From 848b831c34ae28e7b8132834656ad59dc6b51a87 Mon Sep 17 00:00:00 2001
From: P Dheeraj Srujan Kumar
Date: Sun, 11 Aug 2024 02:42:39 +0530
Subject: Update to internal 1-1.20
Signed-off-by: P Dheeraj Srujan Kumar
---
meta-openbmc-mods/Security.md | 6 +
.../avahi/avahi/CVE-2023-38470.patch | 52 +
.../avahi/avahi/CVE-2023-38471.patch | 68 +
.../avahi/avahi/CVE-2023-38472.patch | 40 +
.../avahi/avahi/CVE-2023-38473.patch | 104 +
.../recipes-connectivity/avahi/avahi_%.bbappend | 4 +
.../openssl/files/environment.d-openssl.sh | 4 +
.../0001-Configure-do-not-tweak-mips-cflags.patch | 39 +
...trip-sysroot-and-debug-prefix-map-from-co.patch | 42 +-
.../openssl/0001-skip-test_symbol_presence.patch | 46 -
...-support-for-io_pgetevents_time64-syscall.patch | 62 -
...-support-for-io_pgetevents_time64-syscall.patch | 99 -
.../openssl/openssl/CVE-2022-0778.patch | 69 -
.../CVE-2022-1292-Fix-openssl-c_rehash.patch | 76 -
...2022-2068-Fix-file-operations-in-c_rehash.patch | 257 --
...Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch | 73 -
.../openssl/openssl/CVE-2023-2975.patch | 58 +
.../openssl/openssl/CVE-2023-3446.patch | 76 +
.../openssl/openssl/CVE-2023-3817.patch | 61 +
.../openssl/openssl/CVE-2023-5363.patch | 81 +
.../openssl/openssl/CVE-2023-5678.patch | 177 ++
.../openssl/openssl/CVE-2024-0727.patch | 120 +
.../openssl/openssl/afalg.patch | 31 -
.../openssl/openssl/fix_random_labels.patch | 22 +
.../openssl/openssl/reproducible.patch | 32 -
.../recipes-connectivity/openssl/openssl/run-ptest | 2 +-
.../recipes-connectivity/openssl/openssl_1.1.1v.bb | 252 --
.../recipes-connectivity/openssl/openssl_3.1.1.bb | 268 ++
.../busybox/busybox/CVE-2022-48174.patch | 80 +
.../recipes-core/busybox/busybox/disable.cfg | 2 +
.../recipes-core/busybox/busybox_%.bbappend | 1 +
.../expat/expat/CVE-2022-40674_1.patch | 49 -
.../expat/expat/CVE-2022-40674_2.patch | 104 -
.../recipes-core/expat/expat/CVE-2022-43680.patch | 109 -
.../meta-common/recipes-core/expat/expat/run-ptest | 16 +-
.../meta-common/recipes-core/expat/expat_2.4.5.bb | 34 -
.../meta-common/recipes-core/expat/expat_2.6.1.bb | 33 +
.../recipes-core/glibc/glibc/CVE-2023-4813.patch | 982 +++++++
.../recipes-core/glibc/glibc/CVE-2023-4911.patch | 156 ++
.../recipes-core/glibc/glibc_%.bbappend | 2 +
.../0001-Static-analyser-issue-resolution.patch | 35 +
.../host-error-monitor_%.bbappend | 5 +
.../0001-static-analyzer-issue-resolution.patch | 28 +
.../recipes-core/ipmi/intel-ipmi-oem_%.bbappend | 2 +
.../recipes-core/zlib/zlib/CVE-2023-45853.patch | 38 +
.../meta-common/recipes-core/zlib/zlib_1.2.13.bb | 1 +
.../json-c/json-c/CVE-2021-32292.patch | 24 +
.../recipes-devtools/json-c/json-c_%.bbappend | 5 +
...isable-running-gyp-files-for-bundled-deps.patch | 22 +
.../0001-liftoff-Correct-function-signatures.patch | 71 +
...-ppc64-Do-not-use-mminimal-toc-with-clang.patch | 23 +
...0002-Install-both-binaries-and-use-libdir.patch | 96 +
.../nodejs/nodejs/0002-Using-native-binaries.patch | 70 +
.../nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch | 102 +
.../nodejs/nodejs/big-endian.patch | 18 +
.../recipes-devtools/nodejs/nodejs/libatomic.patch | 21 +
.../nodejs/nodejs/mips-less-memory.patch | 32 +
.../nodejs/nodejs/system-c-ares.patch | 24 +
.../recipes-devtools/nodejs/nodejs_16.11.1.bb | 202 ++
.../pam/libpam/CVE-2024-22365.patch | 55 +
.../recipes-extended/pam/libpam_1.5.2.bb | 1 +
.../shadow/shadow/CVE-2023-4641.patch | 142 +
.../recipes-extended/shadow/shadow_%.bbappend | 1 +
.../meta-common/recipes-extended/xz/xz_5.4.4.bb | 44 +
.../linux/linux-aspeed/CVE-2021-33631.patch | 107 +
.../linux/linux-aspeed/CVE-2021-46923.patch | 44 +
.../linux/linux-aspeed/CVE-2021-46933.patch | 118 +
.../linux/linux-aspeed/CVE-2021-46934.patch | 38 +
.../linux/linux-aspeed/CVE-2021-46936.patch | 88 +
.../linux/linux-aspeed/CVE-2021-47087.patch | 43 +
.../linux/linux-aspeed/CVE-2022-0847.patch | 43 +
.../linux/linux-aspeed/CVE-2022-40982.patch | 77 +
.../linux/linux-aspeed/CVE-2022-48425.patch | 136 +
.../linux/linux-aspeed/CVE-2022-48659.patch | 73 +
.../linux/linux-aspeed/CVE-2022-48660.patch | 69 +
.../linux/linux-aspeed/CVE-2022-48672.patch | 39 +
.../linux/linux-aspeed/CVE-2022-48687.patch | 76 +
.../linux/linux-aspeed/CVE-2022-48689.patch | 167 ++
.../linux/linux-aspeed/CVE-2023-0386.patch | 48 +
.../linux/linux-aspeed/CVE-2023-0458.patch | 34 +
.../linux/linux-aspeed/CVE-2023-2176.patch | 317 +++
.../linux/linux-aspeed/CVE-2023-2235.patch | 35 +
.../linux/linux-aspeed/CVE-2023-2860.patch | 73 +
.../linux/linux-aspeed/CVE-2023-31085.patch | 40 +
.../linux/linux-aspeed/CVE-2023-34256.patch | 99 +
.../linux/linux-aspeed/CVE-2023-4004.patch | 58 +
.../linux/linux-aspeed/CVE-2023-42754.patch | 48 +
.../linux/linux-aspeed/CVE-2023-45863.patch | 143 +
.../linux/linux-aspeed/CVE-2023-5178.patch | 61 +
.../linux/linux-aspeed/CVE-2023-52435.patch | 115 +
.../linux/linux-aspeed/CVE-2023-52449.patch | 83 +
.../linux/linux-aspeed/CVE-2023-52458.patch | 67 +
.../linux/linux-aspeed/CVE-2023-52467.patch | 38 +
.../linux/linux-aspeed/CVE-2023-52522.patch | 46 +
.../linux/linux-aspeed/CVE-2023-52580.patch | 121 +
.../linux/linux-aspeed/CVE-2023-52597.patch | 68 +
.../linux/linux-aspeed/CVE-2023-52598.patch | 69 +
.../linux/linux-aspeed/CVE-2023-52612.patch | 55 +
.../linux/linux-aspeed/CVE-2023-52615.patch | 120 +
.../linux/linux-aspeed/CVE-2023-52619.patch | 45 +
.../linux/linux-aspeed/CVE-2023-52622.patch | 131 +
.../linux/linux-aspeed/CVE-2024-0562.patch | 143 +
.../linux/linux-aspeed/CVE-2024-0639.patch | 52 +
.../linux/linux-aspeed/CVE-2024-0775.patch | 62 +
.../linux/linux-aspeed/CVE-2024-26001.patch | 67 +
.../linux/linux-aspeed/CVE-2024-26602.patch | 89 +
.../linux/linux-aspeed/CVE-2024-26631.patch | 76 +
.../linux/linux-aspeed/CVE-2024-26671.patch | 70 +
.../linux/linux-aspeed/CVE-2024-26676.patch | 107 +
.../linux/linux-aspeed/CVE-2024-26679.patch | 44 +
.../linux/linux-aspeed/CVE-2024-26686.patch | 161 ++
.../linux/linux-aspeed/CVE-2024-26704.patch | 71 +
.../linux/linux-aspeed/CVE-2024-26720.patch | 49 +
.../linux/linux-aspeed/CVE-2024-26735.patch | 72 +
.../linux/linux-aspeed/CVE-2024-26772.patch | 52 +
.../linux/linux-aspeed/CVE-2024-26773.patch | 63 +
.../linux/linux-aspeed/CVE-2024-26774.patch | 36 +
.../linux/linux-aspeed/CVE-2024-26795.patch | 48 +
.../linux/linux-aspeed/CVE-2024-26900.patch | 67 +
.../linux/linux-aspeed/CVE-2024-35984.patch | 63 +
.../linux/linux-aspeed/CVE-2024-36008.patch | 81 +
.../recipes-kernel/linux/linux-aspeed_%.bbappend | 57 +
...icate-replacement-URI-response-error-code.patch | 3 +-
.../0065--Refactor-DCMI-IPMI-commands.patch | 2845 ++++++++++++++++++++
...-for-static-analyser-tool-reported-issues.patch | 186 ++
.../ipmi/phosphor-ipmi-host_%.bbappend | 2 +
.../0004-Fix-for-Coverity-Issues.patch | 49 +
.../ipmi/phosphor-ipmi-ipmb_%.bbappend | 1 +
.../recipes-phosphor/pmci/nvmemi-daemon.bb | 5 +
.../0001-Static-analyser-issue-resolution.patch | 103 +
.../recipes-phosphor/system/callback-manager.bb | 4 +
.../0001-Static-analyser-issue-resolution.patch | 44 +
.../telemetry/0001-Coverity-2770238.patch | 40 +
.../telemetry/telemetry_%.bbappend | 6 +
.../0002-Hack-webpack-to-not-use-MD4.patch | 51 +
.../recipes-phosphor/webui/webui-vue_%.bbappend | 9 +
.../recipes-support/curl/curl/CVE-2024-0853.patch | 41 +
.../recipes-support/curl/curl/disable-tests | 14 +-
.../recipes-support/curl/curl/run-ptest | 2 +-
.../meta-common/recipes-support/curl/curl_8.2.0.bb | 116 -
.../meta-common/recipes-support/curl/curl_8.5.0.bb | 140 +
141 files changed, 11625 insertions(+), 1449 deletions(-)
create mode 100644 meta-openbmc-mods/Security.md
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-43680.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0458.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2176.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2235.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-2860.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-31085.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-34256.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-42754.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-45863.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-5178.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52435.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52449.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52458.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52467.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52522.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52580.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52597.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52598.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52612.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52615.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52619.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-52622.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0562.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0639.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-0775.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26001.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26602.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26631.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26671.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26676.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26679.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26686.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26704.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26720.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26735.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26772.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26773.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26774.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26795.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-26900.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-35984.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2024-36008.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0065--Refactor-DCMI-IPMI-commands.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-host/0066-Fix-for-static-analyser-tool-reported-issues.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/ipmi/phosphor-ipmi-ipmb/0004-Fix-for-Coverity-Issues.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon/0001-Static-analyser-issue-resolution.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/system/callback-manager/0001-Static-analyser-issue-resolution.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry/0001-Coverity-2770238.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/webui/webui-vue/0002-Hack-webpack-to-not-use-MD4.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2024-0853.patch
delete mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.2.0.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl_8.5.0.bb
diff --git a/meta-openbmc-mods/Security.md b/meta-openbmc-mods/Security.md
new file mode 100644
index 000000000..d5f1e5eac
--- /dev/null
+++ b/meta-openbmc-mods/Security.md
@@ -0,0 +1,6 @@
+# Security Policy
+Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.
+
+## Reporting a Vulnerability
+Please report any security vulnerabilities in this project [utilizing the guidelines here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html).
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch
new file mode 100644
index 000000000..dc451eac9
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38470.patch
@@ -0,0 +1,52 @@
+From 94cb6489114636940ac683515417990b55b5d66c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Tue, 11 Apr 2023 15:29:59 +0200
+Subject: [PATCH] Ensure each label is at least one byte long
+
+The only allowed exception is single dot, where it should return empty
+string.
+
+Fixes #454.
+---
+ avahi-common/domain-test.c | 14 ++++++++++++++
+ avahi-common/domain.c | 2 +-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c
+index cf763eca6..3acc1c1e4 100644
+--- a/avahi-common/domain-test.c
++++ b/avahi-common/domain-test.c
+@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo."));
+ avahi_free(s);
+
++ printf("%s\n", s = avahi_normalize_name_strdup("."));
++ avahi_free(s);
++
++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}."
++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}"
++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`"
++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?."
++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}."
++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?"
++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM."
++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?."
++ "}.?.?.?.}.=.?.?.}");
++ assert(s == NULL);
++
+ printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff"));
+ printf("%i\n", avahi_domain_equal("A", "a"));
+
+diff --git a/avahi-common/domain.c b/avahi-common/domain.c
+index 3b1ab6834..e66d2416c 100644
+--- a/avahi-common/domain.c
++++ b/avahi-common/domain.c
+@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) {
+ }
+
+ if (!empty) {
+- if (size < 1)
++ if (size < 2)
+ return NULL;
+
+ *(r++) = '.';
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch
new file mode 100644
index 000000000..e099bd2b7
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38471.patch
@@ -0,0 +1,68 @@
+From 894f085f402e023a98cbb6f5a3d117bd88d93b09 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Mon, 23 Oct 2023 13:38:35 +0200
+Subject: [PATCH] core: extract host name using avahi_unescape_label()
+
+Previously we could create invalid escape sequence when we split the
+string on dot. For example, from valid host name "foo\\.bar" we have
+created invalid name "foo\\" and tried to set that as the host name
+which crashed the daemon.
+
+Fixes #453
+
+CVE-2023-38471
+---
+ avahi-core/server.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-core/server.c b/avahi-core/server.c
+index c32637af8..f6a21bb77 100644
+--- a/avahi-core/server.c
++++ b/avahi-core/server.c
+@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) {
+ }
+
+ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+- char *hn = NULL;
++ char label_escaped[AVAHI_LABEL_MAX*4+1];
++ char label[AVAHI_LABEL_MAX];
++ char *hn = NULL, *h;
++ size_t len;
++
+ assert(s);
+
+ AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) {
+ else
+ hn = avahi_normalize_name_strdup(host_name);
+
+- hn[strcspn(hn, ".")] = 0;
++ h = hn;
++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) {
++ avahi_free(h);
++ return AVAHI_ERR_INVALID_HOST_NAME;
++ }
++
++ avahi_free(h);
++
++ h = label_escaped;
++ len = sizeof(label_escaped);
++ if (!avahi_escape_label(label, strlen(label), &h, &len))
++ return AVAHI_ERR_INVALID_HOST_NAME;
+
+- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) {
+- avahi_free(hn);
++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION)
+ return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE);
+- }
+
+ withdraw_host_rrs(s);
+
+ avahi_free(s->host_name);
+- s->host_name = hn;
++ s->host_name = avahi_strdup(label_escaped);
++ if (!s->host_name)
++ return AVAHI_ERR_NO_MEMORY;
+
+ update_fqdn(s);
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch
new file mode 100644
index 000000000..2cd778829
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38472.patch
@@ -0,0 +1,40 @@
+From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Thu, 19 Oct 2023 17:36:44 +0200
+Subject: [PATCH] core: make sure there is rdata to process before parsing it
+
+Fixes #452
+
+CVE-2023-38472
+---
+ avahi-client/client-test.c | 3 +++
+ avahi-daemon/dbus-entry-group.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index b3366d848..ba9799881 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -258,6 +258,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL)));
+ printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6));
+
++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
++ assert(error != AVAHI_OK);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-daemon/dbus-entry-group.c b/avahi-daemon/dbus-entry-group.c
+index 4e879a5ba..aa23d4b6b 100644
+--- a/avahi-daemon/dbus-entry-group.c
++++ b/avahi-daemon/dbus-entry-group.c
+@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_group_impl(DBusConnection *c, DBusMessage
+ if (!(r = avahi_record_new_full (name, clazz, type, ttl)))
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL);
+
+- if (avahi_rdata_parse (r, rdata, size) < 0) {
++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) {
+ avahi_record_unref (r);
+ return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL);
+ }
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch
new file mode 100644
index 000000000..8dd8d03e2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi/CVE-2023-38473.patch
@@ -0,0 +1,104 @@
+From b448c9f771bada14ae8de175695a9729f8646797 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 11 Oct 2023 17:45:44 +0200
+Subject: [PATCH] common: derive alternative host name from its unescaped
+ version
+
+Normalization of input makes sure we don't have to deal with special
+cases like unescaped dot at the end of label.
+
+Fixes #451 #487
+CVE-2023-38473
+---
+ avahi-common/alternative-test.c | 3 +++
+ avahi-common/alternative.c | 27 +++++++++++++++++++--------
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c
+index 9255435ec..681fc15b8 100644
+--- a/avahi-common/alternative-test.c
++++ b/avahi-common/alternative-test.c
+@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ const char* const test_strings[] = {
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü",
++ ").",
++ "\\.",
++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\",
+ "gurke",
+ "-",
+ " #",
+diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c
+index b3d39f0ed..a094e6d76 100644
+--- a/avahi-common/alternative.c
++++ b/avahi-common/alternative.c
+@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) {
+ }
+
+ char *avahi_alternative_host_name(const char *s) {
++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1];
++ char *alt, *r, *ret;
+ const char *e;
+- char *r;
++ size_t len;
+
+ assert(s);
+
+ if (!avahi_is_valid_host_name(s))
+ return NULL;
+
+- if ((e = strrchr(s, '-'))) {
++ if (!avahi_unescape_label(&s, label, sizeof(label)))
++ return NULL;
++
++ if ((e = strrchr(label, '-'))) {
+ const char *p;
+
+ e++;
+@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) {
+
+ if (e) {
+ char *c, *m;
+- size_t l;
+ int n;
+
+ n = atoi(e)+1;
+ if (!(m = avahi_strdup_printf("%i", n)))
+ return NULL;
+
+- l = e-s-1;
++ len = e-label-1;
+
+- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1)
+- l = AVAHI_LABEL_MAX-1-strlen(m)-1;
++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1)
++ len = AVAHI_LABEL_MAX-1-strlen(m)-1;
+
+- if (!(c = avahi_strndup(s, l))) {
++ if (!(c = avahi_strndup(label, len))) {
+ avahi_free(m);
+ return NULL;
+ }
+@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) {
+ } else {
+ char *c;
+
+- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2)))
++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2)))
+ return NULL;
+
+ drop_incomplete_utf8(c);
+@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) {
+ avahi_free(c);
+ }
+
++ alt = alternative;
++ len = sizeof(alternative);
++ ret = avahi_escape_label(r, strlen(r), &alt, &len);
++
++ avahi_free(r);
++ r = avahi_strdup(ret);
++
+ assert(avahi_is_valid_host_name(r));
+
+ return r;
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend
index 06343a29d..7007454b1 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/avahi/avahi_%.bbappend
@@ -2,4 +2,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://CVE-2023-1981.patch \
+ file://CVE-2023-38470.patch \
+ file://CVE-2023-38471.patch \
+ file://CVE-2023-38472.patch \
+ file://CVE-2023-38473.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh
index b9cc24a7a..6f23490c8 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,5 @@
export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 000000000..502a7aaf3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,39 @@
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin
+Date: Tue, 30 May 2023 09:11:27 -0700
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin
+
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/Configure b/Configure
+index 4569952..adf019b 100755
+--- a/Configure
++++ b/Configure
+@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+ push @{$config{shared_ldflag}}, "-mno-cygwin";
+ }
+
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- # minimally required architecture flags for assembly modules
+- my $value;
+- $value = '-mips2' if ($target =~ /mips32/);
+- $value = '-mips3' if ($target =~ /mips64/);
+- unshift @{$config{cflags}}, $value;
+- unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+ if ($auto_threads) {
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 949c78834..bafdbaa46 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -1,4 +1,4 @@
-From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
+From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?=
Date: Tue, 6 Nov 2018 14:50:47 +0100
Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
@@ -21,20 +21,24 @@ https://patchwork.openembedded.org/patch/147229/
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Martin Hundebøll
-
Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
Signed-off-by: Kai Kang
+
+Update to fix buildpaths qa issue for '-ffile-prefix-map'.
+
+Signed-off-by: Khem Raj
+
---
- Configurations/unix-Makefile.tmpl | 10 +++++++++-
+ Configurations/unix-Makefile.tmpl | 12 +++++++++++-
crypto/build.info | 2 +-
- 2 files changed, 10 insertions(+), 2 deletions(-)
+ 2 files changed, 12 insertions(+), 2 deletions(-)
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 16af4d2087..54c162784c 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
+===================================================================
+--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
++++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
+@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
@@ -49,6 +53,7 @@ index 16af4d2087..54c162784c 100644
+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
+ s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
+ s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
++ s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
+ }
+ join(' ', @{$config{CFLAGS}}) -}
+
@@ -58,19 +63,16 @@ index 16af4d2087..54c162784c 100644
PERLASM_SCHEME= {- $target{perlasm_scheme} -}
# For x86 assembler: Set PROCESSOR to 386 if you want to support
-diff --git a/crypto/build.info b/crypto/build.info
-index b515b7318e..8c9cee2a09 100644
---- a/crypto/build.info
-+++ b/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
- ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+Index: openssl-3.0.4/crypto/build.info
+===================================================================
+--- openssl-3.0.4.orig/crypto/build.info
++++ openssl-3.0.4/crypto/build.info
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
+ DEPEND[info.o]=buildinf.h
DEPEND[cversion.o]=buildinf.h
-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
- DEPEND[buildinf.h]=../configdata.pm
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
---
-2.19.1
-
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
deleted file mode 100644
index d8d9651b6..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia
-Date: Tue, 2 Oct 2018 23:58:24 +0800
-Subject: [PATCH] skip test_symbol_presence
-
-We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared'
-as INSTALL told us the shared libraries will not be built.
-
-[INSTALL snip]
- Notes on shared libraries
- -------------------------
-
- For most systems the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl. On these systems
- the shared libraries will be created by default. This can be suppressed and
- only static libraries created by using the "no-shared" option. On systems
- where OpenSSL does not know how to build shared libraries the "no-shared"
- option will be forced and only static libraries will be created.
-[INSTALL snip]
-
-Hence directly modification the case to skip it.
-
-Upstream-Status: Inappropriate [OE Specific]
-
-Signed-off-by: Hongxu Jia
----
- test/recipes/01-test_symbol_presence.t | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7f2a2d7..0b93745 100644
---- a/test/recipes/01-test_symbol_presence.t
-+++ b/test/recipes/01-test_symbol_presence.t
-@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils;
-
- setup("test_symbol_presence");
-
--plan skip_all => "Only useful when building shared libraries"
-- if disabled("shared");
-+plan skip_all => "The case needs debug symbols then we just disable it";
-
- my @libnames = ("crypto", "ssl");
- my $testcount = scalar @libnames;
---
-2.7.4
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
deleted file mode 100644
index d62b9344c..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0003-Add-support-for-io_pgetevents_time64-syscall.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
-From: Alistair Francis
-Date: Thu, 29 Aug 2019 13:56:21 -0700
-Subject: [PATCH] Add support for io_pgetevents_time64 syscall
-
-32-bit architectures that are y2038 safe don't include syscalls that use
-32-bit time_t. Instead these architectures have suffixed syscalls that
-always use a 64-bit time_t. In the case of the io_getevents syscall the
-syscall has been replaced with the io_pgetevents_time64 syscall instead.
-
-This patch changes the io_getevents() function to use the correct
-syscall based on the avaliable syscalls and the time_t size. We will
-only use the new 64-bit time_t syscall if the architecture is using a
-64-bit time_t. This is to avoid having to deal with 32/64-bit
-conversions and relying on a 64-bit timespec struct on 32-bit time_t
-platforms. As of Linux 5.3 there are no 32-bit time_t architectures
-without __NR_io_getevents. In the future if a 32-bit time_t architecture
-wants to use the 64-bit syscalls we can handle the conversion.
-
-This fixes build failures on 32-bit RISC-V.
-
-Signed-off-by: Alistair Francis
-
-Reviewed-by: Richard Levitte
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/9819)
-Upstream-Status: Accepted
----
- engines/e_afalg.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/engines/e_afalg.c b/engines/e_afalg.c
-index dacbe358cb..99516cb1bb 100644
---- a/engines/e_afalg.c
-+++ b/engines/e_afalg.c
-@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
- struct io_event *events,
- struct timespec *timeout)
- {
-+#if defined(__NR_io_getevents)
- return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
-+#elif defined(__NR_io_pgetevents_time64)
-+ /* Let's only support the 64 suffix syscalls for 64-bit time_t.
-+ * This simplifies the code for us as we don't need to use a 64-bit
-+ * version of timespec with a 32-bit time_t and handle converting
-+ * between 64-bit and 32-bit times and check for overflows.
-+ */
-+ if (sizeof(timeout->tv_sec) == 8)
-+ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
-+ else {
-+ errno = ENOSYS;
-+ return -1;
-+ }
-+#else
-+# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
-+#endif
- }
-
- static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
---
-2.30.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
deleted file mode 100644
index c8bc6f5c6..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/0004-Fixup-support-for-io_pgetevents_time64-syscall.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From e5499a3cac1e823c3e0697e8667e952317b70cc8 Mon Sep 17 00:00:00 2001
-From: Alistair Francis
-Date: Thu, 4 Mar 2021 12:10:11 -0500
-Subject: [PATCH] Fixup support for io_pgetevents_time64 syscall
-
-This is a fixup for the original commit 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
-"Add support for io_pgetevents_time64 syscall" that didn't correctly
-work for 32-bit architecutres with a 64-bit time_t that aren't RISC-V.
-
-For a full discussion of the issue see:
-https://github.com/openssl/openssl/commit/5b5e2985f355c8e99c196d9ce5d02c15bebadfbc
-
-Signed-off-by: Alistair Francis
-
-Reviewed-by: Tomas Mraz
-Reviewed-by: Paul Dale
-(Merged from https://github.com/openssl/openssl/pull/14432)
-Upstream-Status: Accepted
----
- engines/e_afalg.c | 55 ++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 42 insertions(+), 13 deletions(-)
-
-diff --git a/engines/e_afalg.c b/engines/e_afalg.c
-index 9480d7c24b..4e9d67db2d 100644
---- a/engines/e_afalg.c
-+++ b/engines/e_afalg.c
-@@ -124,27 +124,56 @@ static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb)
- return syscall(__NR_io_submit, ctx, n, iocb);
- }
-
-+/* A version of 'struct timespec' with 32-bit time_t and nanoseconds. */
-+struct __timespec32
-+{
-+ __kernel_long_t tv_sec;
-+ __kernel_long_t tv_nsec;
-+};
-+
- static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
- struct io_event *events,
- struct timespec *timeout)
- {
-+#if defined(__NR_io_pgetevents_time64)
-+ /* Check if we are a 32-bit architecture with a 64-bit time_t */
-+ if (sizeof(*timeout) != sizeof(struct __timespec32)) {
-+ int ret = syscall(__NR_io_pgetevents_time64, ctx, min, max, events,
-+ timeout, NULL);
-+ if (ret == 0 || errno != ENOSYS)
-+ return ret;
-+ }
-+#endif
-+
- #if defined(__NR_io_getevents)
-- return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
--#elif defined(__NR_io_pgetevents_time64)
-- /* Let's only support the 64 suffix syscalls for 64-bit time_t.
-- * This simplifies the code for us as we don't need to use a 64-bit
-- * version of timespec with a 32-bit time_t and handle converting
-- * between 64-bit and 32-bit times and check for overflows.
-- */
-- if (sizeof(timeout->tv_sec) == 8)
-- return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
-+ if (sizeof(*timeout) == sizeof(struct __timespec32))
-+ /*
-+ * time_t matches our architecture length, we can just use
-+ * __NR_io_getevents
-+ */
-+ return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
- else {
-- errno = ENOSYS;
-- return -1;
-+ /*
-+ * We don't have __NR_io_pgetevents_time64, but we are using a
-+ * 64-bit time_t on a 32-bit architecture. If we can fit the
-+ * timeout value in a 32-bit time_t, then let's do that
-+ * and then use the __NR_io_getevents syscall.
-+ */
-+ if (timeout && timeout->tv_sec == (long)timeout->tv_sec) {
-+ struct __timespec32 ts32;
-+
-+ ts32.tv_sec = (__kernel_long_t) timeout->tv_sec;
-+ ts32.tv_nsec = (__kernel_long_t) timeout->tv_nsec;
-+
-+ return syscall(__NR_io_getevents, ctx, min, max, events, ts32);
-+ } else {
-+ return syscall(__NR_io_getevents, ctx, min, max, events, NULL);
-+ }
- }
--#else
--# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
- #endif
-+
-+ errno = ENOSYS;
-+ return -1;
- }
-
- static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
---
-2.30.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch
deleted file mode 100644
index 1cae7daac..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 28 Feb 2022 18:26:21 +0100
-Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
-
-The calculation in some cases does not finish for non-prime p.
-
-This fixes CVE-2022-0778.
-
-Based on patch by David Benjamin .
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
----
- crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
-index 1723d5ded5..53b0f55985 100644
---- a/crypto/bn/bn_sqrt.c
-+++ b/crypto/bn/bn_sqrt.c
-@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- /*
- * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
- * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
-- * Theory", algorithm 1.5.1). 'p' must be prime!
-+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
-+ * an incorrect "result" will be returned.
- */
- {
- BIGNUM *ret = in;
-@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- goto vrfy;
- }
-
-- /* find smallest i such that b^(2^i) = 1 */
-- i = 1;
-- if (!BN_mod_sqr(t, b, p, ctx))
-- goto end;
-- while (!BN_is_one(t)) {
-- i++;
-- if (i == e) {
-- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-- goto end;
-+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
-+ for (i = 1; i < e; i++) {
-+ if (i == 1) {
-+ if (!BN_mod_sqr(t, b, p, ctx))
-+ goto end;
-+
-+ } else {
-+ if (!BN_mod_mul(t, t, t, p, ctx))
-+ goto end;
- }
-- if (!BN_mod_mul(t, t, t, p, ctx))
-- goto end;
-+ if (BN_is_one(t))
-+ break;
-+ }
-+ /* If not found, a is not a square or p is not prime. */
-+ if (i >= e) {
-+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
-+ goto end;
- }
-
- /* t := y^2^(e - i - 1) */
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
deleted file mode 100644
index ec4daf015..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Tue, 26 Apr 2022 12:40:24 +0200
-Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
-
-Except on VMS where it is safe.
-
-This fixes CVE-2022-1292.
-
-Reviewed-by: Matthias St. Pierre
-Reviewed-by: Matt Caswell
----
- tools/c_rehash.in | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index fa7c6c9fef..83c1cc80e0 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
- return ($is_cert, $is_crl);
- }
-
-+sub compute_hash {
-+ my $fh;
-+ if ( $^O eq "VMS" ) {
-+ # VMS uses the open through shell
-+ # The file names are safe there and list form is unsupported
-+ if (!open($fh, "-|", join(' ', @_))) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ } else {
-+ if (!open($fh, "-|", @_)) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ }
-+ return (<$fh>, <$fh>);
-+}
-
- # Link a certificate to its subject name hash value, each hash is of
- # the form . where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
-
- sub link_hash_cert {
- my $fname = $_[0];
-- $fname =~ s/\"/\\\"/g;
-- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
-
- sub link_hash_crl {
- my $fname = $_[0];
-- $fname =~ s/'/'\\''/g;
-- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
deleted file mode 100644
index 04e75877a..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
-From: Daniel Fiala
-Date: Sun, 29 May 2022 20:11:24 +0200
-Subject: [PATCH] Fix file operations in c_rehash.
-
-CVE-2022-2068
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Richard Levitte
----
- tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
- 1 file changed, 107 insertions(+), 109 deletions(-)
-
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index cfd18f5da1..9d2a6f6db7 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -104,52 +104,78 @@ foreach (@dirlist) {
- }
- exit($errorcount);
-
-+sub copy_file {
-+ my ($src_fname, $dst_fname) = @_;
-+
-+ if (open(my $in, "<", $src_fname)) {
-+ if (open(my $out, ">", $dst_fname)) {
-+ print $out $_ while (<$in>);
-+ close $out;
-+ } else {
-+ warn "Cannot open $dst_fname for write, $!";
-+ }
-+ close $in;
-+ } else {
-+ warn "Cannot open $src_fname for read, $!";
-+ }
-+}
-+
- sub hash_dir {
-- my %hashlist;
-- print "Doing $_[0]\n";
-- chdir $_[0];
-- opendir(DIR, ".");
-- my @flist = sort readdir(DIR);
-- closedir DIR;
-- if ( $removelinks ) {
-- # Delete any existing symbolic links
-- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-- if (-l $_) {
-- print "unlink $_" if $verbose;
-- unlink $_ || warn "Can't unlink $_, $!\n";
-- }
-- }
-- }
-- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-- # Check to see if certificates and/or CRLs present.
-- my ($cert, $crl) = check_file($fname);
-- if (!$cert && !$crl) {
-- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-- next;
-- }
-- link_hash_cert($fname) if ($cert);
-- link_hash_crl($fname) if ($crl);
-- }
-+ my $dir = shift;
-+ my %hashlist;
-+
-+ print "Doing $dir\n";
-+
-+ if (!chdir $dir) {
-+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-+ return;
-+ }
-+
-+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-+ my @flist = sort readdir(DIR);
-+ closedir DIR;
-+ if ( $removelinks ) {
-+ # Delete any existing symbolic links
-+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-+ if (-l $_) {
-+ print "unlink $_\n" if $verbose;
-+ unlink $_ || warn "Can't unlink $_, $!\n";
-+ }
-+ }
-+ }
-+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-+ # Check to see if certificates and/or CRLs present.
-+ my ($cert, $crl) = check_file($fname);
-+ if (!$cert && !$crl) {
-+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-+ next;
-+ }
-+ link_hash_cert($fname) if ($cert);
-+ link_hash_crl($fname) if ($crl);
-+ }
-+
-+ chdir $pwd;
- }
-
- sub check_file {
-- my ($is_cert, $is_crl) = (0,0);
-- my $fname = $_[0];
-- open IN, $fname;
-- while() {
-- if (/^-----BEGIN (.*)-----/) {
-- my $hdr = $1;
-- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-- $is_cert = 1;
-- last if ($is_crl);
-- } elsif ($hdr eq "X509 CRL") {
-- $is_crl = 1;
-- last if ($is_cert);
-- }
-- }
-- }
-- close IN;
-- return ($is_cert, $is_crl);
-+ my ($is_cert, $is_crl) = (0,0);
-+ my $fname = $_[0];
-+
-+ open(my $in, "<", $fname);
-+ while(<$in>) {
-+ if (/^-----BEGIN (.*)-----/) {
-+ my $hdr = $1;
-+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-+ $is_cert = 1;
-+ last if ($is_crl);
-+ } elsif ($hdr eq "X509 CRL") {
-+ $is_crl = 1;
-+ last if ($is_cert);
-+ }
-+ }
-+ }
-+ close $in;
-+ return ($is_cert, $is_crl);
- }
-
- sub compute_hash {
-@@ -177,76 +203,48 @@ sub compute_hash {
- # certificate fingerprints
-
- sub link_hash_cert {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "copy $fname -> $hash\n" if $verbose;
-- if (open($in, "<", $fname)) {
-- if (open($out,">", $hash)) {
-- print $out $_ while (<$in>);
-- close $out;
-- } else {
-- warn "can't open $hash for write, $!";
-- }
-- close $in;
-- } else {
-- warn "can't open $fname for read, $!";
-- }
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'cert');
- }
-
- # Same as above except for a CRL. CRL links are of the form .r
-
- sub link_hash_crl {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.r$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".r$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "cp $fname -> $hash\n" if $verbose;
-- system ("cp", $fname, $hash);
-- warn "Can't copy, $!" if ($? >> 8) != 0;
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'crl');
-+}
-+
-+sub link_hash {
-+ my ($fname, $type) = @_;
-+ my $is_cert = $type eq 'cert';
-+
-+ my ($hash, $fprint) = compute_hash($openssl,
-+ $is_cert ? "x509" : "crl",
-+ $is_cert ? $x509hash : $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
-+ chomp $hash;
-+ chomp $fprint;
-+ return if !$hash;
-+ $fprint =~ s/^.*=//;
-+ $fprint =~ tr/://d;
-+ my $suffix = 0;
-+ # Search for an unused hash filename
-+ my $crlmark = $is_cert ? "" : "r";
-+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-+ # Hash matches: if fingerprint matches its a duplicate cert
-+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-+ my $what = $is_cert ? 'certificate' : 'CRL';
-+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
-+ return;
-+ }
-+ $suffix++;
-+ }
-+ $hash .= ".$crlmark$suffix";
-+ if ($symlink_exists) {
-+ print "link $fname -> $hash\n" if $verbose;
-+ symlink $fname, $hash || warn "Can't symlink, $!";
-+ } else {
-+ print "copy $fname -> $hash\n" if $verbose;
-+ copy_file($fname, $hash);
-+ }
-+ $hashlist{$hash} = $fprint;
- }
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
deleted file mode 100644
index aa5bbb604..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky
-Date: Thu, 16 Jun 2022 12:00:22 +1000
-Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
-that performs operations on 6 16-byte blocks concurrently (the
-"grandloop") and then proceeds to handle the "short" tail (which can
-be anywhere from 0 to 5 blocks) that remain.
-
-As part of initialization, the assembly initializes $len to the true
-length, less 96 bytes and converts it to a pointer so that the $inp
-can be compared to it. Each iteration of "grandloop" checks to see if
-there's a full 96-byte chunk to process, and if so, continues. Once
-this has been exhausted, it falls through to "short", which handles
-the remaining zero to five blocks.
-
-Unfortunately, the jump at the end of "grandloop" had a fencepost
-error, doing a `jb` ("jump below") rather than `jbe` (jump below or
-equal). This should be `jbe`, as $inp is pointing to the *end* of the
-chunk currently being handled. If $inp == $len, that means that
-there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
-then there's 5 or fewer 16-byte blocks left to be handled, and the
-fall-through is intended.
-
-The net effect of `jb` instead of `jbe` is that the last 16-byte block
-of the last 96-byte chunk was completely omitted. The contents of
-`out` in this position were never written to. Additionally, since
-those bytes were never processed, the authentication tag generated is
-also incorrect.
-
-The same fencepost error, and identical logic, exists in both
-aesni_ocb_encrypt and aesni_ocb_decrypt.
-
-This addresses CVE-2022-2097.
-
-Co-authored-by: Alejandro Sedeño
-Co-authored-by: David Benjamin
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
----
- crypto/aes/asm/aesni-x86.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
-index fe2b26542a..812758e02e 100644
---- a/crypto/aes/asm/aesni-x86.pl
-+++ b/crypto/aes/asm/aesni-x86.pl
-@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
- &movdqu (&QWP(-16*2,$out,$inp),$inout4);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
-
- &set_label("short");
- &add ($len,16*6);
-@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
- &pxor ($rndkey1,$inout5);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
-
- &set_label("short");
- &add ($len,16*6);
---
-2.25.1
-
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
new file mode 100644
index 000000000..8e8d4f2a5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-2975.patch
@@ -0,0 +1,58 @@
+From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Upstream-Status: Accepted [https://github.com/openssl/openssl/pull/21384]
+Reviewed-by: Matt Caswell
+Reviewed-by: Paul Dale
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+---
+ .../implementations/ciphers/cipher_aes_siv.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
+index 45010b90db..b396c8651a 100644
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
++++ b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
+ if (!ossl_prov_is_running())
+ return 0;
+
+- if (inl == 0) {
+- *outl = 0;
+- return 1;
+- }
++ /* Ignore just empty encryption/decryption call and not AAD. */
++ if (out != NULL) {
++ if (inl == 0) {
++ if (outl != NULL)
++ *outl = 0;
++ return 1;
++ }
+
+- if (outsize < inl) {
+- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+- return 0;
++ if (outsize < inl) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++ return 0;
++ }
+ }
+
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
new file mode 100644
index 000000000..ff1e415c5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3446.patch
@@ -0,0 +1,76 @@
+From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Upstream-Status: Accepted [https://github.com/openssl/openssl/pull/21451]
+
+Reviewed-by: Paul Dale
+Reviewed-by: Tom Cosgrove
+Reviewed-by: Bernd Edlinger
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/21451)
+
+(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
+---
+ crypto/dh/dh_check.c | 6 ++++++
+ include/openssl/dh.h | 6 +++++-
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 0b391910d6..84a926998e 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
+ if (nid != NID_undef)
+ return 1;
+
++ /* Don't do any checks at all with an excessively large modulus */
++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ if (!DH_check_params(dh, ret))
+ return 0;
+
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index b97871eca7..36420f51d8 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
+ # include
+
+ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
+-# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++# endif
++
++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
+ # endif
+
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch
new file mode 100644
index 000000000..ded0a0eb1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-3817.patch
@@ -0,0 +1,61 @@
+From 6a1eb62c29db6cb5eec707f9338aee00f44e26f5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 25 Jul 2023 15:22:48 +0200
+Subject: [PATCH] DH_check(): Do not try checking q properties if it is
+ obviously invalid
+
+If |q| >= |p| then the q value is obviously wrong as q
+is supposed to be a prime divisor of p-1.
+
+We check if p is overly large so this added test implies that
+q is not large either when performing subsequent tests using that
+q value.
+
+Otherwise if it is too large these additional checks of the q value
+such as the primality test can then trigger DoS by doing overly long
+computations.
+
+Fixes CVE-2023-3817
+
+Upstream-Status: Accepted [https://github.com/openssl/openssl/pull/21550]
+Reviewed-by: Matt Caswell
+Reviewed-by: Paul Dale
+Reviewed-by: Tom Cosgrove
+Reviewed-by: Todd Short
+(Merged from https://github.com/openssl/openssl/pull/21550)
+
+(cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
+---
+ crypto/dh/dh_check.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index aef6f9b1b7..fbe2797569 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
+ #ifdef FIPS_MODULE
+ return DH_check_params(dh, ret);
+ #else
+- int ok = 0, r;
++ int ok = 0, r, q_good = 0;
+ BN_CTX *ctx = NULL;
+ BIGNUM *t1 = NULL, *t2 = NULL;
+ int nid = DH_get_nid((DH *)dh);
+@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
+ goto err;
+
+ if (dh->params.q != NULL) {
++ if (BN_ucmp(dh->params.p, dh->params.q) > 0)
++ q_good = 1;
++ else
++ *ret |= DH_CHECK_INVALID_Q_VALUE;
++ }
++
++ if (q_good) {
+ if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch
new file mode 100644
index 000000000..60797cd1a
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5363.patch
@@ -0,0 +1,81 @@
+From 0df40630850fb2740e6be6890bb905d3fc623b2d Mon Sep 17 00:00:00 2001
+From: Pauli
+Date: Fri, 6 Oct 2023 10:26:23 +1100
+Subject: [PATCH] evp: process key length and iv length early if present
+
+evp_cipher_init_internal() takes a params array argument and this is processed
+late in the initialisation process for some ciphers (AEAD ones).
+
+This means that changing the IV length as a parameter will either truncate the
+IV (very bad if SP 800-38d section 8.2.1 is used) or grab extra uninitialised
+bytes.
+
+Truncation is very bad if SP 800-38d section 8.2.1 is being used to
+contruct a deterministic IV. This leads to an instant loss of confidentiality.
+
+Grabbing extra bytes isn't so serious, it will most likely result in a bad
+decryption.
+
+Problem reported by Tony Battersby of Cybernetics.com but earlier discovered
+and raised as issue #19822.
+
+Fixes CVE-2023-5363
+Fixes #19822
+
+Reviewed-by: Hugo Landau
+Reviewed-by: Matt Caswell
+(cherry picked from commit 5f69f5c65e483928c4b28ed16af6e5742929f1ee)
+---
+ crypto/evp/evp_enc.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
+index d2ed3fd378..6a819590e6 100644
+--- a/crypto/evp/evp_enc.c
++++ b/crypto/evp/evp_enc.c
+@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx,
+ return 0;
+ }
+
++#ifndef FIPS_MODULE
++ /*
++ * Fix for CVE-2023-5363
++ * Passing in a size as part of the init call takes effect late
++ * so, force such to occur before the initialisation.
++ *
++ * The FIPS provider's internal library context is used in a manner
++ * such that this is not an issue.
++ */
++ if (params != NULL) {
++ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END,
++ OSSL_PARAM_END };
++ OSSL_PARAM *q = param_lens;
++ const OSSL_PARAM *p;
++
++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN);
++ if (p != NULL)
++ memcpy(q++, p, sizeof(*q));
++
++ /*
++ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for
++ * OSSL_CIPHER_PARAM_IVLEN so both are covered here.
++ */
++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN);
++ if (p != NULL)
++ memcpy(q++, p, sizeof(*q));
++
++ if (q != param_lens) {
++ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) {
++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH);
++ return 0;
++ }
++ }
++ }
++#endif
++
+ if (enc) {
+ if (ctx->cipher->einit == NULL) {
+ ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
new file mode 100644
index 000000000..afb23ade3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
@@ -0,0 +1,177 @@
+From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
+From: Richard Levitte
+Date: Fri, 20 Oct 2023 09:18:19 +0200
+Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
+
+We already check for an excessively large P in DH_generate_key(), but not in
+DH_check_pub_key(), and none of them check for an excessively large Q.
+
+This change adds all the missing excessive size checks of P and Q.
+
+It's to be noted that behaviours surrounding excessively sized P and Q
+differ. DH_check() raises an error on the excessively sized P, but only
+sets a flag for the excessively sized Q. This behaviour is mimicked in
+DH_check_pub_key().
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Matt Caswell
+Reviewed-by: Hugo Landau
+(Merged from https://github.com/openssl/openssl/pull/22518)
+
+(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
+---
+ crypto/dh/dh_check.c | 12 ++++++++++++
+ crypto/dh/dh_err.c | 3 ++-
+ crypto/dh/dh_key.c | 12 ++++++++++++
+ crypto/err/openssl.txt | 1 +
+ include/crypto/dherr.h | 2 +-
+ include/openssl/dh.h | 6 +++---
+ include/openssl/dherr.h | 3 ++-
+ 7 files changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 7ba2beae7f..e20eb62081 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
+ */
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
++ /* Don't do any checks at all with an excessively large modulus */
++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
++ return 0;
++ }
++
++ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
++ return 1;
++ }
++
+ return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
+ }
+
+diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+index 4152397426..f76ac0dd14 100644
+--- a/crypto/dh/dh_err.c
++++ b/crypto/dh/dh_err.c
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+ "parameter encoding error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
+ "unable to check generator"},
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index d84ea99241..afc49f5cdc 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+ goto err;
+ }
+
++ if (dh->params.q != NULL
++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++ goto err;
++ }
++
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+ return 0;
+@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
+ return 0;
+ }
+
++ if (dh->params.q != NULL
++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++ return 0;
++ }
++
+ if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+ return 0;
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index e51504b7ab..36de321b74 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DH_R_PEER_KEY_ERROR:111:peer key error
++DH_R_Q_TOO_LARGE:130:q too large
+ DH_R_SHARED_INFO_ERROR:113:shared info error
+ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+ DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
+diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
+index bb24d131eb..519327f795 100644
+--- a/include/crypto/dherr.h
++++ b/include/crypto/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index 6533260f20..50e0cf54be 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
+ # define DH_GENERATOR_3 3
+ # define DH_GENERATOR_5 5
+
+-/* DH_check error codes */
++/* DH_check error codes, some of them shared with DH_check_pub_key */
+ /*
+ * NB: These values must align with the equivalently named macros in
+ * internal/ffc.h.
+@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
+ # define DH_UNABLE_TO_CHECK_GENERATOR 0x04
+ # define DH_NOT_SUITABLE_GENERATOR 0x08
+ # define DH_CHECK_Q_NOT_PRIME 0x10
+-# define DH_CHECK_INVALID_Q_VALUE 0x20
++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
+ # define DH_CHECK_INVALID_J_VALUE 0x40
+ # define DH_MODULUS_TOO_SMALL 0x80
+-# define DH_MODULUS_TOO_LARGE 0x100
++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
+
+ /* DH_check_pub_key error codes */
+ # define DH_CHECK_PUBKEY_TOO_SMALL 0x01
+diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+index 5d2a762a96..074a70145f 100644
+--- a/include/openssl/dherr.h
++++ b/include/openssl/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+ * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+@@ -50,6 +50,7 @@
+ # define DH_R_NO_PRIVATE_VALUE 100
+ # define DH_R_PARAMETER_ENCODING_ERROR 105
+ # define DH_R_PEER_KEY_ERROR 111
++# define DH_R_Q_TOO_LARGE 130
+ # define DH_R_SHARED_INFO_ERROR 113
+ # define DH_R_UNABLE_TO_CHECK_GENERATOR 121
+
+--
+2.34.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
new file mode 100644
index 000000000..8c8e0ba21
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
@@ -0,0 +1,120 @@
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Hugo Landau
+Reviewed-by: Neil Horman
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+---
+ crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c | 5 +++++
+ crypto/pkcs12/p12_npas.c | 5 +++--
+ crypto/pkcs7/pk7_mime.c | 7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
+index 6fd4184af5a52..80ce31b3bca66 100644
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p7->d.data == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+
+@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
+ {
+ if (!PKCS7_type_is_encrypted(p7))
+ return NULL;
++
++ if (p7->d.encrypted == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
+ ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+ pass, passlen,
+@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p12->authsafes->d.data == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ p7s = ASN1_item_unpack(p12->authsafes->d.data,
+ ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ if (p7s != NULL) {
+diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
+index 67a885a45f89e..68ff54d0e90ee 100644
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
+ return 0;
+ }
+
++ if (p12->authsafes->d.data == NULL) {
++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
++ return 0;
++ }
++
+ salt = p12->mac->salt->data;
+ saltlen = p12->mac->salt->length;
+ if (p12->mac->iter == NULL)
+diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
+index 62230bc6187ff..1e5b5495991a4 100644
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
+ bags = PKCS12_unpack_p7data(p7);
+ } else if (bagnid == NID_pkcs7_encrypted) {
+ bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+- &pbe_nid, &pbe_iter, &pbe_saltlen))
++ if (p7->d.encrypted == NULL
++ || !alg_get(p7->d.encrypted->enc_data->algorithm,
++ &pbe_nid, &pbe_iter, &pbe_saltlen))
+ goto err;
+ } else {
+ continue;
+diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
+index 49a0da5f819c4..8228315eeaa3a 100644
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
+ int ctype_nid = OBJ_obj2nid(p7->type);
+ const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
+
+- if (ctype_nid == NID_pkcs7_signed)
++ if (ctype_nid == NID_pkcs7_signed) {
++ if (p7->d.sign == NULL)
++ return 0;
+ mdalgs = p7->d.sign->md_algs;
+- else
++ } else {
+ mdalgs = NULL;
++ }
+
+ flags ^= SMIME_OLDMIME;
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index b7c0e9697..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton
-
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
---- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
- $config{afalgeng}="";
- if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
-- my $minver = 4*10000 + 1*100 + 0;
-- if ($config{CROSS_COMPILE} eq "") {
-- my $verstr = `uname -r`;
-- my ($ma, $mi1, $mi2) = split("\\.", $verstr);
-- ($mi2) = $mi2 =~ /(\d+)/;
-- my $ver = $ma*10000 + $mi1*100 + $mi2;
-- if ($ver < $minver) {
-- disable('too-old-kernel', 'afalgeng');
-- } else {
-- push @{$config{engdirs}}, "afalg";
-- }
-- } else {
-- disable('cross-compiling', 'afalgeng');
-- }
-+ push @{$config{engdirs}}, "afalg";
- } else {
- disable('not-linux', 'afalgeng');
- }
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch
new file mode 100644
index 000000000..78dcd8168
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/fix_random_labels.patch
@@ -0,0 +1,22 @@
+The perl script adds random suffixes to the local function names to ensure
+it doesn't clash with other parts of openssl. Set the random number seed
+to something predictable so the assembler files are generated consistently
+and our own reproducible builds tests pass.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie
+
+Index: openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
+===================================================================
+--- openssl-3.1.0.orig/crypto/modes/asm/aes-gcm-avx512.pl
++++ openssl-3.1.0/crypto/modes/asm/aes-gcm-avx512.pl
+@@ -191,6 +191,9 @@ my $CTX_OFFSET_HTable = (16 * 6);
+ # ;;; Helper functions
+ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
++# Ensure the local labels are reproduicble
++srand(10000);
++
+ # ; Generates "random" local labels
+ sub random_string() {
+ my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch
deleted file mode 100644
index a24260c95..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/reproducible.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-The value for perl_archname can vary depending on the host, e.g.
-x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which
-makes the ptest package non-reproducible. Its unused other than
-these references so drop it.
-
-RP 2020/2/6
-
-Upstream-Status: Pending
-Signed-off-by: Richard Purdie
-
-Index: openssl-1.1.1d/Configure
-===================================================================
---- openssl-1.1.1d.orig/Configure
-+++ openssl-1.1.1d/Configure
-@@ -286,7 +286,7 @@ if (defined env($local_config_envname))
- # Save away perl command information
- $config{perl_cmd} = $^X;
- $config{perl_version} = $Config{version};
--$config{perl_archname} = $Config{archname};
-+#$config{perl_archname} = $Config{archname};
-
- $config{prefix}="";
- $config{openssldir}="";
-@@ -2517,7 +2517,7 @@ _____
- @{$config{perlargv}}), "\n";
- print "\nPerl information:\n\n";
- print ' ',$config{perl_cmd},"\n";
-- print ' ',$config{perl_version},' for ',$config{perl_archname},"\n";
-+ print ' ',$config{perl_version},"\n";
- }
- if ($dump || $options) {
- my $longest = 0;
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest
index 3fb22471f..8dff79101 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/run-ptest
@@ -9,4 +9,4 @@ export TOP=.
# OPENSSL_ENGINES is relative from the test binaries
export OPENSSL_ENGINES=../engines
-perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'
+perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb
deleted file mode 100644
index 5353a9421..000000000
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1v.bb
+++ /dev/null
@@ -1,252 +0,0 @@
-SUMMARY = "Secure Socket Layer"
-DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
-HOMEPAGE = "http://www.openssl.org/"
-BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
-SECTION = "libs/network"
-
-# "openssl" here actually means both OpenSSL and SSLeay licenses apply
-# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
-LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
-
-DEPENDS = "hostperl-runtime-native"
-
-PV = "1.0+git${SRCPV}"
-
-S = "${WORKDIR}/git"
-
-SRCREV = "5dae6451aac56bdf5be8dc5f20519da0bc55451a"
-
-SRC_URI = "git://github.com/openssl/openssl.git;branch=OpenSSL_1_1_1-stable;protocol=https \
- file://run-ptest \
- file://0001-skip-test_symbol_presence.patch \
- file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
- file://afalg.patch \
- file://reproducible.patch \
- "
-
-SRC_URI:append:class-nativesdk = " \
- file://environment.d-openssl.sh \
- "
-
-SRC_URI:append:riscv32 = " \
- file://0003-Add-support-for-io_pgetevents_time64-syscall.patch \
- file://0004-Fixup-support-for-io_pgetevents_time64-syscall.patch \
- "
-
-inherit lib_package multilib_header multilib_script ptest
-MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-
-PACKAGECONFIG ?= ""
-PACKAGECONFIG:class-native = ""
-PACKAGECONFIG:class-nativesdk = ""
-
-PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
-PACKAGECONFIG[no-tls1] = "no-tls1"
-PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
-
-B = "${WORKDIR}/build"
-do_configure[cleandirs] = "${B}"
-
-#| ./libcrypto.so: undefined reference to `getcontext'
-#| ./libcrypto.so: undefined reference to `setcontext'
-#| ./libcrypto.so: undefined reference to `makecontext'
-EXTRA_OECONF:append:libc-musl = " no-async"
-EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
-
-# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
-# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
-
-# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-
-# Disable deprecated crypto algorithms
-# Retained for compatibilty
-# des (curl)
-# dh (python-ssl)
-# dsa (rpm)
-# md4 (cyrus-sasl freeradius hostapd)
-# bf (wvstreams postgresql x11vnc crda znc cfengine)
-# rc4 (freerdp librtorrent ettercap xrdp transmission pam-ssh-agent-auth php)
-# rc2 (mailx)
-# psk (qt5)
-# srp (libest)
-# whirlpool (qca)
-DEPRECATED_CRYPTO_FLAGS = "no-ssl no-idea no-rc5 no-md2 no-camellia no-mdc2 no-scrypt no-seed no-siphash no-sm2 no-sm3 no-sm4"
-
-do_configure () {
- os=${HOST_OS}
- case $os in
- linux-gnueabi |\
- linux-gnuspe |\
- linux-musleabi |\
- linux-muslspe |\
- linux-musl )
- os=linux
- ;;
- *)
- ;;
- esac
- target="$os-${HOST_ARCH}"
- case $target in
- linux-arm*)
- target=linux-armv4
- ;;
- linux-aarch64*)
- target=linux-aarch64
- ;;
- linux-i?86 | linux-viac3)
- target=linux-x86
- ;;
- linux-gnux32-x86_64 | linux-muslx32-x86_64 )
- target=linux-x32
- ;;
- linux-gnu64-x86_64)
- target=linux-x86_64
- ;;
- linux-mips | linux-mipsel)
- # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
- target="linux-mips32 ${TARGET_CC_ARCH}"
- ;;
- linux-gnun32-mips*)
- target=linux-mips64
- ;;
- linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
- target=linux64-mips64
- ;;
- linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
- target=linux-generic32
- ;;
- linux-powerpc)
- target=linux-ppc
- ;;
- linux-powerpc64)
- target=linux-ppc64
- ;;
- linux-powerpc64le)
- target=linux-ppc64le
- ;;
- linux-riscv32)
- target=linux-generic32
- ;;
- linux-riscv64)
- target=linux-generic64
- ;;
- linux-sparc | linux-supersparc)
- target=linux-sparcv9
- ;;
- mingw32-x86_64)
- target=mingw64
- ;;
- esac
-
- useprefix=${prefix}
- if [ "x$useprefix" = "x" ]; then
- useprefix=/
- fi
- # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
- # environment variables set by bitbake. Adjust the environment variables instead.
- HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
- perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
- perl ${B}/configdata.pm --dump
-}
-
-do_install () {
- oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
-
- oe_multilib_header openssl/opensslconf.h
-
- # Create SSL structure for packages such as ca-certificates which
- # contain hard-coded paths to /etc/ssl. Debian does the same.
- install -d ${D}${sysconfdir}/ssl
- mv ${D}${libdir}/ssl-1.1/certs \
- ${D}${libdir}/ssl-1.1/private \
- ${D}${libdir}/ssl-1.1/openssl.cnf \
- ${D}${sysconfdir}/ssl/
-
- # Although absolute symlinks would be OK for the target, they become
- # invalid if native or nativesdk are relocated from sstate.
- ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs
- ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private
- ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf
-}
-
-do_install:append:class-native () {
- create_wrapper ${D}${bindir}/openssl \
- OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
- SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
- SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
- OPENSSL_ENGINES=${libdir}/engines-1.1
-}
-
-do_install:append:class-nativesdk () {
- mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
- install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
- sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-}
-
-PTEST_BUILD_HOST_FILES += "configdata.pm"
-PTEST_BUILD_HOST_PATTERN = "perl_version ="
-do_install_ptest () {
- # Prune the build tree
- rm -f ${B}/fuzz/*.* ${B}/test/*.*
-
- cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
- cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
-
- # For test_shlibload
- ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
- ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
-
- install -d ${D}${PTEST_PATH}/apps
- ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
- install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
- install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
-
- install -d ${D}${PTEST_PATH}/engines
- install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
-
- # seems to be needed with perl 5.32.1
- install -d ${D}${PTEST_PATH}/util/perl/recipes
- cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
-}
-
-# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
-# package RRECOMMENDS on this package. This will enable the configuration
-# file to be installed for both the openssl-bin package and the libcrypto
-# package since the openssl-bin package depends on the libcrypto package.
-
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
-
-FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
-FILES:libssl = "${libdir}/libssl${SOLIBS}"
-FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
- ${libdir}/ssl-1.1/openssl.cnf* \
- "
-FILES:${PN}-engines = "${libdir}/engines-1.1"
-# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
-FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-1_1"
-FILES:${PN}-misc = "${libdir}/ssl-1.1/misc ${bindir}/c_rehash"
-FILES:${PN} =+ "${libdir}/ssl-1.1/*"
-FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
-
-CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
-
-RRECOMMENDS:libcrypto += "openssl-conf"
-RDEPENDS:${PN}-misc = "perl"
-RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash"
-
-RDEPENDS:${PN}-bin += "openssl-conf"
-
-BBCLASSEXTEND = "native nativesdk"
-
-CVE_PRODUCT = "openssl:openssl"
-
-CVE_VERSION_SUFFIX = "alphabetical"
-
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
-# Apache in meta-webserver is already recent enough
-CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb
new file mode 100644
index 000000000..42157af0f
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -0,0 +1,268 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
+
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+ file://run-ptest \
+ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+ file://0001-Configure-do-not-tweak-mips-cflags.patch \
+ file://fix_random_labels.patch \
+ "
+
+SRC_URI += " \
+ file://CVE-2023-5678.patch \
+ file://CVE-2023-2975.patch \
+ file://CVE-2023-3446.patch \
+ file://CVE-2023-3817.patch \
+ file://CVE-2023-5363.patch \
+ file://CVE-2024-0727.patch \
+ "
+
+SRC_URI:append:class-nativesdk = " \
+ file://environment.d-openssl.sh \
+ "
+
+SRC_URI[sha256sum] = "b3aa61334233b852b63ddb048df181177c2c659eb9d4376008118f9c08d07674"
+
+inherit lib_package multilib_header multilib_script ptest perlnative
+MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""
+
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+
+B = "${WORKDIR}/build"
+do_configure[cleandirs] = "${B}"
+
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF:append:libc-musl = " no-async"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
+
+# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
+
+do_configure () {
+ # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+ # the issue really clear that perl isn't functional due to symbol mismatch issues.
+ cat <<- EOF > ${WORKDIR}/perltest
+ #!/usr/bin/env perl
+ use POSIX;
+ EOF
+ chmod a+x ${WORKDIR}/perltest
+ ${WORKDIR}/perltest
+
+ os=${HOST_OS}
+ case $os in
+ linux-gnueabi |\
+ linux-gnuspe |\
+ linux-musleabi |\
+ linux-muslspe |\
+ linux-musl )
+ os=linux
+ ;;
+ *)
+ ;;
+ esac
+ target="$os-${HOST_ARCH}"
+ case $target in
+ linux-arc | linux-microblaze*)
+ target=linux-latomic
+ ;;
+ linux-arm*)
+ target=linux-armv4
+ ;;
+ linux-aarch64*)
+ target=linux-aarch64
+ ;;
+ linux-i?86 | linux-viac3)
+ target=linux-x86
+ ;;
+ linux-gnux32-x86_64 | linux-muslx32-x86_64 )
+ target=linux-x32
+ ;;
+ linux-gnu64-x86_64)
+ target=linux-x86_64
+ ;;
+ linux-mips | linux-mipsel)
+ # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+ target="linux-mips32 ${TARGET_CC_ARCH}"
+ ;;
+ linux-gnun32-mips*)
+ target=linux-mips64
+ ;;
+ linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
+ target=linux64-mips64
+ ;;
+ linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+ target=linux-generic32
+ ;;
+ linux-powerpc)
+ target=linux-ppc
+ ;;
+ linux-powerpc64)
+ target=linux-ppc64
+ ;;
+ linux-powerpc64le)
+ target=linux-ppc64le
+ ;;
+ linux-riscv32)
+ target=linux-latomic
+ ;;
+ linux-riscv64)
+ target=linux-generic64
+ ;;
+ linux-sparc | linux-supersparc)
+ target=linux-sparcv9
+ ;;
+ mingw32-x86_64)
+ target=mingw64
+ ;;
+ esac
+
+ useprefix=${prefix}
+ if [ "x$useprefix" = "x" ]; then
+ useprefix=/
+ fi
+ # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+ # environment variables set by bitbake. Adjust the environment variables instead.
+ PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+ test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+ HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+ perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+ perl ${B}/configdata.pm --dump
+}
+
+do_install () {
+ oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
+
+ oe_multilib_header openssl/opensslconf.h
+ oe_multilib_header openssl/configuration.h
+
+ # Create SSL structure for packages such as ca-certificates which
+ # contain hard-coded paths to /etc/ssl. Debian does the same.
+ install -d ${D}${sysconfdir}/ssl
+ mv ${D}${libdir}/ssl-3/certs \
+ ${D}${libdir}/ssl-3/private \
+ ${D}${libdir}/ssl-3/openssl.cnf \
+ ${D}${sysconfdir}/ssl/
+
+ # Although absolute symlinks would be OK for the target, they become
+ # invalid if native or nativesdk are relocated from sstate.
+ ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+ ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+ ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+}
+
+do_install:append:class-native () {
+ create_wrapper ${D}${bindir}/openssl \
+ OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
+ SSL_CERT_DIR=${libdir}/ssl-3/certs \
+ SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
+ OPENSSL_ENGINES=${libdir}/engines-3 \
+ OPENSSL_MODULES=${libdir}/ossl-modules
+}
+
+do_install:append:class-nativesdk () {
+ mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+ install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+ sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+}
+
+PTEST_BUILD_HOST_FILES += "configdata.pm"
+PTEST_BUILD_HOST_PATTERN = "perl_version ="
+do_install_ptest () {
+ install -d ${D}${PTEST_PATH}/test
+ install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+ install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
+
+ # Prune the build tree
+ rm -f ${B}/fuzz/*.* ${B}/test/*.*
+
+ cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+ sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
+ cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
+
+ # For test_shlibload
+ ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
+ ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+
+ install -d ${D}${PTEST_PATH}/apps
+ ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
+ install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
+ install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
+
+ install -d ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
+ install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
+
+ install -d ${D}${PTEST_PATH}/providers
+ install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+
+ install -d ${D}${PTEST_PATH}/Configurations
+ cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
+
+ # seems to be needed with perl 5.32.1
+ install -d ${D}${PTEST_PATH}/util/perl/recipes
+ cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+
+ sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+}
+
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the openssl-bin package and the libcrypto
+# package since the openssl-bin package depends on the libcrypto package.
+
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
+ ${libdir}/ssl-3/openssl.cnf* \
+ "
+FILES:${PN}-engines = "${libdir}/engines-3"
+# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RDEPENDS:${PN}-misc = "perl"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
+
+RDEPENDS:${PN}-bin += "openssl-conf"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "openssl:openssl"
+
+CVE_VERSION_SUFFIX = "alphabetical"
+
+# Apache in meta-webserver is already recent enough
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch
new file mode 100644
index 000000000..7547770d3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-48174.patch
@@ -0,0 +1,80 @@
+From e39d97700f78586fcbf0837478681ec481433b94 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko
+Date: Mon, 12 Jun 2023 17:48:47 +0200
+Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
+
+function old new delta
+evaluate_string 1011 1053 +42
+
+Signed-off-by: Denys Vlasenko
+---
+ shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
+ 1 file changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 2942cdd..e9bd62b 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -582,6 +582,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
+ # endif
+ #endif
+
++//TODO: much better estimation than expr_len/2? Such as:
++//static unsigned estimate_nums_and_names(const char *expr)
++//{
++// unsigned count = 0;
++// while (*(expr = skip_whitespace(expr)) != '\0') {
++// const char *p;
++// if (isdigit(*expr)) {
++// while (isdigit(*++expr))
++// continue;
++// count++;
++// continue;
++// }
++// p = endofname(expr);
++// if (p != expr) {
++// expr = p;
++// count++;
++// continue;
++// }
++// }
++// return count;
++//}
++
+ static arith_t
+ evaluate_string(arith_state_t *math_state, const char *expr)
+ {
+@@ -589,10 +611,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ const char *errmsg;
+ const char *start_expr = expr = skip_whitespace(expr);
+ unsigned expr_len = strlen(expr) + 2;
+- /* Stack of integers */
+- /* The proof that there can be no more than strlen(startbuf)/2+1
+- * integers in any given correct or incorrect expression
+- * is left as an exercise to the reader. */
++ /* Stack of integers/names */
++ /* There can be no more than strlen(startbuf)/2+1
++ * integers/names in any given correct or incorrect expression.
++ * (modulo "09v09v09v09v09v" case,
++ * but we have code to detect that early)
++ */
+ var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+@@ -661,6 +685,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ numstackptr->var = NULL;
+ errno = 0;
+ numstackptr->val = strto_arith_t(expr, (char**) &expr);
++ /* A number can't be followed by another number, or a variable name.
++ * We'd catch this later anyway, but this would require numstack[]
++ * to be twice as deep to handle strings where _every_ char is
++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
++ */
++ if (isalnum(*expr) || *expr == '_')
++ goto err;
+ if (errno)
+ numstackptr->val = 0; /* bash compat */
+ goto num;
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg
index 2550ffaf5..f94ca156d 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/disable.cfg
@@ -4,3 +4,5 @@ CONFIG_TELNET=n
CONFIG_TFTP=n
CONFIG_WGET=n
CONFIG_UDHCPD=n
+#To mitigate cpio utility CVE, 2023-39810
+CONFIG_CPIO=n
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
index b9c654068..d6c8fcc36 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
@@ -5,6 +5,7 @@ SRC_URI += " \
file://CVE-2022-28391_1.patch \
file://CVE-2022-28391_2.patch \
file://CVE-2022-30065.patch \
+ file://CVE-2022-48174.patch \
"
SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
deleted file mode 100644
index 80ddcb4f2..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
-From: Rhodri James
-Date: Wed, 17 Aug 2022 18:26:18 +0100
-Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
-
-It is possible to concoct a situation in which parsing is
-suspended while substituting in an internal entity, so that
-XML_ResumeParser directly uses internalEntityProcessor as
-its processor. If the subsequent parse includes some unclosed
-tags, this will return without calling storeRawNames to ensure
-that the raw versions of the tag names are stored in memory other
-than the parse buffer itself. If the parse buffer is then changed
-or reallocated (for example if processing a file line by line),
-badness will ensue.
-
-This patch ensures storeRawNames is always called when needed
-after calling doContent. The earlier call do doContent does
-not need the same protection; it only deals with entity
-substitution, which cannot leave unbalanced tags, and in any
-case the raw names will be pointing into the stored entity
-value not the parse buffer.
----
- lib/xmlparse.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 7bcabf7f4..d73f419cf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
- {
- parser->m_processor = contentProcessor;
- /* see externalEntityContentProcessor vs contentProcessor */
-- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
-- s, end, nextPtr,
-- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
-- XML_ACCOUNT_DIRECT);
-+ result = doContent(parser, parser->m_parentParser ? 1 : 0,
-+ parser->m_encoding, s, end, nextPtr,
-+ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
-+ XML_ACCOUNT_DIRECT);
-+ if (result == XML_ERROR_NONE) {
-+ if (! storeRawNames(parser))
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+ return result;
- }
- }
-
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
deleted file mode 100644
index affd97faf..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From a7ce80a013f2a08cb1ac4aac368f2250eea03ebf Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping
-Date: Sun, 11 Sep 2022 19:34:33 +0200
-Subject: [PATCH 1/2] tests: Cover heap use-after-free issue in doContent
-
----
- tests/runtests.c | 74 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 74 insertions(+)
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index ea371b42f..ab3aff65b 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -4990,6 +4990,78 @@ START_TEST(test_suspend_resume_internal_entity) {
- }
- END_TEST
-
-+void
-+suspending_comment_handler(void *userData, const XML_Char *data) {
-+ UNUSED_P(data);
-+ XML_Parser parser = (XML_Parser)userData;
-+ XML_StopParser(parser, XML_TRUE);
-+}
-+
-+START_TEST(test_suspend_resume_internal_entity_issue_629) {
-+ const char *const text
-+ = "a'>]>&e;\n"
-+ "<"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "/>"
-+ "";
-+ const size_t firstChunkSizeBytes = 54;
-+
-+ XML_Parser parser = XML_ParserCreate(NULL);
-+ XML_SetUserData(parser, parser);
-+ XML_SetCommentHandler(parser, suspending_comment_handler);
-+
-+ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
-+ != XML_STATUS_SUSPENDED)
-+ xml_failure(parser);
-+ if (XML_ResumeParser(parser) != XML_STATUS_OK)
-+ xml_failure(parser);
-+ if (XML_Parse(parser, text + firstChunkSizeBytes,
-+ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
-+ != XML_STATUS_OK)
-+ xml_failure(parser);
-+ XML_ParserFree(parser);
-+}
-+END_TEST
-+
- /* Test syntax error is caught at parse resumption */
- START_TEST(test_resume_entity_with_syntax_error) {
- const char *text = "
-Date: Tue, 20 Sep 2022 02:44:34 +0200
-Subject: [PATCH 1/3] lib: Fix overeager DTD destruction in
- XML_ExternalEntityParserCreate
-
----
- lib/xmlparse.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index aacd6e7fc..57bf103cc 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -1068,6 +1068,14 @@ parserCreate(const XML_Char *encodingName,
- parserInit(parser, encodingName);
-
- if (encodingName && ! parser->m_protocolEncodingName) {
-+ if (dtd) {
-+ // We need to stop the upcoming call to XML_ParserFree from happily
-+ // destroying parser->m_dtd because the DTD is shared with the parent
-+ // parser and the only guard that keeps XML_ParserFree from destroying
-+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
-+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
-+ parser->m_dtd = NULL;
-+ }
- XML_ParserFree(parser);
- return NULL;
- }
-
-From 43992e4ae25fc3dc0eec0cd3a29313555d56aee2 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping
-Date: Mon, 19 Sep 2022 18:16:15 +0200
-Subject: [PATCH 2/3] tests: Cover overeager DTD destruction in
- XML_ExternalEntityParserCreate
-
----
- tests/runtests.c | 49 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 49 insertions(+)
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index 245fe9bda..acb744dd4 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -10208,6 +10208,53 @@ START_TEST(test_alloc_long_notation) {
- }
- END_TEST
-
-+static int XMLCALL
-+external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
-+ const XML_Char *context,
-+ const XML_Char *base,
-+ const XML_Char *systemId,
-+ const XML_Char *publicId) {
-+ UNUSED_P(base);
-+ UNUSED_P(systemId);
-+ UNUSED_P(publicId);
-+
-+ if (context != NULL)
-+ fail("Unexpected non-NULL context");
-+
-+ // The following number intends to fail the upcoming allocation in line
-+ // "parser->m_protocolEncodingName = copyString(encodingName,
-+ // &(parser->m_mem));" in function parserInit.
-+ allocation_count = 3;
-+
-+ const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
-+ const XML_Parser ext_parser
-+ = XML_ExternalEntityParserCreate(parser, context, encodingName);
-+ if (ext_parser != NULL)
-+ fail(
-+ "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
-+
-+ allocation_count = ALLOC_ALWAYS_SUCCEED;
-+ return XML_STATUS_ERROR;
-+}
-+
-+START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
-+ const char *const text = "";
-+
-+ XML_SetExternalEntityRefHandler(
-+ g_parser, external_entity_parser_create_alloc_fail_handler);
-+ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
-+
-+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
-+ != XML_STATUS_ERROR)
-+ fail("Call to parse was expected to fail");
-+
-+ if (XML_GetErrorCode(g_parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
-+ fail("Call to parse was expected to fail from the external entity handler");
-+
-+ XML_ParserReset(g_parser, NULL);
-+}
-+END_TEST
-+
- static void
- nsalloc_setup(void) {
- XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
-@@ -12401,6 +12448,8 @@ make_suite(void) {
- tcase_add_test(tc_alloc, test_alloc_long_public_id);
- tcase_add_test(tc_alloc, test_alloc_long_entity_value);
- tcase_add_test(tc_alloc, test_alloc_long_notation);
-+ tcase_add_test__ifdef_xml_dtd(
-+ tc_alloc, test_alloc_reset_after_external_entity_parser_create_fail);
-
- suite_add_tcase(s, tc_nsalloc);
- tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
-
-
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest
index 2cd3637d8..ff7986db3 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest
+++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/run-ptest
@@ -1,23 +1,9 @@
#!/bin/bash
-output=${1:-"expat_tests.log"} # default log file
-
-# logging function
-function testCheck() {
- testExec="$1"
- shift
- echo && echo ${testExec} && ./${testExec} "$@"
- error=$?
- result=$([[ ${error} -eq 0 ]] && echo "PASS" || echo "FAIL")
- echo "${result}: ${testExec}" && echo "============================"
-}
-
-export output
-export -f testCheck
TIME=$(which time)
echo "runtests"
${TIME} -f 'Execution time: %e s' bash -c "./runtests -v"
echo "runtestspp"
-${TIME} -f 'Execution time: %e s' bash -c "./runtestspp -v"
+${TIME} -f 'Execution time: %e s' bash -c "./runtests_cxx -v"
echo
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb
deleted file mode 100644
index 616838aa3..000000000
--- a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.4.5.bb
+++ /dev/null
@@ -1,34 +0,0 @@
-SUMMARY = "A stream-oriented XML parser library"
-DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)"
-HOMEPAGE = "http://expat.sourceforge.net/"
-SECTION = "libs"
-LICENSE = "MIT"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
-
-VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
-
-SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
- file://run-ptest \
- file://CVE-2022-40674_1.patch \
- file://CVE-2022-40674_2.patch \
- file://CVE-2022-43680.patch \
- "
-
-UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
-
-SRC_URI[sha256sum] = "fbb430f964c7a2db2626452b6769e6a8d5d23593a453ccbc21701b74deabedff"
-
-EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"
-
-RDEPENDS:${PN}-ptest += "bash"
-
-inherit cmake lib_package ptest
-
-do_install_ptest:class-target() {
- install -m 755 ${B}/tests/* ${D}${PTEST_PATH}
-}
-
-BBCLASSEXTEND += "native nativesdk"
-
-CVE_PRODUCT = "expat libexpat"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb
new file mode 100644
index 000000000..9bdc3b620
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat_2.6.1.bb
@@ -0,0 +1,33 @@
+SUMMARY = "A stream-oriented XML parser library"
+DESCRIPTION = "Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags)"
+HOMEPAGE = "https://github.com/libexpat/libexpat"
+SECTION = "libs"
+LICENSE = "MIT"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=7b3b078238d0901d3b339289117cb7fb"
+
+VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
+
+SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
+ file://run-ptest \
+ "
+
+GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
+UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P.+)"
+
+SRC_URI[sha256sum] = "4677d957c0c6cb2a3321101944574c24113b637c7ab1cf0659a27c5babc201fd"
+
+EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"
+
+RDEPENDS:${PN}-ptest += "bash"
+
+inherit cmake lib_package ptest github-releases
+
+do_install_ptest:class-target() {
+ install -m 755 ${B}/tests/runtests* ${D}${PTEST_PATH}
+ install -m 755 ${B}/tests/benchmark/benchmark ${D}${PTEST_PATH}
+}
+
+BBCLASSEXTEND += "native nativesdk"
+
+CVE_PRODUCT = "expat libexpat"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch
new file mode 100644
index 000000000..899a14ead
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4813.patch
@@ -0,0 +1,982 @@
+From 1c37b8022e8763fedbb3f79c02e05c6acfe5a215 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Thu, 17 Mar 2022 11:44:34 +0530
+Subject: [PATCH] [PATCH] Simplify allocations and fix merge and continue
+ actions [BZ #28931]
+
+Allocations for address tuples is currently a bit confusing because of
+the pointer chasing through PAT, making it hard to observe the sequence
+in which allocations have been made. Narrow scope of the pointer
+chasing through PAT so that it is only used where necessary.
+
+This also tightens actions behaviour with the hosts database in
+getaddrinfo to comply with the manual text. The "continue" action
+discards previous results and the "merge" action results in an immedate
+lookup failure. Consequently, chaining of allocations across modules is
+no longer necessary, thus opening up cleanup opportunities.
+
+A test has been added that checks some combinations to ensure that they
+work correctly.
+
+Resolves: BZ #28931
+
+Signed-off-by: Siddhesh Poyarekar
+Reviewed-by: DJ Delorie
+---
+ nss/Makefile | 1 +
+ nss/tst-nss-gai-actions.c | 149 ++++++
+ nss/tst-nss-gai-actions.root/etc/host.conf | 1 +
+ nss/tst-nss-gai-actions.root/etc/hosts | 508 +++++++++++++++++++++
+ sysdeps/posix/getaddrinfo.c | 143 +++---
+ 5 files changed, 750 insertions(+), 52 deletions(-)
+ create mode 100644 nss/tst-nss-gai-actions.c
+ create mode 100644 nss/tst-nss-gai-actions.root/etc/host.conf
+ create mode 100644 nss/tst-nss-gai-actions.root/etc/hosts
+
+diff --git a/nss/Makefile b/nss/Makefile
+index bccf9f2806..637cbcb769 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -67,6 +67,7 @@ tests-container = \
+ tst-nss-compat1 \
+ tst-nss-test3 \
+ tst-nss-files-hosts-long \
++ tst-nss-gai-actions \
+ tst-nss-db-endpwent \
+ tst-nss-db-endgrent \
+ tst-reload1 tst-reload2
+diff --git a/nss/tst-nss-gai-actions.c b/nss/tst-nss-gai-actions.c
+new file mode 100644
+index 0000000000..efca6cd183
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.c
+@@ -0,0 +1,149 @@
++/* Test continue and merge NSS actions for getaddrinfo.
++ Copyright The GNU Toolchain Authors.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++#include
++#include
++#include
++#include
++
++#include
++#include
++#include
++#include
++#include
++
++enum
++{
++ ACTION_MERGE = 0,
++ ACTION_CONTINUE,
++};
++
++static const char *
++family_str (int family)
++{
++ switch (family)
++ {
++ case AF_UNSPEC:
++ return "AF_UNSPEC";
++ case AF_INET:
++ return "AF_INET";
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static const char *
++action_str (int action)
++{
++ switch (action)
++ {
++ case ACTION_MERGE:
++ return "merge";
++ case ACTION_CONTINUE:
++ return "continue";
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static void
++do_one_test (int action, int family, bool canon)
++{
++ struct addrinfo hints =
++ {
++ .ai_family = family,
++ };
++
++ struct addrinfo *ai;
++
++ if (canon)
++ hints.ai_flags = AI_CANONNAME;
++
++ printf ("***** Testing \"files [SUCCESS=%s] files\" for family %s, %s\n",
++ action_str (action), family_str (family),
++ canon ? "AI_CANONNAME" : "");
++
++ int ret = getaddrinfo ("example.org", "80", &hints, &ai);
++
++ switch (action)
++ {
++ case ACTION_MERGE:
++ if (ret == 0)
++ {
++ char *formatted = support_format_addrinfo (ai, ret);
++
++ printf ("merge unexpectedly succeeded:\n %s\n", formatted);
++ support_record_failure ();
++ free (formatted);
++ }
++ else
++ return;
++ case ACTION_CONTINUE:
++ {
++ char *formatted = support_format_addrinfo (ai, ret);
++
++ /* Verify that the result appears exactly once. */
++ const char *expected = "address: STREAM/TCP 192.0.0.1 80\n"
++ "address: DGRAM/UDP 192.0.0.1 80\n"
++ "address: RAW/IP 192.0.0.1 80\n";
++
++ const char *contains = strstr (formatted, expected);
++ const char *contains2 = NULL;
++
++ if (contains != NULL)
++ contains2 = strstr (contains + strlen (expected), expected);
++
++ if (contains == NULL || contains2 != NULL)
++ {
++ printf ("continue failed:\n%s\n", formatted);
++ support_record_failure ();
++ }
++
++ free (formatted);
++ break;
++ }
++ default:
++ __builtin_unreachable ();
++ }
++}
++
++static void
++do_one_test_set (int action)
++{
++ char buf[32];
++
++ snprintf (buf, sizeof (buf), "files [SUCCESS=%s] files",
++ action_str (action));
++ __nss_configure_lookup ("hosts", buf);
++
++ do_one_test (action, AF_UNSPEC, false);
++ do_one_test (action, AF_INET, false);
++ do_one_test (action, AF_INET, true);
++}
++
++static int
++do_test (void)
++{
++ do_one_test_set (ACTION_CONTINUE);
++ do_one_test_set (ACTION_MERGE);
++ return 0;
++}
++
++#include
+diff --git a/nss/tst-nss-gai-actions.root/etc/host.conf b/nss/tst-nss-gai-actions.root/etc/host.conf
+new file mode 100644
+index 0000000000..d1a59f73a9
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.root/etc/host.conf
+@@ -0,0 +1 @@
++multi on
+diff --git a/nss/tst-nss-gai-actions.root/etc/hosts b/nss/tst-nss-gai-actions.root/etc/hosts
+new file mode 100644
+index 0000000000..50ce9774dc
+--- /dev/null
++++ b/nss/tst-nss-gai-actions.root/etc/hosts
+@@ -0,0 +1,508 @@
++192.0.0.1 example.org
++192.0.0.2 example.org
++192.0.0.3 example.org
++192.0.0.4 example.org
++192.0.0.5 example.org
++192.0.0.6 example.org
++192.0.0.7 example.org
++192.0.0.8 example.org
++192.0.0.9 example.org
++192.0.0.10 example.org
++192.0.0.11 example.org
++192.0.0.12 example.org
++192.0.0.13 example.org
++192.0.0.14 example.org
++192.0.0.15 example.org
++192.0.0.16 example.org
++192.0.0.17 example.org
++192.0.0.18 example.org
++192.0.0.19 example.org
++192.0.0.20 example.org
++192.0.0.21 example.org
++192.0.0.22 example.org
++192.0.0.23 example.org
++192.0.0.24 example.org
++192.0.0.25 example.org
++192.0.0.26 example.org
++192.0.0.27 example.org
++192.0.0.28 example.org
++192.0.0.29 example.org
++192.0.0.30 example.org
++192.0.0.31 example.org
++192.0.0.32 example.org
++192.0.0.33 example.org
++192.0.0.34 example.org
++192.0.0.35 example.org
++192.0.0.36 example.org
++192.0.0.37 example.org
++192.0.0.38 example.org
++192.0.0.39 example.org
++192.0.0.40 example.org
++192.0.0.41 example.org
++192.0.0.42 example.org
++192.0.0.43 example.org
++192.0.0.44 example.org
++192.0.0.45 example.org
++192.0.0.46 example.org
++192.0.0.47 example.org
++192.0.0.48 example.org
++192.0.0.49 example.org
++192.0.0.50 example.org
++192.0.0.51 example.org
++192.0.0.52 example.org
++192.0.0.53 example.org
++192.0.0.54 example.org
++192.0.0.55 example.org
++192.0.0.56 example.org
++192.0.0.57 example.org
++192.0.0.58 example.org
++192.0.0.59 example.org
++192.0.0.60 example.org
++192.0.0.61 example.org
++192.0.0.62 example.org
++192.0.0.63 example.org
++192.0.0.64 example.org
++192.0.0.65 example.org
++192.0.0.66 example.org
++192.0.0.67 example.org
++192.0.0.68 example.org
++192.0.0.69 example.org
++192.0.0.70 example.org
++192.0.0.71 example.org
++192.0.0.72 example.org
++192.0.0.73 example.org
++192.0.0.74 example.org
++192.0.0.75 example.org
++192.0.0.76 example.org
++192.0.0.77 example.org
++192.0.0.78 example.org
++192.0.0.79 example.org
++192.0.0.80 example.org
++192.0.0.81 example.org
++192.0.0.82 example.org
++192.0.0.83 example.org
++192.0.0.84 example.org
++192.0.0.85 example.org
++192.0.0.86 example.org
++192.0.0.87 example.org
++192.0.0.88 example.org
++192.0.0.89 example.org
++192.0.0.90 example.org
++192.0.0.91 example.org
++192.0.0.92 example.org
++192.0.0.93 example.org
++192.0.0.94 example.org
++192.0.0.95 example.org
++192.0.0.96 example.org
++192.0.0.97 example.org
++192.0.0.98 example.org
++192.0.0.99 example.org
++192.0.0.100 example.org
++192.0.0.101 example.org
++192.0.0.102 example.org
++192.0.0.103 example.org
++192.0.0.104 example.org
++192.0.0.105 example.org
++192.0.0.106 example.org
++192.0.0.107 example.org
++192.0.0.108 example.org
++192.0.0.109 example.org
++192.0.0.110 example.org
++192.0.0.111 example.org
++192.0.0.112 example.org
++192.0.0.113 example.org
++192.0.0.114 example.org
++192.0.0.115 example.org
++192.0.0.116 example.org
++192.0.0.117 example.org
++192.0.0.118 example.org
++192.0.0.119 example.org
++192.0.0.120 example.org
++192.0.0.121 example.org
++192.0.0.122 example.org
++192.0.0.123 example.org
++192.0.0.124 example.org
++192.0.0.125 example.org
++192.0.0.126 example.org
++192.0.0.127 example.org
++192.0.0.128 example.org
++192.0.0.129 example.org
++192.0.0.130 example.org
++192.0.0.131 example.org
++192.0.0.132 example.org
++192.0.0.133 example.org
++192.0.0.134 example.org
++192.0.0.135 example.org
++192.0.0.136 example.org
++192.0.0.137 example.org
++192.0.0.138 example.org
++192.0.0.139 example.org
++192.0.0.140 example.org
++192.0.0.141 example.org
++192.0.0.142 example.org
++192.0.0.143 example.org
++192.0.0.144 example.org
++192.0.0.145 example.org
++192.0.0.146 example.org
++192.0.0.147 example.org
++192.0.0.148 example.org
++192.0.0.149 example.org
++192.0.0.150 example.org
++192.0.0.151 example.org
++192.0.0.152 example.org
++192.0.0.153 example.org
++192.0.0.154 example.org
++192.0.0.155 example.org
++192.0.0.156 example.org
++192.0.0.157 example.org
++192.0.0.158 example.org
++192.0.0.159 example.org
++192.0.0.160 example.org
++192.0.0.161 example.org
++192.0.0.162 example.org
++192.0.0.163 example.org
++192.0.0.164 example.org
++192.0.0.165 example.org
++192.0.0.166 example.org
++192.0.0.167 example.org
++192.0.0.168 example.org
++192.0.0.169 example.org
++192.0.0.170 example.org
++192.0.0.171 example.org
++192.0.0.172 example.org
++192.0.0.173 example.org
++192.0.0.174 example.org
++192.0.0.175 example.org
++192.0.0.176 example.org
++192.0.0.177 example.org
++192.0.0.178 example.org
++192.0.0.179 example.org
++192.0.0.180 example.org
++192.0.0.181 example.org
++192.0.0.182 example.org
++192.0.0.183 example.org
++192.0.0.184 example.org
++192.0.0.185 example.org
++192.0.0.186 example.org
++192.0.0.187 example.org
++192.0.0.188 example.org
++192.0.0.189 example.org
++192.0.0.190 example.org
++192.0.0.191 example.org
++192.0.0.192 example.org
++192.0.0.193 example.org
++192.0.0.194 example.org
++192.0.0.195 example.org
++192.0.0.196 example.org
++192.0.0.197 example.org
++192.0.0.198 example.org
++192.0.0.199 example.org
++192.0.0.200 example.org
++192.0.0.201 example.org
++192.0.0.202 example.org
++192.0.0.203 example.org
++192.0.0.204 example.org
++192.0.0.205 example.org
++192.0.0.206 example.org
++192.0.0.207 example.org
++192.0.0.208 example.org
++192.0.0.209 example.org
++192.0.0.210 example.org
++192.0.0.211 example.org
++192.0.0.212 example.org
++192.0.0.213 example.org
++192.0.0.214 example.org
++192.0.0.215 example.org
++192.0.0.216 example.org
++192.0.0.217 example.org
++192.0.0.218 example.org
++192.0.0.219 example.org
++192.0.0.220 example.org
++192.0.0.221 example.org
++192.0.0.222 example.org
++192.0.0.223 example.org
++192.0.0.224 example.org
++192.0.0.225 example.org
++192.0.0.226 example.org
++192.0.0.227 example.org
++192.0.0.228 example.org
++192.0.0.229 example.org
++192.0.0.230 example.org
++192.0.0.231 example.org
++192.0.0.232 example.org
++192.0.0.233 example.org
++192.0.0.234 example.org
++192.0.0.235 example.org
++192.0.0.236 example.org
++192.0.0.237 example.org
++192.0.0.238 example.org
++192.0.0.239 example.org
++192.0.0.240 example.org
++192.0.0.241 example.org
++192.0.0.242 example.org
++192.0.0.243 example.org
++192.0.0.244 example.org
++192.0.0.245 example.org
++192.0.0.246 example.org
++192.0.0.247 example.org
++192.0.0.248 example.org
++192.0.0.249 example.org
++192.0.0.250 example.org
++192.0.0.251 example.org
++192.0.0.252 example.org
++192.0.0.253 example.org
++192.0.0.254 example.org
++192.0.1.1 example.org
++192.0.1.2 example.org
++192.0.1.3 example.org
++192.0.1.4 example.org
++192.0.1.5 example.org
++192.0.1.6 example.org
++192.0.1.7 example.org
++192.0.1.8 example.org
++192.0.1.9 example.org
++192.0.1.10 example.org
++192.0.1.11 example.org
++192.0.1.12 example.org
++192.0.1.13 example.org
++192.0.1.14 example.org
++192.0.1.15 example.org
++192.0.1.16 example.org
++192.0.1.17 example.org
++192.0.1.18 example.org
++192.0.1.19 example.org
++192.0.1.20 example.org
++192.0.1.21 example.org
++192.0.1.22 example.org
++192.0.1.23 example.org
++192.0.1.24 example.org
++192.0.1.25 example.org
++192.0.1.26 example.org
++192.0.1.27 example.org
++192.0.1.28 example.org
++192.0.1.29 example.org
++192.0.1.30 example.org
++192.0.1.31 example.org
++192.0.1.32 example.org
++192.0.1.33 example.org
++192.0.1.34 example.org
++192.0.1.35 example.org
++192.0.1.36 example.org
++192.0.1.37 example.org
++192.0.1.38 example.org
++192.0.1.39 example.org
++192.0.1.40 example.org
++192.0.1.41 example.org
++192.0.1.42 example.org
++192.0.1.43 example.org
++192.0.1.44 example.org
++192.0.1.45 example.org
++192.0.1.46 example.org
++192.0.1.47 example.org
++192.0.1.48 example.org
++192.0.1.49 example.org
++192.0.1.50 example.org
++192.0.1.51 example.org
++192.0.1.52 example.org
++192.0.1.53 example.org
++192.0.1.54 example.org
++192.0.1.55 example.org
++192.0.1.56 example.org
++192.0.1.57 example.org
++192.0.1.58 example.org
++192.0.1.59 example.org
++192.0.1.60 example.org
++192.0.1.61 example.org
++192.0.1.62 example.org
++192.0.1.63 example.org
++192.0.1.64 example.org
++192.0.1.65 example.org
++192.0.1.66 example.org
++192.0.1.67 example.org
++192.0.1.68 example.org
++192.0.1.69 example.org
++192.0.1.70 example.org
++192.0.1.71 example.org
++192.0.1.72 example.org
++192.0.1.73 example.org
++192.0.1.74 example.org
++192.0.1.75 example.org
++192.0.1.76 example.org
++192.0.1.77 example.org
++192.0.1.78 example.org
++192.0.1.79 example.org
++192.0.1.80 example.org
++192.0.1.81 example.org
++192.0.1.82 example.org
++192.0.1.83 example.org
++192.0.1.84 example.org
++192.0.1.85 example.org
++192.0.1.86 example.org
++192.0.1.87 example.org
++192.0.1.88 example.org
++192.0.1.89 example.org
++192.0.1.90 example.org
++192.0.1.91 example.org
++192.0.1.92 example.org
++192.0.1.93 example.org
++192.0.1.94 example.org
++192.0.1.95 example.org
++192.0.1.96 example.org
++192.0.1.97 example.org
++192.0.1.98 example.org
++192.0.1.99 example.org
++192.0.1.100 example.org
++192.0.1.101 example.org
++192.0.1.102 example.org
++192.0.1.103 example.org
++192.0.1.104 example.org
++192.0.1.105 example.org
++192.0.1.106 example.org
++192.0.1.107 example.org
++192.0.1.108 example.org
++192.0.1.109 example.org
++192.0.1.110 example.org
++192.0.1.111 example.org
++192.0.1.112 example.org
++192.0.1.113 example.org
++192.0.1.114 example.org
++192.0.1.115 example.org
++192.0.1.116 example.org
++192.0.1.117 example.org
++192.0.1.118 example.org
++192.0.1.119 example.org
++192.0.1.120 example.org
++192.0.1.121 example.org
++192.0.1.122 example.org
++192.0.1.123 example.org
++192.0.1.124 example.org
++192.0.1.125 example.org
++192.0.1.126 example.org
++192.0.1.127 example.org
++192.0.1.128 example.org
++192.0.1.129 example.org
++192.0.1.130 example.org
++192.0.1.131 example.org
++192.0.1.132 example.org
++192.0.1.133 example.org
++192.0.1.134 example.org
++192.0.1.135 example.org
++192.0.1.136 example.org
++192.0.1.137 example.org
++192.0.1.138 example.org
++192.0.1.139 example.org
++192.0.1.140 example.org
++192.0.1.141 example.org
++192.0.1.142 example.org
++192.0.1.143 example.org
++192.0.1.144 example.org
++192.0.1.145 example.org
++192.0.1.146 example.org
++192.0.1.147 example.org
++192.0.1.148 example.org
++192.0.1.149 example.org
++192.0.1.150 example.org
++192.0.1.151 example.org
++192.0.1.152 example.org
++192.0.1.153 example.org
++192.0.1.154 example.org
++192.0.1.155 example.org
++192.0.1.156 example.org
++192.0.1.157 example.org
++192.0.1.158 example.org
++192.0.1.159 example.org
++192.0.1.160 example.org
++192.0.1.161 example.org
++192.0.1.162 example.org
++192.0.1.163 example.org
++192.0.1.164 example.org
++192.0.1.165 example.org
++192.0.1.166 example.org
++192.0.1.167 example.org
++192.0.1.168 example.org
++192.0.1.169 example.org
++192.0.1.170 example.org
++192.0.1.171 example.org
++192.0.1.172 example.org
++192.0.1.173 example.org
++192.0.1.174 example.org
++192.0.1.175 example.org
++192.0.1.176 example.org
++192.0.1.177 example.org
++192.0.1.178 example.org
++192.0.1.179 example.org
++192.0.1.180 example.org
++192.0.1.181 example.org
++192.0.1.182 example.org
++192.0.1.183 example.org
++192.0.1.184 example.org
++192.0.1.185 example.org
++192.0.1.186 example.org
++192.0.1.187 example.org
++192.0.1.188 example.org
++192.0.1.189 example.org
++192.0.1.190 example.org
++192.0.1.191 example.org
++192.0.1.192 example.org
++192.0.1.193 example.org
++192.0.1.194 example.org
++192.0.1.195 example.org
++192.0.1.196 example.org
++192.0.1.197 example.org
++192.0.1.198 example.org
++192.0.1.199 example.org
++192.0.1.200 example.org
++192.0.1.201 example.org
++192.0.1.202 example.org
++192.0.1.203 example.org
++192.0.1.204 example.org
++192.0.1.205 example.org
++192.0.1.206 example.org
++192.0.1.207 example.org
++192.0.1.208 example.org
++192.0.1.209 example.org
++192.0.1.210 example.org
++192.0.1.211 example.org
++192.0.1.212 example.org
++192.0.1.213 example.org
++192.0.1.214 example.org
++192.0.1.215 example.org
++192.0.1.216 example.org
++192.0.1.217 example.org
++192.0.1.218 example.org
++192.0.1.219 example.org
++192.0.1.220 example.org
++192.0.1.221 example.org
++192.0.1.222 example.org
++192.0.1.223 example.org
++192.0.1.224 example.org
++192.0.1.225 example.org
++192.0.1.226 example.org
++192.0.1.227 example.org
++192.0.1.228 example.org
++192.0.1.229 example.org
++192.0.1.230 example.org
++192.0.1.231 example.org
++192.0.1.232 example.org
++192.0.1.233 example.org
++192.0.1.234 example.org
++192.0.1.235 example.org
++192.0.1.236 example.org
++192.0.1.237 example.org
++192.0.1.238 example.org
++192.0.1.239 example.org
++192.0.1.240 example.org
++192.0.1.241 example.org
++192.0.1.242 example.org
++192.0.1.243 example.org
++192.0.1.244 example.org
++192.0.1.245 example.org
++192.0.1.246 example.org
++192.0.1.247 example.org
++192.0.1.248 example.org
++192.0.1.249 example.org
++192.0.1.250 example.org
++192.0.1.251 example.org
++192.0.1.252 example.org
++192.0.1.253 example.org
++192.0.1.254 example.org
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 838a68f022..085c0b8370 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -458,11 +458,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (name != NULL)
+ {
+- at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
+- at->family = AF_UNSPEC;
+- at->scopeid = 0;
+- at->next = NULL;
+-
+ if (req->ai_flags & AI_IDN)
+ {
+ char *out;
+@@ -473,13 +468,21 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ malloc_name = true;
+ }
+
+- if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
++ uint32_t addr[4];
++ if (__inet_aton_exact (name, (struct in_addr *) addr) != 0)
+ {
++ at = alloca_account (sizeof (struct gaih_addrtuple), alloca_used);
++ at->scopeid = 0;
++ at->next = NULL;
++
+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+- at->family = AF_INET;
++ {
++ memcpy (at->addr, addr, sizeof (at->addr));
++ at->family = AF_INET;
++ }
+ else if (req->ai_family == AF_INET6 && (req->ai_flags & AI_V4MAPPED))
+ {
+- at->addr[3] = at->addr[0];
++ at->addr[3] = addr[0];
+ at->addr[2] = htonl (0xffff);
+ at->addr[1] = 0;
+ at->addr[0] = 0;
+@@ -493,49 +496,62 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (req->ai_flags & AI_CANONNAME)
+ canon = name;
++
++ goto process_list;
+ }
+- else if (at->family == AF_UNSPEC)
++
++ char *scope_delim = strchr (name, SCOPE_DELIMITER);
++ int e;
++
++ if (scope_delim == NULL)
++ e = inet_pton (AF_INET6, name, addr);
++ else
++ e = __inet_pton_length (AF_INET6, name, scope_delim - name, addr);
++
++ if (e > 0)
+ {
+- char *scope_delim = strchr (name, SCOPE_DELIMITER);
+- int e;
+- if (scope_delim == NULL)
+- e = inet_pton (AF_INET6, name, at->addr);
++ at = alloca_account (sizeof (struct gaih_addrtuple),
++ alloca_used);
++ at->scopeid = 0;
++ at->next = NULL;
++
++ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
++ {
++ memcpy (at->addr, addr, sizeof (at->addr));
++ at->family = AF_INET6;
++ }
++ else if (req->ai_family == AF_INET
++ && IN6_IS_ADDR_V4MAPPED (addr))
++ {
++ at->addr[0] = addr[3];
++ at->addr[1] = addr[1];
++ at->addr[2] = addr[2];
++ at->addr[3] = addr[3];
++ at->family = AF_INET;
++ }
+ else
+- e = __inet_pton_length (AF_INET6, name, scope_delim - name,
+- at->addr);
+- if (e > 0)
+ {
+- if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET6)
+- at->family = AF_INET6;
+- else if (req->ai_family == AF_INET
+- && IN6_IS_ADDR_V4MAPPED (at->addr))
+- {
+- at->addr[0] = at->addr[3];
+- at->family = AF_INET;
+- }
+- else
+- {
+- result = -EAI_ADDRFAMILY;
+- goto free_and_return;
+- }
+-
+- if (scope_delim != NULL
+- && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
+- scope_delim + 1,
+- &at->scopeid) != 0)
+- {
+- result = -EAI_NONAME;
+- goto free_and_return;
+- }
++ result = -EAI_ADDRFAMILY;
++ goto free_and_return;
++ }
+
+- if (req->ai_flags & AI_CANONNAME)
+- canon = name;
++ if (scope_delim != NULL
++ && __inet6_scopeid_pton ((struct in6_addr *) at->addr,
++ scope_delim + 1,
++ &at->scopeid) != 0)
++ {
++ result = -EAI_NONAME;
++ goto free_and_return;
+ }
++
++ if (req->ai_flags & AI_CANONNAME)
++ canon = name;
++
++ goto process_list;
+ }
+
+- if (at->family == AF_UNSPEC && (req->ai_flags & AI_NUMERICHOST) == 0)
++ if ((req->ai_flags & AI_NUMERICHOST) == 0)
+ {
+- struct gaih_addrtuple **pat = &at;
+ int no_data = 0;
+ int no_inet6_data = 0;
+ nss_action_list nip;
+@@ -543,6 +559,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ enum nss_status status = NSS_STATUS_UNAVAIL;
+ int no_more;
+ struct resolv_context *res_ctx = NULL;
++ bool do_merge = false;
+
+ /* If we do not have to look for IPv6 addresses or the canonical
+ name, use the simple, old functions, which do not support
+@@ -579,7 +596,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ result = -EAI_MEMORY;
+ goto free_and_return;
+ }
+- *pat = addrmem;
++ at = addrmem;
+ }
+ else
+ {
+@@ -632,6 +649,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ }
+
+ struct gaih_addrtuple *addrfree = addrmem;
++ struct gaih_addrtuple **pat = &at;
++
+ for (int i = 0; i < air->naddrs; ++i)
+ {
+ socklen_t size = (air->family[i] == AF_INET
+@@ -695,12 +714,6 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ free (air);
+
+- if (at->family == AF_UNSPEC)
+- {
+- result = -EAI_NONAME;
+- goto free_and_return;
+- }
+-
+ goto process_list;
+ }
+ else if (err == 0)
+@@ -732,6 +745,22 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ while (!no_more)
+ {
++ /* Always start afresh; continue should discard previous results
++ and the hosts database does not support merge. */
++ at = NULL;
++ free (canonbuf);
++ free (addrmem);
++ canon = canonbuf = NULL;
++ addrmem = NULL;
++ got_ipv6 = false;
++
++ if (do_merge)
++ {
++ __set_h_errno (NETDB_INTERNAL);
++ __set_errno (EBUSY);
++ break;
++ }
++
+ no_data = 0;
+ nss_gethostbyname4_r *fct4 = NULL;
+
+@@ -744,12 +773,14 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ {
+ while (1)
+ {
+- status = DL_CALL_FCT (fct4, (name, pat,
++ status = DL_CALL_FCT (fct4, (name, &at,
+ tmpbuf->data, tmpbuf->length,
+ &errno, &h_errno,
+ NULL));
+ if (status == NSS_STATUS_SUCCESS)
+ break;
++ /* gethostbyname4_r may write into AT, so reset it. */
++ at = NULL;
+ if (status != NSS_STATUS_TRYAGAIN
+ || errno != ERANGE || h_errno != NETDB_INTERNAL)
+ {
+@@ -774,7 +805,9 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ no_data = 1;
+
+ if ((req->ai_flags & AI_CANONNAME) != 0 && canon == NULL)
+- canon = (*pat)->name;
++ canon = at->name;
++
++ struct gaih_addrtuple **pat = &at;
+
+ while (*pat != NULL)
+ {
+@@ -826,6 +859,8 @@ gaih_inet (const char *name, const struct gaih_service *service,
+
+ if (fct != NULL)
+ {
++ struct gaih_addrtuple **pat = &at;
++
+ if (req->ai_family == AF_INET6
+ || req->ai_family == AF_UNSPEC)
+ {
+@@ -899,6 +934,10 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ if (nss_next_action (nip, status) == NSS_ACTION_RETURN)
+ break;
+
++ /* The hosts database does not support MERGE. */
++ if (nss_next_action (nip, status) == NSS_ACTION_MERGE)
++ do_merge = true;
++
+ nip++;
+ if (nip->module == NULL)
+ no_more = -1;
+@@ -930,7 +969,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ }
+
+ process_list:
+- if (at->family == AF_UNSPEC)
++ if (at == NULL)
+ {
+ result = -EAI_NONAME;
+ goto free_and_return;
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch
new file mode 100644
index 000000000..cae176613
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/CVE-2023-4911.patch
@@ -0,0 +1,156 @@
+From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Tue, 19 Sep 2023 18:39:32 -0400
+Subject: [PATCH] tunables: Terminate if end of input is reached
+(CVE-2023-4911)
+
+The string parsing routine may end up writing beyond bounds of tunestr
+if the input tunable string is malformed, of the form name=name=val.
+This gets processed twice, first as name=name=val and next as name=val,
+resulting in tunestr being name=name=val:name=val, thus overflowing
+tunestr.
+
+Terminate the parsing loop at the first instance itself so that tunestr
+does not overflow.
+
+This also fixes up tst-env-setuid-tunables to actually handle failures
+correct and add new tests to validate the fix for this CVE.
+
+Signed-off-by: Siddhesh Poyarekar
+Reviewed-by: Carlos O'Donell
+---
+ elf/dl-tunables.c | 16 ++++++++-------
+ elf/tst-env-setuid-tunables.c | 38 ++++++++++++++++++++++++++---------
+ 2 files changed, 38 insertions(+), 16 deletions(-)
+
+diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
+index 8009e54ee5..a5a5d52ee1 100644
+--- a/elf/dl-tunables.c
++++ b/elf/dl-tunables.c
+@@ -188,11 +188,7 @@ parse_tunables (char *tunestr, char *valstring)
+ /* If we reach the end of the string before getting a valid name-value
+ pair, bail out. */
+ if (p[len] == '\0')
+- {
+- if (__libc_enable_secure)
+- tunestr[off] = '\0';
+- return;
+- }
++ break;
+
+ /* We did not find a valid name-value pair before encountering the
+ colon. */
+@@ -252,9 +248,15 @@ parse_tunables (char *tunestr, char *valstring)
+ }
+ }
+
+- if (p[len] != '\0')
+- p += len + 1;
++ /* We reached the end while processing the tunable string. */
++ if (p[len] == '\0')
++ break;
++
++ p+= len +1;
+ }
++ /* Terminate tunestr before we leave. */
++ if (__libc_enable_secure)
++ tunestr[off] = '\0';
+ }
+ #endif
+
+diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
+index 05619c9adc..907aa6601f 100644
+--- a/elf/tst-env-setuid-tunables.c
++++ b/elf/tst-env-setuid-tunables.c
+@@ -52,6 +52,8 @@ const char *teststrings[] =
+ "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
+ "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
+ "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++ "glibc.malloc.check=2",
+ "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
+ "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
+ ":glibc.malloc.garbage=2:glibc.malloc.check=1",
+@@ -70,6 +72,8 @@ const char *resultstrings[] =
+ "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
+ "glibc.malloc.mmap_threshold=4096",
+ "glibc.malloc.mmap_threshold=4096",
++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
++ "",
+ "",
+ "",
+ "",
+@@ -83,12 +87,19 @@ test_child (int off)
+ {
+ const char *val = getenv ("GLIBC_TUNABLES");
+
++ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val);
++ fflush (stdout);
+ #if HAVE_TUNABLES
+ if (val != NULL && strcmp (val, resultstrings[off]) == 0)
+ return 0;
+
+ if (val != NULL)
+- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
++ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
++ off, val, resultstrings[off]);
++ else:
++ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off);
++
++ fflush(stdout);
+
+ return 1;
+ #else
+@@ -116,22 +127,26 @@ do_test (int argc, char **argv)
+
+ if (ret != 0)
+ exit (1);
+-
+- exit (EXIT_SUCCESS);
++ /* Special return code to make sure that the child executed all the way
++ through. */
++ exit(42);
+ }
+ else
+ {
+- int ret = 0;
+-
+ /* Spawn tests. */
+ for (int i = 0; i < array_length (teststrings); i++)
+ {
+ char buf[INT_BUFSIZE_BOUND (int)];
+
+- printf ("Spawned test for %s (%d)\n", teststrings[i], i);
++ printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
+ snprintf (buf, sizeof (buf), "%d\n", i);
++ fflush (stdout);
+ if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
+- exit (1);
++ {
++ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i);
++ support_record_failure ();
++ continue;
++ }
+
+ int status = support_capture_subprogram_self_sgid (buf);
+
+@@ -139,9 +154,14 @@ do_test (int argc, char **argv)
+ if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
+ return EXIT_UNSUPPORTED;
+
+- ret |= status;
++ if (WEXITSTATUS (status) != 42)
++ {
++ printf (" [%d] child failed with status %d\n", i,
++ WEXITSTATUS (status));
++ support_record_failure ();
++ }
+ }
+- return ret;
++ return 0;
+ }
+ }
+
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
index 96c4947ad..375ef8804 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
@@ -10,4 +10,6 @@ SRC_URI += " \
file://CVE-2021-43396.patch \
file://CVE-2021-3998.patch \
file://CVE-2023-0687.patch \
+ file://CVE-2023-4813.patch \
+ file://CVE-2023-4911.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch
new file mode 100644
index 000000000..7440df946
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor/0001-Static-analyser-issue-resolution.patch
@@ -0,0 +1,35 @@
+From a9d4919f7eb92fecbcea141200ca04507fa8c73b Mon Sep 17 00:00:00 2001
+From: Yaswanth Reddy M
+Date: Thu, 5 Oct 2023 12:50:39 +0000
+Subject: [PATCH] Fix for static analyser tool reported issues.
+
+In this code, we first save the original format flags of std::cerr
+using std::ios_base::fmtflags originalFlags = std::cerr.flags().
+Then, we can modify the format flags as needed. Finally, after
+using the modified format flags, we restore the original format
+flags using std::cerr.flags(originalFlags);
+
+Signed-off-by: Yaswanth Reddy M
+---
+ include/host_error_monitor.hpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/host_error_monitor.hpp b/include/host_error_monitor.hpp
+index 4bccdcc..a4aa5a3 100644
+--- a/include/host_error_monitor.hpp
++++ b/include/host_error_monitor.hpp
+@@ -169,9 +169,11 @@ static inline bool peciError(EPECIStatus peciStatus, uint8_t cc)
+ static void printPECIError(const std::string& reg, const size_t addr,
+ const EPECIStatus peciStatus, const size_t cc)
+ {
++ std::ios_base::fmtflags originalFlags = std::cerr.flags();
+ std::cerr << "Failed to read " << reg << " on CPU address " << std::dec
+ << addr << ". Error: " << peciStatus << ": cc: 0x" << std::hex
+ << cc << "\n";
++ std::cerr.flags(originalFlags);
+ }
+
+ static void beep(std::shared_ptr conn,
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend
index 26e9a2ea5..0479c2b6f 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/host-error-monitor/host-error-monitor_%.bbappend
@@ -1,6 +1,11 @@
# The URI is required for the autobump script but keep it commented
# to not override the upstream value
# SRC_URI = "git://github.com/openbmc/host-error-monitor;branch=master;protocol=https"
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
SRCREV = "ed6972aefe37a039d5b41d183eafc8c48549be67"
+SRC_URI += " \
+ file://0001-Static-analyser-issue-resolution.patch \
+ "
EXTRA_OECMAKE = "-DYOCTO=1"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch
new file mode 100644
index 000000000..9ffed06d3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem/0001-static-analyzer-issue-resolution.patch
@@ -0,0 +1,28 @@
+From f62ee5b5ccc0496c864ad2844af93b2a99ed0ed2 Mon Sep 17 00:00:00 2001
+From: "Munukuru, YaswanthX Reddy"
+Date: Fri, 6 Oct 2023 05:01:55 -0700
+Subject: [PATCH] This Commit fixes the Uninitialized scalar variable issue
+
+Variable is declared but not initialized before it's used.
+
+Signed-off-by: Munukuru, YaswanthX Reddy
+---
+ src/manufacturingcommands.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/manufacturingcommands.cpp b/src/manufacturingcommands.cpp
+index 9f16d95..14dc96a 100644
+--- a/src/manufacturingcommands.cpp
++++ b/src/manufacturingcommands.cpp
+@@ -642,7 +642,7 @@ ipmi::RspType<> appMTMSetSignal(ipmi::Context::ptr ctx, uint8_t signalTypeByte,
+ return ipmi::responseUnspecifiedError();
+ }
+
+- struct input_event event;
++ struct input_event event = {0};
+ event.type = EV_SND;
+ event.code = SND_TONE;
+ event.value = 2000;
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
index 1892a3d44..ec3aa0c80 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend
@@ -6,3 +6,5 @@ SRCREV = "6346e98cd5f33be2328478f865b34edc7203a99d"
FILESEXTRAPATHS:append := ":${THISDIR}/${PN}"
+SRC_URI += "file://0001-static-analyzer-issue-resolution.patch \
+ "
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch
new file mode 100644
index 000000000..4c5dacd76
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,38 @@
+From 431e66398552effd82d5c0ea982a521821782ebd Mon Sep 17 00:00:00 2001
+From: Hans Wennborg
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] minizip: Check length of comment, filename, and extra field,
+ in zipOpenNewFileInZip4_64
+
+These are stored in 16-bit fields in the zip file format. Passing longer
+values would generate an invalid file.
+
+Passing very long values could also cause the computation of
+zi->ci.size_centralheader to overflow, which would cause heap buffer
+overflow on subsequent writes to zi->ci.central_header.
+---
+ contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+ return ZIP_PARAMERROR;
+ #endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+
+ if (zi->in_opened_file_inzip == 1)
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb
index ec977a303..9d12f49f3 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_1.2.13.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
SRC_URI = "https://zlib.net/${BP}.tar.gz \
file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
file://run-ptest \
+ file://CVE-2023-45853.patch \
"
UPSTREAM_CHECK_URI = "http://zlib.net/"
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
new file mode 100644
index 000000000..bfbdce690
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c/CVE-2021-32292.patch
@@ -0,0 +1,24 @@
+From 4e9e44e5258dee7654f74948b0dd5da39c28beec Mon Sep 17 00:00:00 2001
+From: Marc <34656315+MarcT512@users.noreply.github.com>
+Date: Fri, 7 Aug 2020 10:49:45 +0100
+Subject: [PATCH] Fix read past end of buffer
+
+Resolves https://github.com/json-c/json-c/issues/654
+---
+ apps/json_parse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/json_parse.c b/apps/json_parse.c
+index bba4622183..72b31a860a 100644
+--- a/apps/json_parse.c
++++ b/apps/json_parse.c
+@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *))
+ int parse_end = json_tokener_get_parse_end(tok);
+ if (obj == NULL && jerr != json_tokener_continue)
+ {
+- char *aterr = &buf[start_pos + parse_end];
++ char *aterr = (start_pos + parse_end < sizeof(buf)) ?
++ &buf[start_pos + parse_end] : "";
+ fflush(stdout);
+ int fail_offset = total_read - ret + start_pos + parse_end;
+ fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset,
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend
new file mode 100644
index 000000000..c0c43ff17
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/json-c/json-c_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += " \
+ file://CVE-2021-32292.patch \
+ "
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch
new file mode 100644
index 000000000..d6e439ba2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps.patch
@@ -0,0 +1,22 @@
+From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova
+Date: Thu, 27 Apr 2017 14:25:42 +0200
+Subject: [PATCH] Disable running gyp on shared deps
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 93d63110..79caaec2 100644
+--- a/Makefile
++++ b/Makefile
+@@ -138,7 +138,7 @@ with-code-cache test-code-cache:
+ $(warning '$@' target is a noop)
+
+ out/Makefile: config.gypi common.gypi node.gyp \
+- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
++ deps/llhttp/llhttp.gyp \
+ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
+ $(PYTHON) tools/gyp_node.py -f make
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch
new file mode 100644
index 000000000..d7005ae97
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-liftoff-Correct-function-signatures.patch
@@ -0,0 +1,71 @@
+From dc3652c0abcdf8573fd044907b19d8eda7ca1124 Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Wed, 20 Oct 2021 12:49:58 -0700
+Subject: [PATCH] [liftoff] Correct function signatures
+
+Fixes builds on mips where clang reports an error
+../deps/v8/src/wasm/baseline/mips/liftoff-assembler-mips.h:661:5: error: no matching member function for call to 'Move'
+ Move(tmp, src, type.value_type());
+ ^~~~
+
+Upstream-Status: Submitted [https://chromium-review.googlesource.com/c/v8/v8/+/3235674]
+Signed-off-by: Khem Raj
+---
+ src/wasm/baseline/liftoff-assembler.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/deps/v8/src/wasm/baseline/liftoff-assembler.h
++++ b/deps/v8/src/wasm/baseline/liftoff-assembler.h
+@@ -613,7 +613,7 @@ class LiftoffAssembler : public TurboAss
+ void FinishCall(const ValueKindSig*, compiler::CallDescriptor*);
+
+ // Move {src} into {dst}. {src} and {dst} must be different.
+- void Move(LiftoffRegister dst, LiftoffRegister src, ValueKind);
++ void Move(LiftoffRegister dst, LiftoffRegister src, ValueKind kind);
+
+ // Parallel register move: For a list of tuples , move the
+ // {src} register of kind {kind} into {dst}. If {src} equals {dst}, ignore
+@@ -759,8 +759,8 @@ class LiftoffAssembler : public TurboAss
+ inline void MoveStackValue(uint32_t dst_offset, uint32_t src_offset,
+ ValueKind);
+
+- inline void Move(Register dst, Register src, ValueKind);
+- inline void Move(DoubleRegister dst, DoubleRegister src, ValueKind);
++ inline void Move(Register dst, Register src, ValueKind kind);
++ inline void Move(DoubleRegister dst, DoubleRegister src, ValueKind kind);
+
+ inline void Spill(int offset, LiftoffRegister, ValueKind);
+ inline void Spill(int offset, WasmValue);
+--- a/deps/v8/src/wasm/baseline/mips/liftoff-assembler-mips.h
++++ b/deps/v8/src/wasm/baseline/mips/liftoff-assembler-mips.h
+@@ -658,7 +658,7 @@ void LiftoffAssembler::Store(Register ds
+ pinned = pinned | LiftoffRegList::ForRegs(dst_op.rm(), src);
+ LiftoffRegister tmp = GetUnusedRegister(src.reg_class(), pinned);
+ // Save original value.
+- Move(tmp, src, type.value_type());
++ Move(tmp, src, type.value_type().kind());
+
+ src = tmp;
+ pinned.set(tmp);
+--- a/deps/v8/src/wasm/baseline/mips64/liftoff-assembler-mips64.h
++++ b/deps/v8/src/wasm/baseline/mips64/liftoff-assembler-mips64.h
+@@ -596,7 +596,7 @@ void LiftoffAssembler::Store(Register ds
+ pinned.set(dst_op.rm());
+ LiftoffRegister tmp = GetUnusedRegister(src.reg_class(), pinned);
+ // Save original value.
+- Move(tmp, src, type.value_type());
++ Move(tmp, src, type.value_type().kind());
+
+ src = tmp;
+ pinned.set(tmp);
+--- a/deps/v8/src/wasm/baseline/riscv64/liftoff-assembler-riscv64.h
++++ b/deps/v8/src/wasm/baseline/riscv64/liftoff-assembler-riscv64.h
+@@ -580,7 +580,7 @@ void LiftoffAssembler::Store(Register ds
+ pinned.set(dst_op.rm());
+ LiftoffRegister tmp = GetUnusedRegister(src.reg_class(), pinned);
+ // Save original value.
+- Move(tmp, src, type.value_type());
++ Move(tmp, src, type.value_type().kind());
+
+ src = tmp;
+ pinned.set(tmp);
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch
new file mode 100644
index 000000000..4773f0510
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch
@@ -0,0 +1,23 @@
+From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Tue, 15 Jun 2021 19:01:31 -0700
+Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang
+
+clang does not support this option
+
+Signed-off-by: Khem Raj
+---
+ common.gypi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/common.gypi
++++ b/common.gypi
+@@ -417,7 +417,7 @@
+ 'ldflags': [ '-m32' ],
+ }],
+ [ 'target_arch=="ppc64" and OS!="aix"', {
+- 'cflags': [ '-m64', '-mminimal-toc' ],
++ 'cflags': [ '-m64' ],
+ 'ldflags': [ '-m64' ],
+ }],
+ [ 'target_arch=="s390x"', {
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch
new file mode 100644
index 000000000..5cb2e9701
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Install-both-binaries-and-use-libdir.patch
@@ -0,0 +1,96 @@
+From 62ddf8499747fb1e366477d666c0634ad50039a9 Mon Sep 17 00:00:00 2001
+From: Elliott Sales de Andrade
+Date: Tue, 19 Mar 2019 23:22:40 -0400
+Subject: [PATCH 2/2] Install both binaries and use libdir.
+
+This allows us to build with a shared library for other users while
+still providing the normal executable.
+
+Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch
+
+Upstream-Status: Pending
+
+Signed-off-by: Elliott Sales de Andrade
+Signed-off-by: Andreas Müller
+Signed-off-by: Khem Raj
+---
+ configure.py | 7 +++++++
+ tools/install.py | 21 +++++++++------------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/configure.py b/configure.py
+index 6efb98c2316f089f3167e486282593245373af3f..a6d2ec939e4480dfae703f3978067537abf9f0f0 100755
+--- a/configure.py
++++ b/configure.py
+@@ -721,10 +721,16 @@ parser.add_argument('--shared',
+ dest='shared',
+ default=None,
+ help='compile shared library for embedding node in another project. ' +
+ '(This mode is not officially supported for regular applications)')
+
++parser.add_argument('--libdir',
++ action='store',
++ dest='libdir',
++ default='lib',
++ help='a directory to install the shared library into')
++
+ parser.add_argument('--without-v8-platform',
+ action='store_true',
+ dest='without_v8_platform',
+ default=False,
+ help='do not initialize v8 platform during node.js startup. ' +
+@@ -1305,10 +1311,11 @@ def configure_node(o):
+ o['variables']['debug_nghttp2'] = 'false'
+
+ o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
+
+ o['variables']['node_shared'] = b(options.shared)
++ o['variables']['libdir'] = options.libdir
+ node_module_version = getmoduleversion.get_version()
+
+ if options.dest_os == 'android':
+ shlib_suffix = 'so'
+ elif sys.platform == 'darwin':
+diff --git a/tools/install.py b/tools/install.py
+index 41cc1cbc60a9480cc08df3aa0ebe582c2becc3a2..11208f9e7166ab60da46d5ace2257c239a7e9263 100755
+--- a/tools/install.py
++++ b/tools/install.py
+@@ -128,26 +128,23 @@ def subdir_files(path, dest, action):
+ for subdir, files_in_path in ret.items():
+ action(files_in_path, subdir + '/')
+
+ def files(action):
+ is_windows = sys.platform == 'win32'
+- output_file = 'node'
+ output_prefix = 'out/Release/'
++ output_libprefix = output_prefix
+
+- if 'false' == variables.get('node_shared'):
+- if is_windows:
+- output_file += '.exe'
++ if is_windows:
++ output_bin = 'node.exe'
++ output_lib = 'node.dll'
+ else:
+- if is_windows:
+- output_file += '.dll'
+- else:
+- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix')
++ output_bin = 'node'
++ output_lib = 'libnode.' + variables.get('shlib_suffix')
+
+- if 'false' == variables.get('node_shared'):
+- action([output_prefix + output_file], 'bin/' + output_file)
+- else:
+- action([output_prefix + output_file], 'lib/' + output_file)
++ action([output_prefix + output_bin], 'bin/' + output_bin)
++ if 'true' == variables.get('node_shared'):
++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
+
+ if 'true' == variables.get('node_use_dtrace'):
+ action(['out/Release/node.d'], 'lib/dtrace/node.d')
+
+ # behave similarly for systemtap
+--
+2.33.0
+
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch
new file mode 100644
index 000000000..8db1f1dd5
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries.patch
@@ -0,0 +1,70 @@
+From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001
+From: Guillaume Burel
+Date: Fri, 3 Jan 2020 11:25:54 +0100
+Subject: [PATCH] Using native binaries
+
+---
+ node.gyp | 4 ++--
+ tools/v8_gypfiles/v8.gyp | 11 ++++-------
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/node.gyp
++++ b/node.gyp
+@@ -294,6 +294,7 @@
+ 'action_name': 'run_mkcodecache',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(mkcodecache_exec)',
+ ],
+ 'outputs': [
+@@ -319,6 +320,7 @@
+ 'action_name': 'node_mksnapshot',
+ 'process_outputs_as_sources': 1,
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(node_mksnapshot_exec)',
+ ],
+ 'outputs': [
+--- a/tools/v8_gypfiles/v8.gyp
++++ b/tools/v8_gypfiles/v8.gyp
+@@ -68,6 +68,7 @@
+ {
+ 'action_name': 'run_torque_action',
+ 'inputs': [ # Order matters.
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)',
+ '<@(torque_files)',
+ ],
+@@ -99,6 +100,7 @@
+ '<@(torque_outputs_inc)',
+ ],
+ 'action': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)',
+ '-o', '<(SHARED_INTERMEDIATE_DIR)/torque-generated',
+ '-v8-root', '<(V8_ROOT)',
+@@ -225,6 +227,7 @@
+ {
+ 'action_name': 'generate_bytecode_builtins_list_action',
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)',
+ ],
+ 'outputs': [
+@@ -415,6 +418,7 @@
+ ],
+ },
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(mksnapshot_exec)',
+ ],
+ 'outputs': [
+@@ -1548,6 +1552,7 @@
+ {
+ 'action_name': 'run_gen-regexp-special-case_action',
+ 'inputs': [
++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh',
+ '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)',
+ ],
+ 'outputs': [
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch
new file mode 100644
index 000000000..97ed972ce
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/0004-v8-don-t-override-ARM-CFLAGS.patch
@@ -0,0 +1,102 @@
+From 47ee5cc5501289205d3e8e9f27ea9daf18cebac1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?=
+Date: Sat, 9 Nov 2019 14:45:30 +0000
+Subject: [PATCH] v8: don't override ARM CFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This overrides yocto-provided build flags with its own, e.g we get
+ arm-poky-linux-musleabi-g++ -mthumb -mfpu=neon -mfloat-abi=hard -mcpu=cortex-a7 \
+ ... \
+ -march=armv7-a -mfpu=neon -mfloat-abi=hard -marm
+
+Causing the latter to override the former, and compiler warnings:
+ cc1plus: warning: switch '-mcpu=cortex-a7' conflicts with '-march=armv7-a' switch
+
+Patch this out, so that yocto-provided flags take precedence.
+Note that in reality the same should probably be done for all the other
+supported architectures, too.
+
+Note that this also switches to Thumb(2) mode (in my case). No obvious
+problems have been noted during compilation or runtime.
+
+Upstream-Status: Inappropriate [oe-specific]
+Signed-off-by: André Draszik
+---
+ tools/v8_gypfiles/toolchain.gypi | 52 ++------------------------------
+ 1 file changed, 2 insertions(+), 50 deletions(-)
+
+diff --git a/tools/v8_gypfiles/toolchain.gypi b/tools/v8_gypfiles/toolchain.gypi
+index 264b3e478e..0b41848145 100644
+--- a/tools/v8_gypfiles/toolchain.gypi
++++ b/tools/v8_gypfiles/toolchain.gypi
+@@ -211,31 +211,7 @@
+ 'target_conditions': [
+ ['_toolset=="host"', {
+ 'conditions': [
+- ['v8_target_arch==host_arch', {
+- # Host built with an Arm CXX compiler.
+- 'conditions': [
+- [ 'arm_version==7', {
+- 'cflags': ['-march=armv7-a',],
+- }],
+- [ 'arm_version==7 or arm_version=="default"', {
+- 'conditions': [
+- [ 'arm_fpu!="default"', {
+- 'cflags': ['-mfpu=<(arm_fpu)',],
+- }],
+- ],
+- }],
+- [ 'arm_float_abi!="default"', {
+- 'cflags': ['-mfloat-abi=<(arm_float_abi)',],
+- }],
+- [ 'arm_thumb==1', {
+- 'cflags': ['-mthumb',],
+- }],
+- [ 'arm_thumb==0', {
+- 'cflags': ['-marm',],
+- }],
+- ],
+- }, {
+- # 'v8_target_arch!=host_arch'
++ ['v8_target_arch!=host_arch', {
+ # Host not built with an Arm CXX compiler (simulator build).
+ 'conditions': [
+ [ 'arm_float_abi=="hard"', {
+@@ -254,31 +230,7 @@
+ }], # _toolset=="host"
+ ['_toolset=="target"', {
+ 'conditions': [
+- ['v8_target_arch==target_arch', {
+- # Target built with an Arm CXX compiler.
+- 'conditions': [
+- [ 'arm_version==7', {
+- 'cflags': ['-march=armv7-a',],
+- }],
+- [ 'arm_version==7 or arm_version=="default"', {
+- 'conditions': [
+- [ 'arm_fpu!="default"', {
+- 'cflags': ['-mfpu=<(arm_fpu)',],
+- }],
+- ],
+- }],
+- [ 'arm_float_abi!="default"', {
+- 'cflags': ['-mfloat-abi=<(arm_float_abi)',],
+- }],
+- [ 'arm_thumb==1', {
+- 'cflags': ['-mthumb',],
+- }],
+- [ 'arm_thumb==0', {
+- 'cflags': ['-marm',],
+- }],
+- ],
+- }, {
+- # 'v8_target_arch!=target_arch'
++ ['v8_target_arch!=target_arch', {
+ # Target not built with an Arm CXX compiler (simulator build).
+ 'conditions': [
+ [ 'arm_float_abi=="hard"', {
+--
+2.20.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch
new file mode 100644
index 000000000..529381842
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/big-endian.patch
@@ -0,0 +1,18 @@
+
+https://github.com/v8/v8/commit/878ccb33bd3cf0e6dc018ff8d15843f585ac07be
+
+did some automated cleanups but it missed big-endian code.
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj
+--- a/deps/v8/src/runtime/runtime-utils.h
++++ b/deps/v8/src/runtime/runtime-utils.h
+@@ -126,7 +126,7 @@ static inline ObjectPair MakePair(Object
+ #if defined(V8_TARGET_LITTLE_ENDIAN)
+ return x.ptr() | (static_cast(y.ptr()) << 32);
+ #elif defined(V8_TARGET_BIG_ENDIAN)
+- return y->ptr() | (static_cast(x->ptr()) << 32);
++ return y.ptr() | (static_cast(x.ptr()) << 32);
+ #else
+ #error Unknown endianness
+ #endif
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch
new file mode 100644
index 000000000..cb0237309
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/libatomic.patch
@@ -0,0 +1,21 @@
+Link mksnapshot with libatomic on x86
+
+Clang-12 on x86 emits atomic builtins
+
+Fixes
+| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un
+defined reference to `__atomic_load'
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj
+
+--- a/tools/v8_gypfiles/v8.gyp
++++ b/tools/v8_gypfiles/v8.gyp
+@@ -1436,6 +1436,7 @@
+ {
+ 'target_name': 'mksnapshot',
+ 'type': 'executable',
++ 'libraries': [ '-latomic' ],
+ 'dependencies': [
+ 'v8_base_without_compiler',
+ 'v8_compiler_for_mksnapshot',
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch
new file mode 100644
index 000000000..56e93c50c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/mips-less-memory.patch
@@ -0,0 +1,32 @@
+Description: mksnapshot uses too much memory on 32-bit mipsel
+Author: Jérémy Lal
+Last-Update: 2020-06-03
+Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586
+
+This ensures that we reserve 500M instead of 2G range for codegen
+ensures that qemu-mips can allocate such large ranges
+
+Signed-off-by: Khem Raj
+
+--- a/deps/v8/src/common/globals.h
++++ b/deps/v8/src/common/globals.h
+@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize =
+ constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux
+ #elif V8_TARGET_ARCH_MIPS
+ constexpr bool kPlatformRequiresCodeRange = false;
+-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB;
++constexpr size_t kMaximalCodeRangeSize = 512 * MB;
+ constexpr size_t kMinimumCodeRangeSize = 0 * MB;
+ constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page.
+ #else
+--- a/deps/v8/src/codegen/mips/constants-mips.h
++++ b/deps/v8/src/codegen/mips/constants-mips.h
+@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn
+ namespace v8 {
+ namespace internal {
+
+-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096;
++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024;
+
+ // -----------------------------------------------------------------------------
+ // Registers and FPURegisters.
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch
new file mode 100644
index 000000000..141889ad2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs/system-c-ares.patch
@@ -0,0 +1,24 @@
+keep nodejs compatible with c-ares 1.17.1
+
+Upstream-Status: Inappropriate [c-ares specific]
+Signed-off-by: Khem Raj
+
+--- a/src/cares_wrap.h
++++ b/src/cares_wrap.h
+@@ -22,7 +22,15 @@
+ # include
+ #endif // __POSIX__
+
+-# include
++#if defined(__ANDROID__) || \
++ defined(__MINGW32__) || \
++ defined(__OpenBSD__) || \
++ defined(_MSC_VER)
++
++# include
++#else
++# include
++#endif
+
+ namespace node {
+ namespace cares_wrap {
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb
new file mode 100644
index 000000000..beed833c0
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/nodejs/nodejs_16.11.1.bb
@@ -0,0 +1,202 @@
+DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript"
+HOMEPAGE = "http://nodejs.org"
+LICENSE = "MIT & BSD & Artistic-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=12f6b053282af96a218353ae7aff7cd8"
+
+DEPENDS = "openssl"
+DEPENDS:append:class-target = " qemu-native"
+DEPENDS:append:class-native = " c-ares-native"
+
+inherit pkgconfig python3native qemu
+
+COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*"
+COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*"
+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
+
+COMPATIBLE_HOST:riscv64 = "null"
+COMPATIBLE_HOST:riscv32 = "null"
+
+SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \
+ file://0001-Disable-running-gyp-files-for-bundled-deps.patch \
+ file://0002-Install-both-binaries-and-use-libdir.patch \
+ file://0004-v8-don-t-override-ARM-CFLAGS.patch \
+ file://big-endian.patch \
+ file://mips-less-memory.patch \
+ file://system-c-ares.patch \
+ file://0001-liftoff-Correct-function-signatures.patch \
+ "
+SRC_URI:append:class-target = " \
+ file://0002-Using-native-binaries.patch \
+ "
+SRC_URI:append:toolchain-clang:x86 = " \
+ file://libatomic.patch \
+ "
+SRC_URI:append:toolchain-clang:powerpc64le = " \
+ file://0001-ppc64-Do-not-use-mminimal-toc-with-clang.patch \
+ "
+SRC_URI[sha256sum] = "67587f4de25e30a9cc0b51a6033eca3bc82d7b4e0d79bb84a265e88f76ab6278"
+
+S = "${WORKDIR}/node-v${PV}"
+
+# v8 errors out if you have set CCACHE
+CCACHE = ""
+
+def map_nodejs_arch(a, d):
+ import re
+
+ if re.match('i.86$', a): return 'ia32'
+ elif re.match('x86_64$', a): return 'x64'
+ elif re.match('aarch64$', a): return 'arm64'
+ elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64'
+ elif re.match('powerpc$', a): return 'ppc'
+ return a
+
+ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', '--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \
+ ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \
+ bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \
+ bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \
+ '--with-arm-fpu=vfp', d), d), d)}"
+ARCHFLAGS:append:mips = " --v8-lite-mode"
+ARCHFLAGS:append:mipsel = " --v8-lite-mode"
+ARCHFLAGS ?= ""
+
+PACKAGECONFIG ??= "ares brotli icu zlib"
+
+PACKAGECONFIG[ares] = "--shared-cares,,c-ares"
+PACKAGECONFIG[brotli] = "--shared-brotli,,brotli"
+PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu"
+PACKAGECONFIG[libuv] = "--shared-libuv,,libuv"
+PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2"
+PACKAGECONFIG[shared] = "--shared"
+PACKAGECONFIG[zlib] = "--shared-zlib,,zlib"
+
+# We don't want to cross-compile during target compile,
+# and we need to use the right flags during host compile,
+# too.
+EXTRA_OEMAKE = "\
+ CC.host='${CC}' \
+ CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \
+ CXX.host='${CXX}' \
+ CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \
+ LDFLAGS.host='${LDFLAGS}' \
+ AR.host='${AR}' \
+ \
+ builddir_name=./ \
+"
+
+python do_unpack() {
+ import shutil
+
+ bb.build.exec_func('base_do_unpack', d)
+ shutil.rmtree(d.getVar('S') + '/deps/openssl', True)
+ if 'ares' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/cares', True)
+ if 'brotli' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/brotli', True)
+ if 'libuv' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/uv', True)
+ if 'nghttp2' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True)
+ if 'zlib' in d.getVar('PACKAGECONFIG'):
+ shutil.rmtree(d.getVar('S') + '/deps/zlib', True)
+}
+
+# V8's JIT infrastructure requires binaries such as mksnapshot and
+# mkpeephole to be run in the host during the build. However, these
+# binaries must have the same bit-width as the target (e.g. a x86_64
+# host targeting ARMv6 needs to produce a 32-bit binary). Instead of
+# depending on a third Yocto toolchain, we just build those binaries
+# for the target and run them on the host with QEMU.
+python do_create_v8_qemu_wrapper () {
+ """Creates a small wrapper that invokes QEMU to run some target V8 binaries
+ on the host."""
+ qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'),
+ d.expand('${STAGING_DIR_HOST}${base_libdir}')]
+ qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True),
+ qemu_libdirs)
+ wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh')
+ with open(wrapper_path, 'w') as wrapper_file:
+ wrapper_file.write("""#!/bin/sh
+
+# This file has been generated automatically.
+# It invokes QEMU to run binaries built for the target in the host during the
+# build process.
+
+%s "$@"
+""" % qemu_cmd)
+ os.chmod(wrapper_path, 0o755)
+}
+
+do_create_v8_qemu_wrapper[dirs] = "${B}"
+addtask create_v8_qemu_wrapper after do_configure before do_compile
+
+LDFLAGS:append:x86 = " -latomic"
+
+# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi
+do_configure () {
+ export LD="${CXX}"
+ GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES
+ # $TARGET_ARCH settings don't match --dest-cpu settings
+ python3 configure.py --prefix=${prefix} --cross-compiling \
+ --shared-openssl \
+ --without-dtrace \
+ --without-etw \
+ --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \
+ --dest-os=linux \
+ --libdir=${D}${libdir} \
+ ${ARCHFLAGS} \
+ ${PACKAGECONFIG_CONFARGS}
+}
+
+do_compile () {
+ export LD="${CXX}"
+ install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh
+ oe_runmake BUILDTYPE=Release
+}
+
+do_install () {
+ oe_runmake install DESTDIR=${D}
+
+ # wasn't updated since 2009 and is the only thing requiring python2 in runtime
+ # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found in RDEPENDS:nodejs-npm? [file-rdeps]
+ rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples
+}
+
+do_install:append:class-native() {
+ # use node from PATH instead of absolute path to sysroot
+ # node-v0.10.25/tools/install.py is using:
+ # shebang = os.path.join(node_prefix, 'bin/node')
+ # update_shebang(link_path, shebang)
+ # and node_prefix can be very long path to bindir in native sysroot and
+ # when it exceeds 128 character shebang limit it's stripped to incorrect path
+ # and npm fails to execute like in this case with 133 characters show in log.do_install:
+ # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node
+ # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js
+ # use sed on npm-cli.js because otherwise symlink is replaced with normal file and
+ # npm-cli.js continues to use old shebang
+ sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
+
+ # Install the native binaries to provide it within sysroot for the target compilation
+ install -d ${D}${bindir}
+ install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque
+ install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator
+ if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then
+ install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case
+ fi
+ install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache
+ install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot
+}
+
+do_install:append:class-target() {
+ sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js
+}
+
+PACKAGES =+ "${PN}-npm"
+FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx"
+RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \
+ python3-misc python3-multiprocessing"
+
+PACKAGES =+ "${PN}-systemtap"
+FILES:${PN}-systemtap = "${datadir}/systemtap"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch
new file mode 100644
index 000000000..781101372
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam/CVE-2024-22365.patch
@@ -0,0 +1,55 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ int dfd = AT_FDCWD;
+ int dfd_next;
+ int save_errno;
+- int flags = O_RDONLY;
++ int flags = O_RDONLY | O_DIRECTORY;
+ int rv = -1;
+ struct stat st;
+
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ rv = openat(dfd, dir, flags);
+ }
+
+- if (rv != -1) {
+- if (fstat(rv, &st) != 0) {
+- save_errno = errno;
+- close(rv);
+- rv = -1;
+- errno = save_errno;
+- goto error;
+- }
+- if (!S_ISDIR(st.st_mode)) {
+- close(rv);
+- errno = ENOTDIR;
+- rv = -1;
+- goto error;
+- }
+- }
+-
+ if (flags & O_NOFOLLOW) {
+ /* we are inside user-owned dir - protect */
+ if (protect_mount(rv, p, idata) == -1) {
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb
index 5197f1813..74a9c8579 100644
--- a/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb
+++ b/meta-openbmc-mods/meta-common/recipes-extended/pam/libpam_1.5.2.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/Linux-PAM-${PV}.tar.xz \
file://run-ptest \
file://pam-volatiles.conf \
file://CVE-2022-28321-0002.patch \
+ file://CVE-2024-22365.patch \
"
SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d"
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch
new file mode 100644
index 000000000..4b5891dd2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow/CVE-2023-4641.patch
@@ -0,0 +1,142 @@
+From 65c88a43a23c2391dcc90c0abda3e839e9c57904 Mon Sep 17 00:00:00 2001
+From: Alejandro Colomar
+Date: Sat, 10 Jun 2023 16:20:05 +0200
+Subject: [PATCH] gpasswd(1): Fix password leak
+
+How to trigger this password leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When gpasswd(1) asks for the new password, it asks twice (as is usual
+for confirming the new password). Each of those 2 password prompts
+uses agetpass() to get the password. If the second agetpass() fails,
+the first password, which has been copied into the 'static' buffer
+'pass' via STRFCPY(), wasn't being zeroed.
+
+agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and
+can fail for any of the following reasons:
+
+- malloc(3) or readpassphrase(3) failure.
+
+ These are going to be difficult to trigger. Maybe getting the system
+ to the limits of memory utilization at that exact point, so that the
+ next malloc(3) gets ENOMEM, and possibly even the OOM is triggered.
+ About readpassphrase(3), ENFILE and EINTR seem the only plausible
+ ones, and EINTR probably requires privilege or being the same user;
+ but I wouldn't discard ENFILE so easily, if a process starts opening
+ files.
+
+- The password is longer than PASS_MAX.
+
+ The is plausible with physical access. However, at that point, a
+ keylogger will be a much simpler attack.
+
+And, the attacker must be able to know when the second password is being
+introduced, which is not going to be easy.
+
+How to read the password after the leak?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Provoking the leak yourself at the right point by entering a very long
+password is easy, and inspecting the process stack at that point should
+be doable. Try to find some consistent patterns.
+
+Then, search for those patterns in free memory, right after the victim
+leaks their password.
+
+Once you get the leak, a program should read all the free memory
+searching for patterns that gpasswd(1) leaves nearby the leaked
+password.
+
+On 6/10/23 03:14, Seth Arnold wrote:
+> An attacker process wouldn't be able to use malloc(3) for this task.
+> There's a handful of tools available for userspace to allocate memory:
+>
+> - brk / sbrk
+> - mmap MAP_ANONYMOUS
+> - mmap /dev/zero
+> - mmap some other file
+> - shm_open
+> - shmget
+>
+> Most of these return only pages of zeros to a process. Using mmap of an
+> existing file, you can get some of the contents of the file demand-loaded
+> into the memory space on the first use.
+>
+> The MAP_UNINITIALIZED flag only works if the kernel was compiled with
+> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare.
+>
+> malloc(3) doesn't zero memory, to our collective frustration, but all the
+> garbage in the allocations is from previous allocations in the current
+> process. It isn't leftover from other processes.
+>
+> The avenues available for reading the memory:
+> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot)
+> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA)
+> - ptrace (requires ptrace privileges, mediated by YAMA)
+> - causing memory to be swapped to disk, and then inspecting the swap
+>
+> These all require a certain amount of privileges.
+
+How to fix it?
+~~~~~~~~~~~~~~
+
+memzero(), which internally calls explicit_bzero(3), or whatever
+alternative the system provides with a slightly different name, will
+make sure that the buffer is zeroed in memory, and optimizations are not
+allowed to impede this zeroing.
+
+This is not really 100% effective, since compilers may place copies of
+the string somewhere hidden in the stack. Those copies won't get zeroed
+by explicit_bzero(3). However, that's arguably a compiler bug, since
+compilers should make everything possible to avoid optimizing strings
+that are later passed to explicit_bzero(3). But we all know that
+sometimes it's impossible to have perfect knowledge in the compiler, so
+this is plausible. Nevertheless, there's nothing we can do against such
+issues, except minimizing the time such passwords are stored in plain
+text.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+We believe this isn't easy to exploit. Nevertheless, and since the fix
+is trivial, this fix should probably be applied soon, and backported to
+all supported distributions, to prevent someone else having more
+imagination than us to find a way.
+
+Affected versions
+~~~~~~~~~~~~~~~~~
+
+All. Bug introduced in shadow 19990709. That's the second commit in
+the git history.
+
+Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)")
+Reported-by: Alejandro Colomar
+Cc: Serge Hallyn
+Cc: Iker Pedrosa
+Cc: Seth Arnold
+Cc: Christian Brauner
+Cc: Balint Reczey
+Cc: Sam James
+Cc: David Runge
+Cc: Andreas Jaeger
+Cc: <~hallyn/shadow@lists.sr.ht>
+Signed-off-by: Alejandro Colomar
+---
+ src/gpasswd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/gpasswd.c b/src/gpasswd.c
+index a43d9a5..f69eb85 100644
+--- a/src/gpasswd.c
++++ b/src/gpasswd.c
+@@ -919,6 +919,7 @@ static void change_passwd (struct group *gr)
+ strzero (cp);
+ cp = getpass (_("Re-enter new password: "));
+ if (NULL == cp) {
++ memzero (pass, sizeof pass);
+ exit (1);
+ }
+
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
index 15fd63096..c3d1864a2 100644
--- a/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-extended/shadow/shadow_%.bbappend
@@ -5,4 +5,5 @@ PAM_SRC_URI += "file://pam.d/login \
SRC_URI += " \
file://CVE-2023-29383_1.patch \
file://CVE-2023-29383_2.patch \
+ file://CVE-2023-4641.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb b/meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb
new file mode 100644
index 000000000..90f4c3d82
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/xz/xz_5.4.4.bb
@@ -0,0 +1,44 @@
+SUMMARY = "Utilities for managing LZMA compressed files"
+HOMEPAGE = "https://tukaani.org/xz/"
+DESCRIPTION = "XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils."
+SECTION = "base"
+
+# The source includes bits of PD, GPL-2.0, GPL-3.0, LGPL-2.1-or-later, but the
+# only file which is GPL-3.0 is an m4 macro which isn't shipped in any of our
+# packages, and the LGPL bits are under lib/, which appears to be used for
+# libgnu, which appears to be used for DOS builds. So we're left with
+# GPL-2.0-or-later and PD.
+LICENSE = "GPL-2.0-or-later & GPL-3.0-with-autoconf-exception & LGPL-2.1-or-later & PD"
+LICENSE:${PN} = "GPL-2.0-or-later"
+LICENSE:${PN}-dev = "GPL-2.0-or-later"
+LICENSE:${PN}-staticdev = "GPL-2.0-or-later"
+LICENSE:${PN}-doc = "GPL-2.0-or-later"
+LICENSE:${PN}-dbg = "GPL-2.0-or-later"
+LICENSE:${PN}-locale = "GPL-2.0-or-later"
+LICENSE:liblzma = "PD"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=c8ea84ebe7b93cce676b54355dc6b2c0 \
+ file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+ file://COPYING.GPLv3;md5=1ebbd3e34237af26da5dc08a4e440464 \
+ file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c \
+ file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \
+ "
+
+SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz"
+SRC_URI[sha256sum] = "aae39544e254cfd27e942d35a048d592959bd7a79f9a624afb0498bb5613bdf8"
+UPSTREAM_CHECK_REGEX = "xz-(?P\d+(\.\d+)+)\.tar"
+
+CACHED_CONFIGUREVARS += "gl_cv_posix_shell=/bin/sh"
+
+inherit autotools gettext
+
+PACKAGES =+ "liblzma"
+
+FILES:liblzma = "${libdir}/liblzma*${SOLIBS}"
+
+inherit update-alternatives
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE:${PN} = "xz xzcat unxz \
+ lzma lzcat unlzma"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch
new file mode 100644
index 000000000..4c12c53a1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-33631.patch
@@ -0,0 +1,107 @@
+From 5c099c4fdc438014d5893629e70a8ba934433ee8 Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Tue, 6 Dec 2022 22:41:34 +0800
+Subject: ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
+
+Syzbot report follow issue:
+------------[ cut here ]------------
+kernel BUG at fs/ext4/inline.c:227!
+invalid opcode: 0000 [#1] PREEMPT SMP KASAN
+CPU: 1 PID: 3629 Comm: syz-executor212 Not tainted 6.1.0-rc5-syzkaller-00018-g59d0d52c30d4 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
+RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:227
+RSP: 0018:ffffc90003b3f368 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: ffff8880704e16c0 RCX: 0000000000000000
+RDX: ffff888021763a80 RSI: ffffffff821e31a4 RDI: 0000000000000006
+RBP: 000000000006818e R08: 0000000000000006 R09: 0000000000068199
+R10: 0000000000000079 R11: 0000000000000000 R12: 000000000000000b
+R13: 0000000000068199 R14: ffffc90003b3f408 R15: ffff8880704e1c82
+FS: 000055555723e3c0(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fffe8ac9080 CR3: 0000000079f81000 CR4: 0000000000350ee0
+Call Trace:
+
+ ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:768
+ ext4_write_end+0x242/0xdd0 fs/ext4/inode.c:1313
+ ext4_da_write_end+0x3ed/0xa30 fs/ext4/inode.c:3063
+ generic_perform_write+0x316/0x570 mm/filemap.c:3764
+ ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
+ ext4_file_write_iter+0x8bc/0x16e0 fs/ext4/file.c:700
+ call_write_iter include/linux/fs.h:2191 [inline]
+ do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
+ do_iter_write+0x182/0x700 fs/read_write.c:861
+ vfs_iter_write+0x74/0xa0 fs/read_write.c:902
+ iter_file_splice_write+0x745/0xc90 fs/splice.c:686
+ do_splice_from fs/splice.c:764 [inline]
+ direct_splice_actor+0x114/0x180 fs/splice.c:931
+ splice_direct_to_actor+0x335/0x8a0 fs/splice.c:886
+ do_splice_direct+0x1ab/0x280 fs/splice.c:974
+ do_sendfile+0xb19/0x1270 fs/read_write.c:1255
+ __do_sys_sendfile64 fs/read_write.c:1323 [inline]
+ __se_sys_sendfile64 fs/read_write.c:1309 [inline]
+ __x64_sys_sendfile64+0x1d0/0x210 fs/read_write.c:1309
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x63/0xcd
+---[ end trace 0000000000000000 ]---
+
+Above issue may happens as follows:
+ext4_da_write_begin
+ ext4_da_write_inline_data_begin
+ ext4_da_convert_inline_data_to_extent
+ ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
+ext4_da_write_end
+
+ext4_run_li_request
+ ext4_mb_prefetch
+ ext4_read_block_bitmap_nowait
+ ext4_validate_block_bitmap
+ ext4_mark_group_bitmap_corrupted(sb, block_group, EXT4_GROUP_INFO_BBITMAP_CORRUPT)
+ percpu_counter_sub(&sbi->s_freeclusters_counter,grp->bb_free);
+ -> sbi->s_freeclusters_counter become zero
+ext4_da_write_begin
+ if (ext4_nonda_switch(inode->i_sb)) -> As freeclusters_counter is zero will return true
+ *fsdata = (void *)FALL_BACK_TO_NONDELALLOC;
+ ext4_write_begin
+ext4_da_write_end
+ if (write_mode == FALL_BACK_TO_NONDELALLOC)
+ ext4_write_end
+ if (inline_data)
+ ext4_write_inline_data_end
+ ext4_write_inline_data
+ BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
+ -> As inode is already convert to extent, so 'pos + len' > inline_size
+ -> then trigger BUG.
+
+To solve this issue, instead of checking ext4_has_inline_data() which
+is only cleared after data has been written back, check the
+EXT4_STATE_MAY_INLINE_DATA flag in ext4_write_end().
+
+Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data")
+Reported-by: syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com
+Reported-by: Jun Nie
+Signed-off-by: Ye Bin
+Link: https://lore.kernel.org/r/20221206144134.1919987-1-yebin@huaweicloud.com
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+---
+ fs/ext4/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 181bc161b1ac3d..a0f4d4197a0b71 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -1315,7 +1315,8 @@ static int ext4_write_end(struct file *file,
+
+ trace_ext4_write_end(inode, pos, len, copied);
+
+- if (ext4_has_inline_data(inode))
++ if (ext4_has_inline_data(inode) &&
++ ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
+ return ext4_write_inline_data_end(inode, pos, len, copied, page);
+
+ copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch
new file mode 100644
index 000000000..eb2b5cc93
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46923.patch
@@ -0,0 +1,44 @@
+From 012e332286e2bb9f6ac77d195f17e74b2963d663 Mon Sep 17 00:00:00 2001
+From: Christian Brauner
+Date: Thu, 30 Dec 2021 20:23:09 +0100
+Subject: fs/mount_setattr: always cleanup mount_kattr
+
+Make sure that finish_mount_kattr() is called after mount_kattr was
+succesfully built in both the success and failure case to prevent
+leaking any references we took when we built it. We returned early if
+path lookup failed thereby risking to leak an additional reference we
+took when building mount_kattr when an idmapped mount was requested.
+
+Cc: linux-fsdevel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Fixes: 9caccd41541a ("fs: introduce MOUNT_ATTR_IDMAP")
+Signed-off-by: Christian Brauner
+Signed-off-by: Linus Torvalds
+---
+ fs/namespace.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 659a8f39c61afb..b696543adab848 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -4263,12 +4263,11 @@ SYSCALL_DEFINE5(mount_setattr, int, dfd, const char __user *, path,
+ return err;
+
+ err = user_path_at(dfd, path, kattr.lookup_flags, &target);
+- if (err)
+- return err;
+-
+- err = do_mount_setattr(&target, &kattr);
++ if (!err) {
++ err = do_mount_setattr(&target, &kattr);
++ path_put(&target);
++ }
+ finish_mount_kattr(&kattr);
+- path_put(&target);
+ return err;
+ }
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch
new file mode 100644
index 000000000..74c9cac10
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46933.patch
@@ -0,0 +1,118 @@
+From 1c4ace3e6b8575745c50dca9e76e0021e697d645 Mon Sep 17 00:00:00 2001
+From: Vincent Pelletier
+Date: Sat, 18 Dec 2021 02:18:40 +0000
+Subject: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
+
+commit b1e0887379422975f237d43d8839b751a6bcf154 upstream.
+
+ffs_data_clear is indirectly called from both ffs_fs_kill_sb and
+ffs_ep0_release, so it ends up being called twice when userland closes ep0
+and then unmounts f_fs.
+If userland provided an eventfd along with function's USB descriptors, it
+ends up calling eventfd_ctx_put as many times, causing a refcount
+underflow.
+NULL-ify ffs_eventfd to prevent these extraneous eventfd_ctx_put calls.
+
+Also, set epfiles to NULL right after de-allocating it, for readability.
+
+For completeness, ffs_data_clear actually ends up being called thrice, the
+last call being before the whole ffs structure gets freed, so when this
+specific sequence happens there is a second underflow happening (but not
+being reported):
+
+/sys/kernel/debug/tracing# modprobe usb_f_fs
+/sys/kernel/debug/tracing# echo ffs_data_clear > set_ftrace_filter
+/sys/kernel/debug/tracing# echo function > current_tracer
+/sys/kernel/debug/tracing# echo 1 > tracing_on
+(setup gadget, run and kill function userland process, teardown gadget)
+/sys/kernel/debug/tracing# echo 0 > tracing_on
+/sys/kernel/debug/tracing# cat trace
+ smartcard-openp-436 [000] ..... 1946.208786: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431 [000] ..... 1946.279147: ffs_data_clear <-ffs_data_closed
+ smartcard-openp-431 [000] .n... 1946.905512: ffs_data_clear <-ffs_data_put
+
+Warning output corresponding to above trace:
+[ 1946.284139] WARNING: CPU: 0 PID: 431 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x15c
+[ 1946.293094] refcount_t: underflow; use-after-free.
+[ 1946.298164] Modules linked in: usb_f_ncm(E) u_ether(E) usb_f_fs(E) hci_uart(E) btqca(E) btrtl(E) btbcm(E) btintel(E) bluetooth(E) nls_ascii(E) nls_cp437(E) vfat(E) fat(E) bcm2835_v4l2(CE) bcm2835_mmal_vchiq(CE) videobuf2_vmalloc(E) videobuf2_memops(E) sha512_generic(E) videobuf2_v4l2(E) sha512_arm(E) videobuf2_common(E) videodev(E) cpufreq_dt(E) snd_bcm2835(CE) brcmfmac(E) mc(E) vc4(E) ctr(E) brcmutil(E) snd_soc_core(E) snd_pcm_dmaengine(E) drbg(E) snd_pcm(E) snd_timer(E) snd(E) soundcore(E) drm_kms_helper(E) cec(E) ansi_cprng(E) rc_core(E) syscopyarea(E) raspberrypi_cpufreq(E) sysfillrect(E) sysimgblt(E) cfg80211(E) max17040_battery(OE) raspberrypi_hwmon(E) fb_sys_fops(E) regmap_i2c(E) ecdh_generic(E) rfkill(E) ecc(E) bcm2835_rng(E) rng_core(E) vchiq(CE) leds_gpio(E) libcomposite(E) fuse(E) configfs(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sdhci_iproc(E) sdhci_pltfm(E) sdhci(E)
+[ 1946.399633] CPU: 0 PID: 431 Comm: smartcard-openp Tainted: G C OE 5.15.0-1-rpi #1 Debian 5.15.3-1
+[ 1946.417950] Hardware name: BCM2835
+[ 1946.425442] Backtrace:
+[ 1946.432048] [] (dump_backtrace) from [] (show_stack+0x20/0x24)
+[ 1946.448226] r7:00000009 r6:0000001c r5:c04a948c r4:c0a64e2c
+[ 1946.458412] [] (show_stack) from [] (dump_stack+0x28/0x30)
+[ 1946.470380] [] (dump_stack) from [] (__warn+0xe8/0x154)
+[ 1946.482067] r5:c04a948c r4:c0a71dc8
+[ 1946.490184] [] (__warn) from [] (warn_slowpath_fmt+0xa0/0xe4)
+[ 1946.506758] r7:00000009 r6:0000001c r5:c0a71dc8 r4:c0a71e04
+[ 1946.517070] [] (warn_slowpath_fmt) from [] (refcount_warn_saturate+0x110/0x15c)
+[ 1946.535309] r8:c0100224 r7:c0dfcb84 r6:ffffffff r5:c3b84c00 r4:c24a17c0
+[ 1946.546708] [] (refcount_warn_saturate) from [] (eventfd_ctx_put+0x48/0x74)
+[ 1946.564476] [] (eventfd_ctx_put) from [] (ffs_data_clear+0xd0/0x118 [usb_f_fs])
+[ 1946.582664] r5:c3b84c00 r4:c2695b00
+[ 1946.590668] [] (ffs_data_clear [usb_f_fs]) from [] (ffs_data_closed+0x9c/0x150 [usb_f_fs])
+[ 1946.609608] r5:bf54d014 r4:c2695b00
+[ 1946.617522] [] (ffs_data_closed [usb_f_fs]) from [] (ffs_fs_kill_sb+0x2c/0x30 [usb_f_fs])
+[ 1946.636217] r7:c0dfcb84 r6:c3a12260 r5:bf54d014 r4:c229f000
+[ 1946.646273] [] (ffs_fs_kill_sb [usb_f_fs]) from [] (deactivate_locked_super+0x54/0x9c)
+[ 1946.664893] r5:bf54d014 r4:c229f000
+[ 1946.672921] [] (deactivate_locked_super) from [] (deactivate_super+0x60/0x64)
+[ 1946.690722] r5:c2a09000 r4:c229f000
+[ 1946.698706] [] (deactivate_super) from [] (cleanup_mnt+0xe4/0x14c)
+[ 1946.715553] r5:c2a09000 r4:00000000
+[ 1946.723528] [] (cleanup_mnt) from [] (__cleanup_mnt+0x1c/0x20)
+[ 1946.739922] r7:c0dfcb84 r6:c3a12260 r5:c3a126fc r4:00000000
+[ 1946.750088] [] (__cleanup_mnt) from [] (task_work_run+0x84/0xb8)
+[ 1946.766602] [] (task_work_run) from [] (do_work_pending+0x470/0x56c)
+[ 1946.783540] r7:5ac3c35a r6:c0d0424c r5:c200bfb0 r4:c200a000
+[ 1946.793614] [] (do_work_pending) from [] (slow_work_pending+0xc/0x20)
+[ 1946.810553] Exception stack(0xc200bfb0 to 0xc200bff8)
+[ 1946.820129] bfa0: 00000000 00000000 000000aa b5e21430
+[ 1946.837104] bfc0: bef867a0 00000001 bef86840 00000034 bef86838 bef86790 bef86794 bef867a0
+[ 1946.854125] bfe0: 00000000 bef86798 b67b7a1c b6d626a4 60000010 b5a23760
+[ 1946.865335] r10:00000000 r9:c200a000 r8:c0100224 r7:00000034 r6:bef86840 r5:00000001
+[ 1946.881914] r4:bef867a0
+[ 1946.888793] ---[ end trace 7387f2a9725b28d0 ]---
+
+Fixes: 5e33f6fdf735 ("usb: gadget: ffs: add eventfd notification about ffs events")
+Cc: stable
+Signed-off-by: Vincent Pelletier
+Link: https://lore.kernel.org/r/f79eeea29f3f98de6782a064ec0f7351ad2f598f.1639793920.git.plr.vincent@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 725e35167837eb..cbb7947f366f93 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -1772,11 +1772,15 @@ static void ffs_data_clear(struct ffs_data *ffs)
+
+ BUG_ON(ffs->gadget);
+
+- if (ffs->epfiles)
++ if (ffs->epfiles) {
+ ffs_epfiles_destroy(ffs->epfiles, ffs->eps_count);
++ ffs->epfiles = NULL;
++ }
+
+- if (ffs->ffs_eventfd)
++ if (ffs->ffs_eventfd) {
+ eventfd_ctx_put(ffs->ffs_eventfd);
++ ffs->ffs_eventfd = NULL;
++ }
+
+ kfree(ffs->raw_descs_data);
+ kfree(ffs->raw_strings);
+@@ -1789,7 +1793,6 @@ static void ffs_data_reset(struct ffs_data *ffs)
+
+ ffs_data_clear(ffs);
+
+- ffs->epfiles = NULL;
+ ffs->raw_descs_data = NULL;
+ ffs->raw_descs = NULL;
+ ffs->raw_strings = NULL;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
new file mode 100644
index 000000000..a8aa64856
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46934.patch
@@ -0,0 +1,38 @@
+From 407c8708fb1bf2d4afc5337ef50635cf540c364b Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Fri, 31 Dec 2021 01:47:50 +0300
+Subject: i2c: validate user data in compat ioctl
+
+[ Upstream commit bb436283e25aaf1533ce061605d23a9564447bdf ]
+
+Wrong user data may cause warning in i2c_transfer(), ex: zero msgs.
+Userspace should not be able to trigger warnings, so this patch adds
+validation checks for user data in compact ioctl to prevent reported
+warnings
+
+Reported-and-tested-by: syzbot+e417648b303855b91d8a@syzkaller.appspotmail.com
+Fixes: 7d5cb45655f2 ("i2c compat ioctls: move to ->compat_ioctl()")
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/i2c-dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 57aece80984166..140dd074fdee5a 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -544,6 +544,9 @@ static long compat_i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned lo
+ sizeof(rdwr_arg)))
+ return -EFAULT;
+
++ if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
++ return -EINVAL;
++
+ if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
+ return -EINVAL;
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch
new file mode 100644
index 000000000..9a3605809
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-46936.patch
@@ -0,0 +1,88 @@
+From 08eacbd141e2495d2fcdde84358a06c4f95cbb13 Mon Sep 17 00:00:00 2001
+From: Muchun Song
+Date: Tue, 28 Dec 2021 18:41:45 +0800
+Subject: net: fix use-after-free in tw_timer_handler
+
+commit e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 upstream.
+
+A real world panic issue was found as follow in Linux 5.4.
+
+ BUG: unable to handle page fault for address: ffffde49a863de28
+ PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
+ RIP: 0010:tw_timer_handler+0x20/0x40
+ Call Trace:
+
+ call_timer_fn+0x2b/0x120
+ run_timer_softirq+0x1ef/0x450
+ __do_softirq+0x10d/0x2b8
+ irq_exit+0xc7/0xd0
+ smp_apic_timer_interrupt+0x68/0x120
+ apic_timer_interrupt+0xf/0x20
+
+This issue was also reported since 2017 in the thread [1],
+unfortunately, the issue was still can be reproduced after fixing
+DCCP.
+
+The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
+namespace is destroyed since tcp_sk_ops is registered befrore
+ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
+in the list of pernet_list. There will be a use-after-free on
+net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
+if there are some inflight time-wait timers.
+
+This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
+NET_ADD_STATS_BH") since the net_statistics is a global variable
+instead of dynamic allocation and freeing. Actually, commit
+61a7e26028b9 ("mib: put net statistics on struct net") introduces
+the bug since it put net statistics on struct net and free it when
+net namespace is destroyed.
+
+Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
+and replace pr_crit() with panic() since continuing is meaningless
+when init_ipv4_mibs() fails.
+
+[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
+
+Fixes: 61a7e26028b9 ("mib: put net statistics on struct net")
+Signed-off-by: Muchun Song
+Cc: Cong Wang
+Cc: Fam Zheng
+Cc:
+Link: https://lore.kernel.org/r/20211228104145.9426-1-songmuchun@bytedance.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/af_inet.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 3a9422a5873eb4..dcea653a5204ad 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -2004,6 +2004,10 @@ static int __init inet_init(void)
+
+ ip_init();
+
++ /* Initialise per-cpu ipv4 mibs */
++ if (init_ipv4_mibs())
++ panic("%s: Cannot init ipv4 mibs\n", __func__);
++
+ /* Setup TCP slab cache for open requests. */
+ tcp_init();
+
+@@ -2034,12 +2038,6 @@ static int __init inet_init(void)
+
+ if (init_inet_pernet_ops())
+ pr_crit("%s: Cannot init ipv4 inet pernet ops\n", __func__);
+- /*
+- * Initialise per-cpu ipv4 mibs
+- */
+-
+- if (init_ipv4_mibs())
+- pr_crit("%s: Cannot init ipv4 mibs\n", __func__);
+
+ ipv4_proc_init();
+
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch
new file mode 100644
index 000000000..a92a8002b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-47087.patch
@@ -0,0 +1,43 @@
+From 806142c805cacd098e61bdc0f72c778a2389fe4a Mon Sep 17 00:00:00 2001
+From: Sumit Garg
+Date: Thu, 16 Dec 2021 11:17:25 +0530
+Subject: tee: optee: Fix incorrect page free bug
+
+commit 18549bf4b21c739a9def39f27dcac53e27286ab5 upstream.
+
+Pointer to the allocated pages (struct page *page) has already
+progressed towards the end of allocation. It is incorrect to perform
+__free_pages(page, order) using this pointer as we would free any
+arbitrary pages. Fix this by stop modifying the page pointer.
+
+Fixes: ec185dd3ab25 ("optee: Fix memory leak when failing to register shm pages")
+Cc: stable@vger.kernel.org
+Reported-by: Patrik Lantz
+Signed-off-by: Sumit Garg
+Reviewed-by: Tyler Hicks
+Signed-off-by: Jens Wiklander
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/optee/shm_pool.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tee/optee/shm_pool.c b/drivers/tee/optee/shm_pool.c
+index c41a9a501a6e9d..fa75024f16f7f1 100644
+--- a/drivers/tee/optee/shm_pool.c
++++ b/drivers/tee/optee/shm_pool.c
+@@ -41,10 +41,8 @@ static int pool_op_alloc(struct tee_shm_pool_mgr *poolm,
+ goto err;
+ }
+
+- for (i = 0; i < nr_pages; i++) {
+- pages[i] = page;
+- page++;
+- }
++ for (i = 0; i < nr_pages; i++)
++ pages[i] = page + i;
+
+ shm->flags |= TEE_SHM_REGISTER;
+ rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch
new file mode 100644
index 000000000..c4be1a8d1
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0847.patch
@@ -0,0 +1,43 @@
+From 9d2231c5d74e13b2a0546fee6737ee4446017903 Mon Sep 17 00:00:00 2001
+From: Max Kellermann
+Date: Mon, 21 Feb 2022 11:03:13 +0100
+Subject: lib/iov_iter: initialize "flags" in new pipe_buffer
+
+The functions copy_page_to_iter_pipe() and push_pipe() can both
+allocate a new pipe_buffer, but the "flags" member initializer is
+missing.
+
+Fixes: 241699cd72a8 ("new iov_iter flavour: pipe-backed")
+To: Alexander Viro
+To: linux-fsdevel@vger.kernel.org
+To: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Kellermann
+Signed-off-by: Al Viro
+---
+ lib/iov_iter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index b0e0acdf96c15..6dd5330f7a995 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -414,6 +414,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
+ return 0;
+
+ buf->ops = &page_cache_pipe_buf_ops;
++ buf->flags = 0;
+ get_page(page);
+ buf->page = page;
+ buf->offset = offset;
+@@ -577,6 +578,7 @@ static size_t push_pipe(struct iov_iter *i, size_t size,
+ break;
+
+ buf->ops = &default_pipe_buf_ops;
++ buf->flags = 0;
+ buf->page = page;
+ buf->offset = 0;
+ buf->len = min_t(ssize_t, left, PAGE_SIZE);
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch
new file mode 100644
index 000000000..96f861bcf
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40982.patch
@@ -0,0 +1,77 @@
+From 8974eb588283b7d44a7c91fa09fcbaf380339f3a Mon Sep 17 00:00:00 2001
+From: Daniel Sneddon
+Date: Wed, 12 Jul 2023 19:43:11 -0700
+Subject: [PATCH] x86/speculation: Add Gather Data Sampling mitigation
+
+Gather Data Sampling (GDS) is a hardware vulnerability which allows
+unprivileged speculative access to data which was previously stored in
+vector registers.
+
+Intel processors that support AVX2 and AVX512 have gather instructions
+that fetch non-contiguous data elements from memory. On vulnerable
+hardware, when a gather instruction is transiently executed and
+encounters a fault, stale data from architectural or internal vector
+registers may get transiently stored to the destination vector
+register allowing an attacker to infer the stale data using typical
+side channel techniques like cache timing attacks.
+
+This mitigation is different from many earlier ones for two reasons.
+First, it is enabled by default and a bit must be set to *DISABLE* it.
+This is the opposite of normal mitigation polarity. This means GDS can
+be mitigated simply by updating microcode and leaving the new control
+bit alone.
+
+Second, GDS has a "lock" bit. This lock bit is there because the
+mitigation affects the hardware security features KeyLocker and SGX.
+It needs to be enabled and *STAY* enabled for these features to be
+mitigated against GDS.
+
+The mitigation is enabled in the microcode by default. Disable it by
+setting gather_data_sampling=off or by disabling all mitigations with
+mitigations=off. The mitigation status can be checked by reading:
+
+ /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
+
+Signed-off-by: Daniel Sneddon
+Signed-off-by: Dave Hansen
+Acked-by: Josh Poimboeuf
+---
+ drivers/base/cpu.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/base/cpu.c b/drivers/base/cpu.c
+index 5fc258073bc7..3dd3fe80f8fc 100644
+--- a/drivers/base/cpu.c
++++ b/drivers/base/cpu.c
+@@ -564,6 +564,12 @@ ssize_t __weak cpu_show_srbds(struct device *dev,
+ return sysfs_emit(buf, "Not affected\n");
+ }
+
++ssize_t __weak cpu_show_gds(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sysfs_emit(buf, "Not affected\n");
++}
++
+ static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL);
+ static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL);
+ static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL);
+@@ -573,6 +579,7 @@ static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL);
+ static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL);
+ static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL);
+ static DEVICE_ATTR(srbds, 0444, cpu_show_srbds, NULL);
++static DEVICE_ATTR(gather_data_sampling, 0444, cpu_show_gds, NULL);
+
+ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_meltdown.attr,
+@@ -584,6 +591,7 @@ static struct attribute *cpu_root_vulnerabilities_attrs[] = {
+ &dev_attr_tsx_async_abort.attr,
+ &dev_attr_itlb_multihit.attr,
+ &dev_attr_srbds.attr,
++ &dev_attr_gather_data_sampling.attr,
+ NULL
+ };
+
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch
new file mode 100644
index 000000000..10014562c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48425.patch
@@ -0,0 +1,136 @@
+From 98bea253aa28ad8be2ce565a9ca21beb4a9419e5 Mon Sep 17 00:00:00 2001
+From: Edward Lo
+Date: Sat, 5 Nov 2022 23:39:44 +0800
+Subject: fs/ntfs3: Validate MFT flags before replaying logs
+
+Log load and replay is part of the metadata handle flow during mount
+operation. The $MFT record will be loaded and used while replaying logs.
+However, a malformed $MFT record, say, has RECORD_FLAG_DIR flag set and
+contains an ATTR_ROOT attribute will misguide kernel to treat it as a
+directory, and try to free the allocated resources when the
+corresponding inode is freed, which will cause an invalid kfree because
+the memory hasn't actually been allocated.
+
+[ 101.368647] BUG: KASAN: invalid-free in kvfree+0x2c/0x40
+[ 101.369457]
+[ 101.369986] CPU: 0 PID: 198 Comm: mount Not tainted 6.0.0-rc7+ #5
+[ 101.370529] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 101.371362] Call Trace:
+[ 101.371795]
+[ 101.372157] dump_stack_lvl+0x49/0x63
+[ 101.372658] print_report.cold+0xf5/0x689
+[ 101.373022] ? ni_write_inode+0x754/0xd90
+[ 101.373378] ? kvfree+0x2c/0x40
+[ 101.373698] kasan_report_invalid_free+0x77/0xf0
+[ 101.374058] ? kvfree+0x2c/0x40
+[ 101.374352] ? kvfree+0x2c/0x40
+[ 101.374668] __kasan_slab_free+0x189/0x1b0
+[ 101.374992] ? kvfree+0x2c/0x40
+[ 101.375271] kfree+0x168/0x3b0
+[ 101.375717] kvfree+0x2c/0x40
+[ 101.376002] indx_clear+0x26/0x60
+[ 101.376316] ni_clear+0xc5/0x290
+[ 101.376661] ntfs_evict_inode+0x45/0x70
+[ 101.377001] evict+0x199/0x280
+[ 101.377432] iput.part.0+0x286/0x320
+[ 101.377819] iput+0x32/0x50
+[ 101.378166] ntfs_loadlog_and_replay+0x143/0x320
+[ 101.378656] ? ntfs_bio_fill_1+0x510/0x510
+[ 101.378968] ? iput.part.0+0x286/0x320
+[ 101.379367] ntfs_fill_super+0xecb/0x1ba0
+[ 101.379729] ? put_ntfs+0x1d0/0x1d0
+[ 101.380046] ? vsprintf+0x20/0x20
+[ 101.380542] ? mutex_unlock+0x81/0xd0
+[ 101.380914] ? set_blocksize+0x95/0x150
+[ 101.381597] get_tree_bdev+0x232/0x370
+[ 101.382254] ? put_ntfs+0x1d0/0x1d0
+[ 101.382699] ntfs_fs_get_tree+0x15/0x20
+[ 101.383094] vfs_get_tree+0x4c/0x130
+[ 101.383675] path_mount+0x654/0xfe0
+[ 101.384203] ? putname+0x80/0xa0
+[ 101.384540] ? finish_automount+0x2e0/0x2e0
+[ 101.384943] ? putname+0x80/0xa0
+[ 101.385362] ? kmem_cache_free+0x1c4/0x440
+[ 101.385968] ? putname+0x80/0xa0
+[ 101.386666] do_mount+0xd6/0xf0
+[ 101.387228] ? path_mount+0xfe0/0xfe0
+[ 101.387585] ? __kasan_check_write+0x14/0x20
+[ 101.387979] __x64_sys_mount+0xca/0x110
+[ 101.388436] do_syscall_64+0x3b/0x90
+[ 101.388757] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 101.389289] RIP: 0033:0x7fa0f70e948a
+[ 101.390048] Code: 48 8b 0d 11 fa 2a 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 008
+[ 101.391297] RSP: 002b:00007ffc24fdecc8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
+[ 101.391988] RAX: ffffffffffffffda RBX: 000055932c183060 RCX: 00007fa0f70e948a
+[ 101.392494] RDX: 000055932c183260 RSI: 000055932c1832e0 RDI: 000055932c18bce0
+[ 101.393053] RBP: 0000000000000000 R08: 000055932c183280 R09: 0000000000000020
+[ 101.393577] R10: 00000000c0ed0000 R11: 0000000000000202 R12: 000055932c18bce0
+[ 101.394044] R13: 000055932c183260 R14: 0000000000000000 R15: 00000000ffffffff
+[ 101.394747]
+[ 101.395402]
+[ 101.396047] Allocated by task 198:
+[ 101.396724] kasan_save_stack+0x26/0x50
+[ 101.397400] __kasan_slab_alloc+0x6d/0x90
+[ 101.397974] kmem_cache_alloc_lru+0x192/0x5a0
+[ 101.398524] ntfs_alloc_inode+0x23/0x70
+[ 101.399137] alloc_inode+0x3b/0xf0
+[ 101.399534] iget5_locked+0x54/0xa0
+[ 101.400026] ntfs_iget5+0xaf/0x1780
+[ 101.400414] ntfs_loadlog_and_replay+0xe5/0x320
+[ 101.400883] ntfs_fill_super+0xecb/0x1ba0
+[ 101.401313] get_tree_bdev+0x232/0x370
+[ 101.401774] ntfs_fs_get_tree+0x15/0x20
+[ 101.402224] vfs_get_tree+0x4c/0x130
+[ 101.402673] path_mount+0x654/0xfe0
+[ 101.403160] do_mount+0xd6/0xf0
+[ 101.403537] __x64_sys_mount+0xca/0x110
+[ 101.404058] do_syscall_64+0x3b/0x90
+[ 101.404333] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+[ 101.404816]
+[ 101.405067] The buggy address belongs to the object at ffff888008cc9ea0
+[ 101.405067] which belongs to the cache ntfs_inode_cache of size 992
+[ 101.406171] The buggy address is located 232 bytes inside of
+[ 101.406171] 992-byte region [ffff888008cc9ea0, ffff888008cca280)
+[ 101.406995]
+[ 101.408559] The buggy address belongs to the physical page:
+[ 101.409320] page:00000000dccf19dd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cc8
+[ 101.410654] head:00000000dccf19dd order:2 compound_mapcount:0 compound_pincount:0
+[ 101.411533] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
+[ 101.412665] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888003695140
+[ 101.413209] raw: 0000000000000000 00000000800e000e 00000001ffffffff 0000000000000000
+[ 101.413799] page dumped because: kasan: bad access detected
+[ 101.414213]
+[ 101.414427] Memory state around the buggy address:
+[ 101.414991] ffff888008cc9e80: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.415785] ffff888008cc9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.416933] >ffff888008cc9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.417857] ^
+[ 101.418566] ffff888008cca000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 101.419704] ffff888008cca080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+Signed-off-by: Edward Lo
+Signed-off-by: Konstantin Komarov
+---
+ fs/ntfs3/inode.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index ce6bb3bd86b6e..059f288784580 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -100,6 +100,12 @@ static struct inode *ntfs_read_mft(struct inode *inode,
+ /* Record should contain $I30 root. */
+ is_dir = rec->flags & RECORD_FLAG_DIR;
+
++ /* MFT_REC_MFT is not a dir */
++ if (is_dir && ino == MFT_REC_MFT) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ inode->i_generation = le16_to_cpu(rec->seq);
+
+ /* Enumerate all struct Attributes MFT. */
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch
new file mode 100644
index 000000000..840e2de82
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48659.patch
@@ -0,0 +1,73 @@
+From 016b150992eebc32c4a18f783cf2bb6e2545a3d9 Mon Sep 17 00:00:00 2001
+From: Chao Yu
+Date: Wed, 31 Aug 2022 22:54:54 +0800
+Subject: mm/slub: fix to return errno if kmalloc() fails
+
+commit 7e9c323c52b379d261a72dc7bd38120a761a93cd upstream.
+
+In create_unique_id(), kmalloc(, GFP_KERNEL) can fail due to
+out-of-memory, if it fails, return errno correctly rather than
+triggering panic via BUG_ON();
+
+kernel BUG at mm/slub.c:5893!
+Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
+
+Call trace:
+ sysfs_slab_add+0x258/0x260 mm/slub.c:5973
+ __kmem_cache_create+0x60/0x118 mm/slub.c:4899
+ create_cache mm/slab_common.c:229 [inline]
+ kmem_cache_create_usercopy+0x19c/0x31c mm/slab_common.c:335
+ kmem_cache_create+0x1c/0x28 mm/slab_common.c:390
+ f2fs_kmem_cache_create fs/f2fs/f2fs.h:2766 [inline]
+ f2fs_init_xattr_caches+0x78/0xb4 fs/f2fs/xattr.c:808
+ f2fs_fill_super+0x1050/0x1e0c fs/f2fs/super.c:4149
+ mount_bdev+0x1b8/0x210 fs/super.c:1400
+ f2fs_mount+0x44/0x58 fs/f2fs/super.c:4512
+ legacy_get_tree+0x30/0x74 fs/fs_context.c:610
+ vfs_get_tree+0x40/0x140 fs/super.c:1530
+ do_new_mount+0x1dc/0x4e4 fs/namespace.c:3040
+ path_mount+0x358/0x914 fs/namespace.c:3370
+ do_mount fs/namespace.c:3383 [inline]
+ __do_sys_mount fs/namespace.c:3591 [inline]
+ __se_sys_mount fs/namespace.c:3568 [inline]
+ __arm64_sys_mount+0x2f8/0x408 fs/namespace.c:3568
+
+Cc:
+Fixes: 81819f0fc8285 ("SLUB core")
+Reported-by: syzbot+81684812ea68216e08c5@syzkaller.appspotmail.com
+Reviewed-by: Muchun Song
+Reviewed-by: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Signed-off-by: Chao Yu
+Acked-by: David Rientjes
+Signed-off-by: Vlastimil Babka
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 5211496f6d24fc..17e663cf38f69b 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -5743,7 +5743,8 @@ static char *create_unique_id(struct kmem_cache *s)
+ char *name = kmalloc(ID_STR_LENGTH, GFP_KERNEL);
+ char *p = name;
+
+- BUG_ON(!name);
++ if (!name)
++ return ERR_PTR(-ENOMEM);
+
+ *p++ = ':';
+ /*
+@@ -5825,6 +5826,8 @@ static int sysfs_slab_add(struct kmem_cache *s)
+ * for the symlinks.
+ */
+ name = create_unique_id(s);
++ if (IS_ERR(name))
++ return PTR_ERR(name);
+ }
+
+ s->kobj.kset = kset;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch
new file mode 100644
index 000000000..c6538d9ac
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48660.patch
@@ -0,0 +1,69 @@
+From 657803b918e097e47d99d1489da83a603c36bcdd Mon Sep 17 00:00:00 2001
+From: Meng Li
+Date: Wed, 21 Sep 2022 11:20:20 +0800
+Subject: gpiolib: cdev: Set lineevent_state::irq after IRQ register
+ successfully
+
+commit 69bef19d6b9700e96285f4b4e28691cda3dcd0d1 upstream.
+
+When running gpio test on nxp-ls1028 platform with below command
+gpiomon --num-events=3 --rising-edge gpiochip1 25
+There will be a warning trace as below:
+Call trace:
+free_irq+0x204/0x360
+lineevent_free+0x64/0x70
+gpio_ioctl+0x598/0x6a0
+__arm64_sys_ioctl+0xb4/0x100
+invoke_syscall+0x5c/0x130
+......
+el0t_64_sync+0x1a0/0x1a4
+The reason of this issue is that calling request_threaded_irq()
+function failed, and then lineevent_free() is invoked to release
+the resource. Since the lineevent_state::irq was already set, so
+the subsequent invocation of free_irq() would trigger the above
+warning call trace. To fix this issue, set the lineevent_state::irq
+after the IRQ register successfully.
+
+Fixes: 468242724143 ("gpiolib: cdev: refactor lineevent cleanup into lineevent_free")
+Cc: stable@vger.kernel.org
+Signed-off-by: Meng Li
+Reviewed-by: Kent Gibson
+Signed-off-by: Bartosz Golaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpio/gpiolib-cdev.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index 2613881a66e662..381cfa26a4a1a0 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -1769,7 +1769,6 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
+ ret = -ENODEV;
+ goto out_free_le;
+ }
+- le->irq = irq;
+
+ if (eflags & GPIOEVENT_REQUEST_RISING_EDGE)
+ irqflags |= test_bit(FLAG_ACTIVE_LOW, &desc->flags) ?
+@@ -1783,7 +1782,7 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
+ init_waitqueue_head(&le->wait);
+
+ /* Request a thread to read the events */
+- ret = request_threaded_irq(le->irq,
++ ret = request_threaded_irq(irq,
+ lineevent_irq_handler,
+ lineevent_irq_thread,
+ irqflags,
+@@ -1792,6 +1791,8 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
+ if (ret)
+ goto out_free_le;
+
++ le->irq = irq;
++
+ fd = get_unused_fd_flags(O_RDONLY | O_CLOEXEC);
+ if (fd < 0) {
+ ret = fd;
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
new file mode 100644
index 000000000..93d21e5da
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48672.patch
@@ -0,0 +1,39 @@
+From 2133f451311671c7c42b5640d2b999326b39aa0e Mon Sep 17 00:00:00 2001
+From: Sergey Shtylyov
+Date: Sat, 13 Aug 2022 23:34:16 +0300
+Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes()
+
+[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ]
+
+Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
+forgot to fix up the depth check in the loop body in unflatten_dt_nodes()
+which makes it possible to overflow the nps[] buffer...
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE static
+analysis tool.
+
+Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree")
+Signed-off-by: Sergey Shtylyov
+Signed-off-by: Rob Herring
+Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru
+Signed-off-by: Sasha Levin
+---
+ drivers/of/fdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
+index 520ed965bb7a4e..583ca847a39cba 100644
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -314,7 +314,7 @@ static int unflatten_dt_nodes(const void *blob,
+ for (offset = 0;
+ offset >= 0 && depth >= initial_depth;
+ offset = fdt_next_node(blob, offset, &depth)) {
+- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH))
++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1))
+ continue;
+
+ if (!IS_ENABLED(CONFIG_OF_KOBJ) &&
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch
new file mode 100644
index 000000000..53b751d83
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48687.patch
@@ -0,0 +1,76 @@
+From 076f2479fc5a15c4a970ca3b5e57d42ba09a31fa Mon Sep 17 00:00:00 2001
+From: David Lebrun
+Date: Fri, 2 Sep 2022 10:45:06 +0100
+Subject: ipv6: sr: fix out-of-bounds read when setting HMAC data.
+
+[ Upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35 ]
+
+The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
+Segment Routing Headers. This configuration is realised via netlink through
+four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
+SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
+length of the SECRET attribute, it is possible to provide invalid combinations
+(e.g., secret = "", secretlen = 64). This case is not checked in the code and
+with an appropriately crafted netlink message, an out-of-bounds read of up
+to 64 bytes (max secret length) can occur past the skb end pointer and into
+skb_shared_info:
+
+Breakpoint 1, seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208
+208 memcpy(hinfo->secret, secret, slen);
+(gdb) bt
+ #0 seg6_genl_sethmac (skb=, info=) at net/ipv6/seg6.c:208
+ #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
+ extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=,
+ family=) at net/netlink/genetlink.c:731
+ #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
+ family=0xffffffff82fef6c0 ) at net/netlink/genetlink.c:775
+ #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
+ #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 )
+ at net/netlink/af_netlink.c:2501
+ #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
+ #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
+ at net/netlink/af_netlink.c:1319
+ #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=)
+ at net/netlink/af_netlink.c:1345
+ #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=, msg=0xffffc90000ba7e48, len=) at net/netlink/af_netlink.c:1921
+...
+(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
+$1 = 0xffff88800b1b76c0
+(gdb) p/x secret
+$2 = 0xffff88800b1b76c0
+(gdb) p slen
+$3 = 64 '@'
+
+The OOB data can then be read back from userspace by dumping HMAC state. This
+commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
+SECRET.
+
+Reported-by: Lucas Leong
+Tested: verified that EINVAL is correctly returned when secretlen > len(secret)
+Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure")
+Signed-off-by: David Lebrun
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv6/seg6.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
+index d2f8138e5a73a5..2278c0234c4979 100644
+--- a/net/ipv6/seg6.c
++++ b/net/ipv6/seg6.c
+@@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
+ goto out_unlock;
+ }
+
++ if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
++
+ if (hinfo) {
+ err = seg6_hmac_info_del(net, hmackeyid);
+ if (err)
+--
+cgit 1.2.3-korg
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch
new file mode 100644
index 000000000..136878aaf
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-48689.patch
@@ -0,0 +1,167 @@
+From 3261400639463a853ba2b3be8bd009c2a8089775 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Wed, 31 Aug 2022 23:38:09 +0000
+Subject: [PATCH] tcp: TX zerocopy should not sense pfmemalloc status
+
+We got a recent syzbot report [1] showing a possible misuse
+of pfmemalloc page status in TCP zerocopy paths.
+
+Indeed, for pages coming from user space or other layers,
+using page_is_pfmemalloc() is moot, and possibly could give
+false positives.
+
+There has been attempts to make page_is_pfmemalloc() more robust,
+but not using it in the first place in this context is probably better,
+removing cpu cycles.
+
+Note to stable teams :
+
+You need to backport 84ce071e38a6 ("net: introduce
+__skb_fill_page_desc_noacc") as a prereq.
+
+Race is more probable after commit c07aea3ef4d4
+("mm: add a signature in struct page") because page_is_pfmemalloc()
+is now using low order bit from page->lru.next, which can change
+more often than page->index.
+
+Low order bit should never be set for lru.next (when used as an anchor
+in LRU list), so KCSAN report is mostly a false positive.
+
+Backporting to older kernel versions seems not necessary.
+
+[1]
+BUG: KCSAN: data-race in lru_add_fn / tcp_build_frag
+
+write to 0xffffea0004a1d2c8 of 8 bytes by task 18600 on cpu 0:
+__list_add include/linux/list.h:73 [inline]
+list_add include/linux/list.h:88 [inline]
+lruvec_add_folio include/linux/mm_inline.h:105 [inline]
+lru_add_fn+0x440/0x520 mm/swap.c:228
+folio_batch_move_lru+0x1e1/0x2a0 mm/swap.c:246
+folio_batch_add_and_move mm/swap.c:263 [inline]
+folio_add_lru+0xf1/0x140 mm/swap.c:490
+filemap_add_folio+0xf8/0x150 mm/filemap.c:948
+__filemap_get_folio+0x510/0x6d0 mm/filemap.c:1981
+pagecache_get_page+0x26/0x190 mm/folio-compat.c:104
+grab_cache_page_write_begin+0x2a/0x30 mm/folio-compat.c:116
+ext4_da_write_begin+0x2dd/0x5f0 fs/ext4/inode.c:2988
+generic_perform_write+0x1d4/0x3f0 mm/filemap.c:3738
+ext4_buffered_write_iter+0x235/0x3e0 fs/ext4/file.c:270
+ext4_file_write_iter+0x2e3/0x1210
+call_write_iter include/linux/fs.h:2187 [inline]
+new_sync_write fs/read_write.c:491 [inline]
+vfs_write+0x468/0x760 fs/read_write.c:578
+ksys_write+0xe8/0x1a0 fs/read_write.c:631
+__do_sys_write fs/read_write.c:643 [inline]
+__se_sys_write fs/read_write.c:640 [inline]
+__x64_sys_write+0x3e/0x50 fs/read_write.c:640
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+read to 0xffffea0004a1d2c8 of 8 bytes by task 18611 on cpu 1:
+page_is_pfmemalloc include/linux/mm.h:1740 [inline]
+__skb_fill_page_desc include/linux/skbuff.h:2422 [inline]
+skb_fill_page_desc include/linux/skbuff.h:2443 [inline]
+tcp_build_frag+0x613/0xb20 net/ipv4/tcp.c:1018
+do_tcp_sendpages+0x3e8/0xaf0 net/ipv4/tcp.c:1075
+tcp_sendpage_locked net/ipv4/tcp.c:1140 [inline]
+tcp_sendpage+0x89/0xb0 net/ipv4/tcp.c:1150
+inet_sendpage+0x7f/0xc0 net/ipv4/af_inet.c:833
+kernel_sendpage+0x184/0x300 net/socket.c:3561
+sock_sendpage+0x5a/0x70 net/socket.c:1054
+pipe_to_sendpage+0x128/0x160 fs/splice.c:361
+splice_from_pipe_feed fs/splice.c:415 [inline]
+__splice_from_pipe+0x222/0x4d0 fs/splice.c:559
+splice_from_pipe fs/splice.c:594 [inline]
+generic_splice_sendpage+0x89/0xc0 fs/splice.c:743
+do_splice_from fs/splice.c:764 [inline]
+direct_splice_actor+0x80/0xa0 fs/splice.c:931
+splice_direct_to_actor+0x305/0x620 fs/splice.c:886
+do_splice_direct+0xfb/0x180 fs/splice.c:974
+do_sendfile+0x3bf/0x910 fs/read_write.c:1249
+__do_sys_sendfile64 fs/read_write.c:1317 [inline]
+__se_sys_sendfile64 fs/read_write.c:1303 [inline]
+__x64_sys_sendfile64+0x10c/0x150 fs/read_write.c:1303
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+value changed: 0x0000000000000000 -> 0xffffea0004a1d288
+
+Reported by Kernel Concurrency Sanitizer on:
+CPU: 1 PID: 18611 Comm: syz-executor.4 Not tainted 6.0.0-rc2-syzkaller-00248-ge022620b5d05-dirty #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
+
+Fixes: c07aea3ef4d4 ("mm: add a signature in struct page")
+Reported-by: syzbot
+Signed-off-by: Eric Dumazet
+Cc: Shakeel Butt
+Reviewed-by: Shakeel Butt
+Signed-off-by: David S. Miller
+---
+ include/linux/skbuff.h | 20 ++++++++++++++++++++
+ net/core/datagram.c | 2 +-
+ net/ipv4/tcp.c | 2 +-
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 841e2f0f5240..051843e918c8 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2211,6 +2211,26 @@ static inline void skb_fill_page_desc(struct sk_buff *skb, int i,
+ skb_shinfo(skb)->nr_frags = i + 1;
+ }
+
++/**
++ * skb_fill_page_desc_noacc - initialise a paged fragment in an skb
++ * @skb: buffer containing fragment to be initialised
++ * @i: paged fragment index to initialise
++ * @page: the page to use for this fragment
++ * @off: the offset to the data with @page
++ * @size: the length of the data
++ *
++ * Variant of skb_fill_page_desc() which does not deal with
++ * pfmemalloc, if page is not owned by us.
++ */
++static inline void skb_fill_page_desc_noacc(struct sk_buff *skb, int i,
++ struct page *page, int off,
++ int size)
++{
++ struct skb_shared_info *shinfo = skb_shinfo(skb);
++
++ shinfo->nr_frags = i + 1;
++}
++
+ void skb_add_rx_frag(struct sk_buff *skb, int i, struct page *page, int off,
+ int size, unsigned int truesize);
+
+diff --git a/net/core/datagram.c b/net/core/datagram.c
+index 15ab9ffb27fe..28e5f921dcaf 100644
+--- a/net/core/datagram.c
++++ b/net/core/datagram.c
+@@ -677,7 +677,7 @@ int __zerocopy_sg_from_iter(struct sock *sk, struct sk_buff *skb,
+ page_ref_sub(last_head, refs);
+ refs = 0;
+ }
+- skb_fill_page_desc(skb, frag++, head, start, size);
++ skb_fill_page_desc_noacc(skb, frag++, head, start, size);
+ }
+ if (refs)
+ page_ref_sub(last_head, refs);
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index c86d27d653be..d066d780010d 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1002,7 +1002,7 @@ struct sk_buff *tcp_build_frag(struct sock *sk, int size_goal, int flags,
+ skb_frag_size_add(&skb_shinfo(skb)->frags[i - 1], copy);
+ } else {
+ get_page(page);
+- skb_fill_page_desc(skb, i, page, offset, copy);
++ skb_fill_page_desc_noacc(skb, i, page, offset, copy);
+ }
+
+ if (!(flags & MSG_NO_SHARED_FRAGS))
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch
new file mode 100644
index 000000000..0c457f4a2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-0386.patch
@@ -0,0 +1,48 @@
+From 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Tue, 24 Jan 2023 16:41:18 +0100
+Subject: ovl: fail on invalid uid/gid mapping at copy up
+
+If st_uid/st_gid doesn't have a mapping in the mounter's user_ns, then
+copy-up should fail, just like it would fail if the mounter task was doing
+the copy using "cp -a".
+
+There's a corner case where the "cp -a" would succeed but copy up fail: if
+there's a mapping of the invalid uid/gid (65534 by default) in the user
+namespace. This is because stat(2) will return this value if the mapping
+doesn't exist in the current user_ns and "cp -a" will in turn be able to
+create a file with this uid/gid.
+
+This behavior would be inconsistent with POSIX ACL's, which return -1 for
+invalid uid/gid which result in a failed copy.
+
+For consistency and simplicity fail the copy of the st_uid/st_gid are
+invalid.
+
+Fixes: 459c7c565ac3 ("ovl: unprivieged mounts")
+Cc: # v5.11
+Signed-off-by: Miklos Szeredi