assettag
+-{
+-
+-using ObjectPath = std::string;
+-using Service = std::string;
+-using Interfaces = std::vector<std::string>;
+-using ObjectTree = std::map<ObjectPath, std::map<Service, Interfaces>>;
+-
+-} // namespace assettag
+-
+-namespace temp_readings
+-{
+-static constexpr auto maxDataSets = 8;
+-static constexpr auto maxTemp = 127; // degrees C
+-
+-/** @struct Response
+- *
+- * DCMI payload for Get Temperature Readings response
+- */
+-struct Response
+-{
+-#if BYTE_ORDER == LITTLE_ENDIAN
+- uint8_t temperature : 7; //!< Temperature reading in Celsius
+- uint8_t sign : 1; //!< Sign bit
+-#endif
+-#if BYTE_ORDER == BIG_ENDIAN
+- uint8_t sign : 1; //!< Sign bit
+- uint8_t temperature : 7; //!< Temperature reading in Celsius
+-#endif
+- uint8_t instance; //!< Entity instance number
+-} __attribute__((packed));
+-
+-using ResponseList = std::vector<Response>;
+-using Value = uint8_t;
+-using Sign = bool;
+-using Temperature = std::tuple<Value, Sign>;
+-} // namespace temp_readings
+-
+-namespace sensor_info
+-{
+-static constexpr auto maxRecords = 8;
+-
+-/** @struct Response
+- *
+- * DCMI payload for Get Sensor Info response
+- */
+-struct Response
+-{
+- uint8_t recordIdLsb; //!< SDR record id LS byte
+- uint8_t recordIdMsb; //!< SDR record id MS byte
+-} __attribute__((packed));
+-
+-using ResponseList = std::vector<Response>;
+-} // namespace sensor_info
+-
+-static constexpr auto groupExtId = 0xDC;
+-
+-static constexpr auto assetTagMaxOffset = 62;
+-static constexpr auto assetTagMaxSize = 63;
+-static constexpr auto maxBytes = 16;
+-static constexpr size_t maxCtrlIdStrLen = 63;
+-
+-/** @struct GetAssetTagRequest
+- *
+- * DCMI payload for Get Asset Tag command request.
+- */
+-struct GetAssetTagRequest
+-{
+- uint8_t offset; //!< Offset to read.
+- uint8_t bytes; //!< Number of bytes to read.
+-} __attribute__((packed));
+-
+-/** @struct GetAssetTagResponse
+- *
+- * DCMI payload for Get Asset Tag command response.
+- */
+-struct GetAssetTagResponse
+-{
+- uint8_t tagLength; //!< Total asset tag length.
+-} __attribute__((packed));
+-
+-/** @struct SetAssetTagRequest
+- *
+- * DCMI payload for Set Asset Tag command request.
+- */
+-struct SetAssetTagRequest
+-{
+- uint8_t offset; //!< Offset to write.
+- uint8_t bytes; //!< Number of bytes to write.
+-} __attribute__((packed));
+-
+-/** @struct SetAssetTagResponse
+- *
+- * DCMI payload for Set Asset Tag command response.
+- */
+-struct SetAssetTagResponse
+-{
+- uint8_t tagLength; //!< Total asset tag length.
+-} __attribute__((packed));
+-
+ /** @brief Check whether DCMI power management is supported
+ * in the DCMI Capabilities config file.
+ *
+@@ -168,416 +48,4 @@ struct SetAssetTagResponse
+ */
+ bool isDCMIPowerMgmtSupported();
+
+-/** @brief Read the object tree to fetch the object path that implemented the
+- * Asset tag interface.
+- *
+- * @param[in,out] objectTree - object tree
+- *
+- * @return On success return the object tree with the object path that
+- * implemented the AssetTag interface.
+- */
+-void readAssetTagObjectTree(dcmi::assettag::ObjectTree& objectTree);
+-
+-/** @brief Read the asset tag of the server
+- *
+- * @return On success return the asset tag.
+- */
+-std::string readAssetTag();
+-
+-/** @brief Write the asset tag to the asset tag DBUS property
+- *
+- * @param[in] assetTag - Asset Tag to be written to the property.
+- */
+-void writeAssetTag(const std::string& assetTag);
+-
+-/** @brief Read the current power cap value
+- *
+- * @param[in] bus - dbus connection
+- *
+- * @return On success return the power cap value.
+- */
+-uint32_t getPcap(sdbusplus::bus::bus& bus);
+-
+-/** @brief Check if the power capping is enabled
+- *
+- * @param[in] bus - dbus connection
+- *
+- * @return true if the powerCap is enabled and false if the powercap
+- * is disabled.
+- */
+-bool getPcapEnabled(sdbusplus::bus::bus& bus);
+-
+-/** @struct GetPowerLimitResponse
+- *
+- * DCMI payload for Get Power Limit command response.
+- */
+-struct GetPowerLimitResponse
+-{
+- uint16_t reserved; //!< Reserved.
+- uint8_t exceptionAction; //!< Exception action.
+- uint16_t powerLimit; //!< Power limit requested in watts.
+- uint32_t correctionTime; //!< Correction time limit in milliseconds.
+- uint16_t reserved1; //!< Reserved.
+- uint16_t samplingPeriod; //!< Statistics sampling period in seconds.
+-} __attribute__((packed));
+-
+-/** @brief Set the power cap value
+- *
+- * @param[in] bus - dbus connection
+- * @param[in] powerCap - power cap value
+- */
+-void setPcap(sdbusplus::bus::bus& bus, const uint32_t powerCap);
+-
+-/** @struct SetPowerLimitRequest
+- *
+- * DCMI payload for Set Power Limit command request.
+- */
+-struct SetPowerLimitRequest
+-{
+- uint16_t reserved; //!< Reserved
+- uint8_t reserved1; //!< Reserved
+- uint8_t exceptionAction; //!< Exception action.
+- uint16_t powerLimit; //!< Power limit requested in watts.
+- uint32_t correctionTime; //!< Correction time limit in milliseconds.
+- uint16_t reserved2; //!< Reserved.
+- uint16_t samplingPeriod; //!< Statistics sampling period in seconds.
+-} __attribute__((packed));
+-
+-/** @brief Enable or disable the power capping
+- *
+- * @param[in] bus - dbus connection
+- * @param[in] enabled - enable/disable
+- */
+-void setPcapEnable(sdbusplus::bus::bus& bus, bool enabled);
+-
+-/** @struct ApplyPowerLimitRequest
+- *
+- * DCMI payload for Activate/Deactivate Power Limit command request.
+- */
+-struct ApplyPowerLimitRequest
+-{
+- uint8_t powerLimitAction; //!< Power limit activation
+- uint16_t reserved; //!< Reserved
+-} __attribute__((packed));
+-
+-/** @struct GetMgmntCtrlIdStrRequest
+- *
+- * DCMI payload for Get Management Controller Identifier String cmd request.
+- */
+-struct GetMgmntCtrlIdStrRequest
+-{
+- uint8_t offset; //!< Offset to read.
+- uint8_t bytes; //!< Number of bytes to read.
+-} __attribute__((packed));
+-
+-/** @struct GetMgmntCtrlIdStrResponse
+- *
+- * DCMI payload for Get Management Controller Identifier String cmd response.
+- */
+-struct GetMgmntCtrlIdStrResponse
+-{
+- uint8_t strLen; //!< ID string length.
+- char data[]; //!< ID string
+-} __attribute__((packed));
+-
+-/** @struct SetMgmntCtrlIdStrRequest
+- *
+- * DCMI payload for Set Management Controller Identifier String cmd request.
+- */
+-struct SetMgmntCtrlIdStrRequest
+-{
+- uint8_t offset; //!< Offset to write.
+- uint8_t bytes; //!< Number of bytes to read.
+- char data[]; //!< ID string
+-} __attribute__((packed));
+-
+-/** @struct GetMgmntCtrlIdStrResponse
+- *
+- * DCMI payload for Get Management Controller Identifier String cmd response.
+- */
+-struct SetMgmntCtrlIdStrResponse
+-{
+- uint8_t offset; //!< Last Offset Written.
+-} __attribute__((packed));
+-
+-/** @enum DCMICapParameters
+- *
+- * DCMI Capability parameters
+- */
+-enum class DCMICapParameters
+-{
+- SUPPORTED_DCMI_CAPS = 0x01, //!< Supported DCMI Capabilities
+- MANDATORY_PLAT_ATTRIBUTES = 0x02, //!< Mandatory Platform Attributes
+- OPTIONAL_PLAT_ATTRIBUTES = 0x03, //!< Optional Platform Attributes
+- MANAGEABILITY_ACCESS_ATTRIBUTES = 0x04, //!< Manageability Access Attributes
+-};
+-
+-/** @struct GetDCMICapRequest
+- *
+- * DCMI payload for Get capabilities cmd request.
+- */
+-struct GetDCMICapRequest
+-{
+- uint8_t param; //!< Capability parameter selector.
+-} __attribute__((packed));
+-
+-/** @struct GetDCMICapRequest
+- *
+- * DCMI payload for Get capabilities cmd response.
+- */
+-struct GetDCMICapResponse
+-{
+- uint8_t major; //!< DCMI Specification Conformance - major ver
+- uint8_t minor; //!< DCMI Specification Conformance - minor ver
+- uint8_t paramRevision; //!< Parameter Revision = 02h
+- uint8_t data[]; //!< Capability array
+-} __attribute__((packed));
+-
+-/** @struct DCMICap
+- *
+- * DCMI capabilities protocol info.
+- */
+-struct DCMICap
+-{
+- std::string name; //!< Name of DCMI capability.
+- uint8_t bytePosition; //!< Starting byte number from DCMI spec.
+- uint8_t position; //!< bit position from the DCMI spec.
+- uint8_t length; //!< Length of the value from DCMI spec.
+-};
+-
+-using DCMICapList = std::vector<DCMICap>;
+-
+-/** @struct DCMICapEntry
+- *
+- * DCMI capabilities list and size for each parameter.
+- */
+-struct DCMICapEntry
+-{
+- uint8_t size; //!< Size of capability array in bytes.
+- DCMICapList capList; //!< List of capabilities for a parameter.
+-};
+-
+-using DCMICaps = std::map<DCMICapParameters, DCMICapEntry>;
+-
+-/** @struct GetTempReadingsRequest
+- *
+- * DCMI payload for Get Temperature Readings request
+- */
+-struct GetTempReadingsRequest
+-{
+- uint8_t sensorType; //!< Type of the sensor
+- uint8_t entityId; //!< Entity ID
+- uint8_t entityInstance; //!< Entity Instance (0 means all instances)
+- uint8_t instanceStart; //!< Instance start (used if instance is 0)
+-} __attribute__((packed));
+-
+-/** @struct GetTempReadingsResponse
+- *
+- * DCMI header for Get Temperature Readings response
+- */
+-struct GetTempReadingsResponseHdr
+-{
+- uint8_t numInstances; //!< No. of instances for requested id
+- uint8_t numDataSets; //!< No. of sets of temperature data
+-} __attribute__((packed));
+-
+-/** @brief Parse out JSON config file.
+- *
+- * @param[in] configFile - JSON config file name
+- *
+- * @return A json object
+- */
+-Json parseJSONConfig(const std::string& configFile);
+-
+-namespace temp_readings
+-{
+-/** @brief Read temperature from a d-bus object, scale it as per dcmi
+- * get temperature reading requirements.
+- *
+- * @param[in] dbusService - the D-Bus service
+- * @param[in] dbusPath - the D-Bus path
+- *
+- * @return A temperature reading
+- */
+-Temperature readTemp(const std::string& dbusService,
+- const std::string& dbusPath);
+-
+-/** @brief Read temperatures and fill up DCMI response for the Get
+- * Temperature Readings command. This looks at a specific
+- * instance.
+- *
+- * @param[in] type - one of "inlet", "cpu", "baseboard"
+- * @param[in] instance - A non-zero Entity instance number
+- *
+- * @return A tuple, containing a temperature reading and the
+- * number of instances.
+- */
+-std::tuple<Response, NumInstances> read(const std::string& type,
+- uint8_t instance);
+-
+-/** @brief Read temperatures and fill up DCMI response for the Get
+- * Temperature Readings command. This looks at a range of
+- * instances.
+- *
+- * @param[in] type - one of "inlet", "cpu", "baseboard"
+- * @param[in] instanceStart - Entity instance start index
+- *
+- * @return A tuple, containing a list of temperature readings and the
+- * number of instances.
+- */
+-std::tuple<ResponseList, NumInstances> readAll(const std::string& type,
+- uint8_t instanceStart);
+-} // namespace temp_readings
+-
+-namespace sensor_info
+-{
+-/** @brief Create response from JSON config.
+- *
+- * @param[in] config - JSON config info about DCMI sensors
+- *
+- * @return Sensor info response
+- */
+-Response createFromJson(const Json& config);
+-
+-/** @brief Read sensor info and fill up DCMI response for the Get
+- * Sensor Info command. This looks at a specific
+- * instance.
+- *
+- * @param[in] type - one of "inlet", "cpu", "baseboard"
+- * @param[in] instance - A non-zero Entity instance number
+- * @param[in] config - JSON config info about DCMI sensors
+- *
+- * @return A tuple, containing a sensor info response and
+- * number of instances.
+- */
+-std::tuple<Response, NumInstances> read(const std::string& type,
+- uint8_t instance, const Json& config);
+-
+-/** @brief Read sensor info and fill up DCMI response for the Get
+- * Sensor Info command. This looks at a range of
+- * instances.
+- *
+- * @param[in] type - one of "inlet", "cpu", "baseboard"
+- * @param[in] instanceStart - Entity instance start index
+- * @param[in] config - JSON config info about DCMI sensors
+- *
+- * @return A tuple, containing a list of sensor info responses and the
+- * number of instances.
+- */
+-std::tuple<ResponseList, NumInstances>
+- readAll(const std::string& type, uint8_t instanceStart, const Json& config);
+-} // namespace sensor_info
+-
+-/** @brief Read power reading from power reading sensor object
+- *
+- * @param[in] bus - dbus connection
+- *
+- * @return total power reading
+- */
+-int64_t getPowerReading(sdbusplus::bus::bus& bus);
+-
+-/** @struct GetPowerReadingRequest
+- *
+- * DCMI Get Power Reading command request.
+- * Refer DCMI specification Version 1.1 Section 6.6.1
+- */
+-struct GetPowerReadingRequest
+-{
+- uint8_t mode; //!< Mode
+- uint8_t modeAttribute; //!< Mode Attributes
+-} __attribute__((packed));
+-
+-/** @struct GetPowerReadingResponse
+- *
+- * DCMI Get Power Reading command response.
+- * Refer DCMI specification Version 1.1 Section 6.6.1
+- */
+-struct GetPowerReadingResponse
+-{
+- uint16_t currentPower; //!< Current power in watts
+- uint16_t minimumPower; //!< Minimum power over sampling duration
+- //!< in watts
+- uint16_t maximumPower; //!< Maximum power over sampling duration
+- //!< in watts
+- uint16_t averagePower; //!< Average power over sampling duration
+- //!< in watts
+- uint32_t timeStamp; //!< IPMI specification based time stamp
+- uint32_t timeFrame; //!< Statistics reporting time period in milli
+- //!< seconds.
+- uint8_t powerReadingState; //!< Power Reading State
+-} __attribute__((packed));
+-
+-/** @struct GetSensorInfoRequest
+- *
+- * DCMI payload for Get Sensor Info request
+- */
+-struct GetSensorInfoRequest
+-{
+- uint8_t sensorType; //!< Type of the sensor
+- uint8_t entityId; //!< Entity ID
+- uint8_t entityInstance; //!< Entity Instance (0 means all instances)
+- uint8_t instanceStart; //!< Instance start (used if instance is 0)
+-} __attribute__((packed));
+-
+-/** @struct GetSensorInfoResponseHdr
+- *
+- * DCMI header for Get Sensor Info response
+- */
+-struct GetSensorInfoResponseHdr
+-{
+- uint8_t numInstances; //!< No. of instances for requested id
+- uint8_t numRecords; //!< No. of record ids in the response
+-} __attribute__((packed));
+-/**
+- * @brief Parameters for DCMI Configuration Parameters
+- */
+-enum class DCMIConfigParameters : uint8_t
+-{
+- ActivateDHCP = 1,
+- DiscoveryConfig,
+- DHCPTiming1,
+- DHCPTiming2,
+- DHCPTiming3,
+-};
+-
+-/** @struct SetConfParamsRequest
+- *
+- * DCMI Set DCMI Configuration Parameters Command.
+- * Refer DCMI specification Version 1.1 Section 6.1.2
+- */
+-struct SetConfParamsRequest
+-{
+- uint8_t paramSelect; //!< Parameter selector.
+- uint8_t setSelect; //!< Set Selector (use 00h for parameters that only
+- //!< have one set).
+- uint8_t data[]; //!< Configuration parameter data.
+-} __attribute__((packed));
+-
+-/** @struct GetConfParamsRequest
+- *
+- * DCMI Get DCMI Configuration Parameters Command.
+- * Refer DCMI specification Version 1.1 Section 6.1.3
+- */
+-struct GetConfParamsRequest
+-{
+- uint8_t paramSelect; //!< Parameter selector.
+- uint8_t setSelect; //!< Set Selector. Selects a given set of parameters
+- //!< under a given Parameter selector value. 00h if
+- //!< parameter doesn't use a Set Selector.
+-} __attribute__((packed));
+-
+-/** @struct GetConfParamsResponse
+- *
+- * DCMI Get DCMI Configuration Parameters Command response.
+- * Refer DCMI specification Version 1.1 Section 6.1.3
+- */
+-struct GetConfParamsResponse
+-{
+- uint8_t major; //!< DCMI Spec Conformance - major ver = 01h.
+- uint8_t minor; //!< DCMI Spec Conformance - minor ver = 05h.
+- uint8_t paramRevision; //!< Parameter Revision = 01h.
+- uint8_t data[]; //!< Parameter data.
+-
+-} __attribute__((packed));
+-
+ } // namespace dcmi
+diff --git a/ipmid-new.cpp b/ipmid-new.cpp
+index 7f558cd..d2ae3b3 100644
+--- a/ipmid-new.cpp
++++ b/ipmid-new.cpp
+@@ -23,7 +23,6 @@
+ #include <any>
+ #include <boost/algorithm/string.hpp>
+ #include <boost/asio/io_context.hpp>
+-#include <dcmihandler.hpp>
+ #include <exception>
+ #include <filesystem>
+ #include <forward_list>
+@@ -713,8 +712,8 @@ void ipmi_register_callback(ipmi_netfn_t netFn, ipmi_cmd_t cmd,
+ // all the handlers were part of the DCMI group, so default to that.
+ if (netFn == NETFUN_GRPEXT)
+ {
+- ipmi::impl::registerGroupHandler(ipmi::prioOpenBmcBase,
+- dcmi::groupExtId, cmd, realPriv, h);
++ ipmi::impl::registerGroupHandler(ipmi::prioOpenBmcBase, ipmi::groupDCMI,
++ cmd, realPriv, h);
+ }
+ else
+ {
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0066-Fix-for-static-analyser-tool-reported-issues.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0066-Fix-for-static-analyser-tool-reported-issues.patch
new file mode 100644
index 000000000..a3fe8a224
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0066-Fix-for-static-analyser-tool-reported-issues.patch
@@ -0,0 +1,186 @@
+From 1b5c7030d1d9b13e73fb5779498233630f76bdf8 Mon Sep 17 00:00:00 2001
+From: PavanKumarIntel <pavanx.kumar.martha@intel.com>
+Date: Thu, 14 Sep 2023 12:14:25 +0000
+Subject: [PATCH] Fix for static analyser tool reported issues
+
+Signed-off-by: PavanKumarIntel <pavanx.kumar.martha@intel.com>
+
+%% original patch: 0066-Fix-for-Coverity-Issues.patch
+---
+ apphandler.cpp | 11 ++---------
+ storagehandler.cpp | 11 ++++++-----
+ transporthandler.cpp | 6 +++---
+ user_channel/channel_layer.cpp | 4 +---
+ user_channel/channelcommands.cpp | 4 ++--
+ user_channel/passwd_mgr.cpp | 10 ++++++++--
+ 6 files changed, 22 insertions(+), 24 deletions(-)
+
+diff --git a/apphandler.cpp b/apphandler.cpp
+index 41dbc8f..bd2bd6f 100644
+--- a/apphandler.cpp
++++ b/apphandler.cpp
+@@ -88,9 +88,7 @@ static constexpr const char* cmdStr = "command";
+ static constexpr const char* cmdMaskStr = "commandMask";
+ static constexpr int base_16 = 16;
+ #endif // ENABLE_I2C_WHITELIST_CHECK
+-static constexpr uint8_t maxIPMIWriteReadSize = 255;
+ static constexpr uint8_t oemCmdStart = 192;
+-static constexpr uint8_t oemCmdEnd = 255;
+ static constexpr uint8_t invalidParamSelectorStart = 8;
+ static constexpr uint8_t invalidParamSelectorEnd = 191;
+
+@@ -1292,7 +1290,7 @@ ipmi::RspType<uint8_t, // Parameter revision
+ {
+ return ipmi::responseInvalidFieldRequest();
+ }
+- if ((paramSelector >= oemCmdStart) && (paramSelector <= oemCmdEnd))
++ if (paramSelector >= oemCmdStart)
+ {
+ return ipmi::responseParmNotSupported();
+ }
+@@ -1369,7 +1367,7 @@ ipmi::RspType<> ipmiAppSetSystemInfo(uint8_t paramSelector, uint8_t data1,
+ {
+ return ipmi::responseInvalidFieldRequest();
+ }
+- if ((paramSelector >= oemCmdStart) && (paramSelector <= oemCmdEnd))
++ if (paramSelector >= oemCmdStart)
+ {
+ return ipmi::responseParmNotSupported();
+ }
+@@ -1633,11 +1631,6 @@ ipmi::RspType<std::vector<uint8_t>>
+ {
+ return ipmi::responseInvalidFieldRequest();
+ }
+- if (readCount > maxIPMIWriteReadSize)
+- {
+- log<level::ERR>("Master write read command: Read count exceeds limit");
+- return ipmi::responseParmOutOfRange();
+- }
+ const size_t writeCount = writeData.size();
+ if (!readCount && !writeCount)
+ {
+diff --git a/storagehandler.cpp b/storagehandler.cpp
+index cdd61da..d2f06cc 100644
+--- a/storagehandler.cpp
++++ b/storagehandler.cpp
+@@ -437,14 +437,15 @@ ipmi::RspType<uint16_t // deleted record ID
+ }
+ else
+ {
+- iter = selCacheMap.find(selRecordID);
+- if (iter == selCacheMap.end())
+- {
+- return ipmi::responseSensorInvalid();
+- }
+ delRecordID = selRecordID;
+ }
+
++ iter = selCacheMap.find(delRecordID);
++ if (iter == selCacheMap.end())
++ {
++ return ipmi::responseSensorInvalid();
++ }
++
+ sdbusplus::bus::bus bus{ipmid_get_sd_bus_connection()};
+ std::string service;
+
+diff --git a/transporthandler.cpp b/transporthandler.cpp
+index 5f70d96..0713440 100644
+--- a/transporthandler.cpp
++++ b/transporthandler.cpp
+@@ -55,7 +55,6 @@ const std::unordered_set<IP::AddressOrigin> originsV4 = {
+ };
+
+ static constexpr uint8_t oemCmdStart = 192;
+-static constexpr uint8_t oemCmdEnd = 255;
+
+ std::optional<ChannelParams> maybeGetChannelParams(sdbusplus::bus::bus& bus,
+ uint8_t channel)
+@@ -1234,7 +1233,7 @@ RspType<> setLan(Context::ptr ctx, uint4_t channelBits, uint4_t reserved1,
+ }
+ }
+
+- if ((parameter >= oemCmdStart) && (parameter <= oemCmdEnd))
++ if (parameter >= oemCmdStart)
+ {
+ return setLanOem(channel, parameter, req);
+ }
+@@ -1521,7 +1520,7 @@ RspType<message::Payload> getLan(Context::ptr ctx, uint4_t channelBits,
+ }
+ }
+
+- if ((parameter >= oemCmdStart) && (parameter <= oemCmdEnd))
++ if (parameter >= oemCmdStart)
+ {
+ return getLanOem(channel, parameter, set, block);
+ }
+@@ -1982,6 +1981,7 @@ ipmi::RspType<uint8_t, std::optional<uint8_t>, std::optional<uint8_t>>
+ {
+ phosphor::logging::log<phosphor::logging::level::ERR>(
+ "Failed to get valid baud rate from D-Bus interface");
++ return ipmi::responseUnspecifiedError();
+ }
+ switch (*pBaudRate)
+ {
+diff --git a/user_channel/channel_layer.cpp b/user_channel/channel_layer.cpp
+index 03b1729..022c132 100644
+--- a/user_channel/channel_layer.cpp
++++ b/user_channel/channel_layer.cpp
+@@ -51,9 +51,7 @@ bool isValidPrivLimit(const uint8_t privLimit)
+
+ bool isValidAccessMode(const uint8_t accessMode)
+ {
+- return (
+- (accessMode >= static_cast<uint8_t>(EChannelAccessMode::disabled)) &&
+- (accessMode <= static_cast<uint8_t>(EChannelAccessMode::shared)));
++ return (accessMode <= static_cast<uint8_t>(EChannelAccessMode::shared));
+ }
+
+ bool isValidChannel(const uint8_t chNum)
+diff --git a/user_channel/channelcommands.cpp b/user_channel/channelcommands.cpp
+index 769f9ff..e3dffe8 100644
+--- a/user_channel/channelcommands.cpp
++++ b/user_channel/channelcommands.cpp
+@@ -194,9 +194,9 @@ ipmi ::RspType<uint3_t, // access mode,
+ return response(ccActionNotSupportedForChannel);
+ }
+
+- ChannelAccess chAccess;
++ ChannelAccess chAccess = {};
+
+- Cc compCode;
++ Cc compCode = ipmi::ccUnspecifiedError;
+
+ if (types::enum_cast<EChannelActionType>(accessSetMode) == nvData)
+ {
+diff --git a/user_channel/passwd_mgr.cpp b/user_channel/passwd_mgr.cpp
+index 9b232b5..86a38d5 100644
+--- a/user_channel/passwd_mgr.cpp
++++ b/user_channel/passwd_mgr.cpp
+@@ -74,7 +74,10 @@ void PasswdMgr::restrictFilesPermission(void)
+ {
+ if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
+ {
+- chmod(passwdFileName, S_IRUSR | S_IWUSR);
++ if (chmod(passwdFileName, S_IRUSR | S_IWUSR) == -1)
++ {
++ log<level::DEBUG>("Error setting chmod for ipmi_pass file");
++ }
+ }
+ }
+
+@@ -82,7 +85,10 @@ void PasswdMgr::restrictFilesPermission(void)
+ {
+ if ((st.st_mode & modeMask) != (S_IRUSR | S_IWUSR))
+ {
+- chmod(encryptKeyFileName, S_IRUSR | S_IWUSR);
++ if (chmod(encryptKeyFileName, S_IRUSR | S_IWUSR) == -1)
++ {
++ log<level::DEBUG>("Error setting chmod for key_file file");
++ }
+ }
+ }
+ }
+--
+2.25.1
+
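Review bot: In the `user_channel/passwd_mgr.cpp` part of this patch, a failed `chmod` on the IPMI password file or its key file is logged only at `level::DEBUG`, so a credential file left readable beyond its owner goes unnoticed at a production log level. Log it as an error and include `errno`, e.g. `log<level::ERR>("Failed to restrict ipmi_pass file permissions", entry("ERRNO=%d", errno));`, and do the same for the key file; this assumes `entry` from phosphor-logging is in scope the way `log` is. `restrictFilesPermission` returns `void` and starts outside the hunk, so whether callers should refuse to continue on failure cannot be decided from here. Separately, the `apphandler.cpp` part drops the `readCount > maxIPMIWriteReadSize` guard, which is only safe if `readCount` is a `uint8_t`; the hunk does not show its type.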
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host_%.bbappend
index 9225fb36d..7debf20e8 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host_%.bbappend
@@ -11,6 +11,8 @@ SRC_URI += "file://phosphor-ipmi-host.service \
file://0060-Move-Get-SOL-config-parameter-to-host-ipmid.patch \
file://0063-Save-the-pre-timeout-interrupt-in-dbus-property.patch \
file://0064-user_mgmt-Fix-for-user-privilege-race-condition.patch \
+ file://0065--Refactor-DCMI-IPMI-commands.patch \
+ file://0066-Fix-for-static-analyser-tool-reported-issues.patch \
"
EXTRA_OECONF:append = " --disable-i2c-whitelist-check"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/0004-Fix-for-Coverity-Issues.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/0004-Fix-for-Coverity-Issues.patch
new file mode 100644
index 000000000..600cff949
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/0004-Fix-for-Coverity-Issues.patch
@@ -0,0 +1,49 @@
+From 68dc114230d309f2214500978ed0406335fd5036 Mon Sep 17 00:00:00 2001
+From: PavanKumarIntel <pavanx.kumar.martha@intel.com>
+Date: Wed, 13 Sep 2023 13:20:22 +0000
+Subject: [PATCH] This Commit resolves the Coverity issues
+
+Signed-off-by: PavanKumarIntel <pavanx.kumar.martha@intel.com>
+---
+ ipmbbridged.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/ipmbbridged.cpp b/ipmbbridged.cpp
+index 0508fcc..d54df31 100644
+--- a/ipmbbridged.cpp
++++ b/ipmbbridged.cpp
+@@ -27,6 +27,7 @@
+ #include <boost/asio/write.hpp>
+ #include <filesystem>
+ #include <fstream>
++#include <list>
+ #include <nlohmann/json.hpp>
+ #include <phosphor-logging/log.hpp>
+ #include <tuple>
+@@ -320,10 +321,6 @@ bool IpmbChannel::seqNumGet(uint8_t &seq)
+ for (int i = 0; i < ipmbMaxOutstandingRequestsCount; i++)
+ {
+ seqNum = ++seqNum & ipmbSeqMask;
+- if (seqNum == ipmbMaxOutstandingRequestsCount)
+- {
+- seqNum = 0;
+- }
+
+ if (outstandingRequests[seqNum] == nullptr)
+ {
+@@ -363,6 +360,12 @@ void IpmbChannel::processI2cEvent()
+ lseek(ipmbi2cSlaveFd, 0, SEEK_SET);
+ int r = read(ipmbi2cSlaveFd, buffer.data(), ipmbMaxFrameLength);
+
++ // Handle error cases.
++ if (r < 0)
++ {
++ goto end;
++ }
++
+ /* Substract first byte len size from total frame length */
+ r--;
+
+--
+2.25.1
+
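Review bot: The new guard in `IpmbChannel::processI2cEvent` rejects only `r < 0`, so a zero-byte `read()` still reaches `r--` and carries on with `r == -1`. Use `if (r <= 0)` unless the length checks below the hunk, which are not visible here, already reject that case. The failure is also dropped silently; a log line with `errno` before `goto end;` would make read errors on the I2C slave device diagnosable. The removal of the wrap-around branch in `seqNumGet` relies on `ipmbSeqMask` keeping `seqNum` below `ipmbMaxOutstandingRequestsCount`, which deserves a comment such as `// ipmbSeqMask keeps seqNum inside outstandingRequests`.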
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb_%.bbappend
index caf25fdd6..3d8fb96fb 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb_%.bbappend
@@ -4,6 +4,7 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://0001-Add-dbus-method-SlotIpmbRequest.patch \
file://0002-Add-log-count-limitation-to-requestAdd.patch \
file://0003-Fix-for-clearing-outstanding-requests.patch \
+ file://0004-Fix-for-Coverity-Issues.patch \
file://ipmb-channels.json \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb
index 5ea48b234..1ae391889 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb
@@ -6,6 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
SRC_URI = "git://git@github.com/Intel-BMC/nvme-mi.git;protocol=ssh;branch=master"
SRCREV = "b6f50e04516962a4e94fe9340251999f154197c4"
+
+SRC_URI += " \
+ file://0001-Static-analyser-issue-resolution.patch \
+ "
+
S = "${WORKDIR}/git"
PV = "1.0+git${SRCPV}"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon/0001-Static-analyser-issue-resolution.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon/0001-Static-analyser-issue-resolution.patch
new file mode 100644
index 000000000..3070be429
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon/0001-Static-analyser-issue-resolution.patch
@@ -0,0 +1,103 @@
+From 926403c3e73db3fb59661b6360890c1b4efc46f2 Mon Sep 17 00:00:00 2001
+From: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+Date: Tue, 17 Oct 2023 23:07:09 -0700
+Subject: [PATCH] Fix for static analyser tool reported issues.
+
+Signed-off-by: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+---
+ main.cpp | 17 +++++++++++++----
+ protocol/admin/admin_cmd.hpp | 4 ++--
+ protocol/mi/subsystem_hs_poll.hpp | 5 ++---
+ protocol/mi_msg.hpp | 4 ++--
+ 4 files changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/main.cpp b/main.cpp
+index 25f4aa3..3914a37 100644
+--- a/main.cpp
++++ b/main.cpp
+@@ -256,8 +256,17 @@ void DeviceUpdateHandler::operator()(
+
+ int main()
+ {
+- Application app;
+- app.init();
+- app.run();
+- return 0;
++ try
++ {
++ Application app;
++ app.init();
++ app.run();
++ return 0;
++ }
++ catch(const std::exception& e)
++ {
++ phosphor::logging::log<phosphor::logging::level::ERR>(
++ (std::string( "Error running nvme-mi application") + e.what()).c_str());
++ return -1;
++ }
+ }
+diff --git a/protocol/admin/admin_cmd.hpp b/protocol/admin/admin_cmd.hpp
+index 6bac094..fc5d2b4 100644
+--- a/protocol/admin/admin_cmd.hpp
++++ b/protocol/admin/admin_cmd.hpp
+@@ -151,7 +151,7 @@ class AdminCommand<uint8_t*> : public NVMeMessage<uint8_t*>,
+ {
+ return buffer;
+ }
+- void setAdminOpCode(AdminOpCode opCode) noexcept
++ void setAdminOpCode(AdminOpCode opCode)
+ {
+ buffer->opCode = opCode;
+ setCRC();
+@@ -234,4 +234,4 @@ AdminCommand(T&) -> AdminCommand<uint8_t*>;
+ template <typename T>
+ AdminCommand(T&, AdminOpCode) -> AdminCommand<uint8_t*>;
+
+-} // namespace nvmemi::protocol
+\ No newline at end of file
++} // namespace nvmemi::protocol
+diff --git a/protocol/mi/subsystem_hs_poll.hpp b/protocol/mi/subsystem_hs_poll.hpp
+index d3fa139..196197b 100644
+--- a/protocol/mi/subsystem_hs_poll.hpp
++++ b/protocol/mi/subsystem_hs_poll.hpp
+@@ -92,8 +92,7 @@ static inline int8_t convertToCelsius(uint8_t tempByte)
+ }
+
+ constexpr uint8_t negativeMin = 0xC5;
+- constexpr uint8_t negativeMax = 0xFF;
+- if (negativeMin <= tempByte && tempByte <= negativeMax)
++ if (negativeMin <= tempByte)
+ {
+ auto tempVal = static_cast<int8_t>(-1 * (256 - tempByte));
+ return tempVal;
+@@ -104,4 +103,4 @@ static inline int8_t convertToCelsius(uint8_t tempByte)
+ }
+ }
+
+-} // namespace nvmemi::protocol::subsystemhs
+\ No newline at end of file
++} // namespace nvmemi::protocol::subsystemhs
+diff --git a/protocol/mi_msg.hpp b/protocol/mi_msg.hpp
+index 88f20ef..730b696 100644
+--- a/protocol/mi_msg.hpp
++++ b/protocol/mi_msg.hpp
+@@ -123,7 +123,7 @@ class ManagementInterfaceMessage<uint8_t*>
+ {
+ return buffer;
+ }
+- void setMiOpCode(MiOpCode opCode) noexcept
++ void setMiOpCode(MiOpCode opCode)
+ {
+ this->buffer->opCode = opCode;
+ setCRC();
+@@ -174,4 +174,4 @@ template <typename T>
+ ManagementInterfaceMessage(T&, MiOpCode)
+ -> ManagementInterfaceMessage<uint8_t*>;
+
+-} // namespace nvmemi::protocol
+\ No newline at end of file
++} // namespace nvmemi::protocol
+--
+2.25.1
+
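Review bot: The log message built in the new `catch` block of `main()` joins the literal and `e.what()` with no separator, so the two texts run together; write `(std::string("Error running nvme-mi application: ") + e.what()).c_str()`. Only `std::exception` is caught, so any other thrown type still terminates the daemon without a log line; a trailing `catch (...)` that logs and returns non-zero would close that gap. The `noexcept` removals on `setAdminOpCode` and `setMiOpCode` suggest `setCRC()` may throw, and a one-line comment on those setters saying so would explain the change to later readers.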
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager.bb b/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager.bb
index d6196b75e..c11b532e6 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager.bb
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager.bb
@@ -9,6 +9,10 @@ DEPENDS = "boost sdbusplus"
PV = "0.1+git${SRCPV}"
SRCREV = "26067f6af051ccf8feff251a081aa46e45dfa4dc"
+SRC_URI += " \
+ file://0001-Static-analyser-issue-resolution.patch \
+ "
+
S = "${WORKDIR}/git/callback-manager"
SYSTEMD_SERVICE:${PN} += "callback-manager.service"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager/0001-Static-analyser-issue-resolution.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager/0001-Static-analyser-issue-resolution.patch
new file mode 100644
index 000000000..8c03fea0b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager/0001-Static-analyser-issue-resolution.patch
@@ -0,0 +1,44 @@
+From a13b83e8058f2507dbd783985794790df8137f61 Mon Sep 17 00:00:00 2001
+From: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+Date: Thu, 5 Oct 2023 12:55:06 +0000
+Subject: [PATCH] Fix for static analyser tool reported issues.
+
+In this code, we first save the original format flags of std::cerr
+using std::ios_base::fmtflags originalFlags = std::cerr.flags().
+Then, we can modify the format flags as needed. Finally, after
+using the modified format flags, we restore the original format
+flags using std::cerr.flags(originalFlags);
+
+Signed-off-by: Yaswanth Reddy M <yaswanthx.reddy.munukuru@intel.com>
+---
+ callback-manager/src/callback_manager.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/callback_manager.cpp b/src/callback_manager.cpp
+index 5050205..6651ae1 100644
+--- a/src/callback_manager.cpp
++++ b/src/callback_manager.cpp
+@@ -110,17 +110,20 @@ void updateLedStatus(std::shared_ptr<sdbusplus::asio::connection>& conn,
+ {
+ conn->async_method_call(
+ [ledPair](const boost::system::error_code ec) {
++ std::ios_base::fmtflags originalFlags = std::cerr.flags();
+ if (ec)
+ {
+ std::cerr << "Cannot set " << ledPair.first << " to "
+ << std::boolalpha
+ << std::get<bool>(ledPair.second) << "\n";
++ std::cerr.flags(originalFlags);
+ }
+ if constexpr (debug)
+ {
+ std::cerr << "Set " << ledPair.first << " to "
+ << std::boolalpha
+ << std::get<bool>(ledPair.second) << "\n";
++ std::cerr.flags(originalFlags);
+ }
+ },
+ ledManagerBusname, ledPair.first,
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry/0001-Coverity-2770238.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry/0001-Coverity-2770238.patch
new file mode 100644
index 000000000..fa13847ba
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry/0001-Coverity-2770238.patch
@@ -0,0 +1,40 @@
+From 50e811dee326936f3de8cb9df6c623d8d4858577 Mon Sep 17 00:00:00 2001
+From: Wojciech Tempczyk <wojciechx.tempczyk@intel.com>
+Date: Tue, 19 Sep 2023 14:32:05 +0200
+Subject: [PATCH] Coverity 2770238
+
+---
+ src/report.cpp | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/src/report.cpp b/src/report.cpp
+index 26fcd0b..c480675 100644
+--- a/src/report.cpp
++++ b/src/report.cpp
+@@ -409,10 +409,19 @@ void Report::timerProcForOnChangeReport(boost::system::error_code ec,
+
+ void Report::scheduleTimerForPeriodicReport(Milliseconds timerInterval)
+ {
+- timer.expires_after(timerInterval);
+- timer.async_wait([this](boost::system::error_code ec) {
+- timerProcForPeriodicReport(ec, *this);
+- });
++ try
++ {
++ timer.expires_after(timerInterval);
++ timer.async_wait([this](boost::system::error_code ec) {
++ timerProcForPeriodicReport(ec, *this);
++ });
++ }
++ catch (const boost::system::system_error& exception)
++ {
++ phosphor::logging::log<phosphor::logging::level::ERR>(
++ "Failed to schedule timer for periodic report: ",
++ phosphor::logging::entry("EXCEPTION_MSG=%s", exception.what()));
++ }
+ }
+
+ void Report::scheduleTimerForOnChangeReport()
+--
+2.34.1
+
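Review bot: The `catch` added to `Report::scheduleTimerForPeriodicReport` logs and returns, which leaves the timer unarmed, so the periodic report stops updating while the object still looks healthy to its callers. If that is intended, say so with a comment such as `// timer not re-armed: report stays idle until rescheduled`; otherwise propagate the failure or mark the report as failed (how the rest of `Report` signals errors is not visible in this hunk). The message literal also ends in `": "` although the exception text is passed as a separate journal field, so the trailing colon can be dropped.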
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend
index 5e2ba584c..590d5ceeb 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend
@@ -1,6 +1,12 @@
SRC_URI = "git://github.com/openbmc/telemetry.git"
SRCREV = "aa4a9dc5ccae9f210d0d63f99b22154c97e53c19"
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://0001-Coverity-2770238.patch \
+"
+
EXTRA_OEMESON += " -Dmax-reports=10"
EXTRA_OEMESON += " -Dmax-triggers=0"
EXTRA_OEMESON += " -Dmax-append-limit=0"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0002-Hack-webpack-to-not-use-MD4.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0002-Hack-webpack-to-not-use-MD4.patch
new file mode 100644
index 000000000..cdd9220cd
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0002-Hack-webpack-to-not-use-MD4.patch
@@ -0,0 +1,51 @@
+From 0be88e6e4dff8a9e0b1ae1d72d1736186ba28a33 Mon Sep 17 00:00:00 2001
+From: Gunnar Mills <gmills@us.ibm.com>
+Date: Fri, 14 Jan 2022 19:52:33 +0000
+Subject: [PATCH] Hack webpack to not use MD4
+
+No longer have support for MD4, the default hashFunction.
+Mess with webpack to use sha256.
+
+This solution is from:
+https://github.com/webpack/webpack/issues/13572#issuecomment-923736472
+
+And was added to phosphor-webui here:
+https://github.com/openbmc/phosphor-webui/commit/85884002164aacfeac8ca40e6fd169b0a2de43f0
+
+Ideally --openssl-legacy-provider would work as
+https://github.com/webpack/webpack/issues/14532 describes but Node 16
+supports linking with SSL 3.0 but doesn't support
+openssl-legacy-provider. See
+https://github.com/nodejs/node/issues/40948.
+
+This should enable the new Yocto bump to pass.
+
+Tested: Build Witherspoon Tacoma with
+https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/48473 and the 3
+and this change. The webui looked good.
+
+Change-Id: I66f2cc45af85096f9abe935d269838c6a680bc9b
+Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
+---
+ vue.config.js | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vue.config.js b/vue.config.js
+index 0268002..de0ad12 100644
+--- a/vue.config.js
++++ b/vue.config.js
+@@ -55,6 +55,11 @@ module.exports = {
+ },
+ productionSourceMap: false,
+ configureWebpack: (config) => {
++ const crypto = require('crypto');
++ const crypto_orig_createHash = crypto.createHash;
++ crypto.createHash = (algorithm) =>
++ crypto_orig_createHash(algorithm == 'md4' ? 'sha256' : algorithm);
++
+ const envName = process.env.VUE_APP_ENV_NAME;
+ const hasCustomStore = process.env.CUSTOM_STORE === 'true' ? true : false;
+ const hasCustomRouter = process.env.CUSTOM_ROUTER === 'true' ? true : false;
+--
+2.17.1
+
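Review bot: The replacement `crypto.createHash` in `configureWebpack` forwards only `algorithm`, so the optional `options` argument is dropped for every caller in the build process, not just webpack's MD4 uses. Forward the remaining arguments and compare strictly: `crypto.createHash = (algorithm, ...rest) => crypto_orig_createHash(algorithm === 'md4' ? 'sha256' : algorithm, ...rest);`. Because the override is process-wide, add a short comment noting that any code asking for MD4 silently receives a SHA-256 digest of a different length, so whoever removes the hack later knows what depended on it.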
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue_%.bbappend
index 412e88501..51eaa69fe 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue_%.bbappend
@@ -7,8 +7,17 @@ SRC_URI += " \
file://login-company-logo.svg \
file://logo-header.svg \
file://0001-Old-password-input-in-change-password-screen.patch \
+ file://0002-Hack-webpack-to-not-use-MD4.patch \
"
+# Workaround_1 (adapted from upstream)
+# Upstream commit reference: f1f90e183 webui-vue: enable network access during build
+# https://github.com/openbmc/openbmc/commit/14cef4e6c4d3e206d43cc9653e479a5a331f06ab
+
+# Network access from task are disabled by default on Yocto 3.5
+# https://git.yoctoproject.org/poky/tree/documentation/migration-guides/migration-3.5.rst#n25
+do_compile[network] = "1"
+
do_compile:prepend() {
cp -vf ${S}/.env.intel ${S}/.env
cp -vf ${WORKDIR}/login-company-logo.svg ${S}/src/assets/images
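Review bot: `do_compile[network] = "1"` lets the compile task download whatever the web UI build requests at build time, and those downloads are not covered by `SRC_URI` checksums, source mirrors or offline and reproducible builds. The comment above it explains why the flag is needed but not what is fetched; add something like `# the JS package manager pulls webui-vue dependencies here; they are not covered by SRC_URI checksums`. If the compile step, which is not visible in this hunk, does not already do so, install strictly from the committed lockfile. The short hash `f1f90e183` in the comment and the hash in the URL on the following line appear to name different commits, so one of the two references should be corrected or explained.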
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
new file mode 100644
index 000000000..9385c1421
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
@@ -0,0 +1,41 @@
+From c28e9478cb2548848eca9b765d0d409bfb18668c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 22 Jan 2024 23:54:08 +0100
+Subject: [PATCH] openssl: when verifystatus fails, remove session id from
+ cache
+
+To prevent that it gets used in a subsequent transfer that skips the
+verifystatus check since that check can't be done when the session id is
+reused.
+
+Reported-by: Hiroki Kurosawa
+Closes #12760
+---
+ lib/vtls/openssl.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 0e36dc6aa7e1e4..8d6087022b32c2 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -4351,6 +4351,20 @@ static CURLcode servercert(struct Curl_cfilter *cf,
+ /* don't do this after Session ID reuse */
+ result = verifystatus(cf, data);
+ if(result) {
++ /* when verifystatus failed, remove the session id from the cache again
++ if present */
++ if(!Curl_ssl_cf_is_proxy(cf)) {
++ void *old_ssl_sessionid = NULL;
++ bool incache;
++ Curl_ssl_sessionid_lock(data);
++ incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
++ if(incache) {
++ infof(data, "Remove session ID again from cache");
++ Curl_ssl_delsessionid(data, old_ssl_sessionid);
++ }
++ Curl_ssl_sessionid_unlock(data);
++ }
++
+ X509_free(backend->server_cert);
+ backend->server_cert = NULL;
+ return result;
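Review bot: The patch header carries neither a `CVE:` nor an `Upstream-Status:` line, so the provenance of this backport is recorded only by the file name. Add `CVE: CVE-2024-0853` and `Upstream-Status: Backport [curl commit c28e9478cb2548848eca9b765d0d409bfb18668c]` above the `---` separator (assuming the id on the `From` line is the upstream commit), so CVE scanning and later version bumps can tell when the patch becomes redundant. The code change itself is confined to the `if(result)` branch of `servercert`, whose body starts and ends outside the hunk.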
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
index 92056bd8c..419022091 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/disable-tests
@@ -1,14 +1,23 @@
+# Intermittently fails e.g. https://autobuilder.yocto.io/pub/non-release/20231220-28/testresults/qemux86-64-ptest/curl.log
+# https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
+337
# These CRL test (alt-avc) are failing
356
412
413
# These CRL tests are scanning docs
971
+# Intermittently hangs e.g http://autobuilder.yocto.io/pub/non-release/20231228-18/testresults/qemux86-64-ptest/curl.log
+1091
+# Intermittently hangs e.g https://autobuilder.yocto.io/pub/non-release/20231220-27/testresults/qemux86-64-ptest/curl.log
+1096
+# These CRL tests are scanning docs
1119
1132
1135
-# These CRL tests are scnning headers
+# These CRL tests are scanning headers
1167
+1477
# These CRL tests are scanning man pages
1139
1140
@@ -18,7 +27,10 @@
1165
# This CRL test is looking for src files
1185
+# This test is scanning the source tree
+1222
# These CRL tests need --libcurl option to be enabled
+1279
1400
1401
1402
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
index 614e82292..8f9c20f34 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/run-ptest
@@ -1,6 +1,6 @@
#!/bin/sh
cd tests
-./runtests.pl -a -n -s | sed \
+{ ./runtests.pl -a -n -s -j4 !flaky || echo "FAIL: curl" ; } | sed \
-e 's|\([^ ]* *\) \([^ ]* *\)...OK|PASS: \1 \2|' \
-e 's|\([^ ]* *\) \([^ ]* *\)...FAILED|FAIL: \1 \2|' \
-e 's/Warning: test[0-9]\+ not present in tests\/data\/Makefile.inc//'
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
index 69597440f..c8450e929 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
@@ -13,8 +13,9 @@ SRC_URI = " \
https://curl.se/download/${BP}.tar.xz \
file://run-ptest \
file://disable-tests \
+ file://CVE-2024-0853.patch \
"
-SRC_URI[sha256sum] = "2859ec79e2cd96e976a99493547359b8001af1d1e21f3a3a3b846544ef54500f"
+SRC_URI[sha256sum] = "42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb"
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
@@ -24,21 +25,26 @@ inherit autotools pkgconfig binconfig multilib_header ptest
# Entropy source for random PACKAGECONFIG option
RANDOM ?= "/dev/urandom"
-PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} libidn openssl proxy random threaded-resolver verbose zlib"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} aws basic-auth bearer-auth digest-auth negotiate-auth libidn openssl proxy random threaded-resolver verbose zlib"
PACKAGECONFIG:class-native = "ipv6 openssl proxy random threaded-resolver verbose zlib"
PACKAGECONFIG:class-nativesdk = "ipv6 openssl proxy random threaded-resolver verbose zlib"
# 'ares' and 'threaded-resolver' are mutually exclusive
PACKAGECONFIG[ares] = "--enable-ares,--disable-ares,c-ares,,,threaded-resolver"
+PACKAGECONFIG[aws] = "--enable-aws,--disable-aws"
+PACKAGECONFIG[basic-auth] = "--enable-basic-auth,--disable-basic-auth"
+PACKAGECONFIG[bearer-auth] = "--enable-bearer-auth,--disable-bearer-auth"
PACKAGECONFIG[brotli] = "--with-brotli,--without-brotli,brotli"
PACKAGECONFIG[builtinmanual] = "--enable-manual,--disable-manual"
# Don't use this in production
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
PACKAGECONFIG[dict] = "--enable-dict,--disable-dict,"
+PACKAGECONFIG[digest-auth] = "--enable-digest-auth,--disable-digest-auth"
PACKAGECONFIG[gnutls] = "--with-gnutls,--without-gnutls,gnutls"
PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher,"
PACKAGECONFIG[imap] = "--enable-imap,--disable-imap,"
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+PACKAGECONFIG[kerberos-auth] = "--enable-kerberos-auth,--disable-kerberos-auth"
PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5"
PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap"
PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap"
@@ -47,6 +53,7 @@ PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2"
PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2"
PACKAGECONFIG[mbedtls] = "--with-mbedtls=${STAGING_DIR_TARGET},--without-mbedtls,mbedtls"
PACKAGECONFIG[mqtt] = "--enable-mqtt,--disable-mqtt,"
+PACKAGECONFIG[negotiate-auth] = "--enable-negotiate-auth,--disable-negotiate-auth"
PACKAGECONFIG[nghttp2] = "--with-nghttp2,--without-nghttp2,nghttp2"
PACKAGECONFIG[openssl] = "--with-openssl,--without-openssl,openssl"
PACKAGECONFIG[pop3] = "--enable-pop3,--disable-pop3,"
@@ -56,7 +63,6 @@ PACKAGECONFIG[rtmpdump] = "--with-librtmp,--without-librtmp,rtmpdump"
PACKAGECONFIG[rtsp] = "--enable-rtsp,--disable-rtsp,"
PACKAGECONFIG[smb] = "--enable-smb,--disable-smb,"
PACKAGECONFIG[smtp] = "--enable-smtp,--disable-smtp,"
-PACKAGECONFIG[nss] = "--with-nss,--without-nss,nss"
PACKAGECONFIG[telnet] = "--enable-telnet,--disable-telnet,"
PACKAGECONFIG[tftp] = "--enable-tftp,--disable-tftp,"
PACKAGECONFIG[threaded-resolver] = "--enable-threaded-resolver,--disable-threaded-resolver,,,,ares"
@@ -67,11 +73,10 @@ PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd"
EXTRA_OECONF = " \
--disable-libcurl-option \
--disable-ntlm-wb \
- --enable-crypto-auth \
--with-ca-bundle=${sysconfdir}/ssl/certs/ca-certificates.crt \
--without-libpsl \
--enable-optimize \
- ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls nss openssl', d) == '') else ''} \
+ ${@'--without-ssl' if (bb.utils.filter('PACKAGECONFIG', 'gnutls mbedtls openssl', d) == '') else ''} \
"
do_install:append:class-target() {
@@ -85,14 +90,18 @@ do_install:append:class-target() {
}
do_compile_ptest() {
- oe_runmake test
- oe_runmake -C ${B}/tests/server
+ oe_runmake -C ${B}/tests
}
do_install_ptest() {
cat ${WORKDIR}/disable-tests >> ${S}/tests/data/DISABLED
rm -f ${B}/tests/configurehelp.pm
cp -rf ${B}/tests ${D}${PTEST_PATH}
+ rm -f ${D}${PTEST_PATH}/tests/libtest/.libs/libhostname.la
+ rm -f ${D}${PTEST_PATH}/tests/libtest/libhostname.la
+ mv ${D}${PTEST_PATH}/tests/libtest/.libs/* ${D}${PTEST_PATH}/tests/libtest/
+ mv ${D}${PTEST_PATH}/tests/libtest/libhostname.so ${D}${PTEST_PATH}/tests/libtest/.libs/
+ mv ${D}${PTEST_PATH}/tests/http/clients/.libs/* ${D}${PTEST_PATH}/tests/http/clients/
cp -rf ${S}/tests ${D}${PTEST_PATH}
find ${D}${PTEST_PATH}/ -type f -name Makefile.am -o -name Makefile.in -o -name Makefile -delete
install -d ${D}${PTEST_PATH}/src
@@ -100,8 +109,23 @@ do_install_ptest() {
cp -rf ${D}${bindir}/curl-config ${D}${PTEST_PATH}
}
-RDEPENDS:${PN}-ptest += "bash perl-modules perl-module-time-hires perl-module-digest-md5 \
- perl-module-digest perl-module-ipc-open2"
+RDEPENDS:${PN}-ptest += " \
+ bash \
+ perl-module-b \
+ perl-module-base \
+ perl-module-cwd \
+ perl-module-digest \
+ perl-module-digest-md5 \
+ perl-module-file-basename \
+ perl-module-file-spec \
+ perl-module-file-temp \
+ perl-module-io-socket \
+ perl-module-ipc-open2 \
+ perl-module-list-util \
+ perl-module-memoize \
+ perl-module-storable \
+ perl-module-time-hires \
+"
PACKAGES =+ "lib${BPN}"