diff options
Diffstat (limited to 'poky/meta')
504 files changed, 30125 insertions, 3001 deletions
diff --git a/poky/meta/classes/archiver.bbclass b/poky/meta/classes/archiver.bbclass index dca4271a69..4a5865d7b5 100644 --- a/poky/meta/classes/archiver.bbclass +++ b/poky/meta/classes/archiver.bbclass @@ -461,7 +461,7 @@ def is_work_shared(d): pn = d.getVar('PN') return pn.startswith('gcc-source') or \ bb.data.inherits_class('kernel', d) or \ - (bb.data.inherits_class('kernelsrc', d) and d.getVar('S') == d.getVar('STAGING_KERNEL_DIR')) + (bb.data.inherits_class('kernelsrc', d) and d.expand("${TMPDIR}/work-shared") in d.getVar('S')) # Run do_unpack and do_patch python do_unpack_and_patch() { diff --git a/poky/meta/classes/baremetal-image.bbclass b/poky/meta/classes/baremetal-image.bbclass index cb9e250350..3a96df1f2d 100644 --- a/poky/meta/classes/baremetal-image.bbclass +++ b/poky/meta/classes/baremetal-image.bbclass @@ -95,6 +95,17 @@ QB_OPT_APPEND:append:qemuriscv32 = " -bios none" CFLAGS:append:qemuriscv64 = " -mcmodel=medany" +## Emulate image.bbclass +# Handle inherits of any of the image classes we need +IMAGE_CLASSES ??= "" +IMGCLASSES = " ${IMAGE_CLASSES}" +inherit ${IMGCLASSES} +# Set defaults to satisfy IMAGE_FEATURES check +IMAGE_FEATURES ?= "" +IMAGE_FEATURES[type] = "list" +IMAGE_FEATURES[validitems] += "" + + # This next part is necessary to trick the build system into thinking # its building an image recipe so it generates the qemuboot.conf addtask do_rootfs before do_image after do_install diff --git a/poky/meta/classes/base.bbclass b/poky/meta/classes/base.bbclass index cb9da78ab6..b15c5839b6 100644 --- a/poky/meta/classes/base.bbclass +++ b/poky/meta/classes/base.bbclass @@ -132,7 +132,7 @@ def setup_hosttools_dir(dest, toolsvar, d, fatal=True): # /usr/local/bin/ccache/gcc -> /usr/bin/ccache, then which(gcc) # would return /usr/local/bin/ccache/gcc, but what we need is # /usr/bin/gcc, this code can check and fix that. - if "ccache" in srctool: + if os.path.islink(srctool) and os.path.basename(os.readlink(srctool)) == 'ccache': srctool = bb.utils.which(path, tool, executable=True, direction=1) if srctool: os.symlink(srctool, desttool) diff --git a/poky/meta/classes/cargo_common.bbclass b/poky/meta/classes/cargo_common.bbclass index 39f32829fd..1e9d284b5d 100644 --- a/poky/meta/classes/cargo_common.bbclass +++ b/poky/meta/classes/cargo_common.bbclass @@ -50,7 +50,7 @@ cargo_common_do_configure () { [source.crates-io] replace-with = "bitbake" - local-registry = "/nonexistant" + local-registry = "/nonexistent" EOF fi @@ -88,7 +88,7 @@ cargo_common_do_configure () { cat <<- EOF >> ${CARGO_HOME}/config [build] - # Use out of tree build destination to avoid poluting the source tree + # Use out of tree build destination to avoid polluting the source tree target-dir = "${B}/target" EOF fi diff --git a/poky/meta/classes/core-image.bbclass b/poky/meta/classes/core-image.bbclass index 740a6c1d3d..803727da0e 100644 --- a/poky/meta/classes/core-image.bbclass +++ b/poky/meta/classes/core-image.bbclass @@ -62,7 +62,7 @@ IMAGE_FEATURES_REPLACES_ssh-server-openssh = "ssh-server-dropbear" # Do not install openssh complementary packages if either packagegroup-core-ssh-dropbear or dropbear # is installed # to avoid openssh-dropbear conflict # see [Yocto #14858] for more information -PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTALL', 'packagegroup-core-ssh-dropbear dropbear', 'openssh', '' , d)}" +PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTALL', 'packagegroup-core-ssh-dropbear dropbear', ' openssh', '' , d)}" # IMAGE_FEATURES_CONFLICTS_foo = 'bar1 bar2' # An error exception would be raised if both image features foo and bar1(or bar2) are included diff --git a/poky/meta/classes/create-spdx.bbclass b/poky/meta/classes/create-spdx.bbclass index d735f20c20..349ecfe6ab 100644 --- a/poky/meta/classes/create-spdx.bbclass +++ b/poky/meta/classes/create-spdx.bbclass @@ -19,12 +19,12 @@ SPDX_TOOL_VERSION ??= "1.0" SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" SPDX_INCLUDE_SOURCES ??= "0" -SPDX_INCLUDE_PACKAGED ??= "0" SPDX_ARCHIVE_SOURCES ??= "0" SPDX_ARCHIVE_PACKAGED ??= "0" SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdoc" +SPDX_PRETTY ??= "0" SPDX_LICENSES ??= "${COREBASE}/meta/files/spdx-licenses.json" @@ -76,6 +76,11 @@ def recipe_spdx_is_native(d, recipe): def is_work_shared_spdx(d): return bb.data.inherits_class('kernel', d) or ('work-shared' in d.getVar('WORKDIR')) +def get_json_indent(d): + if d.getVar("SPDX_PRETTY") == "1": + return 2 + return None + python() { import json if d.getVar("SPDX_LICENSE_DATA"): @@ -423,7 +428,6 @@ python do_create_spdx() { deploy_dir_spdx = Path(d.getVar("DEPLOY_DIR_SPDX")) spdx_workdir = Path(d.getVar("SPDXWORK")) - include_packaged = d.getVar("SPDX_INCLUDE_PACKAGED") == "1" include_sources = d.getVar("SPDX_INCLUDE_SOURCES") == "1" archive_sources = d.getVar("SPDX_ARCHIVE_SOURCES") == "1" archive_packaged = d.getVar("SPDX_ARCHIVE_PACKAGED") == "1" @@ -451,6 +455,7 @@ python do_create_spdx() { for s in d.getVar('SRC_URI').split(): if not s.startswith("file://"): + s = s.split(';')[0] recipe.downloadLocation = s break else: @@ -515,7 +520,7 @@ python do_create_spdx() { dep_recipes = collect_dep_recipes(d, doc, recipe) - doc_sha1 = oe.sbom.write_doc(d, doc, "recipes") + doc_sha1 = oe.sbom.write_doc(d, doc, "recipes", indent=get_json_indent(d)) dep_recipes.append(oe.sbom.DepRecipe(doc, doc_sha1, recipe)) recipe_ref = oe.spdx.SPDXExternalDocumentRef() @@ -580,7 +585,7 @@ python do_create_spdx() { add_package_sources_from_debug(d, package_doc, spdx_package, package, package_files, sources) - oe.sbom.write_doc(d, package_doc, "packages") + oe.sbom.write_doc(d, package_doc, "packages", indent=get_json_indent(d)) } # NOTE: depending on do_unpack is a hack that is necessary to get it's dependencies for archive the source addtask do_create_spdx after do_package do_packagedata do_unpack before do_populate_sdk do_build do_rm_work @@ -744,7 +749,7 @@ python do_create_runtime_spdx() { ) seen_deps.add(dep) - oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy) + oe.sbom.write_doc(d, runtime_doc, "runtime", spdx_deploy, indent=get_json_indent(d)) } addtask do_create_runtime_spdx after do_create_spdx before do_build do_rm_work @@ -788,6 +793,7 @@ def spdx_get_src(d): bb.build.exec_func('do_unpack', d) # Copy source of kernel to spdx_workdir if is_work_shared_spdx(d): + share_src = d.getVar('WORKDIR') d.setVar('WORKDIR', spdx_workdir) d.setVar('STAGING_DIR_NATIVE', spdx_sysroot_native) src_dir = spdx_workdir + "/" + d.getVar('PN')+ "-" + d.getVar('PV') + "-" + d.getVar('PR') @@ -795,8 +801,8 @@ def spdx_get_src(d): if bb.data.inherits_class('kernel',d): share_src = d.getVar('STAGING_KERNEL_DIR') cmd_copy_share = "cp -rf " + share_src + "/* " + src_dir + "/" - cmd_copy_kernel_result = os.popen(cmd_copy_share).read() - bb.note("cmd_copy_kernel_result = " + cmd_copy_kernel_result) + cmd_copy_shared_res = os.popen(cmd_copy_share).read() + bb.note("cmd_copy_shared_result = " + cmd_copy_shared_res) git_path = src_dir + "/.git" if os.path.exists(git_path): @@ -939,7 +945,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages): image_spdx_path = rootfs_deploydir / (rootfs_name + ".spdx.json") with image_spdx_path.open("wb") as f: - doc.to_json(f, sort_keys=True) + doc.to_json(f, sort_keys=True, indent=get_json_indent(d)) num_threads = int(d.getVar("BB_NUMBER_THREADS")) @@ -997,7 +1003,11 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages): index["documents"].sort(key=lambda x: x["filename"]) - index_str = io.BytesIO(json.dumps(index, sort_keys=True).encode("utf-8")) + index_str = io.BytesIO(json.dumps( + index, + sort_keys=True, + indent=get_json_indent(d), + ).encode("utf-8")) info = tarfile.TarInfo() info.name = "index.json" @@ -1011,4 +1021,4 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages): spdx_index_path = rootfs_deploydir / (rootfs_name + ".spdx.index.json") with spdx_index_path.open("w") as f: - json.dump(index, f, sort_keys=True) + json.dump(index, f, sort_keys=True, indent=get_json_indent(d)) diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 16466586a7..3c922b27af 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -42,8 +42,8 @@ CVE_CHECK_LOG_JSON ?= "${T}/cve.json" CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}" CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" -CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve" -CVE_CHECK_MANIFEST_JSON ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.json" +CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve" +CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.json" CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" @@ -196,7 +196,7 @@ python cve_check_write_rootfs_manifest () { recipies.add(pkg_data["PN"]) bb.note("Writing rootfs CVE manifest") - deploy_dir = d.getVar("DEPLOY_DIR_IMAGE") + deploy_dir = d.getVar("IMGDEPLOYDIR") link_name = d.getVar("IMAGE_LINK_NAME") json_data = {"version":"1", "package": []} @@ -254,7 +254,7 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - from oe.cve_check import Version + from oe.cve_check import Version, convert_cve_version pn = d.getVar("PN") real_pv = d.getVar("PV") @@ -318,6 +318,9 @@ def check_cves(d, patched_cves): if cve in cve_ignore: ignored = True + version_start = convert_cve_version(version_start) + version_end = convert_cve_version(version_end) + if (operator_start == '=' and pv == version_start) or version_start == '-': vulnerable = True else: diff --git a/poky/meta/classes/devshell.bbclass b/poky/meta/classes/devshell.bbclass index 247d04478c..26c01c080a 100644 --- a/poky/meta/classes/devshell.bbclass +++ b/poky/meta/classes/devshell.bbclass @@ -2,8 +2,6 @@ inherit terminal DEVSHELL = "${SHELL}" -PATH:prepend:task-devshell = "${COREBASE}/scripts/git-intercept:" - python do_devshell () { if d.getVarFlag("do_devshell", "manualfakeroot"): d.prependVar("DEVSHELL", "pseudo ") diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass index 8136d25cb1..a649bcdff8 100644 --- a/poky/meta/classes/externalsrc.bbclass +++ b/poky/meta/classes/externalsrc.bbclass @@ -60,7 +60,7 @@ python () { if externalsrcbuild: d.setVar('B', externalsrcbuild) else: - d.setVar('B', '${WORKDIR}/${BPN}-${PV}/') + d.setVar('B', '${WORKDIR}/${BPN}-${PV}') local_srcuri = [] fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d) @@ -211,8 +211,8 @@ def srctree_hash_files(d, srcdir=None): try: git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) - top_git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], - stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) + top_git_dir = os.path.join(d.getVar("TOPDIR"), + subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) if git_dir == top_git_dir: git_dir = None except subprocess.CalledProcessError: @@ -229,15 +229,16 @@ def srctree_hash_files(d, srcdir=None): env['GIT_INDEX_FILE'] = tmp_index.name subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env) git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8") - submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8") - for line in submodule_helper.splitlines(): - module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1]) - if os.path.isdir(module_dir): - proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) - proc.communicate() - proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) - stdout, _ = proc.communicate() - git_sha1 += stdout.decode("utf-8") + if os.path.exists(os.path.join(s_dir, ".gitmodules")) and os.path.getsize(os.path.join(s_dir, ".gitmodules")) > 0: + submodule_helper = subprocess.check_output(["git", "config", "--file", ".gitmodules", "--get-regexp", "path"], cwd=s_dir, env=env).decode("utf-8") + for line in submodule_helper.splitlines(): + module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1]) + if os.path.isdir(module_dir): + proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + proc.communicate() + proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) + stdout, _ = proc.communicate() + git_sha1 += stdout.decode("utf-8") sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest() with open(oe_hash_file, 'w') as fobj: fobj.write(sha1) diff --git a/poky/meta/classes/fs-uuid.bbclass b/poky/meta/classes/fs-uuid.bbclass index 9b53dfba7a..731ea575bd 100644 --- a/poky/meta/classes/fs-uuid.bbclass +++ b/poky/meta/classes/fs-uuid.bbclass @@ -4,7 +4,7 @@ def get_rootfs_uuid(d): import subprocess rootfs = d.getVar('ROOTFS') - output = subprocess.check_output(['tune2fs', '-l', rootfs]) + output = subprocess.check_output(['tune2fs', '-l', rootfs], text=True) for line in output.split('\n'): if line.startswith('Filesystem UUID:'): uuid = line.split()[-1] diff --git a/poky/meta/classes/gnomebase.bbclass b/poky/meta/classes/gnomebase.bbclass index 9a5bd9a232..99ac472080 100644 --- a/poky/meta/classes/gnomebase.bbclass +++ b/poky/meta/classes/gnomebase.bbclass @@ -1,5 +1,5 @@ def gnome_verdir(v): - return ".".join(v.split(".")[:-1]) + return ".".join(v.split(".")[:-1]) or v GNOME_COMPRESS_TYPE ?= "xz" diff --git a/poky/meta/classes/gtk-icon-cache.bbclass b/poky/meta/classes/gtk-icon-cache.bbclass index 6808339b90..f999b891f3 100644 --- a/poky/meta/classes/gtk-icon-cache.bbclass +++ b/poky/meta/classes/gtk-icon-cache.bbclass @@ -3,7 +3,7 @@ FILES:${PN} += "${datadir}/icons/hicolor" GTKIC_VERSION ??= '3' GTKPN = "${@ 'gtk4' if d.getVar('GTKIC_VERSION') == '4' else 'gtk+3' }" -GTKIC_CMD = "${@ 'gtk-update-icon-cache-3.0.0' if d.getVar('GTKIC_VERSION') == '4' else 'gtk4-update-icon-cache' }" +GTKIC_CMD = "${@ 'gtk4-update-icon-cache' if d.getVar('GTKIC_VERSION') == '4' else 'gtk-update-icon-cache-3.0' }" #gtk+3/gtk4 require GTK3DISTROFEATURES, DEPENDS on it make all the #recipes inherit this class require GTK3DISTROFEATURES diff --git a/poky/meta/classes/image.bbclass b/poky/meta/classes/image.bbclass index 2139a7e576..00413d56d1 100644 --- a/poky/meta/classes/image.bbclass +++ b/poky/meta/classes/image.bbclass @@ -177,8 +177,7 @@ python () { IMAGE_POSTPROCESS_COMMAND ?= "" -# some default locales -IMAGE_LINGUAS ?= "de-de fr-fr en-gb" +IMAGE_LINGUAS ??= "" LINGUAS_INSTALL ?= "${@" ".join(map(lambda s: "locale-base-%s" % s, d.getVar('IMAGE_LINGUAS').split()))}" @@ -314,7 +313,7 @@ fakeroot python do_image_qa () { except oe.utils.ImageQAFailed as e: qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (e.name, e.description) except Exception as e: - qamsg = qamsg + '\tImage QA function %s failed\n' % cmd + qamsg = qamsg + '\tImage QA function %s failed: %s\n' % (cmd, e) if qamsg: imgname = d.getVar('IMAGE_NAME') @@ -441,7 +440,7 @@ python () { localdata.delVar('DATE') localdata.delVar('TMPDIR') localdata.delVar('IMAGE_VERSION_SUFFIX') - vardepsexclude = (d.getVarFlag('IMAGE_CMD:' + realt, 'vardepsexclude', True) or '').split() + vardepsexclude = (d.getVarFlag('IMAGE_CMD:' + realt, 'vardepsexclude') or '').split() for dep in vardepsexclude: localdata.delVar(dep) diff --git a/poky/meta/classes/image_types.bbclass b/poky/meta/classes/image_types.bbclass index 960dab1a60..79081d9f98 100644 --- a/poky/meta/classes/image_types.bbclass +++ b/poky/meta/classes/image_types.bbclass @@ -187,7 +187,10 @@ multiubi_mkfs() { fi } +MULTIUBI_ARGS = "MKUBIFS_ARGS UBINIZE_ARGS" + IMAGE_CMD:multiubi () { + ${@' '.join(['%s_%s="%s";' % (arg, name, d.getVar('%s_%s' % (arg, name))) for arg in d.getVar('MULTIUBI_ARGS').split() for name in d.getVar('MULTIUBI_BUILD').split()])} # Split MKUBIFS_ARGS_<name> and UBINIZE_ARGS_<name> for name in ${MULTIUBI_BUILD}; do eval local mkubifs_args=\"\$MKUBIFS_ARGS_${name}\" diff --git a/poky/meta/classes/image_types_wic.bbclass b/poky/meta/classes/image_types_wic.bbclass index 5374d6125e..6453dd1b74 100644 --- a/poky/meta/classes/image_types_wic.bbclass +++ b/poky/meta/classes/image_types_wic.bbclass @@ -85,7 +85,7 @@ do_image_wic[deptask] += "do_image_complete" WKS_FILE_DEPENDS_DEFAULT = '${@bb.utils.contains_any("BUILD_ARCH", [ 'x86_64', 'i686' ], "syslinux-native", "",d)}' WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native btrfs-tools-native squashfs-tools-native e2fsprogs-native" # Unified kernel images need objcopy -WKS_FILE_DEPENDS_DEFAULT += "virtual/${TARGET_PREFIX}binutils" +WKS_FILE_DEPENDS_DEFAULT += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils" WKS_FILE_DEPENDS_BOOTLOADERS = "" WKS_FILE_DEPENDS_BOOTLOADERS:x86 = "syslinux grub-efi systemd-boot os-release" WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 = "syslinux grub-efi systemd-boot os-release" diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass index 0d93d50e58..dfda70bad6 100644 --- a/poky/meta/classes/insane.bbclass +++ b/poky/meta/classes/insane.bbclass @@ -552,7 +552,10 @@ python populate_lic_qa_checksum() { import hashlib lineno = 0 license = [] - m = hashlib.new('MD5', usedforsecurity=False) + try: + m = hashlib.new('MD5', usedforsecurity=False) + except TypeError: + m = hashlib.new('MD5') for line in f: lineno += 1 if (lineno >= beginline): diff --git a/poky/meta/classes/kernel-arch.bbclass b/poky/meta/classes/kernel-arch.bbclass index 348a3adf22..4cd08b96fb 100644 --- a/poky/meta/classes/kernel-arch.bbclass +++ b/poky/meta/classes/kernel-arch.bbclass @@ -64,5 +64,5 @@ HOST_AR_KERNEL_ARCH ?= "${TARGET_AR_KERNEL_ARCH}" KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} -fuse-ld=bfd ${DEBUG_PREFIX_MAP} -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH}" KERNEL_LD = "${CCACHE}${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}" KERNEL_AR = "${CCACHE}${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}" -TOOLCHAIN = "gcc" +TOOLCHAIN ?= "gcc" diff --git a/poky/meta/classes/kernel-fitimage.bbclass b/poky/meta/classes/kernel-fitimage.bbclass index 983392c23a..27e17db951 100644 --- a/poky/meta/classes/kernel-fitimage.bbclass +++ b/poky/meta/classes/kernel-fitimage.bbclass @@ -67,6 +67,9 @@ FIT_CONF_PREFIX[doc] = "Prefix to use for FIT configuration node name" FIT_SUPPORTED_INITRAMFS_FSTYPES ?= "cpio.lz4 cpio.lzo cpio.lzma cpio.xz cpio.zst cpio.gz ext2.gz cpio" +# Allow user to select the default DTB for FIT image when multiple dtb's exists. +FIT_CONF_DEFAULT_DTB ?= "" + # Keys used to sign individually image nodes. # The keys to sign image nodes must be different from those used to sign # configuration nodes, otherwise the "required" property, from @@ -369,6 +372,7 @@ fitimage_emit_section_config() { bootscr_line="" setup_line="" default_line="" + default_dtb_image="${FIT_CONF_DEFAULT_DTB}" # conf node name is selected based on dtb ID if it is present, # otherwise its selected based on kernel ID @@ -411,7 +415,17 @@ fitimage_emit_section_config() { # default node is selected based on dtb ID if it is present, # otherwise its selected based on kernel ID if [ -n "$dtb_image" ]; then - default_line="default = \"${FIT_CONF_PREFIX}$dtb_image\";" + # Select default node as user specified dtb when + # multiple dtb exists. + if [ -n "$default_dtb_image" ]; then + if [ -s "${EXTERNAL_KERNEL_DEVICETREE}/$default_dtb_image" ]; then + default_line="default = \"${FIT_CONF_PREFIX}$default_dtb_image\";" + else + bbwarn "Couldn't find a valid user specified dtb in ${EXTERNAL_KERNEL_DEVICETREE}/$default_dtb_image" + fi + else + default_line="default = \"${FIT_CONF_PREFIX}$dtb_image\";" + fi else default_line="default = \"${FIT_CONF_PREFIX}$kernel_id\";" fi @@ -540,10 +554,11 @@ fitimage_assemble() { if [ -n "${EXTERNAL_KERNEL_DEVICETREE}" ]; then dtbcount=1 - for DTB in $(find "${EXTERNAL_KERNEL_DEVICETREE}" \( -name '*.dtb' -o -name '*.dtbo' \) -printf '%P\n' | sort); do + for DTB in $(find "${EXTERNAL_KERNEL_DEVICETREE}" -name '*.dtb' -printf '%P\n' | sort) \ + $(find "${EXTERNAL_KERNEL_DEVICETREE}" -name '*.dtbo' -printf '%P\n' | sort); do DTB=$(echo "$DTB" | tr '/' '_') - # Skip DTB if we've picked it up previously + # Skip DTB/DTBO if we've picked it up previously echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue DTBS="$DTBS $DTB" diff --git a/poky/meta/classes/kernel-yocto.bbclass b/poky/meta/classes/kernel-yocto.bbclass index e8046bb8f6..4f8e391428 100644 --- a/poky/meta/classes/kernel-yocto.bbclass +++ b/poky/meta/classes/kernel-yocto.bbclass @@ -206,7 +206,7 @@ do_kernel_metadata() { # SRC_URI. If they were supplied, we convert them into include directives # for the update part of the process for f in ${feat_dirs}; do - if [ -d "${WORKDIR}/$f/meta" ]; then + if [ -d "${WORKDIR}/$f/kernel-meta" ]; then includes="$includes -I${WORKDIR}/$f/kernel-meta" elif [ -d "${WORKDIR}/../oe-local-files/$f" ]; then includes="$includes -I${WORKDIR}/../oe-local-files/$f" @@ -500,7 +500,7 @@ python do_config_analysis() { try: analysis = subprocess.check_output(['symbol_why.py', '--dotconfig', '{}'.format( d.getVar('B') + '/.config' ), '--blame', c], cwd=s, env=env ).decode('utf-8') except subprocess.CalledProcessError as e: - bb.fatal( "config analysis failed: %s" % e.output.decode('utf-8')) + bb.fatal( "config analysis failed when running '%s': %s" % (" ".join(e.cmd), e.output.decode('utf-8'))) outfile = d.getVar( 'CONFIG_ANALYSIS_FILE' ) @@ -508,7 +508,7 @@ python do_config_analysis() { try: analysis = subprocess.check_output(['symbol_why.py', '--dotconfig', '{}'.format( d.getVar('B') + '/.config' ), '--summary', '--extended', '--sanity', c], cwd=s, env=env ).decode('utf-8') except subprocess.CalledProcessError as e: - bb.fatal( "config analysis failed: %s" % e.output.decode('utf-8')) + bb.fatal( "config analysis failed when running '%s': %s" % (" ".join(e.cmd), e.output.decode('utf-8'))) outfile = d.getVar( 'CONFIG_AUDIT_FILE' ) @@ -569,7 +569,7 @@ python do_kernel_configcheck() { try: analysis = subprocess.check_output(['symbol_why.py', '--dotconfig', '{}'.format( d.getVar('B') + '/.config' ), '--mismatches', extra_params], cwd=s, env=env ).decode('utf-8') except subprocess.CalledProcessError as e: - bb.fatal( "config analysis failed: %s" % e.output.decode('utf-8')) + bb.fatal( "config analysis failed when running '%s': %s" % (" ".join(e.cmd), e.output.decode('utf-8'))) if analysis: outfile = "{}/{}/cfg/mismatch.txt".format( s, kmeta ) @@ -591,7 +591,7 @@ python do_kernel_configcheck() { try: analysis = subprocess.check_output(['symbol_why.py', '--dotconfig', '{}'.format( d.getVar('B') + '/.config' ), '--invalid', extra_params], cwd=s, env=env ).decode('utf-8') except subprocess.CalledProcessError as e: - bb.fatal( "config analysis failed: %s" % e.output.decode('utf-8')) + bb.fatal( "config analysis failed when running '%s': %s" % (" ".join(e.cmd), e.output.decode('utf-8'))) if analysis: outfile = "{}/{}/cfg/invalid.txt".format(s,kmeta) @@ -610,7 +610,7 @@ python do_kernel_configcheck() { try: analysis = subprocess.check_output(['symbol_why.py', '--dotconfig', '{}'.format( d.getVar('B') + '/.config' ), '--sanity'], cwd=s, env=env ).decode('utf-8') except subprocess.CalledProcessError as e: - bb.fatal( "config analysis failed: %s" % e.output.decode('utf-8')) + bb.fatal( "config analysis failed when running '%s': %s" % (" ".join(e.cmd), e.output.decode('utf-8'))) if analysis: outfile = "{}/{}/cfg/redefinition.txt".format(s,kmeta) diff --git a/poky/meta/classes/kernel.bbclass b/poky/meta/classes/kernel.bbclass index 8dff68612d..b315737fd2 100644 --- a/poky/meta/classes/kernel.bbclass +++ b/poky/meta/classes/kernel.bbclass @@ -204,9 +204,6 @@ PACKAGES_DYNAMIC += "^${KERNEL_PACKAGE_NAME}-firmware-.*" export OS = "${TARGET_OS}" export CROSS_COMPILE = "${TARGET_PREFIX}" -export KBUILD_BUILD_VERSION = "1" -export KBUILD_BUILD_USER ?= "oe-user" -export KBUILD_BUILD_HOST ?= "oe-host" KERNEL_RELEASE ?= "${KERNEL_VERSION}" @@ -361,6 +358,10 @@ kernel_do_compile() { export KBUILD_BUILD_TIMESTAMP="$ts" export KCONFIG_NOTIMESTAMP=1 bbnote "KBUILD_BUILD_TIMESTAMP: $ts" + else + ts=`LC_ALL=C date` + export KBUILD_BUILD_TIMESTAMP="$ts" + bbnote "KBUILD_BUILD_TIMESTAMP: $ts" fi # The $use_alternate_initrd is only set from # do_bundle_initramfs() This variable is specifically for the @@ -406,6 +407,10 @@ do_compile_kernelmodules() { export KBUILD_BUILD_TIMESTAMP="$ts" export KCONFIG_NOTIMESTAMP=1 bbnote "KBUILD_BUILD_TIMESTAMP: $ts" + else + ts=`LC_ALL=C date` + export KBUILD_BUILD_TIMESTAMP="$ts" + bbnote "KBUILD_BUILD_TIMESTAMP: $ts" fi if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then oe_runmake -C ${B} ${PARALLEL_MAKE} modules ${KERNEL_EXTRA_ARGS} @@ -436,8 +441,8 @@ kernel_do_install() { oe_runmake DEPMOD=echo MODLIB=${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION} INSTALL_FW_PATH=${D}${nonarch_base_libdir}/firmware modules_install rm "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/build" rm "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source" - # If the kernel/ directory is empty remove it to prevent QA issues - rmdir --ignore-fail-on-non-empty "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel" + # Remove empty module directories to prevent QA issues + find "${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel" -type d -empty -delete else bbnote "no modules to install" fi @@ -585,12 +590,26 @@ do_shared_workdir () { cp tools/objtool/objtool ${kerneldir}/tools/objtool/ fi fi + + # When building with CONFIG_MODVERSIONS=y and CONFIG_RANDSTRUCT=y we need + # to copy the build assets generated for the randstruct seed to + # STAGING_KERNEL_BUILDDIR, otherwise the out-of-tree modules build will + # generate those assets which will result in a different + # RANDSTRUCT_HASHED_SEED + if [ -d scripts/basic ]; then + mkdir -p ${kerneldir}/scripts + cp -r scripts/basic ${kerneldir}/scripts + fi + + if [ -d scripts/gcc-plugins ]; then + mkdir -p ${kerneldir}/scripts + cp -r scripts/gcc-plugins ${kerneldir}/scripts + fi + } # We don't need to stage anything, not the modules/firmware since those would clash with linux-firmware -sysroot_stage_all () { - : -} +SYSROOT_DIRS = "" KERNEL_CONFIG_COMMAND ?= "oe_runmake_call -C ${S} O=${B} olddefconfig || oe_runmake -C ${S} O=${B} oldnoconfig" @@ -635,7 +654,7 @@ do_savedefconfig() { do_savedefconfig[nostamp] = "1" addtask savedefconfig after do_configure -inherit cml1 +inherit cml1 pkgconfig # Need LD, HOSTLDFLAGS and more for config operations KCONFIG_CONFIG_COMMAND:append = " ${EXTRA_OEMAKE}" diff --git a/poky/meta/classes/libc-package.bbclass b/poky/meta/classes/libc-package.bbclass index 13ef8cdc0d..baab8fc9a9 100644 --- a/poky/meta/classes/libc-package.bbclass +++ b/poky/meta/classes/libc-package.bbclass @@ -45,6 +45,7 @@ PACKAGE_NO_GCONV ?= "0" OVERRIDES:append = ":${TARGET_ARCH}-${TARGET_OS}" locale_base_postinst_ontarget() { +mkdir ${libdir}/locale localedef --inputfile=${datadir}/i18n/locales/%s --charmap=%s %s } diff --git a/poky/meta/classes/license_image.bbclass b/poky/meta/classes/license_image.bbclass index 3213ea758e..1c06a02951 100644 --- a/poky/meta/classes/license_image.bbclass +++ b/poky/meta/classes/license_image.bbclass @@ -229,7 +229,7 @@ def get_deployed_dependencies(d): deploy = {} # Get all the dependencies for the current task (rootfs). taskdata = d.getVar("BB_TASKDEPDATA", False) - pn = d.getVar("PN", True) + pn = d.getVar("PN") depends = list(set([dep[0] for dep in list(taskdata.values()) if not dep[0].endswith("-native") and not dep[0] == pn])) diff --git a/poky/meta/classes/linux-kernel-base.bbclass b/poky/meta/classes/linux-kernel-base.bbclass index ba59222c24..73a6fe36d9 100644 --- a/poky/meta/classes/linux-kernel-base.bbclass +++ b/poky/meta/classes/linux-kernel-base.bbclass @@ -37,5 +37,9 @@ def linux_module_packages(s, d): suffix = "" return " ".join(map(lambda s: "kernel-module-%s%s" % (s.lower().replace('_', '-').replace('@', '+'), suffix), s.split())) +export KBUILD_BUILD_VERSION = "1" +export KBUILD_BUILD_USER ?= "oe-user" +export KBUILD_BUILD_HOST ?= "oe-host" + # that's all diff --git a/poky/meta/classes/mirrors.bbclass b/poky/meta/classes/mirrors.bbclass index ffdccff5fb..3720c00ae5 100644 --- a/poky/meta/classes/mirrors.bbclass +++ b/poky/meta/classes/mirrors.bbclass @@ -61,8 +61,7 @@ osc://.*/.* http://sources.openembedded.org/ \ https?://.*/.* http://sources.openembedded.org/ \ ftp://.*/.* http://sources.openembedded.org/ \ npm://.*/?.* http://sources.openembedded.org/ \ -${CPAN_MIRROR} http://cpan.metacpan.org/ \ -${CPAN_MIRROR} http://search.cpan.org/CPAN/ \ +${CPAN_MIRROR} https://cpan.metacpan.org/ \ https?://downloads.yoctoproject.org/releases/uninative/ https://mirrors.kernel.org/yocto/uninative/ \ https?://downloads.yoctoproject.org/mirror/sources/ https://mirrors.kernel.org/yocto-sources/ \ " @@ -84,6 +83,7 @@ BB_GIT_SHALLOW:pn-binutils-cross-${TARGET_ARCH} = "1" BB_GIT_SHALLOW:pn-binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "1" BB_GIT_SHALLOW:pn-binutils-cross-testsuite = "1" BB_GIT_SHALLOW:pn-binutils-crosssdk-${SDK_SYS} = "1" +BB_GIT_SHALLOW:pn-binutils-native = "1" BB_GIT_SHALLOW:pn-glibc = "1" PREMIRRORS += "git://sourceware.org/git/glibc.git https://downloads.yoctoproject.org/mirror/sources/ \ git://sourceware.org/git/binutils-gdb.git https://downloads.yoctoproject.org/mirror/sources/" diff --git a/poky/meta/classes/multilib.bbclass b/poky/meta/classes/multilib.bbclass index 5859ca8d21..a0be559970 100644 --- a/poky/meta/classes/multilib.bbclass +++ b/poky/meta/classes/multilib.bbclass @@ -45,6 +45,7 @@ python multilib_virtclass_handler () { e.data.setVar("RECIPE_SYSROOT", "${WORKDIR}/recipe-sysroot") e.data.setVar("STAGING_DIR_TARGET", "${WORKDIR}/recipe-sysroot") e.data.setVar("STAGING_DIR_HOST", "${WORKDIR}/recipe-sysroot") + e.data.setVar("RECIPE_SYSROOT_MANIFEST_SUBDIR", "nativesdk-" + variant) e.data.setVar("MLPREFIX", variant + "-") override = ":virtclass-multilib-" + variant e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override) diff --git a/poky/meta/classes/native.bbclass b/poky/meta/classes/native.bbclass index fc7422c5d7..4de96cd59b 100644 --- a/poky/meta/classes/native.bbclass +++ b/poky/meta/classes/native.bbclass @@ -153,7 +153,7 @@ python native_virtclass_handler () { newdeps.append(dep.replace(pn, bpn) + "-native") else: newdeps.append(dep) - d.setVar(varname, " ".join(newdeps), parsing=True) + d.setVar(varname, " ".join(newdeps)) map_dependencies("DEPENDS", e.data, selfref=False) for pkg in e.data.getVar("PACKAGES", False).split(): diff --git a/poky/meta/classes/overlayfs-etc.bbclass b/poky/meta/classes/overlayfs-etc.bbclass index 91afee695c..40116e4c6e 100644 --- a/poky/meta/classes/overlayfs-etc.bbclass +++ b/poky/meta/classes/overlayfs-etc.bbclass @@ -34,6 +34,7 @@ OVERLAYFS_ETC_DEVICE ??= "" OVERLAYFS_ETC_USE_ORIG_INIT_NAME ??= "1" OVERLAYFS_ETC_MOUNT_OPTIONS ??= "defaults" OVERLAYFS_ETC_INIT_TEMPLATE ??= "${COREBASE}/meta/files/overlayfs-etc-preinit.sh.in" +OVERLAYFS_ETC_EXPOSE_LOWER ??= "0" python create_overlayfs_etc_preinit() { overlayEtcMountPoint = d.getVar("OVERLAYFS_ETC_MOUNT_POINT") @@ -54,13 +55,15 @@ python create_overlayfs_etc_preinit() { preinitPath = oe.path.join(d.getVar("IMAGE_ROOTFS"), d.getVar("base_sbindir"), "preinit") initBaseName = oe.path.join(d.getVar("base_sbindir"), "init") origInitNameSuffix = ".orig" + exposeLower = oe.types.boolean(d.getVar('OVERLAYFS_ETC_EXPOSE_LOWER')) args = { 'OVERLAYFS_ETC_MOUNT_POINT': overlayEtcMountPoint, 'OVERLAYFS_ETC_MOUNT_OPTIONS': d.getVar('OVERLAYFS_ETC_MOUNT_OPTIONS'), 'OVERLAYFS_ETC_FSTYPE': overlayEtcFsType, 'OVERLAYFS_ETC_DEVICE': overlayEtcDevice, - 'SBIN_INIT_NAME': initBaseName + origInitNameSuffix if useOrigInit else initBaseName + 'SBIN_INIT_NAME': initBaseName + origInitNameSuffix if useOrigInit else initBaseName, + 'OVERLAYFS_ETC_EXPOSE_LOWER': "true" if exposeLower else "false" } if useOrigInit: diff --git a/poky/meta/classes/overlayfs.bbclass b/poky/meta/classes/overlayfs.bbclass index f7069edd41..c3564b6ec1 100644 --- a/poky/meta/classes/overlayfs.bbclass +++ b/poky/meta/classes/overlayfs.bbclass @@ -96,7 +96,11 @@ python do_create_overlayfs_units() { overlayMountPoints = d.getVarFlags("OVERLAYFS_MOUNT_POINT") for mountPoint in overlayMountPoints: bb.debug(1, "Process variable flag %s" % mountPoint) - for lower in d.getVarFlag('OVERLAYFS_WRITABLE_PATHS', mountPoint).split(): + lowerList = d.getVarFlag('OVERLAYFS_WRITABLE_PATHS', mountPoint) + if not lowerList: + bb.note("No mount points defined for %s flag, skipping" % (mountPoint)) + continue + for lower in lowerList.split(): bb.debug(1, "Prepare mount unit for %s with data mount point %s" % (lower, d.getVarFlag('OVERLAYFS_MOUNT_POINT', mountPoint))) prepareUnits(d.getVarFlag('OVERLAYFS_MOUNT_POINT', mountPoint), lower) diff --git a/poky/meta/classes/own-mirrors.bbclass b/poky/meta/classes/own-mirrors.bbclass index ef972740ce..30c7ccd8e7 100644 --- a/poky/meta/classes/own-mirrors.bbclass +++ b/poky/meta/classes/own-mirrors.bbclass @@ -11,4 +11,5 @@ https?://.*/.* ${SOURCE_MIRROR_URL} \ ftp://.*/.* ${SOURCE_MIRROR_URL} \ npm://.*/?.* ${SOURCE_MIRROR_URL} \ s3://.*/.* ${SOURCE_MIRROR_URL} \ +crate://.*/.* ${SOURCE_MIRROR_URL} \ " diff --git a/poky/meta/classes/package.bbclass b/poky/meta/classes/package.bbclass index 97e97d2703..67acc278d1 100644 --- a/poky/meta/classes/package.bbclass +++ b/poky/meta/classes/package.bbclass @@ -484,16 +484,31 @@ def inject_minidebuginfo(file, dvar, dv, d): bb.debug(1, 'ELF file {} has no debuginfo, skipping minidebuginfo injection'.format(file)) return + # minidebuginfo does not make sense to apply to ELF objects other than + # executables and shared libraries, skip applying the minidebuginfo + # generation for objects like kernel modules. + for line in subprocess.check_output([readelf, '-h', debugfile], universal_newlines=True).splitlines(): + if not line.strip().startswith("Type:"): + continue + elftype = line.split(":")[1].strip() + if not any(elftype.startswith(i) for i in ["EXEC", "DYN"]): + bb.debug(1, 'ELF file {} is not executable/shared, skipping minidebuginfo injection'.format(file)) + return + break + # Find non-allocated PROGBITS, NOTE, and NOBITS sections in the debuginfo. # We will exclude all of these from minidebuginfo to save space. remove_section_names = [] for line in subprocess.check_output([readelf, '-W', '-S', debugfile], universal_newlines=True).splitlines(): - fields = line.split() - if len(fields) < 8: + # strip the leading " [ 1]" section index to allow splitting on space + if ']' not in line: + continue + fields = line[line.index(']') + 1:].split() + if len(fields) < 7: continue name = fields[0] type = fields[1] - flags = fields[7] + flags = fields[6] # .debug_ sections will be removed by objcopy -S so no need to explicitly remove them if name.startswith('.debug_'): continue @@ -621,6 +636,13 @@ def copydebugsources(debugsrcdir, sources, d): # Same check as above for externalsrc if workdir not in sdir: if os.path.exists(dvar + debugsrcdir + sdir): + # Special case for /build since we need to move into + # /usr/src/debug/build so rename sdir to build.build + if sdir == "/build" or sdir.find("/build/") == 0: + cmd = "mv %s%s%s %s%s%s" % (dvar, debugsrcdir, "/build", dvar, debugsrcdir, "/build.build") + subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT) + sdir = sdir.replace("/build", "/build.build", 1) + cmd = "mv %s%s%s/* %s%s" % (dvar, debugsrcdir, sdir, dvar,debugsrcdir) subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT) diff --git a/poky/meta/classes/populate_sdk_ext.bbclass b/poky/meta/classes/populate_sdk_ext.bbclass index e2019f9bbf..a673af7e7b 100644 --- a/poky/meta/classes/populate_sdk_ext.bbclass +++ b/poky/meta/classes/populate_sdk_ext.bbclass @@ -114,7 +114,7 @@ python write_host_sdk_ext_manifest () { f.write("%s %s %s\n" % (info[1], info[2], info[3])) } -SDK_POSTPROCESS_COMMAND:append:task-populate-sdk-ext = "write_target_sdk_ext_manifest; write_host_sdk_ext_manifest; " +SDK_POSTPROCESS_COMMAND:append:task-populate-sdk-ext = " write_target_sdk_ext_manifest; write_host_sdk_ext_manifest; " SDK_TITLE:task-populate-sdk-ext = "${@d.getVar('DISTRO_NAME') or d.getVar('DISTRO')} Extensible SDK" @@ -714,7 +714,7 @@ sdk_ext_postinst() { # A bit of another hack, but we need this in the path only for devtool # so put it at the end of $PATH. - echo "export PATH=$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH" >> $env_setup_script + echo "export PATH=\"$target_sdk_dir/sysroots/${SDK_SYS}${bindir_nativesdk}:\$PATH\"" >> $env_setup_script echo "printf 'SDK environment now set up; additionally you may now run devtool to perform development tasks.\nRun devtool --help for further details.\n'" >> $env_setup_script diff --git a/poky/meta/classes/qemuboot.bbclass b/poky/meta/classes/qemuboot.bbclass index ad8489902a..f2ebe94ca4 100644 --- a/poky/meta/classes/qemuboot.bbclass +++ b/poky/meta/classes/qemuboot.bbclass @@ -7,6 +7,7 @@ # QB_OPT_APPEND: options to append to qemu, e.g., "-device usb-mouse" # # QB_DEFAULT_KERNEL: default kernel to boot, e.g., "bzImage" +# e.g., "bzImage-initramfs-qemux86-64.bin" if INITRAMFS_IMAGE_BUNDLE is set to 1. # # QB_DEFAULT_FSTYPE: default FSTYPE to boot, e.g., "ext4" # @@ -87,7 +88,7 @@ QB_MEM ?= "-m 256" QB_SMP ?= "" QB_SERIAL_OPT ?= "-serial mon:stdio -serial null" -QB_DEFAULT_KERNEL ?= "${KERNEL_IMAGETYPE}" +QB_DEFAULT_KERNEL ?= "${@bb.utils.contains("INITRAMFS_IMAGE_BUNDLE", "1", "${KERNEL_IMAGETYPE}-${INITRAMFS_LINK_NAME}.bin", "${KERNEL_IMAGETYPE}", d)}" QB_DEFAULT_FSTYPE ?= "ext4" QB_RNG ?= "-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0" QB_OPT_APPEND ?= "" diff --git a/poky/meta/classes/recipe_sanity.bbclass b/poky/meta/classes/recipe_sanity.bbclass index 7fa4a849ea..df6e9a7db9 100644 --- a/poky/meta/classes/recipe_sanity.bbclass +++ b/poky/meta/classes/recipe_sanity.bbclass @@ -10,7 +10,7 @@ def bad_runtime_vars(cfgdata, d): for var in d.getVar("__recipe_sanity_badruntimevars").split(): val = d.getVar(var, False) if val and val != cfgdata.get(var): - __note("%s should be %s_${PN}" % (var, var), d) + __note("%s should be %s:${PN}" % (var, var), d) __recipe_sanity_reqvars = "DESCRIPTION" __recipe_sanity_reqdiffvars = "" diff --git a/poky/meta/classes/rm_work.bbclass b/poky/meta/classes/rm_work.bbclass index 5f12d5aaeb..f7ededff26 100644 --- a/poky/meta/classes/rm_work.bbclass +++ b/poky/meta/classes/rm_work.bbclass @@ -27,6 +27,13 @@ BB_SCHEDULER ?= "completion" BB_TASK_IONICE_LEVEL:task-rm_work = "3.0" do_rm_work () { + # Force using the HOSTTOOLS 'rm' - otherwise the SYSROOT_NATIVE 'rm' can be selected depending on PATH + # Avoids race-condition accessing 'rm' when deleting WORKDIR folders at the end of this function + RM_BIN="$(PATH=${HOSTTOOLS_DIR} command -v rm)" + if [ -z "${RM_BIN}" ]; then + bbfatal "Binary 'rm' not found in HOSTTOOLS_DIR, cannot remove WORKDIR data." + fi + # If the recipe name is in the RM_WORK_EXCLUDE, skip the recipe. for p in ${RM_WORK_EXCLUDE}; do if [ "$p" = "${PN}" ]; then @@ -73,7 +80,7 @@ do_rm_work () { # sstate version since otherwise we'd need to leave 'plaindirs' around # such as 'packages' and 'packages-split' and these can be large. No end # of chain tasks depend directly on do_package anymore. - rm -f -- $i; + "${RM_BIN}" -f -- $i; ;; *_setscene*) # Skip stamps which are already setscene versions @@ -90,7 +97,7 @@ do_rm_work () { ;; esac done - rm -f -- $i + "${RM_BIN}" -f -- $i esac done @@ -100,12 +107,14 @@ do_rm_work () { # Retain only logs and other files in temp, safely ignore # failures of removing pseudo folers on NFS2/3 server. if [ $dir = 'pseudo' ]; then - rm -rf -- $dir 2> /dev/null || true + "${RM_BIN}" -rf -- $dir 2> /dev/null || true elif ! echo "$excludes" | grep -q -w "$dir"; then - rm -rf -- $dir + "${RM_BIN}" -rf -- $dir fi done } +do_rm_work[vardepsexclude] += "SSTATETASKS" + do_rm_work_all () { : } @@ -172,7 +181,7 @@ python inject_rm_work() { # other recipes and thus will typically run much later than completion of # work in the recipe itself. # In practice, addtask() here merely updates the dependencies. - bb.build.addtask('do_rm_work', 'do_build', ' '.join(deps), d) + bb.build.addtask('do_rm_work', 'do_rm_work_all do_build', ' '.join(deps), d) # Always update do_build_without_rm_work dependencies. bb.build.addtask('do_build_without_rm_work', '', ' '.join(deps), d) diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass index a79e36b594..293e405f62 100644 --- a/poky/meta/classes/sanity.bbclass +++ b/poky/meta/classes/sanity.bbclass @@ -498,6 +498,14 @@ def check_tar_version(sanity_data): version = result.split()[3] if bb.utils.vercmp_string_op(version, "1.28", "<"): return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n" + + try: + result = subprocess.check_output(["tar", "--help"], stderr=subprocess.STDOUT).decode('utf-8') + if "--xattrs" not in result: + return "Your tar doesn't support --xattrs, please use GNU tar.\n" + except subprocess.CalledProcessError as e: + return "Unable to execute tar --help, exit code %d\n%s\n" % (e.returncode, e.output) + return None # We use git parameters and functionality only found in 1.7.8 or later @@ -859,7 +867,7 @@ def check_sanity_everybuild(status, d): mirror_vars = ['MIRRORS', 'PREMIRRORS', 'SSTATE_MIRRORS'] protocols = ['http', 'ftp', 'file', 'https', \ 'git', 'gitsm', 'hg', 'osc', 'p4', 'svn', \ - 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps'] + 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps', 'crate'] for mirror_var in mirror_vars: mirrors = (d.getVar(mirror_var) or '').replace('\\n', ' ').split() @@ -991,13 +999,6 @@ def check_sanity(sanity_data): if status.messages != "": raise_sanity_error(sanity_data.expand(status.messages), sanity_data, status.network_error) -# Create a copy of the datastore and finalise it to ensure appends and -# overrides are set - the datastore has yet to be finalised at ConfigParsed -def copy_data(e): - sanity_data = bb.data.createCopy(e.data) - sanity_data.finalize() - return sanity_data - addhandler config_reparse_eventhandler config_reparse_eventhandler[eventmask] = "bb.event.ConfigParsed" python config_reparse_eventhandler() { @@ -1008,13 +1009,13 @@ addhandler check_sanity_eventhandler check_sanity_eventhandler[eventmask] = "bb.event.SanityCheck bb.event.NetworkTest" python check_sanity_eventhandler() { if bb.event.getName(e) == "SanityCheck": - sanity_data = copy_data(e) + sanity_data = bb.data.createCopy(e.data) check_sanity(sanity_data) if e.generateevents: sanity_data.setVar("SANITY_USE_EVENTS", "1") bb.event.fire(bb.event.SanityCheckPassed(), e.data) elif bb.event.getName(e) == "NetworkTest": - sanity_data = copy_data(e) + sanity_data = bb.data.createCopy(e.data) if e.generateevents: sanity_data.setVar("SANITY_USE_EVENTS", "1") bb.event.fire(bb.event.NetworkTestFailed() if check_connectivity(sanity_data) else bb.event.NetworkTestPassed(), e.data) diff --git a/poky/meta/classes/scons.bbclass b/poky/meta/classes/scons.bbclass index 80f8382107..ffe43bb7c9 100644 --- a/poky/meta/classes/scons.bbclass +++ b/poky/meta/classes/scons.bbclass @@ -3,7 +3,9 @@ inherit python3native DEPENDS += "python3-scons-native" EXTRA_OESCONS ?= "" - +# This value below is derived from $(getconf ARG_MAX) +SCONS_MAXLINELENGTH ?= "MAXLINELENGTH=2097152" +EXTRA_OESCONS:append = " ${SCONS_MAXLINELENGTH}" do_configure() { if [ -n "${CONFIGURESTAMPFILE}" -a "${S}" = "${B}" ]; then if [ -e "${CONFIGURESTAMPFILE}" -a "`cat ${CONFIGURESTAMPFILE}`" != "${BB_TASKHASH}" -a "${CLEANBROKEN}" != "1" ]; then @@ -25,4 +27,8 @@ scons_do_install() { die "scons install execution failed." } +do_configure[vardepsexclude] = "SCONS_MAXLINELENGTH" +do_compile[vardepsexclude] = "SCONS_MAXLINELENGTH" +do_install[vardepsexclude] = "SCONS_MAXLINELENGTH" + EXPORT_FUNCTIONS do_compile do_install diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass index 3513269bca..dd6cf12920 100644 --- a/poky/meta/classes/sstate.bbclass +++ b/poky/meta/classes/sstate.bbclass @@ -1084,7 +1084,7 @@ def setscene_depvalid(task, taskdependees, notneeded, d, log=None): logit("Considering setscene task: %s" % (str(taskdependees[task])), log) - directtasks = ["do_populate_lic", "do_deploy_source_date_epoch", "do_shared_workdir", "do_stash_locale", "do_gcc_stash_builddir", "do_create_spdx"] + directtasks = ["do_populate_lic", "do_deploy_source_date_epoch", "do_shared_workdir", "do_stash_locale", "do_gcc_stash_builddir", "do_create_spdx", "do_deploy_archives"] def isNativeCross(x): return x.endswith("-native") or "-cross-" in x or "-crosssdk" in x or x.endswith("-cross") diff --git a/poky/meta/classes/staging.bbclass b/poky/meta/classes/staging.bbclass index bf8ca58b0b..044873c9ae 100644 --- a/poky/meta/classes/staging.bbclass +++ b/poky/meta/classes/staging.bbclass @@ -269,6 +269,10 @@ python extend_recipe_sysroot() { pn = d.getVar("PN") stagingdir = d.getVar("STAGING_DIR") sharedmanifests = d.getVar("COMPONENTS_DIR") + "/manifests" + # only needed by multilib cross-canadian since it redefines RECIPE_SYSROOT + manifestprefix = d.getVar("RECIPE_SYSROOT_MANIFEST_SUBDIR") + if manifestprefix: + sharedmanifests = sharedmanifests + "/" + manifestprefix recipesysroot = d.getVar("RECIPE_SYSROOT") recipesysrootnative = d.getVar("RECIPE_SYSROOT_NATIVE") diff --git a/poky/meta/classes/systemd.bbclass b/poky/meta/classes/systemd.bbclass index 09ec52792d..c07332d5b6 100644 --- a/poky/meta/classes/systemd.bbclass +++ b/poky/meta/classes/systemd.bbclass @@ -146,6 +146,7 @@ python systemd_populate_packages() { def systemd_check_services(): searchpaths = [oe.path.join(d.getVar("sysconfdir"), "systemd", "system"),] searchpaths.append(d.getVar("systemd_system_unitdir")) + searchpaths.append(d.getVar("systemd_user_unitdir")) systemd_packages = d.getVar('SYSTEMD_PACKAGES') keys = 'Also' diff --git a/poky/meta/classes/testimage.bbclass b/poky/meta/classes/testimage.bbclass index 8ffaeab284..34173ce68d 100644 --- a/poky/meta/classes/testimage.bbclass +++ b/poky/meta/classes/testimage.bbclass @@ -240,7 +240,7 @@ def testimage_main(d): with open(tdname, "r") as f: td = json.load(f) except FileNotFoundError as err: - bb.fatal('File %s not found (%s).\nHave you built the image with INHERIT += "testimage" in the conf/local.conf?' % (tdname, err)) + bb.fatal('File %s not found (%s).\nHave you built the image with IMAGE_CLASSES += "testimage" in the conf/local.conf?' % (tdname, err)) # Some variables need to be updates (mostly paths) with the # ones of the current environment because some tests require them. diff --git a/poky/meta/classes/toolchain-scripts.bbclass b/poky/meta/classes/toolchain-scripts.bbclass index 1d7c703748..d735d434e6 100644 --- a/poky/meta/classes/toolchain-scripts.bbclass +++ b/poky/meta/classes/toolchain-scripts.bbclass @@ -31,7 +31,7 @@ toolchain_create_sdk_env_script () { echo '# http://tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html#AEN80' >> $script echo '# http://xahlee.info/UnixResource_dir/_/ldpath.html' >> $script echo '# Only disable this check if you are absolutely know what you are doing!' >> $script - echo 'if [ ! -z "$LD_LIBRARY_PATH" ]; then' >> $script + echo 'if [ ! -z "${LD_LIBRARY_PATH:-}" ]; then' >> $script echo " echo \"Your environment is misconfigured, you probably need to 'unset LD_LIBRARY_PATH'\"" >> $script echo " echo \"but please check why this was set in the first place and that it's safe to unset.\"" >> $script echo ' echo "The SDK will not operate correctly in most cases when LD_LIBRARY_PATH is set."' >> $script @@ -47,7 +47,7 @@ toolchain_create_sdk_env_script () { for i in ${CANADIANEXTRAOS}; do EXTRAPATH="$EXTRAPATH:$sdkpathnative$bindir/${TARGET_ARCH}${TARGET_VENDOR}-$i" done - echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':$PATH' >> $script + echo "export PATH=$sdkpathnative$bindir:$sdkpathnative$sbindir:$sdkpathnative$base_bindir:$sdkpathnative$base_sbindir:$sdkpathnative$bindir/../${HOST_SYS}/bin:$sdkpathnative$bindir/${TARGET_SYS}"$EXTRAPATH':"$PATH"' >> $script echo 'export PKG_CONFIG_SYSROOT_DIR=$SDKTARGETSYSROOT' >> $script echo 'export PKG_CONFIG_PATH=$SDKTARGETSYSROOT'"$libdir"'/pkgconfig:$SDKTARGETSYSROOT'"$prefix"'/share/pkgconfig' >> $script echo 'export CONFIG_SITE=${SDKPATH}/site-config-'"${multimach_target_sys}" >> $script diff --git a/poky/meta/classes/uboot-sign.bbclass b/poky/meta/classes/uboot-sign.bbclass index eecdec9160..6bb4ddc600 100644 --- a/poky/meta/classes/uboot-sign.bbclass +++ b/poky/meta/classes/uboot-sign.bbclass @@ -292,7 +292,7 @@ do_uboot_generate_rsa_keys() { "${UBOOT_FIT_SIGN_NUMBITS}" echo "Generating certificate for signing U-Boot fitImage" - openssl req ${FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \ + openssl req ${UBOOT_FIT_KEY_REQ_ARGS} "${UBOOT_FIT_KEY_SIGN_PKCS}" \ -key "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".key \ -out "${SPL_SIGN_KEYDIR}/${SPL_SIGN_KEYNAME}".crt fi diff --git a/poky/meta/classes/uninative.bbclass b/poky/meta/classes/uninative.bbclass index 6a9e862bcd..7f0591d49a 100644 --- a/poky/meta/classes/uninative.bbclass +++ b/poky/meta/classes/uninative.bbclass @@ -167,5 +167,7 @@ python uninative_changeinterp () { if not elf.isDynamic(): continue + os.chmod(f, s[stat.ST_MODE] | stat.S_IWUSR) subprocess.check_output(("patchelf-uninative", "--set-interpreter", d.getVar("UNINATIVE_LOADER"), f), stderr=subprocess.STDOUT) + os.chmod(f, s[stat.ST_MODE]) } diff --git a/poky/meta/classes/update-alternatives.bbclass b/poky/meta/classes/update-alternatives.bbclass index fc1ffd828c..7581a70439 100644 --- a/poky/meta/classes/update-alternatives.bbclass +++ b/poky/meta/classes/update-alternatives.bbclass @@ -1,5 +1,5 @@ # This class is used to help the alternatives system which is useful when -# multiple sources provide same command. You can use update-alternatives +# multiple sources provide the same command. You can use update-alternatives # command directly in your recipe, but in most cases this class simplifies # that job. # @@ -29,7 +29,7 @@ # A non-default link to create for a target # ALTERNATIVE_TARGET[name] = "target" # -# This is the name of the binary as it's been install by do_install +# This is the name of the binary as it's been installed by do_install # i.e. ALTERNATIVE_TARGET[sh] = "/bin/bash" # # A package specific link for a target @@ -62,7 +62,7 @@ ALTERNATIVE_PRIORITY = "10" # We need special processing for vardeps because it can not work on # modified flag values. So we aggregate the flags into a new variable -# and include that vairable in the set. +# and include that variable in the set. UPDALTVARS = "ALTERNATIVE ALTERNATIVE_LINK_NAME ALTERNATIVE_TARGET ALTERNATIVE_PRIORITY" PACKAGE_WRITE_DEPS += "virtual/update-alternatives-native" diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf index 516a30c963..82b115e3a2 100644 --- a/poky/meta/conf/bitbake.conf +++ b/poky/meta/conf/bitbake.conf @@ -671,7 +671,7 @@ export PYTHONHASHSEED = "0" export PERL_HASH_SEED = "0" export SOURCE_DATE_EPOCH ?= "${@get_source_date_epoch_value(d)}" # A SOURCE_DATE_EPOCH of '0' might be misinterpreted as no SDE -export SOURCE_DATE_EPOCH_FALLBACK ??= "1302044400" +SOURCE_DATE_EPOCH_FALLBACK ??= "1302044400" REPRODUCIBLE_TIMESTAMP_ROOTFS ??= "1520598896" ################################################################## diff --git a/poky/meta/conf/distro/include/cve-extra-exclusions.inc b/poky/meta/conf/distro/include/cve-extra-exclusions.inc index 8b5f8d49b8..cb2d920441 100644 --- a/poky/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/poky/meta/conf/distro/include/cve-extra-exclusions.inc @@ -15,6 +15,11 @@ # the aim of sharing that work and ensuring we don't duplicate it. # +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176 +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve. +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list. +CVE_CHECK_IGNORE += "CVE-2022-46176" # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 # CVE is more than 20 years old with no resolution evident diff --git a/poky/meta/conf/distro/include/ptest-packagelists.inc b/poky/meta/conf/distro/include/ptest-packagelists.inc index b51cce4d9e..5bcff83093 100644 --- a/poky/meta/conf/distro/include/ptest-packagelists.inc +++ b/poky/meta/conf/distro/include/ptest-packagelists.inc @@ -22,6 +22,7 @@ PTESTS_FAST = "\ gettext-ptest \ glib-networking-ptest \ gzip-ptest \ + json-c-ptest \ json-glib-ptest \ libconvert-asn1-perl-ptest \ liberror-perl-ptest \ @@ -99,7 +100,7 @@ PTESTS_SLOW = "\ " PTESTS_SLOW:remove:riscv64 = "valgrind-ptest" -PTESTS_PROBLEMS:append:riscv64 = "valgrind-ptest" +PTESTS_PROBLEMS:append:riscv64 = " valgrind-ptest" # ruby-ptest \ # Timeout # lz4-ptest \ # Needs a rewrite diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc index 411fe45a24..8a5cab5360 100644 --- a/poky/meta/conf/distro/include/yocto-uninative.inc +++ b/poky/meta/conf/distro/include/yocto-uninative.inc @@ -6,10 +6,10 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.35" -UNINATIVE_VERSION = "3.6" +UNINATIVE_MAXGLIBCVERSION = "2.37" +UNINATIVE_VERSION = "3.9" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "d64831cf2792c8e470c2e42230660e1a8e5de56a579cdd59978791f663c2f3ed" -UNINATIVE_CHECKSUM[i686] ?= "2f0ee9b66b1bb2c85e2b592fb3c9c7f5d77399fa638d74961330cdb8de34ca3b" -UNINATIVE_CHECKSUM[x86_64] ?= "9bfc4c970495b3716b2f9e52c4df9f968c02463a9a95000f6657fbc3fde1f098" +UNINATIVE_CHECKSUM[aarch64] ?= "de35708c95c34573af140da910132c3291ba4fd26ebf7b74b755ada432cdf07b" +UNINATIVE_CHECKSUM[i686] ?= "adac07b08adb88eb26fc7fd87fee0cec9d5be167bf7c5ffd3a549a2a6699c29c" +UNINATIVE_CHECKSUM[x86_64] ?= "3dd82c3fbdb59e87bf091c3eef555a05fae528eeda3083828f76cd4deaceca8b" diff --git a/poky/meta/files/overlayfs-etc-preinit.sh.in b/poky/meta/files/overlayfs-etc-preinit.sh.in index 43c9b04eb9..8db076f4ba 100644 --- a/poky/meta/files/overlayfs-etc-preinit.sh.in +++ b/poky/meta/files/overlayfs-etc-preinit.sh.in @@ -15,19 +15,32 @@ mount -t sysfs sysfs /sys [ -z "$CONSOLE" ] && CONSOLE="/dev/console" +BASE_OVERLAY_ETC_DIR={OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc +UPPER_DIR=$BASE_OVERLAY_ETC_DIR/upper +WORK_DIR=$BASE_OVERLAY_ETC_DIR/work +LOWER_DIR=$BASE_OVERLAY_ETC_DIR/lower + mkdir -p {OVERLAYFS_ETC_MOUNT_POINT} if mount -n -t {OVERLAYFS_ETC_FSTYPE} \ -o {OVERLAYFS_ETC_MOUNT_OPTIONS} \ {OVERLAYFS_ETC_DEVICE} {OVERLAYFS_ETC_MOUNT_POINT} then - mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/upper - mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/work + mkdir -p $UPPER_DIR + mkdir -p $WORK_DIR + + if {OVERLAYFS_ETC_EXPOSE_LOWER}; then + mkdir -p $LOWER_DIR + + # provide read-only access to original /etc content + mount -o bind,ro /etc $LOWER_DIR + fi + mount -n -t overlay \ - -o upperdir={OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/upper \ + -o upperdir=$UPPER_DIR \ -o lowerdir=/etc \ - -o workdir={OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/work \ + -o workdir=$WORK_DIR \ -o index=off,xino=off,redirect_dir=off,metacopy=off \ - {OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/upper /etc || \ + $UPPER_DIR /etc || \ echo "PREINIT: Mounting etc-overlay failed!" else echo "PREINIT: Mounting </data> failed!" diff --git a/poky/meta/lib/oe/cve_check.py b/poky/meta/lib/oe/cve_check.py index f40f16d7ab..42a77872e9 100644 --- a/poky/meta/lib/oe/cve_check.py +++ b/poky/meta/lib/oe/cve_check.py @@ -173,3 +173,42 @@ def update_symlinks(target_path, link_path): if os.path.exists(os.path.realpath(link_path)): os.remove(link_path) os.symlink(os.path.basename(target_path), link_path) + + +def convert_cve_version(version): + """ + This function converts from CVE format to Yocto version format. + eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1 + + Unless it is redefined using CVE_VERSION in the recipe, + cve_check uses the version in the name of the recipe (${PV}) + to check vulnerabilities against a CVE in the database downloaded from NVD. + + When the version has an update, i.e. + "p1" in OpenSSH 8.3p1, + "-rc1" in linux kernel 6.2-rc1, + the database stores the version as version_update (8.3_p1, 6.2_rc1). + Therefore, we must transform this version before comparing to the + recipe version. + + In this case, the parameter of the function is 8.3_p1. + If the version uses the Release Candidate format, "rc", + this function replaces the '_' by '-'. + If the version uses the Update format, "p", + this function removes the '_' completely. + """ + import re + + matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version) + + if not matches: + return version + + version = matches.group(1) + update = matches.group(2) + + if matches.group(3) == "rc": + return version + '-' + update + + return version + update + diff --git a/poky/meta/lib/oe/overlayfs.py b/poky/meta/lib/oe/overlayfs.py index b5d5e88e80..590c0de58a 100644 --- a/poky/meta/lib/oe/overlayfs.py +++ b/poky/meta/lib/oe/overlayfs.py @@ -38,7 +38,11 @@ def unitFileList(d): bb.fatal("Missing required mount point for OVERLAYFS_MOUNT_POINT[%s] in your MACHINE configuration" % mountPoint) for mountPoint in overlayMountPoints: - for path in d.getVarFlag('OVERLAYFS_WRITABLE_PATHS', mountPoint).split(): + mountPointList = d.getVarFlag('OVERLAYFS_WRITABLE_PATHS', mountPoint) + if not mountPointList: + bb.debug(1, "No mount points defined for %s flag, don't add to file list", mountPoint) + continue + for path in mountPointList.split(): fileList.append(mountUnitName(path)) fileList.append(helperUnitName(path)) diff --git a/poky/meta/lib/oe/package_manager/deb/__init__.py b/poky/meta/lib/oe/package_manager/deb/__init__.py index 86ddb130ad..910f217b62 100644 --- a/poky/meta/lib/oe/package_manager/deb/__init__.py +++ b/poky/meta/lib/oe/package_manager/deb/__init__.py @@ -80,15 +80,15 @@ class DpkgIndexer(Indexer): return oe.utils.multiprocess_launch(create_index, index_cmds, self.d) - if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1': - signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True)) + if self.d.getVar('PACKAGE_FEED_SIGN') == '1': + signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND')) else: signer = None if signer: for f in index_sign_files: signer.detach_sign(f, - self.d.getVar('PACKAGE_FEED_GPG_NAME', True), - self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True), + self.d.getVar('PACKAGE_FEED_GPG_NAME'), + self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE'), output_suffix="gpg", use_sha256=True) diff --git a/poky/meta/lib/oe/package_manager/rpm/__init__.py b/poky/meta/lib/oe/package_manager/rpm/__init__.py index b392581069..97ef387f3b 100644 --- a/poky/meta/lib/oe/package_manager/rpm/__init__.py +++ b/poky/meta/lib/oe/package_manager/rpm/__init__.py @@ -96,11 +96,15 @@ class RpmPM(PackageManager): archs = ["sdk_provides_dummy_target"] + archs confdir = "%s/%s" %(self.target_rootfs, "etc/dnf/vars/") bb.utils.mkdirhier(confdir) - open(confdir + "arch", 'w').write(":".join(archs)) + with open(confdir + "arch", 'w') as f: + f.write(":".join(archs)) + distro_codename = self.d.getVar('DISTRO_CODENAME') - open(confdir + "releasever", 'w').write(distro_codename if distro_codename is not None else '') + with open(confdir + "releasever", 'w') as f: + f.write(distro_codename if distro_codename is not None else '') - open(oe.path.join(self.target_rootfs, "etc/dnf/dnf.conf"), 'w').write("") + with open(oe.path.join(self.target_rootfs, "etc/dnf/dnf.conf"), 'w') as f: + f.write("") def _configure_rpm(self): @@ -110,14 +114,17 @@ class RpmPM(PackageManager): platformconfdir = "%s/%s" %(self.target_rootfs, "etc/rpm/") rpmrcconfdir = "%s/%s" %(self.target_rootfs, "etc/") bb.utils.mkdirhier(platformconfdir) - open(platformconfdir + "platform", 'w').write("%s-pc-linux" % self.primary_arch) + with open(platformconfdir + "platform", 'w') as f: + f.write("%s-pc-linux" % self.primary_arch) with open(rpmrcconfdir + "rpmrc", 'w') as f: f.write("arch_compat: %s: %s\n" % (self.primary_arch, self.archs if len(self.archs) > 0 else self.primary_arch)) f.write("buildarch_compat: %s: noarch\n" % self.primary_arch) - open(platformconfdir + "macros", 'w').write("%_transaction_color 7\n") + with open(platformconfdir + "macros", 'w') as f: + f.write("%_transaction_color 7\n") if self.d.getVar('RPM_PREFER_ELF_ARCH'): - open(platformconfdir + "macros", 'a').write("%%_prefer_color %s" % (self.d.getVar('RPM_PREFER_ELF_ARCH'))) + with open(platformconfdir + "macros", 'a') as f: + f.write("%%_prefer_color %s" % (self.d.getVar('RPM_PREFER_ELF_ARCH'))) if self.d.getVar('RPM_SIGN_PACKAGES') == '1': signer = get_signer(self.d, self.d.getVar('RPM_GPG_BACKEND')) @@ -164,13 +171,13 @@ class RpmPM(PackageManager): repo_uri = uri + "/" + arch repo_id = "oe-remote-repo" + "-".join(urlparse(repo_uri).path.split("/")) repo_name = "OE Remote Repo:" + " ".join(urlparse(repo_uri).path.split("/")) - open(oe.path.join(self.target_rootfs, "etc", "yum.repos.d", repo_base + ".repo"), 'a').write( - "[%s]\nname=%s\nbaseurl=%s\n%s\n" % (repo_id, repo_name, repo_uri, gpg_opts)) + with open(oe.path.join(self.target_rootfs, "etc", "yum.repos.d", repo_base + ".repo"), 'a') as f: + f.write("[%s]\nname=%s\nbaseurl=%s\n%s\n" % (repo_id, repo_name, repo_uri, gpg_opts)) else: repo_name = "OE Remote Repo:" + " ".join(urlparse(uri).path.split("/")) repo_uri = uri - open(oe.path.join(self.target_rootfs, "etc", "yum.repos.d", repo_base + ".repo"), 'w').write( - "[%s]\nname=%s\nbaseurl=%s\n%s" % (repo_base, repo_name, repo_uri, gpg_opts)) + with open(oe.path.join(self.target_rootfs, "etc", "yum.repos.d", repo_base + ".repo"), 'w') as f: + f.write("[%s]\nname=%s\nbaseurl=%s\n%s" % (repo_base, repo_name, repo_uri, gpg_opts)) def _prepare_pkg_transaction(self): os.environ['D'] = self.target_rootfs @@ -329,7 +336,8 @@ class RpmPM(PackageManager): return e.output.decode("utf-8") def dump_install_solution(self, pkgs): - open(self.solution_manifest, 'w').write(" ".join(pkgs)) + with open(self.solution_manifest, 'w') as f: + f.write(" ".join(pkgs)) return pkgs def load_old_install_solution(self): @@ -363,7 +371,8 @@ class RpmPM(PackageManager): bb.utils.mkdirhier(target_path) num = self._script_num_prefix(target_path) saved_script_name = oe.path.join(target_path, "%d-%s" % (num, pkg)) - open(saved_script_name, 'w').write(output) + with open(saved_script_name, 'w') as f: + f.write(output) os.chmod(saved_script_name, 0o755) def _handle_intercept_failure(self, registered_pkgs): diff --git a/poky/meta/lib/oe/reproducible.py b/poky/meta/lib/oe/reproducible.py index 2e815df190..768fd4f19c 100644 --- a/poky/meta/lib/oe/reproducible.py +++ b/poky/meta/lib/oe/reproducible.py @@ -113,7 +113,8 @@ def get_source_date_epoch_from_git(d, sourcedir): return None bb.debug(1, "git repository: %s" % gitpath) - p = subprocess.run(['git', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'], check=True, stdout=subprocess.PIPE) + p = subprocess.run(['git', '-c', 'log.showSignature=false', '--git-dir', gitpath, 'log', '-1', '--pretty=%ct'], + check=True, stdout=subprocess.PIPE) return int(p.stdout.decode('utf-8')) def get_source_date_epoch_from_youngest_file(d, sourcedir): diff --git a/poky/meta/lib/oe/sbom.py b/poky/meta/lib/oe/sbom.py index 3372f13a9d..52bf51440e 100644 --- a/poky/meta/lib/oe/sbom.py +++ b/poky/meta/lib/oe/sbom.py @@ -32,7 +32,7 @@ def get_sdk_spdxid(sdk): return "SPDXRef-SDK-%s" % sdk -def write_doc(d, spdx_doc, subdir, spdx_deploy=None): +def write_doc(d, spdx_doc, subdir, spdx_deploy=None, indent=None): from pathlib import Path if spdx_deploy is None: @@ -41,7 +41,7 @@ def write_doc(d, spdx_doc, subdir, spdx_deploy=None): dest = spdx_deploy / subdir / (spdx_doc.name + ".spdx.json") dest.parent.mkdir(exist_ok=True, parents=True) with dest.open("wb") as f: - doc_sha1 = spdx_doc.to_json(f, sort_keys=True) + doc_sha1 = spdx_doc.to_json(f, sort_keys=True, indent=indent) l = spdx_deploy / "by-namespace" / spdx_doc.documentNamespace.replace("/", "_") l.parent.mkdir(exist_ok=True, parents=True) diff --git a/poky/meta/lib/oe/sstatesig.py b/poky/meta/lib/oe/sstatesig.py index de65244932..30f27b0f4f 100644 --- a/poky/meta/lib/oe/sstatesig.py +++ b/poky/meta/lib/oe/sstatesig.py @@ -30,6 +30,12 @@ def sstate_rundepfilter(siggen, fn, recipename, task, dep, depname, dataCaches): depmc, _, deptaskname, depmcfn = bb.runqueue.split_tid_mcfn(dep) mc, _ = bb.runqueue.split_mc(fn) + # We can skip the rm_work task signature to avoid running the task + # when we remove some tasks from the dependencie chain + # i.e INHERIT:remove = "create-spdx" will trigger the do_rm_work + if task == "do_rm_work": + return False + # Keep all dependencies between SPDX tasks in the signature. SPDX documents # are linked together by hashes, which means if a dependent document changes, # all downstream documents must be re-written (even if they are "safe" @@ -461,11 +467,15 @@ def find_sstate_manifest(taskdata, taskdata2, taskname, d, multilibcache): pkgarchs.append('allarch') pkgarchs.append('${SDK_ARCH}_${SDK_ARCH}-${SDKPKGSUFFIX}') + searched_manifests = [] + for pkgarch in pkgarchs: manifest = d2.expand("${SSTATE_MANIFESTS}/manifest-%s-%s.%s" % (pkgarch, taskdata, taskname)) if os.path.exists(manifest): return manifest, d2 - bb.fatal("Manifest %s not found in %s (variant '%s')?" % (manifest, d2.expand(" ".join(pkgarchs)), variant)) + searched_manifests.append(manifest) + bb.fatal("The sstate manifest for task '%s:%s' (multilib variant '%s') could not be found.\nThe pkgarchs considered were: %s.\nBut none of these manifests exists:\n %s" + % (taskdata, taskname, variant, d2.expand(", ".join(pkgarchs)),"\n ".join(searched_manifests))) return None, d2 def OEOuthashBasic(path, sigfile, task, d): @@ -650,6 +660,10 @@ def OEOuthashBasic(path, sigfile, task, d): if f == 'fixmepath': continue process(os.path.join(root, f)) + + for dir in dirs: + if os.path.islink(os.path.join(root, dir)): + process(os.path.join(root, dir)) finally: os.chdir(prev_dir) diff --git a/poky/meta/lib/oeqa/core/target/ssh.py b/poky/meta/lib/oeqa/core/target/ssh.py index f956a7744f..4ab0cddb43 100644 --- a/poky/meta/lib/oeqa/core/target/ssh.py +++ b/poky/meta/lib/oeqa/core/target/ssh.py @@ -34,6 +34,8 @@ class OESSHTarget(OETarget): self.timeout = timeout self.user = user ssh_options = [ + '-o', 'ServerAliveCountMax=2', + '-o', 'ServerAliveInterval=30', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'StrictHostKeyChecking=no', '-o', 'LogLevel=ERROR' @@ -224,27 +226,33 @@ def SSHCall(command, logger, timeout=None, **opts): def run(): nonlocal output nonlocal process + output_raw = b'' starttime = time.time() process = subprocess.Popen(command, **options) if timeout: endtime = starttime + timeout eof = False + os.set_blocking(process.stdout.fileno(), False) while time.time() < endtime and not eof: - logger.debug('time: %s, endtime: %s' % (time.time(), endtime)) try: + logger.debug('Waiting for process output: time: %s, endtime: %s' % (time.time(), endtime)) if select.select([process.stdout], [], [], 5)[0] != []: - reader = codecs.getreader('utf-8')(process.stdout, 'ignore') - data = reader.read(1024, 4096) + # wait a bit for more data, tries to avoid reading single characters + time.sleep(0.2) + data = process.stdout.read() if not data: - process.stdout.close() eof = True else: - output += data - logger.debug('Partial data from SSH call: %s' % data) + output_raw += data + # ignore errors to capture as much as possible + logger.debug('Partial data from SSH call:\n%s' % data.decode('utf-8', errors='ignore')) endtime = time.time() + timeout except InterruptedError: + logger.debug('InterruptedError') continue + process.stdout.close() + # process hasn't returned yet if not eof: process.terminate() @@ -252,16 +260,30 @@ def SSHCall(command, logger, timeout=None, **opts): try: process.kill() except OSError: + logger.debug('OSError when killing process') pass endtime = time.time() - starttime lastline = ("\nProcess killed - no output for %d seconds. Total" " running time: %d seconds." % (timeout, endtime)) - logger.debug('Received data from SSH call %s ' % lastline) + logger.debug('Received data from SSH call:\n%s ' % lastline) output += lastline else: - output = process.communicate()[0].decode('utf-8', errors='ignore') - logger.debug('Data from SSH call: %s' % output.rstrip()) + output_raw = process.communicate()[0] + + output = output_raw.decode('utf-8', errors='ignore') + logger.debug('Data from SSH call:\n%s' % output.rstrip()) + + # timout or not, make sure process exits and is not hanging + if process.returncode == None: + try: + process.wait(timeout=5) + except TimeoutExpired: + try: + process.kill() + except OSError: + logger.debug('OSError') + pass options = { "stdout": subprocess.PIPE, @@ -290,4 +312,5 @@ def SSHCall(command, logger, timeout=None, **opts): process.kill() logger.debug('Something went wrong, killing SSH process') raise - return (process.wait(), output.rstrip()) + + return (process.returncode, output.rstrip()) diff --git a/poky/meta/lib/oeqa/core/utils/concurrencytest.py b/poky/meta/lib/oeqa/core/utils/concurrencytest.py index 161a2f6e90..fe6ea29525 100644 --- a/poky/meta/lib/oeqa/core/utils/concurrencytest.py +++ b/poky/meta/lib/oeqa/core/utils/concurrencytest.py @@ -57,6 +57,7 @@ class BBThreadsafeForwardingResult(ThreadsafeForwardingResult): self.outputbuf = output self.finalresult = finalresult self.finalresult.buffer = True + self.target = target def _add_result_with_semaphore(self, method, test, *args, **kwargs): self.semaphore.acquire() @@ -65,13 +66,14 @@ class BBThreadsafeForwardingResult(ThreadsafeForwardingResult): self.result.starttime[test.id()] = self._test_start.timestamp() self.result.threadprogress[self.threadnum].append(test.id()) totalprogress = sum(len(x) for x in self.result.threadprogress.values()) - self.result.progressinfo[test.id()] = "%s: %s/%s %s/%s (%ss) (%s)" % ( + self.result.progressinfo[test.id()] = "%s: %s/%s %s/%s (%ss) (%s failed) (%s)" % ( self.threadnum, len(self.result.threadprogress[self.threadnum]), self.totalinprocess, totalprogress, self.totaltests, "{0:.2f}".format(time.time()-self._test_start.timestamp()), + self.target.failed_tests, test.id()) finally: self.semaphore.release() diff --git a/poky/meta/lib/oeqa/runtime/cases/rpm.py b/poky/meta/lib/oeqa/runtime/cases/rpm.py index a4339116bf..5bdce3d522 100644 --- a/poky/meta/lib/oeqa/runtime/cases/rpm.py +++ b/poky/meta/lib/oeqa/runtime/cases/rpm.py @@ -49,21 +49,20 @@ class RpmBasicTest(OERuntimeTestCase): msg = 'status: %s. Cannot run rpm -qa: %s' % (status, output) self.assertEqual(status, 0, msg=msg) - def check_no_process_for_user(u): - _, output = self.target.run(self.tc.target_cmds['ps']) - if u + ' ' in output: - return False - else: - return True + def wait_for_no_process_for_user(u, timeout = 120): + timeout_at = time.time() + timeout + while time.time() < timeout_at: + _, output = self.target.run(self.tc.target_cmds['ps']) + if u + ' ' not in output: + return + time.sleep(1) + user_pss = [ps for ps in output.split("\n") if u + ' ' in ps] + msg = "There're %s 's process(es) still running: %s".format(u, "\n".join(user_pss)) + assertTrue(True, msg=msg) def unset_up_test_user(u): # ensure no test1 process in running - timeout = time.time() + 30 - while time.time() < timeout: - if check_no_process_for_user(u): - break - else: - time.sleep(1) + wait_for_no_process_for_user(u) status, output = self.target.run('userdel -r %s' % u) msg = 'Failed to erase user: %s' % output self.assertTrue(status == 0, msg=msg) diff --git a/poky/meta/lib/oeqa/runtime/cases/rtc.py b/poky/meta/lib/oeqa/runtime/cases/rtc.py index c4e6681324..39f4d29f23 100644 --- a/poky/meta/lib/oeqa/runtime/cases/rtc.py +++ b/poky/meta/lib/oeqa/runtime/cases/rtc.py @@ -1,5 +1,6 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends +from oeqa.core.decorator.data import skipIfFeature from oeqa.runtime.decorator.package import OEHasPackage import re @@ -16,12 +17,14 @@ class RTCTest(OERuntimeTestCase): self.logger.debug('Starting systemd-timesyncd daemon') self.target.run('systemctl enable --now --runtime systemd-timesyncd') + @skipIfFeature('read-only-rootfs', + 'Test does not work with read-only-rootfs in IMAGE_FEATURES') @OETestDepends(['ssh.SSHTest.test_ssh']) @OEHasPackage(['coreutils', 'busybox']) def test_rtc(self): (status, output) = self.target.run('hwclock -r') self.assertEqual(status, 0, msg='Failed to get RTC time, output: %s' % output) - + (status, current_datetime) = self.target.run('date +"%m%d%H%M%Y"') self.assertEqual(status, 0, msg='Failed to get system current date & time, output: %s' % current_datetime) @@ -32,7 +35,6 @@ class RTCTest(OERuntimeTestCase): (status, output) = self.target.run('date %s' % current_datetime) self.assertEqual(status, 0, msg='Failed to reset system date & time, output: %s' % output) - + (status, output) = self.target.run('hwclock -w') self.assertEqual(status, 0, msg='Failed to reset RTC time, output: %s' % output) - diff --git a/poky/meta/lib/oeqa/runtime/context.py b/poky/meta/lib/oeqa/runtime/context.py index 8092dd0bae..0c5d1869ab 100644 --- a/poky/meta/lib/oeqa/runtime/context.py +++ b/poky/meta/lib/oeqa/runtime/context.py @@ -67,11 +67,11 @@ class OERuntimeTestContextExecutor(OETestContextExecutor): % self.default_target_type) runtime_group.add_argument('--target-ip', action='store', default=self.default_target_ip, - help="IP address of device under test, default: %s" \ + help="IP address and optionally ssh port (default 22) of device under test, for example '192.168.0.7:22'. Default: %s" \ % self.default_target_ip) runtime_group.add_argument('--server-ip', action='store', default=self.default_target_ip, - help="IP address of device under test, default: %s" \ + help="IP address of the test host from test target machine, default: %s" \ % self.default_server_ip) runtime_group.add_argument('--host-dumper-dir', action='store', diff --git a/poky/meta/lib/oeqa/sdk/cases/buildepoxy.py b/poky/meta/lib/oeqa/sdk/cases/buildepoxy.py index f69f720cd6..1c41b04169 100644 --- a/poky/meta/lib/oeqa/sdk/cases/buildepoxy.py +++ b/poky/meta/lib/oeqa/sdk/cases/buildepoxy.py @@ -32,7 +32,7 @@ class EpoxyTest(OESDKTestCase): self.assertTrue(os.path.isdir(dirs["source"])) os.makedirs(dirs["build"]) - log = self._run("meson -Degl=no -Dglx=no -Dx11=false {build} {source}".format(**dirs)) + log = self._run("meson --warnlevel 1 -Degl=no -Dglx=no -Dx11=false {build} {source}".format(**dirs)) # Check that Meson thinks we're doing a cross build and not a native self.assertIn("Build type: cross build", log) self._run("ninja -C {build} -v".format(**dirs)) diff --git a/poky/meta/lib/oeqa/sdkext/cases/devtool.py b/poky/meta/lib/oeqa/sdkext/cases/devtool.py index a5c6a76e02..5ffb732556 100644 --- a/poky/meta/lib/oeqa/sdkext/cases/devtool.py +++ b/poky/meta/lib/oeqa/sdkext/cases/devtool.py @@ -112,7 +112,7 @@ class SdkUpdateTest(OESDKExtTestCase): cmd = 'oe-publish-sdk %s %s' % (tcname_new, self.publish_dir) subprocess.check_output(cmd, shell=True) - self.http_service = HTTPService(self.publish_dir) + self.http_service = HTTPService(self.publish_dir, logger=self.logger) self.http_service.start() self.http_url = "http://127.0.0.1:%d" % self.http_service.port diff --git a/poky/meta/lib/oeqa/selftest/cases/bbtests.py b/poky/meta/lib/oeqa/selftest/cases/bbtests.py index cfac7afcf4..b42bbb651d 100644 --- a/poky/meta/lib/oeqa/selftest/cases/bbtests.py +++ b/poky/meta/lib/oeqa/selftest/cases/bbtests.py @@ -350,4 +350,4 @@ INHERIT:remove = \"report-error\" self.write_config("DISTROOVERRIDES .= \":gitunpack-enable-recipe\"") result = bitbake('gitunpackoffline-fail -c fetch', ignore_status=True) - self.assertTrue("Recipe uses a floating tag/branch without a fixed SRCREV" in result.output, msg = "Recipe without PV set to SRCPV should have failed: %s" % result.output) + self.assertTrue(re.search("Recipe uses a floating tag/branch .* for repo .* without a fixed SRCREV yet doesn't call bb.fetch2.get_srcrev()", result.output), msg = "Recipe without PV set to SRCPV should have failed: %s" % result.output) diff --git a/poky/meta/lib/oeqa/selftest/cases/cve_check.py b/poky/meta/lib/oeqa/selftest/cases/cve_check.py index d0b2213703..22ffeffd29 100644 --- a/poky/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/poky/meta/lib/oeqa/selftest/cases/cve_check.py @@ -48,6 +48,25 @@ class CVECheck(OESelftestTestCase): self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'") + def test_convert_cve_version(self): + from oe.cve_check import convert_cve_version + + # Default format + self.assertEqual(convert_cve_version("8.3"), "8.3") + self.assertEqual(convert_cve_version(""), "") + + # OpenSSL format version + self.assertEqual(convert_cve_version("1.1.1t"), "1.1.1t") + + # OpenSSH format + self.assertEqual(convert_cve_version("8.3_p1"), "8.3p1") + self.assertEqual(convert_cve_version("8.3_p22"), "8.3p22") + + # Linux kernel format + self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8") + self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31") + + def test_recipe_report_json(self): config = """ INHERIT += "cve-check" diff --git a/poky/meta/lib/oeqa/selftest/cases/devtool.py b/poky/meta/lib/oeqa/selftest/cases/devtool.py index 34fc791f3a..f512ebc0a0 100644 --- a/poky/meta/lib/oeqa/selftest/cases/devtool.py +++ b/poky/meta/lib/oeqa/selftest/cases/devtool.py @@ -258,6 +258,7 @@ class DevtoolBase(DevtoolTestCase): cls.sstate_conf = 'SSTATE_DIR = "%s"\n' % cls.devtool_sstate cls.sstate_conf += ('SSTATE_MIRRORS += "file://.* file:///%s/PATH"\n' % cls.original_sstate) + cls.sstate_conf += ('BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"\n') @classmethod def tearDownClass(cls): diff --git a/poky/meta/lib/oeqa/selftest/cases/externalsrc.py b/poky/meta/lib/oeqa/selftest/cases/externalsrc.py new file mode 100644 index 0000000000..1d800dc82c --- /dev/null +++ b/poky/meta/lib/oeqa/selftest/cases/externalsrc.py @@ -0,0 +1,44 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# + +import os +import shutil +import tempfile + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import get_bb_var, runCmd + +class ExternalSrc(OESelftestTestCase): + # test that srctree_hash_files does not crash + # we should be actually checking do_compile[file-checksums] but oeqa currently does not support it + # so we check only that a recipe with externalsrc can be parsed + def test_externalsrc_srctree_hash_files(self): + test_recipe = "git-submodule-test" + git_url = "git://git.yoctoproject.org/git-submodule-test" + externalsrc_dir = tempfile.TemporaryDirectory(prefix="externalsrc").name + + self.write_config( + """ +INHERIT += "externalsrc" +EXTERNALSRC:pn-%s = "%s" +""" % (test_recipe, externalsrc_dir) + ) + + # test with git without submodules + runCmd('git clone %s %s' % (git_url, externalsrc_dir)) + os.unlink(externalsrc_dir + "/.gitmodules") + open(".gitmodules", 'w').close() # local file .gitmodules in cwd should not affect externalsrc parsing + self.assertEqual(get_bb_var("S", test_recipe), externalsrc_dir, msg = "S does not equal to EXTERNALSRC") + os.unlink(".gitmodules") + + # test with git with submodules + runCmd('git checkout .gitmodules', cwd=externalsrc_dir) + runCmd('git submodule update --init --recursive', cwd=externalsrc_dir) + self.assertEqual(get_bb_var("S", test_recipe), externalsrc_dir, msg = "S does not equal to EXTERNALSRC") + + # test without git + shutil.rmtree(os.path.join(externalsrc_dir, ".git")) + self.assertEqual(get_bb_var("S", test_recipe), externalsrc_dir, msg = "S does not equal to EXTERNALSRC") diff --git a/poky/meta/lib/oeqa/selftest/cases/lic_checksum.py b/poky/meta/lib/oeqa/selftest/cases/lic_checksum.py index 8f1226e6a5..bc0a2b5d8e 100644 --- a/poky/meta/lib/oeqa/selftest/cases/lic_checksum.py +++ b/poky/meta/lib/oeqa/selftest/cases/lic_checksum.py @@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://%s;md5=d41d8cd98f00b204e9800998ecf8427e" SRC_URI = "file://%s;md5=d41d8cd98f00b204e9800998ecf8427e" """ % (urllib.parse.quote(lic_path), urllib.parse.quote(lic_path))) result = bitbake(bitbake_cmd) + self.delete_recipeinc('emptytest') # Verify that changing a license file that has an absolute path causes @@ -51,5 +52,6 @@ SRC_URI = "file://%s;md5=d41d8cd98f00b204e9800998ecf8427e" f.write("data") result = bitbake(bitbake_cmd, ignore_status=True) + self.delete_recipeinc('emptytest') if error_msg not in result.output: raise AssertionError(result.output) diff --git a/poky/meta/lib/oeqa/selftest/cases/locales.py b/poky/meta/lib/oeqa/selftest/cases/locales.py new file mode 100644 index 0000000000..433991abf9 --- /dev/null +++ b/poky/meta/lib/oeqa/selftest/cases/locales.py @@ -0,0 +1,45 @@ +# +# SPDX-License-Identifier: MIT +# + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.core.decorator import OETestTag +from oeqa.utils.commands import bitbake, runqemu + +class LocalesTest(OESelftestTestCase): + + @OETestTag("runqemu") + def test_locales_on(self): + """ + Summary: Test the locales are generated + Expected: 1. Check the locale exist in the locale-archive + 2. Check the locale exist for the glibc + 3. Check the locale can be generated + Product: oe-core + Author: Louis Rannou <lrannou@baylibre.com> + AutomatedBy: Louis Rannou <lrannou@baylibre.com> + """ + + features = [] + features.append('EXTRA_IMAGE_FEATURES = "empty-root-password allow-empty-password allow-root-login"') + features.append('IMAGE_INSTALL:append = " glibc-utils localedef"') + features.append('GLIBC_GENERATE_LOCALES = "en_US.UTF-8 fr_FR.UTF-8"') + features.append('IMAGE_LINGUAS:append = " en-us fr-fr"') + features.append('ENABLE_BINARY_LOCALE_GENERATION = "1"') + self.write_config("\n".join(features)) + + # Build a core-image-minimal + bitbake('core-image-minimal') + + with runqemu("core-image-minimal", ssh=False, runqemuparams='nographic') as qemu: + cmd = "locale -a" + status, output = qemu.run_serial(cmd) + # output must includes fr_FR or fr_FR.UTF-8 + self.assertEqual(status, 1, msg='locale test command failed: output: %s' % output) + self.assertIn("fr_FR", output, msg='locale -a test failed: output: %s' % output) + + cmd = "localedef --list-archive -v" + status, output = qemu.run_serial(cmd) + # output must includes fr_FR.utf8 + self.assertEqual(status, 1, msg='localedef test command failed: output: %s' % output) + self.assertIn("fr_FR.utf8", output, msg='localedef test failed: output: %s' % output) diff --git a/poky/meta/lib/oeqa/selftest/cases/minidebuginfo.py b/poky/meta/lib/oeqa/selftest/cases/minidebuginfo.py new file mode 100644 index 0000000000..414dad64a3 --- /dev/null +++ b/poky/meta/lib/oeqa/selftest/cases/minidebuginfo.py @@ -0,0 +1,49 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# +import os +import subprocess +import tempfile +import shutil + +from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_var, runCmd + + +class Minidebuginfo(OESelftestTestCase): + def test_minidebuginfo(self): + target_sys = get_bb_var("TARGET_SYS") + binutils = "binutils-cross-{}".format(get_bb_var("TARGET_ARCH")) + + self.write_config(""" +PACKAGE_MINIDEBUGINFO = "1" +IMAGE_FSTYPES = "tar.bz2" +""") + bitbake("core-image-minimal {}:do_addto_recipe_sysroot".format(binutils)) + + deploy_dir = get_bb_var("DEPLOY_DIR_IMAGE") + native_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", binutils) + readelf = get_bb_var("READELF", "core-image-minimal") + + # add usr/bin/${TARGET_SYS} to PATH + env = os.environ.copy() + paths = [os.path.join(native_sysroot, "usr", "bin", target_sys)] + paths += env["PATH"].split(":") + env["PATH"] = ":".join(paths) + + # confirm that executables and shared libraries contain an ELF section + # ".gnu_debugdata" which stores minidebuginfo. + with tempfile.TemporaryDirectory(prefix = "unpackfs-") as unpackedfs: + filename = os.path.join(deploy_dir, "core-image-minimal-{}.tar.bz2".format(self.td["MACHINE"])) + shutil.unpack_archive(filename, unpackedfs) + + r = runCmd([readelf, "-W", "-S", os.path.join(unpackedfs, "bin", "busybox")], + native_sysroot = native_sysroot, env = env) + self.assertIn(".gnu_debugdata", r.output) + + r = runCmd([readelf, "-W", "-S", os.path.join(unpackedfs, "lib", "libc.so.6")], + native_sysroot = native_sysroot, env = env) + self.assertIn(".gnu_debugdata", r.output) + diff --git a/poky/meta/lib/oeqa/selftest/cases/prservice.py b/poky/meta/lib/oeqa/selftest/cases/prservice.py index 10158ca7c2..a41812148a 100644 --- a/poky/meta/lib/oeqa/selftest/cases/prservice.py +++ b/poky/meta/lib/oeqa/selftest/cases/prservice.py @@ -75,7 +75,7 @@ class BitbakePrTests(OESelftestTestCase): exported_db_path = os.path.join(self.builddir, 'export.inc') export_result = runCmd("bitbake-prserv-tool export %s" % exported_db_path, ignore_status=True) self.assertEqual(export_result.status, 0, msg="PR Service database export failed: %s" % export_result.output) - self.assertTrue(os.path.exists(exported_db_path)) + self.assertTrue(os.path.exists(exported_db_path), msg="%s didn't exist, tool output %s" % (exported_db_path, export_result.output)) if replace_current_db: current_db_path = os.path.join(get_bb_var('PERSISTENT_DIR'), 'prserv.sqlite3') diff --git a/poky/meta/lib/oeqa/selftest/cases/recipetool.py b/poky/meta/lib/oeqa/selftest/cases/recipetool.py index 510dae6bad..db8790b57b 100644 --- a/poky/meta/lib/oeqa/selftest/cases/recipetool.py +++ b/poky/meta/lib/oeqa/selftest/cases/recipetool.py @@ -579,7 +579,10 @@ class RecipetoolTests(RecipetoolBase): commonlicdir = get_bb_var('COMMON_LICENSE_DIR') - d = bb.tinfoil.TinfoilDataStoreConnector + class DataConnectorCopy(bb.tinfoil.TinfoilDataStoreConnector): + pass + + d = DataConnectorCopy d.getVar = Mock(return_value=commonlicdir) srctree = tempfile.mkdtemp(prefix='recipetoolqa') diff --git a/poky/meta/lib/oeqa/selftest/cases/resulttooltests.py b/poky/meta/lib/oeqa/selftest/cases/resulttooltests.py index dac5c46801..490f3fc5cf 100644 --- a/poky/meta/lib/oeqa/selftest/cases/resulttooltests.py +++ b/poky/meta/lib/oeqa/selftest/cases/resulttooltests.py @@ -69,7 +69,7 @@ class ResultToolTests(OESelftestTestCase): self.assertTrue('target_result1' in results['runtime/mydistro/qemux86/image'], msg="Pair not correct:%s" % results) self.assertTrue('target_result3' in results['runtime/mydistro/qemux86-64/image'], msg="Pair not correct:%s" % results) - def test_regrresion_can_get_regression_result(self): + def test_regression_can_get_regression_result(self): base_result_data = {'result': {'test1': {'status': 'PASSED'}, 'test2': {'status': 'PASSED'}, 'test3': {'status': 'FAILED'}, diff --git a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py index 857737f730..29e82881d1 100644 --- a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py @@ -252,7 +252,8 @@ class TestImage(OESelftestTestCase): import subprocess, os distro = oe.lsb.distro_identifier() - if distro and (distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04'] or distro.startswith('almalinux')): + if distro and (distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04'] or + distro.startswith('almalinux') or distro.startswith('rocky')): self.skipTest('virgl headless cannot be tested with %s' %(distro)) render_hint = """If /dev/dri/renderD* is absent due to lack of suitable GPU, 'modprobe vgem' will create one suitable for mesa llvmpipe software renderer.""" @@ -263,7 +264,7 @@ class TestImage(OESelftestTestCase): except FileNotFoundError: self.fail("/dev/dri directory does not exist; no render nodes available on this machine. %s" %(render_hint)) try: - dripath = subprocess.check_output("pkg-config --variable=dridriverdir dri", shell=True) + dripath = subprocess.check_output("PATH=/bin:/usr/bin:$PATH pkg-config --variable=dridriverdir dri", shell=True) except subprocess.CalledProcessError as e: self.fail("Could not determine the path to dri drivers on the host via pkg-config.\nPlease install Mesa development files (particularly, dri.pc) on the host machine.") qemu_distrofeatures = get_bb_var('DISTRO_FEATURES', 'qemu-system-native') diff --git a/poky/meta/lib/oeqa/selftest/cases/tinfoil.py b/poky/meta/lib/oeqa/selftest/cases/tinfoil.py index c81d56d82b..4b261dad00 100644 --- a/poky/meta/lib/oeqa/selftest/cases/tinfoil.py +++ b/poky/meta/lib/oeqa/selftest/cases/tinfoil.py @@ -64,6 +64,20 @@ class TinfoilTests(OESelftestTestCase): localdata.setVar('PN', 'hello') self.assertEqual('hello', localdata.getVar('BPN')) + # The config_data API tp parse_recipe_file is used by: + # layerindex-web layerindex/update_layer.py + def test_parse_recipe_custom_data(self): + with bb.tinfoil.Tinfoil() as tinfoil: + tinfoil.prepare(config_only=False, quiet=2) + localdata = bb.data.createCopy(tinfoil.config_data) + localdata.setVar("TESTVAR", "testval") + testrecipe = 'mdadm' + best = tinfoil.find_best_provider(testrecipe) + if not best: + self.fail('Unable to find recipe providing %s' % testrecipe) + rd = tinfoil.parse_recipe_file(best[3], config_data=localdata) + self.assertEqual("testval", rd.getVar('TESTVAR')) + def test_list_recipes(self): with bb.tinfoil.Tinfoil() as tinfoil: tinfoil.prepare(config_only=False, quiet=2) diff --git a/poky/meta/lib/oeqa/utils/dump.py b/poky/meta/lib/oeqa/utils/dump.py index 95a79a571c..6fd5832051 100644 --- a/poky/meta/lib/oeqa/utils/dump.py +++ b/poky/meta/lib/oeqa/utils/dump.py @@ -91,37 +91,55 @@ class HostDumper(BaseDumper): self._write_dump(cmd.split()[0], result.output) class TargetDumper(BaseDumper): - """ Class to get dumps from target, it only works with QemuRunner """ + """ Class to get dumps from target, it only works with QemuRunner. + Will give up permanently after 5 errors from running commands over + serial console. This helps to end testing when target is really dead, hanging + or unresponsive. + """ def __init__(self, cmds, parent_dir, runner): super(TargetDumper, self).__init__(cmds, parent_dir) self.runner = runner + self.errors = 0 def dump_target(self, dump_dir=""): + if self.errors >= 5: + print("Too many errors when dumping data from target, assuming it is dead! Will not dump data anymore!") + return if dump_dir: self.dump_dir = dump_dir for cmd in self.cmds: # We can continue with the testing if serial commands fail try: (status, output) = self.runner.run_serial(cmd) + if status == 0: + self.errors = self.errors + 1 self._write_dump(cmd.split()[0], output) except: + self.errors = self.errors + 1 print("Tried to dump info from target but " "serial console failed") print("Failed CMD: %s" % (cmd)) class MonitorDumper(BaseDumper): - """ Class to get dumps via the Qemu Monitor, it only works with QemuRunner """ + """ Class to get dumps via the Qemu Monitor, it only works with QemuRunner + Will stop completely if there are more than 5 errors when dumping monitor data. + This helps to end testing when target is really dead, hanging or unresponsive. + """ def __init__(self, cmds, parent_dir, runner): super(MonitorDumper, self).__init__(cmds, parent_dir) self.runner = runner + self.errors = 0 def dump_monitor(self, dump_dir=""): if self.runner is None: return if dump_dir: self.dump_dir = dump_dir + if self.errors >= 5: + print("Too many errors when dumping data from qemu monitor, assuming it is dead! Will not dump data anymore!") + return for cmd in self.cmds: cmd_name = cmd.split()[0] try: @@ -135,4 +153,5 @@ class MonitorDumper(BaseDumper): output = self.runner.run_monitor(cmd_name) self._write_dump(cmd_name, output) except Exception as e: + self.errors = self.errors + 1 print("Failed to dump QMP CMD: %s with\nException: %s" % (cmd_name, e)) diff --git a/poky/meta/lib/oeqa/utils/httpserver.py b/poky/meta/lib/oeqa/utils/httpserver.py index 58d3c3b3f8..0d602e2dfa 100644 --- a/poky/meta/lib/oeqa/utils/httpserver.py +++ b/poky/meta/lib/oeqa/utils/httpserver.py @@ -38,6 +38,12 @@ class HTTPService(object): self.port = self.server.server_port self.process = multiprocessing.Process(target=self.server.server_start, args=[self.root_dir, self.logger]) + def handle_error(self, request, client_address): + import traceback + exception = traceback.format_exc() + self.logger.warn("Exception when handling %s: %s" % (request, exception)) + self.server.handle_error = handle_error + # The signal handler from testimage.bbclass can cause deadlocks here # if the HTTPServer is terminated before it can restore the standard #signal behaviour diff --git a/poky/meta/lib/oeqa/utils/qemurunner.py b/poky/meta/lib/oeqa/utils/qemurunner.py index c19164e6e7..925d05a339 100644 --- a/poky/meta/lib/oeqa/utils/qemurunner.py +++ b/poky/meta/lib/oeqa/utils/qemurunner.py @@ -195,7 +195,7 @@ class QemuRunner: qmp_file = "." + next(tempfile._get_candidate_names()) qmp_param = ' -S -qmp unix:./%s,server,wait' % (qmp_file) qmp_port = self.tmpdir + "/" + qmp_file - # Create a second socket connection for debugging use, + # Create a second socket connection for debugging use, # note this will NOT cause qemu to block waiting for the connection qmp_file2 = "." + next(tempfile._get_candidate_names()) qmp_param += ' -qmp unix:./%s,server,nowait' % (qmp_file2) @@ -342,6 +342,8 @@ class QemuRunner: return False try: + # set timeout value for all QMP calls + self.qmp.settimeout(self.runqemutime) self.qmp.connect() connect_time = time.time() self.logger.info("QMP connected to QEMU at %s and took %s seconds" % @@ -459,6 +461,8 @@ class QemuRunner: socklist.remove(self.server_socket) self.logger.debug("Connection from %s:%s" % addr) else: + # try to avoid reading only a single character at a time + time.sleep(0.1) data = data + sock.recv(1024) if data: bootlog += data @@ -532,10 +536,13 @@ class QemuRunner: except OSError as e: if e.errno != errno.ESRCH: raise - endtime = time.time() + self.runqemutime - while self.runqemu.poll() is None and time.time() < endtime: - time.sleep(1) - if self.runqemu.poll() is None: + try: + outs, errs = self.runqemu.communicate(timeout = self.runqemutime) + if outs: + self.logger.info("Output from runqemu:\n%s", outs.decode("utf-8")) + if errs: + self.logger.info("Stderr from runqemu:\n%s", errs.decode("utf-8")) + except TimeoutExpired: self.logger.debug("Sending SIGKILL to runqemu") os.killpg(os.getpgid(self.runqemu.pid), signal.SIGKILL) if not self.runqemu.stdout.closed: @@ -612,6 +619,7 @@ class QemuRunner: def run_monitor(self, command, args=None, timeout=60): if hasattr(self, 'qmp') and self.qmp: + self.qmp.settimeout(timeout) if args is not None: return self.qmp.cmd(command, args) else: @@ -639,6 +647,8 @@ class QemuRunner: except InterruptedError: continue if sread: + # try to avoid reading single character at a time + time.sleep(0.1) answer = self.server_socket.recv(1024) if answer: data += answer.decode('utf-8') diff --git a/poky/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb b/poky/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb index 11d8b9061d..be6571b3fa 100644 --- a/poky/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb +++ b/poky/meta/recipes-bsp/efibootmgr/efibootmgr_17.bb @@ -34,6 +34,4 @@ do_install () { } CLEANBROKEN = "1" -# https://github.com/rhboot/efivar/issues/202 -COMPATIBLE_HOST:libc-musl = 'null' diff --git a/poky/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/poky/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000000..efa00a3c6c --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch @@ -0,0 +1,115 @@ +From 1f511ae054fe42dce7aedfbfe0f234fa1e0a7a3e Mon Sep 17 00:00:00 2001 +From: Zhang Boyang <zhangboyang.id@gmail.com> +Date: Fri, 5 Aug 2022 00:51:20 +0800 +Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal() + +The length of memory allocation and file read may overflow. This patch +fixes the problem by using safemath macros. + +There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe +if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(). +It is safe replacement for such code. It has safemath-like prototype. + +This patch also introduces grub_cast(value, pointer), it casts value to +typeof(*pointer) then store the value to *pointer. It returns true when +overflow occurs or false if there is no overflow. The semantics of arguments +and return value are designed to be consistent with other safemath macros. + +Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport from +[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c76ec09ae08155df27cd237eaea150b4f02f532] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> + +--- + grub-core/font/font.c | 17 +++++++++++++---- + include/grub/bitmap.h | 18 ++++++++++++++++++ + include/grub/safemath.h | 2 ++ + 3 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index d09bb38..876b5b6 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + grub_int16_t xoff; + grub_int16_t yoff; + grub_int16_t dwidth; +- int len; ++ grub_ssize_t len; ++ grub_size_t sz; + + if (index_entry->glyph) + /* Return cached glyph. */ +@@ -766,9 +767,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + return 0; + } + +- len = (width * height + 7) / 8; +- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len); +- if (!glyph) ++ /* Calculate real struct size of current glyph. */ ++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) || ++ grub_add (sizeof (struct grub_font_glyph), len, &sz)) ++ { ++ remove_font (font); ++ return 0; ++ } ++ ++ /* Allocate and initialize the glyph struct. */ ++ glyph = grub_malloc (sz); ++ if (glyph == NULL) + { + remove_font (font); + return 0; +diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h +index 5728f8c..0d9603f 100644 +--- a/include/grub/bitmap.h ++++ b/include/grub/bitmap.h +@@ -23,6 +23,7 @@ + #include <grub/symbol.h> + #include <grub/types.h> + #include <grub/video.h> ++#include <grub/safemath.h> + + struct grub_video_bitmap + { +@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap) + return bitmap->mode_info.height; + } + ++/* ++ * Calculate and store the size of data buffer of 1bit bitmap in result. ++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs. ++ * Return true when overflow occurs or false if there is no overflow. ++ * This function is intentionally implemented as a macro instead of ++ * an inline function. Although a bit awkward, it preserves data types for ++ * safemath macros and reduces macro side effects as much as possible. ++ * ++ * XXX: Will report false overflow if width * height > UINT64_MAX. ++ */ ++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \ ++({ \ ++ grub_uint64_t _bitmap_pixels; \ ++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \ ++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \ ++}) ++ + void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap, + struct grub_video_mode_info *mode_info); + +diff --git a/include/grub/safemath.h b/include/grub/safemath.h +index c17b89b..bb0f826 100644 +--- a/include/grub/safemath.h ++++ b/include/grub/safemath.h +@@ -30,6 +30,8 @@ + #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) + #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) + ++#define grub_cast(a, res) grub_add ((a), 0, (res)) ++ + #else + #error gcc 5.1 or newer or clang 3.8 or newer is required + #endif diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2022-2601.patch b/poky/meta/recipes-bsp/grub/files/CVE-2022-2601.patch new file mode 100644 index 0000000000..727c509694 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/CVE-2022-2601.patch @@ -0,0 +1,85 @@ +From e8060722acf0bcca037982d7fb29472363ccdfd4 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang <zhangboyang.id@gmail.com> +Date: Fri, 5 Aug 2022 01:58:27 +0800 +Subject: [PATCH] font: Fix several integer overflows in + grub_font_construct_glyph() + +This patch fixes several integer overflows in grub_font_construct_glyph(). +Glyphs of invalid size, zero or leading to an overflow, are rejected. +The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() +returns NULL is fixed too. + +Fixes: CVE-2022-2601 + +Reported-by: Zhang Boyang <zhangboyang.id@gmail.com> +Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport from +[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=768e1ef2fc159f6e14e7246e4be09363708ac39e] +CVE: CVE-2022-2601 + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> + +--- + grub-core/font/font.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 876b5b6..0ff5525 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1515,6 +1515,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, + struct grub_video_signed_rect bounds; + static struct grub_font_glyph *glyph = 0; + static grub_size_t max_glyph_size = 0; ++ grub_size_t cur_glyph_size; + + ensure_comb_space (glyph_id); + +@@ -1531,29 +1532,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, + if (!glyph_id->ncomb && !glyph_id->attributes) + return main_glyph; + +- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) ++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || ++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) ++ return main_glyph; ++ ++ if (max_glyph_size < cur_glyph_size) + { + grub_free (glyph); +- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; +- if (max_glyph_size < 8) +- max_glyph_size = 8; +- glyph = grub_malloc (max_glyph_size); ++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) ++ max_glyph_size = 0; ++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL; + } + if (!glyph) + { ++ max_glyph_size = 0; + grub_errno = GRUB_ERR_NONE; + return main_glyph; + } + +- grub_memset (glyph, 0, sizeof (*glyph) +- + (bounds.width * bounds.height +- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); ++ grub_memset (glyph, 0, cur_glyph_size); + + glyph->font = main_glyph->font; +- glyph->width = bounds.width; +- glyph->height = bounds.height; +- glyph->offset_x = bounds.x; +- glyph->offset_y = bounds.y; ++ if (bounds.width == 0 || bounds.height == 0 || ++ grub_cast (bounds.width, &glyph->width) || ++ grub_cast (bounds.height, &glyph->height) || ++ grub_cast (bounds.x, &glyph->offset_x) || ++ grub_cast (bounds.y, &glyph->offset_y)) ++ return main_glyph; + + if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) + grub_font_blit_glyph_mirror (glyph, main_glyph, diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch b/poky/meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch new file mode 100644 index 0000000000..5741e53f42 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch @@ -0,0 +1,86 @@ +From 04c86e0bb7b58fc2f913f798cdb18934933e532d Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Tue, 5 Apr 2022 11:48:58 +0100 +Subject: [PATCH] loader/efi/chainloader: Use grub_loader_set_ex() + +This ports the EFI chainloader to use grub_loader_set_ex() in order to fix +a use-after-free bug that occurs when grub_cmd_chainloader() is executed +more than once before a boot attempt is performed. + +Fixes: CVE-2022-28736 + +Signed-off-by: Chris Coulson <chris.coulson@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport +CVE: CVE-2022-28736 + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=04c86e0bb7b58fc2f913f798cdb18934933e532d + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + grub-core/loader/efi/chainloader.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index d1602c89b..7557eb269 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -44,11 +44,10 @@ GRUB_MOD_LICENSE ("GPLv3+"); + + static grub_dl_t my_mod; + +-static grub_efi_handle_t image_handle; +- + static grub_err_t +-grub_chainloader_unload (void) ++grub_chainloader_unload (void *context) + { ++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context; + grub_efi_loaded_image_t *loaded_image; + grub_efi_boot_services_t *b; + +@@ -64,8 +63,9 @@ grub_chainloader_unload (void) + } + + static grub_err_t +-grub_chainloader_boot (void) ++grub_chainloader_boot (void *context) + { ++ grub_efi_handle_t image_handle = (grub_efi_handle_t) context; + grub_efi_boot_services_t *b; + grub_efi_status_t status; + grub_efi_uintn_t exit_data_size; +@@ -225,6 +225,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + grub_efi_physical_address_t address = 0; + grub_efi_uintn_t pages = 0; + grub_efi_char16_t *cmdline = NULL; ++ grub_efi_handle_t image_handle = NULL; + + if (argc == 0) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); +@@ -405,7 +406,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + efi_call_2 (b->free_pages, address, pages); + grub_free (file_path); + +- grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0); ++ grub_loader_set_ex (grub_chainloader_boot, grub_chainloader_unload, image_handle, 0); + return 0; + + fail: +@@ -423,10 +424,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + efi_call_2 (b->free_pages, address, pages); + + if (image_handle != NULL) +- { +- efi_call_1 (b->unload_image, image_handle); +- image_handle = NULL; +- } ++ efi_call_1 (b->unload_image, image_handle); + + grub_dl_unref (my_mod); + +-- +2.34.1 + diff --git a/poky/meta/recipes-bsp/grub/files/CVE-2022-3775.patch b/poky/meta/recipes-bsp/grub/files/CVE-2022-3775.patch new file mode 100644 index 0000000000..853efd0486 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/CVE-2022-3775.patch @@ -0,0 +1,95 @@ +From fdbe7209152ad6f09a1166f64f162017f2145ba3 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang <zhangboyang.id@gmail.com> +Date: Mon, 24 Oct 2022 08:05:35 +0800 +Subject: [PATCH] font: Fix an integer underflow in blit_comb() + +The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may +evaluate to a very big invalid value even if both ctx.bounds.height and +combining_glyphs[i]->height are small integers. For example, if +ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this +expression evaluates to 2147483647 (expected -1). This is because +coordinates are allowed to be negative but ctx.bounds.height is an +unsigned int. So, the subtraction operates on unsigned ints and +underflows to a very big value. The division makes things even worse. +The quotient is still an invalid value even if converted back to int. + +This patch fixes the problem by casting ctx.bounds.height to int. As +a result the subtraction will operate on int and grub_uint16_t which +will be promoted to an int. So, the underflow will no longer happen. Other +uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, +to ensure coordinates are always calculated on signed integers. + +Fixes: CVE-2022-3775 + +Reported-by: Daniel Axtens <dja@axtens.net> +Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport from +[https://git.savannah.gnu.org/cgit/grub.git/commit/?id=992c06191babc1e109caf40d6a07ec6fdef427af] +CVE: CVE-2022-3775 + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> + +--- + grub-core/font/font.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 0ff5525..7b1cbde 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1206,12 +1206,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + ctx.bounds.height = main_glyph->height; + + above_rightx = main_glyph->offset_x + main_glyph->width; +- above_righty = ctx.bounds.y + ctx.bounds.height; ++ above_righty = ctx.bounds.y + (int) ctx.bounds.height; + + above_leftx = main_glyph->offset_x; +- above_lefty = ctx.bounds.y + ctx.bounds.height; ++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height; + +- below_rightx = ctx.bounds.x + ctx.bounds.width; ++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width; + below_righty = ctx.bounds.y; + + comb = grub_unicode_get_comb (glyph_id); +@@ -1224,7 +1224,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + if (!combining_glyphs[i]) + continue; +- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; ++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; + /* CGJ is to avoid diacritics reordering. */ + if (comb[i].code + == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) +@@ -1234,8 +1234,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + case GRUB_UNICODE_COMB_OVERLAY: + do_blit (combining_glyphs[i], + targetx, +- (ctx.bounds.height - combining_glyphs[i]->height) / 2 +- - (ctx.bounds.height + ctx.bounds.y), &ctx); ++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 ++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; + break; +@@ -1308,7 +1308,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + /* Fallthrough. */ + case GRUB_UNICODE_STACK_ATTACHED_ABOVE: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height + ctx.bounds.y + space ++ -((int) ctx.bounds.height + ctx.bounds.y + space + + combining_glyphs[i]->height), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +@@ -1316,7 +1316,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + case GRUB_UNICODE_COMB_HEBREW_DAGESH: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height / 2 + ctx.bounds.y ++ -((int) ctx.bounds.height / 2 + ctx.bounds.y + + combining_glyphs[i]->height / 2), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; diff --git a/poky/meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch b/poky/meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch new file mode 100644 index 0000000000..a2c0530f04 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch @@ -0,0 +1,168 @@ +From 14ceb3b3ff6db664649138442b6562c114dcf56e Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Tue, 5 Apr 2022 10:58:28 +0100 +Subject: [PATCH] commands/boot: Add API to pass context to loader + +Loaders rely on global variables for saving context which is consumed +in the boot hook and freed in the unload hook. In the case where a loader +command is executed twice, calling grub_loader_set() a second time executes +the unload hook, but in some cases this runs when the loader's global +context has already been updated, resulting in the updated context being +freed and potential use-after-free bugs when the boot hook is subsequently +called. + +This adds a new API, grub_loader_set_ex(), which allows a loader to specify +context that is passed to its boot and unload hooks. This is an alternative +to requiring that loaders call grub_loader_unset() before mutating their +global context. + +Signed-off-by: Chris Coulson <chris.coulson@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=14ceb3b3ff6db664649138442b6562c114dcf56e + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + grub-core/commands/boot.c | 66 ++++++++++++++++++++++++++++++++++----- + include/grub/loader.h | 5 +++ + 2 files changed, 63 insertions(+), 8 deletions(-) + +diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c +index bbca81e94..61514788e 100644 +--- a/grub-core/commands/boot.c ++++ b/grub-core/commands/boot.c +@@ -27,10 +27,20 @@ + + GRUB_MOD_LICENSE ("GPLv3+"); + +-static grub_err_t (*grub_loader_boot_func) (void); +-static grub_err_t (*grub_loader_unload_func) (void); ++static grub_err_t (*grub_loader_boot_func) (void *context); ++static grub_err_t (*grub_loader_unload_func) (void *context); ++static void *grub_loader_context; + static int grub_loader_flags; + ++struct grub_simple_loader_hooks ++{ ++ grub_err_t (*boot) (void); ++ grub_err_t (*unload) (void); ++}; ++ ++/* Don't heap allocate this to avoid making grub_loader_set() fallible. */ ++static struct grub_simple_loader_hooks simple_loader_hooks; ++ + struct grub_preboot + { + grub_err_t (*preboot_func) (int); +@@ -44,6 +54,29 @@ static int grub_loader_loaded; + static struct grub_preboot *preboots_head = 0, + *preboots_tail = 0; + ++static grub_err_t ++grub_simple_boot_hook (void *context) ++{ ++ struct grub_simple_loader_hooks *hooks; ++ ++ hooks = (struct grub_simple_loader_hooks *) context; ++ return hooks->boot (); ++} ++ ++static grub_err_t ++grub_simple_unload_hook (void *context) ++{ ++ struct grub_simple_loader_hooks *hooks; ++ grub_err_t ret; ++ ++ hooks = (struct grub_simple_loader_hooks *) context; ++ ++ ret = hooks->unload (); ++ grub_memset (hooks, 0, sizeof (*hooks)); ++ ++ return ret; ++} ++ + int + grub_loader_is_loaded (void) + { +@@ -110,28 +143,45 @@ grub_loader_unregister_preboot_hook (struct grub_preboot *hnd) + } + + void +-grub_loader_set (grub_err_t (*boot) (void), +- grub_err_t (*unload) (void), +- int flags) ++grub_loader_set_ex (grub_err_t (*boot) (void *context), ++ grub_err_t (*unload) (void *context), ++ void *context, ++ int flags) + { + if (grub_loader_loaded && grub_loader_unload_func) +- grub_loader_unload_func (); ++ grub_loader_unload_func (grub_loader_context); + + grub_loader_boot_func = boot; + grub_loader_unload_func = unload; ++ grub_loader_context = context; + grub_loader_flags = flags; + + grub_loader_loaded = 1; + } + ++void ++grub_loader_set (grub_err_t (*boot) (void), ++ grub_err_t (*unload) (void), ++ int flags) ++{ ++ grub_loader_set_ex (grub_simple_boot_hook, ++ grub_simple_unload_hook, ++ &simple_loader_hooks, ++ flags); ++ ++ simple_loader_hooks.boot = boot; ++ simple_loader_hooks.unload = unload; ++} ++ + void + grub_loader_unset(void) + { + if (grub_loader_loaded && grub_loader_unload_func) +- grub_loader_unload_func (); ++ grub_loader_unload_func (grub_loader_context); + + grub_loader_boot_func = 0; + grub_loader_unload_func = 0; ++ grub_loader_context = 0; + + grub_loader_loaded = 0; + } +@@ -158,7 +208,7 @@ grub_loader_boot (void) + return err; + } + } +- err = (grub_loader_boot_func) (); ++ err = (grub_loader_boot_func) (grub_loader_context); + + for (cur = preboots_tail; cur; cur = cur->prev) + if (! err) +diff --git a/include/grub/loader.h b/include/grub/loader.h +index b20864282..97f231054 100644 +--- a/include/grub/loader.h ++++ b/include/grub/loader.h +@@ -40,6 +40,11 @@ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void), + grub_err_t (*unload) (void), + int flags); + ++void EXPORT_FUNC (grub_loader_set_ex) (grub_err_t (*boot) (void *context), ++ grub_err_t (*unload) (void *context), ++ void *context, ++ int flags); ++ + /* Unset current loader, if any. */ + void EXPORT_FUNC (grub_loader_unset) (void); + +-- +2.34.1 + diff --git a/poky/meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch b/poky/meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch new file mode 100644 index 0000000000..a43025d425 --- /dev/null +++ b/poky/meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch @@ -0,0 +1,129 @@ +From 1469983ebb9674753ad333d37087fb8cb20e1dce Mon Sep 17 00:00:00 2001 +From: Chris Coulson <chris.coulson@canonical.com> +Date: Tue, 5 Apr 2022 10:02:04 +0100 +Subject: [PATCH] loader/efi/chainloader: Simplify the loader state + +The chainloader command retains the source buffer and device path passed +to LoadImage(), requiring the unload hook passed to grub_loader_set() to +free them. It isn't required to retain this state though - they aren't +required by StartImage() or anything else in the boot hook, so clean them +up before grub_cmd_chainloader() finishes. + +Signed-off-by: Chris Coulson <chris.coulson@canonical.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=1469983ebb9674753ad333d37087fb8cb20e1dce + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + grub-core/loader/efi/chainloader.c | 38 +++++++++++++++++------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index 2bd80f4db..d1602c89b 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -44,25 +44,20 @@ GRUB_MOD_LICENSE ("GPLv3+"); + + static grub_dl_t my_mod; + +-static grub_efi_physical_address_t address; +-static grub_efi_uintn_t pages; +-static grub_efi_device_path_t *file_path; + static grub_efi_handle_t image_handle; +-static grub_efi_char16_t *cmdline; + + static grub_err_t + grub_chainloader_unload (void) + { ++ grub_efi_loaded_image_t *loaded_image; + grub_efi_boot_services_t *b; + ++ loaded_image = grub_efi_get_loaded_image (image_handle); ++ if (loaded_image != NULL) ++ grub_free (loaded_image->load_options); ++ + b = grub_efi_system_table->boot_services; + efi_call_1 (b->unload_image, image_handle); +- efi_call_2 (b->free_pages, address, pages); +- +- grub_free (file_path); +- grub_free (cmdline); +- cmdline = 0; +- file_path = 0; + + grub_dl_unref (my_mod); + return GRUB_ERR_NONE; +@@ -140,7 +135,7 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename) + char *dir_start; + char *dir_end; + grub_size_t size; +- grub_efi_device_path_t *d; ++ grub_efi_device_path_t *d, *file_path; + + dir_start = grub_strchr (filename, ')'); + if (! dir_start) +@@ -222,11 +217,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + grub_efi_status_t status; + grub_efi_boot_services_t *b; + grub_device_t dev = 0; +- grub_efi_device_path_t *dp = 0; ++ grub_efi_device_path_t *dp = NULL, *file_path = NULL; + grub_efi_loaded_image_t *loaded_image; + char *filename; + void *boot_image = 0; + grub_efi_handle_t dev_handle = 0; ++ grub_efi_physical_address_t address = 0; ++ grub_efi_uintn_t pages = 0; ++ grub_efi_char16_t *cmdline = NULL; + + if (argc == 0) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); +@@ -234,11 +232,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + + grub_dl_ref (my_mod); + +- /* Initialize some global variables. */ +- address = 0; +- image_handle = 0; +- file_path = 0; +- + b = grub_efi_system_table->boot_services; + + file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE); +@@ -408,6 +401,10 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + grub_file_close (file); + grub_device_close (dev); + ++ /* We're finished with the source image buffer and file path now. */ ++ efi_call_2 (b->free_pages, address, pages); ++ grub_free (file_path); ++ + grub_loader_set (grub_chainloader_boot, grub_chainloader_unload, 0); + return 0; + +@@ -419,11 +416,18 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + if (file) + grub_file_close (file); + ++ grub_free (cmdline); + grub_free (file_path); + + if (address) + efi_call_2 (b->free_pages, address, pages); + ++ if (image_handle != NULL) ++ { ++ efi_call_1 (b->unload_image, image_handle); ++ image_handle = NULL; ++ } ++ + grub_dl_unref (my_mod); + + return grub_errno; +-- +2.34.1 + diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc index 47ea561002..c14fe315d3 100644 --- a/poky/meta/recipes-bsp/grub/grub2.inc +++ b/poky/meta/recipes-bsp/grub/grub2.inc @@ -32,6 +32,12 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch \ file://CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch \ file://CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch \ + file://0001-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch \ + file://CVE-2022-2601.patch \ + file://CVE-2022-3775.patch \ + file://loader-efi-chainloader-Simplify-the-loader-state.patch \ + file://commands-boot-Add-API-to-pass-context-to-loader.patch \ + file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch \ " SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" diff --git a/poky/meta/recipes-bsp/u-boot/u-boot.inc b/poky/meta/recipes-bsp/u-boot/u-boot.inc index f022aed732..b2f33e3826 100644 --- a/poky/meta/recipes-bsp/u-boot/u-boot.inc +++ b/poky/meta/recipes-bsp/u-boot/u-boot.inc @@ -5,7 +5,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}" DEPENDS += "${@bb.utils.contains('UBOOT_ENV_SUFFIX', 'scr', 'u-boot-mkimage-native', '', d)}" -inherit uboot-config uboot-extlinux-config uboot-sign deploy cml1 python3native kernel-arch +inherit uboot-config uboot-extlinux-config uboot-sign deploy python3native kernel-arch DEPENDS += "swig-native" diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/0001-avoid-start-failure-with-bind-user.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch index ec1bc7b567..ec1bc7b567 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/0001-avoid-start-failure-with-bind-user.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-avoid-start-failure-with-bind-user.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 4c10f33f04..4c10f33f04 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/0001-named-lwresd-V-and-start-log-hide-build-options.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/bind-ensure-searching-for-json-headers-searches-sysr.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..f1abd179e8 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind-ensure-searching-for-json-headers-searches-sysr.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/bind9 b/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind9 index 968679ff7f..968679ff7f 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/bind9 +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/bind9 diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/conf.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch index aa3642acec..aa3642acec 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/conf.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/conf.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/generate-rndc-key.sh b/poky/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh index 633e29c0e6..633e29c0e6 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/generate-rndc-key.sh +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/generate-rndc-key.sh diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/init.d-add-support-for-read-only-rootfs.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch index 11db95ede1..11db95ede1 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/init.d-add-support-for-read-only-rootfs.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/init.d-add-support-for-read-only-rootfs.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/make-etc-initd-bind-stop-work.patch b/poky/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch index 146f3e35db..146f3e35db 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/make-etc-initd-bind-stop-work.patch +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/make-etc-initd-bind-stop-work.patch diff --git a/poky/meta/recipes-connectivity/bind/bind-9.18.7/named.service b/poky/meta/recipes-connectivity/bind/bind-9.18.11/named.service index cda56ef015..cda56ef015 100644 --- a/poky/meta/recipes-connectivity/bind/bind-9.18.7/named.service +++ b/poky/meta/recipes-connectivity/bind/bind-9.18.11/named.service diff --git a/poky/meta/recipes-connectivity/bind/bind_9.18.7.bb b/poky/meta/recipes-connectivity/bind/bind_9.18.11.bb index 11c8a4e9d3..0618129318 100644 --- a/poky/meta/recipes-connectivity/bind/bind_9.18.7.bb +++ b/poky/meta/recipes-connectivity/bind/bind_9.18.11.bb @@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system" SECTION = "console/network" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a4a897f202c0710e07f2f2836bc2b62" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=d8cf7bd9c4fd5471a588e7e66e672408" DEPENDS = "openssl libcap zlib libuv" @@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "9e2acf1698f49d70ad12ffbad39ec6716a7da524e9ebd98429c7c70ba1262981" +SRC_URI[sha256sum] = "8ff3352812230cbcbda42df87cad961f94163d3da457c5e4bef8057fd5df2158" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 diff --git a/poky/meta/recipes-connectivity/bluez5/bluez5.inc b/poky/meta/recipes-connectivity/bluez5/bluez5.inc index 79d4645ca8..a8eaba1dd6 100644 --- a/poky/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/poky/meta/recipes-connectivity/bluez5/bluez5.inc @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ file://COPYING.LIB;md5=fb504b67c50331fc78734fed90fb0e09 \ file://src/main.c;beginline=1;endline=24;md5=0ad83ca0dc37ab08af448777c581e7ac" DEPENDS = "dbus glib-2.0" +RDEPENDS:${PN} += "dbus" PROVIDES += "bluez-hcidump" RPROVIDES:${PN} += "bluez-hcidump" @@ -67,6 +68,8 @@ EXTRA_OECONF = "\ --without-zsh-completion-dir \ " +CFLAGS += "-DFIRMWARE_DIR=\\"${nonarch_base_libdir}/firmware\\"" + # bluez5 builds a large number of useful utilities but does not # install them. Specify which ones we want put into ${PN}-noinst-tools. NOINST_TOOLS_READLINE ??= "" diff --git a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb index ab6ffe986c..579fa95df7 100644 --- a/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb +++ b/poky/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb @@ -13,8 +13,13 @@ UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/" SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \ file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \ + file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \ + file://0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch \ + file://0002-privsep-Allow-newfstatat-syscall-as-well.patch \ + file://0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch \ file://dhcpcd.service \ file://dhcpcd@.service \ + file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \ " SRC_URI[sha256sum] = "819357634efed1ea5cf44ec01b24d3d3f8852fec8b4249925dcc5667c54e376c" diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch new file mode 100644 index 0000000000..6f90c88249 --- /dev/null +++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch @@ -0,0 +1,82 @@ +From 02acc4d875ee81e6fd19ef66d69c9f55b4b4a7e7 Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Wed, 9 Nov 2022 16:33:18 +0800 +Subject: [PATCH] 20-resolv.conf: improve the sitation of working with systemd + +systemd's resolvconf implementation ignores the protocol part. +See https://github.com/systemd/systemd/issues/25032. + +When using 'dhcp server + dns server + dhcpcd + systemd', we +get an integration issue, that is dhcpcd runs 'resolvconf -d eth0.ra', +yet systemd's resolvconf treats it as eth0. This will delete the +DNS information set by 'resolvconf -a eth0.dhcp'. + +Fortunately, 20-resolv.conf has the ability to build the resolv.conf +file contents itself. We can just pass the generated contents to +systemd's resolvconf. This way, the DNS information is not incorrectly +deleted. Also, it does not cause behavior regression for dhcpcd +in other cases. + +Upstream-Status: Inappropriate [OE Specific] +This patch has been rejected by dhcpcd upstream. +See details in https://github.com/NetworkConfiguration/dhcpcd/pull/152 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + hooks/20-resolv.conf | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf +index 504a6c53..eb6e5845 100644 +--- a/hooks/20-resolv.conf ++++ b/hooks/20-resolv.conf +@@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming" + NL=" + " + : ${resolvconf:=resolvconf} ++resolvconf_from_systemd=false + if type "$resolvconf" >/dev/null 2>&1; then + have_resolvconf=true ++ if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then ++ resolvconf_from_systemd=true ++ fi + else + have_resolvconf=false + fi +@@ -69,8 +73,13 @@ build_resolv_conf() + else + echo "# /etc/resolv.conf.tail can replace this line" >> "$cf" + fi +- if change_file /etc/resolv.conf "$cf"; then +- chmod 644 /etc/resolv.conf ++ if $resolvconf_from_systemd; then ++ [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric" ++ "$resolvconf" -a "$ifname" <"$cf" ++ else ++ if change_file /etc/resolv.conf "$cf"; then ++ chmod 644 /etc/resolv.conf ++ fi + fi + rm -f "$cf" + } +@@ -170,7 +179,7 @@ add_resolv_conf() + for x in ${new_domain_name_servers}; do + conf="${conf}nameserver $x$NL" + done +- if $have_resolvconf; then ++ if $have_resolvconf && ! $resolvconf_from_systemd; then + [ -n "$ifmetric" ] && export IF_METRIC="$ifmetric" + printf %s "$conf" | "$resolvconf" -a "$ifname" + return $? +@@ -186,7 +195,7 @@ add_resolv_conf() + + remove_resolv_conf() + { +- if $have_resolvconf; then ++ if $have_resolvconf && ($if_down || ! $resolvconf_from_systemd); then + "$resolvconf" -d "$ifname" -f + else + if [ -e "$resolv_conf_dir/$ifname" ]; then +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch new file mode 100644 index 0000000000..12998aada4 --- /dev/null +++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch @@ -0,0 +1,46 @@ +From 4915a7e52fcea8fe283a842890a1e726b1e26b10 Mon Sep 17 00:00:00 2001 +From: Lei Maohui <leimaohui@fujitsu.com> +Date: Fri, 10 Mar 2023 03:48:46 +0000 +Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib. + +Error: Transaction test error: + file /usr/share/man/man8/dhcpcd.8 conflicts between attempted + installs of dhcpcd-doc-9.4.1-r0.cortexa57 and + lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon + +The differences between the two files are as follows: +@@ -821,7 +821,7 @@ + If you always use the same options, put them here. + .It Pa /usr/libexec/dhcpcd-run-hooks + Bourne shell script that is run to configure or de-configure an interface. +-.It Pa /usr/lib64/dhcpcd/dev ++.It Pa /usr/lib/dhcpcd/dev + Linux + .Pa /dev + management modules. + +It is just a man file, there is no necessary to manage multiple +versions. + +Upstream-Status: Inappropriate [oe specific] +Signed-off-by: Lei Maohui <leimaohui@fujitsu.com> +--- + src/dhcpcd.8.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in +index bc6b3b5..791f2ba 100644 +--- a/src/dhcpcd.8.in ++++ b/src/dhcpcd.8.in +@@ -821,7 +821,7 @@ Configuration file for dhcpcd. + If you always use the same options, put them here. + .It Pa @SCRIPT@ + Bourne shell script that is run to configure or de-configure an interface. +-.It Pa @LIBDIR@/dhcpcd/dev ++.It Pa /usr/<libdir>/dhcpcd/dev + Linux + .Pa /dev + management modules. +-- +2.34.1 + diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch new file mode 100644 index 0000000000..68ab93416a --- /dev/null +++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch @@ -0,0 +1,30 @@ +From c6cdf0aee71ab4126d36b045f02428ee3c6ec50b Mon Sep 17 00:00:00 2001 +From: Roy Marples <roy@marples.name> +Date: Fri, 26 Aug 2022 09:08:36 +0100 +Subject: [PATCH 1/2] privsep: Allow getrandom sysctl for newer glibc + +Fixes #120 + +Upstream-Status: Backport [c6cdf0aee71ab4126d36b045f02428ee3c6ec50b] +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/privsep-linux.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/privsep-linux.c b/src/privsep-linux.c +index b238644b..479a1d82 100644 +--- a/src/privsep-linux.c ++++ b/src/privsep-linux.c +@@ -300,6 +300,9 @@ static struct sock_filter ps_seccomp_filter[] = { + #ifdef __NR_getpid + SECCOMP_ALLOW(__NR_getpid), + #endif ++#ifdef __NR_getrandom ++ SECCOMP_ALLOW(__NR_getrandom), ++#endif + #ifdef __NR_getsockopt + /* For route socket overflow */ + SECCOMP_ALLOW_ARG(__NR_getsockopt, 1, SOL_SOCKET), +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch new file mode 100644 index 0000000000..1c514f9b8c --- /dev/null +++ b/poky/meta/recipes-connectivity/dhcpcd/files/0001-privsep-linux-fix-SECCOMP_AUDIT_ARCH-missing-ppc64le.patch @@ -0,0 +1,34 @@ +From 7a2d9767585ed2c407d4985bd2d81552034fb90a Mon Sep 17 00:00:00 2001 +From: CHEN Xiangyu <xiangyu.chen@aol.com> +Date: Thu, 9 Feb 2023 18:41:52 +0800 +Subject: [PATCH] privsep-linux: fix SECCOMP_AUDIT_ARCH missing ppc64le (#181) + +when dhcpcd running on ppc64le platform, it would be killed by SIGSYS. + +Upstream-Status: Backport [7a2d9767585ed2c407d4985bd2d81552034fb90a] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + src/privsep-linux.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/privsep-linux.c b/src/privsep-linux.c +index 7372d26b..6a301950 100644 +--- a/src/privsep-linux.c ++++ b/src/privsep-linux.c +@@ -232,7 +232,11 @@ ps_root_sendnetlink(struct dhcpcd_ctx *ctx, int protocol, struct msghdr *msg) + #elif defined(__or1k__) + # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_OPENRISC + #elif defined(__powerpc64__) +-# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64 ++# if (BYTE_ORDER == LITTLE_ENDIAN) ++# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64LE ++# else ++# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC64 ++# endif + #elif defined(__powerpc__) + # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_PPC + #elif defined(__riscv) +-- +2.34.1 + diff --git a/poky/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch b/poky/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch new file mode 100644 index 0000000000..c5d2cba305 --- /dev/null +++ b/poky/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch @@ -0,0 +1,31 @@ +From 7625a555797f587a89dc2447fd9d621024d5165c Mon Sep 17 00:00:00 2001 +From: Roy Marples <roy@marples.name> +Date: Fri, 26 Aug 2022 09:24:50 +0100 +Subject: [PATCH 2/2] privsep: Allow newfstatat syscall as well + +Allows newer glibc variants to work apparently. +As reported in #84 and #89. + +Upstream-Status: Backport [7625a555797f587a89dc2447fd9d621024d5165c] +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + src/privsep-linux.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/privsep-linux.c b/src/privsep-linux.c +index 479a1d82..6327b1bc 100644 +--- a/src/privsep-linux.c ++++ b/src/privsep-linux.c +@@ -328,6 +328,9 @@ static struct sock_filter ps_seccomp_filter[] = { + #ifdef __NR_nanosleep + SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */ + #endif ++#ifdef __NR_newfstatat ++ SECCOMP_ALLOW(__NR_newfstatat), ++#endif + #ifdef __NR_ppoll + SECCOMP_ALLOW(__NR_ppoll), + #endif +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch index 78f475a495..451b409c88 100644 --- a/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch +++ b/poky/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch @@ -12,7 +12,7 @@ Subject: [PATCH] There are conflict of config files between kea and lib32-kea: Because they are all commented out, replace the expanded libdir path with '$libdir' in the config files to avoid conflict. -Upstream-Status: Pending +Upstream-Status: Submitted [https://gitlab.isc.org/isc-projects/kea/-/issues/2602] Signed-off-by: Kai Kang <kai.kang@windriver.com> --- diff --git a/poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb b/poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb index 4c1b8eed56..27e79276b5 100644 --- a/poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb +++ b/poky/meta/recipes-connectivity/libuv/libuv_1.44.2.bb @@ -6,7 +6,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=ad93ca1fffe931537fcf64f6fcce084d" SRCREV = "0c1fa696aa502eb749c2c4735005f41ba00a27b8" -SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https" +SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index 2cc92b7b47..e802bcee18 100644 --- a/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/poky/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -5,8 +5,8 @@ SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "fe19892a8168bf19d81e3bc4ee319bf7f9f058f5" -PV = "20220725" +SRCREV = "22a5de3ef637990ce03141f786fbdb327e9c5a3f" +PV = "20221107" PE = "1" SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" diff --git a/poky/meta/recipes-connectivity/openssh/openssh_8.9p1.bb b/poky/meta/recipes-connectivity/openssh/openssh_8.9p1.bb index e4446280d9..6057d055f4 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh_8.9p1.bb +++ b/poky/meta/recipes-connectivity/openssh/openssh_8.9p1.bb @@ -54,15 +54,12 @@ SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" inherit autotools-brokensep ptest -PACKAGECONFIG ??= "rng-tools" +PACKAGECONFIG ??= "" PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" -# Add RRECOMMENDS to rng-tools for sshd package -PACKAGECONFIG[rng-tools] = "" - EXTRA_AUTORECONF += "--exclude=aclocal" # login path is hardcoded in sshd @@ -162,15 +159,10 @@ FILES:${PN}-keygen = "${bindir}/ssh-keygen" RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" -RRECOMMENDS:${PN}-sshd:append:class-target = "\ - ${@bb.utils.filter('PACKAGECONFIG', 'rng-tools', d)} \ -" - # break dependency on base package for -dev package # otherwise SDK fails to build as the main openssh and dropbear packages # conflict with each other RDEPENDS:${PN}-dev = "" - # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" diff --git a/poky/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/poky/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh index b9cc24a7ac..6f23490c87 100644 --- a/poky/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh +++ b/poky/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh @@ -1 +1,5 @@ export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf" +export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" +export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" +export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/" +export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3" diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch new file mode 100644 index 0000000000..3b94c48e8d --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch @@ -0,0 +1,225 @@ +From 959c59c7a0164117e7f8366466a32bb1f8d77ff1 Mon Sep 17 00:00:00 2001 +From: Pauli <pauli@openssl.org> +Date: Wed, 8 Mar 2023 15:28:20 +1100 +Subject: [PATCH] x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Shane Lontis <shane.lontis@oracle.com> +(Merged from https://github.com/openssl/openssl/pull/20568) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1] +CVE: CVE-2023-0464 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + crypto/x509/pcy_local.h | 8 +++++++- + crypto/x509/pcy_node.c | 12 +++++++++--- + crypto/x509/pcy_tree.c | 36 ++++++++++++++++++++++++++---------- + 3 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc..cba107c 100644 +--- a/crypto/x509/pcy_local.h ++++ b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea..450f95a 100644 +--- a/crypto/x509/pcy_node.c ++++ b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5..f953a05 100644 +--- a/crypto/x509/pcy_tree.c ++++ b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + static void expected_print(BIO *channel, + X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, + int indent) +@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. + * +@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + if ((data = ossl_policy_data_new(NULL, + OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { ++ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { + ossl_policy_data_free(data); + goto bad_tree; + } +@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (ossl_policy_node_match(last, node, data->valid_policy)) { +- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. + */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { ++ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { + ossl_policy_data_free(data); + return 0; + } +@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + /* Finally add link to anyPolicy */ + if (last->anyPolicy && + ossl_policy_level_add_node(curr, cache->anyPolicy, +- last->anyPolicy, NULL) == NULL) ++ last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; + node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, +- tree); ++ tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = ossl_policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) +-- +2.35.7 + diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch new file mode 100644 index 0000000000..57fd494464 --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch @@ -0,0 +1,56 @@ +From 1dd43e0709fece299b15208f36cc7c76209ba0bb Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Tue, 7 Mar 2023 16:52:55 +0000 +Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf + certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau <hlandau@openssl.org> +Reviewed-by: Tomas Mraz <tomas@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/20587) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1dd43e0709fece299b15208f36cc7c76209ba0bb] +CVE: CVE-2023-0465 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + crypto/x509/x509_vfy.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1d..a0282c3 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++ cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, + ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { +-- +2.35.7 + diff --git a/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch new file mode 100644 index 0000000000..a16bfe42ca --- /dev/null +++ b/poky/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch @@ -0,0 +1,50 @@ +From 51e8a84ce742db0f6c70510d0159dad8f7825908 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz <tomas@openssl.org> +Date: Tue, 21 Mar 2023 16:15:47 +0100 +Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy() + +The function was incorrectly documented as enabling policy checking. + +Fixes: CVE-2023-0466 + +Reviewed-by: Matt Caswell <matt@openssl.org> +Reviewed-by: Paul Dale <pauli@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/20563) + +Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908] +CVE: CVE-2023-0466 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 75a1677..43c1900 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B<trust>. + X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to + B<t>. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B<policy> to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B<policies>. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. +-- +2.35.7 + diff --git a/poky/meta/recipes-connectivity/openssl/openssl_3.0.7.bb b/poky/meta/recipes-connectivity/openssl/openssl_3.0.8.bb index 9ed5f11df0..82f3e18dd7 100644 --- a/poky/meta/recipes-connectivity/openssl/openssl_3.0.7.bb +++ b/poky/meta/recipes-connectivity/openssl/openssl_3.0.8.bb @@ -12,13 +12,16 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2023-0464.patch \ + file://CVE-2023-0465.patch \ + file://CVE-2023-0466.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" +SRC_URI[sha256sum] = "6c13d2bf38fdf31eac3ce2a347073673f5d63263398f1f69d0df4a41253e4b3e" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -77,7 +80,7 @@ do_configure () { esac target="$os-${HOST_ARCH}" case $target in - linux-arc) + linux-arc | linux-microblaze*) target=linux-latomic ;; linux-arm*) @@ -105,7 +108,7 @@ do_configure () { linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el) target=linux64-mips64 ;; - linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) + linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*) target=linux-generic32 ;; linux-powerpc) diff --git a/poky/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/poky/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch new file mode 100644 index 0000000000..4325b1d6b0 --- /dev/null +++ b/poky/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch @@ -0,0 +1,48 @@ +From a75fb7b198eed50d769c80c36629f38346882cbf Mon Sep 17 00:00:00 2001 +From: Paul Mackerras <paulus@ozlabs.org> +Date: Thu, 4 Aug 2022 12:23:08 +1000 +Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer + +This fixes a potential vulnerability where data is written to spkt.buf +and rpkt.buf without a check on the array index. To fix this, we +check the array index (pkt->cnt) before storing the byte or +incrementing the count. This also means we no longer have a potential +signed integer overflow on the increment of pkt->cnt. + +Fortunately, pppdump is not used in the normal process of setting up a +PPP connection, is not installed setuid-root, and is not invoked +automatically in any scenario that I am aware of. + +Signed-off-by: Paul Mackerras <paulus@ozlabs.org> + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + pppdump/pppdump.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c +index 2b815fc9..b85a8627 100644 +--- a/pppdump/pppdump.c ++++ b/pppdump/pppdump.c +@@ -297,6 +297,10 @@ dumpppp(f) + printf("%s aborted packet:\n ", dir); + q = " "; + } ++ if (pkt->cnt >= sizeof(pkt->buf)) { ++ printf("%s over-long packet truncated:\n ", dir); ++ q = " "; ++ } + nb = pkt->cnt; + p = pkt->buf; + pkt->cnt = 0; +@@ -400,7 +404,8 @@ dumpppp(f) + c ^= 0x20; + pkt->esc = 0; + } +- pkt->buf[pkt->cnt++] = c; ++ if (pkt->cnt < sizeof(pkt->buf)) ++ pkt->buf[pkt->cnt++] = c; + break; + } + } diff --git a/poky/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/poky/meta/recipes-connectivity/ppp/ppp_2.4.9.bb index 700ece61dc..7e3ae43b58 100644 --- a/poky/meta/recipes-connectivity/ppp/ppp_2.4.9.bb +++ b/poky/meta/recipes-connectivity/ppp/ppp_2.4.9.bb @@ -25,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ file://provider \ file://ppp@.service \ file://0001-ppp-fix-build-against-5.15-headers.patch \ + file://CVE-2022-4603.patch \ " SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d" diff --git a/poky/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch b/poky/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch new file mode 100644 index 0000000000..ab32f26754 --- /dev/null +++ b/poky/meta/recipes-connectivity/resolvconf/resolvconf/0001-avoid-using-m-option-for-readlink.patch @@ -0,0 +1,37 @@ +From 6bf2bb136a0b3961339369bc08e58b661fba0edb Mon Sep 17 00:00:00 2001 +From: Chen Qi <Qi.Chen@windriver.com> +Date: Thu, 17 Nov 2022 17:26:30 +0800 +Subject: [PATCH] avoid using -m option for readlink + +Use a more widely used option '-f' instead of '-m' here to +avoid dependency on coreutils. + +Looking at the git history of the resolvconf repo, the '-m' +is deliberately used. And it wants to depend on coreutils. +But in case of OE, the existence of /etc is ensured, and busybox +readlink provides '-f' option, so we can just use '-f'. In this +way, the coreutils dependency is not necessary any more. + +Upstream-Status: Inappropriate [OE Specific] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + etc/resolvconf/update.d/libc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/etc/resolvconf/update.d/libc b/etc/resolvconf/update.d/libc +index 1c4f6bc..f75d22c 100755 +--- a/etc/resolvconf/update.d/libc ++++ b/etc/resolvconf/update.d/libc +@@ -57,7 +57,7 @@ fi + report_warning() { echo "$0: Warning: $*" >&2 ; } + + resolv_conf_is_symlinked_to_dynamic_file() { +- [ -L ${ETC}/resolv.conf ] && [ "$(readlink -m ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ] ++ [ -L ${ETC}/resolv.conf ] && [ "$(readlink -f ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ] + } + + if ! resolv_conf_is_symlinked_to_dynamic_file ; then +-- +2.17.1 + diff --git a/poky/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb b/poky/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb index 94fd2c1a70..3f1b75d07d 100644 --- a/poky/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb +++ b/poky/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb @@ -9,10 +9,11 @@ LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b" AUTHOR = "Thomas Hood" HOMEPAGE = "http://packages.debian.org/resolvconf" -RDEPENDS:${PN} = "bash" +RDEPENDS:${PN} = "bash sed util-linux-flock" SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=unstable \ file://99_resolvconf \ + file://0001-avoid-using-m-option-for-readlink.patch \ " SRCREV = "859209d573e7aec0e95d812c6b52444591a628d1" @@ -23,8 +24,6 @@ S = "${WORKDIR}/git" # so we check the latest upstream from a directory that does get updated UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/r/resolvconf/" -inherit allarch - do_compile () { : } @@ -39,12 +38,14 @@ do_install () { fi install -d ${D}${base_libdir}/${BPN} install -d ${D}${sysconfdir}/${BPN} + install -d ${D}${nonarch_base_libdir}/${BPN} ln -snf ${localstatedir}/run/${BPN} ${D}${sysconfdir}/${BPN}/run install -d ${D}${sysconfdir} ${D}${base_sbindir} install -d ${D}${mandir}/man8 ${D}${docdir}/${P} cp -pPR etc/resolvconf ${D}${sysconfdir}/ chown -R root:root ${D}${sysconfdir}/ install -m 0755 bin/resolvconf ${D}${base_sbindir}/ + install -m 0755 bin/normalize-resolvconf ${D}${nonarch_base_libdir}/${BPN} install -m 0755 bin/list-records ${D}${base_libdir}/${BPN} install -d ${D}/${sysconfdir}/network/if-up.d install -m 0755 debian/resolvconf.000resolvconf.if-up ${D}/${sysconfdir}/network/if-up.d/000resolvconf @@ -64,4 +65,4 @@ pkg_postinst:${PN} () { fi } -FILES:${PN} += "${base_libdir}/${BPN}" +FILES:${PN} += "${base_libdir}/${BPN} ${nonarch_base_libdir}/${BPN}" diff --git a/poky/meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch b/poky/meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch deleted file mode 100644 index fbfb0816dd..0000000000 --- a/poky/meta/recipes-connectivity/socat/socat/0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d67d6b4f981db9612d808bd723176a1d2996d53a Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex@linutronix.de> -Date: Mon, 17 Jan 2022 13:21:32 +0100 -Subject: [PATCH] configure.ac: check getprotobynumber_r with AC_TRY_LINK - -AC_TRY_COMPILE won't error out if the function is altogether absent -(e.g. on linux musl C library), the test needs to link all the way. - -Upstream-Status: Submitted [via email to socat@dest-unreach.org] -Signed-off-by: Alexander Kanavin <alex@linutronix.de> ---- - configure.ac | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d4acc9e..973a7f2 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -137,13 +137,13 @@ AC_MSG_RESULT($sc_cv_have_prototype_hstrerror) - # getprotobynumber_r() is not standardized - AC_MSG_CHECKING(for getprotobynumber_r() variant) - AC_CACHE_VAL(sc_cv_getprotobynumber_r, --[AC_TRY_COMPILE([#include <stddef.h> -+[AC_TRY_LINK([#include <stddef.h> - #include <netdb.h>],[getprotobynumber_r(1,NULL,NULL,1024,NULL);], - [sc_cv_getprotobynumber_r=1; tmp_bynum_variant=Linux], -- [AC_TRY_COMPILE([#include <stddef.h> -+ [AC_TRY_LINK([#include <stddef.h> - #include <netdb.h>],[getprotobynumber_r(1,NULL,NULL,1024);], - [sc_cv_getprotobynumber_r=2; tmp_bynum_variant=Solaris], -- [AC_TRY_COMPILE([#include <stddef.h> -+ [AC_TRY_LINK([#include <stddef.h> - #include <netdb.h>],[getprotobynumber_r(1,NULL,NULL);], - [sc_cv_getprotobynumber_r=3; tmp_bynum_variant=AIX], - diff --git a/poky/meta/recipes-connectivity/socat/socat_1.7.4.3.bb b/poky/meta/recipes-connectivity/socat/socat_1.7.4.4.bb index a4a0a8933e..5a379380d1 100644 --- a/poky/meta/recipes-connectivity/socat/socat_1.7.4.3.bb +++ b/poky/meta/recipes-connectivity/socat/socat_1.7.4.4.bb @@ -9,11 +9,9 @@ LICENSE = "GPL-2.0-with-OpenSSL-exception" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86" -SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ - file://0001-configure.ac-check-getprotobynumber_r-with-AC_TRY_LI.patch \ - " +SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2" -SRC_URI[sha256sum] = "d47318104415077635119dfee44bcfb41de3497374a9a001b1aff6e2f0858007" +SRC_URI[sha256sum] = "fbd42bd2f0e54a3af6d01bdf15385384ab82dbc0e4f1a5e153b3e0be1b6380ac" inherit autotools diff --git a/poky/meta/recipes-core/base-files/base-files/hosts b/poky/meta/recipes-core/base-files/base-files/hosts index b94f414d5c..10a5b6c704 100644 --- a/poky/meta/recipes-core/base-files/base-files/hosts +++ b/poky/meta/recipes-core/base-files/base-files/hosts @@ -1,4 +1,4 @@ -127.0.0.1 localhost.localdomain localhost +127.0.0.1 localhost # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback diff --git a/poky/meta/recipes-core/busybox/busybox.inc b/poky/meta/recipes-core/busybox/busybox.inc index 5f1c473d5e..62dc839245 100644 --- a/poky/meta/recipes-core/busybox/busybox.inc +++ b/poky/meta/recipes-core/busybox/busybox.inc @@ -138,19 +138,26 @@ do_configure () { do_prepare_config merge_config.sh -m .config ${@" ".join(find_cfgs(d))} cml1_do_configure + + # Save a copy of .config and autoconf.h. + cp .config .config.orig + cp include/autoconf.h include/autoconf.h.orig } do_compile() { unset CFLAGS CPPFLAGS CXXFLAGS LDFLAGS export KCONFIG_NOTIMESTAMP=1 + # Ensure we start do_compile with the original .config and autoconf.h. + # These files should always have matching timestamps. + cp .config.orig .config + cp include/autoconf.h.orig include/autoconf.h + if [ "${BUSYBOX_SPLIT_SUID}" = "1" -a x`grep "CONFIG_FEATURE_INDIVIDUAL=y" .config` = x ]; then + # Guard againt interrupted do_compile: clean temporary files. + rm -f .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps + # split the .config into two parts, and make two busybox binaries - if [ -e .config.orig ]; then - # Need to guard again an interrupted do_compile - restore any backup - cp .config.orig .config - fi - cp .config .config.orig oe_runmake busybox.cfg.suid oe_runmake busybox.cfg.nosuid @@ -187,15 +194,18 @@ do_compile() { bbfatal "busybox suid binary incorrectly provides /bin/sh" fi - # copy .config.orig back to .config, because the install process may check this file - cp .config.orig .config # cleanup - rm .config.orig .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps + rm .config.app.suid .config.app.nosuid .config.disable.apps .config.nonapps else oe_runmake busybox_unstripped cp busybox_unstripped busybox oe_runmake busybox.links fi + + # restore original .config and autoconf.h, because the install process + # may check these files + cp .config.orig .config + cp include/autoconf.h.orig include/autoconf.h } do_install () { diff --git a/poky/meta/recipes-core/busybox/busybox/0001-depmod-Ignore-.debug-directories.patch b/poky/meta/recipes-core/busybox/busybox/0001-depmod-Ignore-.debug-directories.patch index 354f83a4a5..d76118f85b 100644 --- a/poky/meta/recipes-core/busybox/busybox/0001-depmod-Ignore-.debug-directories.patch +++ b/poky/meta/recipes-core/busybox/busybox/0001-depmod-Ignore-.debug-directories.patch @@ -21,7 +21,7 @@ index bb42bbe..aa5a2de 100644 /* Arbitrary. Was sb->st_size, but that breaks .gz etc */ size_t len = (64*1024*1024 - 4096); -+ if (strstr(fname, ".debug") == NULL) ++ if (strstr(fname, ".debug") != NULL) + return TRUE; + if (strrstr(fname, ".ko") == NULL) diff --git a/poky/meta/recipes-core/dbus/dbus_1.14.0.bb b/poky/meta/recipes-core/dbus/dbus_1.14.6.bb index 7598c45f8e..cc81047cef 100644 --- a/poky/meta/recipes-core/dbus/dbus_1.14.0.bb +++ b/poky/meta/recipes-core/dbus/dbus_1.14.6.bb @@ -6,16 +6,17 @@ SECTION = "base" inherit autotools pkgconfig gettext upstream-version-is-even ptest-gnome LICENSE = "AFL-2.1 | GPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://COPYING;md5=10dded3b58148f3f1fd804b26354af3e \ - file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8" +LIC_FILES_CHKSUM = "file://COPYING;md5=6423dcd74d7be9715b0db247fd889da3 \ + file://dbus/dbus.h;beginline=6;endline=20;md5=866739837ccd835350af94dccd6457d8 \ + " SRC_URI = "https://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.xz \ file://run-ptest \ file://tmpdir.patch \ file://dbus-1.init \ -" + " -SRC_URI[sha256sum] = "ccd7cce37596e0a19558fd6648d1272ab43f011d80c8635aea8fd0bad58aebd4" +SRC_URI[sha256sum] = "fd2bdf1bb89dc365a46531bff631536f22b0d1c6d5ce2c5c5e59b55265b3d66b" EXTRA_OECONF = "--disable-xml-docs \ --disable-doxygen-docs \ @@ -181,3 +182,5 @@ do_install:class-nativesdk() { rm -rf ${D}${localstatedir}/run } BBCLASSEXTEND = "native nativesdk" + +CVE_PRODUCT += "d-bus_project:d-bus" diff --git a/poky/meta/recipes-core/dropbear/dropbear.inc b/poky/meta/recipes-core/dropbear/dropbear.inc index 2d6e64cf8d..f3f085b616 100644 --- a/poky/meta/recipes-core/dropbear/dropbear.inc +++ b/poky/meta/recipes-core/dropbear/dropbear.inc @@ -27,7 +27,9 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear.socket \ file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} " + ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \ + file://CVE-2021-36369.patch \ + " PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \ diff --git a/poky/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch b/poky/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch new file mode 100644 index 0000000000..5ff11abdd6 --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/CVE-2021-36369.patch @@ -0,0 +1,145 @@ +From e9b15a8b1035b62413b2b881315c6bffd02205d4 Mon Sep 17 00:00:00 2001 +From: Manfred Kaiser <37737811+manfred-kaiser@users.noreply.github.com> +Date: Thu, 19 Aug 2021 17:37:14 +0200 +Subject: [PATCH] added option to disable trivial auth methods (#128) + +* added option to disable trivial auth methods + +* rename argument to match with other ssh clients + +* fixed trivial auth detection for pubkeys + +[https://github.com/mkj/dropbear/pull/128] +Upstream-Status: Backport +CVE: CVE-2021-36369 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + cli-auth.c | 3 +++ + cli-authinteract.c | 1 + + cli-authpasswd.c | 2 +- + cli-authpubkey.c | 1 + + cli-runopts.c | 7 +++++++ + cli-session.c | 1 + + runopts.h | 1 + + session.h | 1 + + 8 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/cli-auth.c b/cli-auth.c +index 2e509e5..6f04495 100644 +--- a/cli-auth.c ++++ b/cli-auth.c +@@ -267,6 +267,9 @@ void recv_msg_userauth_success() { + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ + + TRACE(("received msg_userauth_success")) ++ if (cli_opts.disable_trivial_auth && cli_ses.is_trivial_auth) { ++ dropbear_exit("trivial authentication not allowed"); ++ } + /* Note: in delayed-zlib mode, setting authdone here + * will enable compression in the transport layer */ + ses.authstate.authdone = 1; +diff --git a/cli-authinteract.c b/cli-authinteract.c +index e1cc9a1..f7128ee 100644 +--- a/cli-authinteract.c ++++ b/cli-authinteract.c +@@ -114,6 +114,7 @@ void recv_msg_userauth_info_request() { + m_free(instruction); + + for (i = 0; i < num_prompts; i++) { ++ cli_ses.is_trivial_auth = 0; + unsigned int response_len = 0; + prompt = buf_getstring(ses.payload, NULL); + cleantext(prompt); +diff --git a/cli-authpasswd.c b/cli-authpasswd.c +index 00fdd8b..a24d43e 100644 +--- a/cli-authpasswd.c ++++ b/cli-authpasswd.c +@@ -155,7 +155,7 @@ void cli_auth_password() { + + encrypt_packet(); + m_burn(password, strlen(password)); +- ++ cli_ses.is_trivial_auth = 0; + TRACE(("leave cli_auth_password")) + } + #endif /* DROPBEAR_CLI_PASSWORD_AUTH */ +diff --git a/cli-authpubkey.c b/cli-authpubkey.c +index 42c4e3f..fa01807 100644 +--- a/cli-authpubkey.c ++++ b/cli-authpubkey.c +@@ -176,6 +176,7 @@ static void send_msg_userauth_pubkey(sign_key *key, enum signature_type sigtype, + buf_putbytes(sigbuf, ses.writepayload->data, ses.writepayload->len); + cli_buf_put_sign(ses.writepayload, key, sigtype, sigbuf); + buf_free(sigbuf); /* Nothing confidential in the buffer */ ++ cli_ses.is_trivial_auth = 0; + } + + encrypt_packet(); +diff --git a/cli-runopts.c b/cli-runopts.c +index 3654b9a..255b47e 100644 +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -152,6 +152,7 @@ void cli_getopts(int argc, char ** argv) { + #if DROPBEAR_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; + #endif ++ cli_opts.disable_trivial_auth = 0; + #if DROPBEAR_CLI_LOCALTCPFWD + cli_opts.localfwds = list_new(); + opts.listen_fwd_all = 0; +@@ -889,6 +890,7 @@ static void add_extendedopt(const char* origstr) { + #if DROPBEAR_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" + #endif ++ "\tDisableTrivialAuth\n" + #ifndef DISABLE_SYSLOG + "\tUseSyslog\n" + #endif +@@ -916,5 +918,10 @@ static void add_extendedopt(const char* origstr) { + return; + } + ++ if (match_extendedopt(&optstr, "DisableTrivialAuth") == DROPBEAR_SUCCESS) { ++ cli_opts.disable_trivial_auth = parse_flag_value(optstr); ++ return; ++ } ++ + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); + } +diff --git a/cli-session.c b/cli-session.c +index 5e5af22..afb54a1 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -165,6 +165,7 @@ static void cli_session_init(pid_t proxy_cmd_pid) { + /* Auth */ + cli_ses.lastprivkey = NULL; + cli_ses.lastauthtype = 0; ++ cli_ses.is_trivial_auth = 1; + + /* For printing "remote host closed" for the user */ + ses.remoteclosed = cli_remoteclosed; +diff --git a/runopts.h b/runopts.h +index 6a4a94c..01201d2 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -159,6 +159,7 @@ typedef struct cli_runopts { + #if DROPBEAR_CLI_ANYTCPFWD + int exit_on_fwd_failure; + #endif ++ int disable_trivial_auth; + #if DROPBEAR_CLI_REMOTETCPFWD + m_list * remotefwds; + #endif +diff --git a/session.h b/session.h +index fb5b8cb..6706592 100644 +--- a/session.h ++++ b/session.h +@@ -316,6 +316,7 @@ struct clientsession { + + int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, + for the last type of auth we tried */ ++ int is_trivial_auth; + int ignore_next_auth_response; + #if DROPBEAR_CLI_INTERACT_AUTH + int auth_interact_failed; /* flag whether interactive auth can still diff --git a/poky/meta/recipes-core/expat/expat_2.4.9.bb b/poky/meta/recipes-core/expat/expat_2.5.0.bb index cb007708c7..7080f934d1 100644 --- a/poky/meta/recipes-core/expat/expat_2.4.9.bb +++ b/poky/meta/recipes-core/expat/expat_2.5.0.bb @@ -14,7 +14,7 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" -SRC_URI[sha256sum] = "7f44d1469b110773a94b0d5abeeeffaef79f8bd6406b07e52394bcf48126437a" +SRC_URI[sha256sum] = "6f0e6e01f7b30025fa05c85fdad1e5d0ec7fd35d9f61b22f34998de11969ff67" EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF" diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch new file mode 100644 index 0000000000..c33fa88a76 --- /dev/null +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch @@ -0,0 +1,51 @@ +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2990] +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 14838522a706ebdcc3cdab661d4c368099fe3a4e Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@arm.com> +Date: Tue, 6 Jul 2021 19:26:03 +0100 +Subject: [PATCH] gio/tests/g-file-info: don't assume million-in-one events + don't happen + +The access and creation time tests create a file, gets the time in +seconds, then gets the time in microseconds and assumes that the +difference between the two has to be above 0. + +As rare as this may be, it can happen: + +$ stat g-file-info-test-50A450 -c %y +2021-07-06 18:24:56.000000767 +0100 + +Change the test to simply assert that the difference not negative to +handle this case. + +This is the same fix as 289f8b, but that was just modification time. +--- + gio/tests/g-file-info.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/tests/g-file-info.c b/gio/tests/g-file-info.c +index 59411c3a8..a213e4b92 100644 +--- a/gio/tests/g-file-info.c ++++ b/gio/tests/g-file-info.c +@@ -239,7 +239,7 @@ test_g_file_info_access_time (void) + g_assert_nonnull (dt_usecs); + + ts = g_date_time_difference (dt_usecs, dt); +- g_assert_cmpint (ts, >, 0); ++ g_assert_cmpint (ts, >=, 0); + g_assert_cmpint (ts, <, G_USEC_PER_SEC); + + /* Try round-tripping the access time. */ +@@ -316,7 +316,7 @@ test_g_file_info_creation_time (void) + g_assert_nonnull (dt_usecs); + + ts = g_date_time_difference (dt_usecs, dt); +- g_assert_cmpint (ts, >, 0); ++ g_assert_cmpint (ts, >=, 0); + g_assert_cmpint (ts, <, G_USEC_PER_SEC); + + /* Try round-tripping the creation time. */ +-- +2.34.1 + diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index dd1ea508d2..b5ab6502a3 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb @@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://0001-Do-not-write-bindir-into-pkg-config-files.patch \ file://0001-meson-Run-atomics-test-on-clang-as-well.patch \ file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \ + file://0001-gio-tests-g-file-info-don-t-assume-million-in-one-ev.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch" diff --git a/poky/meta/recipes-core/glibc/glibc-locale.inc b/poky/meta/recipes-core/glibc/glibc-locale.inc index 7c14abfe99..7f70b3ca4f 100644 --- a/poky/meta/recipes-core/glibc/glibc-locale.inc +++ b/poky/meta/recipes-core/glibc/glibc-locale.inc @@ -5,14 +5,9 @@ SUMMARY = "Locale data from glibc" BPN = "glibc" LOCALEBASEPN = "${MLPREFIX}glibc" -# glibc-collateral.inc inhibits all default deps, but do_package needs objcopy -# ERROR: objcopy failed with exit code 127 (cmd was 'i586-webos-linux-objcopy' --only-keep-debug 'glibc-locale/2.17-r0/package/usr/lib/gconv/IBM1166.so' 'glibc-locale/2.17-r0/package/usr/lib/gconv/.debug/IBM1166.so') -# ERROR: Function failed: split_and_strip_files -BINUTILSDEP = "virtual/${MLPREFIX}${TARGET_PREFIX}binutils:do_populate_sysroot" -BINUTILSDEP:class-nativesdk = "virtual/${TARGET_PREFIX}binutils-crosssdk:do_populate_sysroot" -do_package[depends] += "${BINUTILSDEP}" - -DEPENDS += "virtual/libc" +# Do not inhibit default deps, do_package requires binutils/gcc for +# objcopy/gcc-nm and glibc-locale depends on virtual/libc directly. +INHIBIT_DEFAULT_DEPS = "" # Binary locales are generated at build time if ENABLE_BINARY_LOCALE_GENERATION # is set. The idea is to avoid running localedef on the target (at first boot) diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc index d3cea19f9c..d36da0ce3f 100644 --- a/poky/meta/recipes-core/glibc/glibc-version.inc +++ b/poky/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.35/master" PV = "2.35" -SRCREV_glibc ?= "f8ad66a4cab14ed294bf50e7a9eddb73da6cf307" +SRCREV_glibc ?= "293211b6fddf60fc407d21fcba0326dd2148f76b" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/poky/meta/recipes-core/glibc/glibc.inc b/poky/meta/recipes-core/glibc/glibc.inc index fdd241d973..3b940b8ab2 100644 --- a/poky/meta/recipes-core/glibc/glibc.inc +++ b/poky/meta/recipes-core/glibc/glibc.inc @@ -1,7 +1,9 @@ require glibc-common.inc require glibc-ld.inc -DEPENDS = "virtual/${TARGET_PREFIX}gcc libgcc-initial linux-libc-headers" +DEPENDS = "virtual/${TARGET_PREFIX}gcc virtual/${TARGET_PREFIX}binutils${BUSUFFIX} libgcc-initial linux-libc-headers" +BUSUFFIX= "" +BUSUFFIX:class-nativesdk = "-crosssdk" PROVIDES = "virtual/libc" PROVIDES += "virtual/libintl virtual/libiconv" diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch new file mode 100644 index 0000000000..10c7e5666d --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch @@ -0,0 +1,82 @@ +From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?= + =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru> +Date: Sat, 4 Feb 2023 14:41:38 +0300 +Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `__monstartup()` allocates a buffer used to store all the data +accumulated by the monitor. + +The size of this buffer depends on the size of the internal structures +used and the address range for which the monitor is activated, as well +as on the maximum density of call instructions and/or callable functions +that could be potentially on a segment of executable code. + +In particular a hash table of arcs is placed at the end of this buffer. +The size of this hash table is calculated in bytes as + p->fromssize = p->textsize / HASHFRACTION; + +but actually should be + p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + +This results in writing beyond the end of the allocated buffer when an +added arc corresponds to a call near from the end of the monitored +address range, since `_mcount()` check the incoming caller address for +monitored range but not the intermediate result hash-like index that +uses to write into the table. + +It should be noted that when the results are output to `gmon.out`, the +table is read to the last element calculated from the allocated size in +bytes, so the arcs stored outside the buffer boundary did not fall into +`gprof` for analysis. Thus this "feature" help me to found this bug +during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438 + +Just in case, I will explicitly note that the problem breaks the +`make test t=gmon/tst-gmon-dso` added for Bug 29438. +There, the arc of the `f3()` call disappears from the output, since in +the DSO case, the call to `f3` is located close to the end of the +monitored range. + +Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru> + +Another minor error seems a related typo in the calculation of +`kcountsize`, but since kcounts are smaller than froms, this is +actually to align the p->froms data. + +Co-authored-by: DJ Delorie <dj@redhat.com> +Reviewed-by: Carlos O'Donell <carlos@redhat.com> + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc] +CVE: CVE-2023-0687 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + gmon/gmon.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/gmon/gmon.c b/gmon/gmon.c +index dee6480..bf76358 100644 +--- a/gmon/gmon.c ++++ b/gmon/gmon.c +@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc) + p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER)); + p->textsize = p->highpc - p->lowpc; ++ /* This looks like a typo, but it's here to align the p->froms ++ section. */ + p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms)); + p->hashfraction = HASHFRACTION; + p->log_hashfraction = -1; +@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc) + instead of integer division. Precompute shift amount. */ + p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1; + } +- p->fromssize = p->textsize / HASHFRACTION; ++ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms)); + p->tolimit = p->textsize * ARCDENSITY / 100; + if (p->tolimit < MINARCS) + p->tolimit = MINARCS; +-- +2.7.4 diff --git a/poky/meta/recipes-core/glibc/glibc_2.35.bb b/poky/meta/recipes-core/glibc/glibc_2.35.bb index df847e76bf..29fcb1d627 100644 --- a/poky/meta/recipes-core/glibc/glibc_2.35.bb +++ b/poky/meta/recipes-core/glibc/glibc_2.35.bb @@ -50,6 +50,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ \ file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \ + file://CVE-2023-0687.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" diff --git a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.37.bb b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.39.bb index 57d4152a39..7096bc94d7 100644 --- a/poky/meta/recipes-core/ifupdown/ifupdown_0.8.37.bb +++ b/poky/meta/recipes-core/ifupdown/ifupdown_0.8.39.bb @@ -16,7 +16,7 @@ SRC_URI = "git://salsa.debian.org/debian/ifupdown.git;protocol=https;branch=mast file://0001-ifupdown-skip-wrong-test-case.patch \ ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://tweak-ptest-script.patch', '', d)} \ " -SRCREV = "2b4138f36ce3ba37186aa01b502273e0c39ab518" +SRCREV = "be91dd267b4a8db502a6bbf5758563f7048b8078" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 61a9cd4aa3..e77353f6ed 100644 --- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx" inherit core-image setuptools3 -SRCREV ?= "d64bef1c7d713b92a51228e5ade945835e5a94a4" +SRCREV ?= "c3038cddbce42b7e4268c1f0b45e9fba85caa231" SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/poky/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.28.bb b/poky/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb index ec9f9f4fa3..ec9f9f4fa3 100644 --- a/poky/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.28.bb +++ b/poky/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb diff --git a/poky/meta/recipes-core/libxcrypt/libxcrypt.inc b/poky/meta/recipes-core/libxcrypt/libxcrypt.inc index 39ba2636ff..61b0381076 100644 --- a/poky/meta/recipes-core/libxcrypt/libxcrypt.inc +++ b/poky/meta/recipes-core/libxcrypt/libxcrypt.inc @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSING;md5=c0a30e2b1502c55a7f37e412cd6c6a4b \ inherit autotools pkgconfig SRC_URI = "git://github.com/besser82/libxcrypt.git;branch=${SRCBRANCH};protocol=https" -SRCREV = "50cf2b6dd4fdf04309445f2eec8de7051d953abf" +SRCREV = "d7fe1ac04c326dba7e0440868889d1dccb41a175" SRCBRANCH ?= "develop" SRC_URI += "file://fix_cflags_handling.patch" diff --git a/poky/meta/recipes-core/libxcrypt/libxcrypt_4.4.28.bb b/poky/meta/recipes-core/libxcrypt/libxcrypt_4.4.30.bb index 79dba2f6dc..79dba2f6dc 100644 --- a/poky/meta/recipes-core/libxcrypt/libxcrypt_4.4.28.bb +++ b/poky/meta/recipes-core/libxcrypt/libxcrypt_4.4.30.bb diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch new file mode 100644 index 0000000000..346ec37a9f --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40303.patch @@ -0,0 +1,624 @@ +From 15050f59d2a62b97b34e9cab8b8076a68ef003bd Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Thu, 25 Aug 2022 17:43:08 +0200 +Subject: [PATCH] CVE-2022-40303 + +Fix integer overflows with XML_PARSE_HUGE + +Also impose size limits when XML_PARSE_HUGE is set. Limit size of names +to XML_MAX_TEXT_LENGTH (10 million bytes) and other content to +XML_MAX_HUGE_LENGTH (1 billion bytes). + +Move some the length checks to the end of the respective loop to make +them strict. + +xmlParseEntityValue didn't have a length limitation at all. But without +XML_PARSE_HUGE, this should eventually trigger an error in xmlGROW. + +Thanks to Maddie Stone working with Google Project Zero for the report! + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0] +CVE: CVE-2022-40303 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + parser.c | 233 +++++++++++++++++++++++++++++-------------------------- + 1 file changed, 121 insertions(+), 112 deletions(-) + +diff --git a/parser.c b/parser.c +index 1bc3713..0f76577 100644 +--- a/parser.c ++++ b/parser.c +@@ -115,6 +115,8 @@ xmlParseElementEnd(xmlParserCtxtPtr ctxt); + * * + ************************************************************************/ + ++#define XML_MAX_HUGE_LENGTH 1000000000 ++ + #define XML_PARSER_BIG_ENTITY 1000 + #define XML_PARSER_LOT_ENTITY 5000 + +@@ -565,7 +567,7 @@ xmlFatalErr(xmlParserCtxtPtr ctxt, xmlParserErrors error, const char *info) + errmsg = "Malformed declaration expecting version"; + break; + case XML_ERR_NAME_TOO_LONG: +- errmsg = "Name too long use XML_PARSE_HUGE option"; ++ errmsg = "Name too long"; + break; + #if 0 + case: +@@ -3210,6 +3212,9 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNameComplex++; +@@ -3275,7 +3280,8 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } +@@ -3301,13 +3307,13 @@ xmlParseNameComplex(xmlParserCtxtPtr ctxt) { + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3346,7 +3352,10 @@ const xmlChar * + xmlParseName(xmlParserCtxtPtr ctxt) { + const xmlChar *in; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + GROW; + +@@ -3370,8 +3379,7 @@ xmlParseName(xmlParserCtxtPtr ctxt) { + in++; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Name"); + return(NULL); + } +@@ -3392,6 +3400,9 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + size_t startPosition = 0; + + #ifdef DEBUG +@@ -3412,17 +3423,13 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + while ((c != ' ') && (c != '>') && (c != '/') && /* test bigname.xml */ + (xmlIsNameChar(ctxt, c) && (c != ':'))) { + if (count++ > XML_PARSER_CHUNK_SIZE) { +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- return(NULL); +- } + count = 0; + GROW; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + } +- len += l; ++ if (len <= INT_MAX - l) ++ len += l; + NEXTL(l); + c = CUR_CHAR(l); + if (c == 0) { +@@ -3440,8 +3447,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3467,7 +3473,10 @@ static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { + const xmlChar *in, *e; + const xmlChar *ret; +- int count = 0; ++ size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNCName++; +@@ -3492,8 +3501,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; +- if ((count > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (count > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3575,6 +3583,9 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + const xmlChar *cur = *str; + int len = 0, l; + int c; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseStringName++; +@@ -3610,12 +3621,6 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3629,14 +3634,18 @@ xmlParseStringName(xmlParserCtxtPtr ctxt, const xmlChar** str) { + COPY_BUF(l,buffer,len,c); + cur += l; + c = CUR_SCHAR(cur, l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + *str = cur; + return(buffer); + } + } +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NCName"); + return(NULL); + } +@@ -3663,6 +3672,9 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + int len = 0, l; + int c; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + + #ifdef DEBUG + nbParseNmToken++; +@@ -3714,12 +3726,6 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + if (len + 10 > max) { + xmlChar *tmp; + +- if ((max > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); +- xmlFree(buffer); +- return(NULL); +- } + max *= 2; + tmp = (xmlChar *) xmlRealloc(buffer, + max * sizeof(xmlChar)); +@@ -3733,6 +3739,11 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + COPY_BUF(l,buffer,len,c); + NEXTL(l); + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); ++ xmlFree(buffer); ++ return(NULL); ++ } + } + buffer[len] = 0; + return(buffer); +@@ -3740,8 +3751,7 @@ xmlParseNmtoken(xmlParserCtxtPtr ctxt) { + } + if (len == 0) + return(NULL); +- if ((len > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "NmToken"); + return(NULL); + } +@@ -3767,6 +3777,9 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int c, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlChar stop; + xmlChar *ret = NULL; + const xmlChar *cur = NULL; +@@ -3826,6 +3839,12 @@ xmlParseEntityValue(xmlParserCtxtPtr ctxt, xmlChar **orig) { + GROW; + c = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_NOT_FINISHED, ++ "entity value too long\n"); ++ goto error; ++ } + } + buf[len] = 0; + if (ctxt->instate == XML_PARSER_EOF) +@@ -3913,6 +3932,9 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + xmlChar *rep = NULL; + size_t len = 0; + size_t buf_size = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int c, l, in_space = 0; + xmlChar *current = NULL; + xmlEntityPtr ent; +@@ -3944,16 +3966,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + while (((NXT(0) != limit) && /* checked */ + (IS_CHAR(c)) && (c != '<')) && + (ctxt->instate != XML_PARSER_EOF)) { +- /* +- * Impose a reasonable limit on attribute size, unless XML_PARSE_HUGE +- * special option is given +- */ +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } + if (c == '&') { + in_space = 0; + if (NXT(1) == '#') { +@@ -4101,6 +4113,11 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } + GROW; + c = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, ++ "AttValue length too long\n"); ++ goto mem_error; ++ } + } + if (ctxt->instate == XML_PARSER_EOF) + goto error; +@@ -4122,16 +4139,6 @@ xmlParseAttValueComplex(xmlParserCtxtPtr ctxt, int *attlen, int normalize) { + } else + NEXT; + +- /* +- * There we potentially risk an overflow, don't allow attribute value of +- * length more than INT_MAX it is a very reasonable assumption ! +- */ +- if (len >= INT_MAX) { +- xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, +- "AttValue length too long\n"); +- goto mem_error; +- } +- + if (attlen != NULL) *attlen = (int) len; + return(buf); + +@@ -4202,6 +4209,9 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; + int cur, l; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar stop; + int state = ctxt->instate; + int count = 0; +@@ -4229,13 +4239,6 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); +- xmlFree(buf); +- ctxt->instate = (xmlParserInputState) state; +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4264,6 +4267,12 @@ xmlParseSystemLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "SystemLiteral"); ++ xmlFree(buf); ++ ctxt->instate = (xmlParserInputState) state; ++ return(NULL); ++ } + } + buf[len] = 0; + ctxt->instate = (xmlParserInputState) state; +@@ -4291,6 +4300,9 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + int len = 0; + int size = XML_PARSER_BUFFER_SIZE; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_TEXT_LENGTH : ++ XML_MAX_NAME_LENGTH; + xmlChar cur; + xmlChar stop; + int count = 0; +@@ -4318,12 +4330,6 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + if (len + 1 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_NAME_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); +- xmlFree(buf); +- return(NULL); +- } + size *= 2; + tmp = (xmlChar *) xmlRealloc(buf, size * sizeof(xmlChar)); + if (tmp == NULL) { +@@ -4351,6 +4357,11 @@ xmlParsePubidLiteral(xmlParserCtxtPtr ctxt) { + SHRINK; + cur = CUR; + } ++ if (len > maxLength) { ++ xmlFatalErr(ctxt, XML_ERR_NAME_TOO_LONG, "Public ID"); ++ xmlFree(buf); ++ return(NULL); ++ } + } + buf[len] = 0; + if (cur != stop) { +@@ -4750,6 +4761,9 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + int r, rl; + int cur, l; + size_t count = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int inputid; + + inputid = ctxt->input->id; +@@ -4795,13 +4809,6 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + if ((r == '-') && (q == '-')) { + xmlFatalErr(ctxt, XML_ERR_HYPHEN_IN_COMMENT, NULL); + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment too big found", NULL); +- xmlFree (buf); +- return; +- } + if (len + 5 >= size) { + xmlChar *new_buf; + size_t new_size; +@@ -4839,6 +4846,13 @@ xmlParseCommentComplex(xmlParserCtxtPtr ctxt, xmlChar *buf, + GROW; + cur = CUR_CHAR(l); + } ++ ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment too big found", NULL); ++ xmlFree (buf); ++ return; ++ } + } + buf[len] = 0; + if (cur == 0) { +@@ -4883,6 +4897,9 @@ xmlParseComment(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t size = XML_PARSER_BUFFER_SIZE; + size_t len = 0; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + xmlParserInputState state; + const xmlChar *in; + size_t nbchar = 0; +@@ -4966,8 +4983,7 @@ get_more: + buf[len] = 0; + } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if (len > maxLength) { + xmlFatalErrMsgStr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, + "Comment too big found", NULL); + xmlFree (buf); +@@ -5167,6 +5183,9 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + xmlChar *buf = NULL; + size_t len = 0; + size_t size = XML_PARSER_BUFFER_SIZE; ++ size_t maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + int cur, l; + const xmlChar *target; + xmlParserInputState state; +@@ -5242,14 +5261,6 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + return; + } + count = 0; +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + } + COPY_BUF(l,buf,len,cur); + NEXTL(l); +@@ -5259,15 +5270,14 @@ xmlParsePI(xmlParserCtxtPtr ctxt) { + GROW; + cur = CUR_CHAR(l); + } ++ if (len > maxLength) { ++ xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, ++ "PI %s too big found", target); ++ xmlFree(buf); ++ ctxt->instate = state; ++ return; ++ } + } +- if ((len > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +- "PI %s too big found", target); +- xmlFree(buf); +- ctxt->instate = state; +- return; +- } + buf[len] = 0; + if (cur != '?') { + xmlFatalErrMsgStr(ctxt, XML_ERR_PI_NOT_FINISHED, +@@ -8959,6 +8969,9 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + const xmlChar *in = NULL, *start, *end, *last; + xmlChar *ret = NULL; + int line, col; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + GROW; + in = (xmlChar *) CUR_PTR; +@@ -8998,8 +9011,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + start = in; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9012,8 +9024,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + if ((*in++ == 0x20) && (*in == 0x20)) break; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9046,16 +9057,14 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + last = last + delta; + } + end = ctxt->input->end; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); + } + } + } +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9068,8 +9077,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + col++; + if (in >= end) { + GROW_PARSE_ATT_VALUE_INTERNAL(ctxt, in, start, end) +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9077,8 +9085,7 @@ xmlParseAttValueInternal(xmlParserCtxtPtr ctxt, int *len, int *alloc, + } + } + last = in; +- if (((in - start) > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { ++ if ((in - start) > maxLength) { + xmlFatalErrMsg(ctxt, XML_ERR_ATTRIBUTE_NOT_FINISHED, + "AttValue length too long\n"); + return(NULL); +@@ -9768,6 +9775,9 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + int s, sl; + int cur, l; + int count = 0; ++ int maxLength = (ctxt->options & XML_PARSE_HUGE) ? ++ XML_MAX_HUGE_LENGTH : ++ XML_MAX_TEXT_LENGTH; + + /* Check 2.6.0 was NXT(0) not RAW */ + if (CMP9(CUR_PTR, '<', '!', '[', 'C', 'D', 'A', 'T', 'A', '[')) { +@@ -9801,13 +9811,6 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + if (len + 5 >= size) { + xmlChar *tmp; + +- if ((size > XML_MAX_TEXT_LENGTH) && +- ((ctxt->options & XML_PARSE_HUGE) == 0)) { +- xmlFatalErrMsgStr(ctxt, XML_ERR_CDATA_NOT_FINISHED, +- "CData section too big found", NULL); +- xmlFree (buf); +- return; +- } + tmp = (xmlChar *) xmlRealloc(buf, size * 2 * sizeof(xmlChar)); + if (tmp == NULL) { + xmlFree(buf); +@@ -9834,6 +9837,12 @@ xmlParseCDSect(xmlParserCtxtPtr ctxt) { + } + NEXTL(l); + cur = CUR_CHAR(l); ++ if (len > maxLength) { ++ xmlFatalErrMsg(ctxt, XML_ERR_CDATA_NOT_FINISHED, ++ "CData section too big found\n"); ++ xmlFree(buf); ++ return; ++ } + } + buf[len] = 0; + ctxt->instate = XML_PARSER_CONTENT; +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch new file mode 100644 index 0000000000..b24be03315 --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2022-40304.patch @@ -0,0 +1,106 @@ +From cde95d801abc9405ca821ad814c7730333328d96 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 31 Aug 2022 22:11:25 +0200 +Subject: [PATCH] CVE-2022-40304 + +Fix dict corruption caused by entity reference cycles + +When an entity reference cycle is detected, the entity content is +cleared by setting its first byte to zero. But the entity content might +be allocated from a dict. In this case, the dict entry becomes corrupted +leading to all kinds of logic errors, including memory errors like +double-frees. + +Stop storing entity content, orig, ExternalID and SystemID in a dict. +These values are unlikely to occur multiple times in a document, so they +shouldn't have been stored in a dict in the first place. + +Thanks to Ned Williamson and Nathan Wachholz working with Google Project +Zero for the report! + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b] +CVE: CVE-2022-40304 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + entities.c | 55 ++++++++++++++++-------------------------------------- + 1 file changed, 16 insertions(+), 39 deletions(-) + +diff --git a/entities.c b/entities.c +index 1a8f86f..ec1b9a7 100644 +--- a/entities.c ++++ b/entities.c +@@ -112,36 +112,19 @@ xmlFreeEntity(xmlEntityPtr entity) + if ((entity->children) && (entity->owner == 1) && + (entity == (xmlEntityPtr) entity->children->parent)) + xmlFreeNodeList(entity->children); +- if (dict != NULL) { +- if ((entity->name != NULL) && (!xmlDictOwns(dict, entity->name))) +- xmlFree((char *) entity->name); +- if ((entity->ExternalID != NULL) && +- (!xmlDictOwns(dict, entity->ExternalID))) +- xmlFree((char *) entity->ExternalID); +- if ((entity->SystemID != NULL) && +- (!xmlDictOwns(dict, entity->SystemID))) +- xmlFree((char *) entity->SystemID); +- if ((entity->URI != NULL) && (!xmlDictOwns(dict, entity->URI))) +- xmlFree((char *) entity->URI); +- if ((entity->content != NULL) +- && (!xmlDictOwns(dict, entity->content))) +- xmlFree((char *) entity->content); +- if ((entity->orig != NULL) && (!xmlDictOwns(dict, entity->orig))) +- xmlFree((char *) entity->orig); +- } else { +- if (entity->name != NULL) +- xmlFree((char *) entity->name); +- if (entity->ExternalID != NULL) +- xmlFree((char *) entity->ExternalID); +- if (entity->SystemID != NULL) +- xmlFree((char *) entity->SystemID); +- if (entity->URI != NULL) +- xmlFree((char *) entity->URI); +- if (entity->content != NULL) +- xmlFree((char *) entity->content); +- if (entity->orig != NULL) +- xmlFree((char *) entity->orig); +- } ++ if ((entity->name != NULL) && ++ ((dict == NULL) || (!xmlDictOwns(dict, entity->name)))) ++ xmlFree((char *) entity->name); ++ if (entity->ExternalID != NULL) ++ xmlFree((char *) entity->ExternalID); ++ if (entity->SystemID != NULL) ++ xmlFree((char *) entity->SystemID); ++ if (entity->URI != NULL) ++ xmlFree((char *) entity->URI); ++ if (entity->content != NULL) ++ xmlFree((char *) entity->content); ++ if (entity->orig != NULL) ++ xmlFree((char *) entity->orig); + xmlFree(entity); + } + +@@ -177,18 +160,12 @@ xmlCreateEntity(xmlDictPtr dict, const xmlChar *name, int type, + ret->SystemID = xmlStrdup(SystemID); + } else { + ret->name = xmlDictLookup(dict, name, -1); +- if (ExternalID != NULL) +- ret->ExternalID = xmlDictLookup(dict, ExternalID, -1); +- if (SystemID != NULL) +- ret->SystemID = xmlDictLookup(dict, SystemID, -1); ++ ret->ExternalID = xmlStrdup(ExternalID); ++ ret->SystemID = xmlStrdup(SystemID); + } + if (content != NULL) { + ret->length = xmlStrlen(content); +- if ((dict != NULL) && (ret->length < 5)) +- ret->content = (xmlChar *) +- xmlDictLookup(dict, content, ret->length); +- else +- ret->content = xmlStrndup(content, ret->length); ++ ret->content = xmlStrndup(content, ret->length); + } else { + ret->length = 0; + ret->content = NULL; +-- +2.25.1 + diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.14.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.14.bb index 519985bbae..e15f8eb13f 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -13,7 +13,7 @@ DEPENDS = "zlib virtual/libiconv" inherit gnomebase -SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=testtar \ +SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testtar \ file://libxml-64bit.patch \ file://runtest.patch \ file://run-ptest \ @@ -23,10 +23,12 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te file://remove-fuzz-from-ptests.patch \ file://libxml-m4-use-pkgconfig.patch \ file://0001-Port-gentest.py-to-Python-3.patch \ + file://CVE-2022-40303.patch \ + file://CVE-2022-40304.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" -SRC_URI[testtar.sha256sum] = "96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7" +SRC_URI[testtar.sha256sum] = "9b2c865aba66c6429ca301a7ef048d7eca2cdb7a9106184416710853c7b37d0d" BINCONFIG = "${bindir}/xml2-config" diff --git a/poky/meta/recipes-core/meta/buildtools-tarball.bb b/poky/meta/recipes-core/meta/buildtools-tarball.bb index 6b59e4934d..70d740b4e0 100644 --- a/poky/meta/recipes-core/meta/buildtools-tarball.bb +++ b/poky/meta/recipes-core/meta/buildtools-tarball.bb @@ -67,12 +67,17 @@ create_sdk_files:append () { # Generate new (mini) sdk-environment-setup file script=${1:-${SDK_OUTPUT}/${SDKPATH}/environment-setup-${SDK_SYS}} touch $script - echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH' >> $script + echo 'export PATH="${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH"' >> $script echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script if [ -e "${SDK_OUTPUT}${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt" ]; then echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script + echo 'export REQUESTS_CA_BUNDLE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script + echo 'export CURL_CA_BUNDLE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script fi + echo 'HOST_PKG_PATH=$(command -p pkg-config --variable=pc_path pkg-config 2>/dev/null)' >>$script + echo 'export PKG_CONFIG_LIBDIR=${SDKPATHNATIVE}/${libdir}/pkgconfig:${SDKPATHNATIVE}/${datadir}/pkgconfig:${HOST_PKG_PATH:-/usr/lib/pkgconfig:/usr/share/pkgconfig}' >>$script + echo 'unset HOST_PKG_PATH' toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS} diff --git a/poky/meta/recipes-core/meta/cve-update-db-native.bb b/poky/meta/recipes-core/meta/cve-update-db-native.bb index 944243fce9..e042e67b09 100644 --- a/poky/meta/recipes-core/meta/cve-update-db-native.bb +++ b/poky/meta/recipes-core/meta/cve-update-db-native.bb @@ -18,6 +18,11 @@ NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" # Use a negative value to skip the update CVE_DB_UPDATE_INTERVAL ?= "86400" +# Timeout for blocking socket operations, such as the connection attempt. +CVE_SOCKET_TIMEOUT ?= "60" + +CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db" + python () { if not bb.data.inherits_class("cve-check", d): raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") @@ -29,23 +34,15 @@ python do_fetch() { """ import bb.utils import bb.progress - import sqlite3, urllib, urllib.parse, gzip - from datetime import date + import shutil bb.utils.export_proxies(d) - YEAR_START = 2002 - db_file = d.getVar("CVE_CHECK_DB_FILE") db_dir = os.path.dirname(db_file) + db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") - if os.path.exists("{0}-journal".format(db_file)): - # If a journal is present the last update might have been interrupted. In that case, - # just wipe any leftovers and force the DB to be recreated. - os.remove("{0}-journal".format(db_file)) - - if os.path.exists(db_file): - os.remove(db_file) + cleanup_db_download(db_file, db_tmp_file) # The NVD database changes once a day, so no need to update more frequently # Allow the user to force-update @@ -63,9 +60,60 @@ python do_fetch() { pass bb.utils.mkdirhier(db_dir) + if os.path.exists(db_file): + shutil.copy2(db_file, db_tmp_file) + + if update_db_file(db_tmp_file, d) == True: + # Update downloaded correctly, can swap files + shutil.move(db_tmp_file, db_file) + else: + # Update failed, do not modify the database + bb.note("CVE database update failed") + os.remove(db_tmp_file) +} + +do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" +do_fetch[file-checksums] = "" +do_fetch[vardeps] = "" + +def cleanup_db_download(db_file, db_tmp_file): + """ + Cleanup the download space from possible failed downloads + """ + + # Clean up the updates done on the main file + # Remove it only if a journal file exists - it means a complete re-download + if os.path.exists("{0}-journal".format(db_file)): + # If a journal is present the last update might have been interrupted. In that case, + # just wipe any leftovers and force the DB to be recreated. + os.remove("{0}-journal".format(db_file)) + + if os.path.exists(db_file): + os.remove(db_file) + + # Clean-up the temporary file downloads, we can remove both journal + # and the temporary database + if os.path.exists("{0}-journal".format(db_tmp_file)): + # If a journal is present the last update might have been interrupted. In that case, + # just wipe any leftovers and force the DB to be recreated. + os.remove("{0}-journal".format(db_tmp_file)) + + if os.path.exists(db_tmp_file): + os.remove(db_tmp_file) + +def update_db_file(db_tmp_file, d): + """ + Update the given database file + """ + import bb.utils, bb.progress + from datetime import date + import urllib, gzip, sqlite3 + + YEAR_START = 2002 + cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) # Connect to database - conn = sqlite3.connect(db_file) + conn = sqlite3.connect(db_tmp_file) initialize_db(conn) with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: @@ -79,11 +127,14 @@ python do_fetch() { # Retrieve meta last modified date try: - response = urllib.request.urlopen(meta_url) + response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout) except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') - bb.warn("Failed to fetch CVE data (%s)" % e.reason) - return + bb.warn("Failed to fetch CVE data (%s)" % e) + import socket + result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP) + bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result))) + return False if response: for l in response.read().decode("utf-8").splitlines(): @@ -93,7 +144,7 @@ python do_fetch() { break else: bb.warn("Cannot parse CVE metadata, update failed") - return + return False # Compare with current db last modified date cursor = conn.execute("select DATE from META where YEAR = ?", (year,)) @@ -107,14 +158,14 @@ python do_fetch() { # Update db with current year json file try: - response = urllib.request.urlopen(json_url) + response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout) if response: update_db(conn, gzip.decompress(response.read()).decode('utf-8')) conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() except urllib.error.URLError as e: cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) - return + return False else: bb.debug(2, "Already up to date (last modified %s)" % last_modified) # Update success, set the date to cve_check file. @@ -123,11 +174,7 @@ python do_fetch() { conn.commit() conn.close() -} - -do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" -do_fetch[file-checksums] = "" -do_fetch[vardeps] = "" + return True def initialize_db(conn): with conn: diff --git a/poky/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch b/poky/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch index 89d9ffab5e..0c3df4fc44 100644 --- a/poky/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch +++ b/poky/meta/recipes-core/ovmf/ovmf/0001-ovmf-update-path-to-native-BaseTools.patch @@ -10,7 +10,7 @@ tools. The BBAKE_EDK_TOOLS_PATH string is used as a pattern to be replaced with the appropriate location before building. Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com> -Upstream-Status: Pending +Upstream-Status: Inappropriate [oe-core cross compile specific] --- OvmfPkg/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch b/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch index f6141c8af5..2293d7e938 100644 --- a/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch +++ b/poky/meta/recipes-core/ovmf/ovmf/0002-BaseTools-makefile-adjust-to-build-in-under-bitbake.patch @@ -6,8 +6,13 @@ Subject: [PATCH 2/6] BaseTools: makefile: adjust to build in under bitbake Prepend the build flags with those of bitbake. This is to build using the bitbake native sysroot include and library directories. +Note from Alex: this is not appropriate for upstream submission as +the recipe already does lots of similar in-place fixups elsewhere, so +this patch shold be converted to follow that pattern. We're not going +to fight against how upstream wants to configure the build. + Signed-off-by: Ricardo Neri <ricardo.neri@linux.intel.com> -Upstream-Status: Pending +Upstream-Status: Inappropriate [needs to be converted to in-recipe fixups] --- BaseTools/Source/C/Makefiles/header.makefile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/poky/meta/recipes-core/psplash/files/psplash-start.service b/poky/meta/recipes-core/psplash/files/psplash-start.service index 36c2bb38e0..bec9368427 100644 --- a/poky/meta/recipes-core/psplash/files/psplash-start.service +++ b/poky/meta/recipes-core/psplash/files/psplash-start.service @@ -2,6 +2,7 @@ Description=Start psplash boot splash screen DefaultDependencies=no RequiresMountsFor=/run +ConditionFileIsExecutable=/usr/bin/psplash [Service] Type=notify diff --git a/poky/meta/recipes-core/psplash/files/psplash-systemd.service b/poky/meta/recipes-core/psplash/files/psplash-systemd.service index 082207f232..e93e3deb35 100644 --- a/poky/meta/recipes-core/psplash/files/psplash-systemd.service +++ b/poky/meta/recipes-core/psplash/files/psplash-systemd.service @@ -4,6 +4,7 @@ DefaultDependencies=no After=psplash-start.service Requires=psplash-start.service RequiresMountsFor=/run +ConditionFileIsExecutable=/usr/bin/psplash [Service] ExecStart=/usr/bin/psplash-systemd diff --git a/poky/meta/recipes-core/psplash/psplash_git.bb b/poky/meta/recipes-core/psplash/psplash_git.bb index edc0ac1d89..9532ed1534 100644 --- a/poky/meta/recipes-core/psplash/psplash_git.bb +++ b/poky/meta/recipes-core/psplash/psplash_git.bb @@ -58,7 +58,7 @@ python __anonymous() { d.setVarFlag("ALTERNATIVE_TARGET_%s" % ep, 'psplash', '${bindir}/%s' % p) d.appendVar("RDEPENDS:%s" % ep, " %s" % pn) if p == "psplash-default": - d.appendVar("RRECOMMENDS:%s" % pn, " %s" % ep) + d.appendVar("RDEPENDS:%s" % pn, " %s" % ep) } S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch b/poky/meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch new file mode 100644 index 0000000000..b23b735507 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch @@ -0,0 +1,60 @@ +From 25492154b42f68a48752a7f61eaf1fb61e454e52 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Tue, 18 Oct 2022 18:09:06 +0200 +Subject: [PATCH] shared/json: allow json_variant_dump() to return an error + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/7922ead507e0d83e4ec72a8cbd2b67194766e58c] + +Needed to fix CVE-2022-45873.patch backported from systemd/main, +otherwise it fails to build with: + +| ../git/src/shared/elf-util.c: In function 'parse_elf_object': +| ../git/src/shared/elf-util.c:792:27: error: void value not ignored as it ought to be +| 792 | r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL); +| | ^ + +Signed-off-by: Martin Jansa <martin2.jansa@lgepartner.com> +--- + src/shared/json.c | 7 ++++--- + src/shared/json.h | 2 +- + 2 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/shared/json.c b/src/shared/json.c +index dff95eda26..81c05efe22 100644 +--- a/src/shared/json.c ++++ b/src/shared/json.c +@@ -1792,9 +1792,9 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) { + return (int) sz - 1; + } + +-void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) { ++int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) { + if (!v) +- return; ++ return 0; + + if (!f) + f = stdout; +@@ -1820,7 +1820,8 @@ void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const cha + fputc('\n', f); /* In case of SSE add a second newline */ + + if (flags & JSON_FORMAT_FLUSH) +- fflush(f); ++ return fflush_and_check(f); ++ return 0; + } + + int json_variant_filter(JsonVariant **v, char **to_remove) { +diff --git a/src/shared/json.h b/src/shared/json.h +index 8760354b66..c712700763 100644 +--- a/src/shared/json.h ++++ b/src/shared/json.h +@@ -187,7 +187,7 @@ typedef enum JsonFormatFlags { + } JsonFormatFlags; + + int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret); +-void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix); ++int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix); + + int json_variant_filter(JsonVariant **v, char **to_remove); + diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch new file mode 100644 index 0000000000..eb8b0cba12 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch @@ -0,0 +1,45 @@ +From bff52d96598956163d73b7c7bdec7b0ad5b3c2d4 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 15 Nov 2022 16:52:03 +0530 +Subject: [PATCH] CVE-2022-3821 + +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/72d4c15a946d20143cd4c6783c802124bc894dc7] +CVE: CVE-2022-3821 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/basic/time-util.c | 2 +- + src/test/test-time-util.c | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/basic/time-util.c b/src/basic/time-util.c +index b659d6905d..89dc593d44 100644 +--- a/src/basic/time-util.c ++++ b/src/basic/time-util.c +@@ -588,7 +588,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) { + t = b; + } + +- n = MIN((size_t) k, l); ++ n = MIN((size_t) k, l-1); + + l -= n; + p += n; +diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c +index 4d0131827e..8db6b25279 100644 +--- a/src/test/test-time-util.c ++++ b/src/test/test-time-util.c +@@ -238,6 +238,11 @@ TEST(format_timespan) { + test_format_timespan_accuracy(1); + test_format_timespan_accuracy(USEC_PER_MSEC); + test_format_timespan_accuracy(USEC_PER_SEC); ++ ++ /* See issue #23928. */ ++ _cleanup_free_ char *buf; ++ assert_se(buf = new(char, 5)); ++ assert_se(buf == format_timespan(buf, 5, 100005, 1000)); + } + + TEST(verify_timezone) { +-- +2.25.1 + diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch new file mode 100644 index 0000000000..5cf0fe284e --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch @@ -0,0 +1,109 @@ +From 45d323fc889a55fae400a5b08a56273d5724ef4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Tue, 29 Nov 2022 09:00:16 +0100 +Subject: [PATCH 1/2] coredump: adjust whitespace + +(cherry picked from commit 510a146634f3e095b34e2a26023b1b1f99dcb8c0) +(cherry picked from commit cc2eb7a9b5fd6d9dd8ea35fb045ce6e5e16e1187) +(cherry picked from commit cb044d734c44cd3c05a6e438b5b995b2a9cfa73c) + +Preparation to avoid conflicts when applying CVE CVE-2022-4415 +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/45d323fc889a55fae400a5b08a56273d5724ef4a] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + src/coredump/coredump.c | 56 ++++++++++++++++++++--------------------- + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index eaea63f682..8295b03ac7 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -103,16 +103,16 @@ enum { + }; + + static const char * const meta_field_names[_META_MAX] = { +- [META_ARGV_PID] = "COREDUMP_PID=", +- [META_ARGV_UID] = "COREDUMP_UID=", +- [META_ARGV_GID] = "COREDUMP_GID=", +- [META_ARGV_SIGNAL] = "COREDUMP_SIGNAL=", +- [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", +- [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", +- [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", +- [META_COMM] = "COREDUMP_COMM=", +- [META_EXE] = "COREDUMP_EXE=", +- [META_UNIT] = "COREDUMP_UNIT=", ++ [META_ARGV_PID] = "COREDUMP_PID=", ++ [META_ARGV_UID] = "COREDUMP_UID=", ++ [META_ARGV_GID] = "COREDUMP_GID=", ++ [META_ARGV_SIGNAL] = "COREDUMP_SIGNAL=", ++ [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=", ++ [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=", ++ [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=", ++ [META_COMM] = "COREDUMP_COMM=", ++ [META_EXE] = "COREDUMP_EXE=", ++ [META_UNIT] = "COREDUMP_UNIT=", + }; + + typedef struct Context { +@@ -131,9 +131,9 @@ typedef enum CoredumpStorage { + } CoredumpStorage; + + static const char* const coredump_storage_table[_COREDUMP_STORAGE_MAX] = { +- [COREDUMP_STORAGE_NONE] = "none", ++ [COREDUMP_STORAGE_NONE] = "none", + [COREDUMP_STORAGE_EXTERNAL] = "external", +- [COREDUMP_STORAGE_JOURNAL] = "journal", ++ [COREDUMP_STORAGE_JOURNAL] = "journal", + }; + + DEFINE_PRIVATE_STRING_TABLE_LOOKUP(coredump_storage, CoredumpStorage); +@@ -149,13 +149,13 @@ static uint64_t arg_max_use = UINT64_MAX; + + static int parse_config(void) { + static const ConfigTableItem items[] = { +- { "Coredump", "Storage", config_parse_coredump_storage, 0, &arg_storage }, +- { "Coredump", "Compress", config_parse_bool, 0, &arg_compress }, +- { "Coredump", "ProcessSizeMax", config_parse_iec_uint64, 0, &arg_process_size_max }, +- { "Coredump", "ExternalSizeMax", config_parse_iec_uint64_infinity, 0, &arg_external_size_max }, +- { "Coredump", "JournalSizeMax", config_parse_iec_size, 0, &arg_journal_size_max }, +- { "Coredump", "KeepFree", config_parse_iec_uint64, 0, &arg_keep_free }, +- { "Coredump", "MaxUse", config_parse_iec_uint64, 0, &arg_max_use }, ++ { "Coredump", "Storage", config_parse_coredump_storage, 0, &arg_storage }, ++ { "Coredump", "Compress", config_parse_bool, 0, &arg_compress }, ++ { "Coredump", "ProcessSizeMax", config_parse_iec_uint64, 0, &arg_process_size_max }, ++ { "Coredump", "ExternalSizeMax", config_parse_iec_uint64_infinity, 0, &arg_external_size_max }, ++ { "Coredump", "JournalSizeMax", config_parse_iec_size, 0, &arg_journal_size_max }, ++ { "Coredump", "KeepFree", config_parse_iec_uint64, 0, &arg_keep_free }, ++ { "Coredump", "MaxUse", config_parse_iec_uint64, 0, &arg_max_use }, + {} + }; + +@@ -201,15 +201,15 @@ static int fix_acl(int fd, uid_t uid) { + static int fix_xattr(int fd, const Context *context) { + + static const char * const xattrs[_META_MAX] = { +- [META_ARGV_PID] = "user.coredump.pid", +- [META_ARGV_UID] = "user.coredump.uid", +- [META_ARGV_GID] = "user.coredump.gid", +- [META_ARGV_SIGNAL] = "user.coredump.signal", +- [META_ARGV_TIMESTAMP] = "user.coredump.timestamp", +- [META_ARGV_RLIMIT] = "user.coredump.rlimit", +- [META_ARGV_HOSTNAME] = "user.coredump.hostname", +- [META_COMM] = "user.coredump.comm", +- [META_EXE] = "user.coredump.exe", ++ [META_ARGV_PID] = "user.coredump.pid", ++ [META_ARGV_UID] = "user.coredump.uid", ++ [META_ARGV_GID] = "user.coredump.gid", ++ [META_ARGV_SIGNAL] = "user.coredump.signal", ++ [META_ARGV_TIMESTAMP] = "user.coredump.timestamp", ++ [META_ARGV_RLIMIT] = "user.coredump.rlimit", ++ [META_ARGV_HOSTNAME] = "user.coredump.hostname", ++ [META_COMM] = "user.coredump.comm", ++ [META_EXE] = "user.coredump.exe", + }; + + int r = 0; +-- +2.30.2 + diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch new file mode 100644 index 0000000000..8389ee8cd6 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch @@ -0,0 +1,391 @@ +From 1d5e0e9910500f3c3584485f77bfc35e601036e3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Mon, 28 Nov 2022 12:12:55 +0100 +Subject: [PATCH 2/2] coredump: do not allow user to access coredumps with + changed uid/gid/capabilities + +When the user starts a program which elevates its permissions via setuid, +setgid, or capabilities set on the file, it may access additional information +which would then be visible in the coredump. We shouldn't make the the coredump +visible to the user in such cases. + +Reported-by: Matthias Gerstner <mgerstner@suse.de> + +This reads the /proc/<pid>/auxv file and attaches it to the process metadata as +PROC_AUXV. Before the coredump is submitted, it is parsed and if either +at_secure was set (which the kernel will do for processes that are setuid, +setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file +is not made accessible to the user. If we can't access this data, we assume the +file should not be made accessible either. In principle we could also access +the auxv data from a note in the core file, but that is much more complex and +it seems better to use the stand-alone file that is provided by the kernel. + +Attaching auxv is both convient for this patch (because this way it's passed +between the stages along with other fields), but I think it makes sense to save +it in general. + +We use the information early in the core file to figure out if the program was +32-bit or 64-bit and its endianness. This way we don't need heuristics to guess +whether the format of the auxv structure. This test might reject some cases on +fringe architecutes. But the impact would be limited: we just won't grant the +user permissions to view the coredump file. If people report that we're missing +some cases, we can always enhance this to support more architectures. + +I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and +ppc64el, but not the whole coredump handling. + +(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03) +(cherry picked from commit 9b75a3d0502d6741c8ecb7175794345f8eb3827c) +(cherry picked from commit efca5283dc791a07171f80eef84e14fdb58fad57) + +CVE: CVE-2022-4415 +Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/1d5e0e9910500f3c3584485f77bfc35e601036e3] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + src/basic/io-util.h | 9 ++ + src/coredump/coredump.c | 196 +++++++++++++++++++++++++++++++++++++--- + 2 files changed, 192 insertions(+), 13 deletions(-) + +diff --git a/src/basic/io-util.h b/src/basic/io-util.h +index 39728e06bc..3afb134266 100644 +--- a/src/basic/io-util.h ++++ b/src/basic/io-util.h +@@ -91,7 +91,16 @@ struct iovec_wrapper *iovw_new(void); + struct iovec_wrapper *iovw_free(struct iovec_wrapper *iovw); + struct iovec_wrapper *iovw_free_free(struct iovec_wrapper *iovw); + void iovw_free_contents(struct iovec_wrapper *iovw, bool free_vectors); ++ + int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len); ++static inline int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) { ++ /* Move data into iovw or free on error */ ++ int r = iovw_put(iovw, data, len); ++ if (r < 0) ++ free(data); ++ return r; ++} ++ + int iovw_put_string_field(struct iovec_wrapper *iovw, const char *field, const char *value); + int iovw_put_string_field_free(struct iovec_wrapper *iovw, const char *field, char *value); + void iovw_rebase(struct iovec_wrapper *iovw, char *old, char *new); +diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c +index 8295b03ac7..79280ab986 100644 +--- a/src/coredump/coredump.c ++++ b/src/coredump/coredump.c +@@ -4,6 +4,7 @@ + #include <stdio.h> + #include <sys/prctl.h> + #include <sys/statvfs.h> ++#include <sys/auxv.h> + #include <sys/xattr.h> + #include <unistd.h> + +@@ -99,6 +100,7 @@ enum { + + META_EXE = _META_MANDATORY_MAX, + META_UNIT, ++ META_PROC_AUXV, + _META_MAX + }; + +@@ -113,10 +115,12 @@ static const char * const meta_field_names[_META_MAX] = { + [META_COMM] = "COREDUMP_COMM=", + [META_EXE] = "COREDUMP_EXE=", + [META_UNIT] = "COREDUMP_UNIT=", ++ [META_PROC_AUXV] = "COREDUMP_PROC_AUXV=", + }; + + typedef struct Context { + const char *meta[_META_MAX]; ++ size_t meta_size[_META_MAX]; + pid_t pid; + bool is_pid1; + bool is_journald; +@@ -178,13 +182,16 @@ static uint64_t storage_size_max(void) { + return 0; + } + +-static int fix_acl(int fd, uid_t uid) { ++static int fix_acl(int fd, uid_t uid, bool allow_user) { ++ assert(fd >= 0); ++ assert(uid_is_valid(uid)); + + #if HAVE_ACL + int r; + +- assert(fd >= 0); +- assert(uid_is_valid(uid)); ++ /* We don't allow users to read coredumps if the uid or capabilities were changed. */ ++ if (!allow_user) ++ return 0; + + if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY) + return 0; +@@ -244,7 +251,8 @@ static int fix_permissions( + const char *filename, + const char *target, + const Context *context, +- uid_t uid) { ++ uid_t uid, ++ bool allow_user) { + + int r; + +@@ -254,7 +262,7 @@ static int fix_permissions( + + /* Ignore errors on these */ + (void) fchmod(fd, 0640); +- (void) fix_acl(fd, uid); ++ (void) fix_acl(fd, uid, allow_user); + (void) fix_xattr(fd, context); + + r = fsync_full(fd); +@@ -324,6 +332,153 @@ static int make_filename(const Context *context, char **ret) { + return 0; + } + ++static int parse_auxv64( ++ const uint64_t *auxv, ++ size_t size_bytes, ++ int *at_secure, ++ uid_t *uid, ++ uid_t *euid, ++ gid_t *gid, ++ gid_t *egid) { ++ ++ assert(auxv || size_bytes == 0); ++ ++ if (size_bytes % (2 * sizeof(uint64_t)) != 0) ++ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes); ++ ++ size_t words = size_bytes / sizeof(uint64_t); ++ ++ /* Note that we set output variables even on error. */ ++ ++ for (size_t i = 0; i + 1 < words; i += 2) ++ switch (auxv[i]) { ++ case AT_SECURE: ++ *at_secure = auxv[i + 1] != 0; ++ break; ++ case AT_UID: ++ *uid = auxv[i + 1]; ++ break; ++ case AT_EUID: ++ *euid = auxv[i + 1]; ++ break; ++ case AT_GID: ++ *gid = auxv[i + 1]; ++ break; ++ case AT_EGID: ++ *egid = auxv[i + 1]; ++ break; ++ case AT_NULL: ++ if (auxv[i + 1] != 0) ++ goto error; ++ return 0; ++ } ++ error: ++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), ++ "AT_NULL terminator not found, cannot parse auxv structure."); ++} ++ ++static int parse_auxv32( ++ const uint32_t *auxv, ++ size_t size_bytes, ++ int *at_secure, ++ uid_t *uid, ++ uid_t *euid, ++ gid_t *gid, ++ gid_t *egid) { ++ ++ assert(auxv || size_bytes == 0); ++ ++ size_t words = size_bytes / sizeof(uint32_t); ++ ++ if (size_bytes % (2 * sizeof(uint32_t)) != 0) ++ return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes); ++ ++ /* Note that we set output variables even on error. */ ++ ++ for (size_t i = 0; i + 1 < words; i += 2) ++ switch (auxv[i]) { ++ case AT_SECURE: ++ *at_secure = auxv[i + 1] != 0; ++ break; ++ case AT_UID: ++ *uid = auxv[i + 1]; ++ break; ++ case AT_EUID: ++ *euid = auxv[i + 1]; ++ break; ++ case AT_GID: ++ *gid = auxv[i + 1]; ++ break; ++ case AT_EGID: ++ *egid = auxv[i + 1]; ++ break; ++ case AT_NULL: ++ if (auxv[i + 1] != 0) ++ goto error; ++ return 0; ++ } ++ error: ++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), ++ "AT_NULL terminator not found, cannot parse auxv structure."); ++} ++ ++static int grant_user_access(int core_fd, const Context *context) { ++ int at_secure = -1; ++ uid_t uid = UID_INVALID, euid = UID_INVALID; ++ uid_t gid = GID_INVALID, egid = GID_INVALID; ++ int r; ++ ++ assert(core_fd >= 0); ++ assert(context); ++ ++ if (!context->meta[META_PROC_AUXV]) ++ return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), "No auxv data, not adjusting permissions."); ++ ++ uint8_t elf[EI_NIDENT]; ++ errno = 0; ++ if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf)) ++ return log_warning_errno(errno_or_else(EIO), ++ "Failed to pread from coredump fd: %s", errno != 0 ? strerror_safe(errno) : "Unexpected EOF"); ++ ++ if (elf[EI_MAG0] != ELFMAG0 || ++ elf[EI_MAG1] != ELFMAG1 || ++ elf[EI_MAG2] != ELFMAG2 || ++ elf[EI_MAG3] != ELFMAG3 || ++ elf[EI_VERSION] != EV_CURRENT) ++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "Core file does not have ELF header, not adjusting permissions."); ++ if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) || ++ !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB)) ++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "Core file has strange ELF class, not adjusting permissions."); ++ ++ if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN)) ++ return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "Core file has non-native endianness, not adjusting permissions."); ++ ++ if (elf[EI_CLASS] == ELFCLASS64) ++ r = parse_auxv64((const uint64_t*) context->meta[META_PROC_AUXV], ++ context->meta_size[META_PROC_AUXV], ++ &at_secure, &uid, &euid, &gid, &egid); ++ else ++ r = parse_auxv32((const uint32_t*) context->meta[META_PROC_AUXV], ++ context->meta_size[META_PROC_AUXV], ++ &at_secure, &uid, &euid, &gid, &egid); ++ if (r < 0) ++ return r; ++ ++ /* We allow access if we got all the data and at_secure is not set and ++ * the uid/gid matches euid/egid. */ ++ bool ret = ++ at_secure == 0 && ++ uid != UID_INVALID && euid != UID_INVALID && uid == euid && ++ gid != GID_INVALID && egid != GID_INVALID && gid == egid; ++ log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)", ++ ret ? "permit" : "restrict", ++ uid, euid, gid, egid, yes_no(at_secure)); ++ return ret; ++} ++ + static int save_external_coredump( + const Context *context, + int input_fd, +@@ -446,6 +601,8 @@ static int save_external_coredump( + context->meta[META_ARGV_PID], context->meta[META_COMM]); + truncated = r == 1; + ++ bool allow_user = grant_user_access(fd, context) > 0; ++ + #if HAVE_COMPRESSION + if (arg_compress) { + _cleanup_(unlink_and_freep) char *tmp_compressed = NULL; +@@ -483,7 +640,7 @@ static int save_external_coredump( + uncompressed_size += partial_uncompressed_size; + } + +- r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid); ++ r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user); + if (r < 0) + return r; + +@@ -510,7 +667,7 @@ static int save_external_coredump( + "SIZE_LIMIT=%zu", max_size, + "MESSAGE_ID=" SD_MESSAGE_TRUNCATED_CORE_STR); + +- r = fix_permissions(fd, tmp, fn, context, uid); ++ r = fix_permissions(fd, tmp, fn, context, uid, allow_user); + if (r < 0) + return log_error_errno(r, "Failed to fix permissions and finalize coredump %s into %s: %m", coredump_tmpfile_name(tmp), fn); + +@@ -758,7 +915,7 @@ static int change_uid_gid(const Context *context) { + } + + static int submit_coredump( +- Context *context, ++ const Context *context, + struct iovec_wrapper *iovw, + int input_fd) { + +@@ -919,16 +1076,15 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) { + struct iovec *iovec = iovw->iovec + n; + + for (size_t i = 0; i < ELEMENTSOF(meta_field_names); i++) { +- char *p; +- + /* Note that these strings are NUL terminated, because we made sure that a + * trailing NUL byte is in the buffer, though not included in the iov_len + * count (see process_socket() and gather_pid_metadata_*()) */ + assert(((char*) iovec->iov_base)[iovec->iov_len] == 0); + +- p = startswith(iovec->iov_base, meta_field_names[i]); ++ const char *p = startswith(iovec->iov_base, meta_field_names[i]); + if (p) { + context->meta[i] = p; ++ context->meta_size[i] = iovec->iov_len - strlen(meta_field_names[i]); + count++; + break; + } +@@ -1170,6 +1326,7 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { + uid_t owner_uid; + pid_t pid; + char *t; ++ size_t size; + const char *p; + int r; + +@@ -1234,13 +1391,26 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) { + (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_LIMITS=", t); + + p = procfs_file_alloca(pid, "cgroup"); +- if (read_full_virtual_file(p, &t, NULL) >=0) ++ if (read_full_virtual_file(p, &t, NULL) >= 0) + (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_CGROUP=", t); + + p = procfs_file_alloca(pid, "mountinfo"); +- if (read_full_virtual_file(p, &t, NULL) >=0) ++ if (read_full_virtual_file(p, &t, NULL) >= 0) + (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_MOUNTINFO=", t); + ++ /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */ ++ p = procfs_file_alloca(pid, "auxv"); ++ if (read_full_virtual_file(p, &t, &size) >= 0) { ++ char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1); ++ if (buf) { ++ /* Add a dummy terminator to make save_context() happy. */ ++ *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0'; ++ (void) iovw_consume(iovw, buf, size + strlen("COREDUMP_PROC_AUXV=")); ++ } ++ ++ free(t); ++ } ++ + if (get_process_cwd(pid, &t) >= 0) + (void) iovw_put_string_field_free(iovw, "COREDUMP_CWD=", t); + +-- +2.30.2 + diff --git a/poky/meta/recipes-core/systemd/systemd/CVE-2022-45873.patch b/poky/meta/recipes-core/systemd/systemd/CVE-2022-45873.patch new file mode 100644 index 0000000000..94bd22ca43 --- /dev/null +++ b/poky/meta/recipes-core/systemd/systemd/CVE-2022-45873.patch @@ -0,0 +1,124 @@ +From 076b807be472630692c5348c60d0c2b7b28ad437 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Tue, 18 Oct 2022 18:23:53 +0200 +Subject: [PATCH] coredump: avoid deadlock when passing processed backtrace + data + +We would deadlock when passing the data back from the forked-off process that +was doing backtrace generation back to the coredump parent. This is because we +fork the child and wait for it to exit. The child tries to write too much data +to the output pipe, and and after the first 64k blocks on the parent because +the pipe is full. The bug surfaced in Fedora because of a combination of four +factors: +- 87707784c70dc9894ec613df0a6e75e732a362a3 was backported to v251.5, which + allowed coredump processing to be successful. +- 1a0281a3ebf4f8c16d40aa9e63103f16cd23bb2a was NOT backported, so the output + was very verbose. +- Fedora has the ELF package metadata available, so a lot of output can be + generated. Most other distros just don't have the information. +- gnome-calendar crashes and has a bazillion modules and 69596 bytes of output + are generated for it. + +Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2135778. + +The code is changed to try to write data opportunistically. If we get partial +information, that is still logged. In is generally better to log partial +backtrace information than nothing at all. + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437] +CVE: CVE-2022-45873 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/shared/elf-util.c | 37 +++++++++++++++++++++++++++++++------ + 1 file changed, 31 insertions(+), 6 deletions(-) + +diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c +index 6d9fcfbbf2..bd27507346 100644 +--- a/src/shared/elf-util.c ++++ b/src/shared/elf-util.c +@@ -30,6 +30,9 @@ + #define THREADS_MAX 64 + #define ELF_PACKAGE_METADATA_ID 0xcafe1a7e + ++/* The amount of data we're willing to write to each of the output pipes. */ ++#define COREDUMP_PIPE_MAX (1024*1024U) ++ + static void *dw_dl = NULL; + static void *elf_dl = NULL; + +@@ -700,13 +703,13 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + return r; + + if (ret) { +- r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC)); ++ r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC|O_NONBLOCK)); + if (r < 0) + return r; + } + + if (ret_package_metadata) { +- r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC)); ++ r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC|O_NONBLOCK)); + if (r < 0) + return r; + } +@@ -750,8 +753,24 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + goto child_fail; + + if (buf) { +- r = loop_write(return_pipe[1], buf, strlen(buf), false); +- if (r < 0) ++ size_t len = strlen(buf); ++ ++ if (len > COREDUMP_PIPE_MAX) { ++ /* This is iffy. A backtrace can be a few hundred kilobytes, but too much is ++ * too much. Let's log a warning and ignore the rest. */ ++ log_warning("Generated backtrace is %zu bytes (more than the limit of %u bytes), backtrace will be truncated.", ++ len, COREDUMP_PIPE_MAX); ++ len = COREDUMP_PIPE_MAX; ++ } ++ ++ /* Bump the space for the returned string. ++ * Failure is ignored, because partial output is still useful. */ ++ (void) fcntl(return_pipe[1], F_SETPIPE_SZ, len); ++ ++ r = loop_write(return_pipe[1], buf, len, false); ++ if (r == -EAGAIN) ++ log_warning("Write failed, backtrace will be truncated."); ++ else if (r < 0) + goto child_fail; + + return_pipe[1] = safe_close(return_pipe[1]); +@@ -760,13 +779,19 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + if (package_metadata) { + _cleanup_fclose_ FILE *json_out = NULL; + ++ /* Bump the space for the returned string. We don't know how much space we'll need in ++ * advance, so we'll just try to write as much as possible and maybe fail later. */ ++ (void) fcntl(json_pipe[1], F_SETPIPE_SZ, COREDUMP_PIPE_MAX); ++ + json_out = take_fdopen(&json_pipe[1], "w"); + if (!json_out) { + r = -errno; + goto child_fail; + } + +- json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL); ++ r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL); ++ if (r < 0) ++ log_warning_errno(r, "Failed to write JSON package metadata, ignoring: %m"); + } + + _exit(EXIT_SUCCESS); +@@ -801,7 +826,7 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha + + r = json_parse_file(json_in, NULL, 0, &package_metadata, NULL, NULL); + if (r < 0 && r != -EINVAL) /* EINVAL: json was empty, so we got nothing, but that's ok */ +- return r; ++ log_warning_errno(r, "Failed to read or parse json metadata, ignoring: %m"); + } + + if (ret) +-- +2.25.1 + diff --git a/poky/meta/recipes-core/systemd/systemd_250.5.bb b/poky/meta/recipes-core/systemd/systemd_250.5.bb index 5d568f639e..784a7af271 100644 --- a/poky/meta/recipes-core/systemd/systemd_250.5.bb +++ b/poky/meta/recipes-core/systemd/systemd_250.5.bb @@ -25,6 +25,11 @@ SRC_URI += "file://touchscreen.rules \ file://0003-implment-systemd-sysv-install-for-OE.patch \ file://0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch \ file://0001-resolve-Use-sockaddr-pointer-type-for-bind.patch \ + file://CVE-2022-3821.patch \ + file://CVE-2022-45873.patch \ + file://0001-shared-json-allow-json_variant_dump-to-return-an-err.patch \ + file://CVE-2022-4415-1.patch \ + file://CVE-2022-4415-2.patch \ " # patches needed by musl @@ -218,7 +223,7 @@ rootlibdir ?= "${base_libdir}" rootlibexecdir = "${rootprefix}/lib" EXTRA_OEMESON += "-Dnobody-user=nobody \ - -Dnobody-group=nobody \ + -Dnobody-group=nogroup \ -Drootlibdir=${rootlibdir} \ -Drootprefix=${rootprefix} \ -Ddefault-locale=C \ @@ -388,11 +393,13 @@ SYSTEMD_PACKAGES = "${@bb.utils.contains('PACKAGECONFIG', 'binfmt', '${PN}-binfm SYSTEMD_SERVICE:${PN}-binfmt = "systemd-binfmt.service" USERADD_PACKAGES = "${PN} ${PN}-extra-utils \ + udev \ ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-gatewayd', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \ " GROUPADD_PARAM:${PN} = "-r systemd-journal;" +GROUPADD_PARAM:udev = "-r render;-r sgx;" GROUPADD_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}" USERADD_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}" USERADD_PARAM:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}" @@ -430,9 +437,9 @@ FILES:${PN}-binfmt = "${sysconfdir}/binfmt.d/ \ ${rootlibexecdir}/systemd/systemd-binfmt \ ${systemd_system_unitdir}/proc-sys-fs-binfmt_misc.* \ ${systemd_system_unitdir}/systemd-binfmt.service" -RRECOMMENDS:${PN}-binfmt = "kernel-module-binfmt-misc" +RRECOMMENDS:${PN}-binfmt = "${@bb.utils.contains('PACKAGECONFIG', 'binfmt', 'kernel-module-binfmt-misc', '', d)}" -RRECOMMENDS:${PN}-vconsole-setup = "kbd kbd-consolefonts kbd-keymaps" +RRECOMMENDS:${PN}-vconsole-setup = "${@bb.utils.contains('PACKAGECONFIG', 'vconsole', 'kbd kbd-consolefonts kbd-keymaps', '', d)}" FILES:${PN}-journal-gatewayd = "${rootlibexecdir}/systemd/systemd-journal-gatewayd \ diff --git a/poky/meta/recipes-devtools/apt/apt_2.4.5.bb b/poky/meta/recipes-devtools/apt/apt_2.4.5.bb index b5ada2ef55..9ebcdfd527 100644 --- a/poky/meta/recipes-devtools/apt/apt_2.4.5.bb +++ b/poky/meta/recipes-devtools/apt/apt_2.4.5.bb @@ -117,6 +117,7 @@ do_install:append:class-native() { do_install:append:class-nativesdk() { customize_apt_conf_sample + rm -rf ${D}${localstatedir}/log } do_install:append:class-target() { diff --git a/poky/meta/recipes-devtools/binutils/binutils-2.38.inc b/poky/meta/recipes-devtools/binutils/binutils-2.38.inc index fc88d4a79e..bf44e6c762 100644 --- a/poky/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/poky/meta/recipes-devtools/binutils/binutils-2.38.inc @@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_38-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" -SRCREV ?= "5c0b4ee406035917d0e50aa138194fab57ae6bf8" +SRCREV ?= "dc2474e7d204c124ab5a21b4490aa46eb7e1d4c3" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=git" SRC_URI = "\ ${BINUTILS_GIT_URI} \ @@ -39,5 +39,16 @@ SRC_URI = "\ file://0017-CVE-2022-38127-2.patch \ file://0017-CVE-2022-38127-3.patch \ file://0017-CVE-2022-38127-4.patch \ + file://0018-CVE-2022-38128-1.patch \ + file://0018-CVE-2022-38128-2.patch \ + file://0018-CVE-2022-38128-3.patch \ + file://0019-CVE-2022-4285.patch \ + file://0020-CVE-2023-22608-1.patch \ + file://0020-CVE-2023-22608-2.patch \ + file://0020-CVE-2023-22608-3.patch \ + file://0021-CVE-2023-1579-1.patch \ + file://0021-CVE-2023-1579-2.patch \ + file://0021-CVE-2023-1579-3.patch \ + file://0021-CVE-2023-1579-4.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch b/poky/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch index 59a97c13c7..8a5f4a8d79 100644 --- a/poky/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch +++ b/poky/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch @@ -65,7 +65,7 @@ index 121c25d948f..34cbc60e5e9 100644 info.path = NULL; info.len = info.alloc = 0; - tmppath = concat (ld_sysroot, prefix, "/etc/ld.so.conf", -+ tmppath = concat (ld_sysconfdir, "/etc/ld.so.conf", ++ tmppath = concat (ld_sysconfdir, "/ld.so.conf", (const char *) NULL); if (!ldelf_parse_ld_so_conf (&info, tmppath)) { diff --git a/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch b/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch new file mode 100644 index 0000000000..0a490d86b3 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch @@ -0,0 +1,350 @@ +From f07c08e115e27cddf5a0030dc6332bbee1bd9c6a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 21 Jul 2022 08:38:14 +0930 +Subject: [PATCH] binutils/dwarf.c: abbrev caching + +I'm inclined to think that abbrev caching is counter-productive. The +time taken to search the list of abbrevs converted to internal form is +non-zero, and it's easy to decode the raw abbrevs. It's especially +silly to cache empty lists of decoded abbrevs (happens with zero +padding in .debug_abbrev), or abbrevs as they are displayed when there +is no further use of those abbrevs. This patch stops caching in those +cases. + + * dwarf.c (record_abbrev_list_for_cu): Add free_list param. + Put abbrevs on abbrev_lists here. + (new_abbrev_list): Delete function. + (process_abbrev_set): Return newly allocated list. Move + abbrev base, offset and size checking to.. + (find_and_process_abbrev_set): ..here, new function. Handle + lookup of cached abbrevs here, and calculate start and end + for process_abbrev_set. Return free_list if newly alloc'd. + (process_debug_info): Consolidate cached list lookup, new list + alloc and processing into find_and_process_abbrev_set call. + Free list when not cached. + (display_debug_abbrev): Similarly. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f07c08e115e27cddf5a0030dc6332bbee1bd9c6a] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 208 +++++++++++++++++++++++++---------------------- + 1 file changed, 110 insertions(+), 98 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 267ed3bb382..2fc352f74c5 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -882,8 +882,15 @@ static unsigned long next_free_abbrev_m + #define ABBREV_MAP_ENTRIES_INCREMENT 8 + + static void +-record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, abbrev_list * list) ++record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, ++ abbrev_list *list, abbrev_list *free_list) + { ++ if (free_list != NULL) ++ { ++ list->next = abbrev_lists; ++ abbrev_lists = list; ++ } ++ + if (cu_abbrev_map == NULL) + { + num_abbrev_map_entries = INITIAL_NUM_ABBREV_MAP_ENTRIES; +@@ -936,20 +943,6 @@ free_all_abbrevs (void) + } + + static abbrev_list * +-new_abbrev_list (dwarf_vma abbrev_base, dwarf_vma abbrev_offset) +-{ +- abbrev_list * list = (abbrev_list *) xcalloc (sizeof * list, 1); +- +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- +- list->next = abbrev_lists; +- abbrev_lists = list; +- +- return list; +-} +- +-static abbrev_list * + find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base, + dwarf_vma abbrev_offset) + { +@@ -966,7 +959,7 @@ find_abbrev_list_by_abbrev_offset (dwarf + /* Find the abbreviation map for the CU that includes OFFSET. + OFFSET is an absolute offset from the start of the .debug_info section. */ + /* FIXME: This function is going to slow down readelf & objdump. +- Consider using a better algorithm to mitigate this effect. */ ++ Not caching abbrevs is likely the answer. */ + + static abbrev_map * + find_abbrev_map_by_offset (dwarf_vma offset) +@@ -1033,40 +1026,18 @@ add_abbrev_attr (unsigned long attrib + list->last_abbrev->last_attr = attr; + } + +-/* Processes the (partial) contents of a .debug_abbrev section. +- Returns NULL if the end of the section was encountered. +- Returns the address after the last byte read if the end of +- an abbreviation set was found. */ ++/* Return processed (partial) contents of a .debug_abbrev section. ++ Returns NULL on errors. */ + +-static unsigned char * ++static abbrev_list * + process_abbrev_set (struct dwarf_section *section, +- dwarf_vma abbrev_base, +- dwarf_vma abbrev_size, +- dwarf_vma abbrev_offset, +- abbrev_list *list) ++ unsigned char *start, ++ unsigned char *end) + { +- if (abbrev_base >= section->size +- || abbrev_size > section->size - abbrev_base) +- { +- /* PR 17531: file:4bcd9ce9. */ +- warn (_("Debug info is corrupted, abbrev size (%lx) is larger than " +- "abbrev section size (%lx)\n"), +- (unsigned long) (abbrev_base + abbrev_size), +- (unsigned long) section->size); +- return NULL; +- } +- if (abbrev_offset >= abbrev_size) +- { +- warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than " +- "abbrev section size (%lx)\n"), +- (unsigned long) abbrev_offset, +- (unsigned long) abbrev_size); +- return NULL; +- } ++ abbrev_list *list = xmalloc (sizeof (*list)); ++ list->first_abbrev = NULL; ++ list->last_abbrev = NULL; + +- unsigned char *start = section->start + abbrev_base; +- unsigned char *end = start + abbrev_size; +- start += abbrev_offset; + while (start < end) + { + unsigned long entry; +@@ -1079,14 +1050,18 @@ process_abbrev_set (struct dwarf_section + /* A single zero is supposed to end the set according + to the standard. If there's more, then signal that to + the caller. */ +- if (start == end) +- return NULL; +- if (entry == 0) +- return start; ++ if (start == end || entry == 0) ++ { ++ list->start_of_next_abbrevs = start != end ? start : NULL; ++ return list; ++ } + + READ_ULEB (tag, start, end); + if (start == end) +- return NULL; ++ { ++ free (list); ++ return NULL; ++ } + + children = *start++; + +@@ -1121,9 +1096,67 @@ process_abbrev_set (struct dwarf_section + /* Report the missing single zero which ends the section. */ + error (_(".debug_abbrev section not zero terminated\n")); + ++ free (list); + return NULL; + } + ++/* Return a sequence of abbrevs in SECTION starting at ABBREV_BASE ++ plus ABBREV_OFFSET and finishing at ABBREV_BASE + ABBREV_SIZE. ++ If FREE_LIST is non-NULL search the already decoded abbrevs on ++ abbrev_lists first and if found set *FREE_LIST to NULL. If ++ searching doesn't find a matching abbrev, set *FREE_LIST to the ++ newly allocated list. If FREE_LIST is NULL, no search is done and ++ the returned abbrev_list is always newly allocated. */ ++ ++static abbrev_list * ++find_and_process_abbrev_set (struct dwarf_section *section, ++ dwarf_vma abbrev_base, ++ dwarf_vma abbrev_size, ++ dwarf_vma abbrev_offset, ++ abbrev_list **free_list) ++{ ++ if (free_list) ++ *free_list = NULL; ++ ++ if (abbrev_base >= section->size ++ || abbrev_size > section->size - abbrev_base) ++ { ++ /* PR 17531: file:4bcd9ce9. */ ++ warn (_("Debug info is corrupted, abbrev size (%lx) is larger than " ++ "abbrev section size (%lx)\n"), ++ (unsigned long) (abbrev_base + abbrev_size), ++ (unsigned long) section->size); ++ return NULL; ++ } ++ if (abbrev_offset >= abbrev_size) ++ { ++ warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than " ++ "abbrev section size (%lx)\n"), ++ (unsigned long) abbrev_offset, ++ (unsigned long) abbrev_size); ++ return NULL; ++ } ++ ++ unsigned char *start = section->start + abbrev_base + abbrev_offset; ++ unsigned char *end = section->start + abbrev_base + abbrev_size; ++ abbrev_list *list = NULL; ++ if (free_list) ++ list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ if (list == NULL) ++ { ++ list = process_abbrev_set (section, start, end); ++ if (list) ++ { ++ list->abbrev_base = abbrev_base; ++ list->abbrev_offset = abbrev_offset; ++ list->next = NULL; ++ } ++ if (free_list) ++ *free_list = list; ++ } ++ return list; ++} ++ + static const char * + get_TAG_name (unsigned long tag) + { +@@ -3670,7 +3703,6 @@ process_debug_info (struct dwarf_section + dwarf_vma cu_offset; + unsigned int offset_size; + struct cu_tu_set * this_set; +- abbrev_list * list; + unsigned char *end_cu; + + hdrptr = start; +@@ -3726,22 +3758,18 @@ process_debug_info (struct dwarf_section + abbrev_size = this_set->section_sizes [DW_SECT_ABBREV]; + } + +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, +- compunit.cu_abbrev_offset); +- if (list == NULL) +- { +- unsigned char * next; +- +- list = new_abbrev_list (abbrev_base, +- compunit.cu_abbrev_offset); +- next = process_abbrev_set (&debug_displays[abbrev_sec].section, +- abbrev_base, abbrev_size, +- compunit.cu_abbrev_offset, list); +- list->start_of_next_abbrevs = next; +- } +- ++ abbrev_list *list; ++ abbrev_list *free_list; ++ list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section, ++ abbrev_base, abbrev_size, ++ compunit.cu_abbrev_offset, ++ &free_list); + start = end_cu; +- record_abbrev_list_for_cu (cu_offset, start - section_begin, list); ++ if (list != NULL && list->first_abbrev != NULL) ++ record_abbrev_list_for_cu (cu_offset, start - section_begin, ++ list, free_list); ++ else if (free_list != NULL) ++ free_abbrev_list (free_list); + } + + for (start = section_begin, unit = 0; start < end; unit++) +@@ -3757,7 +3785,6 @@ process_debug_info (struct dwarf_section + struct cu_tu_set *this_set; + dwarf_vma abbrev_base; + size_t abbrev_size; +- abbrev_list * list = NULL; + unsigned char *end_cu; + + hdrptr = start; +@@ -3936,20 +3963,10 @@ process_debug_info (struct dwarf_section + } + + /* Process the abbrevs used by this compilation unit. */ +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, +- compunit.cu_abbrev_offset); +- if (list == NULL) +- { +- unsigned char *next; +- +- list = new_abbrev_list (abbrev_base, +- compunit.cu_abbrev_offset); +- next = process_abbrev_set (&debug_displays[abbrev_sec].section, +- abbrev_base, abbrev_size, +- compunit.cu_abbrev_offset, list); +- list->start_of_next_abbrevs = next; +- } +- ++ abbrev_list *list; ++ list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section, ++ abbrev_base, abbrev_size, ++ compunit.cu_abbrev_offset, NULL); + level = 0; + last_level = level; + saved_level = -1; +@@ -4128,6 +4145,8 @@ process_debug_info (struct dwarf_section + if (entry->children) + ++level; + } ++ if (list != NULL) ++ free_abbrev_list (list); + } + + /* Set num_debug_info_entries here so that it can be used to check if +@@ -6353,24 +6372,15 @@ display_debug_abbrev (struct dwarf_secti + + do + { +- abbrev_list * list; +- dwarf_vma offset; +- +- offset = start - section->start; +- list = find_abbrev_list_by_abbrev_offset (0, offset); ++ dwarf_vma offset = start - section->start; ++ abbrev_list *list = find_and_process_abbrev_set (section, 0, ++ section->size, offset, ++ NULL); + if (list == NULL) +- { +- list = new_abbrev_list (0, offset); +- start = process_abbrev_set (section, 0, section->size, offset, list); +- list->start_of_next_abbrevs = start; +- } +- else +- start = list->start_of_next_abbrevs; +- +- if (list->first_abbrev == NULL) +- continue; ++ break; + +- printf (_(" Number TAG (0x%lx)\n"), (long) offset); ++ if (list->first_abbrev) ++ printf (_(" Number TAG (0x%lx)\n"), (long) offset); + + for (entry = list->first_abbrev; entry; entry = entry->next) + { +@@ -6391,6 +6401,8 @@ display_debug_abbrev (struct dwarf_secti + putchar ('\n'); + } + } ++ start = list->start_of_next_abbrevs; ++ free_abbrev_list (list); + } + while (start); + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch b/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch new file mode 100644 index 0000000000..b867b04e96 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch @@ -0,0 +1,436 @@ +From 175b91507b83ad42607d2f6dadaf55b7b511bdbe Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 20 Jul 2022 18:28:50 +0930 +Subject: [PATCH] miscellaneous dwarf.c tidies + + * dwarf.c: Leading and trailing whitespace fixes. + (free_abbrev_list): New function. + (free_all_abbrevs): Use the above. Free cu_abbrev_map here too. + (process_abbrev_set): Print actual section name on error. + (get_type_abbrev_from_form): Add overflow check. + (free_debug_memory): Don't free cu_abbrev_map here.. + (process_debug_info): ..or here. Warn on another case of not + finding a neeeded abbrev. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=175b91507b83ad42607d2f6dadaf55b7b511bdbe] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 216 +++++++++++++++++++++++------------------------ + 1 file changed, 106 insertions(+), 110 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 2b1eec49422..267ed3bb382 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -954,38 +954,41 @@ record_abbrev_list_for_cu (dwarf_vma sta + next_free_abbrev_map_entry ++; + } + +-static void +-free_all_abbrevs (void) ++static abbrev_list * ++free_abbrev_list (abbrev_list *list) + { +- abbrev_list * list; ++ abbrev_entry *abbrv = list->first_abbrev; + +- for (list = abbrev_lists; list != NULL;) ++ while (abbrv) + { +- abbrev_list * next = list->next; +- abbrev_entry * abbrv; ++ abbrev_attr *attr = abbrv->first_attr; + +- for (abbrv = list->first_abbrev; abbrv != NULL;) ++ while (attr) + { +- abbrev_entry * next_abbrev = abbrv->next; +- abbrev_attr * attr; +- +- for (attr = abbrv->first_attr; attr;) +- { +- abbrev_attr *next_attr = attr->next; +- +- free (attr); +- attr = next_attr; +- } +- +- free (abbrv); +- abbrv = next_abbrev; ++ abbrev_attr *next_attr = attr->next; ++ free (attr); ++ attr = next_attr; + } + +- free (list); +- list = next; ++ abbrev_entry *next_abbrev = abbrv->next; ++ free (abbrv); ++ abbrv = next_abbrev; + } + +- abbrev_lists = NULL; ++ abbrev_list *next = list->next; ++ free (list); ++ return next; ++} ++ ++static void ++free_all_abbrevs (void) ++{ ++ while (abbrev_lists) ++ abbrev_lists = free_abbrev_list (abbrev_lists); ++ ++ free (cu_abbrev_map); ++ cu_abbrev_map = NULL; ++ next_free_abbrev_map_entry = 0; + } + + static abbrev_list * +@@ -1017,7 +1020,7 @@ find_abbrev_map_by_offset (dwarf_vma off + && cu_abbrev_map[i].end > offset) + return cu_abbrev_map + i; + +- return NULL; ++ return NULL; + } + + static void +@@ -1140,7 +1143,7 @@ process_abbrev_set (struct dwarf_section + } + + /* Report the missing single zero which ends the section. */ +- error (_(".debug_abbrev section not zero terminated\n")); ++ error (_("%s section not zero terminated\n"), section->name); + + free (list); + return NULL; +@@ -1917,7 +1920,7 @@ fetch_alt_indirect_string (dwarf_vma off + dwarf_vmatoa ("x", offset)); + return _("<offset is too big>"); + } +- ++ + static const char * + get_AT_name (unsigned long attribute) + { +@@ -2199,7 +2202,8 @@ get_type_abbrev_from_form (unsigned long + case DW_FORM_ref4: + case DW_FORM_ref8: + case DW_FORM_ref_udata: +- if (uvalue + cu_offset > (size_t) (cu_end - section->start)) ++ if (uvalue + cu_offset < uvalue ++ || uvalue + cu_offset > (size_t) (cu_end - section->start)) + { + warn (_("Unable to resolve ref form: uvalue %lx + cu_offset %lx > CU size %lx\n"), + uvalue, (long) cu_offset, (long) (cu_end - section->start)); +@@ -2236,7 +2240,7 @@ get_type_abbrev_from_form (unsigned long + else + *map_return = NULL; + } +- ++ + READ_ULEB (abbrev_number, data, section->start + section->size); + + for (entry = map->list->first_abbrev; entry != NULL; entry = entry->next) +@@ -2837,7 +2841,7 @@ read_and_display_attr_value (unsigned lo + if (!do_loc) + printf ("%c<0x%s>", delimiter, dwarf_vmatoa ("x", uvalue + cu_offset)); + break; +- ++ + default: + warn (_("Unrecognized form: 0x%lx\n"), form); + /* What to do? Consume a byte maybe? */ +@@ -3009,7 +3013,7 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_strx3: + case DW_FORM_strx4: + add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false, +- debug_info_p->str_offsets_base), ++ debug_info_p->str_offsets_base), + cu_offset); + break; + case DW_FORM_string: +@@ -3043,7 +3047,7 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_strx3: + case DW_FORM_strx4: + add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false, +- debug_info_p->str_offsets_base), ++ debug_info_p->str_offsets_base), + cu_offset); + break; + case DW_FORM_string: +@@ -3671,11 +3675,8 @@ process_debug_info (struct dwarf_section + introduce (section, false); + + free_all_abbrevs (); +- free (cu_abbrev_map); +- cu_abbrev_map = NULL; +- next_free_abbrev_map_entry = 0; + +- /* In order to be able to resolve DW_FORM_ref_attr forms we need ++ /* In order to be able to resolve DW_FORM_ref_addr forms we need + to load *all* of the abbrevs for all CUs in this .debug_info + section. This does effectively mean that we (partially) read + every CU header twice. */ +@@ -4029,12 +4030,11 @@ process_debug_info (struct dwarf_section + + /* Scan through the abbreviation list until we reach the + correct entry. */ +- if (list == NULL) +- continue; +- +- for (entry = list->first_abbrev; entry != NULL; entry = entry->next) +- if (entry->number == abbrev_number) +- break; ++ entry = NULL; ++ if (list != NULL) ++ for (entry = list->first_abbrev; entry != NULL; entry = entry->next) ++ if (entry->number == abbrev_number) ++ break; + + if (entry == NULL) + { +@@ -4442,7 +4442,7 @@ display_debug_sup (struct dwarf_section + + SAFE_BYTE_GET_AND_INC (is_supplementary, start, 1, end); + if (is_supplementary != 0 && is_supplementary != 1) +- warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n")); ++ warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n")); + + sup_filename = start; + if (is_supplementary && sup_filename[0] != 0) +@@ -5621,7 +5621,7 @@ display_debug_lines_decoded (struct dwar + printf ("%s %11d %#18" DWARF_VMA_FMT "x", + newFileName, state_machine_regs.line, + state_machine_regs.address); +- } ++ } + else + { + if (xop == -DW_LNE_end_sequence) +@@ -6075,7 +6075,7 @@ display_debug_macro (struct dwarf_sectio + load_debug_section_with_follow (str, file); + load_debug_section_with_follow (line, file); + load_debug_section_with_follow (str_index, file); +- ++ + introduce (section, false); + + while (curr < end) +@@ -6519,7 +6519,7 @@ display_loc_list (struct dwarf_section * + + /* Check base address specifiers. */ + if (is_max_address (begin, pointer_size) +- && !is_max_address (end, pointer_size)) ++ && !is_max_address (end, pointer_size)) + { + base_address = end; + print_dwarf_vma (begin, pointer_size); +@@ -6697,7 +6697,7 @@ display_loclists_list (struct dwarf_sect + case DW_LLE_default_location: + begin = end = 0; + break; +- ++ + case DW_LLE_offset_pair: + READ_ULEB (begin, start, section_end); + begin += base_address; +@@ -6993,7 +6993,7 @@ display_offset_entry_loclists (struct dw + unsigned char * start = section->start; + unsigned char * const end = start + section->size; + +- introduce (section, false); ++ introduce (section, false); + + do + { +@@ -7042,14 +7042,14 @@ display_offset_entry_loclists (struct dw + section->name, segment_selector_size); + return 0; + } +- ++ + if (offset_entry_count == 0) + { + warn (_("The %s section contains a table without offset\n"), + section->name); + return 0; + } +- ++ + printf (_("\n Offset Entries starting at 0x%lx:\n"), + (long)(start - section->start)); + +@@ -8295,12 +8295,12 @@ display_debug_ranges (struct dwarf_secti + next = section_begin + offset + debug_info_p->rnglists_base; + + /* If multiple DWARF entities reference the same range then we will +- have multiple entries in the `range_entries' list for the same +- offset. Thanks to the sort above these will all be consecutive in +- the `range_entries' list, so we can easily ignore duplicates +- here. */ ++ have multiple entries in the `range_entries' list for the same ++ offset. Thanks to the sort above these will all be consecutive in ++ the `range_entries' list, so we can easily ignore duplicates ++ here. */ + if (i > 0 && last_offset == offset) +- continue; ++ continue; + last_offset = offset; + + if (dwarf_check != 0 && i > 0) +@@ -10336,7 +10336,7 @@ display_debug_names (struct dwarf_sectio + break; + if (tagno >= 0) + printf ("%s<%lu>", +- (tagno == 0 && second_abbrev_tag == 0 ? " " : "\n\t"), ++ (tagno == 0 && second_abbrev_tag == 0 ? " " : "\n\t"), + (unsigned long) abbrev_tag); + + for (entry = abbrev_lookup; +@@ -10901,7 +10901,7 @@ process_cu_tu_index (struct dwarf_sectio + Check for integer overflow (can occur when size_t is 32-bit) + with overlarge ncols or nused values. */ + if (nused == -1u +- || _mul_overflow ((size_t) ncols, 4, &temp) ++ || _mul_overflow ((size_t) ncols, 4, &temp) + || _mul_overflow ((size_t) nused + 1, temp, &total) + || total > (size_t) (limit - ppool)) + { +@@ -10909,7 +10909,7 @@ process_cu_tu_index (struct dwarf_sectio + section->name); + return 0; + } +- ++ + if (do_display) + { + printf (_(" Offset table\n")); +@@ -11413,8 +11413,8 @@ add_separate_debug_file (const char * fi + + static bool + debuginfod_fetch_separate_debug_info (struct dwarf_section * section, +- char ** filename, +- void * file) ++ char ** filename, ++ void * file) + { + size_t build_id_len; + unsigned char * build_id; +@@ -11432,14 +11432,14 @@ debuginfod_fetch_separate_debug_info (st + + filelen = strnlen ((const char *)section->start, section->size); + if (filelen == section->size) +- /* Corrupt debugaltlink. */ +- return false; ++ /* Corrupt debugaltlink. */ ++ return false; + + build_id = section->start + filelen + 1; + build_id_len = section->size - (filelen + 1); + + if (build_id_len == 0) +- return false; ++ return false; + } + else + return false; +@@ -11451,25 +11451,25 @@ debuginfod_fetch_separate_debug_info (st + + client = debuginfod_begin (); + if (client == NULL) +- return false; ++ return false; + + /* Query debuginfod servers for the target file. If found its path +- will be stored in filename. */ ++ will be stored in filename. */ + fd = debuginfod_find_debuginfo (client, build_id, build_id_len, filename); + debuginfod_end (client); + + /* Only free build_id if we allocated space for a hex string +- in get_build_id (). */ ++ in get_build_id (). */ + if (build_id_len == 0) +- free (build_id); ++ free (build_id); + + if (fd >= 0) +- { +- /* File successfully retrieved. Close fd since we want to +- use open_debug_file () on filename instead. */ +- close (fd); +- return true; +- } ++ { ++ /* File successfully retrieved. Close fd since we want to ++ use open_debug_file () on filename instead. */ ++ close (fd); ++ return true; ++ } + } + + return false; +@@ -11482,7 +11482,7 @@ load_separate_debug_info (const char * + parse_func_type parse_func, + check_func_type check_func, + void * func_data, +- void * file ATTRIBUTE_UNUSED) ++ void * file ATTRIBUTE_UNUSED) + { + const char * separate_filename; + char * debug_filename; +@@ -11597,11 +11597,11 @@ load_separate_debug_info (const char * + & tmp_filename, + file)) + { +- /* File successfully downloaded from server, replace +- debug_filename with the file's path. */ +- free (debug_filename); +- debug_filename = tmp_filename; +- goto found; ++ /* File successfully downloaded from server, replace ++ debug_filename with the file's path. */ ++ free (debug_filename); ++ debug_filename = tmp_filename; ++ goto found; + } + } + #endif +@@ -11766,12 +11766,12 @@ load_build_id_debug_file (const char * m + /* In theory we should extract the contents of the section into + a note structure and then check the fields. For now though + just use hard coded offsets instead: +- ++ + Field Bytes Contents + NSize 0...3 4 + DSize 4...7 8+ + Type 8..11 3 (NT_GNU_BUILD_ID) +- Name 12.15 GNU\0 ++ Name 12.15 GNU\0 + Data 16.... */ + + /* FIXME: Check the name size, name and type fields. */ +@@ -11783,7 +11783,7 @@ load_build_id_debug_file (const char * m + warn (_(".note.gnu.build-id data size is too small\n")); + return; + } +- ++ + if (build_id_size > (section->size - 16)) + { + warn (_(".note.gnu.build-id data size is too bug\n")); +@@ -12075,10 +12075,6 @@ free_debug_memory (void) + + free_all_abbrevs (); + +- free (cu_abbrev_map); +- cu_abbrev_map = NULL; +- next_free_abbrev_map_entry = 0; +- + free (shndx_pool); + shndx_pool = NULL; + shndx_pool_size = 0; diff --git a/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch b/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch new file mode 100644 index 0000000000..04d06ed6b6 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch @@ -0,0 +1,95 @@ +From 695c6dfe7e85006b98c8b746f3fd5f913c94ebff Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 21 Jul 2022 09:56:15 +0930 +Subject: [PATCH] PR29370, infinite loop in display_debug_abbrev + +The PR29370 testcase is a fuzzed object file with multiple +.trace_abbrev sections. Multiple .trace_abbrev or .debug_abbrev +sections are not a violation of the DWARF standard. The DWARF5 +standard even gives an example of multiple .debug_abbrev sections +contained in groups. Caching and lookup of processed abbrevs thus +needs to be done by section and offset rather than base and offset. +(Why base anyway?) Or, since section contents are kept, by a pointer +into the contents. + + PR 29370 + * dwarf.c (struct abbrev_list): Replace abbrev_base and + abbrev_offset with raw field. + (find_abbrev_list_by_abbrev_offset): Delete. + (find_abbrev_list_by_raw_abbrev): New function. + (process_abbrev_set): Set list->raw and list->next. + (find_and_process_abbrev_set): Replace abbrev list lookup with + new function. Don't set list abbrev_base, abbrev_offset or next. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 2fc352f74c5..99fb3566994 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -856,8 +856,7 @@ typedef struct abbrev_list + { + abbrev_entry * first_abbrev; + abbrev_entry * last_abbrev; +- dwarf_vma abbrev_base; +- dwarf_vma abbrev_offset; ++ unsigned char * raw; + struct abbrev_list * next; + unsigned char * start_of_next_abbrevs; + } +@@ -946,14 +945,12 @@ free_all_abbrevs (void) + } + + static abbrev_list * +-find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base, +- dwarf_vma abbrev_offset) ++find_abbrev_list_by_raw_abbrev (unsigned char *raw) + { + abbrev_list * list; + + for (list = abbrev_lists; list != NULL; list = list->next) +- if (list->abbrev_base == abbrev_base +- && list->abbrev_offset == abbrev_offset) ++ if (list->raw == raw) + return list; + + return NULL; +@@ -1040,6 +1037,7 @@ process_abbrev_set (struct dwarf_section + abbrev_list *list = xmalloc (sizeof (*list)); + list->first_abbrev = NULL; + list->last_abbrev = NULL; ++ list->raw = start; + + while (start < end) + { +@@ -1055,6 +1053,7 @@ process_abbrev_set (struct dwarf_section + the caller. */ + if (start == end || entry == 0) + { ++ list->next = NULL; + list->start_of_next_abbrevs = start != end ? start : NULL; + return list; + } +@@ -1144,16 +1143,10 @@ find_and_process_abbrev_set (struct dwar + unsigned char *end = section->start + abbrev_base + abbrev_size; + abbrev_list *list = NULL; + if (free_list) +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ list = find_abbrev_list_by_raw_abbrev (start); + if (list == NULL) + { + list = process_abbrev_set (section, start, end); +- if (list) +- { +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- list->next = NULL; +- } + if (free_list) + *free_list = list; + } diff --git a/poky/meta/recipes-devtools/binutils/binutils/0019-CVE-2022-4285.patch b/poky/meta/recipes-devtools/binutils/binutils/0019-CVE-2022-4285.patch new file mode 100644 index 0000000000..e5e404982e --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0019-CVE-2022-4285.patch @@ -0,0 +1,37 @@ +From 5c831a3c7f3ca98d6aba1200353311e1a1f84c70 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 19 Oct 2022 15:09:12 +0100 +Subject: [PATCH] Fix an illegal memory access when parsing an ELF file + containing corrupt symbol version information. + + PR 29699 + * elf.c (_bfd_elf_slurp_version_tables): Fail if the sh_info field + of the section header is zero. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70] +CVE: CVE-2022-4285 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> +--- + bfd/ChangeLog | 6 ++++++ + bfd/elf.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/bfd/elf.c b/bfd/elf.c +index fe00e0f9189..7cd7febcf95 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -8918,7 +8918,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verref; + } +- elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) bfd_alloc (abfd, amt); ++ if (amt == 0) ++ goto error_return_verref; ++ elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verref == NULL) + goto error_return_verref; + +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch b/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch new file mode 100644 index 0000000000..18d4ac5f9d --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch @@ -0,0 +1,506 @@ +From 116aac1447ee92df25599859293752648e3c6ea0 Mon Sep 17 00:00:00 2001 +From: "Steinar H. Gunderson" <sesse@google.com> +Date: Fri, 20 May 2022 16:10:34 +0200 +Subject: [PATCH] add a trie to map quickly from address range to compilation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + unit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When using perf to profile large binaries, _bfd_dwarf2_find_nearest_line() +becomes a hotspot, as perf wants to get line number information +(for inline-detection purposes) for each and every sample. In Chromium +in particular (the content_shell binary), this entails going through +475k address ranges, which takes a long time when done repeatedly. + +Add a radix-256 trie over the address space to quickly map address to +compilation unit spaces; for content_shell, which is 1.6 GB when some +(but not full) debug information turned is on, we go from 6 ms to +0.006 ms (6 µs) for each lookup from address to compilation unit, a 1000x +speedup. + +There is a modest RAM increase of 180 MB in this binary (the existing +linked list over ranges uses about 10 MB, and the entire perf job uses +between 2-3 GB for a medium-size profile); for smaller binaries with few +ranges, there should be hardly any extra RAM usage at all. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=b43771b045fb5616da3964f2994eefbe8ae70d32] + +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 326 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 312 insertions(+), 14 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index fdf071c3..0ae50a37 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -82,6 +82,77 @@ struct adjusted_section + bfd_vma adj_vma; + }; + ++/* A trie to map quickly from address range to compilation unit. ++ ++ This is a fairly standard radix-256 trie, used to quickly locate which ++ compilation unit any given address belongs to. Given that each compilation ++ unit may register hundreds of very small and unaligned ranges (which may ++ potentially overlap, due to inlining and other concerns), and a large ++ program may end up containing hundreds of thousands of such ranges, we cannot ++ scan through them linearly without undue slowdown. ++ ++ We use a hybrid trie to avoid memory explosion: There are two types of trie ++ nodes, leaves and interior nodes. (Almost all nodes are leaves, so they ++ take up the bulk of the memory usage.) Leaves contain a simple array of ++ ranges (high/low address) and which compilation unit contains those ranges, ++ and when we get to a leaf, we scan through it linearly. Interior nodes ++ contain pointers to 256 other nodes, keyed by the next byte of the address. ++ So for a 64-bit address like 0x1234567abcd, we would start at the root and go ++ down child[0x00]->child[0x00]->child[0x01]->child[0x23]->child[0x45] etc., ++ until we hit a leaf. (Nodes are, in general, leaves until they exceed the ++ default allocation of 16 elements, at which point they are converted to ++ interior node if possible.) This gives us near-constant lookup times; ++ the only thing that can be costly is if there are lots of overlapping ranges ++ within a single 256-byte segment of the binary, in which case we have to ++ scan through them all to find the best match. ++ ++ For a binary with few ranges, we will in practice only have a single leaf ++ node at the root, containing a simple array. Thus, the scheme is efficient ++ for both small and large binaries. ++ */ ++ ++/* Experiments have shown 16 to be a memory-efficient default leaf size. ++ The only case where a leaf will hold more memory than this, is at the ++ bottomost level (covering 256 bytes in the binary), where we'll expand ++ the leaf to be able to hold more ranges if needed. ++ */ ++#define TRIE_LEAF_SIZE 16 ++ ++/* All trie_node pointers will really be trie_leaf or trie_interior, ++ but they have this common head. */ ++struct trie_node ++{ ++ /* If zero, we are an interior node. ++ Otherwise, how many ranges we have room for in this leaf. */ ++ unsigned int num_room_in_leaf; ++}; ++ ++struct trie_leaf ++{ ++ struct trie_node head; ++ unsigned int num_stored_in_leaf; ++ struct { ++ struct comp_unit *unit; ++ bfd_vma low_pc, high_pc; ++ } ranges[TRIE_LEAF_SIZE]; ++}; ++ ++struct trie_interior ++{ ++ struct trie_node head; ++ struct trie_node *children[256]; ++}; ++ ++static struct trie_node *alloc_trie_leaf (bfd *abfd) ++{ ++ struct trie_leaf *leaf = ++ bfd_zalloc (abfd, sizeof (struct trie_leaf)); ++ if (leaf == NULL) ++ return NULL; ++ leaf->head.num_room_in_leaf = TRIE_LEAF_SIZE; ++ return &leaf->head; ++} ++ + struct dwarf2_debug_file + { + /* The actual bfd from which debug info was loaded. Might be +@@ -139,6 +210,9 @@ struct dwarf2_debug_file + /* A list of all previously read comp_units. */ + struct comp_unit *all_comp_units; + ++ /* A list of all previously read comp_units with no ranges (yet). */ ++ struct comp_unit *all_comp_units_without_ranges; ++ + /* Last comp unit in list above. */ + struct comp_unit *last_comp_unit; + +@@ -147,6 +221,9 @@ struct dwarf2_debug_file + + /* Hash table to map offsets to decoded abbrevs. */ + htab_t abbrev_offsets; ++ ++ /* Root of a trie to map addresses to compilation units. */ ++ struct trie_node *trie_root; + }; + + struct dwarf2_debug +@@ -220,6 +297,11 @@ struct comp_unit + /* Chain the previously read compilation units. */ + struct comp_unit *next_unit; + ++ /* Chain the previously read compilation units that have no ranges yet. ++ We scan these separately when we have a trie over the ranges. ++ Unused if arange.high != 0. */ ++ struct comp_unit *next_unit_without_ranges; ++ + /* Likewise, chain the compilation unit read after this one. + The comp units are stored in reversed reading order. */ + struct comp_unit *prev_unit; +@@ -296,6 +378,10 @@ struct comp_unit + + /* TRUE if symbols are cached in hash table for faster lookup by name. */ + bool cached; ++ ++ /* Used when iterating over trie leaves to know which units we have ++ already seen in this iteration. */ ++ bool mark; + }; + + /* This data structure holds the information of an abbrev. */ +@@ -1766,9 +1852,189 @@ concat_filename (struct line_info_table *table, unsigned int file) + return strdup (filename); + } + ++/* Number of bits in a bfd_vma. */ ++#define VMA_BITS (8 * sizeof (bfd_vma)) ++ ++/* Check whether [low1, high1) can be combined with [low2, high2), ++ i.e., they touch or overlap. */ ++static bool ranges_overlap (bfd_vma low1, ++ bfd_vma high1, ++ bfd_vma low2, ++ bfd_vma high2) ++{ ++ if (low1 == low2 || high1 == high2) ++ return true; ++ ++ /* Sort so that low1 is below low2. */ ++ if (low1 > low2) ++ { ++ bfd_vma tmp; ++ ++ tmp = low1; ++ low1 = low2; ++ low2 = tmp; ++ ++ tmp = high1; ++ high1 = high2; ++ high2 = tmp; ++ } ++ ++ /* We touch iff low2 == high1. ++ We overlap iff low2 is within [low1, high1). */ ++ return (low2 <= high1); ++} ++ ++/* Insert an address range in the trie mapping addresses to compilation units. ++ Will return the new trie node (usually the same as is being sent in, but ++ in case of a leaf-to-interior conversion, or expansion of a leaf, it may be ++ different), or NULL on failure. ++ */ ++static struct trie_node *insert_arange_in_trie(bfd *abfd, ++ struct trie_node *trie, ++ bfd_vma trie_pc, ++ unsigned int trie_pc_bits, ++ struct comp_unit *unit, ++ bfd_vma low_pc, ++ bfd_vma high_pc) ++{ ++ bfd_vma clamped_low_pc, clamped_high_pc; ++ int ch, from_ch, to_ch; ++ bool is_full_leaf = false; ++ ++ /* See if we can extend any of the existing ranges. This merging ++ isn't perfect (if merging opens up the possibility of merging two existing ++ ranges, we won't find them), but it takes the majority of the cases. */ ++ if (trie->num_room_in_leaf > 0) ++ { ++ struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int i; ++ ++ for (i = 0; i < leaf->num_stored_in_leaf; ++i) ++ { ++ if (leaf->ranges[i].unit == unit && ++ ranges_overlap(low_pc, high_pc, ++ leaf->ranges[i].low_pc, leaf->ranges[i].high_pc)) ++ { ++ if (low_pc < leaf->ranges[i].low_pc) ++ leaf->ranges[i].low_pc = low_pc; ++ if (high_pc > leaf->ranges[i].high_pc) ++ leaf->ranges[i].high_pc = high_pc; ++ return trie; ++ } ++ } ++ ++ is_full_leaf = leaf->num_stored_in_leaf == trie->num_room_in_leaf; ++ } ++ ++ /* If we're a leaf with no more room and we're _not_ at the bottom, ++ convert to an interior node. */ ++ if (is_full_leaf && trie_pc_bits < VMA_BITS) ++ { ++ const struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int i; ++ ++ trie = bfd_zalloc (abfd, sizeof (struct trie_interior)); ++ if (!trie) ++ return NULL; ++ is_full_leaf = false; ++ ++ /* TODO: If we wanted to save a little more memory at the cost of ++ complexity, we could have reused the old leaf node as one of the ++ children of the new interior node, instead of throwing it away. */ ++ for (i = 0; i < leaf->num_stored_in_leaf; ++i) ++ { ++ if (!insert_arange_in_trie (abfd, trie, trie_pc, trie_pc_bits, ++ leaf->ranges[i].unit, leaf->ranges[i].low_pc, ++ leaf->ranges[i].high_pc)) ++ return NULL; ++ } ++ } ++ ++ /* If we're a leaf with no more room and we _are_ at the bottom, ++ we have no choice but to just make it larger. */ ++ if (is_full_leaf) ++ { ++ const struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int new_room_in_leaf = trie->num_room_in_leaf * 2; ++ struct trie_leaf *new_leaf; ++ ++ new_leaf = bfd_zalloc (abfd, ++ sizeof (struct trie_leaf) + ++ (new_room_in_leaf - TRIE_LEAF_SIZE) * sizeof (leaf->ranges[0])); ++ new_leaf->head.num_room_in_leaf = new_room_in_leaf; ++ new_leaf->num_stored_in_leaf = leaf->num_stored_in_leaf; ++ ++ memcpy (new_leaf->ranges, ++ leaf->ranges, ++ leaf->num_stored_in_leaf * sizeof (leaf->ranges[0])); ++ trie = &new_leaf->head; ++ is_full_leaf = false; ++ ++ /* Now the insert below will go through. */ ++ } ++ ++ /* If we're a leaf (now with room), we can just insert at the end. */ ++ if (trie->num_room_in_leaf > 0) ++ { ++ struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ ++ unsigned int i = leaf->num_stored_in_leaf++; ++ leaf->ranges[i].unit = unit; ++ leaf->ranges[i].low_pc = low_pc; ++ leaf->ranges[i].high_pc = high_pc; ++ return trie; ++ } ++ ++ /* Now we are definitely an interior node, so recurse into all ++ the relevant buckets. */ ++ ++ /* Clamp the range to the current trie bucket. */ ++ clamped_low_pc = low_pc; ++ clamped_high_pc = high_pc; ++ if (trie_pc_bits > 0) ++ { ++ bfd_vma bucket_high_pc = ++ trie_pc + ((bfd_vma)-1 >> trie_pc_bits); /* Inclusive. */ ++ if (clamped_low_pc < trie_pc) ++ clamped_low_pc = trie_pc; ++ if (clamped_high_pc > bucket_high_pc) ++ clamped_high_pc = bucket_high_pc; ++ } ++ ++ /* Insert the ranges in all buckets that it spans. */ ++ from_ch = (clamped_low_pc >> (VMA_BITS - trie_pc_bits - 8)) & 0xff; ++ to_ch = ((clamped_high_pc - 1) >> (VMA_BITS - trie_pc_bits - 8)) & 0xff; ++ for (ch = from_ch; ch <= to_ch; ++ch) ++ { ++ struct trie_interior *interior = (struct trie_interior *) trie; ++ struct trie_node *child = interior->children[ch]; ++ ++ if (child == NULL) ++ { ++ child = alloc_trie_leaf (abfd); ++ if (!child) ++ return NULL; ++ } ++ child = insert_arange_in_trie (abfd, ++ child, ++ trie_pc + ((bfd_vma)ch << (VMA_BITS - trie_pc_bits - 8)), ++ trie_pc_bits + 8, ++ unit, ++ low_pc, ++ high_pc); ++ if (!child) ++ return NULL; ++ ++ interior->children[ch] = child; ++ } ++ ++ return trie; ++} ++ ++ + static bool +-arange_add (const struct comp_unit *unit, struct arange *first_arange, +- bfd_vma low_pc, bfd_vma high_pc) ++arange_add (struct comp_unit *unit, struct arange *first_arange, ++ struct trie_node **trie_root, bfd_vma low_pc, bfd_vma high_pc) + { + struct arange *arange; + +@@ -1776,6 +2042,19 @@ arange_add (const struct comp_unit *unit, struct arange *first_arange, + if (low_pc == high_pc) + return true; + ++ if (trie_root != NULL) ++ { ++ *trie_root = insert_arange_in_trie (unit->file->bfd_ptr, ++ *trie_root, ++ 0, ++ 0, ++ unit, ++ low_pc, ++ high_pc); ++ if (*trie_root == NULL) ++ return false; ++ } ++ + /* If the first arange is empty, use it. */ + if (first_arange->high == 0) + { +@@ -2410,7 +2689,8 @@ decode_line_info (struct comp_unit *unit) + low_pc = address; + if (address > high_pc) + high_pc = address; +- if (!arange_add (unit, &unit->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &unit->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + goto line_fail; + break; + case DW_LNE_set_address: +@@ -3134,7 +3414,7 @@ find_abstract_instance (struct comp_unit *unit, + + static bool + read_ranges (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + bfd_byte *ranges_ptr; + bfd_byte *ranges_end; +@@ -3169,7 +3449,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + base_address = high_pc; + else + { +- if (!arange_add (unit, arange, ++ if (!arange_add (unit, arange, trie_root, + base_address + low_pc, base_address + high_pc)) + return false; + } +@@ -3179,7 +3459,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + + static bool + read_rnglists (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + bfd_byte *rngs_ptr; + bfd_byte *rngs_end; +@@ -3253,19 +3533,19 @@ read_rnglists (struct comp_unit *unit, struct arange *arange, + return false; + } + +- if (!arange_add (unit, arange, low_pc, high_pc)) ++ if (!arange_add (unit, arange, trie_root, low_pc, high_pc)) + return false; + } + } + + static bool + read_rangelist (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + if (unit->version <= 4) +- return read_ranges (unit, arange, offset); ++ return read_ranges (unit, arange, trie_root, offset); + else +- return read_rnglists (unit, arange, offset); ++ return read_rnglists (unit, arange, trie_root, offset); + } + + static struct funcinfo * +@@ -3563,7 +3843,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_ranges: + if (is_int_form (&attr) +- && !read_rangelist (unit, &func->arange, attr.u.val)) ++ && !read_rangelist (unit, &func->arange, ++ &unit->file->trie_root, attr.u.val)) + goto fail; + break; + +@@ -3679,7 +3960,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + + if (func && high_pc != 0) + { +- if (!arange_add (unit, &func->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &func->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + goto fail; + } + } +@@ -3874,7 +4156,8 @@ parse_comp_unit (struct dwarf2_debug *stash, + + case DW_AT_ranges: + if (is_int_form (&attr) +- && !read_rangelist (unit, &unit->arange, attr.u.val)) ++ && !read_rangelist (unit, &unit->arange, ++ &unit->file->trie_root, attr.u.val)) + return NULL; + break; + +@@ -3916,7 +4199,8 @@ parse_comp_unit (struct dwarf2_debug *stash, + high_pc += low_pc; + if (high_pc != 0) + { +- if (!arange_add (unit, &unit->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &unit->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + return NULL; + } + +@@ -4747,6 +5031,14 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + if (!stash->alt.abbrev_offsets) + return false; + ++ stash->f.trie_root = alloc_trie_leaf (abfd); ++ if (!stash->f.trie_root) ++ return false; ++ ++ stash->alt.trie_root = alloc_trie_leaf (abfd); ++ if (!stash->alt.trie_root) ++ return false; ++ + *pinfo = stash; + + if (debug_bfd == NULL) +@@ -4918,6 +5210,12 @@ stash_comp_unit (struct dwarf2_debug *stash, struct dwarf2_debug_file *file) + each->next_unit = file->all_comp_units; + file->all_comp_units = each; + ++ if (each->arange.high == 0) ++ { ++ each->next_unit_without_ranges = file->all_comp_units_without_ranges; ++ file->all_comp_units_without_ranges = each->next_unit_without_ranges; ++ } ++ + file->info_ptr += length; + return each; + } diff --git a/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch b/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch new file mode 100644 index 0000000000..a58b8dccdc --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch @@ -0,0 +1,210 @@ +From 1e716c1b160d56c2ab8711e199cad5b4db47cedf Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 30 Aug 2022 16:01:20 +0100 +Subject: [PATCH] BFD library: Use entry 0 in directory and filename tables of + + DWARF-5 debug info. + + PR 29529 + * dwarf2.c (struct line_info_table): Add new field: + use_dir_and_file_0. + (concat_filename): Use new field to help select the correct table + slot. + (read_formatted_entries): Do not skip entry 0. + (decode_line_info): Set new field depending upon the version of + DWARF being parsed. Initialise filename based upon the setting of + the new field. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=37833b966576c5d25e797ea3b6c33d0459a71892] +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 86 ++++++++++++++++++++---------- + ld/testsuite/ld-x86-64/pr27587.err | 2 +- + 2 files changed, 59 insertions(+), 29 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0ae50a37..b7839ad6 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1571,6 +1571,7 @@ struct line_info_table + unsigned int num_files; + unsigned int num_dirs; + unsigned int num_sequences; ++ bool use_dir_and_file_0; + char * comp_dir; + char ** dirs; + struct fileinfo* files; +@@ -1791,16 +1792,30 @@ concat_filename (struct line_info_table *table, unsigned int file) + { + char *filename; + +- if (table == NULL || file - 1 >= table->num_files) ++ /* Pre DWARF-5 entry 0 in the directory and filename tables was not used. ++ So in order to save space in the tables used here the info for, eg ++ directory 1 is stored in slot 0 of the directory table, directory 2 ++ in slot 1 and so on. ++ ++ Starting with DWARF-5 the 0'th entry is used so there is a one to one ++ mapping between DWARF slots and internal table entries. */ ++ if (! table->use_dir_and_file_0) + { +- /* FILE == 0 means unknown. */ +- if (file) +- _bfd_error_handler +- (_("DWARF error: mangled line number section (bad file number)")); ++ /* Pre DWARF-5, FILE == 0 means unknown. */ ++ if (file == 0) ++ return strdup ("<unknown>"); ++ -- file; ++ } ++ ++ if (table == NULL || file >= table->num_files) ++ { ++ _bfd_error_handler ++ (_("DWARF error: mangled line number section (bad file number)")); + return strdup ("<unknown>"); + } + +- filename = table->files[file - 1].name; ++ filename = table->files[file].name; ++ + if (filename == NULL) + return strdup ("<unknown>"); + +@@ -1811,12 +1826,17 @@ concat_filename (struct line_info_table *table, unsigned int file) + char *name; + size_t len; + +- if (table->files[file - 1].dir ++ if (table->files[file].dir + /* PR 17512: file: 0317e960. */ +- && table->files[file - 1].dir <= table->num_dirs ++ && table->files[file].dir <= table->num_dirs + /* PR 17512: file: 7f3d2e4b. */ + && table->dirs != NULL) +- subdir_name = table->dirs[table->files[file - 1].dir - 1]; ++ { ++ if (table->use_dir_and_file_0) ++ subdir_name = table->dirs[table->files[file].dir]; ++ else ++ subdir_name = table->dirs[table->files[file].dir - 1]; ++ } + + if (!subdir_name || !IS_ABSOLUTE_PATH (subdir_name)) + dir_name = table->comp_dir; +@@ -1857,10 +1877,12 @@ concat_filename (struct line_info_table *table, unsigned int file) + + /* Check whether [low1, high1) can be combined with [low2, high2), + i.e., they touch or overlap. */ +-static bool ranges_overlap (bfd_vma low1, +- bfd_vma high1, +- bfd_vma low2, +- bfd_vma high2) ++ ++static bool ++ranges_overlap (bfd_vma low1, ++ bfd_vma high1, ++ bfd_vma low2, ++ bfd_vma high2) + { + if (low1 == low2 || high1 == high2) + return true; +@@ -1887,15 +1909,16 @@ static bool ranges_overlap (bfd_vma low1, + /* Insert an address range in the trie mapping addresses to compilation units. + Will return the new trie node (usually the same as is being sent in, but + in case of a leaf-to-interior conversion, or expansion of a leaf, it may be +- different), or NULL on failure. +- */ +-static struct trie_node *insert_arange_in_trie(bfd *abfd, +- struct trie_node *trie, +- bfd_vma trie_pc, +- unsigned int trie_pc_bits, +- struct comp_unit *unit, +- bfd_vma low_pc, +- bfd_vma high_pc) ++ different), or NULL on failure. */ ++ ++static struct trie_node * ++insert_arange_in_trie (bfd *abfd, ++ struct trie_node *trie, ++ bfd_vma trie_pc, ++ unsigned int trie_pc_bits, ++ struct comp_unit *unit, ++ bfd_vma low_pc, ++ bfd_vma high_pc) + { + bfd_vma clamped_low_pc, clamped_high_pc; + int ch, from_ch, to_ch; +@@ -2031,7 +2054,6 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, + return trie; + } + +- + static bool + arange_add (struct comp_unit *unit, struct arange *first_arange, + struct trie_node **trie_root, bfd_vma low_pc, bfd_vma high_pc) +@@ -2412,10 +2434,8 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp, + } + } + +- /* Skip the first "zero entry", which is the compilation dir/file. */ +- if (datai != 0) +- if (!callback (table, fe.name, fe.dir, fe.time, fe.size)) +- return false; ++ if (!callback (table, fe.name, fe.dir, fe.time, fe.size)) ++ return false; + } + + *bufp = buf; +@@ -2592,6 +2612,7 @@ decode_line_info (struct comp_unit *unit) + if (!read_formatted_entries (unit, &line_ptr, line_end, table, + line_info_add_file_name)) + goto fail; ++ table->use_dir_and_file_0 = true; + } + else + { +@@ -2614,6 +2635,7 @@ decode_line_info (struct comp_unit *unit) + if (!line_info_add_file_name (table, cur_file, dir, xtime, size)) + goto fail; + } ++ table->use_dir_and_file_0 = false; + } + + /* Read the statement sequences until there's nothing left. */ +@@ -2622,7 +2644,7 @@ decode_line_info (struct comp_unit *unit) + /* State machine registers. */ + bfd_vma address = 0; + unsigned char op_index = 0; +- char * filename = table->num_files ? concat_filename (table, 1) : NULL; ++ char * filename = NULL; + unsigned int line = 1; + unsigned int column = 0; + unsigned int discriminator = 0; +@@ -2637,6 +2659,14 @@ decode_line_info (struct comp_unit *unit) + bfd_vma low_pc = (bfd_vma) -1; + bfd_vma high_pc = 0; + ++ if (table->num_files) ++ { ++ if (table->use_dir_and_file_0) ++ filename = concat_filename (table, 0); ++ else ++ filename = concat_filename (table, 1); ++ } ++ + /* Decode the table. */ + while (!end_sequence && line_ptr < line_end) + { +diff --git a/ld/testsuite/ld-x86-64/pr27587.err b/ld/testsuite/ld-x86-64/pr27587.err +index fa870790..807750ca 100644 +--- a/ld/testsuite/ld-x86-64/pr27587.err ++++ b/ld/testsuite/ld-x86-64/pr27587.err +@@ -1,3 +1,3 @@ + #... +-.*pr27587.i:4: undefined reference to `stack_size' ++.*pr27587/<artificial>:4: undefined reference to `stack_size' + #... diff --git a/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch b/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch new file mode 100644 index 0000000000..a1b74248ce --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch @@ -0,0 +1,32 @@ +From 4b8386a90802ed8e43eac2266f6e03c92b4462ed Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 23 Dec 2022 13:02:04 +0000 +Subject: [PATCH] Fix illegal memory access parsing corrupt DWARF information. + + PR 29936 + * dwarf2.c (concat_filename): Fix check for a directory index off + the end of the directory table. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09] +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index b7839ad6..8b07a24c 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1828,7 +1828,8 @@ concat_filename (struct line_info_table *table, unsigned int file) + + if (table->files[file].dir + /* PR 17512: file: 0317e960. */ +- && table->files[file].dir <= table->num_dirs ++ && table->files[file].dir ++ <= (table->use_dir_and_file_0 ? table->num_dirs - 1 : table->num_dirs) + /* PR 17512: file: 7f3d2e4b. */ + && table->dirs != NULL) + { diff --git a/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch new file mode 100644 index 0000000000..1e9c03e70e --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch @@ -0,0 +1,459 @@ +From f67741e172bf342291fe3abd2b395899ce6433a0 Mon Sep 17 00:00:00 2001 +From: "Potharla, Rupesh" <Rupesh.Potharla@amd.com> +Date: Tue, 24 May 2022 00:01:49 +0000 +Subject: [PATCH] bfd: Add Support for DW_FORM_strx* and DW_FORM_addrx* + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f67741e172bf342291fe3abd2b395899ce6433a0] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 282 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 268 insertions(+), 14 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index f6b0183720b..45e286754e4 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -189,6 +189,18 @@ struct dwarf2_debug_file + /* Length of the loaded .debug_str section. */ + bfd_size_type dwarf_str_size; + ++ /* Pointer to the .debug_str_offsets section loaded into memory. */ ++ bfd_byte *dwarf_str_offsets_buffer; ++ ++ /* Length of the loaded .debug_str_offsets section. */ ++ bfd_size_type dwarf_str_offsets_size; ++ ++ /* Pointer to the .debug_addr section loaded into memory. */ ++ bfd_byte *dwarf_addr_buffer; ++ ++ /* Length of the loaded .debug_addr section. */ ++ bfd_size_type dwarf_addr_size; ++ + /* Pointer to the .debug_line_str section loaded into memory. */ + bfd_byte *dwarf_line_str_buffer; + +@@ -382,6 +394,12 @@ struct comp_unit + /* Used when iterating over trie leaves to know which units we have + already seen in this iteration. */ + bool mark; ++ ++ /* Base address of debug_addr section. */ ++ size_t dwarf_addr_offset; ++ ++ /* Base address of string offset table. */ ++ size_t dwarf_str_offset; + }; + + /* This data structure holds the information of an abbrev. */ +@@ -424,6 +442,8 @@ const struct dwarf_debug_section dwarf_debug_sections[] = + { ".debug_static_vars", ".zdebug_static_vars" }, + { ".debug_str", ".zdebug_str", }, + { ".debug_str", ".zdebug_str", }, ++ { ".debug_str_offsets", ".zdebug_str_offsets", }, ++ { ".debug_addr", ".zdebug_addr", }, + { ".debug_line_str", ".zdebug_line_str", }, + { ".debug_types", ".zdebug_types" }, + /* GNU DWARF 1 extensions */ +@@ -458,6 +478,8 @@ enum dwarf_debug_section_enum + debug_static_vars, + debug_str, + debug_str_alt, ++ debug_str_offsets, ++ debug_addr, + debug_line_str, + debug_types, + debug_sfnames, +@@ -1307,12 +1329,92 @@ is_int_form (const struct attribute *attr) + } + } + ++/* Returns true if the form is strx[1-4]. */ ++ ++static inline bool ++is_strx_form (enum dwarf_form form) ++{ ++ return (form == DW_FORM_strx ++ || form == DW_FORM_strx1 ++ || form == DW_FORM_strx2 ++ || form == DW_FORM_strx3 ++ || form == DW_FORM_strx4); ++} ++ ++/* Return true if the form is addrx[1-4]. */ ++ ++static inline bool ++is_addrx_form (enum dwarf_form form) ++{ ++ return (form == DW_FORM_addrx ++ || form == DW_FORM_addrx1 ++ || form == DW_FORM_addrx2 ++ || form == DW_FORM_addrx3 ++ || form == DW_FORM_addrx4); ++} ++ ++/* Returns the address in .debug_addr section using DW_AT_addr_base. ++ Used to implement DW_FORM_addrx*. */ ++static bfd_vma ++read_indexed_address (bfd_uint64_t idx, ++ struct comp_unit *unit) ++{ ++ struct dwarf2_debug *stash = unit->stash; ++ struct dwarf2_debug_file *file = unit->file; ++ size_t addr_base = unit->dwarf_addr_offset; ++ bfd_byte *info_ptr; ++ ++ if (stash == NULL) ++ return 0; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_addr], ++ file->syms, 0, ++ &file->dwarf_addr_buffer, &file->dwarf_addr_size)) ++ return 0; ++ ++ info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size; ++ ++ if (unit->offset_size == 4) ++ return bfd_get_32 (unit->abfd, info_ptr); ++ else ++ return bfd_get_64 (unit->abfd, info_ptr); ++} ++ ++/* Returns the string using DW_AT_str_offsets_base. ++ Used to implement DW_FORM_strx*. */ + static const char * +-read_indexed_string (bfd_uint64_t idx ATTRIBUTE_UNUSED, +- struct comp_unit * unit ATTRIBUTE_UNUSED) ++read_indexed_string (bfd_uint64_t idx, ++ struct comp_unit *unit) + { +- /* FIXME: Add support for indexed strings. */ +- return "<indexed strings not yet supported>"; ++ struct dwarf2_debug *stash = unit->stash; ++ struct dwarf2_debug_file *file = unit->file; ++ bfd_byte *info_ptr; ++ unsigned long str_offset; ++ ++ if (stash == NULL) ++ return NULL; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_str], ++ file->syms, 0, ++ &file->dwarf_str_buffer, &file->dwarf_str_size)) ++ return NULL; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_str_offsets], ++ file->syms, 0, ++ &file->dwarf_str_offsets_buffer, ++ &file->dwarf_str_offsets_size)) ++ return NULL; ++ ++ info_ptr = (file->dwarf_str_offsets_buffer ++ + unit->dwarf_str_offset ++ + idx * unit->offset_size); ++ ++ if (unit->offset_size == 4) ++ str_offset = bfd_get_32 (unit->abfd, info_ptr); ++ else ++ str_offset = bfd_get_64 (unit->abfd, info_ptr); ++ ++ return (const char *) file->dwarf_str_buffer + str_offset; + } + + /* Read and fill in the value of attribute ATTR as described by FORM. +@@ -1381,21 +1483,37 @@ read_attribute_value (struct attribute * attr, + case DW_FORM_ref1: + case DW_FORM_flag: + case DW_FORM_data1: ++ attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); ++ break; + case DW_FORM_addrx1: + attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); ++ /* dwarf_addr_offset value 0 indicates the attribute DW_AT_addr_base ++ is not yet read. */ ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_data2: +- case DW_FORM_addrx2: + case DW_FORM_ref2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); + break; ++ case DW_FORM_addrx2: ++ attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); ++ break; + case DW_FORM_addrx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address(attr->u.val, unit); + break; + case DW_FORM_ref4: + case DW_FORM_data4: ++ attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); ++ break; + case DW_FORM_addrx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_data8: + case DW_FORM_ref8: +@@ -1416,24 +1534,31 @@ read_attribute_value (struct attribute * attr, + break; + case DW_FORM_strx1: + attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ /* dwarf_str_offset value 0 indicates the attribute DW_AT_str_offsets_base ++ is not yet read. */ ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_exprloc: + case DW_FORM_block: +@@ -1455,9 +1580,14 @@ read_attribute_value (struct attribute * attr, + break; + case DW_FORM_ref_udata: + case DW_FORM_udata: ++ attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, ++ false, info_ptr_end); ++ break; + case DW_FORM_addrx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_indirect: + form = _bfd_safe_read_leb128 (abfd, &info_ptr, +@@ -2396,6 +2526,11 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp, + { + case DW_FORM_string: + case DW_FORM_line_strp: ++ case DW_FORM_strx: ++ case DW_FORM_strx1: ++ case DW_FORM_strx2: ++ case DW_FORM_strx3: ++ case DW_FORM_strx4: + *stringp = attr.u.str; + break; + +@@ -4031,6 +4166,80 @@ scan_unit_for_symbols (struct comp_unit *unit) + return false; + } + ++/* Read the attributes of the form strx and addrx. */ ++ ++static void ++reread_attribute (struct comp_unit *unit, ++ struct attribute *attr, ++ bfd_vma *low_pc, ++ bfd_vma *high_pc, ++ bool *high_pc_relative, ++ bool compunit) ++{ ++ if (is_strx_form (attr->form)) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (is_addrx_form (attr->form)) ++ attr->u.val = read_indexed_address (attr->u.val, unit); ++ ++ switch (attr->name) ++ { ++ case DW_AT_stmt_list: ++ unit->stmtlist = 1; ++ unit->line_offset = attr->u.val; ++ break; ++ ++ case DW_AT_name: ++ if (is_str_form (attr)) ++ unit->name = attr->u.str; ++ break; ++ ++ case DW_AT_low_pc: ++ *low_pc = attr->u.val; ++ if (compunit) ++ unit->base_address = *low_pc; ++ break; ++ ++ case DW_AT_high_pc: ++ *high_pc = attr->u.val; ++ *high_pc_relative = attr->form != DW_FORM_addr; ++ break; ++ ++ case DW_AT_ranges: ++ if (!read_rangelist (unit, &unit->arange, ++ &unit->file->trie_root, attr->u.val)) ++ return; ++ break; ++ ++ case DW_AT_comp_dir: ++ { ++ char *comp_dir = attr->u.str; ++ ++ if (!is_str_form (attr)) ++ { ++ _bfd_error_handler ++ (_("DWARF error: DW_AT_comp_dir attribute encountered " ++ "with a non-string form")); ++ comp_dir = NULL; ++ } ++ ++ if (comp_dir) ++ { ++ char *cp = strchr (comp_dir, ':'); ++ ++ if (cp && cp != comp_dir && cp[-1] == '.' && cp[1] == '/') ++ comp_dir = cp + 1; ++ } ++ unit->comp_dir = comp_dir; ++ break; ++ } ++ ++ case DW_AT_language: ++ unit->lang = attr->u.val; ++ default: ++ break; ++ } ++} ++ + /* Parse a DWARF2 compilation unit starting at INFO_PTR. UNIT_LENGTH + includes the compilation unit header that proceeds the DIE's, but + does not include the length field that precedes each compilation +@@ -4064,6 +4273,10 @@ parse_comp_unit (struct dwarf2_debug *stash, + bfd *abfd = file->bfd_ptr; + bool high_pc_relative = false; + enum dwarf_unit_type unit_type; ++ struct attribute *str_addrp = NULL; ++ size_t str_count = 0; ++ size_t str_alloc = 0; ++ bool compunit_flag = false; + + version = read_2_bytes (abfd, &info_ptr, end_ptr); + if (version < 2 || version > 5) +@@ -4168,11 +4381,33 @@ parse_comp_unit (struct dwarf2_debug *stash, + unit->file = file; + unit->info_ptr_unit = info_ptr_unit; + ++ if (abbrev->tag == DW_TAG_compile_unit) ++ compunit_flag = true; ++ + for (i = 0; i < abbrev->num_attrs; ++i) + { + info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, end_ptr); + if (info_ptr == NULL) +- return NULL; ++ goto err_exit; ++ ++ /* Identify attributes of the form strx* and addrx* which come before ++ DW_AT_str_offsets_base and DW_AT_addr_base respectively in the CU. ++ Store the attributes in an array and process them later. */ ++ if ((unit->dwarf_str_offset == 0 && is_strx_form (attr.form)) ++ || (unit->dwarf_addr_offset == 0 && is_addrx_form (attr.form))) ++ { ++ if (str_count <= str_alloc) ++ { ++ str_alloc = 2 * str_alloc + 200; ++ str_addrp = bfd_realloc (str_addrp, ++ str_alloc * sizeof (*str_addrp)); ++ if (str_addrp == NULL) ++ goto err_exit; ++ } ++ str_addrp[str_count] = attr; ++ str_count++; ++ continue; ++ } + + /* Store the data if it is of an attribute we want to keep in a + partial symbol table. */ +@@ -4198,7 +4433,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + /* If the compilation unit DIE has a DW_AT_low_pc attribute, + this is the base address to use when reading location + lists or range lists. */ +- if (abbrev->tag == DW_TAG_compile_unit) ++ if (compunit_flag) + unit->base_address = low_pc; + } + break; +@@ -4215,7 +4450,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + if (is_int_form (&attr) + && !read_rangelist (unit, &unit->arange, + &unit->file->trie_root, attr.u.val)) +- return NULL; ++ goto err_exit; + break; + + case DW_AT_comp_dir: +@@ -4248,21 +4483,40 @@ parse_comp_unit (struct dwarf2_debug *stash, + unit->lang = attr.u.val; + break; + ++ case DW_AT_addr_base: ++ unit->dwarf_addr_offset = attr.u.val; ++ break; ++ ++ case DW_AT_str_offsets_base: ++ unit->dwarf_str_offset = attr.u.val; ++ break; ++ + default: + break; + } + } ++ ++ for (i = 0; i < str_count; ++i) ++ reread_attribute (unit, &str_addrp[i], &low_pc, &high_pc, ++ &high_pc_relative, compunit_flag); ++ + if (high_pc_relative) + high_pc += low_pc; + if (high_pc != 0) + { + if (!arange_add (unit, &unit->arange, &unit->file->trie_root, + low_pc, high_pc)) +- return NULL; ++ goto err_exit; + } + + unit->first_child_die_ptr = info_ptr; ++ ++ free (str_addrp); + return unit; ++ ++ err_exit: ++ free (str_addrp); ++ return NULL; + } + + /* Return TRUE if UNIT may contain the address given by ADDR. When +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch new file mode 100644 index 0000000000..be698ef5c1 --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch @@ -0,0 +1,2127 @@ +From 0e3c1eebb22e0ade28b619fb41f42d66ed6fb145 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 27 May 2022 12:37:21 +0930 +Subject: [PATCH] Remove use of bfd_uint64_t and similar + +Requiring C99 means that uses of bfd_uint64_t can be replaced with +uint64_t, and similarly for bfd_int64_t, BFD_HOST_U_64_BIT, and +BFD_HOST_64_BIT. This patch does that, removes #ifdef BFD_HOST_* +and tidies a few places that print 64-bit values. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=0e3c1eebb22e0ade28b619fb41f42d66ed6fb145] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/aix386-core.c | 6 +-- + bfd/bfd-in.h | 24 ++++++------ + bfd/bfd-in2.h | 36 +++++++++--------- + bfd/coff-rs6000.c | 10 +---- + bfd/coff-x86_64.c | 2 +- + bfd/cpu-ia64-opc.c | 22 +++++------ + bfd/dwarf2.c | 83 ++++++++++++++++++++--------------------- + bfd/elf32-score.c | 16 ++++---- + bfd/elf64-ia64-vms.c | 8 ++-- + bfd/elflink.c | 16 +------- + bfd/elfxx-ia64.c | 6 +-- + bfd/hppabsd-core.c | 6 +-- + bfd/hpux-core.c | 6 +-- + bfd/irix-core.c | 6 +-- + bfd/libbfd.c | 65 +++++++++----------------------- + bfd/mach-o.c | 2 +- + bfd/mach-o.h | 8 ++-- + bfd/netbsd-core.c | 6 +-- + bfd/osf-core.c | 6 +-- + bfd/ptrace-core.c | 6 +-- + bfd/sco5-core.c | 6 +-- + bfd/targets.c | 12 +++--- + bfd/trad-core.c | 6 +-- + bfd/vms-alpha.c | 2 +- + binutils/nm.c | 49 +++--------------------- + binutils/od-macho.c | 50 ++++++++----------------- + binutils/prdbg.c | 39 +++---------------- + binutils/readelf.c | 21 +++++------ + gas/config/tc-arm.c | 28 ++++---------- + gas/config/tc-csky.c | 10 ++--- + gas/config/tc-sparc.c | 35 +++++++++-------- + gas/config/tc-tilegx.c | 20 +++++----- + gas/config/tc-tilepro.c | 20 +++++----- + gas/config/tc-z80.c | 8 ++-- + gas/config/te-vms.c | 2 +- + gas/config/te-vms.h | 2 +- + gdb/findcmd.c | 2 +- + gdb/tilegx-tdep.c | 2 +- + gprof/gmon_io.c | 44 ++++++---------------- + include/elf/nfp.h | 2 +- + include/opcode/csky.h | 62 +++++++++++++++--------------- + include/opcode/ia64.h | 2 +- + opcodes/csky-dis.c | 2 +- + opcodes/csky-opc.h | 4 +- + opcodes/ia64-dis.c | 2 +- + 45 files changed, 297 insertions(+), 475 deletions(-) + +diff --git a/bfd/aix386-core.c b/bfd/aix386-core.c +index 3443e49ed46..977a6bd1fb4 100644 +--- a/bfd/aix386-core.c ++++ b/bfd/aix386-core.c +@@ -220,9 +220,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_aix386_vec = + { +diff --git a/bfd/bfd-in.h b/bfd/bfd-in.h +index a1c4bf139fc..09c5728e944 100644 +--- a/bfd/bfd-in.h ++++ b/bfd/bfd-in.h +@@ -116,10 +116,10 @@ typedef struct bfd bfd; + #error No 64 bit integer type available + #endif /* ! defined (BFD_HOST_64_BIT) */ + +-typedef BFD_HOST_U_64_BIT bfd_vma; +-typedef BFD_HOST_64_BIT bfd_signed_vma; +-typedef BFD_HOST_U_64_BIT bfd_size_type; +-typedef BFD_HOST_U_64_BIT symvalue; ++typedef uint64_t bfd_vma; ++typedef int64_t bfd_signed_vma; ++typedef uint64_t bfd_size_type; ++typedef uint64_t symvalue; + + #if BFD_HOST_64BIT_LONG + #define BFD_VMA_FMT "l" +@@ -447,10 +447,10 @@ extern bool bfd_record_phdr + + /* Byte swapping routines. */ + +-bfd_uint64_t bfd_getb64 (const void *); +-bfd_uint64_t bfd_getl64 (const void *); +-bfd_int64_t bfd_getb_signed_64 (const void *); +-bfd_int64_t bfd_getl_signed_64 (const void *); ++uint64_t bfd_getb64 (const void *); ++uint64_t bfd_getl64 (const void *); ++int64_t bfd_getb_signed_64 (const void *); ++int64_t bfd_getl_signed_64 (const void *); + bfd_vma bfd_getb32 (const void *); + bfd_vma bfd_getl32 (const void *); + bfd_signed_vma bfd_getb_signed_32 (const void *); +@@ -459,8 +459,8 @@ bfd_vma bfd_getb16 (const void *); + bfd_vma bfd_getl16 (const void *); + bfd_signed_vma bfd_getb_signed_16 (const void *); + bfd_signed_vma bfd_getl_signed_16 (const void *); +-void bfd_putb64 (bfd_uint64_t, void *); +-void bfd_putl64 (bfd_uint64_t, void *); ++void bfd_putb64 (uint64_t, void *); ++void bfd_putl64 (uint64_t, void *); + void bfd_putb32 (bfd_vma, void *); + void bfd_putl32 (bfd_vma, void *); + void bfd_putb24 (bfd_vma, void *); +@@ -470,8 +470,8 @@ void bfd_putl16 (bfd_vma, void *); + + /* Byte swapping routines which take size and endiannes as arguments. */ + +-bfd_uint64_t bfd_get_bits (const void *, int, bool); +-void bfd_put_bits (bfd_uint64_t, void *, int, bool); ++uint64_t bfd_get_bits (const void *, int, bool); ++void bfd_put_bits (uint64_t, void *, int, bool); + + + /* mmap hacks */ +diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h +index 50e26fc691d..d50885e76cf 100644 +--- a/bfd/bfd-in2.h ++++ b/bfd/bfd-in2.h +@@ -123,10 +123,10 @@ typedef struct bfd bfd; + #error No 64 bit integer type available + #endif /* ! defined (BFD_HOST_64_BIT) */ + +-typedef BFD_HOST_U_64_BIT bfd_vma; +-typedef BFD_HOST_64_BIT bfd_signed_vma; +-typedef BFD_HOST_U_64_BIT bfd_size_type; +-typedef BFD_HOST_U_64_BIT symvalue; ++typedef uint64_t bfd_vma; ++typedef int64_t bfd_signed_vma; ++typedef uint64_t bfd_size_type; ++typedef uint64_t symvalue; + + #if BFD_HOST_64BIT_LONG + #define BFD_VMA_FMT "l" +@@ -454,10 +454,10 @@ extern bool bfd_record_phdr + + /* Byte swapping routines. */ + +-bfd_uint64_t bfd_getb64 (const void *); +-bfd_uint64_t bfd_getl64 (const void *); +-bfd_int64_t bfd_getb_signed_64 (const void *); +-bfd_int64_t bfd_getl_signed_64 (const void *); ++uint64_t bfd_getb64 (const void *); ++uint64_t bfd_getl64 (const void *); ++int64_t bfd_getb_signed_64 (const void *); ++int64_t bfd_getl_signed_64 (const void *); + bfd_vma bfd_getb32 (const void *); + bfd_vma bfd_getl32 (const void *); + bfd_signed_vma bfd_getb_signed_32 (const void *); +@@ -466,8 +466,8 @@ bfd_vma bfd_getb16 (const void *); + bfd_vma bfd_getl16 (const void *); + bfd_signed_vma bfd_getb_signed_16 (const void *); + bfd_signed_vma bfd_getl_signed_16 (const void *); +-void bfd_putb64 (bfd_uint64_t, void *); +-void bfd_putl64 (bfd_uint64_t, void *); ++void bfd_putb64 (uint64_t, void *); ++void bfd_putl64 (uint64_t, void *); + void bfd_putb32 (bfd_vma, void *); + void bfd_putl32 (bfd_vma, void *); + void bfd_putb24 (bfd_vma, void *); +@@ -477,8 +477,8 @@ void bfd_putl16 (bfd_vma, void *); + + /* Byte swapping routines which take size and endiannes as arguments. */ + +-bfd_uint64_t bfd_get_bits (const void *, int, bool); +-void bfd_put_bits (bfd_uint64_t, void *, int, bool); ++uint64_t bfd_get_bits (const void *, int, bool); ++void bfd_put_bits (uint64_t, void *, int, bool); + + + /* mmap hacks */ +@@ -7416,9 +7416,9 @@ typedef struct bfd_target + /* Entries for byte swapping for data. These are different from the + other entry points, since they don't take a BFD as the first argument. + Certain other handlers could do the same. */ +- bfd_uint64_t (*bfd_getx64) (const void *); +- bfd_int64_t (*bfd_getx_signed_64) (const void *); +- void (*bfd_putx64) (bfd_uint64_t, void *); ++ uint64_t (*bfd_getx64) (const void *); ++ int64_t (*bfd_getx_signed_64) (const void *); ++ void (*bfd_putx64) (uint64_t, void *); + bfd_vma (*bfd_getx32) (const void *); + bfd_signed_vma (*bfd_getx_signed_32) (const void *); + void (*bfd_putx32) (bfd_vma, void *); +@@ -7427,9 +7427,9 @@ typedef struct bfd_target + void (*bfd_putx16) (bfd_vma, void *); + + /* Byte swapping for the headers. */ +- bfd_uint64_t (*bfd_h_getx64) (const void *); +- bfd_int64_t (*bfd_h_getx_signed_64) (const void *); +- void (*bfd_h_putx64) (bfd_uint64_t, void *); ++ uint64_t (*bfd_h_getx64) (const void *); ++ int64_t (*bfd_h_getx_signed_64) (const void *); ++ void (*bfd_h_putx64) (uint64_t, void *); + bfd_vma (*bfd_h_getx32) (const void *); + bfd_signed_vma (*bfd_h_getx_signed_32) (const void *); + void (*bfd_h_putx32) (bfd_vma, void *); +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 8819187ab42..48ce5c0516b 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -1890,18 +1890,12 @@ xcoff_write_armap_old (bfd *abfd, unsigned int elength ATTRIBUTE_UNUSED, + } + + static char buff20[XCOFFARMAGBIG_ELEMENT_SIZE + 1]; +-#if BFD_HOST_64BIT_LONG +-#define FMT20 "%-20ld" +-#elif defined (__MSVCRT__) +-#define FMT20 "%-20I64d" +-#else +-#define FMT20 "%-20lld" +-#endif ++#define FMT20 "%-20" PRId64 + #define FMT12 "%-12d" + #define FMT12_OCTAL "%-12o" + #define FMT4 "%-4d" + #define PRINT20(d, v) \ +- sprintf (buff20, FMT20, (bfd_uint64_t)(v)), \ ++ sprintf (buff20, FMT20, (uint64_t) (v)), \ + memcpy ((void *) (d), buff20, 20) + + #define PRINT12(d, v) \ +diff --git a/bfd/coff-x86_64.c b/bfd/coff-x86_64.c +index e8e16d3ce4b..cf339c93215 100644 +--- a/bfd/coff-x86_64.c ++++ b/bfd/coff-x86_64.c +@@ -201,7 +201,7 @@ coff_amd64_reloc (bfd *abfd, + + case 4: + { +- bfd_uint64_t x = bfd_get_64 (abfd, addr); ++ uint64_t x = bfd_get_64 (abfd, addr); + DOIT (x); + bfd_put_64 (abfd, x, addr); + } +diff --git a/bfd/cpu-ia64-opc.c b/bfd/cpu-ia64-opc.c +index e2b5c2694b6..01e3c3f476a 100644 +--- a/bfd/cpu-ia64-opc.c ++++ b/bfd/cpu-ia64-opc.c +@@ -99,14 +99,14 @@ ins_immu (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + static const char* + ext_immu (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { +- BFD_HOST_U_64_BIT value = 0; ++ uint64_t value = 0; + int i, bits = 0, total = 0; + + for (i = 0; i < NELEMS (self->field) && self->field[i].bits; ++i) + { + bits = self->field[i].bits; + value |= ((code >> self->field[i].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << bits) - 1)) << total; ++ & (((uint64_t) 1 << bits) - 1)) << total; + total += bits; + } + *valuep = value; +@@ -161,7 +161,7 @@ static const char* + ins_imms_scaled (const struct ia64_operand *self, ia64_insn value, + ia64_insn *code, int scale) + { +- BFD_HOST_64_BIT svalue = value, sign_bit = 0; ++ int64_t svalue = value, sign_bit = 0; + ia64_insn new_insn = 0; + int i; + +@@ -186,17 +186,17 @@ ext_imms_scaled (const struct ia64_operand *self, ia64_insn code, + ia64_insn *valuep, int scale) + { + int i, bits = 0, total = 0; +- BFD_HOST_U_64_BIT val = 0, sign; ++ uint64_t val = 0, sign; + + for (i = 0; i < NELEMS (self->field) && self->field[i].bits; ++i) + { + bits = self->field[i].bits; + val |= ((code >> self->field[i].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << bits) - 1)) << total; ++ & (((uint64_t) 1 << bits) - 1)) << total; + total += bits; + } + /* sign extend: */ +- sign = (BFD_HOST_U_64_BIT) 1 << (total - 1); ++ sign = (uint64_t) 1 << (total - 1); + val = (val ^ sign) - sign; + + *valuep = val << scale; +@@ -312,7 +312,7 @@ static const char* + ins_cnt (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + { + --value; +- if (value >= ((BFD_HOST_U_64_BIT) 1) << self->field[0].bits) ++ if (value >= (uint64_t) 1 << self->field[0].bits) + return "count out of range"; + + *code |= value << self->field[0].shift; +@@ -323,7 +323,7 @@ static const char* + ext_cnt (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { + *valuep = ((code >> self->field[0].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << self->field[0].bits) - 1)) + 1; ++ & (((uint64_t) 1 << self->field[0].bits) - 1)) + 1; + return 0; + } + +@@ -421,8 +421,8 @@ ext_strd5b (const struct ia64_operand *self, ia64_insn code, + static const char* + ins_inc3 (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + { +- BFD_HOST_64_BIT val = value; +- BFD_HOST_U_64_BIT sign = 0; ++ int64_t val = value; ++ uint64_t sign = 0; + + if (val < 0) + { +@@ -444,7 +444,7 @@ ins_inc3 (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + static const char* + ext_inc3 (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { +- BFD_HOST_64_BIT val; ++ int64_t val; + int negate; + + val = (code >> self->field[0].shift) & 0x7; +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 45e286754e4..6a728fc38b0 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -63,8 +63,8 @@ struct attribute + { + char *str; + struct dwarf_block *blk; +- bfd_uint64_t val; +- bfd_int64_t sval; ++ uint64_t val; ++ int64_t sval; + } + u; + }; +@@ -632,12 +632,12 @@ lookup_info_hash_table (struct info_hash_table *hash_table, const char *key) + the located section does not contain at least OFFSET bytes. */ + + static bool +-read_section (bfd * abfd, ++read_section (bfd *abfd, + const struct dwarf_debug_section *sec, +- asymbol ** syms, +- bfd_uint64_t offset, +- bfd_byte ** section_buffer, +- bfd_size_type * section_size) ++ asymbol **syms, ++ uint64_t offset, ++ bfd_byte **section_buffer, ++ bfd_size_type *section_size) + { + const char *section_name = sec->uncompressed_name; + bfd_byte *contents = *section_buffer; +@@ -848,7 +848,7 @@ read_indirect_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + char *str; +@@ -882,7 +882,7 @@ read_indirect_line_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + char *str; +@@ -919,7 +919,7 @@ read_alt_indirect_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + char *str; + +@@ -975,8 +975,7 @@ read_alt_indirect_string (struct comp_unit *unit, + or NULL upon failure. */ + + static bfd_byte * +-read_alt_indirect_ref (struct comp_unit * unit, +- bfd_uint64_t offset) ++read_alt_indirect_ref (struct comp_unit *unit, uint64_t offset) + { + struct dwarf2_debug *stash = unit->stash; + +@@ -1012,7 +1011,7 @@ read_alt_indirect_ref (struct comp_unit * unit, + return stash->alt.dwarf_info_buffer + offset; + } + +-static bfd_uint64_t ++static uint64_t + read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end) + { + bfd_byte *buf = *ptr; +@@ -1131,7 +1130,7 @@ del_abbrev (void *p) + in a hash table. */ + + static struct abbrev_info** +-read_abbrevs (bfd *abfd, bfd_uint64_t offset, struct dwarf2_debug *stash, ++read_abbrevs (bfd *abfd, uint64_t offset, struct dwarf2_debug *stash, + struct dwarf2_debug_file *file) + { + struct abbrev_info **abbrevs; +@@ -1356,8 +1355,7 @@ is_addrx_form (enum dwarf_form form) + /* Returns the address in .debug_addr section using DW_AT_addr_base. + Used to implement DW_FORM_addrx*. */ + static bfd_vma +-read_indexed_address (bfd_uint64_t idx, +- struct comp_unit *unit) ++read_indexed_address (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +@@ -1383,8 +1381,7 @@ read_indexed_address (bfd_uint64_t idx, + /* Returns the string using DW_AT_str_offsets_base. + Used to implement DW_FORM_strx*. */ + static const char * +-read_indexed_string (bfd_uint64_t idx, +- struct comp_unit *unit) ++read_indexed_string (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +@@ -1717,39 +1714,39 @@ struct line_info_table + struct funcinfo + { + /* Pointer to previous function in list of all functions. */ +- struct funcinfo * prev_func; ++ struct funcinfo *prev_func; + /* Pointer to function one scope higher. */ +- struct funcinfo * caller_func; ++ struct funcinfo *caller_func; + /* Source location file name where caller_func inlines this func. */ +- char * caller_file; ++ char *caller_file; + /* Source location file name. */ +- char * file; ++ char *file; + /* Source location line number where caller_func inlines this func. */ +- int caller_line; ++ int caller_line; + /* Source location line number. */ +- int line; +- int tag; +- bool is_linkage; +- const char * name; +- struct arange arange; ++ int line; ++ int tag; ++ bool is_linkage; ++ const char *name; ++ struct arange arange; + /* Where the symbol is defined. */ +- asection * sec; ++ asection *sec; + /* The offset of the funcinfo from the start of the unit. */ +- bfd_uint64_t unit_offset; ++ uint64_t unit_offset; + }; + + struct lookup_funcinfo + { + /* Function information corresponding to this lookup table entry. */ +- struct funcinfo * funcinfo; ++ struct funcinfo *funcinfo; + + /* The lowest address for this specific function. */ +- bfd_vma low_addr; ++ bfd_vma low_addr; + + /* The highest address of this function before the lookup table is sorted. + The highest address of all prior functions after the lookup table is + sorted, which is used for binary search. */ +- bfd_vma high_addr; ++ bfd_vma high_addr; + /* Index of this function, used to ensure qsort is stable. */ + unsigned int idx; + }; +@@ -1759,7 +1756,7 @@ struct varinfo + /* Pointer to previous variable in list of all variables. */ + struct varinfo *prev_var; + /* The offset of the varinfo from the start of the unit. */ +- bfd_uint64_t unit_offset; ++ uint64_t unit_offset; + /* Source location file name. */ + char *file; + /* Source location line number. */ +@@ -3335,7 +3332,7 @@ find_abstract_instance (struct comp_unit *unit, + bfd_byte *info_ptr_end; + unsigned int abbrev_number, i; + struct abbrev_info *abbrev; +- bfd_uint64_t die_ref = attr_ptr->u.val; ++ uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; + const char *name = NULL; + +@@ -3549,7 +3546,7 @@ find_abstract_instance (struct comp_unit *unit, + + static bool + read_ranges (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + bfd_byte *ranges_ptr; + bfd_byte *ranges_end; +@@ -3594,7 +3591,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + + static bool + read_rnglists (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + bfd_byte *rngs_ptr; + bfd_byte *rngs_end; +@@ -3675,7 +3672,7 @@ read_rnglists (struct comp_unit *unit, struct arange *arange, + + static bool + read_rangelist (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + if (unit->version <= 4) + return read_ranges (unit, arange, trie_root, offset); +@@ -3684,7 +3681,7 @@ read_rangelist (struct comp_unit *unit, struct arange *arange, + } + + static struct funcinfo * +-lookup_func_by_offset (bfd_uint64_t offset, struct funcinfo * table) ++lookup_func_by_offset (uint64_t offset, struct funcinfo * table) + { + for (; table != NULL; table = table->prev_func) + if (table->unit_offset == offset) +@@ -3693,7 +3690,7 @@ lookup_func_by_offset (bfd_uint64_t offset, struct funcinfo * table) + } + + static struct varinfo * +-lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table) ++lookup_var_by_offset (uint64_t offset, struct varinfo * table) + { + while (table) + { +@@ -3775,7 +3772,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + struct abbrev_info *abbrev; + struct funcinfo *func; + struct varinfo *var; +- bfd_uint64_t current_offset; ++ uint64_t current_offset; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -3909,7 +3906,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + bfd_vma low_pc = 0; + bfd_vma high_pc = 0; + bool high_pc_relative = false; +- bfd_uint64_t current_offset; ++ uint64_t current_offset; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -4259,7 +4256,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + { + struct comp_unit* unit; + unsigned int version; +- bfd_uint64_t abbrev_offset = 0; ++ uint64_t abbrev_offset = 0; + /* Initialize it just to avoid a GCC false warning. */ + unsigned int addr_size = -1; + struct abbrev_info** abbrevs; +diff --git a/bfd/elf32-score.c b/bfd/elf32-score.c +index c868707347c..5bc78d523ea 100644 +--- a/bfd/elf32-score.c ++++ b/bfd/elf32-score.c +@@ -230,14 +230,14 @@ static bfd_vma + score3_bfd_getl48 (const void *p) + { + const bfd_byte *addr = p; +- bfd_uint64_t v; +- +- v = (bfd_uint64_t) addr[4]; +- v |= (bfd_uint64_t) addr[5] << 8; +- v |= (bfd_uint64_t) addr[2] << 16; +- v |= (bfd_uint64_t) addr[3] << 24; +- v |= (bfd_uint64_t) addr[0] << 32; +- v |= (bfd_uint64_t) addr[1] << 40; ++ uint64_t v; ++ ++ v = (uint64_t) addr[4]; ++ v |= (uint64_t) addr[5] << 8; ++ v |= (uint64_t) addr[2] << 16; ++ v |= (uint64_t) addr[3] << 24; ++ v |= (uint64_t) addr[0] << 32; ++ v |= (uint64_t) addr[1] << 40; + return v; + } + +diff --git a/bfd/elf64-ia64-vms.c b/bfd/elf64-ia64-vms.c +index 59cc6b6fe85..4d8f98550a3 100644 +--- a/bfd/elf64-ia64-vms.c ++++ b/bfd/elf64-ia64-vms.c +@@ -179,7 +179,7 @@ struct elf64_ia64_vms_obj_tdata + struct elf_obj_tdata root; + + /* Ident for shared library. */ +- bfd_uint64_t ident; ++ uint64_t ident; + + /* Used only during link: offset in the .fixups section for this bfd. */ + bfd_vma fixups_off; +@@ -2791,7 +2791,7 @@ elf64_ia64_size_dynamic_sections (bfd *output_bfd ATTRIBUTE_UNUSED, + if (!_bfd_elf_add_dynamic_entry (info, DT_IA_64_VMS_IDENT, 0)) + return false; + if (!_bfd_elf_add_dynamic_entry (info, DT_IA_64_VMS_LINKTIME, +- (((bfd_uint64_t)time_hi) << 32) ++ ((uint64_t) time_hi << 32) + + time_lo)) + return false; + +@@ -4720,7 +4720,7 @@ elf64_vms_close_and_cleanup (bfd *abfd) + if ((isize & 7) != 0) + { + int ishort = 8 - (isize & 7); +- bfd_uint64_t pad = 0; ++ uint64_t pad = 0; + + bfd_seek (abfd, isize, SEEK_SET); + bfd_bwrite (&pad, ishort, abfd); +@@ -4853,7 +4853,7 @@ elf64_vms_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info) + bed->s->swap_dyn_in (abfd, extdyn, &dyn); + if (dyn.d_tag == DT_IA_64_VMS_IDENT) + { +- bfd_uint64_t tagv = dyn.d_un.d_val; ++ uint64_t tagv = dyn.d_un.d_val; + elf_ia64_vms_ident (abfd) = tagv; + break; + } +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 96eb36aa5bf..fc3a335c72d 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -6354,15 +6354,11 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + size_t best_size = 0; + unsigned long int i; + +- /* We have a problem here. The following code to optimize the table +- size requires an integer type with more the 32 bits. If +- BFD_HOST_U_64_BIT is set we know about such a type. */ +-#ifdef BFD_HOST_U_64_BIT + if (info->optimize) + { + size_t minsize; + size_t maxsize; +- BFD_HOST_U_64_BIT best_chlen = ~((BFD_HOST_U_64_BIT) 0); ++ uint64_t best_chlen = ~((uint64_t) 0); + bfd *dynobj = elf_hash_table (info)->dynobj; + size_t dynsymcount = elf_hash_table (info)->dynsymcount; + const struct elf_backend_data *bed = get_elf_backend_data (dynobj); +@@ -6399,7 +6395,7 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + for (i = minsize; i < maxsize; ++i) + { + /* Walk through the array of hashcodes and count the collisions. */ +- BFD_HOST_U_64_BIT max; ++ uint64_t max; + unsigned long int j; + unsigned long int fact; + +@@ -6464,11 +6460,7 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + free (counts); + } + else +-#endif /* defined (BFD_HOST_U_64_BIT) */ + { +- /* This is the fallback solution if no 64bit type is available or if we +- are not supposed to spend much time on optimizations. We select the +- bucket count using a fixed set of numbers. */ + for (i = 0; elf_buckets[i] != 0; i++) + { + best_size = elf_buckets[i]; +@@ -9354,7 +9346,6 @@ ext32b_r_offset (const void *p) + return aval; + } + +-#ifdef BFD_HOST_64_BIT + static bfd_vma + ext64l_r_offset (const void *p) + { +@@ -9398,7 +9389,6 @@ ext64b_r_offset (const void *p) + | (uint64_t) a->c[7]); + return aval; + } +-#endif + + /* When performing a relocatable link, the input relocations are + preserved. But, if they reference global symbols, the indices +@@ -9502,13 +9492,11 @@ elf_link_adjust_relocs (bfd *abfd, + } + else + { +-#ifdef BFD_HOST_64_BIT + if (abfd->xvec->header_byteorder == BFD_ENDIAN_LITTLE) + ext_r_off = ext64l_r_offset; + else if (abfd->xvec->header_byteorder == BFD_ENDIAN_BIG) + ext_r_off = ext64b_r_offset; + else +-#endif + abort (); + } + +diff --git a/bfd/elfxx-ia64.c b/bfd/elfxx-ia64.c +index c126adf6890..a108324ca39 100644 +--- a/bfd/elfxx-ia64.c ++++ b/bfd/elfxx-ia64.c +@@ -555,11 +555,7 @@ ia64_elf_install_value (bfd_byte *hit_addr, bfd_vma v, unsigned int r_type) + enum ia64_opnd opnd; + const char *err; + size_t size = 8; +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT val = (BFD_HOST_U_64_BIT) v; +-#else +- bfd_vma val = v; +-#endif ++ uint64_t val = v; + + opnd = IA64_OPND_NIL; + switch (r_type) +diff --git a/bfd/hppabsd-core.c b/bfd/hppabsd-core.c +index acfa5f69a95..d87af955838 100644 +--- a/bfd/hppabsd-core.c ++++ b/bfd/hppabsd-core.c +@@ -213,9 +213,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_hppabsd_vec = + { +diff --git a/bfd/hpux-core.c b/bfd/hpux-core.c +index 4f03b84909a..654532c6bb9 100644 +--- a/bfd/hpux-core.c ++++ b/bfd/hpux-core.c +@@ -362,9 +362,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_hpux_vec = + { +diff --git a/bfd/irix-core.c b/bfd/irix-core.c +index 694fe2e2e07..b12aef9ce8b 100644 +--- a/bfd/irix-core.c ++++ b/bfd/irix-core.c +@@ -275,9 +275,9 @@ swap_abort(void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_irix_vec = + { +diff --git a/bfd/libbfd.c b/bfd/libbfd.c +index 2781671ddba..d33f3416206 100644 +--- a/bfd/libbfd.c ++++ b/bfd/libbfd.c +@@ -617,7 +617,7 @@ DESCRIPTION + #define COERCE16(x) (((bfd_vma) (x) ^ 0x8000) - 0x8000) + #define COERCE32(x) (((bfd_vma) (x) ^ 0x80000000) - 0x80000000) + #define COERCE64(x) \ +- (((bfd_uint64_t) (x) ^ ((bfd_uint64_t) 1 << 63)) - ((bfd_uint64_t) 1 << 63)) ++ (((uint64_t) (x) ^ ((uint64_t) 1 << 63)) - ((uint64_t) 1 << 63)) + + bfd_vma + bfd_getb16 (const void *p) +@@ -757,12 +757,11 @@ bfd_getl_signed_32 (const void *p) + return COERCE32 (v); + } + +-bfd_uint64_t +-bfd_getb64 (const void *p ATTRIBUTE_UNUSED) ++uint64_t ++bfd_getb64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[0]; v <<= 8; + v |= addr[1]; v <<= 8; +@@ -774,18 +773,13 @@ bfd_getb64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[7]; + + return v; +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + +-bfd_uint64_t +-bfd_getl64 (const void *p ATTRIBUTE_UNUSED) ++uint64_t ++bfd_getl64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[7]; v <<= 8; + v |= addr[6]; v <<= 8; +@@ -797,19 +791,13 @@ bfd_getl64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[0]; + + return v; +-#else +- BFD_FAIL(); +- return 0; +-#endif +- + } + +-bfd_int64_t +-bfd_getb_signed_64 (const void *p ATTRIBUTE_UNUSED) ++int64_t ++bfd_getb_signed_64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[0]; v <<= 8; + v |= addr[1]; v <<= 8; +@@ -821,18 +809,13 @@ bfd_getb_signed_64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[7]; + + return COERCE64 (v); +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + +-bfd_int64_t +-bfd_getl_signed_64 (const void *p ATTRIBUTE_UNUSED) ++int64_t ++bfd_getl_signed_64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[7]; v <<= 8; + v |= addr[6]; v <<= 8; +@@ -844,10 +827,6 @@ bfd_getl_signed_64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[0]; + + return COERCE64 (v); +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + + void +@@ -871,9 +850,8 @@ bfd_putl32 (bfd_vma data, void *p) + } + + void +-bfd_putb64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) ++bfd_putb64 (uint64_t data, void *p) + { +-#ifdef BFD_HOST_64_BIT + bfd_byte *addr = (bfd_byte *) p; + addr[0] = (data >> (7*8)) & 0xff; + addr[1] = (data >> (6*8)) & 0xff; +@@ -883,15 +861,11 @@ bfd_putb64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) + addr[5] = (data >> (2*8)) & 0xff; + addr[6] = (data >> (1*8)) & 0xff; + addr[7] = (data >> (0*8)) & 0xff; +-#else +- BFD_FAIL(); +-#endif + } + + void +-bfd_putl64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) ++bfd_putl64 (uint64_t data, void *p) + { +-#ifdef BFD_HOST_64_BIT + bfd_byte *addr = (bfd_byte *) p; + addr[7] = (data >> (7*8)) & 0xff; + addr[6] = (data >> (6*8)) & 0xff; +@@ -901,13 +875,10 @@ bfd_putl64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) + addr[2] = (data >> (2*8)) & 0xff; + addr[1] = (data >> (1*8)) & 0xff; + addr[0] = (data >> (0*8)) & 0xff; +-#else +- BFD_FAIL(); +-#endif + } + + void +-bfd_put_bits (bfd_uint64_t data, void *p, int bits, bool big_p) ++bfd_put_bits (uint64_t data, void *p, int bits, bool big_p) + { + bfd_byte *addr = (bfd_byte *) p; + int i; +@@ -926,11 +897,11 @@ bfd_put_bits (bfd_uint64_t data, void *p, int bits, bool big_p) + } + } + +-bfd_uint64_t ++uint64_t + bfd_get_bits (const void *p, int bits, bool big_p) + { + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t data; ++ uint64_t data; + int i; + int bytes; + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index e32b7873cef..9f3f1f13e4e 100644 +--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -4773,7 +4773,7 @@ bfd_mach_o_read_source_version (bfd *abfd, bfd_mach_o_load_command *command) + { + bfd_mach_o_source_version_command *cmd = &command->command.source_version; + struct mach_o_source_version_command_external raw; +- bfd_uint64_t ver; ++ uint64_t ver; + + if (command->len < sizeof (raw) + 8) + return false; +diff --git a/bfd/mach-o.h b/bfd/mach-o.h +index 5a068d8d970..f7418ad8d40 100644 +--- a/bfd/mach-o.h ++++ b/bfd/mach-o.h +@@ -545,8 +545,8 @@ bfd_mach_o_encryption_info_command; + + typedef struct bfd_mach_o_main_command + { +- bfd_uint64_t entryoff; +- bfd_uint64_t stacksize; ++ uint64_t entryoff; ++ uint64_t stacksize; + } + bfd_mach_o_main_command; + +@@ -563,8 +563,8 @@ bfd_mach_o_source_version_command; + typedef struct bfd_mach_o_note_command + { + char data_owner[16]; +- bfd_uint64_t offset; +- bfd_uint64_t size; ++ uint64_t offset; ++ uint64_t size; + } + bfd_mach_o_note_command; + +diff --git a/bfd/netbsd-core.c b/bfd/netbsd-core.c +index cb215937da6..ffc8e50842c 100644 +--- a/bfd/netbsd-core.c ++++ b/bfd/netbsd-core.c +@@ -257,9 +257,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_netbsd_vec = + { +diff --git a/bfd/osf-core.c b/bfd/osf-core.c +index 09a04a07624..04434b2045c 100644 +--- a/bfd/osf-core.c ++++ b/bfd/osf-core.c +@@ -169,9 +169,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_osf_vec = + { +diff --git a/bfd/ptrace-core.c b/bfd/ptrace-core.c +index 3d077d21200..c4afffbfb95 100644 +--- a/bfd/ptrace-core.c ++++ b/bfd/ptrace-core.c +@@ -160,9 +160,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_ptrace_vec = + { +diff --git a/bfd/sco5-core.c b/bfd/sco5-core.c +index d1f80c9079f..7807ac86a65 100644 +--- a/bfd/sco5-core.c ++++ b/bfd/sco5-core.c +@@ -340,9 +340,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_sco5_vec = + { +diff --git a/bfd/targets.c b/bfd/targets.c +index 05dd8236d91..f44b5c67724 100644 +--- a/bfd/targets.c ++++ b/bfd/targets.c +@@ -226,9 +226,9 @@ DESCRIPTION + . {* Entries for byte swapping for data. These are different from the + . other entry points, since they don't take a BFD as the first argument. + . Certain other handlers could do the same. *} +-. bfd_uint64_t (*bfd_getx64) (const void *); +-. bfd_int64_t (*bfd_getx_signed_64) (const void *); +-. void (*bfd_putx64) (bfd_uint64_t, void *); ++. uint64_t (*bfd_getx64) (const void *); ++. int64_t (*bfd_getx_signed_64) (const void *); ++. void (*bfd_putx64) (uint64_t, void *); + . bfd_vma (*bfd_getx32) (const void *); + . bfd_signed_vma (*bfd_getx_signed_32) (const void *); + . void (*bfd_putx32) (bfd_vma, void *); +@@ -237,9 +237,9 @@ DESCRIPTION + . void (*bfd_putx16) (bfd_vma, void *); + . + . {* Byte swapping for the headers. *} +-. bfd_uint64_t (*bfd_h_getx64) (const void *); +-. bfd_int64_t (*bfd_h_getx_signed_64) (const void *); +-. void (*bfd_h_putx64) (bfd_uint64_t, void *); ++. uint64_t (*bfd_h_getx64) (const void *); ++. int64_t (*bfd_h_getx_signed_64) (const void *); ++. void (*bfd_h_putx64) (uint64_t, void *); + . bfd_vma (*bfd_h_getx32) (const void *); + . bfd_signed_vma (*bfd_h_getx_signed_32) (const void *); + . void (*bfd_h_putx32) (bfd_vma, void *); +diff --git a/bfd/trad-core.c b/bfd/trad-core.c +index 92a279b6a72..8e9ee0d6667 100644 +--- a/bfd/trad-core.c ++++ b/bfd/trad-core.c +@@ -249,9 +249,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_trad_vec = + { +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 1129c98f0e2..fd0762811df 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -522,7 +522,7 @@ _bfd_vms_slurp_eisd (bfd *abfd, unsigned int offset) + struct vms_eisd *eisd; + unsigned int rec_size; + unsigned int size; +- bfd_uint64_t vaddr; ++ uint64_t vaddr; + unsigned int flags; + unsigned int vbn; + char *name = NULL; +diff --git a/binutils/nm.c b/binutils/nm.c +index 60e4d850885..539c5688425 100644 +--- a/binutils/nm.c ++++ b/binutils/nm.c +@@ -1557,29 +1557,15 @@ get_print_format (void) + padding = "016"; + } + +- const char * length = "l"; +- if (print_width == 64) +- { +-#if BFD_HOST_64BIT_LONG +- ; +-#elif BFD_HOST_64BIT_LONG_LONG +-#ifndef __MSVCRT__ +- length = "ll"; +-#else +- length = "I64"; +-#endif +-#endif +- } +- + const char * radix = NULL; + switch (print_radix) + { +- case 8: radix = "o"; break; +- case 10: radix = "d"; break; +- case 16: radix = "x"; break; ++ case 8: radix = PRIo64; break; ++ case 10: radix = PRId64; break; ++ case 16: radix = PRIx64; break; + } + +- return concat ("%", padding, length, radix, NULL); ++ return concat ("%", padding, radix, NULL); + } + + static void +@@ -1874,33 +1860,8 @@ print_value (bfd *abfd ATTRIBUTE_UNUSED, bfd_vma val) + switch (print_width) + { + case 32: +- printf (print_format_string, (unsigned long) val); +- break; +- + case 64: +-#if BFD_HOST_64BIT_LONG || BFD_HOST_64BIT_LONG_LONG +- printf (print_format_string, val); +-#else +- /* We have a 64 bit value to print, but the host is only 32 bit. */ +- if (print_radix == 16) +- bfd_fprintf_vma (abfd, stdout, val); +- else +- { +- char buf[30]; +- char *s; +- +- s = buf + sizeof buf; +- *--s = '\0'; +- while (val > 0) +- { +- *--s = (val % print_radix) + '0'; +- val /= print_radix; +- } +- while ((buf + sizeof buf - 1) - s < 16) +- *--s = '0'; +- printf ("%s", s); +- } +-#endif ++ printf (print_format_string, (uint64_t) val); + break; + + default: +diff --git a/binutils/od-macho.c b/binutils/od-macho.c +index 56d448ac3bd..e91c87d2acf 100644 +--- a/binutils/od-macho.c ++++ b/binutils/od-macho.c +@@ -283,15 +283,6 @@ bfd_mach_o_print_flags (const bfd_mach_o_xlat_name *table, + printf ("-"); + } + +-/* Print a bfd_uint64_t, using a platform independent style. */ +- +-static void +-printf_uint64 (bfd_uint64_t v) +-{ +- printf ("0x%08lx%08lx", +- (unsigned long)((v >> 16) >> 16), (unsigned long)(v & 0xffffffffUL)); +-} +- + static const char * + bfd_mach_o_get_name_or_null (const bfd_mach_o_xlat_name *table, + unsigned long val) +@@ -1729,26 +1720,20 @@ dump_load_command (bfd *abfd, bfd_mach_o_load_command *cmd, + } + case BFD_MACH_O_LC_MAIN: + { +- bfd_mach_o_main_command *entry = &cmd->command.main; +- printf (" entry offset: "); +- printf_uint64 (entry->entryoff); +- printf ("\n" +- " stack size: "); +- printf_uint64 (entry->stacksize); +- printf ("\n"); +- break; ++ bfd_mach_o_main_command *entry = &cmd->command.main; ++ printf (" entry offset: %#016" PRIx64 "\n" ++ " stack size: %#016" PRIx64 "\n", ++ entry->entryoff, entry->stacksize); ++ break; + } + case BFD_MACH_O_LC_NOTE: + { +- bfd_mach_o_note_command *note = &cmd->command.note; +- printf (" data owner: %.16s\n", note->data_owner); +- printf (" offset: "); +- printf_uint64 (note->offset); +- printf ("\n" +- " size: "); +- printf_uint64 (note->size); +- printf ("\n"); +- break; ++ bfd_mach_o_note_command *note = &cmd->command.note; ++ printf (" data owner: %.16s\n" ++ " offset: %#016" PRIx64 "\n" ++ " size: %#016" PRIx64 "\n", ++ note->data_owner, note->offset, note->size); ++ break; + } + case BFD_MACH_O_LC_BUILD_VERSION: + dump_build_version (abfd, cmd); +@@ -2013,14 +1998,11 @@ dump_obj_compact_unwind (bfd *abfd, + { + e = (struct mach_o_compact_unwind_64 *) p; + +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->start)); +- printf (" %08lx", (unsigned long)bfd_get_32 (abfd, e->length)); +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->personality)); +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->lsda)); +- putchar ('\n'); ++ printf (" %#016" PRIx64 " %#08x %#016" PRIx64 " %#016" PRIx64 "\n", ++ (uint64_t) bfd_get_64 (abfd, e->start), ++ (unsigned int) bfd_get_32 (abfd, e->length), ++ (uint64_t) bfd_get_64 (abfd, e->personality), ++ (uint64_t) bfd_get_64 (abfd, e->lsda)); + + printf (" encoding: "); + dump_unwind_encoding (mdata, bfd_get_32 (abfd, e->encoding)); +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index d6cbab8578b..c1e41628d26 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -485,41 +485,12 @@ pop_type (struct pr_handle *info) + static void + print_vma (bfd_vma vma, char *buf, bool unsignedp, bool hexp) + { +- if (sizeof (vma) <= sizeof (unsigned long)) +- { +- if (hexp) +- sprintf (buf, "0x%lx", (unsigned long) vma); +- else if (unsignedp) +- sprintf (buf, "%lu", (unsigned long) vma); +- else +- sprintf (buf, "%ld", (long) vma); +- } +-#if BFD_HOST_64BIT_LONG_LONG +- else if (sizeof (vma) <= sizeof (unsigned long long)) +- { +-#ifndef __MSVCRT__ +- if (hexp) +- sprintf (buf, "0x%llx", (unsigned long long) vma); +- else if (unsignedp) +- sprintf (buf, "%llu", (unsigned long long) vma); +- else +- sprintf (buf, "%lld", (long long) vma); +-#else +- if (hexp) +- sprintf (buf, "0x%I64x", (unsigned long long) vma); +- else if (unsignedp) +- sprintf (buf, "%I64u", (unsigned long long) vma); +- else +- sprintf (buf, "%I64d", (long long) vma); +-#endif +- } +-#endif ++ if (hexp) ++ sprintf (buf, "%#" PRIx64, (uint64_t) vma); ++ else if (unsignedp) ++ sprintf (buf, "%" PRIu64, (uint64_t) vma); + else +- { +- buf[0] = '0'; +- buf[1] = 'x'; +- sprintf_vma (buf + 2, vma); +- } ++ sprintf (buf, "%" PRId64, (int64_t) vma); + } + + /* Start a new compilation unit. */ +diff --git a/binutils/readelf.c b/binutils/readelf.c +index c35bfc12366..4c0a2a34767 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -10729,7 +10729,7 @@ dynamic_section_parisc_val (Elf_Internal_Dyn * entry) + /* Display a VMS time in a human readable format. */ + + static void +-print_vms_time (bfd_int64_t vmstime) ++print_vms_time (int64_t vmstime) + { + struct tm *tm = NULL; + time_t unxtime; +@@ -20764,7 +20764,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + /* FIXME: Generate an error if descsz > 8 ? */ + + printf ("0x%016" BFD_VMA_FMT "x\n", +- (bfd_vma) byte_get ((unsigned char *)pnote->descdata, 8)); ++ (bfd_vma) byte_get ((unsigned char *) pnote->descdata, 8)); + break; + + case NT_VMS_LINKTIME: +@@ -20773,8 +20773,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + /* FIXME: Generate an error if descsz > 8 ? */ + +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata, 8)); + printf ("\n"); + break; + +@@ -20784,8 +20783,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + /* FIXME: Generate an error if descsz > 8 ? */ + +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata, 8)); + printf ("\n"); + break; + +@@ -20794,16 +20792,15 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + + printf (_(" Major id: %u, minor id: %u\n"), +- (unsigned) byte_get ((unsigned char *)pnote->descdata, 4), +- (unsigned) byte_get ((unsigned char *)pnote->descdata + 4, 4)); ++ (unsigned) byte_get ((unsigned char *) pnote->descdata, 4), ++ (unsigned) byte_get ((unsigned char *) pnote->descdata + 4, 4)); + printf (_(" Last modified : ")); +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata + 8, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata + 8, 8)); + printf (_("\n Link flags : ")); + printf ("0x%016" BFD_VMA_FMT "x\n", +- (bfd_vma) byte_get ((unsigned char *)pnote->descdata + 16, 8)); ++ (bfd_vma) byte_get ((unsigned char *) pnote->descdata + 16, 8)); + printf (_(" Header flags: 0x%08x\n"), +- (unsigned) byte_get ((unsigned char *)pnote->descdata + 24, 4)); ++ (unsigned) byte_get ((unsigned char *) pnote->descdata + 24, 4)); + printf (_(" Image id : %.*s\n"), maxlen - 32, pnote->descdata + 32); + break; + #endif +diff --git a/gas/config/tc-arm.c b/gas/config/tc-arm.c +index 1721097cfca..2e6d175482e 100644 +--- a/gas/config/tc-arm.c ++++ b/gas/config/tc-arm.c +@@ -3565,7 +3565,7 @@ add_to_lit_pool (unsigned int nbytes) + imm1 = inst.operands[1].imm; + imm2 = (inst.operands[1].regisimm ? inst.operands[1].reg + : inst.relocs[0].exp.X_unsigned ? 0 +- : ((bfd_int64_t) inst.operands[1].imm) >> 32); ++ : (int64_t) inst.operands[1].imm >> 32); + if (target_big_endian) + { + imm1 = imm2; +@@ -8819,15 +8819,14 @@ neon_cmode_for_move_imm (unsigned immlo, unsigned immhi, int float_p, + return FAIL; + } + +-#if defined BFD_HOST_64_BIT + /* Returns TRUE if double precision value V may be cast + to single precision without loss of accuracy. */ + + static bool +-is_double_a_single (bfd_uint64_t v) ++is_double_a_single (uint64_t v) + { + int exp = (v >> 52) & 0x7FF; +- bfd_uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; ++ uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; + + return ((exp == 0 || exp == 0x7FF + || (exp >= 1023 - 126 && exp <= 1023 + 127)) +@@ -8838,11 +8837,11 @@ is_double_a_single (bfd_uint64_t v) + (ignoring the least significant bits in exponent and mantissa). */ + + static int +-double_to_single (bfd_uint64_t v) ++double_to_single (uint64_t v) + { + unsigned int sign = (v >> 63) & 1; + int exp = (v >> 52) & 0x7FF; +- bfd_uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; ++ uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; + + if (exp == 0x7FF) + exp = 0xFF; +@@ -8865,7 +8864,6 @@ double_to_single (bfd_uint64_t v) + mantissa >>= 29; + return (sign << 31) | (exp << 23) | mantissa; + } +-#endif /* BFD_HOST_64_BIT */ + + enum lit_type + { +@@ -8914,11 +8912,7 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + if (inst.relocs[0].exp.X_op == O_constant + || inst.relocs[0].exp.X_op == O_big) + { +-#if defined BFD_HOST_64_BIT +- bfd_uint64_t v; +-#else +- valueT v; +-#endif ++ uint64_t v; + if (inst.relocs[0].exp.X_op == O_big) + { + LITTLENUM_TYPE w[X_PRECISION]; +@@ -8933,7 +8927,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + else + l = generic_bignum; + +-#if defined BFD_HOST_64_BIT + v = l[3] & LITTLENUM_MASK; + v <<= LITTLENUM_NUMBER_OF_BITS; + v |= l[2] & LITTLENUM_MASK; +@@ -8941,11 +8934,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + v |= l[1] & LITTLENUM_MASK; + v <<= LITTLENUM_NUMBER_OF_BITS; + v |= l[0] & LITTLENUM_MASK; +-#else +- v = l[1] & LITTLENUM_MASK; +- v <<= LITTLENUM_NUMBER_OF_BITS; +- v |= l[0] & LITTLENUM_MASK; +-#endif + } + else + v = inst.relocs[0].exp.X_add_number; +@@ -9041,7 +9029,7 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + ? inst.operands[1].reg + : inst.relocs[0].exp.X_unsigned + ? 0 +- : ((bfd_int64_t)((int) immlo)) >> 32; ++ : (int64_t) (int) immlo >> 32; + int cmode = neon_cmode_for_move_imm (immlo, immhi, false, &immbits, + &op, 64, NT_invtype); + +@@ -9090,7 +9078,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + discrepancy between the output produced by an assembler built for + a 32-bit-only host and the output produced from a 64-bit host, but + this cannot be helped. */ +-#if defined BFD_HOST_64_BIT + else if (!inst.operands[1].issingle + && ARM_CPU_HAS_FEATURE (cpu_variant, fpu_vfp_ext_v3)) + { +@@ -9103,7 +9090,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + return true; + } + } +-#endif + } + } + +diff --git a/gas/config/tc-csky.c b/gas/config/tc-csky.c +index 2371eeb747e..5b824d89af0 100644 +--- a/gas/config/tc-csky.c ++++ b/gas/config/tc-csky.c +@@ -215,7 +215,7 @@ enum + unsigned int mach_flag = 0; + unsigned int arch_flag = 0; + unsigned int other_flag = 0; +-BFD_HOST_U_64_BIT isa_flag = 0; ++uint64_t isa_flag = 0; + unsigned int dsp_flag = 0; + + typedef struct stack_size_entry +@@ -245,7 +245,7 @@ struct csky_macro_info + const char *name; + /* How many operands : if operands == 5, all of 1,2,3,4 are ok. */ + long oprnd_num; +- BFD_HOST_U_64_BIT isa_flag; ++ uint64_t isa_flag; + /* Do the work. */ + void (*handle_func)(void); + }; +@@ -591,14 +591,14 @@ struct csky_cpu_feature + { + const char unique; + unsigned int arch_flag; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + }; + + struct csky_cpu_version + { + int r; + int p; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + }; + + #define CSKY_FEATURE_MAX 10 +@@ -608,7 +608,7 @@ struct csky_cpu_info + { + const char *name; + unsigned int arch_flag; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + struct csky_cpu_feature features[CSKY_FEATURE_MAX]; + struct csky_cpu_version ver[CSKY_CPU_REVERISON_MAX]; + }; +diff --git a/gas/config/tc-sparc.c b/gas/config/tc-sparc.c +index 222223f3549..4e443b1d28d 100644 +--- a/gas/config/tc-sparc.c ++++ b/gas/config/tc-sparc.c +@@ -75,10 +75,10 @@ static enum { MM_TSO, MM_PSO, MM_RMO } sparc_memory_model = MM_RMO; + #ifndef TE_SOLARIS + /* Bitmask of instruction types seen so far, used to populate the + GNU attributes section with hwcap information. */ +-static bfd_uint64_t hwcap_seen; ++static uint64_t hwcap_seen; + #endif + +-static bfd_uint64_t hwcap_allowed; ++static uint64_t hwcap_allowed; + + static int architecture_requested; + static int warn_on_bump; +@@ -498,15 +498,15 @@ md_parse_option (int c, const char *arg) + || opcode_arch > max_architecture) + max_architecture = opcode_arch; + +- /* The allowed hardware capabilities are the implied by the +- opcodes arch plus any extra capabilities defined in the GAS +- arch. */ +- hwcap_allowed +- = (hwcap_allowed +- | (((bfd_uint64_t) sparc_opcode_archs[opcode_arch].hwcaps2) << 32) +- | (((bfd_uint64_t) sa->hwcap2_allowed) << 32) +- | sparc_opcode_archs[opcode_arch].hwcaps +- | sa->hwcap_allowed); ++ /* The allowed hardware capabilities are the implied by the ++ opcodes arch plus any extra capabilities defined in the GAS ++ arch. */ ++ hwcap_allowed ++ = (hwcap_allowed ++ | ((uint64_t) sparc_opcode_archs[opcode_arch].hwcaps2 << 32) ++ | ((uint64_t) sa->hwcap2_allowed << 32) ++ | sparc_opcode_archs[opcode_arch].hwcaps ++ | sa->hwcap_allowed); + architecture_requested = 1; + } + break; +@@ -1607,7 +1607,7 @@ md_assemble (char *str) + } + + static const char * +-get_hwcap_name (bfd_uint64_t mask) ++get_hwcap_name (uint64_t mask) + { + if (mask & HWCAP_MUL32) + return "mul32"; +@@ -3171,8 +3171,7 @@ sparc_ip (char *str, const struct sparc_opcode **pinsn) + msg_str = sasi->name; + } + +- bfd_uint64_t hwcaps +- = (((bfd_uint64_t) insn->hwcaps2) << 32) | insn->hwcaps; ++ uint64_t hwcaps = ((uint64_t) insn->hwcaps2 << 32) | insn->hwcaps; + + #ifndef TE_SOLARIS + if (hwcaps) +@@ -3211,10 +3210,10 @@ sparc_ip (char *str, const struct sparc_opcode **pinsn) + } + current_architecture = needed_architecture; + hwcap_allowed +- = (hwcap_allowed +- | hwcaps +- | (((bfd_uint64_t) sparc_opcode_archs[current_architecture].hwcaps2) << 32) +- | sparc_opcode_archs[current_architecture].hwcaps); ++ = (hwcap_allowed ++ | hwcaps ++ | ((uint64_t) sparc_opcode_archs[current_architecture].hwcaps2 << 32) ++ | sparc_opcode_archs[current_architecture].hwcaps); + } + /* Conflict. */ + /* ??? This seems to be a bit fragile. What if the next entry in +diff --git a/gas/config/tc-tilegx.c b/gas/config/tc-tilegx.c +index b627b7080e5..4fcc38c9034 100644 +--- a/gas/config/tc-tilegx.c ++++ b/gas/config/tc-tilegx.c +@@ -789,16 +789,16 @@ emit_tilegx_instruction (tilegx_bundle_bits bits, + static void + check_illegal_reg_writes (void) + { +- BFD_HOST_U_64_BIT all_regs_written = 0; ++ uint64_t all_regs_written = 0; + int j; + + for (j = 0; j < current_bundle_index; j++) + { + const struct tilegx_instruction *instr = ¤t_bundle[j]; + int k; +- BFD_HOST_U_64_BIT regs = +- ((BFD_HOST_U_64_BIT)1) << instr->opcode->implicitly_written_register; +- BFD_HOST_U_64_BIT conflict; ++ uint64_t regs = ++ (uint64_t) 1 << instr->opcode->implicitly_written_register; ++ uint64_t conflict; + + for (k = 0; k < instr->opcode->num_operands; k++) + { +@@ -808,12 +808,12 @@ check_illegal_reg_writes (void) + if (operand->is_dest_reg) + { + int regno = instr->operand_values[k].X_add_number; +- BFD_HOST_U_64_BIT mask = ((BFD_HOST_U_64_BIT)1) << regno; ++ uint64_t mask = (uint64_t) 1 << regno; + +- if ((mask & ( (((BFD_HOST_U_64_BIT)1) << TREG_IDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN2) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN3))) != 0 ++ if ((mask & ( ((uint64_t) 1 << TREG_IDN1) ++ | ((uint64_t) 1 << TREG_UDN1) ++ | ((uint64_t) 1 << TREG_UDN2) ++ | ((uint64_t) 1 << TREG_UDN3))) != 0 + && !allow_suspicious_bundles) + { + as_bad (_("Writes to register '%s' are not allowed."), +@@ -825,7 +825,7 @@ check_illegal_reg_writes (void) + } + + /* Writing to the zero register doesn't count. */ +- regs &= ~(((BFD_HOST_U_64_BIT)1) << TREG_ZERO); ++ regs &= ~((uint64_t) 1 << TREG_ZERO); + + conflict = all_regs_written & regs; + if (conflict != 0 && !allow_suspicious_bundles) +diff --git a/gas/config/tc-tilepro.c b/gas/config/tc-tilepro.c +index af0be422f98..ca092d77a4b 100644 +--- a/gas/config/tc-tilepro.c ++++ b/gas/config/tc-tilepro.c +@@ -677,16 +677,16 @@ emit_tilepro_instruction (tilepro_bundle_bits bits, + static void + check_illegal_reg_writes (void) + { +- BFD_HOST_U_64_BIT all_regs_written = 0; ++ uint64_t all_regs_written = 0; + int j; + + for (j = 0; j < current_bundle_index; j++) + { + const struct tilepro_instruction *instr = ¤t_bundle[j]; + int k; +- BFD_HOST_U_64_BIT regs = +- ((BFD_HOST_U_64_BIT)1) << instr->opcode->implicitly_written_register; +- BFD_HOST_U_64_BIT conflict; ++ uint64_t regs = ++ (uint64_t) 1 << instr->opcode->implicitly_written_register; ++ uint64_t conflict; + + for (k = 0; k < instr->opcode->num_operands; k++) + { +@@ -696,12 +696,12 @@ check_illegal_reg_writes (void) + if (operand->is_dest_reg) + { + int regno = instr->operand_values[k].X_add_number; +- BFD_HOST_U_64_BIT mask = ((BFD_HOST_U_64_BIT)1) << regno; ++ uint64_t mask = (uint64_t) 1 << regno; + +- if ((mask & ( (((BFD_HOST_U_64_BIT)1) << TREG_IDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN2) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN3))) != 0 ++ if ((mask & ( ((uint64_t) 1 << TREG_IDN1) ++ | ((uint64_t) 1 << TREG_UDN1) ++ | ((uint64_t) 1 << TREG_UDN2) ++ | ((uint64_t) 1 << TREG_UDN3))) != 0 + && !allow_suspicious_bundles) + { + as_bad (_("Writes to register '%s' are not allowed."), +@@ -713,7 +713,7 @@ check_illegal_reg_writes (void) + } + + /* Writing to the zero register doesn't count. */ +- regs &= ~(((BFD_HOST_U_64_BIT)1) << TREG_ZERO); ++ regs &= ~((uint64_t) 1 << TREG_ZERO); + + conflict = all_regs_written & regs; + if (conflict != 0 && !allow_suspicious_bundles) +diff --git a/gas/config/tc-z80.c b/gas/config/tc-z80.c +index 81fbfe3b0ae..714e704e24a 100644 +--- a/gas/config/tc-z80.c ++++ b/gas/config/tc-z80.c +@@ -3910,11 +3910,11 @@ z80_tc_label_is_local (const char *name) + #define EXP_MIN -0x10000 + #define EXP_MAX 0x10000 + static int +-str_to_broken_float (bool *signP, bfd_uint64_t *mantissaP, int *expP) ++str_to_broken_float (bool *signP, uint64_t *mantissaP, int *expP) + { + char *p; + bool sign; +- bfd_uint64_t mantissa = 0; ++ uint64_t mantissa = 0; + int exponent = 0; + int i; + +@@ -4029,7 +4029,7 @@ str_to_broken_float (bool *signP, bfd_uint64_t *mantissaP, int *expP) + static const char * + str_to_zeda32(char *litP, int *sizeP) + { +- bfd_uint64_t mantissa; ++ uint64_t mantissa; + bool sign; + int exponent; + unsigned i; +@@ -4088,7 +4088,7 @@ str_to_zeda32(char *litP, int *sizeP) + static const char * + str_to_float48(char *litP, int *sizeP) + { +- bfd_uint64_t mantissa; ++ uint64_t mantissa; + bool sign; + int exponent; + unsigned i; +diff --git a/gas/config/te-vms.c b/gas/config/te-vms.c +index 015c95867f0..6661a3b6a72 100644 +--- a/gas/config/te-vms.c ++++ b/gas/config/te-vms.c +@@ -339,7 +339,7 @@ vms_file_stats_name (const char *dirname, + return 0; + } + +-bfd_uint64_t ++uint64_t + vms_dwarf2_file_time_name (const char *filename, const char *dirname) + { + long long cdt; +diff --git a/gas/config/te-vms.h b/gas/config/te-vms.h +index ffe7f5e8f37..08f218502de 100644 +--- a/gas/config/te-vms.h ++++ b/gas/config/te-vms.h +@@ -20,7 +20,7 @@ + #define TE_VMS + #include "obj-format.h" + +-extern bfd_uint64_t vms_dwarf2_file_time_name (const char *, const char *); ++extern uint64_t vms_dwarf2_file_time_name (const char *, const char *); + extern long vms_dwarf2_file_size_name (const char *, const char *); + extern char *vms_dwarf2_file_name (const char *, const char *); + +diff --git a/gdb/findcmd.c b/gdb/findcmd.c +index ff13f22e970..ed2cea7b74d 100644 +--- a/gdb/findcmd.c ++++ b/gdb/findcmd.c +@@ -30,7 +30,7 @@ + /* Copied from bfd_put_bits. */ + + static void +-put_bits (bfd_uint64_t data, gdb::byte_vector &buf, int bits, bfd_boolean big_p) ++put_bits (uint64_t data, gdb::byte_vector &buf, int bits, bfd_boolean big_p) + { + int i; + int bytes; +diff --git a/gdb/tilegx-tdep.c b/gdb/tilegx-tdep.c +index 7930db72779..9668aa80b53 100644 +--- a/gdb/tilegx-tdep.c ++++ b/gdb/tilegx-tdep.c +@@ -375,7 +375,7 @@ tilegx_analyze_prologue (struct gdbarch* gdbarch, + CORE_ADDR instbuf_start; + unsigned int instbuf_size; + int status; +- bfd_uint64_t bundle; ++ uint64_t bundle; + struct tilegx_decoded_instruction + decoded[TILEGX_MAX_INSTRUCTIONS_PER_BUNDLE]; + int num_insns; +diff --git a/gprof/gmon_io.c b/gprof/gmon_io.c +index c613809d396..2b4dd26375b 100644 +--- a/gprof/gmon_io.c ++++ b/gprof/gmon_io.c +@@ -48,10 +48,8 @@ enum gmon_ptr_signedness { + static enum gmon_ptr_size gmon_get_ptr_size (void); + static enum gmon_ptr_signedness gmon_get_ptr_signedness (void); + +-#ifdef BFD_HOST_U_64_BIT +-static int gmon_io_read_64 (FILE *, BFD_HOST_U_64_BIT *); +-static int gmon_io_write_64 (FILE *, BFD_HOST_U_64_BIT); +-#endif ++static int gmon_io_read_64 (FILE *, uint64_t *); ++static int gmon_io_write_64 (FILE *, uint64_t); + static int gmon_read_raw_arc + (FILE *, bfd_vma *, bfd_vma *, unsigned long *); + static int gmon_write_raw_arc +@@ -109,9 +107,8 @@ gmon_io_read_32 (FILE *ifp, unsigned int *valp) + return 0; + } + +-#ifdef BFD_HOST_U_64_BIT + static int +-gmon_io_read_64 (FILE *ifp, BFD_HOST_U_64_BIT *valp) ++gmon_io_read_64 (FILE *ifp, uint64_t *valp) + { + char buf[8]; + +@@ -120,15 +117,12 @@ gmon_io_read_64 (FILE *ifp, BFD_HOST_U_64_BIT *valp) + *valp = bfd_get_64 (core_bfd, buf); + return 0; + } +-#endif + + int + gmon_io_read_vma (FILE *ifp, bfd_vma *valp) + { + unsigned int val32; +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT val64; +-#endif ++ uint64_t val64; + + switch (gmon_get_ptr_size ()) + { +@@ -136,23 +130,19 @@ gmon_io_read_vma (FILE *ifp, bfd_vma *valp) + if (gmon_io_read_32 (ifp, &val32)) + return 1; + if (gmon_get_ptr_signedness () == ptr_signed) +- *valp = (int) val32; ++ *valp = (int) val32; + else +- *valp = val32; ++ *valp = val32; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: + if (gmon_io_read_64 (ifp, &val64)) + return 1; +-#ifdef BFD_HOST_64_BIT + if (gmon_get_ptr_signedness () == ptr_signed) +- *valp = (BFD_HOST_64_BIT) val64; ++ *valp = (int64_t) val64; + else +-#endif +- *valp = val64; ++ *valp = val64; + break; +-#endif + } + return 0; + } +@@ -176,9 +166,8 @@ gmon_io_write_32 (FILE *ofp, unsigned int val) + return 0; + } + +-#ifdef BFD_HOST_U_64_BIT + static int +-gmon_io_write_64 (FILE *ofp, BFD_HOST_U_64_BIT val) ++gmon_io_write_64 (FILE *ofp, uint64_t val) + { + char buf[8]; + +@@ -187,7 +176,6 @@ gmon_io_write_64 (FILE *ofp, BFD_HOST_U_64_BIT val) + return 1; + return 0; + } +-#endif + + int + gmon_io_write_vma (FILE *ofp, bfd_vma val) +@@ -200,12 +188,10 @@ gmon_io_write_vma (FILE *ofp, bfd_vma val) + return 1; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: +- if (gmon_io_write_64 (ofp, (BFD_HOST_U_64_BIT) val)) ++ if (gmon_io_write_64 (ofp, (uint64_t) val)) + return 1; + break; +-#endif + } + return 0; + } +@@ -232,9 +218,7 @@ gmon_io_write (FILE *ofp, char *buf, size_t n) + static int + gmon_read_raw_arc (FILE *ifp, bfd_vma *fpc, bfd_vma *spc, unsigned long *cnt) + { +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT cnt64; +-#endif ++ uint64_t cnt64; + unsigned int cnt32; + + if (gmon_io_read_vma (ifp, fpc) +@@ -249,13 +233,11 @@ gmon_read_raw_arc (FILE *ifp, bfd_vma *fpc, bfd_vma *spc, unsigned long *cnt) + *cnt = cnt32; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: + if (gmon_io_read_64 (ifp, &cnt64)) + return 1; + *cnt = cnt64; + break; +-#endif + + default: + return 1; +@@ -278,12 +260,10 @@ gmon_write_raw_arc (FILE *ofp, bfd_vma fpc, bfd_vma spc, unsigned long cnt) + return 1; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: +- if (gmon_io_write_64 (ofp, (BFD_HOST_U_64_BIT) cnt)) ++ if (gmon_io_write_64 (ofp, (uint64_t) cnt)) + return 1; + break; +-#endif + } + return 0; + } +diff --git a/include/elf/nfp.h b/include/elf/nfp.h +index 5a06051196c..c89cefff27b 100644 +--- a/include/elf/nfp.h ++++ b/include/elf/nfp.h +@@ -102,7 +102,7 @@ extern "C" + #define SHF_NFP_INIT 0x80000000 + #define SHF_NFP_INIT2 0x40000000 + #define SHF_NFP_SCS(shf) (((shf) >> 32) & 0xFF) +-#define SHF_NFP_SET_SCS(v) (((BFD_HOST_U_64_BIT)((v) & 0xFF)) << 32) ++#define SHF_NFP_SET_SCS(v) ((uint64_t) ((v) & 0xFF) << 32) + + /* NFP Section Info + For PROGBITS and NOBITS sections: +diff --git a/include/opcode/csky.h b/include/opcode/csky.h +index ed00bfd7cd6..faecba11611 100644 +--- a/include/opcode/csky.h ++++ b/include/opcode/csky.h +@@ -22,46 +22,46 @@ + #include "dis-asm.h" + + /* The following bitmasks control instruction set architecture. */ +-#define CSKYV1_ISA_E1 ((bfd_uint64_t)1 << 0) +-#define CSKYV2_ISA_E1 ((bfd_uint64_t)1 << 1) +-#define CSKYV2_ISA_1E2 ((bfd_uint64_t)1 << 2) +-#define CSKYV2_ISA_2E3 ((bfd_uint64_t)1 << 3) +-#define CSKYV2_ISA_3E7 ((bfd_uint64_t)1 << 4) +-#define CSKYV2_ISA_7E10 ((bfd_uint64_t)1 << 5) +-#define CSKYV2_ISA_3E3R1 ((bfd_uint64_t)1 << 6) +-#define CSKYV2_ISA_3E3R2 ((bfd_uint64_t)1 << 7) +-#define CSKYV2_ISA_10E60 ((bfd_uint64_t)1 << 8) +-#define CSKYV2_ISA_3E3R3 ((bfd_uint64_t)1 << 9) +- +-#define CSKY_ISA_TRUST ((bfd_uint64_t)1 << 11) +-#define CSKY_ISA_CACHE ((bfd_uint64_t)1 << 12) +-#define CSKY_ISA_NVIC ((bfd_uint64_t)1 << 13) +-#define CSKY_ISA_CP ((bfd_uint64_t)1 << 14) +-#define CSKY_ISA_MP ((bfd_uint64_t)1 << 15) +-#define CSKY_ISA_MP_1E2 ((bfd_uint64_t)1 << 16) +-#define CSKY_ISA_JAVA ((bfd_uint64_t)1 << 17) +-#define CSKY_ISA_MAC ((bfd_uint64_t)1 << 18) +-#define CSKY_ISA_MAC_DSP ((bfd_uint64_t)1 << 19) ++#define CSKYV1_ISA_E1 ((uint64_t) 1 << 0) ++#define CSKYV2_ISA_E1 ((uint64_t) 1 << 1) ++#define CSKYV2_ISA_1E2 ((uint64_t) 1 << 2) ++#define CSKYV2_ISA_2E3 ((uint64_t) 1 << 3) ++#define CSKYV2_ISA_3E7 ((uint64_t) 1 << 4) ++#define CSKYV2_ISA_7E10 ((uint64_t) 1 << 5) ++#define CSKYV2_ISA_3E3R1 ((uint64_t) 1 << 6) ++#define CSKYV2_ISA_3E3R2 ((uint64_t) 1 << 7) ++#define CSKYV2_ISA_10E60 ((uint64_t) 1 << 8) ++#define CSKYV2_ISA_3E3R3 ((uint64_t) 1 << 9) ++ ++#define CSKY_ISA_TRUST ((uint64_t) 1 << 11) ++#define CSKY_ISA_CACHE ((uint64_t) 1 << 12) ++#define CSKY_ISA_NVIC ((uint64_t) 1 << 13) ++#define CSKY_ISA_CP ((uint64_t) 1 << 14) ++#define CSKY_ISA_MP ((uint64_t) 1 << 15) ++#define CSKY_ISA_MP_1E2 ((uint64_t) 1 << 16) ++#define CSKY_ISA_JAVA ((uint64_t) 1 << 17) ++#define CSKY_ISA_MAC ((uint64_t) 1 << 18) ++#define CSKY_ISA_MAC_DSP ((uint64_t) 1 << 19) + + /* Base ISA for csky v1 and v2. */ +-#define CSKY_ISA_DSP ((bfd_uint64_t)1 << 20) +-#define CSKY_ISA_DSP_1E2 ((bfd_uint64_t)1 << 21) +-#define CSKY_ISA_DSP_ENHANCE ((bfd_uint64_t)1 << 22) +-#define CSKY_ISA_DSPE60 ((bfd_uint64_t)1 << 23) ++#define CSKY_ISA_DSP ((uint64_t) 1 << 20) ++#define CSKY_ISA_DSP_1E2 ((uint64_t) 1 << 21) ++#define CSKY_ISA_DSP_ENHANCE ((uint64_t) 1 << 22) ++#define CSKY_ISA_DSPE60 ((uint64_t) 1 << 23) + + /* Base float instruction (803f & 810f). */ +-#define CSKY_ISA_FLOAT_E1 ((bfd_uint64_t)1 << 25) ++#define CSKY_ISA_FLOAT_E1 ((uint64_t) 1 << 25) + /* M_FLOAT support (810f). */ +-#define CSKY_ISA_FLOAT_1E2 ((bfd_uint64_t)1 << 26) ++#define CSKY_ISA_FLOAT_1E2 ((uint64_t) 1 << 26) + /* 803 support (803f). */ +-#define CSKY_ISA_FLOAT_1E3 ((bfd_uint64_t)1 << 27) ++#define CSKY_ISA_FLOAT_1E3 ((uint64_t) 1 << 27) + /* 807 support (803f & 807f). */ +-#define CSKY_ISA_FLOAT_3E4 ((bfd_uint64_t)1 << 28) ++#define CSKY_ISA_FLOAT_3E4 ((uint64_t) 1 << 28) + /* 860 support. */ +-#define CSKY_ISA_FLOAT_7E60 ((bfd_uint64_t)1 << 36) ++#define CSKY_ISA_FLOAT_7E60 ((uint64_t) 1 << 36) + /* Vector DSP support. */ +-#define CSKY_ISA_VDSP ((bfd_uint64_t)1 << 29) +-#define CSKY_ISA_VDSP_2 ((bfd_uint64_t)1 << 30) ++#define CSKY_ISA_VDSP ((uint64_t) 1 << 29) ++#define CSKY_ISA_VDSP_2 ((uint64_t) 1 << 30) + + /* The following bitmasks control cpu architecture for CSKY. */ + #define CSKY_ABI_V1 (1 << 28) +diff --git a/include/opcode/ia64.h b/include/opcode/ia64.h +index fbdd8f14e65..42a6812c3f8 100644 +--- a/include/opcode/ia64.h ++++ b/include/opcode/ia64.h +@@ -29,7 +29,7 @@ + extern "C" { + #endif + +-typedef BFD_HOST_U_64_BIT ia64_insn; ++typedef uint64_t ia64_insn; + + enum ia64_insn_type + { +diff --git a/opcodes/csky-dis.c b/opcodes/csky-dis.c +index b7c833623e5..99103ff57b5 100644 +--- a/opcodes/csky-dis.c ++++ b/opcodes/csky-dis.c +@@ -49,7 +49,7 @@ struct csky_dis_info + disassemble_info *info; + /* Opcode information. */ + struct csky_opcode_info const *opinfo; +- BFD_HOST_U_64_BIT isa; ++ uint64_t isa; + /* The value of operand to show. */ + int value; + /* Whether to look up/print a symbol name. */ +diff --git a/opcodes/csky-opc.h b/opcodes/csky-opc.h +index b65efe19d9f..d2db90ede95 100644 +--- a/opcodes/csky-opc.h ++++ b/opcodes/csky-opc.h +@@ -271,8 +271,8 @@ struct csky_opcode + /* Encodings for 32-bit opcodes. */ + struct csky_opcode_info op32[OP_TABLE_NUM]; + /* Instruction set flag. */ +- BFD_HOST_U_64_BIT isa_flag16; +- BFD_HOST_U_64_BIT isa_flag32; ++ uint64_t isa_flag16; ++ uint64_t isa_flag32; + /* Whether this insn needs relocation, 0: no, !=0: yes. */ + signed int reloc16; + signed int reloc32; +diff --git a/opcodes/ia64-dis.c b/opcodes/ia64-dis.c +index 5eb37277a5d..e76f40393c6 100644 +--- a/opcodes/ia64-dis.c ++++ b/opcodes/ia64-dis.c +@@ -73,7 +73,7 @@ print_insn_ia64 (bfd_vma memaddr, struct disassemble_info *info) + const struct ia64_operand *odesc; + const struct ia64_opcode *idesc; + const char *err, *str, *tname; +- BFD_HOST_U_64_BIT value; ++ uint64_t value; + bfd_byte bundle[16]; + enum ia64_unit unit; + char regname[16]; +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch new file mode 100644 index 0000000000..6a838ea3ea --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch @@ -0,0 +1,156 @@ +From 31d6c13defeba7716ebc9d5c8f81f2f35fe39980 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Tue, 14 Jun 2022 12:46:42 +0930 +Subject: [PATCH] PR29230, segv in lookup_symbol_in_variable_table + +The PR23230 testcase uses indexed strings without specifying +SW_AT_str_offsets_base. In this case we left u.str with garbage (from +u.val) which then led to a segfault when attempting to access the +string. Fix that by clearing u.str. The patch also adds missing +sanity checks in the recently committed read_indexed_address and +read_indexed_string functions. + + PR 29230 + * dwarf2.c (read_indexed_address): Return uint64_t. Sanity check idx. + (read_indexed_string): Use uint64_t for str_offset. Sanity check idx. + (read_attribute_value): Clear u.str for indexed string forms when + DW_AT_str_offsets_base is not yet read or missing. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=31d6c13defeba7716ebc9d5c8f81f2f35fe39980] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 42 insertions(+), 9 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 51018e1ab45..aaa2d84887f 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1353,13 +1353,13 @@ is_addrx_form (enum dwarf_form form) + + /* Returns the address in .debug_addr section using DW_AT_addr_base. + Used to implement DW_FORM_addrx*. */ +-static bfd_vma ++static uint64_t + read_indexed_address (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +- size_t addr_base = unit->dwarf_addr_offset; + bfd_byte *info_ptr; ++ size_t offset; + + if (stash == NULL) + return 0; +@@ -1369,12 +1369,23 @@ read_indexed_address (uint64_t idx, struct comp_unit *unit) + &file->dwarf_addr_buffer, &file->dwarf_addr_size)) + return 0; + +- info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size; ++ if (_bfd_mul_overflow (idx, unit->offset_size, &offset)) ++ return 0; ++ ++ offset += unit->dwarf_addr_offset; ++ if (offset < unit->dwarf_addr_offset ++ || offset > file->dwarf_addr_size ++ || file->dwarf_addr_size - offset < unit->offset_size) ++ return 0; ++ ++ info_ptr = file->dwarf_addr_buffer + offset; + + if (unit->offset_size == 4) + return bfd_get_32 (unit->abfd, info_ptr); +- else ++ else if (unit->offset_size == 8) + return bfd_get_64 (unit->abfd, info_ptr); ++ else ++ return 0; + } + + /* Returns the string using DW_AT_str_offsets_base. +@@ -1385,7 +1396,8 @@ read_indexed_string (uint64_t idx, struct comp_unit *unit) + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + bfd_byte *info_ptr; +- unsigned long str_offset; ++ uint64_t str_offset; ++ size_t offset; + + if (stash == NULL) + return NULL; +@@ -1401,15 +1413,26 @@ read_indexed_string (uint64_t idx, struct comp_unit *unit) + &file->dwarf_str_offsets_size)) + return NULL; + +- info_ptr = (file->dwarf_str_offsets_buffer +- + unit->dwarf_str_offset +- + idx * unit->offset_size); ++ if (_bfd_mul_overflow (idx, unit->offset_size, &offset)) ++ return NULL; ++ ++ offset += unit->dwarf_str_offset; ++ if (offset < unit->dwarf_str_offset ++ || offset > file->dwarf_str_offsets_size ++ || file->dwarf_str_offsets_size - offset < unit->offset_size) ++ return NULL; ++ ++ info_ptr = file->dwarf_str_offsets_buffer + offset; + + if (unit->offset_size == 4) + str_offset = bfd_get_32 (unit->abfd, info_ptr); +- else ++ else if (unit->offset_size == 8) + str_offset = bfd_get_64 (unit->abfd, info_ptr); ++ else ++ return NULL; + ++ if (str_offset >= file->dwarf_str_size) ++ return NULL; + return (const char *) file->dwarf_str_buffer + str_offset; + } + +@@ -1534,27 +1557,37 @@ read_attribute_value (struct attribute * attr, + is not yet read. */ + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_strx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); + if (unit->dwarf_str_offset != 0) + attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ else ++ attr->u.str = NULL; + break; + case DW_FORM_exprloc: + case DW_FORM_block: +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch new file mode 100644 index 0000000000..c5a869ca9d --- /dev/null +++ b/poky/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch @@ -0,0 +1,37 @@ +From 3e307d538c351aa9327cbad672c884059ecc20dd Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 11 Jan 2023 12:13:46 +0000 +Subject: [PATCH] Fix a potential illegal memory access in the BFD library when + parsing a corrupt DWARF file. + + PR 29988 + * dwarf2.c (read_indexed_address): Fix check for an out of range + offset. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e307d538c351aa9327cbad672c884059ecc20dd] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/ChangeLog | 6 ++++++ + bfd/dwarf2.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 6eb6e04e6e5..4ec0053a111 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1412,7 +1412,7 @@ read_indexed_address (uint64_t idx, struct comp_unit *unit) + offset += unit->dwarf_addr_offset; + if (offset < unit->dwarf_addr_offset + || offset > file->dwarf_addr_size +- || file->dwarf_addr_size - offset < unit->offset_size) ++ || file->dwarf_addr_size - offset < unit->addr_size) + return 0; + + info_ptr = file->dwarf_addr_buffer + offset; +-- +2.31.1 + diff --git a/poky/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch b/poky/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch deleted file mode 100644 index 88597cf3a9..0000000000 --- a/poky/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b6d1a1ff2de363b1b76c8c70f77ae56a4e4d4b56 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 5 Sep 2019 18:37:31 +0800 -Subject: [PATCH] bootchart2: support usrmerge - -Upstream-Status: Inappropriate [oe-specific] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index 1cc2974..f988904 100644 ---- a/Makefile -+++ b/Makefile -@@ -36,7 +36,7 @@ endif - PY_SITEDIR ?= $(PY_LIBDIR)/site-packages - LIBC_A_PATH = /usr$(LIBDIR) - # Always lib, even on systems that otherwise use lib64 --SYSTEMD_UNIT_DIR = $(EARLY_PREFIX)/lib/systemd/system -+SYSTEMD_UNIT_DIR ?= $(EARLY_PREFIX)/lib/systemd/system - COLLECTOR = \ - collector/collector.o \ - collector/output.o \ -@@ -99,7 +99,7 @@ install-chroot: - install -d $(DESTDIR)$(PKGLIBDIR)/tmpfs - - install-collector: all install-chroot -- install -m 755 -D bootchartd $(DESTDIR)$(EARLY_PREFIX)/sbin/$(PROGRAM_PREFIX)bootchartd$(PROGRAM_SUFFIX) -+ install -m 755 -D bootchartd $(DESTDIR)${BASE_SBINDIR}/$(PROGRAM_PREFIX)bootchartd$(PROGRAM_SUFFIX) - install -m 644 -D bootchartd.conf $(DESTDIR)/etc/$(PROGRAM_PREFIX)bootchartd$(PROGRAM_SUFFIX).conf - install -m 755 -D bootchart-collector $(DESTDIR)$(PKGLIBDIR)/$(PROGRAM_PREFIX)bootchart$(PROGRAM_SUFFIX)-collector - --- -2.7.4 - diff --git a/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb b/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb index b1628075a7..38a1c9d147 100644 --- a/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb +++ b/poky/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb @@ -93,7 +93,6 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)" SRC_URI = "git://github.com/xrmx/bootchart.git;branch=master;protocol=https \ file://bootchartd_stop.sh \ file://0001-collector-Allocate-space-on-heap-for-chunks.patch \ - file://0001-bootchart2-support-usrmerge.patch \ file://0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch \ " @@ -119,12 +118,11 @@ UPDATERCPN = "bootchartd-stop-initscript" INITSCRIPT_NAME = "bootchartd_stop.sh" INITSCRIPT_PARAMS = "start 99 2 3 4 5 ." -EXTRA_OEMAKE = 'BASE_SBINDIR="${base_sbindir}"' - do_compile:prepend () { export PY_LIBDIR="${libdir}/${PYTHON_DIR}" export BINDIR="${bindir}" - export LIBDIR="${base_libdir}" + export LIBDIR="/${baselib}" + export EARLY_PREFIX="${root_prefix}" } do_install () { @@ -132,9 +130,8 @@ do_install () { export PY_LIBDIR="${libdir}/${PYTHON_DIR}" export BINDIR="${bindir}" export DESTDIR="${D}" - export LIBDIR="${base_libdir}" - export PKGLIBDIR="${base_libdir}/bootchart" - export SYSTEMD_UNIT_DIR="${systemd_system_unitdir}" + export LIBDIR="/${baselib}" + export EARLY_PREFIX="${root_prefix}" oe_runmake install NO_PYTHON_COMPILE=1 install -d ${D}${sysconfdir}/init.d diff --git a/poky/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb b/poky/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb index ee1f7761c4..45ea78ae00 100644 --- a/poky/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb +++ b/poky/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb @@ -32,6 +32,7 @@ CMAKE_EXTRACONF = "\ -DCMAKE_USE_SYSTEM_LIBRARY_EXPAT=0 \ -DENABLE_ACL=0 -DHAVE_ACL_LIBACL_H=0 \ -DHAVE_SYS_ACL_H=0 \ + -DCURL_LIBRARIES=-lcurl \ " do_configure () { diff --git a/poky/meta/recipes-devtools/gcc/gcc-11.3.inc b/poky/meta/recipes-devtools/gcc/gcc-11.3.inc index 27074a06ae..ab2ece3cce 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-11.3.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-11.3.inc @@ -48,7 +48,6 @@ SRC_URI = "\ file://0016-If-CXXFLAGS-contains-something-unsupported-by-the-bu.patch \ file://0017-handle-sysroot-support-for-nativesdk-gcc.patch \ file://0018-Search-target-sysroot-gcc-version-specific-dirs-with.patch \ - file://0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch \ file://0020-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch \ file://0021-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch \ file://0022-sync-gcc-stddef.h-with-musl.patch \ diff --git a/poky/meta/recipes-devtools/gcc/gcc-shared-source.inc b/poky/meta/recipes-devtools/gcc/gcc-shared-source.inc index aac4b49313..03f520b093 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-shared-source.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-shared-source.inc @@ -9,3 +9,13 @@ SRC_URI = "" do_configure[depends] += "gcc-source-${PV}:do_preconfigure" do_populate_lic[depends] += "gcc-source-${PV}:do_unpack" +do_deploy_source_date_epoch[depends] += "gcc-source-${PV}:do_deploy_source_date_epoch" + +# Copy the SDE from the shared workdir to the recipe workdir +do_deploy_source_date_epoch () { + sde_file=${SDE_FILE} + sde_file=${sde_file#${WORKDIR}/} + mkdir -p ${SDE_DEPLOYDIR} $(dirname ${SDE_FILE}) + cp -p $(dirname ${S})/$sde_file ${SDE_DEPLOYDIR} + cp -p $(dirname ${S})/$sde_file ${SDE_FILE} +} diff --git a/poky/meta/recipes-devtools/gcc/gcc-source.inc b/poky/meta/recipes-devtools/gcc/gcc-source.inc index 224b7778ef..265bcf4bef 100644 --- a/poky/meta/recipes-devtools/gcc/gcc-source.inc +++ b/poky/meta/recipes-devtools/gcc/gcc-source.inc @@ -17,6 +17,13 @@ STAMPCLEAN = "${STAMPS_DIR}/work-shared/gcc-${PV}-*" INHIBIT_DEFAULT_DEPS = "1" DEPENDS = "" PACKAGES = "" +TARGET_ARCH = "allarch" +TARGET_AS_ARCH = "none" +TARGET_CC_ARCH = "none" +TARGET_LD_ARCH = "none" +TARGET_OS = "linux" +baselib = "lib" +PACKAGE_ARCH = "all" B = "${WORKDIR}/build" @@ -25,8 +32,6 @@ python do_preconfigure () { import subprocess cmd = d.expand('cd ${S} && PATH=${PATH} gnu-configize') subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) - # See 0044-gengtypes.patch, we need to regenerate this file - bb.utils.remove(d.expand("${S}/gcc/gengtype-lex.c")) cmd = d.expand("sed -i 's/BUILD_INFO=info/BUILD_INFO=/' ${S}/gcc/configure") subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) diff --git a/poky/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch b/poky/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch index c38d1b9119..864c8b3017 100644 --- a/poky/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch +++ b/poky/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch @@ -43,10 +43,10 @@ Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com> gcc/testsuite/lib/target-supports.exp | 3 ++- 9 files changed, 79 insertions(+), 8 deletions(-) -diff --git a/gcc/config/arm/arm-cpus.in b/gcc/config/arm/arm-cpus.in -index bcc9ebe9f..58d83829c 100644 ---- a/gcc/config/arm/arm-cpus.in -+++ b/gcc/config/arm/arm-cpus.in +Index: gcc-11.3.0/gcc/config/arm/arm-cpus.in +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/arm-cpus.in ++++ gcc-11.3.0/gcc/config/arm/arm-cpus.in @@ -132,6 +132,9 @@ define feature cmse # Architecture rel 8.1-M. define feature armv8_1m_main @@ -57,7 +57,7 @@ index bcc9ebe9f..58d83829c 100644 # Floating point and Neon extensions. # VFPv1 is not supported in GCC. -@@ -293,6 +296,7 @@ define fgroup ARMv8m_base ARMv6m armv8 cmse tdiv +@@ -293,6 +296,7 @@ define fgroup ARMv8m_base ARMv6m armv8 c define fgroup ARMv8m_main ARMv7m armv8 cmse define fgroup ARMv8r ARMv8a define fgroup ARMv8_1m_main ARMv8m_main armv8_1m_main @@ -87,10 +87,10 @@ index bcc9ebe9f..58d83829c 100644 begin arch iwmmxt tune for iwmmxt tune flags LDSCHED STRONG XSCALE -diff --git a/gcc/config/arm/arm-tables.opt b/gcc/config/arm/arm-tables.opt -index 5692d4fb7..ae3dd9414 100644 ---- a/gcc/config/arm/arm-tables.opt -+++ b/gcc/config/arm/arm-tables.opt +Index: gcc-11.3.0/gcc/config/arm/arm-tables.opt +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/arm-tables.opt ++++ gcc-11.3.0/gcc/config/arm/arm-tables.opt @@ -380,10 +380,13 @@ EnumValue Enum(arm_arch) String(armv8.1-m.main) Value(30) @@ -107,10 +107,10 @@ index 5692d4fb7..ae3dd9414 100644 Enum Name(arm_fpu) Type(enum fpu_type) -diff --git a/gcc/config/arm/arm.h b/gcc/config/arm/arm.h -index 47c13a9e5..088c7725c 100644 ---- a/gcc/config/arm/arm.h -+++ b/gcc/config/arm/arm.h +Index: gcc-11.3.0/gcc/config/arm/arm.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/arm.h ++++ gcc-11.3.0/gcc/config/arm/arm.h @@ -456,7 +456,8 @@ enum base_architecture BASE_ARCH_8A = 8, BASE_ARCH_8M_BASE = 8, @@ -121,10 +121,10 @@ index 47c13a9e5..088c7725c 100644 }; /* The major revision number of the ARM Architecture implemented by the target. */ -diff --git a/gcc/config/arm/t-aprofile b/gcc/config/arm/t-aprofile -index 8574ac3e2..68e2251c7 100644 ---- a/gcc/config/arm/t-aprofile -+++ b/gcc/config/arm/t-aprofile +Index: gcc-11.3.0/gcc/config/arm/t-aprofile +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/t-aprofile ++++ gcc-11.3.0/gcc/config/arm/t-aprofile @@ -26,8 +26,8 @@ # Arch and FPU variants to build libraries with @@ -136,7 +136,7 @@ index 8574ac3e2..68e2251c7 100644 # ARMv7-A - build nofp, fp-d16 and SIMD variants -@@ -46,6 +46,11 @@ MULTILIB_REQUIRED += mthumb/march=armv8-a/mfloat-abi=soft +@@ -46,6 +46,11 @@ MULTILIB_REQUIRED += mthumb/march=armv8- MULTILIB_REQUIRED += mthumb/march=armv8-a+simd/mfloat-abi=hard MULTILIB_REQUIRED += mthumb/march=armv8-a+simd/mfloat-abi=softfp @@ -148,7 +148,7 @@ index 8574ac3e2..68e2251c7 100644 # Matches # Arch Matches -@@ -129,17 +134,29 @@ MULTILIB_MATCHES += march?armv8-a=march?armv8.6-a +@@ -129,17 +134,29 @@ MULTILIB_MATCHES += march?armv8-a=march? MULTILIB_MATCHES += $(foreach ARCH, $(v8_6_a_simd_variants), \ march?armv8-a+simd=march?armv8.6-a$(ARCH)) @@ -180,11 +180,11 @@ index 8574ac3e2..68e2251c7 100644 - $(foreach ARCH, armv7-a armv8-a, \ + $(foreach ARCH, armv7-a armv8-a armv9-a, \ mthumb/march.$(ARCH)/mfloat-abi.soft=m$(MODE)/march.$(ARCH)/mfloat-abi.softfp)) -diff --git a/gcc/config/arm/t-arm-elf b/gcc/config/arm/t-arm-elf -index d68def308..b3a900e8c 100644 ---- a/gcc/config/arm/t-arm-elf -+++ b/gcc/config/arm/t-arm-elf -@@ -38,6 +38,8 @@ v7ve_fps := vfpv3-d16 vfpv3 vfpv3-d16-fp16 vfpv3-fp16 vfpv4 neon \ +Index: gcc-11.3.0/gcc/config/arm/t-arm-elf +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/t-arm-elf ++++ gcc-11.3.0/gcc/config/arm/t-arm-elf +@@ -38,6 +38,8 @@ v7ve_fps := vfpv3-d16 vfpv3 vfpv3-d16-fp # it seems to work ok. v8_fps := simd fp16 crypto fp16+crypto dotprod fp16fml @@ -202,7 +202,7 @@ index d68def308..b3a900e8c 100644 # No floating point variants, require thumb1 softfp all_nofp_t := armv6-m armv6s-m armv8-m.base -@@ -110,6 +114,11 @@ MULTILIB_MATCHES += $(foreach ARCH, $(all_v8_archs), \ +@@ -110,6 +114,11 @@ MULTILIB_MATCHES += $(foreach ARCH, $(foreach FPARCH, $(v8_fps), \ march?armv7+fp=march?$(ARCH)+$(FPARCH))) @@ -214,11 +214,11 @@ index d68def308..b3a900e8c 100644 MULTILIB_MATCHES += $(foreach ARCH, armv7e-m armv8-m.mainline, \ march?armv7+fp=march?$(ARCH)+fp.dp) -diff --git a/gcc/config/arm/t-multilib b/gcc/config/arm/t-multilib -index ddc5033bf..d789b86ee 100644 ---- a/gcc/config/arm/t-multilib -+++ b/gcc/config/arm/t-multilib -@@ -78,6 +78,8 @@ v8_4_a_simd_variants := $(call all_feat_combs, simd fp16 crypto i8mm bf16) +Index: gcc-11.3.0/gcc/config/arm/t-multilib +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/t-multilib ++++ gcc-11.3.0/gcc/config/arm/t-multilib +@@ -78,6 +78,8 @@ v8_4_a_simd_variants := $(call all_feat_ v8_5_a_simd_variants := $(call all_feat_combs, simd fp16 crypto i8mm bf16) v8_6_a_simd_variants := $(call all_feat_combs, simd fp16 crypto i8mm bf16) v8_r_nosimd_variants := +crc @@ -227,7 +227,7 @@ index ddc5033bf..d789b86ee 100644 ifneq (,$(HAS_APROFILE)) include $(srcdir)/config/arm/t-aprofile -@@ -202,6 +204,16 @@ MULTILIB_MATCHES += march?armv7=march?armv8.6-a +@@ -202,6 +204,16 @@ MULTILIB_MATCHES += march?armv7=march?ar MULTILIB_MATCHES += $(foreach ARCH, $(v8_6_a_simd_variants), \ march?armv7+fp=march?armv8.6-a$(ARCH)) @@ -244,10 +244,10 @@ index ddc5033bf..d789b86ee 100644 endif # Not APROFILE. # Use Thumb libraries for everything. -diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi -index 7184a62d0..9a712c0d6 100644 ---- a/gcc/doc/invoke.texi -+++ b/gcc/doc/invoke.texi +Index: gcc-11.3.0/gcc/doc/invoke.texi +=================================================================== +--- gcc-11.3.0.orig/gcc/doc/invoke.texi ++++ gcc-11.3.0/gcc/doc/invoke.texi @@ -19701,6 +19701,7 @@ Permissible names are: @samp{armv7-m}, @samp{armv7e-m}, @samp{armv8-m.base}, @samp{armv8-m.main}, @@ -256,10 +256,10 @@ index 7184a62d0..9a712c0d6 100644 @samp{iwmmxt} and @samp{iwmmxt2}. Additionally, the following architectures, which lack support for the -diff --git a/gcc/testsuite/gcc.target/arm/multilib.exp b/gcc/testsuite/gcc.target/arm/multilib.exp -index 4b30025db..e3f06c316 100644 ---- a/gcc/testsuite/gcc.target/arm/multilib.exp -+++ b/gcc/testsuite/gcc.target/arm/multilib.exp +Index: gcc-11.3.0/gcc/testsuite/gcc.target/arm/multilib.exp +=================================================================== +--- gcc-11.3.0.orig/gcc/testsuite/gcc.target/arm/multilib.exp ++++ gcc-11.3.0/gcc/testsuite/gcc.target/arm/multilib.exp @@ -135,6 +135,14 @@ if {[multilib_config "aprofile"] } { {-march=armv8.6-a+simd+fp16 -mfloat-abi=softfp} "thumb/v8-a+simd/softfp" {-march=armv8.6-a+simd+fp16+nofp -mfloat-abi=softfp} "thumb/v8-a/nofp" @@ -275,10 +275,10 @@ index 4b30025db..e3f06c316 100644 {-mcpu=cortex-a53+crypto -mfloat-abi=hard} "thumb/v8-a+simd/hard" {-mcpu=cortex-a53+nofp -mfloat-abi=softfp} "thumb/v8-a/nofp" {-march=armv8-a+crc -mfloat-abi=hard -mfpu=vfp} "thumb/v8-a+simd/hard" -diff --git a/gcc/testsuite/lib/target-supports.exp b/gcc/testsuite/lib/target-supports.exp -index 857e57218..52e043917 100644 ---- a/gcc/testsuite/lib/target-supports.exp -+++ b/gcc/testsuite/lib/target-supports.exp +Index: gcc-11.3.0/gcc/testsuite/lib/target-supports.exp +=================================================================== +--- gcc-11.3.0.orig/gcc/testsuite/lib/target-supports.exp ++++ gcc-11.3.0/gcc/testsuite/lib/target-supports.exp @@ -4820,7 +4820,8 @@ foreach { armfunc armflag armdefs } { v8m_base "-march=armv8-m.base -mthumb -mfloat-abi=soft" __ARM_ARCH_8M_BASE__ @@ -289,6 +289,3 @@ index 857e57218..52e043917 100644 eval [string map [list FUNC $armfunc FLAG $armflag DEFS $armdefs ] { proc check_effective_target_arm_arch_FUNC_ok { } { return [check_no_compiler_messages arm_arch_FUNC_ok assembly { --- -2.34.1 - diff --git a/poky/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch b/poky/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch index ef19eef822..b3515c9734 100644 --- a/poky/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch +++ b/poky/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch @@ -1,4 +1,4 @@ -From 84dd8ea4c982fc2c82af642293d29e9c1880de5b Mon Sep 17 00:00:00 2001 +From 4de00af67b57b5440bdf61ab364ad959ad0aeee7 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Fri, 29 Mar 2013 09:24:50 +0400 Subject: [PATCH] Define GLIBC_DYNAMIC_LINKER and UCLIBC_DYNAMIC_LINKER @@ -12,28 +12,37 @@ SH, sparc, alpha for possible future support (if any) Removes the do_headerfix task in metadata +Signed-off-by: Khem Raj <raj.khem@gmail.com> + Upstream-Status: Inappropriate [OE configuration] Signed-off-by: Khem Raj <raj.khem@gmail.com> + +Refresh patch from master to deduplicate patches and fix arm linker +Signed-off-by: Pavel Zhukov <pavel@zhukoff.net> --- gcc/config/aarch64/aarch64-linux.h | 4 ++-- gcc/config/alpha/linux-elf.h | 4 ++-- - gcc/config/arm/linux-eabi.h | 4 ++-- + gcc/config/arm/linux-eabi.h | 6 +++--- gcc/config/arm/linux-elf.h | 2 +- - gcc/config/i386/linux.h | 2 +- - gcc/config/i386/linux64.h | 6 +++--- + gcc/config/i386/linux.h | 4 ++-- + gcc/config/i386/linux64.h | 12 ++++++------ gcc/config/linux.h | 8 ++++---- - gcc/config/mips/linux.h | 12 ++++++------ - gcc/config/riscv/linux.h | 2 +- + gcc/config/microblaze/linux.h | 4 ++-- + gcc/config/mips/linux.h | 18 +++++++++--------- + gcc/config/nios2/linux.h | 4 ++-- + gcc/config/riscv/linux.h | 4 ++-- gcc/config/rs6000/linux64.h | 15 +++++---------- - gcc/config/sh/linux.h | 2 +- + gcc/config/rs6000/sysv4.h | 4 ++-- + gcc/config/s390/linux.h | 8 ++++---- + gcc/config/sh/linux.h | 4 ++-- gcc/config/sparc/linux.h | 2 +- gcc/config/sparc/linux64.h | 4 ++-- - 13 files changed, 31 insertions(+), 36 deletions(-) + 17 files changed, 53 insertions(+), 58 deletions(-) -diff --git a/gcc/config/aarch64/aarch64-linux.h b/gcc/config/aarch64/aarch64-linux.h -index 7f2529a2a1d..4bcae7f3110 100644 ---- a/gcc/config/aarch64/aarch64-linux.h -+++ b/gcc/config/aarch64/aarch64-linux.h +Index: gcc-11.3.0/gcc/config/aarch64/aarch64-linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/aarch64/aarch64-linux.h ++++ gcc-11.3.0/gcc/config/aarch64/aarch64-linux.h @@ -21,10 +21,10 @@ #ifndef GCC_AARCH64_LINUX_H #define GCC_AARCH64_LINUX_H @@ -47,11 +56,11 @@ index 7f2529a2a1d..4bcae7f3110 100644 #undef ASAN_CC1_SPEC #define ASAN_CC1_SPEC "%{%:sanitize(address):-funwind-tables}" -diff --git a/gcc/config/alpha/linux-elf.h b/gcc/config/alpha/linux-elf.h -index c1dae8ca2cf..3ce2b76c1a4 100644 ---- a/gcc/config/alpha/linux-elf.h -+++ b/gcc/config/alpha/linux-elf.h -@@ -23,8 +23,8 @@ along with GCC; see the file COPYING3. If not see +Index: gcc-11.3.0/gcc/config/alpha/linux-elf.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/alpha/linux-elf.h ++++ gcc-11.3.0/gcc/config/alpha/linux-elf.h +@@ -23,8 +23,8 @@ along with GCC; see the file COPYING3. #define EXTRA_SPECS \ { "elf_dynamic_linker", ELF_DYNAMIC_LINKER }, @@ -62,10 +71,10 @@ index c1dae8ca2cf..3ce2b76c1a4 100644 #if DEFAULT_LIBC == LIBC_UCLIBC #define CHOOSE_DYNAMIC_LINKER(G, U) "%{mglibc:" G ";:" U "}" #elif DEFAULT_LIBC == LIBC_GLIBC -diff --git a/gcc/config/arm/linux-eabi.h b/gcc/config/arm/linux-eabi.h -index 85d0136e76e..6bd95855827 100644 ---- a/gcc/config/arm/linux-eabi.h -+++ b/gcc/config/arm/linux-eabi.h +Index: gcc-11.3.0/gcc/config/arm/linux-eabi.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/linux-eabi.h ++++ gcc-11.3.0/gcc/config/arm/linux-eabi.h @@ -65,8 +65,8 @@ GLIBC_DYNAMIC_LINKER_DEFAULT and TARGET_DEFAULT_FLOAT_ABI. */ @@ -77,10 +86,19 @@ index 85d0136e76e..6bd95855827 100644 #define GLIBC_DYNAMIC_LINKER_DEFAULT GLIBC_DYNAMIC_LINKER_SOFT_FLOAT #define GLIBC_DYNAMIC_LINKER \ -diff --git a/gcc/config/arm/linux-elf.h b/gcc/config/arm/linux-elf.h -index 0c1c4e70b6b..6bd643ade11 100644 ---- a/gcc/config/arm/linux-elf.h -+++ b/gcc/config/arm/linux-elf.h +@@ -89,7 +89,7 @@ + #define MUSL_DYNAMIC_LINKER_E "%{mbig-endian:eb}" + #endif + #define MUSL_DYNAMIC_LINKER \ +- "/lib/ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" + + /* At this point, bpabi.h will have clobbered LINK_SPEC. We want to + use the GNU/Linux version, not the generic BPABI version. */ +Index: gcc-11.3.0/gcc/config/arm/linux-elf.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/linux-elf.h ++++ gcc-11.3.0/gcc/config/arm/linux-elf.h @@ -60,7 +60,7 @@ #define LIBGCC_SPEC "%{mfloat-abi=soft*:-lfloat} -lgcc" @@ -90,11 +108,11 @@ index 0c1c4e70b6b..6bd643ade11 100644 #define LINUX_TARGET_LINK_SPEC "%{h*} \ %{static:-Bstatic} \ -diff --git a/gcc/config/i386/linux.h b/gcc/config/i386/linux.h -index 04b274f1654..7aafcf3ac2d 100644 ---- a/gcc/config/i386/linux.h -+++ b/gcc/config/i386/linux.h -@@ -20,7 +20,7 @@ along with GCC; see the file COPYING3. If not see +Index: gcc-11.3.0/gcc/config/i386/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/i386/linux.h ++++ gcc-11.3.0/gcc/config/i386/linux.h +@@ -20,7 +20,7 @@ along with GCC; see the file COPYING3. <http://www.gnu.org/licenses/>. */ #define GNU_USER_LINK_EMULATION "elf_i386" @@ -102,12 +120,13 @@ index 04b274f1654..7aafcf3ac2d 100644 +#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-linux.so.2" #undef MUSL_DYNAMIC_LINKER - #define MUSL_DYNAMIC_LINKER "/lib/ld-musl-i386.so.1" -diff --git a/gcc/config/i386/linux64.h b/gcc/config/i386/linux64.h -index b3822ced528..92d303e80d6 100644 ---- a/gcc/config/i386/linux64.h -+++ b/gcc/config/i386/linux64.h -@@ -27,9 +27,9 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see +-#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-i386.so.1" ++#define MUSL_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-musl-i386.so.1" +Index: gcc-11.3.0/gcc/config/i386/linux64.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/i386/linux64.h ++++ gcc-11.3.0/gcc/config/i386/linux64.h +@@ -27,13 +27,13 @@ see the files COPYING3 and COPYING.RUNTI #define GNU_USER_LINK_EMULATION64 "elf_x86_64" #define GNU_USER_LINK_EMULATIONX32 "elf32_x86_64" @@ -119,12 +138,19 @@ index b3822ced528..92d303e80d6 100644 +#define GLIBC_DYNAMIC_LINKERX32 SYSTEMLIBS_DIR "ld-linux-x32.so.2" #undef MUSL_DYNAMIC_LINKER32 - #define MUSL_DYNAMIC_LINKER32 "/lib/ld-musl-i386.so.1" -diff --git a/gcc/config/linux.h b/gcc/config/linux.h -index 4e1db60fced..87efc5f69fe 100644 ---- a/gcc/config/linux.h -+++ b/gcc/config/linux.h -@@ -94,10 +94,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see +-#define MUSL_DYNAMIC_LINKER32 "/lib/ld-musl-i386.so.1" ++#define MUSL_DYNAMIC_LINKER32 SYSTEMLIBS_DIR "ld-musl-i386.so.1" + #undef MUSL_DYNAMIC_LINKER64 +-#define MUSL_DYNAMIC_LINKER64 "/lib/ld-musl-x86_64.so.1" ++#define MUSL_DYNAMIC_LINKER64 SYSTEMLIBS_DIR "ld-musl-x86_64.so.1" + #undef MUSL_DYNAMIC_LINKERX32 +-#define MUSL_DYNAMIC_LINKERX32 "/lib/ld-musl-x32.so.1" ++#define MUSL_DYNAMIC_LINKERX32 SYSTEMLIBS_DIR "ld-musl-x32.so.1" +Index: gcc-11.3.0/gcc/config/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/linux.h ++++ gcc-11.3.0/gcc/config/linux.h +@@ -94,10 +94,10 @@ see the files COPYING3 and COPYING.RUNTI GLIBC_DYNAMIC_LINKER must be defined for each target using them, or GLIBC_DYNAMIC_LINKER32 and GLIBC_DYNAMIC_LINKER64 for targets supporting both 32-bit and 64-bit compilation. */ @@ -139,11 +165,33 @@ index 4e1db60fced..87efc5f69fe 100644 #define BIONIC_DYNAMIC_LINKER "/system/bin/linker" #define BIONIC_DYNAMIC_LINKER32 "/system/bin/linker" #define BIONIC_DYNAMIC_LINKER64 "/system/bin/linker64" -diff --git a/gcc/config/mips/linux.h b/gcc/config/mips/linux.h -index 44a85e410d9..8d41b5574f6 100644 ---- a/gcc/config/mips/linux.h -+++ b/gcc/config/mips/linux.h -@@ -22,20 +22,20 @@ along with GCC; see the file COPYING3. If not see +Index: gcc-11.3.0/gcc/config/microblaze/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/microblaze/linux.h ++++ gcc-11.3.0/gcc/config/microblaze/linux.h +@@ -28,7 +28,7 @@ + #undef TLS_NEEDS_GOT + #define TLS_NEEDS_GOT 1 + +-#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "/ld.so.1" + #define UCLIBC_DYNAMIC_LINKER "/lib/ld-uClibc.so.0" + + #if TARGET_BIG_ENDIAN_DEFAULT == 0 /* LE */ +@@ -38,7 +38,7 @@ + #endif + + #undef MUSL_DYNAMIC_LINKER +-#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-microblaze" MUSL_DYNAMIC_LINKER_E ".so.1" ++#define MUSL_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-musl-microblaze" MUSL_DYNAMIC_LINKER_E ".so.1" + + #undef SUBTARGET_EXTRA_SPECS + #define SUBTARGET_EXTRA_SPECS \ +Index: gcc-11.3.0/gcc/config/mips/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/mips/linux.h ++++ gcc-11.3.0/gcc/config/mips/linux.h +@@ -22,29 +22,29 @@ along with GCC; see the file COPYING3. #define GNU_USER_LINK_EMULATIONN32 "elf32%{EB:b}%{EL:l}tsmipn32" #define GLIBC_DYNAMIC_LINKER32 \ @@ -170,11 +218,36 @@ index 44a85e410d9..8d41b5574f6 100644 #undef MUSL_DYNAMIC_LINKER32 #define MUSL_DYNAMIC_LINKER32 \ -diff --git a/gcc/config/riscv/linux.h b/gcc/config/riscv/linux.h -index fce5b896e6e..03aa55cb5ab 100644 ---- a/gcc/config/riscv/linux.h -+++ b/gcc/config/riscv/linux.h -@@ -22,7 +22,7 @@ along with GCC; see the file COPYING3. If not see +- "/lib/ld-musl-mips%{mips32r6|mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-mips%{mips32r6|mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" + #undef MUSL_DYNAMIC_LINKER64 + #define MUSL_DYNAMIC_LINKER64 \ +- "/lib/ld-musl-mips64%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-mips64%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" + #define MUSL_DYNAMIC_LINKERN32 \ +- "/lib/ld-musl-mipsn32%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-mipsn32%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" + + #define BIONIC_DYNAMIC_LINKERN32 "/system/bin/linker32" + #define GNU_USER_DYNAMIC_LINKERN32 \ +Index: gcc-11.3.0/gcc/config/nios2/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/nios2/linux.h ++++ gcc-11.3.0/gcc/config/nios2/linux.h +@@ -29,7 +29,7 @@ + #undef CPP_SPEC + #define CPP_SPEC "%{posix:-D_POSIX_SOURCE} %{pthread:-D_REENTRANT}" + +-#define GLIBC_DYNAMIC_LINKER "/lib/ld-linux-nios2.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-linux-nios2.so.1" + + #undef LINK_SPEC + #define LINK_SPEC LINK_SPEC_ENDIAN \ +Index: gcc-11.3.0/gcc/config/riscv/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/riscv/linux.h ++++ gcc-11.3.0/gcc/config/riscv/linux.h +@@ -22,7 +22,7 @@ along with GCC; see the file COPYING3. GNU_USER_TARGET_OS_CPP_BUILTINS(); \ } while (0) @@ -183,10 +256,19 @@ index fce5b896e6e..03aa55cb5ab 100644 #define MUSL_ABI_SUFFIX \ "%{mabi=ilp32:-sf}" \ -diff --git a/gcc/config/rs6000/linux64.h b/gcc/config/rs6000/linux64.h -index e3f2cd254f6..a11e01faa3d 100644 ---- a/gcc/config/rs6000/linux64.h -+++ b/gcc/config/rs6000/linux64.h +@@ -33,7 +33,7 @@ along with GCC; see the file COPYING3. + "%{mabi=lp64d:}" + + #undef MUSL_DYNAMIC_LINKER +-#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-riscv" XLEN_SPEC MUSL_ABI_SUFFIX ".so.1" ++#define MUSL_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-musl-riscv" XLEN_SPEC MUSL_ABI_SUFFIX ".so.1" + + /* Because RISC-V only has word-sized atomics, it requries libatomic where + others do not. So link libatomic by default, as needed. */ +Index: gcc-11.3.0/gcc/config/rs6000/linux64.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/rs6000/linux64.h ++++ gcc-11.3.0/gcc/config/rs6000/linux64.h @@ -336,24 +336,19 @@ extern int dot_symbols; #undef LINK_OS_DEFAULT_SPEC #define LINK_OS_DEFAULT_SPEC "%(link_os_linux)" @@ -217,12 +299,55 @@ index e3f2cd254f6..a11e01faa3d 100644 #undef DEFAULT_ASM_ENDIAN #if (TARGET_DEFAULT & MASK_LITTLE_ENDIAN) -diff --git a/gcc/config/sh/linux.h b/gcc/config/sh/linux.h -index 7558d2f7195..3aaa6c3a078 100644 ---- a/gcc/config/sh/linux.h -+++ b/gcc/config/sh/linux.h -@@ -64,7 +64,7 @@ along with GCC; see the file COPYING3. If not see - "/lib/ld-musl-sh" MUSL_DYNAMIC_LINKER_E MUSL_DYNAMIC_LINKER_FP \ +Index: gcc-11.3.0/gcc/config/rs6000/sysv4.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/rs6000/sysv4.h ++++ gcc-11.3.0/gcc/config/rs6000/sysv4.h +@@ -780,10 +780,10 @@ GNU_USER_TARGET_CC1_SPEC + + #define MUSL_DYNAMIC_LINKER_E ENDIAN_SELECT("","le","") + +-#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld.so.1" + #undef MUSL_DYNAMIC_LINKER + #define MUSL_DYNAMIC_LINKER \ +- "/lib/ld-musl-powerpc" MUSL_DYNAMIC_LINKER_E "%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-powerpc" MUSL_DYNAMIC_LINKER_E "%{msoft-float:-sf}.so.1" + + #ifndef GNU_USER_DYNAMIC_LINKER + #define GNU_USER_DYNAMIC_LINKER GLIBC_DYNAMIC_LINKER +Index: gcc-11.3.0/gcc/config/s390/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/s390/linux.h ++++ gcc-11.3.0/gcc/config/s390/linux.h +@@ -72,13 +72,13 @@ along with GCC; see the file COPYING3. + #define MULTILIB_DEFAULTS { "m31" } + #endif + +-#define GLIBC_DYNAMIC_LINKER32 "/lib/ld.so.1" +-#define GLIBC_DYNAMIC_LINKER64 "/lib/ld64.so.1" ++#define GLIBC_DYNAMIC_LINKER32 SYSTEMLIBS_DIR "ld.so.1" ++#define GLIBC_DYNAMIC_LINKER64 SYSTEMLIBS_DIR "ld64.so.1" + + #undef MUSL_DYNAMIC_LINKER32 +-#define MUSL_DYNAMIC_LINKER32 "/lib/ld-musl-s390.so.1" ++#define MUSL_DYNAMIC_LINKER32 SYSTEMLIBS_DIR "ld-musl-s390.so.1" + #undef MUSL_DYNAMIC_LINKER64 +-#define MUSL_DYNAMIC_LINKER64 "/lib/ld-musl-s390x.so.1" ++#define MUSL_DYNAMIC_LINKER64 SYSTEMLIBS_DIR "ld-musl-s390x.so.1" + + #undef LINK_SPEC + #define LINK_SPEC \ +Index: gcc-11.3.0/gcc/config/sh/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/sh/linux.h ++++ gcc-11.3.0/gcc/config/sh/linux.h +@@ -61,10 +61,10 @@ along with GCC; see the file COPYING3. + + #undef MUSL_DYNAMIC_LINKER + #define MUSL_DYNAMIC_LINKER \ +- "/lib/ld-musl-sh" MUSL_DYNAMIC_LINKER_E MUSL_DYNAMIC_LINKER_FP \ ++ SYSTEMLIBS_DIR "ld-musl-sh" MUSL_DYNAMIC_LINKER_E MUSL_DYNAMIC_LINKER_FP \ "%{mfdpic:-fdpic}.so.1" -#define GLIBC_DYNAMIC_LINKER "/lib/ld-linux.so.2" @@ -230,11 +355,11 @@ index 7558d2f7195..3aaa6c3a078 100644 #undef SUBTARGET_LINK_EMUL_SUFFIX #define SUBTARGET_LINK_EMUL_SUFFIX "%{mfdpic:_fd;:_linux}" -diff --git a/gcc/config/sparc/linux.h b/gcc/config/sparc/linux.h -index 2550d7ee8f0..a94f4cd8ba2 100644 ---- a/gcc/config/sparc/linux.h -+++ b/gcc/config/sparc/linux.h -@@ -78,7 +78,7 @@ extern const char *host_detect_local_cpu (int argc, const char **argv); +Index: gcc-11.3.0/gcc/config/sparc/linux.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/sparc/linux.h ++++ gcc-11.3.0/gcc/config/sparc/linux.h +@@ -78,7 +78,7 @@ extern const char *host_detect_local_cpu When the -shared link option is used a final link is not being done. */ @@ -243,11 +368,11 @@ index 2550d7ee8f0..a94f4cd8ba2 100644 #undef LINK_SPEC #define LINK_SPEC "-m elf32_sparc %{shared:-shared} \ -diff --git a/gcc/config/sparc/linux64.h b/gcc/config/sparc/linux64.h -index 95af8afa9b5..63127afb074 100644 ---- a/gcc/config/sparc/linux64.h -+++ b/gcc/config/sparc/linux64.h -@@ -78,8 +78,8 @@ along with GCC; see the file COPYING3. If not see +Index: gcc-11.3.0/gcc/config/sparc/linux64.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/sparc/linux64.h ++++ gcc-11.3.0/gcc/config/sparc/linux64.h +@@ -78,8 +78,8 @@ along with GCC; see the file COPYING3. When the -shared link option is used a final link is not being done. */ diff --git a/poky/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch b/poky/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch index ac139542f1..0f94936140 100644 --- a/poky/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch +++ b/poky/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch @@ -18,13 +18,13 @@ Upstream-Status: Pending gcc/config/arm/linux-eabi.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) -diff --git a/gcc/config/arm/linux-eabi.h b/gcc/config/arm/linux-eabi.h -index 6bd95855827..77befab5da8 100644 ---- a/gcc/config/arm/linux-eabi.h -+++ b/gcc/config/arm/linux-eabi.h +Index: gcc-11.3.0/gcc/config/arm/linux-eabi.h +=================================================================== +--- gcc-11.3.0.orig/gcc/config/arm/linux-eabi.h ++++ gcc-11.3.0/gcc/config/arm/linux-eabi.h @@ -91,10 +91,14 @@ #define MUSL_DYNAMIC_LINKER \ - "/lib/ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" + SYSTEMLIBS_DIR "ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" +/* For armv4 we pass --fix-v4bx to linker to support EABI */ +#undef TARGET_FIX_V4BX_SPEC diff --git a/poky/meta/recipes-devtools/gcc/gcc/0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch b/poky/meta/recipes-devtools/gcc/gcc/0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch deleted file mode 100644 index 76ebfd7f77..0000000000 --- a/poky/meta/recipes-devtools/gcc/gcc/0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 9ec4db8e910d9a51ae43f6b20d4bf1dac2d8cca8 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Tue, 2 Feb 2016 10:26:10 -0800 -Subject: [PATCH] nios2: Define MUSL_DYNAMIC_LINKER - -Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e5ddbbf992b909d8e38851bd3179d29389e6ac97] - -Signed-off-by: Marek Vasut <marex@denx.de> -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - gcc/config/nios2/linux.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/gcc/config/nios2/linux.h b/gcc/config/nios2/linux.h -index 08edf1521f6..15696d86241 100644 ---- a/gcc/config/nios2/linux.h -+++ b/gcc/config/nios2/linux.h -@@ -30,6 +30,7 @@ - #define CPP_SPEC "%{posix:-D_POSIX_SOURCE} %{pthread:-D_REENTRANT}" - - #define GLIBC_DYNAMIC_LINKER "/lib/ld-linux-nios2.so.1" -+#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-nios2.so.1" - - #undef LINK_SPEC - #define LINK_SPEC LINK_SPEC_ENDIAN \ diff --git a/poky/meta/recipes-devtools/git/git_2.35.4.bb b/poky/meta/recipes-devtools/git/git_2.35.7.bb index 18f39875db..faf0b67051 100644 --- a/poky/meta/recipes-devtools/git/git_2.35.4.bb +++ b/poky/meta/recipes-devtools/git/git_2.35.7.bb @@ -31,6 +31,10 @@ CVE_PRODUCT = "git-scm:git" # in mirrored git repos. Most OE users wouldn't build the docs and # we don't see this as a major issue for our general users/usecases. CVE_CHECK_IGNORE += "CVE-2022-24975" +# This is specific to Git-for-Windows +CVE_CHECK_IGNORE += "CVE-2022-41953" +# specific to Git for Windows +CVE_CHECK_IGNORE += "CVE-2023-22743" PACKAGECONFIG ??= "expat curl" PACKAGECONFIG[cvsserver] = "" @@ -165,4 +169,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "4970108bdc227e2c3687899f8fc7501c54c839dcc42f4d999ac9e3e3f52df583" +SRC_URI[tarball.sha256sum] = "fc849272a95cc7457091221a645fcd753b3b1984767ee3323fb6a0aa944bbcb4" diff --git a/poky/meta/recipes-devtools/go/go-1.17.13.inc b/poky/meta/recipes-devtools/go/go-1.17.13.inc index b18de66f42..cda9227042 100644 --- a/poky/meta/recipes-devtools/go/go-1.17.13.inc +++ b/poky/meta/recipes-devtools/go/go-1.17.13.inc @@ -1,6 +1,6 @@ require go-common.inc -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.18:" +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" @@ -17,6 +17,17 @@ SRC_URI += "\ file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ file://CVE-2022-27664.patch \ + file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ + file://CVE-2022-41715.patch \ + file://CVE-2022-41717.patch \ + file://CVE-2022-2879.patch \ + file://CVE-2022-41720.patch \ + file://CVE-2022-41723.patch \ + file://cve-2022-41724.patch \ + file://add_godebug.patch \ + file://cve-2022-41725.patch \ + file://CVE-2022-41722.patch \ + file://CVE-2023-24537.patch \ " SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" @@ -24,3 +35,6 @@ SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784 # fix in 1.17 onwards where we can drop this. # https://github.com/golang/go/issues/30999#issuecomment-910470358 CVE_CHECK_IGNORE += "CVE-2021-29923" + +# This is specific to Microsoft Windows +CVE_CHECK_IGNORE += "CVE-2022-41716" diff --git a/poky/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch b/poky/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch new file mode 100644 index 0000000000..80fba1446e --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch @@ -0,0 +1,178 @@ +From c8bdf59453c95528a444a85e1b206c1c09eb20f6 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 22 Sep 2022 13:32:00 -0700 +Subject: [PATCH] net/http/httputil: avoid query parameter smuggling + +Query parameter smuggling occurs when a proxy's interpretation +of query parameters differs from that of a downstream server. +Change ReverseProxy to avoid forwarding ignored query parameters. + +Remove unparsable query parameters from the outbound request + + * if req.Form != nil after calling ReverseProxy.Director; and + * before calling ReverseProxy.Rewrite. + +This change preserves the existing behavior of forwarding the +raw query untouched if a Director hook does not parse the query +by calling Request.ParseForm (possibly indirectly). + +Fixes #55842 +For #54663 +For CVE-2022-2880 + +Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9 +Reviewed-on: https://go-review.googlesource.com/c/go/+/432976 +Reviewed-by: Roland Shoemaker <roland@golang.org> +Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Damien Neil <dneil@google.com> +(cherry picked from commit 7c84234142149bd24a4096c6cab691d3593f3431) +Reviewed-on: https://go-review.googlesource.com/c/go/+/433695 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> + +CVE: CVE-2022-2880 +Upstream-Status: Backport [9d2c73a9fd69e45876509bb3bdb2af99bf77da1e] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/net/http/httputil/reverseproxy.go | 36 +++++++++++ + src/net/http/httputil/reverseproxy_test.go | 74 ++++++++++++++++++++++ + 2 files changed, 110 insertions(+) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 8b63368..c76eec6 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -249,6 +249,9 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { + } + + p.Director(outreq) ++ if outreq.Form != nil { ++ outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery) ++ } + outreq.Close = false + + reqUpType := upgradeType(outreq.Header) +@@ -628,3 +631,36 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) { + _, err := io.Copy(c.backend, c.user) + errc <- err + } ++ ++func cleanQueryParams(s string) string { ++ reencode := func(s string) string { ++ v, _ := url.ParseQuery(s) ++ return v.Encode() ++ } ++ for i := 0; i < len(s); { ++ switch s[i] { ++ case ';': ++ return reencode(s) ++ case '%': ++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) { ++ return reencode(s) ++ } ++ i += 3 ++ default: ++ i++ ++ } ++ } ++ return s ++} ++ ++func ishex(c byte) bool { ++ switch { ++ case '0' <= c && c <= '9': ++ return true ++ case 'a' <= c && c <= 'f': ++ return true ++ case 'A' <= c && c <= 'F': ++ return true ++ } ++ return false ++} +diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go +index 4b6ad77..8c0a4f1 100644 +--- a/src/net/http/httputil/reverseproxy_test.go ++++ b/src/net/http/httputil/reverseproxy_test.go +@@ -1517,3 +1517,77 @@ func TestJoinURLPath(t *testing.T) { + } + } + } ++ ++const ( ++ testWantsCleanQuery = true ++ testWantsRawQuery = false ++) ++ ++func TestReverseProxyQueryParameterSmugglingDirectorDoesNotParseForm(t *testing.T) { ++ testReverseProxyQueryParameterSmuggling(t, testWantsRawQuery, func(u *url.URL) *ReverseProxy { ++ proxyHandler := NewSingleHostReverseProxy(u) ++ oldDirector := proxyHandler.Director ++ proxyHandler.Director = func(r *http.Request) { ++ oldDirector(r) ++ } ++ return proxyHandler ++ }) ++} ++ ++func TestReverseProxyQueryParameterSmugglingDirectorParsesForm(t *testing.T) { ++ testReverseProxyQueryParameterSmuggling(t, testWantsCleanQuery, func(u *url.URL) *ReverseProxy { ++ proxyHandler := NewSingleHostReverseProxy(u) ++ oldDirector := proxyHandler.Director ++ proxyHandler.Director = func(r *http.Request) { ++ // Parsing the form causes ReverseProxy to remove unparsable ++ // query parameters before forwarding. ++ r.FormValue("a") ++ oldDirector(r) ++ } ++ return proxyHandler ++ }) ++} ++ ++func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, newProxy func(*url.URL) *ReverseProxy) { ++ const content = "response_content" ++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ++ w.Write([]byte(r.URL.RawQuery)) ++ })) ++ defer backend.Close() ++ backendURL, err := url.Parse(backend.URL) ++ if err != nil { ++ t.Fatal(err) ++ } ++ proxyHandler := newProxy(backendURL) ++ frontend := httptest.NewServer(proxyHandler) ++ defer frontend.Close() ++ ++ // Don't spam output with logs of queries containing semicolons. ++ backend.Config.ErrorLog = log.New(io.Discard, "", 0) ++ frontend.Config.ErrorLog = log.New(io.Discard, "", 0) ++ ++ for _, test := range []struct { ++ rawQuery string ++ cleanQuery string ++ }{{ ++ rawQuery: "a=1&a=2;b=3", ++ cleanQuery: "a=1", ++ }, { ++ rawQuery: "a=1&a=%zz&b=3", ++ cleanQuery: "a=1&b=3", ++ }} { ++ res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery) ++ if err != nil { ++ t.Fatalf("Get: %v", err) ++ } ++ defer res.Body.Close() ++ body, _ := io.ReadAll(res.Body) ++ wantQuery := test.rawQuery ++ if wantCleanQuery { ++ wantQuery = test.cleanQuery ++ } ++ if got, want := string(body), wantQuery; got != want { ++ t.Errorf("proxy forwarded raw query %q as %q, want %q", test.rawQuery, got, want) ++ } ++ } ++} +-- +2.32.0 + diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch new file mode 100644 index 0000000000..0315e1a3ee --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch @@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Fri, 2 Sep 2022 20:45:18 -0700 +Subject: [PATCH] archive/tar: limit size of headers + +Set a 1MiB limit on special file blocks (PAX headers, GNU long names, +GNU link names), to avoid reading arbitrarily large amounts of data +into memory. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting +this issue. + +Fixes CVE-2022-2879 +Updates #54853 +Fixes #55925 + +Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Carlos Amedee <carlos@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Run-TryBot: Carlos Amedee <carlos@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> + +CVE: CVE-2022-2879 +Upstream-Status: Backport [0a723816cd205576945fa57fbdde7e6532d59d08] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/archive/tar/format.go | 4 ++++ + src/archive/tar/reader.go | 14 ++++++++++++-- + src/archive/tar/reader_test.go | 8 +++++++- + src/archive/tar/writer.go | 3 +++ + src/archive/tar/writer_test.go | 27 +++++++++++++++++++++++++++ + 5 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index cfe24a5..6642364 100644 +--- a/src/archive/tar/format.go ++++ b/src/archive/tar/format.go +@@ -143,6 +143,10 @@ const ( + blockSize = 512 // Size of each block in a tar stream + nameSize = 100 // Max length of the name field in USTAR format + prefixSize = 155 // Max length of the prefix field in USTAR format ++ ++ // Max length of a special file (PAX header, GNU long name or link). ++ // This matches the limit used by libarchive. ++ maxSpecialFileSize = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 1b1d5b4..f645af8 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { + continue // This is a meta header affecting the next header + case TypeGNULongName, TypeGNULongLink: + format.mayOnlyBe(FormatGNU) +- realname, err := io.ReadAll(tr) ++ realname, err := readSpecialFile(tr) + if err != nil { + return nil, err + } +@@ -293,7 +293,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { + // parsePAX parses PAX headers. + // If an extended header (type 'x') is invalid, ErrHeader is returned + func parsePAX(r io.Reader) (map[string]string, error) { +- buf, err := io.ReadAll(r) ++ buf, err := readSpecialFile(r) + if err != nil { + return nil, err + } +@@ -826,6 +826,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) { + return n, err + } + ++// readSpecialFile is like io.ReadAll except it returns ++// ErrFieldTooLong if more than maxSpecialFileSize is read. ++func readSpecialFile(r io.Reader) ([]byte, error) { ++ buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1)) ++ if len(buf) > maxSpecialFileSize { ++ return nil, ErrFieldTooLong ++ } ++ return buf, err ++} ++ + // discard skips n bytes in r, reporting an error if unable to do so. + func discard(r io.Reader, n int64) error { + // If possible, Seek to the last byte before the end of the data section. +diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go +index 789ddc1..926dc3d 100644 +--- a/src/archive/tar/reader_test.go ++++ b/src/archive/tar/reader_test.go +@@ -6,6 +6,7 @@ package tar + + import ( + "bytes" ++ "compress/bzip2" + "crypto/md5" + "errors" + "fmt" +@@ -625,9 +626,14 @@ func TestReader(t *testing.T) { + } + defer f.Close() + ++ var fr io.Reader = f ++ if strings.HasSuffix(v.file, ".bz2") { ++ fr = bzip2.NewReader(fr) ++ } ++ + // Capture all headers and checksums. + var ( +- tr = NewReader(f) ++ tr = NewReader(fr) + hdrs []*Header + chksums []string + rdbuf = make([]byte, 8) +diff --git a/src/archive/tar/writer.go b/src/archive/tar/writer.go +index e80498d..893eac0 100644 +--- a/src/archive/tar/writer.go ++++ b/src/archive/tar/writer.go +@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error { + flag = TypeXHeader + } + data := buf.String() ++ if len(data) > maxSpecialFileSize { ++ return ErrFieldTooLong ++ } + if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal { + return err // Global headers return here + } +diff --git a/src/archive/tar/writer_test.go b/src/archive/tar/writer_test.go +index a00f02d..4e709e5 100644 +--- a/src/archive/tar/writer_test.go ++++ b/src/archive/tar/writer_test.go +@@ -1006,6 +1006,33 @@ func TestIssue12594(t *testing.T) { + } + } + ++func TestWriteLongHeader(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ h *Header ++ }{{ ++ name: "name too long", ++ h: &Header{Name: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "linkname too long", ++ h: &Header{Linkname: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "uname too long", ++ h: &Header{Uname: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "gname too long", ++ h: &Header{Gname: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "PAX header too long", ++ h: &Header{PAXRecords: map[string]string{"GOLANG.x": strings.Repeat("a", maxSpecialFileSize)}}, ++ }} { ++ w := NewWriter(io.Discard) ++ if err := w.WriteHeader(test.h); err != ErrFieldTooLong { ++ t.Errorf("%v: w.WriteHeader() = %v, want ErrFieldTooLong", test.name, err) ++ } ++ } ++} ++ + // testNonEmptyWriter wraps an io.Writer and ensures that + // Write is never called with an empty buffer. + type testNonEmptyWriter struct{ io.Writer } diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41715.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41715.patch new file mode 100644 index 0000000000..994f37aaf3 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41715.patch @@ -0,0 +1,270 @@ +From e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Mon Sep 17 00:00:00 2001 +From: Russ Cox <rsc@golang.org> +Date: Wed, 28 Sep 2022 11:18:51 -0400 +Subject: [PATCH] [release-branch.go1.18] regexp: limit size of parsed regexps + +Set a 128 MB limit on the amount of space used by []syntax.Inst +in the compiled form corresponding to a given regexp. + +Also set a 128 MB limit on the rune storage in the *syntax.Regexp +tree itself. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. + +Fixes CVE-2022-41715. +Updates #55949. +Fixes #55950. + +Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 +Run-TryBot: Carlos Amedee <carlos@golang.org> +Reviewed-by: Carlos Amedee <carlos@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997] +CVE: CVE-2022-41715 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/regexp/syntax/parse.go | 145 ++++++++++++++++++++++++++++++-- + src/regexp/syntax/parse_test.go | 13 +-- + 2 files changed, 148 insertions(+), 10 deletions(-) + +diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go +index d7cf2af..3792960 100644 +--- a/src/regexp/syntax/parse.go ++++ b/src/regexp/syntax/parse.go +@@ -90,15 +90,49 @@ const ( + // until we've allocated at least maxHeight Regexp structures. + const maxHeight = 1000 + ++// maxSize is the maximum size of a compiled regexp in Insts. ++// It too is somewhat arbitrarily chosen, but the idea is to be large enough ++// to allow significant regexps while at the same time small enough that ++// the compiled form will not take up too much memory. ++// 128 MB is enough for a 3.3 million Inst structures, which roughly ++// corresponds to a 3.3 MB regexp. ++const ( ++ maxSize = 128 << 20 / instSize ++ instSize = 5 * 8 // byte, 2 uint32, slice is 5 64-bit words ++) ++ ++// maxRunes is the maximum number of runes allowed in a regexp tree ++// counting the runes in all the nodes. ++// Ignoring character classes p.numRunes is always less than the length of the regexp. ++// Character classes can make it much larger: each \pL adds 1292 runes. ++// 128 MB is enough for 32M runes, which is over 26k \pL instances. ++// Note that repetitions do not make copies of the rune slices, ++// so \pL{1000} is only one rune slice, not 1000. ++// We could keep a cache of character classes we've seen, ++// so that all the \pL we see use the same rune list, ++// but that doesn't remove the problem entirely: ++// consider something like [\pL01234][\pL01235][\pL01236]...[\pL^&*()]. ++// And because the Rune slice is exposed directly in the Regexp, ++// there is not an opportunity to change the representation to allow ++// partial sharing between different character classes. ++// So the limit is the best we can do. ++const ( ++ maxRunes = 128 << 20 / runeSize ++ runeSize = 4 // rune is int32 ++) ++ + type parser struct { + flags Flags // parse mode flags + stack []*Regexp // stack of parsed expressions + free *Regexp + numCap int // number of capturing groups seen + wholeRegexp string +- tmpClass []rune // temporary char class work space +- numRegexp int // number of regexps allocated +- height map[*Regexp]int // regexp height for height limit check ++ tmpClass []rune // temporary char class work space ++ numRegexp int // number of regexps allocated ++ numRunes int // number of runes in char classes ++ repeats int64 // product of all repetitions seen ++ height map[*Regexp]int // regexp height, for height limit check ++ size map[*Regexp]int64 // regexp compiled size, for size limit check + } + + func (p *parser) newRegexp(op Op) *Regexp { +@@ -122,6 +156,104 @@ func (p *parser) reuse(re *Regexp) { + p.free = re + } + ++func (p *parser) checkLimits(re *Regexp) { ++ if p.numRunes > maxRunes { ++ panic(ErrInternalError) ++ } ++ p.checkSize(re) ++ p.checkHeight(re) ++} ++ ++func (p *parser) checkSize(re *Regexp) { ++ if p.size == nil { ++ // We haven't started tracking size yet. ++ // Do a relatively cheap check to see if we need to start. ++ // Maintain the product of all the repeats we've seen ++ // and don't track if the total number of regexp nodes ++ // we've seen times the repeat product is in budget. ++ if p.repeats == 0 { ++ p.repeats = 1 ++ } ++ if re.Op == OpRepeat { ++ n := re.Max ++ if n == -1 { ++ n = re.Min ++ } ++ if n <= 0 { ++ n = 1 ++ } ++ if int64(n) > maxSize/p.repeats { ++ p.repeats = maxSize ++ } else { ++ p.repeats *= int64(n) ++ } ++ } ++ if int64(p.numRegexp) < maxSize/p.repeats { ++ return ++ } ++ ++ // We need to start tracking size. ++ // Make the map and belatedly populate it ++ // with info about everything we've constructed so far. ++ p.size = make(map[*Regexp]int64) ++ for _, re := range p.stack { ++ p.checkSize(re) ++ } ++ } ++ ++ if p.calcSize(re, true) > maxSize { ++ panic(ErrInternalError) ++ } ++} ++ ++func (p *parser) calcSize(re *Regexp, force bool) int64 { ++ if !force { ++ if size, ok := p.size[re]; ok { ++ return size ++ } ++ } ++ ++ var size int64 ++ switch re.Op { ++ case OpLiteral: ++ size = int64(len(re.Rune)) ++ case OpCapture, OpStar: ++ // star can be 1+ or 2+; assume 2 pessimistically ++ size = 2 + p.calcSize(re.Sub[0], false) ++ case OpPlus, OpQuest: ++ size = 1 + p.calcSize(re.Sub[0], false) ++ case OpConcat: ++ for _, sub := range re.Sub { ++ size += p.calcSize(sub, false) ++ } ++ case OpAlternate: ++ for _, sub := range re.Sub { ++ size += p.calcSize(sub, false) ++ } ++ if len(re.Sub) > 1 { ++ size += int64(len(re.Sub)) - 1 ++ } ++ case OpRepeat: ++ sub := p.calcSize(re.Sub[0], false) ++ if re.Max == -1 { ++ if re.Min == 0 { ++ size = 2 + sub // x* ++ } else { ++ size = 1 + int64(re.Min)*sub // xxx+ ++ } ++ break ++ } ++ // x{2,5} = xx(x(x(x)?)?)? ++ size = int64(re.Max)*sub + int64(re.Max-re.Min) ++ } ++ ++ if size < 1 { ++ size = 1 ++ } ++ p.size[re] = size ++ return size ++} ++ + func (p *parser) checkHeight(re *Regexp) { + if p.numRegexp < maxHeight { + return +@@ -158,6 +290,7 @@ func (p *parser) calcHeight(re *Regexp, force bool) int { + + // push pushes the regexp re onto the parse stack and returns the regexp. + func (p *parser) push(re *Regexp) *Regexp { ++ p.numRunes += len(re.Rune) + if re.Op == OpCharClass && len(re.Rune) == 2 && re.Rune[0] == re.Rune[1] { + // Single rune. + if p.maybeConcat(re.Rune[0], p.flags&^FoldCase) { +@@ -189,7 +322,7 @@ func (p *parser) push(re *Regexp) *Regexp { + } + + p.stack = append(p.stack, re) +- p.checkHeight(re) ++ p.checkLimits(re) + return re + } + +@@ -299,7 +432,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) ( + re.Sub = re.Sub0[:1] + re.Sub[0] = sub + p.stack[n-1] = re +- p.checkHeight(re) ++ p.checkLimits(re) + + if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) { + return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]} +@@ -503,6 +636,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp { + + for j := start; j < i; j++ { + sub[j] = p.removeLeadingString(sub[j], len(str)) ++ p.checkLimits(sub[j]) + } + suffix := p.collapse(sub[start:i], OpAlternate) // recurse + +@@ -560,6 +694,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp { + for j := start; j < i; j++ { + reuse := j != start // prefix came from sub[start] + sub[j] = p.removeLeadingRegexp(sub[j], reuse) ++ p.checkLimits(sub[j]) + } + suffix := p.collapse(sub[start:i], OpAlternate) // recurse + +diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go +index 1ef6d8a..67e3c56 100644 +--- a/src/regexp/syntax/parse_test.go ++++ b/src/regexp/syntax/parse_test.go +@@ -484,12 +484,15 @@ var invalidRegexps = []string{ + `(?P<>a)`, + `[a-Z]`, + `(?i)[a-Z]`, +- `a{100000}`, +- `a{100000,}`, +- "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", +- strings.Repeat("(", 1000) + strings.Repeat(")", 1000), +- strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), + `\Q\E*`, ++ `a{100000}`, // too much repetition ++ `a{100000,}`, // too much repetition ++ "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", // too much repetition ++ strings.Repeat("(", 1000) + strings.Repeat(")", 1000), // too deep ++ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), // too deep ++ "(" + strings.Repeat("(xx?)", 1000) + "){1000}", // too long ++ strings.Repeat("(xx?){1000}", 1000), // too long ++ strings.Repeat(`\pL`, 27000), // too many runes + } + + var onlyPerl = []string{ +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41717.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41717.patch new file mode 100644 index 0000000000..e2ab92ed00 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41717.patch @@ -0,0 +1,89 @@ +From 618120c165669c00a1606505defea6ca755cdc27 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 30 Nov 2022 16:46:33 -0500 +Subject: [PATCH] [release-branch.go1.19] net/http: update bundled + golang.org/x/net/http2 + +Disable cmd/internal/moddeps test, since this update includes PRIVATE +track fixes. + +For #56350. +For #57009. +Fixes CVE-2022-41717. + +Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/455363 +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Jenny Rakoczy <jenny@golang.org> +Reviewed-by: Michael Pratt <mpratt@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27] +CVE: CVE-2022-41717 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/cmd/internal/moddeps/moddeps_test.go | 1 + + src/net/http/h2_bundle.go | 18 +++++++++++------- + 2 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go +index 3306e29..d48d43f 100644 +--- a/src/cmd/internal/moddeps/moddeps_test.go ++++ b/src/cmd/internal/moddeps/moddeps_test.go +@@ -34,6 +34,7 @@ import ( + // See issues 36852, 41409, and 43687. + // (Also see golang.org/issue/27348.) + func TestAllDependencies(t *testing.T) { ++ t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules") + t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules") + + goBin := testenv.GoToolPath(t) +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index 6e2ef30..9d6abd8 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -4189,6 +4189,7 @@ type http2serverConn struct { + headerTableSize uint32 + peerMaxHeaderListSize uint32 // zero means unknown (default) + canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case ++ canonHeaderKeysSize int // canonHeader keys size in bytes + writingFrame bool // started writing a frame (on serve goroutine or separate) + writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh + needsFrameFlush bool // last frame write wasn't a flush +@@ -4368,6 +4369,13 @@ func (sc *http2serverConn) condlogf(err error, format string, args ...interface{ + } + } + ++// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size ++// of the entries in the canonHeader cache. ++// This should be larger than the size of unique, uncommon header keys likely to ++// be sent by the peer, while not so high as to permit unreasonable memory usage ++// if the peer sends an unbounded number of unique header keys. ++const http2maxCachedCanonicalHeadersKeysSize = 2048 ++ + func (sc *http2serverConn) canonicalHeader(v string) string { + sc.serveG.check() + http2buildCommonHeaderMapsOnce() +@@ -4383,14 +4391,10 @@ func (sc *http2serverConn) canonicalHeader(v string) string { + sc.canonHeader = make(map[string]string) + } + cv = CanonicalHeaderKey(v) +- // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of +- // entries in the canonHeader cache. This should be larger than the number +- // of unique, uncommon header keys likely to be sent by the peer, while not +- // so high as to permit unreaasonable memory usage if the peer sends an unbounded +- // number of unique header keys. +- const maxCachedCanonicalHeaders = 32 +- if len(sc.canonHeader) < maxCachedCanonicalHeaders { ++ size := 100 + len(v)*2 // 100 bytes of map overhead + key + value ++ if sc.canonHeaderKeysSize+size <= http2maxCachedCanonicalHeadersKeysSize { + sc.canonHeader[v] = cv ++ sc.canonHeaderKeysSize += size + } + return cv + } +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch new file mode 100644 index 0000000000..6c2e8804b3 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch @@ -0,0 +1,514 @@ +From f8896a97a0630b0f2f8c488310147f7f20b3ec7d Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 10 Nov 2022 12:16:27 -0800 +Subject: [PATCH] os, net/http: avoid escapes from os.DirFS and http.Dir on + Windows + +Do not permit access to Windows reserved device names (NUL, COM1, etc.) +via os.DirFS and http.Dir filesystems. + +Avoid escapes from os.DirFS(`\`) on Windows. DirFS would join the +the root to the relative path with a path separator, making +os.DirFS(`\`).Open(`/foo/bar`) open the path `\\foo\bar`, which is +a UNC name. Not only does this not open the intended file, but permits +reference to any file on the system rather than only files on the +current drive. + +Make os.DirFS("") invalid, with all file access failing. Previously, +a root of "" was interpreted as "/", which is surprising and probably +unintentional. + +Fixes CVE-2022-41720. +Fixes #56694. + +Change-Id: I275b5fa391e6ad7404309ea98ccc97405942e0f0 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663832 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/455360 +Reviewed-by: Michael Pratt <mpratt@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Jenny Rakoczy <jenny@golang.org> + +CVE: CVE-2022-41720 +Upstream-Status: Backport [7013a4f5f816af62033ad63dd06b77c30d7a62a7] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/go/build/deps_test.go | 1 + + src/internal/safefilepath/path.go | 21 +++++ + src/internal/safefilepath/path_other.go | 23 ++++++ + src/internal/safefilepath/path_test.go | 88 +++++++++++++++++++++ + src/internal/safefilepath/path_windows.go | 95 +++++++++++++++++++++++ + src/net/http/fs.go | 8 +- + src/net/http/fs_test.go | 28 +++++++ + src/os/file.go | 36 +++++++-- + src/os/os_test.go | 38 +++++++++ + 9 files changed, 328 insertions(+), 10 deletions(-) + create mode 100644 src/internal/safefilepath/path.go + create mode 100644 src/internal/safefilepath/path_other.go + create mode 100644 src/internal/safefilepath/path_test.go + create mode 100644 src/internal/safefilepath/path_windows.go + +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index 45e2f25..dc3bb8c 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -165,6 +165,7 @@ var depsRules = ` + io/fs + < internal/testlog + < internal/poll ++ < internal/safefilepath + < os + < os/signal; + +diff --git a/src/internal/safefilepath/path.go b/src/internal/safefilepath/path.go +new file mode 100644 +index 0000000..0f0a270 +--- /dev/null ++++ b/src/internal/safefilepath/path.go +@@ -0,0 +1,21 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// Package safefilepath manipulates operating-system file paths. ++package safefilepath ++ ++import ( ++ "errors" ++) ++ ++var errInvalidPath = errors.New("invalid path") ++ ++// FromFS converts a slash-separated path into an operating-system path. ++// ++// FromFS returns an error if the path cannot be represented by the operating ++// system. For example, paths containing '\' and ':' characters are rejected ++// on Windows. ++func FromFS(path string) (string, error) { ++ return fromFS(path) ++} +diff --git a/src/internal/safefilepath/path_other.go b/src/internal/safefilepath/path_other.go +new file mode 100644 +index 0000000..f93da18 +--- /dev/null ++++ b/src/internal/safefilepath/path_other.go +@@ -0,0 +1,23 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build !windows ++ ++package safefilepath ++ ++import "runtime" ++ ++func fromFS(path string) (string, error) { ++ if runtime.GOOS == "plan9" { ++ if len(path) > 0 && path[0] == '#' { ++ return path, errInvalidPath ++ } ++ } ++ for i := range path { ++ if path[i] == 0 { ++ return "", errInvalidPath ++ } ++ } ++ return path, nil ++} +diff --git a/src/internal/safefilepath/path_test.go b/src/internal/safefilepath/path_test.go +new file mode 100644 +index 0000000..dc662c1 +--- /dev/null ++++ b/src/internal/safefilepath/path_test.go +@@ -0,0 +1,88 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package safefilepath_test ++ ++import ( ++ "internal/safefilepath" ++ "os" ++ "path/filepath" ++ "runtime" ++ "testing" ++) ++ ++type PathTest struct { ++ path, result string ++} ++ ++const invalid = "" ++ ++var fspathtests = []PathTest{ ++ {".", "."}, ++ {"/a/b/c", "/a/b/c"}, ++ {"a\x00b", invalid}, ++} ++ ++var winreservedpathtests = []PathTest{ ++ {`a\b`, `a\b`}, ++ {`a:b`, `a:b`}, ++ {`a/b:c`, `a/b:c`}, ++ {`NUL`, `NUL`}, ++ {`./com1`, `./com1`}, ++ {`a/nul/b`, `a/nul/b`}, ++} ++ ++// Whether a reserved name with an extension is reserved or not varies by ++// Windows version. ++var winreservedextpathtests = []PathTest{ ++ {"nul.txt", "nul.txt"}, ++ {"a/nul.txt/b", "a/nul.txt/b"}, ++} ++ ++var plan9reservedpathtests = []PathTest{ ++ {`#c`, `#c`}, ++} ++ ++func TestFromFS(t *testing.T) { ++ switch runtime.GOOS { ++ case "windows": ++ if canWriteFile(t, "NUL") { ++ t.Errorf("can unexpectedly write a file named NUL on Windows") ++ } ++ if canWriteFile(t, "nul.txt") { ++ fspathtests = append(fspathtests, winreservedextpathtests...) ++ } else { ++ winreservedpathtests = append(winreservedpathtests, winreservedextpathtests...) ++ } ++ for i := range winreservedpathtests { ++ winreservedpathtests[i].result = invalid ++ } ++ for i := range fspathtests { ++ fspathtests[i].result = filepath.FromSlash(fspathtests[i].result) ++ } ++ case "plan9": ++ for i := range plan9reservedpathtests { ++ plan9reservedpathtests[i].result = invalid ++ } ++ } ++ tests := fspathtests ++ tests = append(tests, winreservedpathtests...) ++ tests = append(tests, plan9reservedpathtests...) ++ for _, test := range tests { ++ got, err := safefilepath.FromFS(test.path) ++ if (got == "") != (err != nil) { ++ t.Errorf(`FromFS(%q) = %q, %v; want "" only if err != nil`, test.path, got, err) ++ } ++ if got != test.result { ++ t.Errorf("FromFS(%q) = %q, %v; want %q", test.path, got, err, test.result) ++ } ++ } ++} ++ ++func canWriteFile(t *testing.T, name string) bool { ++ path := filepath.Join(t.TempDir(), name) ++ os.WriteFile(path, []byte("ok"), 0666) ++ b, _ := os.ReadFile(path) ++ return string(b) == "ok" ++} +diff --git a/src/internal/safefilepath/path_windows.go b/src/internal/safefilepath/path_windows.go +new file mode 100644 +index 0000000..909c150 +--- /dev/null ++++ b/src/internal/safefilepath/path_windows.go +@@ -0,0 +1,95 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package safefilepath ++ ++import ( ++ "syscall" ++ "unicode/utf8" ++) ++ ++func fromFS(path string) (string, error) { ++ if !utf8.ValidString(path) { ++ return "", errInvalidPath ++ } ++ for len(path) > 1 && path[0] == '/' && path[1] == '/' { ++ path = path[1:] ++ } ++ containsSlash := false ++ for p := path; p != ""; { ++ // Find the next path element. ++ i := 0 ++ dot := -1 ++ for i < len(p) && p[i] != '/' { ++ switch p[i] { ++ case 0, '\\', ':': ++ return "", errInvalidPath ++ case '.': ++ if dot < 0 { ++ dot = i ++ } ++ } ++ i++ ++ } ++ part := p[:i] ++ if i < len(p) { ++ containsSlash = true ++ p = p[i+1:] ++ } else { ++ p = "" ++ } ++ // Trim the extension and look for a reserved name. ++ base := part ++ if dot >= 0 { ++ base = part[:dot] ++ } ++ if isReservedName(base) { ++ if dot < 0 { ++ return "", errInvalidPath ++ } ++ // The path element is a reserved name with an extension. ++ // Some Windows versions consider this a reserved name, ++ // while others do not. Use FullPath to see if the name is ++ // reserved. ++ if p, _ := syscall.FullPath(part); len(p) >= 4 && p[:4] == `\\.\` { ++ return "", errInvalidPath ++ } ++ } ++ } ++ if containsSlash { ++ // We can't depend on strings, so substitute \ for / manually. ++ buf := []byte(path) ++ for i, b := range buf { ++ if b == '/' { ++ buf[i] = '\\' ++ } ++ } ++ path = string(buf) ++ } ++ return path, nil ++} ++ ++// isReservedName reports if name is a Windows reserved device name. ++// It does not detect names with an extension, which are also reserved on some Windows versions. ++// ++// For details, search for PRN in ++// https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file. ++func isReservedName(name string) bool { ++ if 3 <= len(name) && len(name) <= 4 { ++ switch string([]byte{toUpper(name[0]), toUpper(name[1]), toUpper(name[2])}) { ++ case "CON", "PRN", "AUX", "NUL": ++ return len(name) == 3 ++ case "COM", "LPT": ++ return len(name) == 4 && '1' <= name[3] && name[3] <= '9' ++ } ++ } ++ return false ++} ++ ++func toUpper(c byte) byte { ++ if 'a' <= c && c <= 'z' { ++ return c - ('a' - 'A') ++ } ++ return c ++} +diff --git a/src/net/http/fs.go b/src/net/http/fs.go +index 57e731e..43ee4b5 100644 +--- a/src/net/http/fs.go ++++ b/src/net/http/fs.go +@@ -9,6 +9,7 @@ package http + import ( + "errors" + "fmt" ++ "internal/safefilepath" + "io" + "io/fs" + "mime" +@@ -69,14 +70,15 @@ func mapDirOpenError(originalErr error, name string) error { + // Open implements FileSystem using os.Open, opening files for reading rooted + // and relative to the directory d. + func (d Dir) Open(name string) (File, error) { +- if filepath.Separator != '/' && strings.ContainsRune(name, filepath.Separator) { +- return nil, errors.New("http: invalid character in file path") ++ path, err := safefilepath.FromFS(path.Clean("/" + name)) ++ if err != nil { ++ return nil, errors.New("http: invalid or unsafe file path") + } + dir := string(d) + if dir == "" { + dir = "." + } +- fullName := filepath.Join(dir, filepath.FromSlash(path.Clean("/"+name))) ++ fullName := filepath.Join(dir, path) + f, err := os.Open(fullName) + if err != nil { + return nil, mapDirOpenError(err, fullName) +diff --git a/src/net/http/fs_test.go b/src/net/http/fs_test.go +index b42ade1..941448a 100644 +--- a/src/net/http/fs_test.go ++++ b/src/net/http/fs_test.go +@@ -648,6 +648,34 @@ func TestFileServerZeroByte(t *testing.T) { + } + } + ++func TestFileServerNamesEscape(t *testing.T) { ++ t.Run("h1", func(t *testing.T) { ++ testFileServerNamesEscape(t, h1Mode) ++ }) ++ t.Run("h2", func(t *testing.T) { ++ testFileServerNamesEscape(t, h2Mode) ++ }) ++} ++func testFileServerNamesEscape(t *testing.T, h2 bool) { ++ defer afterTest(t) ++ ts := newClientServerTest(t, h2, FileServer(Dir("testdata"))).ts ++ defer ts.Close() ++ for _, path := range []string{ ++ "/../testdata/file", ++ "/NUL", // don't read from device files on Windows ++ } { ++ res, err := ts.Client().Get(ts.URL + path) ++ if err != nil { ++ t.Fatal(err) ++ } ++ res.Body.Close() ++ if res.StatusCode < 400 || res.StatusCode > 599 { ++ t.Errorf("Get(%q): got status %v, want 4xx or 5xx", path, res.StatusCode) ++ } ++ ++ } ++} ++ + type fakeFileInfo struct { + dir bool + basename string +diff --git a/src/os/file.go b/src/os/file.go +index e717f17..cb87158 100644 +--- a/src/os/file.go ++++ b/src/os/file.go +@@ -37,12 +37,12 @@ + // Note: The maximum number of concurrent operations on a File may be limited by + // the OS or the system. The number should be high, but exceeding it may degrade + // performance or cause other issues. +-// + package os + + import ( + "errors" + "internal/poll" ++ "internal/safefilepath" + "internal/testlog" + "internal/unsafeheader" + "io" +@@ -623,6 +623,8 @@ func isWindowsNulName(name string) bool { + // the /prefix tree, then using DirFS does not stop the access any more than using + // os.Open does. DirFS is therefore not a general substitute for a chroot-style security + // mechanism when the directory tree contains arbitrary content. ++// ++// The directory dir must not be "". + func DirFS(dir string) fs.FS { + return dirFS(dir) + } +@@ -641,10 +643,11 @@ func containsAny(s, chars string) bool { + type dirFS string + + func (dir dirFS) Open(name string) (fs.File, error) { +- if !fs.ValidPath(name) || runtime.GOOS == "windows" && containsAny(name, `\:`) { +- return nil, &PathError{Op: "open", Path: name, Err: ErrInvalid} ++ fullname, err := dir.join(name) ++ if err != nil { ++ return nil, &PathError{Op: "stat", Path: name, Err: err} + } +- f, err := Open(string(dir) + "/" + name) ++ f, err := Open(fullname) + if err != nil { + return nil, err // nil fs.File + } +@@ -652,16 +655,35 @@ func (dir dirFS) Open(name string) (fs.File, error) { + } + + func (dir dirFS) Stat(name string) (fs.FileInfo, error) { +- if !fs.ValidPath(name) || runtime.GOOS == "windows" && containsAny(name, `\:`) { +- return nil, &PathError{Op: "stat", Path: name, Err: ErrInvalid} ++ fullname, err := dir.join(name) ++ if err != nil { ++ return nil, &PathError{Op: "stat", Path: name, Err: err} + } +- f, err := Stat(string(dir) + "/" + name) ++ f, err := Stat(fullname) + if err != nil { + return nil, err + } + return f, nil + } + ++// join returns the path for name in dir. ++func (dir dirFS) join(name string) (string, error) { ++ if dir == "" { ++ return "", errors.New("os: DirFS with empty root") ++ } ++ if !fs.ValidPath(name) { ++ return "", ErrInvalid ++ } ++ name, err := safefilepath.FromFS(name) ++ if err != nil { ++ return "", ErrInvalid ++ } ++ if IsPathSeparator(dir[len(dir)-1]) { ++ return string(dir) + name, nil ++ } ++ return string(dir) + string(PathSeparator) + name, nil ++} ++ + // ReadFile reads the named file and returns the contents. + // A successful call returns err == nil, not err == EOF. + // Because ReadFile reads the whole file, it does not treat an EOF from Read +diff --git a/src/os/os_test.go b/src/os/os_test.go +index 506f1fb..be269bb 100644 +--- a/src/os/os_test.go ++++ b/src/os/os_test.go +@@ -2702,6 +2702,44 @@ func TestDirFS(t *testing.T) { + if err == nil { + t.Fatalf(`Open testdata\dirfs succeeded`) + } ++ ++ // Test that Open does not open Windows device files. ++ _, err = d.Open(`NUL`) ++ if err == nil { ++ t.Errorf(`Open NUL succeeded`) ++ } ++} ++ ++func TestDirFSRootDir(t *testing.T) { ++ cwd, err := os.Getwd() ++ if err != nil { ++ t.Fatal(err) ++ } ++ cwd = cwd[len(filepath.VolumeName(cwd)):] // trim volume prefix (C:) on Windows ++ cwd = filepath.ToSlash(cwd) // convert \ to / ++ cwd = strings.TrimPrefix(cwd, "/") // trim leading / ++ ++ // Test that Open can open a path starting at /. ++ d := DirFS("/") ++ f, err := d.Open(cwd + "/testdata/dirfs/a") ++ if err != nil { ++ t.Fatal(err) ++ } ++ f.Close() ++} ++ ++func TestDirFSEmptyDir(t *testing.T) { ++ d := DirFS("") ++ cwd, _ := os.Getwd() ++ for _, path := range []string{ ++ "testdata/dirfs/a", // not DirFS(".") ++ filepath.ToSlash(cwd) + "/testdata/dirfs/a", // not DirFS("/") ++ } { ++ _, err := d.Open(path) ++ if err == nil { ++ t.Fatalf(`DirFS("").Open(%q) succeeded`, path) ++ } ++ } + } + + func TestDirFSPathsValid(t *testing.T) { diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch new file mode 100644 index 0000000000..426a4f925f --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch @@ -0,0 +1,103 @@ +From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 12 Dec 2022 16:43:37 -0800 +Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows + +Do not permit Clean to convert a relative path into one starting +with a drive reference. This change causes Clean to insert a . +path element at the start of a path when the original path does not +start with a volume name, and the first path element would contain +a colon. + +This may introduce a spurious but harmless . path element under +some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`. + +This reverts CL 401595, since the change here supersedes the one +in that CL. + +Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue. + +Updates #57274 +Fixes #57276 +Fixes CVE-2022-41722 + +Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468119 +Reviewed-by: Than McIntosh <thanm@google.com> +Run-TryBot: Michael Pratt <mpratt@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Auto-Submit: Michael Pratt <mpratt@google.com> + +CVE: CVE-2022-41722 +Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/path/filepath/path.go | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go +index 8300a32..94621a0 100644 +--- a/src/path/filepath/path.go ++++ b/src/path/filepath/path.go +@@ -15,6 +15,7 @@ import ( + "errors" + "io/fs" + "os" ++ "runtime" + "sort" + "strings" + ) +@@ -117,21 +118,9 @@ func Clean(path string) string { + case os.IsPathSeparator(path[r]): + // empty path element + r++ +- case path[r] == '.' && r+1 == n: ++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])): + // . element + r++ +- case path[r] == '.' && os.IsPathSeparator(path[r+1]): +- // ./ element +- r++ +- +- for r < len(path) && os.IsPathSeparator(path[r]) { +- r++ +- } +- if out.w == 0 && volumeNameLen(path[r:]) > 0 { +- // When joining prefix "." and an absolute path on Windows, +- // the prefix should not be removed. +- out.append('.') +- } + case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])): + // .. element: remove to last separator + r += 2 +@@ -157,6 +146,18 @@ func Clean(path string) string { + if rooted && out.w != 1 || !rooted && out.w != 0 { + out.append(Separator) + } ++ // If a ':' appears in the path element at the start of a Windows path, ++ // insert a .\ at the beginning to avoid converting relative paths ++ // like a/../c: into c:. ++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 { ++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ { ++ if path[i] == ':' { ++ out.append('.') ++ out.append(Separator) ++ break ++ } ++ } ++ } + // copy element + for ; r < n && !os.IsPathSeparator(path[r]); r++ { + out.append(path[r]) +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch new file mode 100644 index 0000000000..a93fa31dcd --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch @@ -0,0 +1,156 @@ +From 451766789f646617157c725e20c955d4a9a70d4e Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 6 Feb 2023 10:03:44 -0800 +Subject: [PATCH] net/http: update bundled golang.org/x/net/http2 + +Disable cmd/internal/moddeps test, since this update includes PRIVATE +track fixes. + +Fixes CVE-2022-41723 +Fixes #58355 +Updates #57855 + +Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468118 +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Pratt <mpratt@google.com> +Auto-Submit: Michael Pratt <mpratt@google.com> +Reviewed-by: Than McIntosh <thanm@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3] +CVE: CVE-2022-41723 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/vendor/golang.org/x/net/http2/hpack/hpack.go | 79 +++++++++++++++--------- + 1 file changed, 49 insertions(+), 30 deletions(-) + +diff --git a/src/vendor/golang.org/x/net/http2/hpack/hpack.go b/src/vendor/golang.org/x/net/http2/hpack/hpack.go +index 85f18a2..02e80e3 100644 +--- a/src/vendor/golang.org/x/net/http2/hpack/hpack.go ++++ b/src/vendor/golang.org/x/net/http2/hpack/hpack.go +@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + + var hf HeaderField + wantStr := d.emitEnabled || it.indexed() ++ var undecodedName undecodedString + if nameIdx > 0 { + ihf, ok := d.at(nameIdx) + if !ok { +@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + } + hf.Name = ihf.Name + } else { +- hf.Name, buf, err = d.readString(buf, wantStr) ++ undecodedName, buf, err = d.readString(buf) + if err != nil { + return err + } + } +- hf.Value, buf, err = d.readString(buf, wantStr) ++ undecodedValue, buf, err := d.readString(buf) + if err != nil { + return err + } ++ if wantStr { ++ if nameIdx <= 0 { ++ hf.Name, err = d.decodeString(undecodedName) ++ if err != nil { ++ return err ++ } ++ } ++ hf.Value, err = d.decodeString(undecodedValue) ++ if err != nil { ++ return err ++ } ++ } + d.buf = buf + if it.indexed() { + d.dynTab.add(hf) +@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { + return 0, origP, errNeedMore + } + +-// readString decodes an hpack string from p. ++// readString reads an hpack string from p. + // +-// wantStr is whether s will be used. If false, decompression and +-// []byte->string garbage are skipped if s will be ignored +-// anyway. This does mean that huffman decoding errors for non-indexed +-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server +-// is returning an error anyway, and because they're not indexed, the error +-// won't affect the decoding state. +-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { ++// It returns a reference to the encoded string data to permit deferring decode costs ++// until after the caller verifies all data is present. ++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { + if len(p) == 0 { +- return "", p, errNeedMore ++ return u, p, errNeedMore + } + isHuff := p[0]&128 != 0 + strLen, p, err := readVarInt(7, p) + if err != nil { +- return "", p, err ++ return u, p, err + } + if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { +- return "", nil, ErrStringLength ++ // Returning an error here means Huffman decoding errors ++ // for non-indexed strings past the maximum string length ++ // are ignored, but the server is returning an error anyway ++ // and because the string is not indexed the error will not ++ // affect the decoding state. ++ return u, nil, ErrStringLength + } + if uint64(len(p)) < strLen { +- return "", p, errNeedMore +- } +- if !isHuff { +- if wantStr { +- s = string(p[:strLen]) +- } +- return s, p[strLen:], nil ++ return u, p, errNeedMore + } ++ u.isHuff = isHuff ++ u.b = p[:strLen] ++ return u, p[strLen:], nil ++} + +- if wantStr { +- buf := bufPool.Get().(*bytes.Buffer) +- buf.Reset() // don't trust others +- defer bufPool.Put(buf) +- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { +- buf.Reset() +- return "", nil, err +- } ++type undecodedString struct { ++ isHuff bool ++ b []byte ++} ++ ++func (d *Decoder) decodeString(u undecodedString) (string, error) { ++ if !u.isHuff { ++ return string(u.b), nil ++ } ++ buf := bufPool.Get().(*bytes.Buffer) ++ buf.Reset() // don't trust others ++ var s string ++ err := huffmanDecode(buf, d.maxStrLen, u.b) ++ if err == nil { + s = buf.String() +- buf.Reset() // be nice to GC + } +- return s, p[strLen:], nil ++ buf.Reset() // be nice to GC ++ bufPool.Put(buf) ++ return s, err + } +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch new file mode 100644 index 0000000000..4521f159ea --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch @@ -0,0 +1,75 @@ +From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 20 Mar 2023 10:43:19 -0700 +Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime + message sizes + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611 +Reviewed-by: Damien Neil <dneil@google.com> +Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168 +Reviewed-on: https://go-review.googlesource.com/c/go/+/481986 +Reviewed-by: Matthew Dempsky <mdempsky@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104] +CVE: CVE-2023-24537 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/go/parser/parser_test.go | 16 ++++++++++++++++ + src/go/scanner/scanner.go | 5 ++++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go +index 1a46c87..993df63 100644 +--- a/src/go/parser/parser_test.go ++++ b/src/go/parser/parser_test.go +@@ -746,3 +746,19 @@ func TestScopeDepthLimit(t *testing.T) { + } + } + } ++ ++// TestIssue59180 tests that line number overflow doesn't cause an infinite loop. ++func TestIssue59180(t *testing.T) { ++ testcases := []string{ ++ "package p\n//line :9223372036854775806\n\n//", ++ "package p\n//line :1:9223372036854775806\n\n//", ++ "package p\n//line file:9223372036854775806\n\n//", ++ } ++ ++ for _, src := range testcases { ++ _, err := ParseFile(token.NewFileSet(), "", src, ParseComments) ++ if err == nil { ++ t.Errorf("ParseFile(%s) succeeded unexpectedly", src) ++ } ++ } ++} +diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go +index f08e28c..ff847b5 100644 +--- a/src/go/scanner/scanner.go ++++ b/src/go/scanner/scanner.go +@@ -251,13 +251,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) { + return + } + ++ // Put a cap on the maximum size of line and column numbers. ++ // 30 bits allows for some additional space before wrapping an int32. ++ const maxLineCol = 1<<30 - 1 + var line, col int + i2, n2, ok2 := trailingDigits(text[:i-1]) + if ok2 { + //line filename:line:col + i, i2 = i2, i + line, col = n2, n +- if col == 0 { ++ if col == 0 || col > maxLineCol { + s.error(offs+i2, "invalid column number: "+string(text[i2:])) + return + } +-- +2.25.1 diff --git a/poky/meta/recipes-devtools/go/go-1.19/add_godebug.patch b/poky/meta/recipes-devtools/go/go-1.19/add_godebug.patch new file mode 100644 index 0000000000..0c3d2d2855 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.19/add_godebug.patch @@ -0,0 +1,84 @@ + +Upstream-Status: Backport [see text] + +https://github.com/golong/go.git as of commit 22c1d18a27... +Copy src/internal/godebug from go 1.19 since it does not +exist in 1.17. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + +--- /dev/null ++++ go/src/internal/godebug/godebug.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// Package godebug parses the GODEBUG environment variable. ++package godebug ++ ++import "os" ++ ++// Get returns the value for the provided GODEBUG key. ++func Get(key string) string { ++ return get(os.Getenv("GODEBUG"), key) ++} ++ ++// get returns the value part of key=value in s (a GODEBUG value). ++func get(s, key string) string { ++ for i := 0; i < len(s)-len(key)-1; i++ { ++ if i > 0 && s[i-1] != ',' { ++ continue ++ } ++ afterKey := s[i+len(key):] ++ if afterKey[0] != '=' || s[i:i+len(key)] != key { ++ continue ++ } ++ val := afterKey[1:] ++ for i, b := range val { ++ if b == ',' { ++ return val[:i] ++ } ++ } ++ return val ++ } ++ return "" ++} +--- /dev/null ++++ go/src/internal/godebug/godebug_test.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package godebug ++ ++import "testing" ++ ++func TestGet(t *testing.T) { ++ tests := []struct { ++ godebug string ++ key string ++ want string ++ }{ ++ {"", "", ""}, ++ {"", "foo", ""}, ++ {"foo=bar", "foo", "bar"}, ++ {"foo=bar,after=x", "foo", "bar"}, ++ {"before=x,foo=bar,after=x", "foo", "bar"}, ++ {"before=x,foo=bar", "foo", "bar"}, ++ {",,,foo=bar,,,", "foo", "bar"}, ++ {"foodecoy=wrong,foo=bar", "foo", "bar"}, ++ {"foo=", "foo", ""}, ++ {"foo", "foo", ""}, ++ {",foo", "foo", ""}, ++ {"foo=bar,baz", "loooooooong", ""}, ++ } ++ for _, tt := range tests { ++ got := get(tt.godebug, tt.key) ++ if got != tt.want { ++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want) ++ } ++ } ++} diff --git a/poky/meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch b/poky/meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch new file mode 100644 index 0000000000..aacffbffcd --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch @@ -0,0 +1,2391 @@ +From 00b256e9e3c0fa02a278ec9dfc3e191e02ceaf80 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <roland@golang.org> +Date: Wed, 14 Dec 2022 09:43:16 -0800 +Subject: [PATCH] [release-branch.go1.19] crypto/tls: replace all usages of + BytesOrPanic + +Message marshalling makes use of BytesOrPanic a lot, under the +assumption that it will never panic. This assumption was incorrect, and +specifically crafted handshakes could trigger panics. Rather than just +surgically replacing the usages of BytesOrPanic in paths that could +panic, replace all usages of it with proper error returns in case there +are other ways of triggering panics which we didn't find. + +In one specific case, the tree routed by expandLabel, we replace the +usage of BytesOrPanic, but retain a panic. This function already +explicitly panicked elsewhere, and returning an error from it becomes +rather painful because it requires changing a large number of APIs. +The marshalling is unlikely to ever panic, as the inputs are all either +fixed length, or already limited to the sizes required. If it were to +panic, it'd likely only be during development. A close inspection shows +no paths for a user to cause a panic currently. + +This patches ends up being rather large, since it requires routing +errors back through functions which previously had no error returns. +Where possible I've tried to use helpers that reduce the verbosity +of frequently repeated stanzas, and to make the diffs as minimal as +possible. + +Thanks to Marten Seemann for reporting this issue. + +Updates #58001 +Fixes #58358 +Fixes CVE-2022-41724 + +Change-Id: Ieb55867ef0a3e1e867b33f09421932510cb58851 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1679436 +Reviewed-by: Julie Qiu <julieqiu@google.com> +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +(cherry picked from commit 0f3a44ad7b41cc89efdfad25278953e17d9c1e04) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728204 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468117 +Auto-Submit: Michael Pratt <mpratt@google.com> +Run-TryBot: Michael Pratt <mpratt@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Than McIntosh <thanm@google.com> +--- + +CVE: CVE-2022-41724 + +Upstream-Status: Backport [see text] + +https://github.com/golong/go.git commit 00b256e9e3c0fa... +boring_test.go does not exist +modified for conn.go and handshake_messages.go + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + src/crypto/tls/boring_test.go | 2 +- + src/crypto/tls/common.go | 2 +- + src/crypto/tls/conn.go | 46 +- + src/crypto/tls/handshake_client.go | 95 +-- + src/crypto/tls/handshake_client_test.go | 4 +- + src/crypto/tls/handshake_client_tls13.go | 74 ++- + src/crypto/tls/handshake_messages.go | 716 +++++++++++----------- + src/crypto/tls/handshake_messages_test.go | 19 +- + src/crypto/tls/handshake_server.go | 73 ++- + src/crypto/tls/handshake_server_test.go | 31 +- + src/crypto/tls/handshake_server_tls13.go | 71 ++- + src/crypto/tls/key_schedule.go | 19 +- + src/crypto/tls/ticket.go | 8 +- + 13 files changed, 657 insertions(+), 503 deletions(-) + +--- go.orig/src/crypto/tls/common.go ++++ go/src/crypto/tls/common.go +@@ -1357,7 +1357,7 @@ func (c *Certificate) leaf() (*x509.Cert + } + + type handshakeMessage interface { +- marshal() []byte ++ marshal() ([]byte, error) + unmarshal([]byte) bool + } + +--- go.orig/src/crypto/tls/conn.go ++++ go/src/crypto/tls/conn.go +@@ -994,18 +994,46 @@ func (c *Conn) writeRecordLocked(typ rec + return n, nil + } + +-// writeRecord writes a TLS record with the given type and payload to the +-// connection and updates the record layer state. +-func (c *Conn) writeRecord(typ recordType, data []byte) (int, error) { ++// writeHandshakeRecord writes a handshake message to the connection and updates ++// the record layer state. If transcript is non-nil the marshalled message is ++// written to it. ++func (c *Conn) writeHandshakeRecord(msg handshakeMessage, transcript transcriptHash) (int, error) { + c.out.Lock() + defer c.out.Unlock() + +- return c.writeRecordLocked(typ, data) ++ data, err := msg.marshal() ++ if err != nil { ++ return 0, err ++ } ++ if transcript != nil { ++ transcript.Write(data) ++ } ++ ++ return c.writeRecordLocked(recordTypeHandshake, data) ++} ++ ++// writeChangeCipherRecord writes a ChangeCipherSpec message to the connection and ++// updates the record layer state. ++func (c *Conn) writeChangeCipherRecord() error { ++ c.out.Lock() ++ defer c.out.Unlock() ++ _, err := c.writeRecordLocked(recordTypeChangeCipherSpec, []byte{1}) ++ return err + } + + // readHandshake reads the next handshake message from +-// the record layer. +-func (c *Conn) readHandshake() (interface{}, error) { ++// the record layer. If transcript is non-nil, the message ++// is written to the passed transcriptHash. ++ ++// backport 00b256e9e3c0fa02a278ec9dfc3e191e02ceaf80 ++// ++// Commit wants to set this to ++// ++// func (c *Conn) readHandshake(transcript transcriptHash) (any, error) { ++// ++// but that does not compile. Retain the original interface{} argument. ++// ++func (c *Conn) readHandshake(transcript transcriptHash) (interface{}, error) { + for c.hand.Len() < 4 { + if err := c.readRecord(); err != nil { + return nil, err +@@ -1084,6 +1112,11 @@ func (c *Conn) readHandshake() (interfac + if !m.unmarshal(data) { + return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } ++ ++ if transcript != nil { ++ transcript.Write(data) ++ } ++ + return m, nil + } + +@@ -1159,7 +1192,7 @@ func (c *Conn) handleRenegotiation() err + return errors.New("tls: internal error: unexpected renegotiation") + } + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -1205,7 +1238,7 @@ func (c *Conn) handlePostHandshakeMessag + return c.handleRenegotiation() + } + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -1241,7 +1274,11 @@ func (c *Conn) handleKeyUpdate(keyUpdate + defer c.out.Unlock() + + msg := &keyUpdateMsg{} +- _, err := c.writeRecordLocked(recordTypeHandshake, msg.marshal()) ++ msgBytes, err := msg.marshal() ++ if err != nil { ++ return err ++ } ++ _, err = c.writeRecordLocked(recordTypeHandshake, msgBytes) + if err != nil { + // Surface the error at the next write. + c.out.setErrorLocked(err) +--- go.orig/src/crypto/tls/handshake_client.go ++++ go/src/crypto/tls/handshake_client.go +@@ -157,7 +157,10 @@ func (c *Conn) clientHandshake(ctx conte + } + c.serverName = hello.serverName + +- cacheKey, session, earlySecret, binderKey := c.loadSession(hello) ++ cacheKey, session, earlySecret, binderKey, err := c.loadSession(hello) ++ if err != nil { ++ return err ++ } + if cacheKey != "" && session != nil { + defer func() { + // If we got a handshake failure when resuming a session, throw away +@@ -172,11 +175,12 @@ func (c *Conn) clientHandshake(ctx conte + }() + } + +- if _, err := c.writeRecord(recordTypeHandshake, hello.marshal()); err != nil { ++ if _, err := c.writeHandshakeRecord(hello, nil); err != nil { + return err + } + +- msg, err := c.readHandshake() ++ // serverHelloMsg is not included in the transcript ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -241,9 +245,9 @@ func (c *Conn) clientHandshake(ctx conte + } + + func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string, +- session *ClientSessionState, earlySecret, binderKey []byte) { ++ session *ClientSessionState, earlySecret, binderKey []byte, err error) { + if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { +- return "", nil, nil, nil ++ return "", nil, nil, nil, nil + } + + hello.ticketSupported = true +@@ -258,14 +262,14 @@ func (c *Conn) loadSession(hello *client + // renegotiation is primarily used to allow a client to send a client + // certificate, which would be skipped if session resumption occurred. + if c.handshakes != 0 { +- return "", nil, nil, nil ++ return "", nil, nil, nil, nil + } + + // Try to resume a previously negotiated TLS session, if available. + cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) + session, ok := c.config.ClientSessionCache.Get(cacheKey) + if !ok || session == nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // Check that version used for the previous session is still valid. +@@ -277,7 +281,7 @@ func (c *Conn) loadSession(hello *client + } + } + if !versOk { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // Check that the cached server certificate is not expired, and that it's +@@ -286,16 +290,16 @@ func (c *Conn) loadSession(hello *client + if !c.config.InsecureSkipVerify { + if len(session.verifiedChains) == 0 { + // The original connection had InsecureSkipVerify, while this doesn't. +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + serverCert := session.serverCertificates[0] + if c.config.time().After(serverCert.NotAfter) { + // Expired certificate, delete the entry. + c.config.ClientSessionCache.Put(cacheKey, nil) +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + if err := serverCert.VerifyHostname(c.config.ServerName); err != nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + } + +@@ -303,7 +307,7 @@ func (c *Conn) loadSession(hello *client + // In TLS 1.2 the cipher suite must match the resumed session. Ensure we + // are still offering it. + if mutualCipherSuite(hello.cipherSuites, session.cipherSuite) == nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + hello.sessionTicket = session.sessionTicket +@@ -313,14 +317,14 @@ func (c *Conn) loadSession(hello *client + // Check that the session ticket is not expired. + if c.config.time().After(session.useBy) { + c.config.ClientSessionCache.Put(cacheKey, nil) +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // In TLS 1.3 the KDF hash must match the resumed session. Ensure we + // offer at least one cipher suite with that hash. + cipherSuite := cipherSuiteTLS13ByID(session.cipherSuite) + if cipherSuite == nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + cipherSuiteOk := false + for _, offeredID := range hello.cipherSuites { +@@ -331,7 +335,7 @@ func (c *Conn) loadSession(hello *client + } + } + if !cipherSuiteOk { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // Set the pre_shared_key extension. See RFC 8446, Section 4.2.11.1. +@@ -349,9 +353,15 @@ func (c *Conn) loadSession(hello *client + earlySecret = cipherSuite.extract(psk, nil) + binderKey = cipherSuite.deriveSecret(earlySecret, resumptionBinderLabel, nil) + transcript := cipherSuite.hash.New() +- transcript.Write(hello.marshalWithoutBinders()) ++ helloBytes, err := hello.marshalWithoutBinders() ++ if err != nil { ++ return "", nil, nil, nil, err ++ } ++ transcript.Write(helloBytes) + pskBinders := [][]byte{cipherSuite.finishedHash(binderKey, transcript)} +- hello.updateBinders(pskBinders) ++ if err := hello.updateBinders(pskBinders); err != nil { ++ return "", nil, nil, nil, err ++ } + + return + } +@@ -396,8 +406,12 @@ func (hs *clientHandshakeState) handshak + hs.finishedHash.discardHandshakeBuffer() + } + +- hs.finishedHash.Write(hs.hello.marshal()) +- hs.finishedHash.Write(hs.serverHello.marshal()) ++ if err := transcriptMsg(hs.hello, &hs.finishedHash); err != nil { ++ return err ++ } ++ if err := transcriptMsg(hs.serverHello, &hs.finishedHash); err != nil { ++ return err ++ } + + c.buffering = true + c.didResume = isResume +@@ -468,7 +482,7 @@ func (hs *clientHandshakeState) pickCiph + func (hs *clientHandshakeState) doFullHandshake() error { + c := hs.c + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -477,9 +491,8 @@ func (hs *clientHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } +- hs.finishedHash.Write(certMsg.marshal()) + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -497,11 +510,10 @@ func (hs *clientHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return errors.New("tls: received unexpected CertificateStatus message") + } +- hs.finishedHash.Write(cs.marshal()) + + c.ocspResponse = cs.response + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -530,14 +542,13 @@ func (hs *clientHandshakeState) doFullHa + + skx, ok := msg.(*serverKeyExchangeMsg) + if ok { +- hs.finishedHash.Write(skx.marshal()) + err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx) + if err != nil { + c.sendAlert(alertUnexpectedMessage) + return err + } + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -548,7 +559,6 @@ func (hs *clientHandshakeState) doFullHa + certReq, ok := msg.(*certificateRequestMsg) + if ok { + certRequested = true +- hs.finishedHash.Write(certReq.marshal()) + + cri := certificateRequestInfoFromMsg(hs.ctx, c.vers, certReq) + if chainToSend, err = c.getClientCertificate(cri); err != nil { +@@ -556,7 +566,7 @@ func (hs *clientHandshakeState) doFullHa + return err + } + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -567,7 +577,6 @@ func (hs *clientHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(shd, msg) + } +- hs.finishedHash.Write(shd.marshal()) + + // If the server requested a certificate then we have to send a + // Certificate message, even if it's empty because we don't have a +@@ -575,8 +584,7 @@ func (hs *clientHandshakeState) doFullHa + if certRequested { + certMsg = new(certificateMsg) + certMsg.certificates = chainToSend.Certificate +- hs.finishedHash.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { + return err + } + } +@@ -587,8 +595,7 @@ func (hs *clientHandshakeState) doFullHa + return err + } + if ckx != nil { +- hs.finishedHash.Write(ckx.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, ckx.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(ckx, &hs.finishedHash); err != nil { + return err + } + } +@@ -635,8 +642,7 @@ func (hs *clientHandshakeState) doFullHa + return err + } + +- hs.finishedHash.Write(certVerify.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certVerify.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certVerify, &hs.finishedHash); err != nil { + return err + } + } +@@ -771,7 +777,10 @@ func (hs *clientHandshakeState) readFini + return err + } + +- msg, err := c.readHandshake() ++ // finishedMsg is included in the transcript, but not until after we ++ // check the client version, since the state before this message was ++ // sent is used during verification. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -787,7 +796,11 @@ func (hs *clientHandshakeState) readFini + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: server's Finished message was incorrect") + } +- hs.finishedHash.Write(serverFinished.marshal()) ++ ++ if err := transcriptMsg(serverFinished, &hs.finishedHash); err != nil { ++ return err ++ } ++ + copy(out, verify) + return nil + } +@@ -798,7 +811,7 @@ func (hs *clientHandshakeState) readSess + } + + c := hs.c +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -807,7 +820,6 @@ func (hs *clientHandshakeState) readSess + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(sessionTicketMsg, msg) + } +- hs.finishedHash.Write(sessionTicketMsg.marshal()) + + hs.session = &ClientSessionState{ + sessionTicket: sessionTicketMsg.ticket, +@@ -827,14 +839,13 @@ func (hs *clientHandshakeState) readSess + func (hs *clientHandshakeState) sendFinished(out []byte) error { + c := hs.c + +- if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { ++ if err := c.writeChangeCipherRecord(); err != nil { + return err + } + + finished := new(finishedMsg) + finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) +- hs.finishedHash.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { + return err + } + copy(out, finished.verifyData) +--- go.orig/src/crypto/tls/handshake_client_test.go ++++ go/src/crypto/tls/handshake_client_test.go +@@ -1257,7 +1257,7 @@ func TestServerSelectingUnconfiguredAppl + cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256, + alpnProtocol: "how-about-this", + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + s.Write([]byte{ + byte(recordTypeHandshake), +@@ -1500,7 +1500,7 @@ func TestServerSelectingUnconfiguredCiph + random: make([]byte, 32), + cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384, + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + s.Write([]byte{ + byte(recordTypeHandshake), +--- go.orig/src/crypto/tls/handshake_client_tls13.go ++++ go/src/crypto/tls/handshake_client_tls13.go +@@ -58,7 +58,10 @@ func (hs *clientHandshakeStateTLS13) han + } + + hs.transcript = hs.suite.hash.New() +- hs.transcript.Write(hs.hello.marshal()) ++ ++ if err := transcriptMsg(hs.hello, hs.transcript); err != nil { ++ return err ++ } + + if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { + if err := hs.sendDummyChangeCipherSpec(); err != nil { +@@ -69,7 +72,9 @@ func (hs *clientHandshakeStateTLS13) han + } + } + +- hs.transcript.Write(hs.serverHello.marshal()) ++ if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { ++ return err ++ } + + c.buffering = true + if err := hs.processServerHello(); err != nil { +@@ -168,8 +173,7 @@ func (hs *clientHandshakeStateTLS13) sen + } + hs.sentDummyCCS = true + +- _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) +- return err ++ return hs.c.writeChangeCipherRecord() + } + + // processHelloRetryRequest handles the HRR in hs.serverHello, modifies and +@@ -184,7 +188,9 @@ func (hs *clientHandshakeStateTLS13) pro + hs.transcript.Reset() + hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + hs.transcript.Write(chHash) +- hs.transcript.Write(hs.serverHello.marshal()) ++ if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { ++ return err ++ } + + // The only HelloRetryRequest extensions we support are key_share and + // cookie, and clients must abort the handshake if the HRR would not result +@@ -249,10 +255,18 @@ func (hs *clientHandshakeStateTLS13) pro + transcript := hs.suite.hash.New() + transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + transcript.Write(chHash) +- transcript.Write(hs.serverHello.marshal()) +- transcript.Write(hs.hello.marshalWithoutBinders()) ++ if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { ++ return err ++ } ++ helloBytes, err := hs.hello.marshalWithoutBinders() ++ if err != nil { ++ return err ++ } ++ transcript.Write(helloBytes) + pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)} +- hs.hello.updateBinders(pskBinders) ++ if err := hs.hello.updateBinders(pskBinders); err != nil { ++ return err ++ } + } else { + // Server selected a cipher suite incompatible with the PSK. + hs.hello.pskIdentities = nil +@@ -260,12 +274,12 @@ func (hs *clientHandshakeStateTLS13) pro + } + } + +- hs.transcript.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { + return err + } + +- msg, err := c.readHandshake() ++ // serverHelloMsg is not included in the transcript ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -354,6 +368,7 @@ func (hs *clientHandshakeStateTLS13) est + if !hs.usingPSK { + earlySecret = hs.suite.extract(nil, nil) + } ++ + handshakeSecret := hs.suite.extract(sharedKey, + hs.suite.deriveSecret(earlySecret, "derived", nil)) + +@@ -384,7 +399,7 @@ func (hs *clientHandshakeStateTLS13) est + func (hs *clientHandshakeStateTLS13) readServerParameters() error { + c := hs.c + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } +@@ -394,7 +409,6 @@ func (hs *clientHandshakeStateTLS13) rea + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(encryptedExtensions, msg) + } +- hs.transcript.Write(encryptedExtensions.marshal()) + + if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil { + c.sendAlert(alertUnsupportedExtension) +@@ -423,18 +437,16 @@ func (hs *clientHandshakeStateTLS13) rea + return nil + } + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } + + certReq, ok := msg.(*certificateRequestMsgTLS13) + if ok { +- hs.transcript.Write(certReq.marshal()) +- + hs.certReq = certReq + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(hs.transcript) + if err != nil { + return err + } +@@ -449,7 +461,6 @@ func (hs *clientHandshakeStateTLS13) rea + c.sendAlert(alertDecodeError) + return errors.New("tls: received empty certificates message") + } +- hs.transcript.Write(certMsg.marshal()) + + c.scts = certMsg.certificate.SignedCertificateTimestamps + c.ocspResponse = certMsg.certificate.OCSPStaple +@@ -458,7 +469,10 @@ func (hs *clientHandshakeStateTLS13) rea + return err + } + +- msg, err = c.readHandshake() ++ // certificateVerifyMsg is included in the transcript, but not until ++ // after we verify the handshake signature, since the state before ++ // this message was sent is used. ++ msg, err = c.readHandshake(nil) + if err != nil { + return err + } +@@ -489,7 +503,9 @@ func (hs *clientHandshakeStateTLS13) rea + return errors.New("tls: invalid signature by the server certificate: " + err.Error()) + } + +- hs.transcript.Write(certVerify.marshal()) ++ if err := transcriptMsg(certVerify, hs.transcript); err != nil { ++ return err ++ } + + return nil + } +@@ -497,7 +513,10 @@ func (hs *clientHandshakeStateTLS13) rea + func (hs *clientHandshakeStateTLS13) readServerFinished() error { + c := hs.c + +- msg, err := c.readHandshake() ++ // finishedMsg is included in the transcript, but not until after we ++ // check the client version, since the state before this message was ++ // sent is used during verification. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -514,7 +533,9 @@ func (hs *clientHandshakeStateTLS13) rea + return errors.New("tls: invalid server finished hash") + } + +- hs.transcript.Write(finished.marshal()) ++ if err := transcriptMsg(finished, hs.transcript); err != nil { ++ return err ++ } + + // Derive secrets that take context through the server Finished. + +@@ -563,8 +584,7 @@ func (hs *clientHandshakeStateTLS13) sen + certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0 + certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0 + +- hs.transcript.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { + return err + } + +@@ -601,8 +621,7 @@ func (hs *clientHandshakeStateTLS13) sen + } + certVerifyMsg.signature = sig + +- hs.transcript.Write(certVerifyMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { + return err + } + +@@ -616,8 +635,7 @@ func (hs *clientHandshakeStateTLS13) sen + verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), + } + +- hs.transcript.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { + return err + } + +--- go.orig/src/crypto/tls/handshake_messages.go ++++ go/src/crypto/tls/handshake_messages.go +@@ -5,6 +5,7 @@ + package tls + + import ( ++ "errors" + "fmt" + "strings" + +@@ -94,9 +95,181 @@ type clientHelloMsg struct { + pskBinders [][]byte + } + +-func (m *clientHelloMsg) marshal() []byte { ++func (m *clientHelloMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil ++ } ++ ++ var exts cryptobyte.Builder ++ if len(m.serverName) > 0 { ++ // RFC 6066, Section 3 ++ exts.AddUint16(extensionServerName) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8(0) // name_type = host_name ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes([]byte(m.serverName)) ++ }) ++ }) ++ }) ++ } ++ if m.ocspStapling { ++ // RFC 4366, Section 3.6 ++ exts.AddUint16(extensionStatusRequest) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8(1) // status_type = ocsp ++ exts.AddUint16(0) // empty responder_id_list ++ exts.AddUint16(0) // empty request_extensions ++ }) ++ } ++ if len(m.supportedCurves) > 0 { ++ // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 ++ exts.AddUint16(extensionSupportedCurves) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, curve := range m.supportedCurves { ++ exts.AddUint16(uint16(curve)) ++ } ++ }) ++ }) ++ } ++ if len(m.supportedPoints) > 0 { ++ // RFC 4492, Section 5.1.2 ++ exts.AddUint16(extensionSupportedPoints) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.supportedPoints) ++ }) ++ }) ++ } ++ if m.ticketSupported { ++ // RFC 5077, Section 3.2 ++ exts.AddUint16(extensionSessionTicket) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.sessionTicket) ++ }) ++ } ++ if len(m.supportedSignatureAlgorithms) > 0 { ++ // RFC 5246, Section 7.4.1.4.1 ++ exts.AddUint16(extensionSignatureAlgorithms) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, sigAlgo := range m.supportedSignatureAlgorithms { ++ exts.AddUint16(uint16(sigAlgo)) ++ } ++ }) ++ }) ++ } ++ if len(m.supportedSignatureAlgorithmsCert) > 0 { ++ // RFC 8446, Section 4.2.3 ++ exts.AddUint16(extensionSignatureAlgorithmsCert) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { ++ exts.AddUint16(uint16(sigAlgo)) ++ } ++ }) ++ }) ++ } ++ if m.secureRenegotiationSupported { ++ // RFC 5746, Section 3.2 ++ exts.AddUint16(extensionRenegotiationInfo) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.secureRenegotiation) ++ }) ++ }) ++ } ++ if len(m.alpnProtocols) > 0 { ++ // RFC 7301, Section 3.1 ++ exts.AddUint16(extensionALPN) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, proto := range m.alpnProtocols { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes([]byte(proto)) ++ }) ++ } ++ }) ++ }) ++ } ++ if m.scts { ++ // RFC 6962, Section 3.3.1 ++ exts.AddUint16(extensionSCT) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if len(m.supportedVersions) > 0 { ++ // RFC 8446, Section 4.2.1 ++ exts.AddUint16(extensionSupportedVersions) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, vers := range m.supportedVersions { ++ exts.AddUint16(vers) ++ } ++ }) ++ }) ++ } ++ if len(m.cookie) > 0 { ++ // RFC 8446, Section 4.2.2 ++ exts.AddUint16(extensionCookie) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.cookie) ++ }) ++ }) ++ } ++ if len(m.keyShares) > 0 { ++ // RFC 8446, Section 4.2.8 ++ exts.AddUint16(extensionKeyShare) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, ks := range m.keyShares { ++ exts.AddUint16(uint16(ks.group)) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(ks.data) ++ }) ++ } ++ }) ++ }) ++ } ++ if m.earlyData { ++ // RFC 8446, Section 4.2.10 ++ exts.AddUint16(extensionEarlyData) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if len(m.pskModes) > 0 { ++ // RFC 8446, Section 4.2.9 ++ exts.AddUint16(extensionPSKModes) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.pskModes) ++ }) ++ }) ++ } ++ if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension ++ // RFC 8446, Section 4.2.11 ++ exts.AddUint16(extensionPreSharedKey) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, psk := range m.pskIdentities { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(psk.label) ++ }) ++ exts.AddUint32(psk.obfuscatedTicketAge) ++ } ++ }) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, binder := range m.pskBinders { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(binder) ++ }) ++ } ++ }) ++ }) ++ } ++ extBytes, err := exts.Bytes() ++ if err != nil { ++ return nil, err + } + + var b cryptobyte.Builder +@@ -116,219 +289,53 @@ func (m *clientHelloMsg) marshal() []byt + b.AddBytes(m.compressionMethods) + }) + +- // If extensions aren't present, omit them. +- var extensionsPresent bool +- bWithoutExtensions := *b +- +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- if len(m.serverName) > 0 { +- // RFC 6066, Section 3 +- b.AddUint16(extensionServerName) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8(0) // name_type = host_name +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(m.serverName)) +- }) +- }) +- }) +- } +- if m.ocspStapling { +- // RFC 4366, Section 3.6 +- b.AddUint16(extensionStatusRequest) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8(1) // status_type = ocsp +- b.AddUint16(0) // empty responder_id_list +- b.AddUint16(0) // empty request_extensions +- }) +- } +- if len(m.supportedCurves) > 0 { +- // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 +- b.AddUint16(extensionSupportedCurves) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, curve := range m.supportedCurves { +- b.AddUint16(uint16(curve)) +- } +- }) +- }) +- } +- if len(m.supportedPoints) > 0 { +- // RFC 4492, Section 5.1.2 +- b.AddUint16(extensionSupportedPoints) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.supportedPoints) +- }) +- }) +- } +- if m.ticketSupported { +- // RFC 5077, Section 3.2 +- b.AddUint16(extensionSessionTicket) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.sessionTicket) +- }) +- } +- if len(m.supportedSignatureAlgorithms) > 0 { +- // RFC 5246, Section 7.4.1.4.1 +- b.AddUint16(extensionSignatureAlgorithms) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, sigAlgo := range m.supportedSignatureAlgorithms { +- b.AddUint16(uint16(sigAlgo)) +- } +- }) +- }) +- } +- if len(m.supportedSignatureAlgorithmsCert) > 0 { +- // RFC 8446, Section 4.2.3 +- b.AddUint16(extensionSignatureAlgorithmsCert) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { +- b.AddUint16(uint16(sigAlgo)) +- } +- }) +- }) +- } +- if m.secureRenegotiationSupported { +- // RFC 5746, Section 3.2 +- b.AddUint16(extensionRenegotiationInfo) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.secureRenegotiation) +- }) +- }) +- } +- if len(m.alpnProtocols) > 0 { +- // RFC 7301, Section 3.1 +- b.AddUint16(extensionALPN) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, proto := range m.alpnProtocols { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(proto)) +- }) +- } +- }) +- }) +- } +- if m.scts { +- // RFC 6962, Section 3.3.1 +- b.AddUint16(extensionSCT) +- b.AddUint16(0) // empty extension_data +- } +- if len(m.supportedVersions) > 0 { +- // RFC 8446, Section 4.2.1 +- b.AddUint16(extensionSupportedVersions) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, vers := range m.supportedVersions { +- b.AddUint16(vers) +- } +- }) +- }) +- } +- if len(m.cookie) > 0 { +- // RFC 8446, Section 4.2.2 +- b.AddUint16(extensionCookie) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.cookie) +- }) +- }) +- } +- if len(m.keyShares) > 0 { +- // RFC 8446, Section 4.2.8 +- b.AddUint16(extensionKeyShare) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, ks := range m.keyShares { +- b.AddUint16(uint16(ks.group)) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(ks.data) +- }) +- } +- }) +- }) +- } +- if m.earlyData { +- // RFC 8446, Section 4.2.10 +- b.AddUint16(extensionEarlyData) +- b.AddUint16(0) // empty extension_data +- } +- if len(m.pskModes) > 0 { +- // RFC 8446, Section 4.2.9 +- b.AddUint16(extensionPSKModes) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.pskModes) +- }) +- }) +- } +- if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension +- // RFC 8446, Section 4.2.11 +- b.AddUint16(extensionPreSharedKey) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, psk := range m.pskIdentities { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(psk.label) +- }) +- b.AddUint32(psk.obfuscatedTicketAge) +- } +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, binder := range m.pskBinders { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(binder) +- }) +- } +- }) +- }) +- } +- +- extensionsPresent = len(b.BytesOrPanic()) > 2 +- }) +- +- if !extensionsPresent { +- *b = bWithoutExtensions +- } +- }) ++ if len(extBytes) > 0 { ++ b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { ++ b.AddBytes(extBytes) ++ }) ++ } ++ }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + // marshalWithoutBinders returns the ClientHello through the + // PreSharedKeyExtension.identities field, according to RFC 8446, Section + // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. +-func (m *clientHelloMsg) marshalWithoutBinders() []byte { ++func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) { + bindersLen := 2 // uint16 length prefix + for _, binder := range m.pskBinders { + bindersLen += 1 // uint8 length prefix + bindersLen += len(binder) + } + +- fullMessage := m.marshal() +- return fullMessage[:len(fullMessage)-bindersLen] ++ fullMessage, err := m.marshal() ++ if err != nil { ++ return nil, err ++ } ++ return fullMessage[:len(fullMessage)-bindersLen], nil + } + + // updateBinders updates the m.pskBinders field, if necessary updating the + // cached marshaled representation. The supplied binders must have the same + // length as the current m.pskBinders. +-func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { ++func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error { + if len(pskBinders) != len(m.pskBinders) { +- panic("tls: internal error: pskBinders length mismatch") ++ return errors.New("tls: internal error: pskBinders length mismatch") + } + for i := range m.pskBinders { + if len(pskBinders[i]) != len(m.pskBinders[i]) { +- panic("tls: internal error: pskBinders length mismatch") ++ return errors.New("tls: internal error: pskBinders length mismatch") + } + } + m.pskBinders = pskBinders + if m.raw != nil { +- lenWithoutBinders := len(m.marshalWithoutBinders()) ++ helloBytes, err := m.marshalWithoutBinders() ++ if err != nil { ++ return err ++ } ++ lenWithoutBinders := len(helloBytes) + // TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported. + b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders]) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +@@ -339,9 +346,11 @@ func (m *clientHelloMsg) updateBinders(p + } + }) + if len(b.BytesOrPanic()) != len(m.raw) { +- panic("tls: internal error: failed to update binders") ++ return errors.New("tls: internal error: failed to update binders") + } + } ++ ++ return nil + } + + func (m *clientHelloMsg) unmarshal(data []byte) bool { +@@ -613,9 +622,98 @@ type serverHelloMsg struct { + selectedGroup CurveID + } + +-func (m *serverHelloMsg) marshal() []byte { ++func (m *serverHelloMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil ++ } ++ ++ var exts cryptobyte.Builder ++ if m.ocspStapling { ++ exts.AddUint16(extensionStatusRequest) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if m.ticketSupported { ++ exts.AddUint16(extensionSessionTicket) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if m.secureRenegotiationSupported { ++ exts.AddUint16(extensionRenegotiationInfo) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.secureRenegotiation) ++ }) ++ }) ++ } ++ if len(m.alpnProtocol) > 0 { ++ exts.AddUint16(extensionALPN) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes([]byte(m.alpnProtocol)) ++ }) ++ }) ++ }) ++ } ++ if len(m.scts) > 0 { ++ exts.AddUint16(extensionSCT) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, sct := range m.scts { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(sct) ++ }) ++ } ++ }) ++ }) ++ } ++ if m.supportedVersion != 0 { ++ exts.AddUint16(extensionSupportedVersions) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(m.supportedVersion) ++ }) ++ } ++ if m.serverShare.group != 0 { ++ exts.AddUint16(extensionKeyShare) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(uint16(m.serverShare.group)) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.serverShare.data) ++ }) ++ }) ++ } ++ if m.selectedIdentityPresent { ++ exts.AddUint16(extensionPreSharedKey) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(m.selectedIdentity) ++ }) ++ } ++ ++ if len(m.cookie) > 0 { ++ exts.AddUint16(extensionCookie) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.cookie) ++ }) ++ }) ++ } ++ if m.selectedGroup != 0 { ++ exts.AddUint16(extensionKeyShare) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(uint16(m.selectedGroup)) ++ }) ++ } ++ if len(m.supportedPoints) > 0 { ++ exts.AddUint16(extensionSupportedPoints) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.supportedPoints) ++ }) ++ }) ++ } ++ ++ extBytes, err := exts.Bytes() ++ if err != nil { ++ return nil, err + } + + var b cryptobyte.Builder +@@ -629,104 +727,15 @@ func (m *serverHelloMsg) marshal() []byt + b.AddUint16(m.cipherSuite) + b.AddUint8(m.compressionMethod) + +- // If extensions aren't present, omit them. +- var extensionsPresent bool +- bWithoutExtensions := *b +- +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- if m.ocspStapling { +- b.AddUint16(extensionStatusRequest) +- b.AddUint16(0) // empty extension_data +- } +- if m.ticketSupported { +- b.AddUint16(extensionSessionTicket) +- b.AddUint16(0) // empty extension_data +- } +- if m.secureRenegotiationSupported { +- b.AddUint16(extensionRenegotiationInfo) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.secureRenegotiation) +- }) +- }) +- } +- if len(m.alpnProtocol) > 0 { +- b.AddUint16(extensionALPN) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(m.alpnProtocol)) +- }) +- }) +- }) +- } +- if len(m.scts) > 0 { +- b.AddUint16(extensionSCT) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, sct := range m.scts { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(sct) +- }) +- } +- }) +- }) +- } +- if m.supportedVersion != 0 { +- b.AddUint16(extensionSupportedVersions) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(m.supportedVersion) +- }) +- } +- if m.serverShare.group != 0 { +- b.AddUint16(extensionKeyShare) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(uint16(m.serverShare.group)) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.serverShare.data) +- }) +- }) +- } +- if m.selectedIdentityPresent { +- b.AddUint16(extensionPreSharedKey) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(m.selectedIdentity) +- }) +- } +- +- if len(m.cookie) > 0 { +- b.AddUint16(extensionCookie) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.cookie) +- }) +- }) +- } +- if m.selectedGroup != 0 { +- b.AddUint16(extensionKeyShare) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(uint16(m.selectedGroup)) +- }) +- } +- if len(m.supportedPoints) > 0 { +- b.AddUint16(extensionSupportedPoints) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.supportedPoints) +- }) +- }) +- } +- +- extensionsPresent = len(b.BytesOrPanic()) > 2 +- }) +- +- if !extensionsPresent { +- *b = bWithoutExtensions ++ if len(extBytes) > 0 { ++ b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { ++ b.AddBytes(extBytes) ++ }) + } + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *serverHelloMsg) unmarshal(data []byte) bool { +@@ -844,9 +853,9 @@ type encryptedExtensionsMsg struct { + alpnProtocol string + } + +-func (m *encryptedExtensionsMsg) marshal() []byte { ++func (m *encryptedExtensionsMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -866,8 +875,9 @@ func (m *encryptedExtensionsMsg) marshal + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { +@@ -915,10 +925,10 @@ func (m *encryptedExtensionsMsg) unmarsh + + type endOfEarlyDataMsg struct{} + +-func (m *endOfEarlyDataMsg) marshal() []byte { ++func (m *endOfEarlyDataMsg) marshal() ([]byte, error) { + x := make([]byte, 4) + x[0] = typeEndOfEarlyData +- return x ++ return x, nil + } + + func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { +@@ -930,9 +940,9 @@ type keyUpdateMsg struct { + updateRequested bool + } + +-func (m *keyUpdateMsg) marshal() []byte { ++func (m *keyUpdateMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -945,8 +955,9 @@ func (m *keyUpdateMsg) marshal() []byte + } + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *keyUpdateMsg) unmarshal(data []byte) bool { +@@ -978,9 +989,9 @@ type newSessionTicketMsgTLS13 struct { + maxEarlyData uint32 + } + +-func (m *newSessionTicketMsgTLS13) marshal() []byte { ++func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1005,8 +1016,9 @@ func (m *newSessionTicketMsgTLS13) marsh + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { +@@ -1059,9 +1071,9 @@ type certificateRequestMsgTLS13 struct { + certificateAuthorities [][]byte + } + +-func (m *certificateRequestMsgTLS13) marshal() []byte { ++func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1120,8 +1132,9 @@ func (m *certificateRequestMsgTLS13) mar + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { +@@ -1205,9 +1218,9 @@ type certificateMsg struct { + certificates [][]byte + } + +-func (m *certificateMsg) marshal() (x []byte) { ++func (m *certificateMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var i int +@@ -1216,7 +1229,7 @@ func (m *certificateMsg) marshal() (x [] + } + + length := 3 + 3*len(m.certificates) + i +- x = make([]byte, 4+length) ++ x := make([]byte, 4+length) + x[0] = typeCertificate + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) +@@ -1237,7 +1250,7 @@ func (m *certificateMsg) marshal() (x [] + } + + m.raw = x +- return ++ return m.raw, nil + } + + func (m *certificateMsg) unmarshal(data []byte) bool { +@@ -1284,9 +1297,9 @@ type certificateMsgTLS13 struct { + scts bool + } + +-func (m *certificateMsgTLS13) marshal() []byte { ++func (m *certificateMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1304,8 +1317,9 @@ func (m *certificateMsgTLS13) marshal() + marshalCertificate(b, certificate) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { +@@ -1428,9 +1442,9 @@ type serverKeyExchangeMsg struct { + key []byte + } + +-func (m *serverKeyExchangeMsg) marshal() []byte { ++func (m *serverKeyExchangeMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + length := len(m.key) + x := make([]byte, length+4) +@@ -1441,7 +1455,7 @@ func (m *serverKeyExchangeMsg) marshal() + copy(x[4:], m.key) + + m.raw = x +- return x ++ return x, nil + } + + func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { +@@ -1458,9 +1472,9 @@ type certificateStatusMsg struct { + response []byte + } + +-func (m *certificateStatusMsg) marshal() []byte { ++func (m *certificateStatusMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1472,8 +1486,9 @@ func (m *certificateStatusMsg) marshal() + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *certificateStatusMsg) unmarshal(data []byte) bool { +@@ -1492,10 +1507,10 @@ func (m *certificateStatusMsg) unmarshal + + type serverHelloDoneMsg struct{} + +-func (m *serverHelloDoneMsg) marshal() []byte { ++func (m *serverHelloDoneMsg) marshal() ([]byte, error) { + x := make([]byte, 4) + x[0] = typeServerHelloDone +- return x ++ return x, nil + } + + func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { +@@ -1507,9 +1522,9 @@ type clientKeyExchangeMsg struct { + ciphertext []byte + } + +-func (m *clientKeyExchangeMsg) marshal() []byte { ++func (m *clientKeyExchangeMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + length := len(m.ciphertext) + x := make([]byte, length+4) +@@ -1520,7 +1535,7 @@ func (m *clientKeyExchangeMsg) marshal() + copy(x[4:], m.ciphertext) + + m.raw = x +- return x ++ return x, nil + } + + func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { +@@ -1541,9 +1556,9 @@ type finishedMsg struct { + verifyData []byte + } + +-func (m *finishedMsg) marshal() []byte { ++func (m *finishedMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1552,8 +1567,9 @@ func (m *finishedMsg) marshal() []byte { + b.AddBytes(m.verifyData) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *finishedMsg) unmarshal(data []byte) bool { +@@ -1575,9 +1591,9 @@ type certificateRequestMsg struct { + certificateAuthorities [][]byte + } + +-func (m *certificateRequestMsg) marshal() (x []byte) { ++func (m *certificateRequestMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + // See RFC 4346, Section 7.4.4. +@@ -1592,7 +1608,7 @@ func (m *certificateRequestMsg) marshal( + length += 2 + 2*len(m.supportedSignatureAlgorithms) + } + +- x = make([]byte, 4+length) ++ x := make([]byte, 4+length) + x[0] = typeCertificateRequest + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) +@@ -1627,7 +1643,7 @@ func (m *certificateRequestMsg) marshal( + } + + m.raw = x +- return ++ return m.raw, nil + } + + func (m *certificateRequestMsg) unmarshal(data []byte) bool { +@@ -1713,9 +1729,9 @@ type certificateVerifyMsg struct { + signature []byte + } + +-func (m *certificateVerifyMsg) marshal() (x []byte) { ++func (m *certificateVerifyMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1729,8 +1745,9 @@ func (m *certificateVerifyMsg) marshal() + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *certificateVerifyMsg) unmarshal(data []byte) bool { +@@ -1753,15 +1770,15 @@ type newSessionTicketMsg struct { + ticket []byte + } + +-func (m *newSessionTicketMsg) marshal() (x []byte) { ++func (m *newSessionTicketMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + // See RFC 5077, Section 3.3. + ticketLen := len(m.ticket) + length := 2 + 4 + ticketLen +- x = make([]byte, 4+length) ++ x := make([]byte, 4+length) + x[0] = typeNewSessionTicket + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) +@@ -1772,7 +1789,7 @@ func (m *newSessionTicketMsg) marshal() + + m.raw = x + +- return ++ return m.raw, nil + } + + func (m *newSessionTicketMsg) unmarshal(data []byte) bool { +@@ -1800,10 +1817,25 @@ func (m *newSessionTicketMsg) unmarshal( + type helloRequestMsg struct { + } + +-func (*helloRequestMsg) marshal() []byte { +- return []byte{typeHelloRequest, 0, 0, 0} ++func (*helloRequestMsg) marshal() ([]byte, error) { ++ return []byte{typeHelloRequest, 0, 0, 0}, nil + } + + func (*helloRequestMsg) unmarshal(data []byte) bool { + return len(data) == 4 + } ++ ++type transcriptHash interface { ++ Write([]byte) (int, error) ++} ++ ++// transcriptMsg is a helper used to marshal and hash messages which typically ++// are not written to the wire, and as such aren't hashed during Conn.writeRecord. ++func transcriptMsg(msg handshakeMessage, h transcriptHash) error { ++ data, err := msg.marshal() ++ if err != nil { ++ return err ++ } ++ h.Write(data) ++ return nil ++} +--- go.orig/src/crypto/tls/handshake_messages_test.go ++++ go/src/crypto/tls/handshake_messages_test.go +@@ -37,6 +37,15 @@ var tests = []interface{}{ + &certificateMsgTLS13{}, + } + ++func mustMarshal(t *testing.T, msg handshakeMessage) []byte { ++ t.Helper() ++ b, err := msg.marshal() ++ if err != nil { ++ t.Fatal(err) ++ } ++ return b ++} ++ + func TestMarshalUnmarshal(t *testing.T) { + rand := rand.New(rand.NewSource(time.Now().UnixNano())) + +@@ -55,7 +64,7 @@ func TestMarshalUnmarshal(t *testing.T) + } + + m1 := v.Interface().(handshakeMessage) +- marshaled := m1.marshal() ++ marshaled := mustMarshal(t, m1) + m2 := iface.(handshakeMessage) + if !m2.unmarshal(marshaled) { + t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled) +@@ -408,12 +417,12 @@ func TestRejectEmptySCTList(t *testing.T + + var random [32]byte + sct := []byte{0x42, 0x42, 0x42, 0x42} +- serverHello := serverHelloMsg{ ++ serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: random[:], + scts: [][]byte{sct}, + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + var serverHelloCopy serverHelloMsg + if !serverHelloCopy.unmarshal(serverHelloBytes) { +@@ -451,12 +460,12 @@ func TestRejectEmptySCT(t *testing.T) { + // not be zero length. + + var random [32]byte +- serverHello := serverHelloMsg{ ++ serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: random[:], + scts: [][]byte{nil}, + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + var serverHelloCopy serverHelloMsg + if serverHelloCopy.unmarshal(serverHelloBytes) { +--- go.orig/src/crypto/tls/handshake_server.go ++++ go/src/crypto/tls/handshake_server.go +@@ -129,7 +129,9 @@ func (hs *serverHandshakeState) handshak + + // readClientHello reads a ClientHello message and selects the protocol version. + func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { +- msg, err := c.readHandshake() ++ // clientHelloMsg is included in the transcript, but we haven't initialized ++ // it yet. The respective handshake functions will record it themselves. ++ msg, err := c.readHandshake(nil) + if err != nil { + return nil, err + } +@@ -456,9 +458,10 @@ func (hs *serverHandshakeState) doResume + hs.hello.ticketSupported = hs.sessionState.usedOldKey + hs.finishedHash = newFinishedHash(c.vers, hs.suite) + hs.finishedHash.discardHandshakeBuffer() +- hs.finishedHash.Write(hs.clientHello.marshal()) +- hs.finishedHash.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { ++ return err ++ } ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { + return err + } + +@@ -496,24 +499,23 @@ func (hs *serverHandshakeState) doFullHa + // certificates won't be used. + hs.finishedHash.discardHandshakeBuffer() + } +- hs.finishedHash.Write(hs.clientHello.marshal()) +- hs.finishedHash.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { ++ return err ++ } ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { + return err + } + + certMsg := new(certificateMsg) + certMsg.certificates = hs.cert.Certificate +- hs.finishedHash.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { + return err + } + + if hs.hello.ocspStapling { + certStatus := new(certificateStatusMsg) + certStatus.response = hs.cert.OCSPStaple +- hs.finishedHash.Write(certStatus.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil { + return err + } + } +@@ -525,8 +527,7 @@ func (hs *serverHandshakeState) doFullHa + return err + } + if skx != nil { +- hs.finishedHash.Write(skx.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil { + return err + } + } +@@ -552,15 +553,13 @@ func (hs *serverHandshakeState) doFullHa + if c.config.ClientCAs != nil { + certReq.certificateAuthorities = c.config.ClientCAs.Subjects() + } +- hs.finishedHash.Write(certReq.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil { + return err + } + } + + helloDone := new(serverHelloDoneMsg) +- hs.finishedHash.Write(helloDone.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil { + return err + } + +@@ -570,7 +569,7 @@ func (hs *serverHandshakeState) doFullHa + + var pub crypto.PublicKey // public key for client auth, if any + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -583,7 +582,6 @@ func (hs *serverHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } +- hs.finishedHash.Write(certMsg.marshal()) + + if err := c.processCertsFromClient(Certificate{ + Certificate: certMsg.certificates, +@@ -594,7 +592,7 @@ func (hs *serverHandshakeState) doFullHa + pub = c.peerCertificates[0].PublicKey + } + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -612,7 +610,6 @@ func (hs *serverHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(ckx, msg) + } +- hs.finishedHash.Write(ckx.marshal()) + + preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers) + if err != nil { +@@ -632,7 +629,10 @@ func (hs *serverHandshakeState) doFullHa + // to the client's certificate. This allows us to verify that the client is in + // possession of the private key of the certificate. + if len(c.peerCertificates) > 0 { +- msg, err = c.readHandshake() ++ // certificateVerifyMsg is included in the transcript, but not until ++ // after we verify the handshake signature, since the state before ++ // this message was sent is used. ++ msg, err = c.readHandshake(nil) + if err != nil { + return err + } +@@ -667,7 +667,9 @@ func (hs *serverHandshakeState) doFullHa + return errors.New("tls: invalid signature by the client certificate: " + err.Error()) + } + +- hs.finishedHash.Write(certVerify.marshal()) ++ if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil { ++ return err ++ } + } + + hs.finishedHash.discardHandshakeBuffer() +@@ -707,7 +709,10 @@ func (hs *serverHandshakeState) readFini + return err + } + +- msg, err := c.readHandshake() ++ // finishedMsg is included in the transcript, but not until after we ++ // check the client version, since the state before this message was ++ // sent is used during verification. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -724,7 +729,10 @@ func (hs *serverHandshakeState) readFini + return errors.New("tls: client's Finished message is incorrect") + } + +- hs.finishedHash.Write(clientFinished.marshal()) ++ if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil { ++ return err ++ } ++ + copy(out, verify) + return nil + } +@@ -758,14 +766,16 @@ func (hs *serverHandshakeState) sendSess + masterSecret: hs.masterSecret, + certificates: certsFromClient, + } +- var err error +- m.ticket, err = c.encryptTicket(state.marshal()) ++ stateBytes, err := state.marshal() ++ if err != nil { ++ return err ++ } ++ m.ticket, err = c.encryptTicket(stateBytes) + if err != nil { + return err + } + +- hs.finishedHash.Write(m.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil { + return err + } + +@@ -775,14 +785,13 @@ func (hs *serverHandshakeState) sendSess + func (hs *serverHandshakeState) sendFinished(out []byte) error { + c := hs.c + +- if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { ++ if err := c.writeChangeCipherRecord(); err != nil { + return err + } + + finished := new(finishedMsg) + finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) +- hs.finishedHash.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { + return err + } + +--- go.orig/src/crypto/tls/handshake_server_test.go ++++ go/src/crypto/tls/handshake_server_test.go +@@ -30,6 +30,13 @@ func testClientHello(t *testing.T, serve + testClientHelloFailure(t, serverConfig, m, "") + } + ++// testFatal is a hack to prevent the compiler from complaining that there is a ++// call to t.Fatal from a non-test goroutine ++func testFatal(t *testing.T, err error) { ++ t.Helper() ++ t.Fatal(err) ++} ++ + func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) { + c, s := localPipe(t) + go func() { +@@ -37,7 +44,9 @@ func testClientHelloFailure(t *testing.T + if ch, ok := m.(*clientHelloMsg); ok { + cli.vers = ch.vers + } +- cli.writeRecord(recordTypeHandshake, m.marshal()) ++ if _, err := cli.writeHandshakeRecord(m, nil); err != nil { ++ testFatal(t, err) ++ } + c.Close() + }() + ctx := context.Background() +@@ -194,7 +203,9 @@ func TestRenegotiationExtension(t *testi + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } + + buf := make([]byte, 1024) + n, err := c.Read(buf) +@@ -253,8 +264,10 @@ func TestTLS12OnlyCipherSuites(t *testin + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) +- reply, err := cli.readHandshake() ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } ++ reply, err := cli.readHandshake(nil) + c.Close() + if err != nil { + replyChan <- err +@@ -308,8 +321,10 @@ func TestTLSPointFormats(t *testing.T) { + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) +- reply, err := cli.readHandshake() ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } ++ reply, err := cli.readHandshake(nil) + c.Close() + if err != nil { + replyChan <- err +@@ -1425,7 +1440,9 @@ func TestSNIGivenOnFailure(t *testing.T) + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } + c.Close() + }() + conn := Server(s, serverConfig) +--- go.orig/src/crypto/tls/handshake_server_tls13.go ++++ go/src/crypto/tls/handshake_server_tls13.go +@@ -298,7 +298,12 @@ func (hs *serverHandshakeStateTLS13) che + c.sendAlert(alertInternalError) + return errors.New("tls: internal error: failed to clone hash") + } +- transcript.Write(hs.clientHello.marshalWithoutBinders()) ++ clientHelloBytes, err := hs.clientHello.marshalWithoutBinders() ++ if err != nil { ++ c.sendAlert(alertInternalError) ++ return err ++ } ++ transcript.Write(clientHelloBytes) + pskBinder := hs.suite.finishedHash(binderKey, transcript) + if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) { + c.sendAlert(alertDecryptError) +@@ -389,8 +394,7 @@ func (hs *serverHandshakeStateTLS13) sen + } + hs.sentDummyCCS = true + +- _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) +- return err ++ return hs.c.writeChangeCipherRecord() + } + + func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error { +@@ -398,7 +402,9 @@ func (hs *serverHandshakeStateTLS13) doH + + // The first ClientHello gets double-hashed into the transcript upon a + // HelloRetryRequest. See RFC 8446, Section 4.4.1. +- hs.transcript.Write(hs.clientHello.marshal()) ++ if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { ++ return err ++ } + chHash := hs.transcript.Sum(nil) + hs.transcript.Reset() + hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) +@@ -414,8 +420,7 @@ func (hs *serverHandshakeStateTLS13) doH + selectedGroup: selectedGroup, + } + +- hs.transcript.Write(helloRetryRequest.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil { + return err + } + +@@ -423,7 +428,8 @@ func (hs *serverHandshakeStateTLS13) doH + return err + } + +- msg, err := c.readHandshake() ++ // clientHelloMsg is not included in the transcript. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -514,9 +520,10 @@ func illegalClientHelloChange(ch, ch1 *c + func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + c := hs.c + +- hs.transcript.Write(hs.clientHello.marshal()) +- hs.transcript.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { ++ return err ++ } ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { + return err + } + +@@ -559,8 +566,7 @@ func (hs *serverHandshakeStateTLS13) sen + encryptedExtensions.alpnProtocol = selectedProto + c.clientProtocol = selectedProto + +- hs.transcript.Write(encryptedExtensions.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil { + return err + } + +@@ -589,8 +595,7 @@ func (hs *serverHandshakeStateTLS13) sen + certReq.certificateAuthorities = c.config.ClientCAs.Subjects() + } + +- hs.transcript.Write(certReq.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certReq, hs.transcript); err != nil { + return err + } + } +@@ -601,8 +606,7 @@ func (hs *serverHandshakeStateTLS13) sen + certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0 + certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 + +- hs.transcript.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { + return err + } + +@@ -633,8 +637,7 @@ func (hs *serverHandshakeStateTLS13) sen + } + certVerifyMsg.signature = sig + +- hs.transcript.Write(certVerifyMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { + return err + } + +@@ -648,8 +651,7 @@ func (hs *serverHandshakeStateTLS13) sen + verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), + } + +- hs.transcript.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { + return err + } + +@@ -710,7 +712,9 @@ func (hs *serverHandshakeStateTLS13) sen + finishedMsg := &finishedMsg{ + verifyData: hs.clientFinished, + } +- hs.transcript.Write(finishedMsg.marshal()) ++ if err := transcriptMsg(finishedMsg, hs.transcript); err != nil { ++ return err ++ } + + if !hs.shouldSendSessionTickets() { + return nil +@@ -735,8 +739,12 @@ func (hs *serverHandshakeStateTLS13) sen + SignedCertificateTimestamps: c.scts, + }, + } +- var err error +- m.label, err = c.encryptTicket(state.marshal()) ++ stateBytes, err := state.marshal() ++ if err != nil { ++ c.sendAlert(alertInternalError) ++ return err ++ } ++ m.label, err = c.encryptTicket(stateBytes) + if err != nil { + return err + } +@@ -755,7 +763,7 @@ func (hs *serverHandshakeStateTLS13) sen + // ticket_nonce, which must be unique per connection, is always left at + // zero because we only ever send one ticket per connection. + +- if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { ++ if _, err := c.writeHandshakeRecord(m, nil); err != nil { + return err + } + +@@ -780,7 +788,7 @@ func (hs *serverHandshakeStateTLS13) rea + // If we requested a client certificate, then the client must send a + // certificate message. If it's empty, no CertificateVerify is sent. + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } +@@ -790,7 +798,6 @@ func (hs *serverHandshakeStateTLS13) rea + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } +- hs.transcript.Write(certMsg.marshal()) + + if err := c.processCertsFromClient(certMsg.certificate); err != nil { + return err +@@ -804,7 +811,10 @@ func (hs *serverHandshakeStateTLS13) rea + } + + if len(certMsg.certificate.Certificate) != 0 { +- msg, err = c.readHandshake() ++ // certificateVerifyMsg is included in the transcript, but not until ++ // after we verify the handshake signature, since the state before ++ // this message was sent is used. ++ msg, err = c.readHandshake(nil) + if err != nil { + return err + } +@@ -835,7 +845,9 @@ func (hs *serverHandshakeStateTLS13) rea + return errors.New("tls: invalid signature by the client certificate: " + err.Error()) + } + +- hs.transcript.Write(certVerify.marshal()) ++ if err := transcriptMsg(certVerify, hs.transcript); err != nil { ++ return err ++ } + } + + // If we waited until the client certificates to send session tickets, we +@@ -850,7 +862,8 @@ func (hs *serverHandshakeStateTLS13) rea + func (hs *serverHandshakeStateTLS13) readClientFinished() error { + c := hs.c + +- msg, err := c.readHandshake() ++ // finishedMsg is not included in the transcript. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +--- go.orig/src/crypto/tls/key_schedule.go ++++ go/src/crypto/tls/key_schedule.go +@@ -8,6 +8,7 @@ import ( + "crypto/elliptic" + "crypto/hmac" + "errors" ++ "fmt" + "hash" + "io" + "math/big" +@@ -42,8 +43,24 @@ func (c *cipherSuiteTLS13) expandLabel(s + hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(context) + }) ++ hkdfLabelBytes, err := hkdfLabel.Bytes() ++ if err != nil { ++ // Rather than calling BytesOrPanic, we explicitly handle this error, in ++ // order to provide a reasonable error message. It should be basically ++ // impossible for this to panic, and routing errors back through the ++ // tree rooted in this function is quite painful. The labels are fixed ++ // size, and the context is either a fixed-length computed hash, or ++ // parsed from a field which has the same length limitation. As such, an ++ // error here is likely to only be caused during development. ++ // ++ // NOTE: another reasonable approach here might be to return a ++ // randomized slice if we encounter an error, which would break the ++ // connection, but avoid panicking. This would perhaps be safer but ++ // significantly more confusing to users. ++ panic(fmt.Errorf("failed to construct HKDF label: %s", err)) ++ } + out := make([]byte, length) +- n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out) ++ n, err := hkdf.Expand(c.hash.New, secret, hkdfLabelBytes).Read(out) + if err != nil || n != length { + panic("tls: HKDF-Expand-Label invocation failed unexpectedly") + } +--- go.orig/src/crypto/tls/ticket.go ++++ go/src/crypto/tls/ticket.go +@@ -32,7 +32,7 @@ type sessionState struct { + usedOldKey bool + } + +-func (m *sessionState) marshal() []byte { ++func (m *sessionState) marshal() ([]byte, error) { + var b cryptobyte.Builder + b.AddUint16(m.vers) + b.AddUint16(m.cipherSuite) +@@ -47,7 +47,7 @@ func (m *sessionState) marshal() []byte + }) + } + }) +- return b.BytesOrPanic() ++ return b.Bytes() + } + + func (m *sessionState) unmarshal(data []byte) bool { +@@ -86,7 +86,7 @@ type sessionStateTLS13 struct { + certificate Certificate // CertificateEntry certificate_list<0..2^24-1>; + } + +-func (m *sessionStateTLS13) marshal() []byte { ++func (m *sessionStateTLS13) marshal() ([]byte, error) { + var b cryptobyte.Builder + b.AddUint16(VersionTLS13) + b.AddUint8(0) // revision +@@ -96,7 +96,7 @@ func (m *sessionStateTLS13) marshal() [] + b.AddBytes(m.resumptionSecret) + }) + marshalCertificate(&b, m.certificate) +- return b.BytesOrPanic() ++ return b.Bytes() + } + + func (m *sessionStateTLS13) unmarshal(data []byte) bool { diff --git a/poky/meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch b/poky/meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch new file mode 100644 index 0000000000..a71d07e3f1 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch @@ -0,0 +1,652 @@ +From 5c55ac9bf1e5f779220294c843526536605f42ab Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 25 Jan 2023 09:27:01 -0800 +Subject: [PATCH] [release-branch.go1.19] mime/multipart: limit memory/inode + consumption of ReadForm + +Reader.ReadForm is documented as storing "up to maxMemory bytes + 10MB" +in memory. Parsed forms can consume substantially more memory than +this limit, since ReadForm does not account for map entry overhead +and MIME headers. + +In addition, while the amount of disk memory consumed by ReadForm can +be constrained by limiting the size of the parsed input, ReadForm will +create one temporary file per form part stored on disk, potentially +consuming a large number of inodes. + +Update ReadForm's memory accounting to include part names, +MIME headers, and map entry overhead. + +Update ReadForm to store all on-disk file parts in a single +temporary file. + +Files returned by FileHeader.Open are documented as having a concrete +type of *os.File when a file is stored on disk. The change to use a +single temporary file for all parts means that this is no longer the +case when a form contains more than a single file part stored on disk. + +The previous behavior of storing each file part in a separate disk +file may be reenabled with GODEBUG=multipartfiles=distinct. + +Update Reader.NextPart and Reader.NextRawPart to set a 10MiB cap +on the size of MIME headers. + +Thanks to Jakob Ackermann (@das7pad) for reporting this issue. + +Updates #58006 +Fixes #58362 +Fixes CVE-2022-41725 + +Change-Id: Ibd780a6c4c83ac8bcfd3cbe344f042e9940f2eab +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1714276 +Reviewed-by: Julie Qiu <julieqiu@google.com> +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +(cherry picked from commit ed4664330edcd91b24914c9371c377c132dbce8c) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728949 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468116 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Than McIntosh <thanm@google.com> +Run-TryBot: Michael Pratt <mpratt@google.com> +Auto-Submit: Michael Pratt <mpratt@google.com> +--- + +CVE: CVE-2022-41725 + +Upstream-Status: Backport [see text] + +https://github.com/golong/go.git commit 5c55ac9bf1e5... +modified for reader.go + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +___ + src/mime/multipart/formdata.go | 132 ++++++++++++++++++++----- + src/mime/multipart/formdata_test.go | 140 ++++++++++++++++++++++++++- + src/mime/multipart/multipart.go | 25 +++-- + src/mime/multipart/readmimeheader.go | 14 +++ + src/net/http/request_test.go | 2 +- + src/net/textproto/reader.go | 20 +++- + 6 files changed, 295 insertions(+), 38 deletions(-) + create mode 100644 src/mime/multipart/readmimeheader.go + +--- go.orig/src/mime/multipart/formdata.go ++++ go/src/mime/multipart/formdata.go +@@ -7,6 +7,7 @@ package multipart + import ( + "bytes" + "errors" ++ "internal/godebug" + "io" + "math" + "net/textproto" +@@ -33,23 +34,58 @@ func (r *Reader) ReadForm(maxMemory int6 + + func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + form := &Form{make(map[string][]string), make(map[string][]*FileHeader)} ++ var ( ++ file *os.File ++ fileOff int64 ++ ) ++ numDiskFiles := 0 ++ multipartFiles := godebug.Get("multipartfiles") ++ combineFiles := multipartFiles != "distinct" + defer func() { ++ if file != nil { ++ if cerr := file.Close(); err == nil { ++ err = cerr ++ } ++ } ++ if combineFiles && numDiskFiles > 1 { ++ for _, fhs := range form.File { ++ for _, fh := range fhs { ++ fh.tmpshared = true ++ } ++ } ++ } + if err != nil { + form.RemoveAll() ++ if file != nil { ++ os.Remove(file.Name()) ++ } + } + }() + +- // Reserve an additional 10 MB for non-file parts. +- maxValueBytes := maxMemory + int64(10<<20) +- if maxValueBytes <= 0 { ++ // maxFileMemoryBytes is the maximum bytes of file data we will store in memory. ++ // Data past this limit is written to disk. ++ // This limit strictly applies to content, not metadata (filenames, MIME headers, etc.), ++ // since metadata is always stored in memory, not disk. ++ // ++ // maxMemoryBytes is the maximum bytes we will store in memory, including file content, ++ // non-file part values, metdata, and map entry overhead. ++ // ++ // We reserve an additional 10 MB in maxMemoryBytes for non-file data. ++ // ++ // The relationship between these parameters, as well as the overly-large and ++ // unconfigurable 10 MB added on to maxMemory, is unfortunate but difficult to change ++ // within the constraints of the API as documented. ++ maxFileMemoryBytes := maxMemory ++ maxMemoryBytes := maxMemory + int64(10<<20) ++ if maxMemoryBytes <= 0 { + if maxMemory < 0 { +- maxValueBytes = 0 ++ maxMemoryBytes = 0 + } else { +- maxValueBytes = math.MaxInt64 ++ maxMemoryBytes = math.MaxInt64 + } + } + for { +- p, err := r.NextPart() ++ p, err := r.nextPart(false, maxMemoryBytes) + if err == io.EOF { + break + } +@@ -63,16 +99,27 @@ func (r *Reader) readForm(maxMemory int6 + } + filename := p.FileName() + ++ // Multiple values for the same key (one map entry, longer slice) are cheaper ++ // than the same number of values for different keys (many map entries), but ++ // using a consistent per-value cost for overhead is simpler. ++ maxMemoryBytes -= int64(len(name)) ++ maxMemoryBytes -= 100 // map overhead ++ if maxMemoryBytes < 0 { ++ // We can't actually take this path, since nextPart would already have ++ // rejected the MIME headers for being too large. Check anyway. ++ return nil, ErrMessageTooLarge ++ } ++ + var b bytes.Buffer + + if filename == "" { + // value, store as string in memory +- n, err := io.CopyN(&b, p, maxValueBytes+1) ++ n, err := io.CopyN(&b, p, maxMemoryBytes+1) + if err != nil && err != io.EOF { + return nil, err + } +- maxValueBytes -= n +- if maxValueBytes < 0 { ++ maxMemoryBytes -= n ++ if maxMemoryBytes < 0 { + return nil, ErrMessageTooLarge + } + form.Value[name] = append(form.Value[name], b.String()) +@@ -80,35 +127,45 @@ func (r *Reader) readForm(maxMemory int6 + } + + // file, store in memory or on disk ++ maxMemoryBytes -= mimeHeaderSize(p.Header) ++ if maxMemoryBytes < 0 { ++ return nil, ErrMessageTooLarge ++ } + fh := &FileHeader{ + Filename: filename, + Header: p.Header, + } +- n, err := io.CopyN(&b, p, maxMemory+1) ++ n, err := io.CopyN(&b, p, maxFileMemoryBytes+1) + if err != nil && err != io.EOF { + return nil, err + } +- if n > maxMemory { +- // too big, write to disk and flush buffer +- file, err := os.CreateTemp("", "multipart-") +- if err != nil { +- return nil, err ++ if n > maxFileMemoryBytes { ++ if file == nil { ++ file, err = os.CreateTemp(r.tempDir, "multipart-") ++ if err != nil { ++ return nil, err ++ } + } ++ numDiskFiles++ + size, err := io.Copy(file, io.MultiReader(&b, p)) +- if cerr := file.Close(); err == nil { +- err = cerr +- } + if err != nil { +- os.Remove(file.Name()) + return nil, err + } + fh.tmpfile = file.Name() + fh.Size = size ++ fh.tmpoff = fileOff ++ fileOff += size ++ if !combineFiles { ++ if err := file.Close(); err != nil { ++ return nil, err ++ } ++ file = nil ++ } + } else { + fh.content = b.Bytes() + fh.Size = int64(len(fh.content)) +- maxMemory -= n +- maxValueBytes -= n ++ maxFileMemoryBytes -= n ++ maxMemoryBytes -= n + } + form.File[name] = append(form.File[name], fh) + } +@@ -116,6 +173,17 @@ func (r *Reader) readForm(maxMemory int6 + return form, nil + } + ++func mimeHeaderSize(h textproto.MIMEHeader) (size int64) { ++ for k, vs := range h { ++ size += int64(len(k)) ++ size += 100 // map entry overhead ++ for _, v := range vs { ++ size += int64(len(v)) ++ } ++ } ++ return size ++} ++ + // Form is a parsed multipart form. + // Its File parts are stored either in memory or on disk, + // and are accessible via the *FileHeader's Open method. +@@ -133,7 +201,7 @@ func (f *Form) RemoveAll() error { + for _, fh := range fhs { + if fh.tmpfile != "" { + e := os.Remove(fh.tmpfile) +- if e != nil && err == nil { ++ if e != nil && !errors.Is(e, os.ErrNotExist) && err == nil { + err = e + } + } +@@ -148,15 +216,25 @@ type FileHeader struct { + Header textproto.MIMEHeader + Size int64 + +- content []byte +- tmpfile string ++ content []byte ++ tmpfile string ++ tmpoff int64 ++ tmpshared bool + } + + // Open opens and returns the FileHeader's associated File. + func (fh *FileHeader) Open() (File, error) { + if b := fh.content; b != nil { + r := io.NewSectionReader(bytes.NewReader(b), 0, int64(len(b))) +- return sectionReadCloser{r}, nil ++ return sectionReadCloser{r, nil}, nil ++ } ++ if fh.tmpshared { ++ f, err := os.Open(fh.tmpfile) ++ if err != nil { ++ return nil, err ++ } ++ r := io.NewSectionReader(f, fh.tmpoff, fh.Size) ++ return sectionReadCloser{r, f}, nil + } + return os.Open(fh.tmpfile) + } +@@ -175,8 +253,12 @@ type File interface { + + type sectionReadCloser struct { + *io.SectionReader ++ io.Closer + } + + func (rc sectionReadCloser) Close() error { ++ if rc.Closer != nil { ++ return rc.Closer.Close() ++ } + return nil + } +--- go.orig/src/mime/multipart/formdata_test.go ++++ go/src/mime/multipart/formdata_test.go +@@ -6,8 +6,10 @@ package multipart + + import ( + "bytes" ++ "fmt" + "io" + "math" ++ "net/textproto" + "os" + "strings" + "testing" +@@ -208,8 +210,8 @@ Content-Disposition: form-data; name="la + maxMemory int64 + err error + }{ +- {"smaller", 50, nil}, +- {"exact-fit", 25, nil}, ++ {"smaller", 50 + int64(len("largetext")) + 100, nil}, ++ {"exact-fit", 25 + int64(len("largetext")) + 100, nil}, + {"too-large", 0, ErrMessageTooLarge}, + } + for _, tc := range testCases { +@@ -224,7 +226,7 @@ Content-Disposition: form-data; name="la + defer f.RemoveAll() + } + if tc.err != err { +- t.Fatalf("ReadForm error - got: %v; expected: %v", tc.err, err) ++ t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err) + } + if err == nil { + if g := f.Value["largetext"][0]; g != largeTextValue { +@@ -234,3 +236,135 @@ Content-Disposition: form-data; name="la + }) + } + } ++ ++// TestReadForm_MetadataTooLarge verifies that we account for the size of field names, ++// MIME headers, and map entry overhead while limiting the memory consumption of parsed forms. ++func TestReadForm_MetadataTooLarge(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ f func(*Writer) ++ }{{ ++ name: "large name", ++ f: func(fw *Writer) { ++ name := strings.Repeat("a", 10<<20) ++ w, _ := fw.CreateFormField(name) ++ w.Write([]byte("value")) ++ }, ++ }, { ++ name: "large MIME header", ++ f: func(fw *Writer) { ++ h := make(textproto.MIMEHeader) ++ h.Set("Content-Disposition", `form-data; name="a"`) ++ h.Set("X-Foo", strings.Repeat("a", 10<<20)) ++ w, _ := fw.CreatePart(h) ++ w.Write([]byte("value")) ++ }, ++ }, { ++ name: "many parts", ++ f: func(fw *Writer) { ++ for i := 0; i < 110000; i++ { ++ w, _ := fw.CreateFormField("f") ++ w.Write([]byte("v")) ++ } ++ }, ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ var buf bytes.Buffer ++ fw := NewWriter(&buf) ++ test.f(fw) ++ if err := fw.Close(); err != nil { ++ t.Fatal(err) ++ } ++ fr := NewReader(&buf, fw.Boundary()) ++ _, err := fr.ReadForm(0) ++ if err != ErrMessageTooLarge { ++ t.Errorf("fr.ReadForm() = %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++// TestReadForm_ManyFiles_Combined tests that a multipart form containing many files only ++// results in a single on-disk file. ++func TestReadForm_ManyFiles_Combined(t *testing.T) { ++ const distinct = false ++ testReadFormManyFiles(t, distinct) ++} ++ ++// TestReadForm_ManyFiles_Distinct tests that setting GODEBUG=multipartfiles=distinct ++// results in every file in a multipart form being placed in a distinct on-disk file. ++func TestReadForm_ManyFiles_Distinct(t *testing.T) { ++ t.Setenv("GODEBUG", "multipartfiles=distinct") ++ const distinct = true ++ testReadFormManyFiles(t, distinct) ++} ++ ++func testReadFormManyFiles(t *testing.T, distinct bool) { ++ var buf bytes.Buffer ++ fw := NewWriter(&buf) ++ const numFiles = 10 ++ for i := 0; i < numFiles; i++ { ++ name := fmt.Sprint(i) ++ w, err := fw.CreateFormFile(name, name) ++ if err != nil { ++ t.Fatal(err) ++ } ++ w.Write([]byte(name)) ++ } ++ if err := fw.Close(); err != nil { ++ t.Fatal(err) ++ } ++ fr := NewReader(&buf, fw.Boundary()) ++ fr.tempDir = t.TempDir() ++ form, err := fr.ReadForm(0) ++ if err != nil { ++ t.Fatal(err) ++ } ++ for i := 0; i < numFiles; i++ { ++ name := fmt.Sprint(i) ++ if got := len(form.File[name]); got != 1 { ++ t.Fatalf("form.File[%q] has %v entries, want 1", name, got) ++ } ++ fh := form.File[name][0] ++ file, err := fh.Open() ++ if err != nil { ++ t.Fatalf("form.File[%q].Open() = %v", name, err) ++ } ++ if distinct { ++ if _, ok := file.(*os.File); !ok { ++ t.Fatalf("form.File[%q].Open: %T, want *os.File", name, file) ++ } ++ } ++ got, err := io.ReadAll(file) ++ file.Close() ++ if string(got) != name || err != nil { ++ t.Fatalf("read form.File[%q]: %q, %v; want %q, nil", name, string(got), err, name) ++ } ++ } ++ dir, err := os.Open(fr.tempDir) ++ if err != nil { ++ t.Fatal(err) ++ } ++ defer dir.Close() ++ names, err := dir.Readdirnames(0) ++ if err != nil { ++ t.Fatal(err) ++ } ++ wantNames := 1 ++ if distinct { ++ wantNames = numFiles ++ } ++ if len(names) != wantNames { ++ t.Fatalf("temp dir contains %v files; want 1", len(names)) ++ } ++ if err := form.RemoveAll(); err != nil { ++ t.Fatalf("form.RemoveAll() = %v", err) ++ } ++ names, err = dir.Readdirnames(0) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if len(names) != 0 { ++ t.Fatalf("temp dir contains %v files; want 0", len(names)) ++ } ++} +--- go.orig/src/mime/multipart/multipart.go ++++ go/src/mime/multipart/multipart.go +@@ -128,12 +128,12 @@ func (r *stickyErrorReader) Read(p []byt + return n, r.err + } + +-func newPart(mr *Reader, rawPart bool) (*Part, error) { ++func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { + bp := &Part{ + Header: make(map[string][]string), + mr: mr, + } +- if err := bp.populateHeaders(); err != nil { ++ if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil { + return nil, err + } + bp.r = partReader{bp} +@@ -149,12 +149,16 @@ func newPart(mr *Reader, rawPart bool) ( + return bp, nil + } + +-func (bp *Part) populateHeaders() error { ++func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error { + r := textproto.NewReader(bp.mr.bufReader) +- header, err := r.ReadMIMEHeader() ++ header, err := readMIMEHeader(r, maxMIMEHeaderSize) + if err == nil { + bp.Header = header + } ++ // TODO: Add a distinguishable error to net/textproto. ++ if err != nil && err.Error() == "message too large" { ++ err = ErrMessageTooLarge ++ } + return err + } + +@@ -294,6 +298,7 @@ func (p *Part) Close() error { + // isn't supported. + type Reader struct { + bufReader *bufio.Reader ++ tempDir string // used in tests + + currentPart *Part + partsRead int +@@ -304,6 +309,10 @@ type Reader struct { + dashBoundary []byte // "--boundary" + } + ++// maxMIMEHeaderSize is the maximum size of a MIME header we will parse, ++// including header keys, values, and map overhead. ++const maxMIMEHeaderSize = 10 << 20 ++ + // NextPart returns the next part in the multipart or an error. + // When there are no more parts, the error io.EOF is returned. + // +@@ -311,7 +320,7 @@ type Reader struct { + // has a value of "quoted-printable", that header is instead + // hidden and the body is transparently decoded during Read calls. + func (r *Reader) NextPart() (*Part, error) { +- return r.nextPart(false) ++ return r.nextPart(false, maxMIMEHeaderSize) + } + + // NextRawPart returns the next part in the multipart or an error. +@@ -320,10 +329,10 @@ func (r *Reader) NextPart() (*Part, erro + // Unlike NextPart, it does not have special handling for + // "Content-Transfer-Encoding: quoted-printable". + func (r *Reader) NextRawPart() (*Part, error) { +- return r.nextPart(true) ++ return r.nextPart(true, maxMIMEHeaderSize) + } + +-func (r *Reader) nextPart(rawPart bool) (*Part, error) { ++func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { + if r.currentPart != nil { + r.currentPart.Close() + } +@@ -348,7 +357,7 @@ func (r *Reader) nextPart(rawPart bool) + + if r.isBoundaryDelimiterLine(line) { + r.partsRead++ +- bp, err := newPart(r, rawPart) ++ bp, err := newPart(r, rawPart, maxMIMEHeaderSize) + if err != nil { + return nil, err + } +--- /dev/null ++++ go/src/mime/multipart/readmimeheader.go +@@ -0,0 +1,14 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++package multipart ++ ++import ( ++ "net/textproto" ++ _ "unsafe" // for go:linkname ++) ++ ++// readMIMEHeader is defined in package net/textproto. ++// ++//go:linkname readMIMEHeader net/textproto.readMIMEHeader ++func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error) +--- go.orig/src/net/http/request_test.go ++++ go/src/net/http/request_test.go +@@ -1110,7 +1110,7 @@ func testMissingFile(t *testing.T, req * + t.Errorf("FormFile file = %v, want nil", f) + } + if fh != nil { +- t.Errorf("FormFile file header = %q, want nil", fh) ++ t.Errorf("FormFile file header = %v, want nil", fh) + } + if err != ErrMissingFile { + t.Errorf("FormFile err = %q, want ErrMissingFile", err) +--- go.orig/src/net/textproto/reader.go ++++ go/src/net/textproto/reader.go +@@ -7,8 +7,10 @@ package textproto + import ( + "bufio" + "bytes" ++ "errors" + "fmt" + "io" ++ "math" + "strconv" + "strings" + "sync" +@@ -481,6 +483,12 @@ func (r *Reader) ReadDotLines() ([]strin + // } + // + func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) { ++ return readMIMEHeader(r, math.MaxInt64) ++} ++ ++// readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size. ++// It is called by the mime/multipart package. ++func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + // Avoid lots of small slice allocations later by allocating one + // large one ahead of time which we'll cut up into smaller + // slices. If this isn't big enough later, we allocate small ones. +@@ -521,6 +529,16 @@ func (r *Reader) ReadMIMEHeader() (MIMEH + continue + } + ++ // backport 5c55ac9bf1e5f779220294c843526536605f42ab ++ // ++ // value is computed as ++ // ++ // value := string(bytes.TrimLeft(v, " \t")) ++ // ++ // in the original patch from 1.19. This relies on ++ // 'v' which does not exist in 1.17. We leave the ++ // 1.17 method unchanged. ++ + // Skip initial spaces in value. + i++ // skip colon + for i < len(kv) && (kv[i] == ' ' || kv[i] == '\t') { +@@ -529,6 +547,16 @@ func (r *Reader) ReadMIMEHeader() (MIMEH + value := string(kv[i:]) + + vv := m[key] ++ if vv == nil { ++ lim -= int64(len(key)) ++ lim -= 100 // map entry overhead ++ } ++ lim -= int64(len(value)) ++ if lim < 0 { ++ // TODO: This should be a distinguishable error (ErrMessageTooLarge) ++ // to allow mime/multipart to detect it. ++ return m, errors.New("message too large") ++ } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. + // Most headers aren't multi-valued. diff --git a/poky/meta/recipes-devtools/go/go-crosssdk.inc b/poky/meta/recipes-devtools/go/go-crosssdk.inc index cd23cca2fe..766938670a 100644 --- a/poky/meta/recipes-devtools/go/go-crosssdk.inc +++ b/poky/meta/recipes-devtools/go/go-crosssdk.inc @@ -4,6 +4,8 @@ DEPENDS = "go-native virtual/${TARGET_PREFIX}gcc-crosssdk virtual/nativesdk-${TA PN = "go-crosssdk-${SDK_SYS}" PROVIDES = "virtual/${TARGET_PREFIX}go-crosssdk" +export GOCACHE = "${B}/.cache" + do_configure[noexec] = "1" do_compile() { diff --git a/poky/meta/recipes-devtools/go/go_1.17.13.bb b/poky/meta/recipes-devtools/go/go_1.17.13.bb index 34dc89bb0c..bb57c1c48a 100644 --- a/poky/meta/recipes-devtools/go/go_1.17.13.bb +++ b/poky/meta/recipes-devtools/go/go_1.17.13.bb @@ -11,7 +11,7 @@ export CXX_FOR_TARGET = "g++" # mips/rv64 doesn't support -buildmode=pie, so skip the QA checking for mips/riscv32 and its # variants. python() { - if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv32' in d.getVar('TARGET_ARCH',True): - d.appendVar('INSANE_SKIP:%s' % d.getVar('PN',True), " textrel") + if 'mips' in d.getVar('TARGET_ARCH') or 'riscv32' in d.getVar('TARGET_ARCH'): + d.appendVar('INSANE_SKIP:%s' % d.getVar('PN'), " textrel") } diff --git a/poky/meta/recipes-devtools/json-c/json-c/run-ptest b/poky/meta/recipes-devtools/json-c/json-c/run-ptest new file mode 100644 index 0000000000..9ee6095ea2 --- /dev/null +++ b/poky/meta/recipes-devtools/json-c/json-c/run-ptest @@ -0,0 +1,20 @@ +#!/bin/sh + +# This script is used to run json-c test suites +cd tests + +ret_val=0 +for i in test*.test; do + # test_basic is not an own testcase, just + # contains common code of other tests + if [ "$i" != "test_basic.test" ]; then + if ./$i > json-c_test.log 2>&1 ; then + echo PASS: $i + else + ret_val=1 + echo FAIL: $i + fi + fi +done + +exit $ret_val diff --git a/poky/meta/recipes-devtools/json-c/json-c_0.15.bb b/poky/meta/recipes-devtools/json-c/json-c_0.15.bb index a4673a2f0e..7cbed55b3b 100644 --- a/poky/meta/recipes-devtools/json-c/json-c_0.15.bb +++ b/poky/meta/recipes-devtools/json-c/json-c_0.15.bb @@ -4,7 +4,10 @@ HOMEPAGE = "https://github.com/json-c/json-c/wiki" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" -SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz" +SRC_URI = " \ + https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ + file://run-ptest \ +" SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6" @@ -13,6 +16,15 @@ UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+" RPROVIDES:${PN} = "libjson" -inherit cmake +inherit cmake ptest + +do_install_ptest() { + install -d ${D}/${PTEST_PATH}/tests + install ${B}/tests/test* ${D}/${PTEST_PATH}/tests + install ${S}/tests/*.test ${D}/${PTEST_PATH}/tests + install ${S}/tests/*.expected ${D}/${PTEST_PATH}/tests + install ${S}/tests/test-defs.sh ${D}/${PTEST_PATH}/tests + install ${S}/tests/valid*json ${D}/${PTEST_PATH}/tests +} BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-devtools/lua/lua_5.4.4.bb b/poky/meta/recipes-devtools/lua/lua_5.4.4.bb index 0b2e754b31..a39d888ec2 100644 --- a/poky/meta/recipes-devtools/lua/lua_5.4.4.bb +++ b/poky/meta/recipes-devtools/lua/lua_5.4.4.bb @@ -57,3 +57,6 @@ do_install_ptest () { } BBCLASSEXTEND = "native nativesdk" + +inherit multilib_script +MULTILIB_SCRIPTS = "${PN}-dev:${includedir}/luaconf.h" diff --git a/poky/meta/recipes-devtools/meson/meson/meson-wrapper b/poky/meta/recipes-devtools/meson/meson/meson-wrapper index 8fafaad975..71c61db84f 100755 --- a/poky/meta/recipes-devtools/meson/meson/meson-wrapper +++ b/poky/meta/recipes-devtools/meson/meson/meson-wrapper @@ -5,7 +5,7 @@ if [ -z "$OECORE_NATIVE_SYSROOT" ]; then fi if [ -z "$SSL_CERT_DIR" ]; then - export SSL_CERT_DIR="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/" + export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/etc/ssl/certs/" fi # If these are set to a cross-compile path, meson will get confused and try to @@ -13,7 +13,19 @@ fi # config is already in meson.cross. unset CC CXX CPP LD AR NM STRIP +case "$1" in +setup|configure|dist|install|introspect|init|test|wrap|subprojects|rewrite|compile|devenv|env2mfile|help) MESON_CMD="$1" ;; +*) echo meson-wrapper: Implicit setup command assumed; MESON_CMD=setup ;; +esac + +if [ "$MESON_CMD" = "setup" ]; then + MESON_SETUP_OPTS=" \ + --cross-file="$OECORE_NATIVE_SYSROOT/usr/share/meson/${TARGET_PREFIX}meson.cross" \ + --native-file="$OECORE_NATIVE_SYSROOT/usr/share/meson/meson.native" \ + " + echo meson-wrapper: Running meson with setup options: \"$MESON_SETUP_OPTS\" +fi + exec "$OECORE_NATIVE_SYSROOT/usr/bin/meson.real" \ - --cross-file "${OECORE_NATIVE_SYSROOT}/usr/share/meson/${TARGET_PREFIX}meson.cross" \ - --native-file "${OECORE_NATIVE_SYSROOT}/usr/share/meson/meson.native" \ - "$@" + "$@" \ + $MESON_SETUP_OPTS diff --git a/poky/meta/recipes-devtools/mtd/mtd-utils_git.bb b/poky/meta/recipes-devtools/mtd/mtd-utils_git.bb index 3318277477..6a4f7b0688 100644 --- a/poky/meta/recipes-devtools/mtd/mtd-utils_git.bb +++ b/poky/meta/recipes-devtools/mtd/mtd-utils_git.bb @@ -11,9 +11,9 @@ inherit autotools pkgconfig update-alternatives DEPENDS = "zlib e2fsprogs util-linux" RDEPENDS:mtd-utils-tests += "bash" -PV = "2.1.4" +PV = "2.1.5" -SRCREV = "c7f1bfa44a84d02061787e2f6093df5cc40b9f5c" +SRCREV = "3f3b4cc6c3120107e7aaa21c6415772a255ac49c" SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \ file://add-exclusion-to-mkfs-jffs2-git-2.patch \ " diff --git a/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb b/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb index e72c171b92..b27e3ded33 100644 --- a/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb +++ b/poky/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb @@ -7,12 +7,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \ file://opkg.py;beginline=2;endline=18;md5=ffa11ff3c15eb31c6a7ceaa00cc9f986" PROVIDES += "${@bb.utils.contains('PACKAGECONFIG', 'update-alternatives', 'virtual/update-alternatives', '', d)}" -SRC_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/${BPN}/snapshot/${BPN}-${PV}.tar.gz \ +SRC_URI = "git://git.yoctoproject.org/opkg-utils;protocol=https;branch=master \ file://0001-update-alternatives-correctly-match-priority.patch \ " -UPSTREAM_CHECK_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils/refs/" +SRCREV = "9239541f14a2529b9d01c0a253ab11afa2822dab" -SRC_URI[sha256sum] = "55733c0f8ffde2bb4f9593cfd66a1f68e6a2f814e8e62f6fd78472911c818c32" +S = "${WORKDIR}/git" TARGET_CC_ARCH += "${LDFLAGS}" diff --git a/poky/meta/recipes-devtools/opkg/opkg_0.5.0.bb b/poky/meta/recipes-devtools/opkg/opkg_0.5.0.bb index e91d7250bc..7bddaa3016 100644 --- a/poky/meta/recipes-devtools/opkg/opkg_0.5.0.bb +++ b/poky/meta/recipes-devtools/opkg/opkg_0.5.0.bb @@ -46,7 +46,9 @@ EXTRA_OECONF:class-native = "--localstatedir=/${@os.path.relpath('${localstatedi do_install:append () { install -d ${D}${sysconfdir}/opkg install -m 0644 ${WORKDIR}/opkg.conf ${D}${sysconfdir}/opkg/opkg.conf - echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf + echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf + echo "option info_dir ${OPKGLIBDIR}/opkg/info" >>${D}${sysconfdir}/opkg/opkg.conf + echo "option status_file ${OPKGLIBDIR}/opkg/status" >>${D}${sysconfdir}/opkg/opkg.conf # We need to create the lock directory install -d ${D}${OPKGLIBDIR}/opkg diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch b/poky/meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch deleted file mode 100644 index b755a263a4..0000000000 --- a/poky/meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 682fb48c137b687477008b68863c2a0b73ed47d1 Mon Sep 17 00:00:00 2001 -From: Fabio Berton <fabio.berton@ossystems.com.br> -Date: Fri, 9 Sep 2016 16:00:42 -0300 -Subject: [PATCH] handle read-only files - -Patch from: -https://github.com/darealshinji/patchelf/commit/40e66392bc4b96e9b4eda496827d26348a503509 - -Upstream-Status: Denied [https://github.com/NixOS/patchelf/pull/89] - -Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> - ---- - src/patchelf.cc | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -Index: git/src/patchelf.cc -=================================================================== ---- git.orig/src/patchelf.cc -+++ git/src/patchelf.cc -@@ -534,9 +534,19 @@ void ElfFile<ElfFileParamNames>::sortShd - - static void writeFile(const std::string & fileName, const FileContents & contents) - { -+ struct stat st; -+ int fd; -+ - debug("writing %s\n", fileName.c_str()); - -- int fd = open(fileName.c_str(), O_CREAT | O_TRUNC | O_WRONLY, 0777); -+ if (stat(fileName.c_str(), &st) != 0) -+ error("stat"); -+ -+ if (chmod(fileName.c_str(), 0600) != 0) -+ error("chmod"); -+ -+ fd = open(fileName.c_str(), O_CREAT | O_TRUNC | O_WRONLY, 0777); -+ - if (fd == -1) - error("open"); - -@@ -551,8 +561,6 @@ static void writeFile(const std::string - bytesWritten += portion; - } - -- if (close(fd) >= 0) -- return; - /* - * Just ignore EINTR; a retry loop is the wrong thing to do. - * -@@ -561,9 +569,11 @@ static void writeFile(const std::string - * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR - * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain - */ -- if (errno == EINTR) -- return; -- error("close"); -+ if ((close(fd) < 0) && errno != EINTR) -+ error("close"); -+ -+ if (chmod(fileName.c_str(), st.st_mode) != 0) -+ error("chmod"); - } - - diff --git a/poky/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb b/poky/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb index 0fa2c00f1d..82c7e807ac 100644 --- a/poky/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb +++ b/poky/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb @@ -5,7 +5,6 @@ HOMEPAGE = "https://github.com/NixOS/patchelf" LICENSE = "GPL-3.0-only" SRC_URI = "git://github.com/NixOS/patchelf;protocol=https;branch=master \ - file://handle-read-only-files.patch \ " SRCREV = "a35054504293f9ff64539850d1ed0bfd2f5399f2" diff --git a/poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch b/poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch new file mode 100644 index 0000000000..c6ec7c94e1 --- /dev/null +++ b/poky/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch @@ -0,0 +1,75 @@ +From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001 +From: Ariadne Conill <ariadne@dereferenced.org> +Date: Wed, 15 Mar 2023 16:12:43 +0800 +Subject: [PATCH] tuple: test for, and stop string processing, on truncation + +otherwise a buffer overflow occurs. +this has been a bug in pkgconf since the beginning, it seems. +instead of disclosing the bug correctly, a "hotshot" developer +decided to blog about it instead. sigh. + +https://nullprogram.com/blog/2023/01/18/ + +Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059] +CVE: CVE-2023-24056 +Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com> +--- + libpkgconf/tuple.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c +index 2d550d8..b831070 100644 +--- a/libpkgconf/tuple.c ++++ b/libpkgconf/tuple.c +@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const + } + } + ++ size_t remain = PKGCONF_BUFSIZE - (bptr - buf); + ptr += (pptr - ptr); + kv = pkgconf_tuple_find_global(client, varname); + if (kv != NULL) + { +- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf)); +- bptr += strlen(kv); ++ size_t nlen = pkgconf_strlcpy(bptr, kv, remain); ++ if (nlen > remain) ++ { ++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); ++ ++ bptr = buf + (PKGCONF_BUFSIZE - 1); ++ break; ++ } ++ ++ bptr += nlen; + } + else + { +@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const + + if (kv != NULL) + { ++ size_t nlen; ++ + parsekv = pkgconf_tuple_parse(client, vars, kv); ++ nlen = pkgconf_strlcpy(bptr, parsekv, remain); ++ free(parsekv); + +- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf)); +- bptr += strlen(parsekv); ++ if (nlen > remain) ++ { ++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); + +- free(parsekv); ++ bptr = buf + (PKGCONF_BUFSIZE - 1); ++ break; ++ } ++ ++ bptr += nlen; + } + } + } +-- +2.27.0 + diff --git a/poky/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb b/poky/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb index 887e15e28c..cad0a0fa4f 100644 --- a/poky/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb +++ b/poky/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0" SRC_URI = "\ https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \ + file://0001-tuple-test-for-and-stop-string-processing-on-truncat.patch \ file://pkg-config-wrapper \ file://pkg-config-native.in \ file://pkg-config-esdk.in \ diff --git a/poky/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch b/poky/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch new file mode 100644 index 0000000000..94ca254549 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch @@ -0,0 +1,230 @@ +From 167413eefa9482a7777b3ccdcc70e511ef5fcc2b Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Thu, 2 Feb 2023 12:57:06 +0000 +Subject: [PATCH] Certifi is a curated collection of Root Certificates for + validating the trustworthiness of SSL certificates while verifying the + identity of TLS hosts. Certifi 2022.12.07 removes root certificates from + "TrustCor" from the root store. These are in the process of being removed + from Mozilla's trust store. TrustCor's root certificates are being removed + pursuant to an investigation prompted by media reporting that TrustCor's + ownership also operated a business that produced spyware. Conclusions of + Mozilla's investigation can be found in the linked google group discussion. + +CVE: CVE-2022-23491 + +Upstream-Status: Backport [https://github.com/certifi/python-certifi/commit/9e9e840925d7b8e76c76fdac1fab7e6e88c1c3b8] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + certifi/cacert.pem | 181 --------------------------------------------- + 1 file changed, 181 deletions(-) + +diff --git a/certifi/cacert.pem b/certifi/cacert.pem +index 6d0ccc0..6bae3e4 100644 +--- a/certifi/cacert.pem ++++ b/certifi/cacert.pem +@@ -694,37 +694,6 @@ BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB + ZQ== + -----END CERTIFICATE----- + +-# Issuer: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C. +-# Subject: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C. +-# Label: "Network Solutions Certificate Authority" +-# Serial: 116697915152937497490437556386812487904 +-# MD5 Fingerprint: d3:f3:a6:16:c0:fa:6b:1d:59:b1:2d:96:4d:0e:11:2e +-# SHA1 Fingerprint: 74:f8:a3:c3:ef:e7:b3:90:06:4b:83:90:3c:21:64:60:20:e5:df:ce +-# SHA256 Fingerprint: 15:f0:ba:00:a3:ac:7a:f3:ac:88:4c:07:2b:10:11:a0:77:bd:77:c0:97:f4:01:64:b2:f8:59:8a:bd:83:86:0c +------BEGIN CERTIFICATE----- +-MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi +-MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu +-MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp +-dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV +-UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO +-ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG +-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz +-c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP +-OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl +-mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF +-BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4 +-qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw +-gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB +-BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu +-bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp +-dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8 +-6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/ +-h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH +-/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv +-wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN +-pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey +------END CERTIFICATE----- +- + # Issuer: CN=COMODO ECC Certification Authority O=COMODO CA Limited + # Subject: CN=COMODO ECC Certification Authority O=COMODO CA Limited + # Label: "COMODO ECC Certification Authority" +@@ -2385,46 +2354,6 @@ KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg + xwy8p2Fp8fc74SrL+SvzZpA3 + -----END CERTIFICATE----- + +-# Issuer: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden +-# Subject: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden +-# Label: "Staat der Nederlanden EV Root CA" +-# Serial: 10000013 +-# MD5 Fingerprint: fc:06:af:7b:e8:1a:f1:9a:b4:e8:d2:70:1f:c0:f5:ba +-# SHA1 Fingerprint: 76:e2:7e:c1:4f:db:82:c1:c0:a6:75:b5:05:be:3d:29:b4:ed:db:bb +-# SHA256 Fingerprint: 4d:24:91:41:4c:fe:95:67:46:ec:4c:ef:a6:cf:6f:72:e2:8a:13:29:43:2f:9d:8a:90:7a:c4:cb:5d:ad:c1:5a +------BEGIN CERTIFICATE----- +-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI +-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS +-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +-7uzXLg== +------END CERTIFICATE----- +- + # Issuer: CN=IdenTrust Commercial Root CA 1 O=IdenTrust + # Subject: CN=IdenTrust Commercial Root CA 1 O=IdenTrust + # Label: "IdenTrust Commercial Root CA 1" +@@ -3032,116 +2961,6 @@ T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe + MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== + -----END CERTIFICATE----- + +-# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor RootCert CA-1" +-# Serial: 15752444095811006489 +-# MD5 Fingerprint: 6e:85:f1:dc:1a:00:d3:22:d5:b2:b2:ac:6b:37:05:45 +-# SHA1 Fingerprint: ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a +-# SHA256 Fingerprint: d4:0e:9c:86:cd:8f:e4:68:c1:77:69:59:f4:9e:a7:74:fa:54:86:84:b6:c4:06:f3:90:92:61:f4:dc:e2:57:5c +------BEGIN CERTIFICATE----- +-MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +-VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +-MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +-cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y +-IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB +-pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h +-IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG +-A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU +-cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid +-RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V +-seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme +-9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV +-EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW +-hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/ +-DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw +-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD +-ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I +-/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf +-ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ +-yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts +-L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN +-zl/HHk484IkzlQsPpTLWPFp5LBk= +------END CERTIFICATE----- +- +-# Issuer: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor RootCert CA-2" +-# Serial: 2711694510199101698 +-# MD5 Fingerprint: a2:e1:f8:18:0b:ba:45:d5:c7:41:2a:bb:37:52:45:64 +-# SHA1 Fingerprint: b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c:c0 +-# SHA256 Fingerprint: 07:53:e9:40:37:8c:1b:d5:e3:83:6e:39:5d:ae:a5:cb:83:9e:50:46:f1:bd:0e:ae:19:51:cf:10:fe:c7:c9:65 +------BEGIN CERTIFICATE----- +-MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV +-BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +-IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +-dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig +-Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk +-MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg +-Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD +-VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy +-dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +-AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+ +-QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq +-1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp +-2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK +-DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape +-az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF +-3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88 +-oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM +-g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3 +-mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh +-8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd +-BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U +-nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw +-DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX +-dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+ +-MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL +-/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX +-CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa +-ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW +-2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7 +-N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3 +-Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB +-As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp +-5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu +-1uwJ +------END CERTIFICATE----- +- +-# Issuer: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor ECA-1" +-# Serial: 9548242946988625984 +-# MD5 Fingerprint: 27:92:23:1d:0a:f5:40:7c:e9:e6:6b:9d:d8:f5:e7:6c +-# SHA1 Fingerprint: 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78:bd +-# SHA256 Fingerprint: 5a:88:5d:b1:9c:01:d9:12:c5:75:93:88:93:8c:af:bb:df:03:1a:b2:d4:8e:91:ee:15:58:9b:42:97:1d:03:9c +------BEGIN CERTIFICATE----- +-MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD +-VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +-MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +-cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y +-IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV +-BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +-IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +-dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig +-RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb +-3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA +-BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5 +-3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou +-owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/ +-wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF +-ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf +-BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/ +-MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv +-civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2 +-AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F +-hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50 +-soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI +-WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi +-tJ/X5g== +------END CERTIFICATE----- +- + # Issuer: CN=SSL.com Root Certification Authority RSA O=SSL Corporation + # Subject: CN=SSL.com Root Certification Authority RSA O=SSL Corporation + # Label: "SSL.com Root Certification Authority RSA" +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb b/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb index 4c376da897..57bd59ba44 100644 --- a/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb +++ b/poky/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb @@ -7,6 +7,8 @@ HOMEPAGE = " http://certifi.io/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=67da0714c3f9471067b729eca6c9fbe8" +SRC_URI += "file://CVE-2022-23491.patch" + SRC_URI[sha256sum] = "78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872" inherit pypi setuptools3 diff --git a/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch new file mode 100644 index 0000000000..16192b22c7 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch @@ -0,0 +1,97 @@ +From 6ebe9231cd34dacd32a964859bc509aaa1e3f5fd Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Fri, 6 Jan 2023 14:13:10 +0000 +Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1518 + +Fix command injection +Add `--` in some commands that receive user input +and if interpreted as options could lead to remote +code execution (RCE). + +There may be more commands that could benefit from `--` +so the input is never interpreted as an option, +but most of those aren't dangerous. + +Fixed commands: + +- push +- pull +- fetch +- clone/clone_from and friends +- archive (not sure if this one can be exploited, but it doesn't hurt + adding `--` :)) + +For anyone using GitPython and exposing any of the GitPython methods to users, +make sure to always validate the input (like if starts with `--`). +And for anyone allowing users to pass arbitrary options, be aware +that some options may lead fo RCE, like `--exc`, `--upload-pack`, +`--receive-pack`, `--config` (#1516). + +Ref #1517 + +CVE: CVE-2022-24439 + +Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1518] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + git/remote.py | 6 +++--- + git/repo/base.py | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/git/remote.py b/git/remote.py +index 56f3c5b..59681bc 100644 +--- a/git/remote.py ++++ b/git/remote.py +@@ -881,7 +881,7 @@ class Remote(LazyMixin, IterableObj): + else: + args = [refspec] + +- proc = self.repo.git.fetch(self, *args, as_process=True, with_stdout=False, ++ proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, + universal_newlines=True, v=verbose, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, + kill_after_timeout=kill_after_timeout) +@@ -905,7 +905,7 @@ class Remote(LazyMixin, IterableObj): + # No argument refspec, then ensure the repo's config has a fetch refspec. + self._assert_refspec() + kwargs = add_progress(kwargs, self.repo.git, progress) +- proc = self.repo.git.pull(self, refspec, with_stdout=False, as_process=True, ++ proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, + universal_newlines=True, v=True, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, + kill_after_timeout=kill_after_timeout) +@@ -945,7 +945,7 @@ class Remote(LazyMixin, IterableObj): + If the operation fails completely, the length of the returned IterableList will + be 0.""" + kwargs = add_progress(kwargs, self.repo.git, progress) +- proc = self.repo.git.push(self, refspec, porcelain=True, as_process=True, ++ proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, + universal_newlines=True, + kill_after_timeout=kill_after_timeout, + **kwargs) +diff --git a/git/repo/base.py b/git/repo/base.py +index 7713c91..f14f929 100644 +--- a/git/repo/base.py ++++ b/git/repo/base.py +@@ -1072,7 +1072,7 @@ class Repo(object): + multi = None + if multi_options: + multi = shlex.split(' '.join(multi_options)) +- proc = git.clone(multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, ++ proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, + v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) + if progress: + handle_process_output(proc, None, to_progress_instance(progress).new_message_handler(), +@@ -1173,7 +1173,7 @@ class Repo(object): + if not isinstance(path, (tuple, list)): + path = [path] + # end assure paths is list +- self.git.archive(treeish, *path, **kwargs) ++ self.git.archive("--", treeish, *path, **kwargs) + return self + + def has_separate_working_tree(self) -> bool: +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch new file mode 100644 index 0000000000..a017369f37 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch @@ -0,0 +1,488 @@ +From fe9b71628767610a238e47cd46b82d411a7e871a Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Sat, 7 Jan 2023 17:16:57 +0000 +Subject: [PATCH] python3-git: CVE-2022-24439 fix from PR 1521 + +Forbid unsafe protocol URLs in Repo.clone{,_from}() +Since the URL is passed directly to git clone, and the remote-ext helper +will happily execute shell commands, so by default disallow URLs that +contain a "::" unless a new unsafe_protocols kwarg is passed. +(CVE-2022-24439) + +Fixes #1515 + +CVE: CVE-2022-24439 + +Upstream-Status: Backport [https://github.com/gitpython-developers/GitPython/pull/1521] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + git/cmd.py | 51 ++++++++++++++++++++++++-- + git/exc.py | 8 ++++ + git/objects/submodule/base.py | 19 ++++++---- + git/remote.py | 69 +++++++++++++++++++++++++++++++---- + git/repo/base.py | 44 ++++++++++++++++++---- + 5 files changed, 166 insertions(+), 25 deletions(-) + +diff --git a/git/cmd.py b/git/cmd.py +index 4f05698..77026d6 100644 +--- a/git/cmd.py ++++ b/git/cmd.py +@@ -4,6 +4,7 @@ + # This module is part of GitPython and is released under + # the BSD License: http://www.opensource.org/licenses/bsd-license.php + from __future__ import annotations ++import re + from contextlib import contextmanager + import io + import logging +@@ -31,7 +32,9 @@ from git.util import is_cygwin_git, cygpath, expand_path, remove_password_if_pre + + from .exc import ( + GitCommandError, +- GitCommandNotFound ++ GitCommandNotFound, ++ UnsafeOptionError, ++ UnsafeProtocolError + ) + from .util import ( + LazyMixin, +@@ -225,6 +228,8 @@ class Git(LazyMixin): + + _excluded_ = ('cat_file_all', 'cat_file_header', '_version_info') + ++ re_unsafe_protocol = re.compile("(.+)::.+") ++ + def __getstate__(self) -> Dict[str, Any]: + return slots_to_dict(self, exclude=self._excluded_) + +@@ -400,6 +405,44 @@ class Git(LazyMixin): + url = url.replace("\\\\", "\\").replace("\\", "/") + return url + ++ @classmethod ++ def check_unsafe_protocols(cls, url: str) -> None: ++ """ ++ Check for unsafe protocols. ++ Apart from the usual protocols (http, git, ssh), ++ Git allows "remote helpers" that have the form `<transport>::<address>`, ++ one of these helpers (`ext::`) can be used to invoke any arbitrary command. ++ See: ++ - https://git-scm.com/docs/gitremote-helpers ++ - https://git-scm.com/docs/git-remote-ext ++ """ ++ match = cls.re_unsafe_protocol.match(url) ++ if match: ++ protocol = match.group(1) ++ raise UnsafeProtocolError( ++ f"The `{protocol}::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it." ++ ) ++ ++ @classmethod ++ def check_unsafe_options(cls, options: List[str], unsafe_options: List[str]) -> None: ++ """ ++ Check for unsafe options. ++ Some options that are passed to `git <command>` can be used to execute ++ arbitrary commands, this are blocked by default. ++ """ ++ # Options can be of the form `foo` or `--foo bar` `--foo=bar`, ++ # so we need to check if they start with "--foo" or if they are equal to "foo". ++ bare_unsafe_options = [ ++ option.lstrip("-") ++ for option in unsafe_options ++ ] ++ for option in options: ++ for unsafe_option, bare_option in zip(unsafe_options, bare_unsafe_options): ++ if option.startswith(unsafe_option) or option == bare_option: ++ raise UnsafeOptionError( ++ f"{unsafe_option} is not allowed, use `allow_unsafe_options=True` to allow it." ++ ) ++ + class AutoInterrupt(object): + """Kill/Interrupt the stored process instance once this instance goes out of scope. It is + used to prevent processes piling up in case iterators stop reading. +@@ -1068,12 +1111,12 @@ class Git(LazyMixin): + return args + + @classmethod +- def __unpack_args(cls, arg_list: Sequence[str]) -> List[str]: ++ def _unpack_args(cls, arg_list: Sequence[str]) -> List[str]: + + outlist = [] + if isinstance(arg_list, (list, tuple)): + for arg in arg_list: +- outlist.extend(cls.__unpack_args(arg)) ++ outlist.extend(cls._unpack_args(arg)) + else: + outlist.append(str(arg_list)) + +@@ -1154,7 +1197,7 @@ class Git(LazyMixin): + # Prepare the argument list + + opt_args = self.transform_kwargs(**opts_kwargs) +- ext_args = self.__unpack_args([a for a in args if a is not None]) ++ ext_args = self._unpack_args([a for a in args if a is not None]) + + if insert_after_this_arg is None: + args_list = opt_args + ext_args +diff --git a/git/exc.py b/git/exc.py +index e8ff784..5c96db2 100644 +--- a/git/exc.py ++++ b/git/exc.py +@@ -36,6 +36,14 @@ class NoSuchPathError(GitError, OSError): + """ Thrown if a path could not be access by the system. """ + + ++class UnsafeProtocolError(GitError): ++ """Thrown if unsafe protocols are passed without being explicitly allowed.""" ++ ++ ++class UnsafeOptionError(GitError): ++ """Thrown if unsafe options are passed without being explicitly allowed.""" ++ ++ + class CommandError(GitError): + """Base class for exceptions thrown at every stage of `Popen()` execution. + +diff --git a/git/objects/submodule/base.py b/git/objects/submodule/base.py +index f782045..deb224e 100644 +--- a/git/objects/submodule/base.py ++++ b/git/objects/submodule/base.py +@@ -264,7 +264,8 @@ class Submodule(IndexObject, TraversableIterableObj): + # end + + @classmethod +- def _clone_repo(cls, repo: 'Repo', url: str, path: PathLike, name: str, **kwargs: Any) -> 'Repo': ++ def _clone_repo(cls, repo: 'Repo', url: str, path: PathLike, name: str, ++ allow_unsafe_options: bool = False, allow_unsafe_protocols: bool = False,**kwargs: Any) -> 'Repo': + """:return: Repo instance of newly cloned repository + :param repo: our parent repository + :param url: url to clone from +@@ -281,7 +282,8 @@ class Submodule(IndexObject, TraversableIterableObj): + module_checkout_path = osp.join(str(repo.working_tree_dir), path) + # end + +- clone = git.Repo.clone_from(url, module_checkout_path, **kwargs) ++ clone = git.Repo.clone_from(url, module_checkout_path, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, **kwargs) + if cls._need_gitfile_submodules(repo.git): + cls._write_git_file_and_module_config(module_checkout_path, module_abspath) + # end +@@ -338,8 +340,8 @@ class Submodule(IndexObject, TraversableIterableObj): + @classmethod + def add(cls, repo: 'Repo', name: str, path: PathLike, url: Union[str, None] = None, + branch: Union[str, None] = None, no_checkout: bool = False, depth: Union[int, None] = None, +- env: Union[Mapping[str, str], None] = None, clone_multi_options: Union[Sequence[TBD], None] = None +- ) -> 'Submodule': ++ env: Union[Mapping[str, str], None] = None, clone_multi_options: Union[Sequence[TBD], None] = None, ++ allow_unsafe_options: bool = False, allow_unsafe_protocols: bool = False,) -> 'Submodule': + """Add a new submodule to the given repository. This will alter the index + as well as the .gitmodules file, but will not create a new commit. + If the submodule already exists, no matter if the configuration differs +@@ -447,7 +449,8 @@ class Submodule(IndexObject, TraversableIterableObj): + kwargs['multi_options'] = clone_multi_options + + # _clone_repo(cls, repo, url, path, name, **kwargs): +- mrepo = cls._clone_repo(repo, url, path, name, env=env, **kwargs) ++ mrepo = cls._clone_repo(repo, url, path, name, env=env, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, **kwargs) + # END verify url + + ## See #525 for ensuring git urls in config-files valid under Windows. +@@ -484,7 +487,8 @@ class Submodule(IndexObject, TraversableIterableObj): + def update(self, recursive: bool = False, init: bool = True, to_latest_revision: bool = False, + progress: Union['UpdateProgress', None] = None, dry_run: bool = False, + force: bool = False, keep_going: bool = False, env: Union[Mapping[str, str], None] = None, +- clone_multi_options: Union[Sequence[TBD], None] = None) -> 'Submodule': ++ clone_multi_options: Union[Sequence[TBD], None] = None, allow_unsafe_options: bool = False, ++ allow_unsafe_protocols: bool = False) -> 'Submodule': + """Update the repository of this submodule to point to the checkout + we point at with the binsha of this instance. + +@@ -585,7 +589,8 @@ class Submodule(IndexObject, TraversableIterableObj): + (self.url, checkout_module_abspath, self.name)) + if not dry_run: + mrepo = self._clone_repo(self.repo, self.url, self.path, self.name, n=True, env=env, +- multi_options=clone_multi_options) ++ multi_options=clone_multi_options, allow_unsafe_options=allow_unsafe_options, ++ allow_unsafe_protocols=allow_unsafe_protocols) + # END handle dry-run + progress.update(END | CLONE, 0, 1, prefix + "Done cloning to %s" % checkout_module_abspath) + +diff --git a/git/remote.py b/git/remote.py +index 59681bc..cea6b99 100644 +--- a/git/remote.py ++++ b/git/remote.py +@@ -473,6 +473,23 @@ class Remote(LazyMixin, IterableObj): + __slots__ = ("repo", "name", "_config_reader") + _id_attribute_ = "name" + ++ unsafe_git_fetch_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-fetch#Documentation/git-fetch.txt---upload-packltupload-packgt ++ "--upload-pack", ++ ] ++ unsafe_git_pull_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-pull#Documentation/git-pull.txt---upload-packltupload-packgt ++ "--upload-pack" ++ ] ++ unsafe_git_push_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-push#Documentation/git-push.txt---execltgit-receive-packgt ++ "--receive-pack", ++ "--exec", ++ ] ++ + def __init__(self, repo: 'Repo', name: str) -> None: + """Initialize a remote instance + +@@ -549,7 +566,8 @@ class Remote(LazyMixin, IterableObj): + yield Remote(repo, section[lbound + 1:rbound]) + # END for each configuration section + +- def set_url(self, new_url: str, old_url: Optional[str] = None, **kwargs: Any) -> 'Remote': ++ def set_url(self, new_url: str, old_url: Optional[str] = None, ++ allow_unsafe_protocols: bool = False, **kwargs: Any) -> 'Remote': + """Configure URLs on current remote (cf command git remote set_url) + + This command manages URLs on the remote. +@@ -558,15 +576,17 @@ class Remote(LazyMixin, IterableObj): + :param old_url: when set, replaces this URL with new_url for the remote + :return: self + """ ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(new_url) + scmd = 'set-url' + kwargs['insert_kwargs_after'] = scmd + if old_url: +- self.repo.git.remote(scmd, self.name, new_url, old_url, **kwargs) ++ self.repo.git.remote(scmd, "--", self.name, new_url, old_url, **kwargs) + else: +- self.repo.git.remote(scmd, self.name, new_url, **kwargs) ++ self.repo.git.remote(scmd, "--", self.name, new_url, **kwargs) + return self + +- def add_url(self, url: str, **kwargs: Any) -> 'Remote': ++ def add_url(self, url: str, allow_unsafe_protocols: bool = False, **kwargs: Any) -> 'Remote': + """Adds a new url on current remote (special case of git remote set_url) + + This command adds new URLs to a given remote, making it possible to have +@@ -575,7 +595,7 @@ class Remote(LazyMixin, IterableObj): + :param url: string being the URL to add as an extra remote URL + :return: self + """ +- return self.set_url(url, add=True) ++ return self.set_url(url, add=True, allow_unsafe_protocols=allow_unsafe_protocols) + + def delete_url(self, url: str, **kwargs: Any) -> 'Remote': + """Deletes a new url on current remote (special case of git remote set_url) +@@ -667,7 +687,7 @@ class Remote(LazyMixin, IterableObj): + return out_refs + + @ classmethod +- def create(cls, repo: 'Repo', name: str, url: str, **kwargs: Any) -> 'Remote': ++ def create(cls, repo: 'Repo', name: str, url: str, allow_unsafe_protocols: bool = False, *kwargs: Any) -> 'Remote': + """Create a new remote to the given repository + :param repo: Repository instance that is to receive the new remote + :param name: Desired name of the remote +@@ -677,7 +697,10 @@ class Remote(LazyMixin, IterableObj): + :raise GitCommandError: in case an origin with that name already exists""" + scmd = 'add' + kwargs['insert_kwargs_after'] = scmd +- repo.git.remote(scmd, name, Git.polish_url(url), **kwargs) ++ url = Git.polish_url(url) ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(url) ++ repo.git.remote(scmd, "--", name, url, **kwargs) + return cls(repo, name) + + # add is an alias +@@ -840,6 +863,8 @@ class Remote(LazyMixin, IterableObj): + progress: Union[RemoteProgress, None, 'UpdateProgress'] = None, + verbose: bool = True, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[FetchInfo]: + """Fetch the latest changes for this remote + +@@ -881,6 +906,14 @@ class Remote(LazyMixin, IterableObj): + else: + args = [refspec] + ++ if not allow_unsafe_protocols: ++ for ref in args: ++ if ref: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_fetch_options) ++ + proc = self.repo.git.fetch("--", self, *args, as_process=True, with_stdout=False, + universal_newlines=True, v=verbose, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, +@@ -892,6 +925,8 @@ class Remote(LazyMixin, IterableObj): + def pull(self, refspec: Union[str, List[str], None] = None, + progress: Union[RemoteProgress, 'UpdateProgress', None] = None, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[FetchInfo]: + """Pull changes from the given branch, being the same as a fetch followed + by a merge of branch with your local branch. +@@ -905,6 +940,15 @@ class Remote(LazyMixin, IterableObj): + # No argument refspec, then ensure the repo's config has a fetch refspec. + self._assert_refspec() + kwargs = add_progress(kwargs, self.repo.git, progress) ++ ++ refspec = Git._unpack_args(refspec or []) ++ if not allow_unsafe_protocols: ++ for ref in refspec: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_pull_options) ++ + proc = self.repo.git.pull("--", self, refspec, with_stdout=False, as_process=True, + universal_newlines=True, v=True, **kwargs) + res = self._get_fetch_info_from_stderr(proc, progress, +@@ -916,6 +960,8 @@ class Remote(LazyMixin, IterableObj): + def push(self, refspec: Union[str, List[str], None] = None, + progress: Union[RemoteProgress, 'UpdateProgress', Callable[..., RemoteProgress], None] = None, + kill_after_timeout: Union[None, float] = None, ++ allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, + **kwargs: Any) -> IterableList[PushInfo]: + """Push changes from source branch in refspec to target branch in refspec. + +@@ -945,6 +991,15 @@ class Remote(LazyMixin, IterableObj): + If the operation fails completely, the length of the returned IterableList will + be 0.""" + kwargs = add_progress(kwargs, self.repo.git, progress) ++ ++ refspec = Git._unpack_args(refspec or []) ++ if not allow_unsafe_protocols: ++ for ref in refspec: ++ Git.check_unsafe_protocols(ref) ++ ++ if not allow_unsafe_options: ++ Git.check_unsafe_options(options=list(kwargs.keys()), unsafe_options=self.unsafe_git_push_options) ++ + proc = self.repo.git.push("--", self, refspec, porcelain=True, as_process=True, + universal_newlines=True, + kill_after_timeout=kill_after_timeout, +diff --git a/git/repo/base.py b/git/repo/base.py +index f14f929..7b3565b 100644 +--- a/git/repo/base.py ++++ b/git/repo/base.py +@@ -24,7 +24,11 @@ from git.compat import ( + ) + from git.config import GitConfigParser + from git.db import GitCmdObjectDB +-from git.exc import InvalidGitRepositoryError, NoSuchPathError, GitCommandError ++from git.exc import ( ++ GitCommandError, ++ InvalidGitRepositoryError, ++ NoSuchPathError, ++) + from git.index import IndexFile + from git.objects import Submodule, RootModule, Commit + from git.refs import HEAD, Head, Reference, TagReference +@@ -97,6 +101,18 @@ class Repo(object): + re_author_committer_start = re.compile(r'^(author|committer)') + re_tab_full_line = re.compile(r'^\t(.*)$') + ++ unsafe_git_clone_options = [ ++ # This option allows users to execute arbitrary commands. ++ # https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---upload-packltupload-packgt ++ "--upload-pack", ++ "-u", ++ # Users can override configuration variables ++ # like `protocol.allow` or `core.gitProxy` to execute arbitrary commands. ++ # https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---configltkeygtltvaluegt ++ "--config", ++ "-c", ++ ] ++ + # invariants + # represents the configuration level of a configuration file + config_level: ConfigLevels_Tup = ("system", "user", "global", "repository") +@@ -1049,7 +1065,8 @@ class Repo(object): + @ classmethod + def _clone(cls, git: 'Git', url: PathLike, path: PathLike, odb_default_type: Type[GitCmdObjectDB], + progress: Union['RemoteProgress', 'UpdateProgress', Callable[..., 'RemoteProgress'], None] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any ++ multi_options: Optional[List[str]] = None, allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, **kwargs: Any + ) -> 'Repo': + odbt = kwargs.pop('odbt', odb_default_type) + +@@ -1072,6 +1089,12 @@ class Repo(object): + multi = None + if multi_options: + multi = shlex.split(' '.join(multi_options)) ++ ++ if not allow_unsafe_protocols: ++ Git.check_unsafe_protocols(str(url)) ++ if not allow_unsafe_options and multi_options: ++ Git.check_unsafe_options(options=multi_options, unsafe_options=cls.unsafe_git_clone_options) ++ + proc = git.clone("--", multi, Git.polish_url(str(url)), clone_path, with_extended_output=True, as_process=True, + v=True, universal_newlines=True, **add_progress(kwargs, git, progress)) + if progress: +@@ -1107,7 +1130,9 @@ class Repo(object): + return repo + + def clone(self, path: PathLike, progress: Optional[Callable] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any) -> 'Repo': ++ multi_options: Optional[List[str]] = None, unsafe_protocols: bool = False, ++ allow_unsafe_protocols: bool = False, allow_unsafe_options: bool = False, ++ **kwargs: Any) -> 'Repo': + """Create a clone from this repository. + + :param path: is the full path of the new repo (traditionally ends with ./<name>.git). +@@ -1116,18 +1141,21 @@ class Repo(object): + option per list item which is passed exactly as specified to clone. + For example ['--config core.filemode=false', '--config core.ignorecase', + '--recurse-submodule=repo1_path', '--recurse-submodule=repo2_path'] ++ :param unsafe_protocols: Allow unsafe protocols to be used, like ex + :param kwargs: + * odbt = ObjectDatabase Type, allowing to determine the object database + implementation used by the returned Repo instance + * All remaining keyword arguments are given to the git-clone command + + :return: ``git.Repo`` (the newly cloned repo)""" +- return self._clone(self.git, self.common_dir, path, type(self.odb), progress, multi_options, **kwargs) ++ return self._clone(self.git, self.common_dir, path, type(self.odb), progress, multi_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, allow_unsafe_options=allow_unsafe_options, **kwargs) + + @ classmethod + def clone_from(cls, url: PathLike, to_path: PathLike, progress: Optional[Callable] = None, +- env: Optional[Mapping[str, str]] = None, +- multi_options: Optional[List[str]] = None, **kwargs: Any) -> 'Repo': ++ env: Optional[Mapping[str, str]] = None, multi_options: Optional[List[str]] = None, ++ unsafe_protocols: bool = False, allow_unsafe_protocols: bool = False, ++ allow_unsafe_options: bool = False, **kwargs: Any) -> 'Repo': + """Create a clone from the given URL + + :param url: valid git url, see http://www.kernel.org/pub/software/scm/git/docs/git-clone.html#URLS +@@ -1140,12 +1168,14 @@ class Repo(object): + If you want to unset some variable, consider providing empty string + as its value. + :param multi_options: See ``clone`` method ++ :param unsafe_protocols: Allow unsafe protocols to be used, like ext + :param kwargs: see the ``clone`` method + :return: Repo instance pointing to the cloned directory""" + git = cls.GitCommandWrapperType(os.getcwd()) + if env is not None: + git.update_environment(**env) +- return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs) ++ return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, ++ allow_unsafe_protocols=allow_unsafe_protocols, allow_unsafe_options=allow_unsafe_options, **kwargs) + + def archive(self, ostream: Union[TextIO, BinaryIO], treeish: Optional[str] = None, + prefix: Optional[str] = None, **kwargs: Any) -> Repo: +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb b/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb index fb1bae8f8e..1bd1426926 100644 --- a/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb +++ b/poky/meta/recipes-devtools/python/python3-git_3.1.27.bb @@ -12,6 +12,10 @@ PYPI_PACKAGE = "GitPython" inherit pypi python_setuptools_build_meta +SRC_URI += "file://0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch \ + file://0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch \ + " + SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704" DEPENDS += " ${PYTHON_PN}-gitdb" diff --git a/poky/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch b/poky/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch new file mode 100644 index 0000000000..66690e74b4 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch @@ -0,0 +1,119 @@ +From 925760291d6efec64fda6e9dd1fd9cfbd5be068c Mon Sep 17 00:00:00 2001 +From: Mike Bayer <mike_mp@zzzcomputing.com> +Date: Mon, 29 Aug 2022 12:28:52 -0400 +Subject: [PATCH] fix tag regexp to match quoted groups correctly + +Fixed issue in lexer where the regexp used to match tags would not +correctly interpret quoted sections individually. While this parsing issue +still produced the same expected tag structure later on, the mis-handling +of quoted sections was also subject to a regexp crash if a tag had a large +number of quotes within its quoted sections. + +Fixes: #366 +Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0 + +Upstream-Status: Backport [https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c] + +Signed-off-by: <narpat.mali@windriver.com> + +--- + doc/build/unreleased/366.rst | 9 +++++++++ + mako/lexer.py | 12 ++++++++---- + test/test_lexer.py | 21 +++++++++++++++++---- + 3 files changed, 34 insertions(+), 8 deletions(-) + create mode 100644 doc/build/unreleased/366.rst + +--- /dev/null ++++ Mako-1.1.6/doc/build/unreleased/366.rst +@@ -0,0 +1,9 @@ ++.. change:: ++ :tags: bug, lexer ++ :tickets: 366 ++ ++ Fixed issue in lexer where the regexp used to match tags would not ++ correctly interpret quoted sections individually. While this parsing issue ++ still produced the same expected tag structure later on, the mis-handling ++ of quoted sections was also subject to a regexp crash if a tag had a large ++ number of quotes within its quoted sections. +\ No newline at end of file +--- Mako-1.1.6.orig/mako/lexer.py ++++ Mako-1.1.6/mako/lexer.py +@@ -295,20 +295,24 @@ class Lexer(object): + return self.template + + def match_tag_start(self): +- match = self.match( +- r""" ++ reg = r""" + \<% # opening tag + + ([\w\.\:]+) # keyword + +- ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*) # attrname, = \ ++ ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*) # attrname, = \ + # sign, string expression ++ # comma is for backwards compat ++ # identified in #366 + + \s* # more whitespace + + (/)?> # closing + +- """, ++ """ ++ ++ match = self.match( ++ reg, + re.I | re.S | re.X, + ) + +--- Mako-1.1.6.orig/test/test_lexer.py ++++ Mako-1.1.6/test/test_lexer.py +@@ -1,5 +1,7 @@ + import re + ++import pytest ++ + from mako import compat + from mako import exceptions + from mako import parsetree +@@ -146,6 +148,10 @@ class LexerTest(TemplateTest): + """ + self.assertRaises(exceptions.CompileException, Lexer(template).parse) + ++ def test_tag_many_quotes(self): ++ template = "<%0" + '"' * 3000 ++ assert_raises(exceptions.SyntaxException, Lexer(template).parse) ++ + def test_unmatched_tag(self): + template = """ + <%namespace name="bar"> +@@ -432,9 +438,16 @@ class LexerTest(TemplateTest): + ), + ) + +- def test_pagetag(self): +- template = """ +- <%page cached="True", args="a, b"/> ++ @pytest.mark.parametrize("comma,numchars", [(",", 48), ("", 47)]) ++ def test_pagetag(self, comma, numchars): ++ # note that the comma here looks like: ++ # <%page cached="True", args="a, b"/> ++ # that's what this test has looked like for decades, however, the ++ # comma there is not actually the right syntax. When issue #366 ++ # was fixed, the reg was altered to accommodate for this comma to allow ++ # backwards compat ++ template = f""" ++ <%page cached="True"{comma} args="a, b"/> + + some template + """ +@@ -453,7 +466,7 @@ class LexerTest(TemplateTest): + + some template + """, +- (2, 48), ++ (2, numchars), + ), + ], + ), diff --git a/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb b/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb index 71e5d96ba1..4e4f33f5dc 100644 --- a/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb +++ b/poky/meta/recipes-devtools/python/python3-mako_1.1.6.bb @@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f" PYPI_PACKAGE = "Mako" +SRC_URI += "file://CVE-2022-40023.patch" + inherit pypi python_setuptools_build_meta SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2" diff --git a/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb b/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb index 1cb2fb01c0..90a4787c17 100644 --- a/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb +++ b/poky/meta/recipes-devtools/python/python3-pytest_7.1.1.bb @@ -26,7 +26,7 @@ RDEPENDS:${PN}:class-target += " \ ${PYTHON_PN}-py \ ${PYTHON_PN}-setuptools \ ${PYTHON_PN}-six \ - ${PYTHON_PN}-toml \ + ${PYTHON_PN}-tomli \ ${PYTHON_PN}-wcwidth \ " diff --git a/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb b/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb index 8ec9a86f00..c11116a1f4 100644 --- a/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb +++ b/poky/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb @@ -14,9 +14,7 @@ SRC_URI[sha256sum] = "a0adb9b503c0ffc4e8fe80b7c617898cefa78049983aaaea7f747e153a inherit cargo pypi python_setuptools_build_meta native -DEPENDS += "python3-setuptools-scm-native python3-wheel-native" - -RDEPENDS:${PN}:class-native += " \ +DEPENDS += " \ python3-semantic-version-native \ python3-setuptools-native \ python3-setuptools-scm-native \ diff --git a/poky/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/poky/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch @@ -0,0 +1,31 @@ +From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 9 Jan 2023 14:45:05 +0000 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + setuptools/package_index.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 270e7f3..e93fcc6 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index f2810e18d3..5f2676a04a 100644 --- a/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/poky/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb @@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e SRC_URI += "\ file://0001-change-shebang-to-python3.patch \ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ + file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" diff --git a/poky/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/poky/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch new file mode 100644 index 0000000000..bdaae7dd10 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch @@ -0,0 +1,32 @@ +From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 11 Jan 2023 07:45:57 +0000 +Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE + +CVE: CVE-2022-40898 + +Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + src/wheel/wheelfile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 21e7361..ff06edf 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -27,8 +27,8 @@ else: + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))? +- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""", ++ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))? ++ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""", + re.VERBOSE) + + +-- +2.32.0 + diff --git a/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb index 2f7dd122ba..3ee03ddd36 100644 --- a/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb +++ b/poky/meta/recipes-devtools/python/python3-wheel_0.37.1.bb @@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495 inherit python_flit_core pypi -SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch" +SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \ + file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \ + " BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch b/poky/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch deleted file mode 100644 index 6a58c35cc6..0000000000 --- a/poky/meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 178a238f25ab8aff7689d7a09d66dc1583ecd6cb Mon Sep 17 00:00:00 2001 -From: "Miss Islington (bot)" - <31488909+miss-islington@users.noreply.github.com> -Date: Wed, 4 May 2022 03:23:29 -0700 -Subject: [PATCH 01/40] gh-92036: Fix gc_fini_untrack() (GH-92037) - -Fix a crash in subinterpreters related to the garbage collector. When -a subinterpreter is deleted, untrack all objects tracked by its GC. -To prevent a crash in deallocator functions expecting objects to be -tracked by the GC, leak a strong reference to these objects on -purpose, so they are never deleted and their deallocator functions -are not called. -(cherry picked from commit 14243369b5f80613628a565c224bba7fb3fcacd8) - -Co-authored-by: Victor Stinner <vstinner@python.org> - -Upstream-Status: Backport ---- - .../2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst | 5 +++++ - Modules/gcmodule.c | 6 ++++++ - 2 files changed, 11 insertions(+) - create mode 100644 Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst - -diff --git a/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst -new file mode 100644 -index 0000000000..78094c5e4f ---- /dev/null -+++ b/Misc/NEWS.d/next/Core and Builtins/2022-04-28-23-37-30.gh-issue-92036.GZJAC9.rst -@@ -0,0 +1,5 @@ -+Fix a crash in subinterpreters related to the garbage collector. When a -+subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a -+crash in deallocator functions expecting objects to be tracked by the GC, leak -+a strong reference to these objects on purpose, so they are never deleted and -+their deallocator functions are not called. Patch by Victor Stinner. -diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c -index 805a159d53..43ae6fa98b 100644 ---- a/Modules/gcmodule.c -+++ b/Modules/gcmodule.c -@@ -2170,6 +2170,12 @@ gc_fini_untrack(PyGC_Head *list) - for (gc = GC_NEXT(list); gc != list; gc = GC_NEXT(list)) { - PyObject *op = FROM_GC(gc); - _PyObject_GC_UNTRACK(op); -+ // gh-92036: If a deallocator function expect the object to be tracked -+ // by the GC (ex: func_dealloc()), it can crash if called on an object -+ // which is no longer tracked by the GC. Leak one strong reference on -+ // purpose so the object is never deleted and its deallocator is not -+ // called. -+ Py_INCREF(op); - } - } - --- -2.25.1 - diff --git a/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch index 0ead57e465..8c554feb4b 100644 --- a/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch +++ b/poky/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch @@ -12,16 +12,18 @@ Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Alejandro Hernandez Samaniego <alejandro@enedino.org> +Refresh for 3.10.7: +Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- setup.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/setup.py b/setup.py -index 2be4738..62f0e18 100644 +index 85a2b26357..7605347bf5 100644 --- a/setup.py +++ b/setup.py -@@ -517,6 +517,14 @@ class PyBuildExt(build_ext): +@@ -517,6 +517,14 @@ def print_three_column(lst): print("%-*s %-*s %-*s" % (longest, e, longest, f, longest, g)) @@ -35,4 +37,4 @@ index 2be4738..62f0e18 100644 + if self.missing: print() - print("Python build finished successfully!") + print("The necessary bits to build these optional modules were not " diff --git a/poky/meta/recipes-devtools/python/python3/cve-2023-24329.patch b/poky/meta/recipes-devtools/python/python3/cve-2023-24329.patch new file mode 100644 index 0000000000..d47425d239 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python3/cve-2023-24329.patch @@ -0,0 +1,50 @@ +From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sun, 13 Nov 2022 11:00:25 -0800 +Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme + must begin with an alphabetical ASCII character. (GH-99421) + +Prevent urllib.parse.urlparse from accepting schemes that don't begin with an alphabetical ASCII character. + +RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )` +RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A` + +The WHATWG URL spec defines a scheme like this: +`"A URL-scheme string must be one ASCII alpha, followed by zero or more of ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."` +(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7) + +Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com> +--- end original header --- + +CVE: CVE-2023-24329 + +Upstream-Status: Backport [see below] + +Taken from https://github.com/python/cpython.git +commit 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 + +CVE fix extracted; test case and update to NEWS abandoned. +Defuzzed. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + Lib/urllib/parse.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 26ddf30..1c53acb 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -469,7 +469,7 @@ def urlsplit(url, scheme='', allow_fragments=True): + clear_cache() + netloc = query = fragment = '' + i = url.find(':') +- if i > 0: ++ if i > 0 and url[0].isascii() and url[0].isalpha(): + for c in url[:i]: + if c not in scheme_chars: + break +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py index 1f4c982aed..0ca687d2eb 100644 --- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py +++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py @@ -56,7 +56,7 @@ if debug == True: try: m = importlib.import_module(current_module) # handle python packages which may not include all modules in the __init__ - if os.path.basename(m.__file__) == "__init__.py": + if hasattr(m, '__file__') and os.path.basename(m.__file__) == "__init__.py": modulepath = os.path.dirname(m.__file__) for i in os.listdir(modulepath): if i.startswith("_") or not(i.endswith(".py")): diff --git a/poky/meta/recipes-devtools/python/python3_3.10.4.bb b/poky/meta/recipes-devtools/python/python3_3.10.9.bb index 34fd2895a3..867958c0fb 100644 --- a/poky/meta/recipes-devtools/python/python3_3.10.4.bb +++ b/poky/meta/recipes-devtools/python/python3_3.10.9.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly LICENSE = "PSF-2.0" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766" +LIC_FILES_CHKSUM = "file://LICENSE;md5=a1822df8d0f068628ca6090aedc5bfc8" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -35,7 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ - file://0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch \ + file://cve-2023-24329.patch \ " SRC_URI:append:class-native = " \ @@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "80bf925f571da436b35210886cf79f6eb5fa5d6c571316b73568343451f77a19" +SRC_URI[sha256sum] = "5ae03e308260164baba39921fdb4dbf8e6d03d8235a939d4582b33f0b5e46a83" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" diff --git a/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb b/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb index aa9e499c77..e297586bbb 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5 SRC_URI = "\ file://tunctl.c \ - file://qemu-oe-bridge-helper \ + file://qemu-oe-bridge-helper.c \ " S = "${WORKDIR}" @@ -16,13 +16,13 @@ inherit native do_compile() { ${CC} ${CFLAGS} ${LDFLAGS} -Wall tunctl.c -o tunctl + ${CC} ${CFLAGS} ${LDFLAGS} -Wall qemu-oe-bridge-helper.c -o qemu-oe-bridge-helper } do_install() { install -d ${D}${bindir} install tunctl ${D}${bindir}/ - - install -m 755 ${WORKDIR}/qemu-oe-bridge-helper ${D}${bindir}/ + install qemu-oe-bridge-helper ${D}${bindir}/ } DEPENDS += "qemu-system-native" diff --git a/poky/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper b/poky/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper deleted file mode 100755 index f057d4eef0..0000000000 --- a/poky/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper +++ /dev/null @@ -1,25 +0,0 @@ -#! /bin/sh -# Copyright 2020 Garmin Ltd. or its subsidiaries -# -# SPDX-License-Identifier: GPL-2.0 -# -# Attempts to find and exec the host qemu-bridge-helper program - -# If the QEMU_BRIDGE_HELPER variable is set by the user, exec it. -if [ -n "$QEMU_BRIDGE_HELPER" ]; then - exec "$QEMU_BRIDGE_HELPER" "$@" -fi - -# Search common paths for the helper program -BN="qemu-bridge-helper" -PATHS="/usr/libexec/ /usr/lib/qemu/" - -for p in $PATHS; do - if [ -e "$p/$BN" ]; then - exec "$p/$BN" "$@" - fi -done - -echo "$BN not found!" > /dev/stderr -exit 1 - diff --git a/poky/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper.c b/poky/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper.c new file mode 100644 index 0000000000..9434e1d269 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper.c @@ -0,0 +1,34 @@ +/* + * Copyright 2022 Garmin Ltd. or its subsidiaries + * + * SPDX-License-Identifier: GPL-2.0 + * + * Attempts to find and exec the host qemu-bridge-helper program + */ + +#include <stdio.h> +#include <unistd.h> +#include <stdlib.h> + +void try_program(char const* path, char** args) { + if (access(path, X_OK) == 0) { + execv(path, args); + } +} + +int main(int argc, char** argv) { + char* var; + + var = getenv("QEMU_BRIDGE_HELPER"); + if (var && var[0] != '\0') { + execvp(var, argv); + return 1; + } + + try_program("/usr/libexec/qemu-bridge-helper", argv); + try_program("/usr/lib/qemu/qemu-bridge-helper", argv); + + fprintf(stderr, "No bridge helper found\n"); + return 1; +} + diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index a493ac8add..a6ee958e4b 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -13,7 +13,6 @@ inherit pkgconfig ptest python3-dir LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f" - SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://powerpc_rom.bin \ file://run-ptest \ @@ -36,13 +35,64 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-4206.patch \ file://CVE-2021-4207.patch \ file://CVE-2022-35414.patch \ - file://CVE-2021-3507_1.patch \ - file://CVE-2021-3507_2.patch \ file://CVE-2021-3929.patch \ file://CVE-2021-4158.patch \ file://CVE-2022-0358.patch \ file://CVE-2022-0216_1.patch \ file://CVE-2022-0216_2.patch \ + file://CVE-2021-3750-1.patch \ + file://CVE-2021-3750-2.patch \ + file://CVE-2021-3750-3.patch \ + file://0001-use-uint32t-for-reply-queue-head-tail-values.patch \ + file://0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch \ + file://0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch \ + file://0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch \ + file://0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch \ + file://0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch \ + file://0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch \ + file://0008_have_dma_buf_rw_function_take_a_void_pointer.patch \ + file://0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch \ + file://0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch \ + file://0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch \ + file://0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch \ + file://0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch \ + file://0014_let_dma_buf_rw_function_propagate_MemTxResult.patch \ + file://0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch \ + file://0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch \ + file://0017_let_st_pointer_dma_function_propagate_MemTxResult.patch \ + file://0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch \ + file://0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \ + file://0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \ + file://0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch \ + file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \ + file://CVE-2021-3611_1.patch \ + file://CVE-2021-3611_2.patch \ + file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \ + file://0001-softfloat-Extend-float_exception_flags-to-16-bits.patch \ + file://0002-softfloat-Add-flag-specific-to-Inf-Inf.patch \ + file://0003-softfloat-Add-flag-specific-to-Inf-0.patch \ + file://0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch \ + file://0005-softfloat-Add-flag-specific-to-signaling-nans.patch \ + file://0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch \ + file://0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch \ + file://0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch \ + file://0009-target-ppc-Update-fmadd-for-new-flags.patch \ + file://0010-target-ppc-Split-out-do_fmadd.patch \ + file://0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch \ + file://0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch \ + file://0013-target-ppc-fix-xscvqpdp-register-access.patch \ + file://0014-target-ppc-move-xscvqpdp-to-decodetree.patch \ + file://0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch \ + file://0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch \ + file://0017-target-ppc-Implement-Vector-Expand-Mask.patch \ + file://0018-target-ppc-Implement-Vector-Extract-Mask.patch \ + file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \ + file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \ + file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \ + file://CVE-2022-3165.patch \ + file://CVE-2022-4144.patch \ + file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \ + file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" @@ -161,6 +211,7 @@ PACKAGECONFIG:remove:mingw32 = "kvm virglrenderer epoxy gtk+" PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2" PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr," PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," +PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburing" PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest" PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," @@ -212,6 +263,7 @@ PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma" PACKAGECONFIG[vde] = "--enable-vde,--disable-vde" PACKAGECONFIG[slirp] = "--enable-slirp=internal,--disable-slirp" PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi" +PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack," INSANE_SKIP:${PN} = "arch" diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch new file mode 100644 index 0000000000..cd846222c9 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch @@ -0,0 +1,57 @@ +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 61c34fc194b776ecadc39fb26b061331107e5599 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:37 +0100 +Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no + log_cmd handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only 3 command types are logged: no need to call qxl_phys2virt() +for the other types. Using different cases will help to pass +different structure sizes to qxl_phys2virt() in a pair of commits. + +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-2-philmd@linaro.org> +--- + hw/display/qxl-logger.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 68bfa47568..1bcf803db6 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_name(qxl_type, ext->cmd.type), + compat ? "(compat)" : ""); + ++ switch (ext->cmd.type) { ++ case QXL_CMD_DRAW: ++ break; ++ case QXL_CMD_SURFACE: ++ break; ++ case QXL_CMD_CURSOR: ++ break; ++ default: ++ goto out; ++ } + data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); + if (!data) { + return 1; +@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_log_cmd_cursor(qxl, data, ext->group_id); + break; + } ++out: + fprintf(stderr, "\n"); + return 0; + } +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch new file mode 100644 index 0000000000..ac51cf567a --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch @@ -0,0 +1,217 @@ +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/8efec0e] + +Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch: + +../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': +../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'? + 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + | ^~~~ + | gsize +../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is reported only once for each function it appears in + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:39 +0100 +Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently qxl_phys2virt() doesn't check for buffer overrun. +In order to do so in the next commit, pass the buffer size +as argument. + +For QXLCursor in qxl_render_cursor() -> qxl_cursor() we +verify the size of the chunked data ahead, checking we can +access 'sizeof(QXLCursor) + chunk->data_size' bytes. +Since in the SPICE_CURSOR_TYPE_MONO case the cursor is +assumed to fit in one chunk, no change are required. +In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in +qxl_unpack_chunks(). + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Acked-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-4-philmd@linaro.org> +--- + hw/display/qxl-logger.c | 11 ++++++++--- + hw/display/qxl-render.c | 20 ++++++++++++++++---- + hw/display/qxl.c | 14 +++++++++----- + hw/display/qxl.h | 3 ++- + 4 files changed, 35 insertions(+), 13 deletions(-) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 1bcf803..35c38f6 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id) + QXLImage *image; + QXLImageDescriptor *desc; + +- image = qxl_phys2virt(qxl, addr, group_id); ++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage)); + if (!image) { + return 1; + } +@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id) + cmd->u.set.position.y, + cmd->u.set.visible ? "yes" : "no", + cmd->u.set.shape); +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id); ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id, ++ sizeof(QXLCursor)); + if (!cursor) { + return 1; + } +@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + { + bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT; + void *data; ++ size_t datasz; + int ret; + + if (!qxl->cmdlog) { +@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + + switch (ext->cmd.type) { + case QXL_CMD_DRAW: ++ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable); + break; + case QXL_CMD_SURFACE: ++ datasz = sizeof(QXLSurfaceCmd); + break; + case QXL_CMD_CURSOR: ++ datasz = sizeof(QXLCursorCmd); + break; + default: + goto out; + } +- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz); + if (!data) { + return 1; + } +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index ca21700..fcfd40c 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl) + qxl->guest_primary.resized = 0; + qxl->guest_primary.data = qxl_phys2virt(qxl, + qxl->guest_primary.surface.mem, +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, ++ qxl->guest_primary.abs_stride ++ * height); + if (!qxl->guest_primary.data) { + goto end; + } +@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl, + if (offset == size) { + return; + } +- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); ++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, ++ sizeof(QXLDataChunk) + chunk->data_size); + if (!chunk) { + return; + } +@@ -295,7 +298,8 @@ fail: + /* called from spice server thread context only */ + int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + QXLCursor *cursor; + QEMUCursor *c; + +@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + } + switch (cmd->type) { + case QXL_CURSOR_SET: +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id); ++ /* First read the QXLCursor to get QXLDataChunk::data_size ... */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor)); ++ if (!cursor) { ++ return 1; ++ } ++ /* Then read including the chunked data following QXLCursor. */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor) + cursor->chunk.data_size); + if (!cursor) { + return 1; + } +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index ae8aa07..2a4b2d4 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay) + QXL_IO_MONITORS_CONFIG_ASYNC)); + } + +- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST); ++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST, ++ sizeof(QXLMonitorsConfig)); + if (cfg != NULL && cfg->count == 1) { + qxl->guest_primary.resized = 1; + qxl->guest_head0_width = cfg->heads[0].width; +@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + switch (le32_to_cpu(ext->cmd.type)) { + case QXL_CMD_SURFACE: + { +- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLSurfaceCmd)); + + if (!cmd) { + return 1; +@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + } + case QXL_CMD_CURSOR: + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + + if (!cmd) { + return 1; +@@ -1463,7 +1466,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + } + + /* can be also called from spice server thread context */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, ++ size_t size) + { + uint64_t offset; + uint32_t slot; +@@ -1971,7 +1975,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl) + } + + cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i], +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd)); + assert(cmd); + assert(cmd->type == QXL_SURFACE_CMD_CREATE); + qxl_dirty_one_surface(qxl, cmd->u.surface_create.data, +diff --git a/hw/display/qxl.h b/hw/display/qxl.h +index 30d21f4..4551c23 100644 +--- a/hw/display/qxl.h ++++ b/hw/display/qxl.h +@@ -147,7 +147,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL) + #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1) + + /* qxl.c */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id, ++ size_t size); + void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) + GCC_FMT_ATTR(2, 3); + +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch new file mode 100644 index 0000000000..6c85a77ba7 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch @@ -0,0 +1,64 @@ +CVE: CVE-2022-2962 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma <zheyuma97@gmail.com> +Date: Sun, 21 Aug 2022 20:43:43 +0800 +Subject: [PATCH] net: tulip: Restrict DMA engine to memories + +The DMA engine is started by I/O access and then itself accesses the +I/O registers, triggering a reentrancy bug. + +The following log can reveal it: +==5637==ERROR: AddressSanitizer: stack-overflow + #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673 + #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5 + #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18 + #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c + #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23 + #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12 + #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18 + #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12 + #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12 + #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12 + #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1 + #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1 + #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9 + #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9 + #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + +Fix this bug by restricting the DMA engine to memories regions. + +Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/tulip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 097e905bec..b9e42c322a 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); +@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + stl_be_pci_dma(&s->dev, p, desc->status, attrs); +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch new file mode 100644 index 0000000000..e9c47f6901 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch @@ -0,0 +1,75 @@ +From 0bec1ded33a857f59cf5f3ceca2f72694256e710 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 01/21] softfloat: Extend float_exception_flags to 16 bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will shortly have more than 8 bits of exceptions. +Repack the existing flags into low bits and reformat to hex. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=149a48f6e6ccedfa01307d45884aa480f5bf77c5] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Message-Id: <20211119160502.17432-2-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + include/fpu/softfloat-types.h | 16 ++++++++-------- + include/fpu/softfloat.h | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 5bcbd041f7..65a43aff59 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -145,13 +145,13 @@ typedef enum __attribute__((__packed__)) { + */ + + enum { +- float_flag_invalid = 1, +- float_flag_divbyzero = 4, +- float_flag_overflow = 8, +- float_flag_underflow = 16, +- float_flag_inexact = 32, +- float_flag_input_denormal = 64, +- float_flag_output_denormal = 128 ++ float_flag_invalid = 0x0001, ++ float_flag_divbyzero = 0x0002, ++ float_flag_overflow = 0x0004, ++ float_flag_underflow = 0x0008, ++ float_flag_inexact = 0x0010, ++ float_flag_input_denormal = 0x0020, ++ float_flag_output_denormal = 0x0040, + }; + + /* +@@ -171,8 +171,8 @@ typedef enum __attribute__((__packed__)) { + */ + + typedef struct float_status { ++ uint16_t float_exception_flags; + FloatRoundMode float_rounding_mode; +- uint8_t float_exception_flags; + FloatX80RoundPrec floatx80_rounding_precision; + bool tininess_before_rounding; + /* should denormalised results go to zero and set the inexact flag? */ +diff --git a/include/fpu/softfloat.h b/include/fpu/softfloat.h +index a249991e61..0d3b407807 100644 +--- a/include/fpu/softfloat.h ++++ b/include/fpu/softfloat.h +@@ -100,7 +100,7 @@ typedef enum { + | Routine to raise any or all of the software IEC/IEEE floating-point + | exception flags. + *----------------------------------------------------------------------------*/ +-static inline void float_raise(uint8_t flags, float_status *status) ++static inline void float_raise(uint16_t flags, float_status *status) + { + status->float_exception_flags |= flags; + } +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch new file mode 100644 index 0000000000..37e122f781 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch @@ -0,0 +1,83 @@ +From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:43:05 +0100 +Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While the reply queue values fit in 16-bit, they are accessed +as 32-bit: + + 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); + 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES; + 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); + 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + +Having: + + 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */ + +In order to update the ld/st*_pci_dma() API to pass the address +of the value to access, it is simpler to have the head/tail declared +as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in +the MegasasState structure. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997] + +Acked-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-20-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/scsi/megasas.c | 4 ++-- + hw/scsi/trace-events | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 8f35784..14ec6d6 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -109,8 +109,8 @@ struct MegasasState { + uint64_t reply_queue_pa; + void *reply_queue; + uint16_t reply_queue_len; +- uint16_t reply_queue_head; +- uint16_t reply_queue_tail; ++ uint32_t reply_queue_head; ++ uint32_t reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 92d5b40..ae8551f 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_ + + # megasas.c + megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " " +-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x" ++megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x" + megasas_initq_map_failed(int frame) "scmd %d: failed to map queue" + megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64 + megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d" + megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x" + megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64 + megasas_qf_busy(unsigned long pa) "all frames busy for frame 0x%lx" +-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" +-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d" ++megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" ++megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu" + megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " " +-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" ++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy" + megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x" + megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu" +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch b/poky/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch new file mode 100644 index 0000000000..2713ff370d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch @@ -0,0 +1,59 @@ +From 9b0737858b2b68c3a4d1e0611f2732679c997c6d Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 02/21] softfloat: Add flag specific to Inf - Inf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ba11446c40903b9d97fb75a078d43fee6444d3b6] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-3-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 3 ++- + include/fpu/softfloat-types.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index 41d4b17e41..eb2b475ca4 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -354,7 +354,7 @@ static FloatPartsN *partsN(addsub)(FloatPartsN *a, FloatPartsN *b, + return a; + } + /* Inf - Inf */ +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_isi, s); + parts_default_nan(a, s); + return a; + } +@@ -494,6 +494,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + + if (ab_mask & float_cmask_inf) { + if (c->cls == float_class_inf && a->sign != c->sign) { ++ float_raise(float_flag_invalid | float_flag_invalid_isi, s); + goto d_nan; + } + goto return_inf; +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 65a43aff59..eaa12e1e00 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -152,6 +152,7 @@ enum { + float_flag_inexact = 0x0010, + float_flag_input_denormal = 0x0020, + float_flag_output_denormal = 0x0040, ++ float_flag_invalid_isi = 0x0080, /* inf - inf */ + }; + + /* +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..04a655315f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,60 @@ +From 7ccb391ccd594b3f33de8deb293ff8d47bb4e219 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 09:28:49 +0200 +Subject: [PATCH] dma: Let dma_memory_valid() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_valid(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-2-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/hw/ppc/spapr_vio.h | 2 +- + include/sysemu/dma.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4bea87f..4c45f15 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -91,7 +91,7 @@ static inline void spapr_vio_irq_pulse(SpaprVioDevice *dev) + static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + uint32_t size, DMADirection dir) + { +- return dma_memory_valid(&dev->as, taddr, size, dir); ++ return dma_memory_valid(&dev->as, taddr, size, dir, MEMTXATTRS_UNSPECIFIED); + } + + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3201e79..296f3b5 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -73,11 +73,11 @@ static inline void dma_barrier(AddressSpace *as, DMADirection dir) + * dma_memory_{read,write}() and check for errors */ + static inline bool dma_memory_valid(AddressSpace *as, + dma_addr_t addr, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return address_space_access_valid(as, addr, len, + dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + } + + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch new file mode 100644 index 0000000000..1b21e3cfeb --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch @@ -0,0 +1,126 @@ +From 613f373f0b652ab2fb2572633e7a23807096790b Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 03/21] softfloat: Add flag specific to Inf * 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=bead3c9b0ff8efd652afb27923d8ab4458b3bbd9] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-4-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 4 ++-- + fpu/softfloat-specialize.c.inc | 12 ++++++------ + include/fpu/softfloat-types.h | 1 + + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index eb2b475ca4..3ed793347b 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -423,7 +423,7 @@ static FloatPartsN *partsN(mul)(FloatPartsN *a, FloatPartsN *b, + + /* Inf * Zero == NaN */ + if (unlikely(ab_mask == float_cmask_infzero)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, s); + parts_default_nan(a, s); + return a; + } +@@ -489,6 +489,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + + if (unlikely(ab_mask != float_cmask_normal)) { + if (unlikely(ab_mask == float_cmask_infzero)) { ++ float_raise(float_flag_invalid | float_flag_invalid_imz, s); + goto d_nan; + } + +@@ -567,7 +568,6 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + goto finish_sign; + + d_nan: +- float_raise(float_flag_invalid, s); + parts_default_nan(a, s); + return a; + } +diff --git a/fpu/softfloat-specialize.c.inc b/fpu/softfloat-specialize.c.inc +index f2ad0f335e..943e3301d2 100644 +--- a/fpu/softfloat-specialize.c.inc ++++ b/fpu/softfloat-specialize.c.inc +@@ -506,7 +506,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * the default NaN + */ + if (infzero && is_qnan(c_cls)) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 3; + } + +@@ -533,7 +533,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * case sets InvalidOp and returns the default NaN + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 3; + } + /* Prefer sNaN over qNaN, in the a, b, c order. */ +@@ -556,7 +556,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * case sets InvalidOp and returns the input value 'c' + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + /* Prefer sNaN over qNaN, in the c, a, b order. */ +@@ -580,7 +580,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * a default NaN + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + +@@ -597,7 +597,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + #elif defined(TARGET_RISCV) + /* For RISC-V, InvalidOp is set when multiplicands are Inf and zero */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + } + return 3; /* default NaN */ + #elif defined(TARGET_XTENSA) +@@ -606,7 +606,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * an input NaN if we have one (ie c). + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + if (status->use_first_nan) { +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index eaa12e1e00..56b4cf7835 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -153,6 +153,7 @@ enum { + float_flag_input_denormal = 0x0020, + float_flag_output_denormal = 0x0040, + float_flag_invalid_isi = 0x0080, /* inf - inf */ ++ float_flag_invalid_imz = 0x0100, /* inf * 0 */ + }; + + /* +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..f13707a407 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,98 @@ +From 7a36e42d9114474278ce30ba36945cc62292eb60 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 10:28:32 +0200 +Subject: [PATCH] dma: Let dma_memory_set() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_set(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-3-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/nvram/fw_cfg.c | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 3 ++- + softmmu/dma-helpers.c | 5 ++--- + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c06b30d..f7803fe 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -399,7 +399,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + * tested before. + */ + if (read) { +- if (dma_memory_set(s->dma_as, dma.address, 0, len)) { ++ if (dma_memory_set(s->dma_as, dma.address, 0, len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4c45f15..c90e74a 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -111,7 +111,8 @@ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + uint8_t c, uint32_t size) + { +- return (dma_memory_set(&dev->as, taddr, c, size) != 0) ? ++ return (dma_memory_set(&dev->as, taddr, ++ c, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 296f3b5..d23516f 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -175,9 +175,10 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @c: constant byte to fill the memory + * @len: the number of bytes to fill with the constant byte ++ * @attrs: memory transaction attributes + */ + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len); ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs); + + /** + * address_space_map: Map a physical memory region into a host virtual address. +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7d766a5..1f07217 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -19,7 +19,7 @@ + /* #define DEBUG_IOMMU */ + + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len) ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs) + { + dma_barrier(as, DMA_DIRECTION_FROM_DEVICE); + +@@ -31,8 +31,7 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + memset(fillbuf, c, FILLBUF_SIZE); + while (len > 0) { + l = len < FILLBUF_SIZE ? len : FILLBUF_SIZE; +- error |= address_space_write(as, addr, MEMTXATTRS_UNSPECIFIED, +- fillbuf, l); ++ error |= address_space_write(as, addr, attrs, fillbuf, l); + len -= l; + addr += l; + } +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch new file mode 100644 index 0000000000..c5377fbe70 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch @@ -0,0 +1,73 @@ +From 52f1760d2d65e1a61028cb9d8610c8a38aa44cfc Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 04/21] softfloat: Add flags specific to Inf / Inf and 0 / 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has these flags, and it's easier to compute them here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=10cc964030fca459591d9353571f3b1b4e1b5aec] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-5-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 16 +++++++++++----- + include/fpu/softfloat-types.h | 2 ++ + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index 3ed793347b..b8563cd2df 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -590,11 +590,13 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b, + } + + /* 0/0 or Inf/Inf => NaN */ +- if (unlikely(ab_mask == float_cmask_zero) || +- unlikely(ab_mask == float_cmask_inf)) { +- float_raise(float_flag_invalid, s); +- parts_default_nan(a, s); +- return a; ++ if (unlikely(ab_mask == float_cmask_zero)) { ++ float_raise(float_flag_invalid | float_flag_invalid_zdz, s); ++ goto d_nan; ++ } ++ if (unlikely(ab_mask == float_cmask_inf)) { ++ float_raise(float_flag_invalid | float_flag_invalid_idi, s); ++ goto d_nan; + } + + /* All the NaN cases */ +@@ -625,6 +627,10 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b, + float_raise(float_flag_divbyzero, s); + a->cls = float_class_inf; + return a; ++ ++ d_nan: ++ parts_default_nan(a, s); ++ return a; + } + + /* +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 56b4cf7835..5a9671e564 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -154,6 +154,8 @@ enum { + float_flag_output_denormal = 0x0040, + float_flag_invalid_isi = 0x0080, /* inf - inf */ + float_flag_invalid_imz = 0x0100, /* inf * 0 */ ++ float_flag_invalid_idi = 0x0200, /* inf / inf */ ++ float_flag_invalid_zdz = 0x0400, /* 0 / 0 */ + }; + + /* +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..cacb12909c --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,78 @@ +From 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 09:30:10 +0200 +Subject: [PATCH] dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +We will add the MemTxAttrs argument to dma_memory_rw() in +the next commit. Since dma_memory_rw_relaxed() is only used +by dma_memory_rw(), modify it first in a separate commit to +keep the next commit easier to review. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-4-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/sysemu/dma.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d23516f..3be803c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -83,9 +83,10 @@ static inline bool dma_memory_valid(AddressSpace *as, + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, ++ MemTxAttrs attrs) + { +- return address_space_rw(as, addr, MEMTXATTRS_UNSPECIFIED, ++ return address_space_rw(as, addr, attrs, + buf, len, dir == DMA_DIRECTION_FROM_DEVICE); + } + +@@ -93,7 +94,9 @@ static inline MemTxResult dma_memory_read_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw_relaxed(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw_relaxed(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, +@@ -102,7 +105,8 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + dma_addr_t len) + { + return dma_memory_rw_relaxed(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -124,7 +128,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch b/poky/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch new file mode 100644 index 0000000000..e4ecb496ae --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch @@ -0,0 +1,121 @@ +From 6bc0b2cffab0ee280ae9730262f162f25c16f6c2 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 05/21] softfloat: Add flag specific to signaling nans +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e706d4455b8d54252b11fc504c56df060151cb89] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-8-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 18 ++++++++++++------ + fpu/softfloat.c | 4 +++- + include/fpu/softfloat-types.h | 1 + + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index b8563cd2df..9518f3dc61 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -19,7 +19,7 @@ static void partsN(return_nan)(FloatPartsN *a, float_status *s) + { + switch (a->cls) { + case float_class_snan: +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + if (s->default_nan_mode) { + parts_default_nan(a, s); + } else { +@@ -40,7 +40,7 @@ static FloatPartsN *partsN(pick_nan)(FloatPartsN *a, FloatPartsN *b, + float_status *s) + { + if (is_snan(a->cls) || is_snan(b->cls)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + } + + if (s->default_nan_mode) { +@@ -68,7 +68,7 @@ static FloatPartsN *partsN(pick_nan_muladd)(FloatPartsN *a, FloatPartsN *b, + int which; + + if (unlikely(abc_mask & float_cmask_snan)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + } + + which = pickNaNMulAdd(a->cls, b->cls, c->cls, +@@ -1049,8 +1049,10 @@ static int64_t partsN(float_to_sint)(FloatPartsN *p, FloatRoundMode rmode, + + switch (p->cls) { + case float_class_snan: ++ flags |= float_flag_invalid_snan; ++ /* fall through */ + case float_class_qnan: +- flags = float_flag_invalid; ++ flags |= float_flag_invalid; + r = max; + break; + +@@ -1114,8 +1116,10 @@ static uint64_t partsN(float_to_uint)(FloatPartsN *p, FloatRoundMode rmode, + + switch (p->cls) { + case float_class_snan: ++ flags |= float_flag_invalid_snan; ++ /* fall through */ + case float_class_qnan: +- flags = float_flag_invalid; ++ flags |= float_flag_invalid; + r = max; + break; + +@@ -1341,7 +1345,9 @@ static FloatRelation partsN(compare)(FloatPartsN *a, FloatPartsN *b, + } + + if (unlikely(ab_mask & float_cmask_anynan)) { +- if (!is_quiet || (ab_mask & float_cmask_snan)) { ++ if (ab_mask & float_cmask_snan) { ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); ++ } else if (!is_quiet) { + float_raise(float_flag_invalid, s); + } + return float_relation_unordered; +diff --git a/fpu/softfloat.c b/fpu/softfloat.c +index 9a28720d82..834ed3a054 100644 +--- a/fpu/softfloat.c ++++ b/fpu/softfloat.c +@@ -2543,8 +2543,10 @@ floatx80 floatx80_mod(floatx80 a, floatx80 b, float_status *status) + static void parts_float_to_ahp(FloatParts64 *a, float_status *s) + { + switch (a->cls) { +- case float_class_qnan: + case float_class_snan: ++ float_raise(float_flag_invalid_snan, s); ++ /* fall through */ ++ case float_class_qnan: + /* + * There is no NaN in the destination format. Raise Invalid + * and return a zero with the sign of the input NaN. +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 5a9671e564..e557b9126b 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -156,6 +156,7 @@ enum { + float_flag_invalid_imz = 0x0100, /* inf * 0 */ + float_flag_invalid_idi = 0x0200, /* inf / inf */ + float_flag_invalid_zdz = 0x0400, /* 0 / 0 */ ++ float_flag_invalid_snan = 0x2000, /* any operand was snan */ + }; + + /* +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..e5daf966d5 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,158 @@ +From 23faf5694ff8054b847e9733297727be4a641132 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 09:37:43 +0200 +Subject: [PATCH] dma: Let dma_memory_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_rw(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-5-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/intc/spapr_xive.c | 3 ++- + hw/usb/hcd-ohci.c | 10 ++++++---- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + softmmu/dma-helpers.c | 3 ++- + 5 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c +index 4ec659b..eae95c7 100644 +--- a/hw/intc/spapr_xive.c ++++ b/hw/intc/spapr_xive.c +@@ -1684,7 +1684,8 @@ static target_ulong h_int_esb(PowerPCCPU *cpu, + mmio_addr = xive->vc_base + xive_source_esb_mgmt(xsrc, lisn) + offset; + + if (dma_memory_rw(&address_space_memory, mmio_addr, &data, 8, +- (flags & SPAPR_XIVE_ESB_STORE))) { ++ (flags & SPAPR_XIVE_ESB_STORE), ++ MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to access ESB @0x%" + HWADDR_PRIx "\n", mmio_addr); + return H_HARDWARE; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 1cf2816..56e2315 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -586,7 +586,8 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -595,7 +596,7 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + ptr = td->be & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +@@ -613,7 +614,8 @@ static int ohci_copy_iso_td(OHCIState *ohci, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -622,7 +624,7 @@ static int ohci_copy_iso_td(OHCIState *ohci, + ptr = end_addr & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index e7cdf2d..4383f1c 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -808,7 +808,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, + DMADirection dir) + { +- return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, dir); ++ return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, ++ dir, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3be803c..e8ad422 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -121,15 +121,15 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + * @buf: buffer with the data transferred + * @len: the number of bytes to read or write + * @dir: indicates the transfer direction ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs); + } + + /** +@@ -147,7 +147,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -166,7 +167,7 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + const void *buf, dma_addr_t len) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 1f07217..5bf76ff 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -305,7 +305,8 @@ static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, ++ MEMTXATTRS_UNSPECIFIED); + ptr += xfer; + len -= xfer; + resid -= xfer; +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch new file mode 100644 index 0000000000..5f38c7265f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch @@ -0,0 +1,114 @@ +From ba4a60dd5df31b9fff8b7b8006bf9f15140cc6c5 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 06/21] target/ppc: Update float_invalid_op_addsub for new + flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vxisi and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=941298ecd7e3103d3789d2dd87dd0f119e81c69e] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-9-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------ + 1 file changed, 14 insertions(+), 24 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index c4896cecc8..f0deada84b 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -450,13 +450,12 @@ void helper_reset_fpstatus(CPUPPCState *env) + set_float_exception_flags(0, &env->fp_status); + } + +-static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_addsub(CPUPPCState *env, int flags, ++ bool set_fpcc, uintptr_t retaddr) + { +- if ((classes & ~is_neg) == is_inf) { +- /* Magnitude subtraction of infinities */ ++ if (flags & float_flag_invalid_isi) { + float_invalid_op_vxisi(env, set_fpcc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -465,12 +464,10 @@ static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc, + float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_add(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_addsub(env, flags, 1, GETPC()); + } + + return ret; +@@ -480,12 +477,10 @@ float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2) + float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_sub(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_addsub(env, flags, 1, GETPC()); + } + + return ret; +@@ -1616,9 +1611,8 @@ void helper_##name(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_addsub(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_addsub(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +@@ -1660,9 +1654,7 @@ void helper_xsaddqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC()); + } + + helper_compute_fprf_float128(env, t.f128); +@@ -3278,9 +3270,7 @@ void helper_xssubqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC()); + } + + helper_compute_fprf_float128(env, t.f128); +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..1973e477f3 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,1453 @@ +From ba06fe8add5b788956a7317246c6280dfc157040 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 10:08:29 +0200 +Subject: [PATCH] dma: Let dma_memory_read/write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_read() or dma_memory_write(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + ( + - dma_memory_read(E1, E2, E3, E4) + + dma_memory_read(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + | + - dma_memory_write(E1, E2, E3, E4) + + dma_memory_write(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + ) + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-6-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/arm/musicpal.c | 13 +++++++------ + hw/arm/smmu-common.c | 3 ++- + hw/arm/smmuv3.c | 14 +++++++++----- + hw/core/generic-loader.c | 3 ++- + hw/dma/pl330.c | 12 ++++++++---- + hw/dma/sparc32_dma.c | 16 ++++++++++------ + hw/dma/xlnx-zynq-devcfg.c | 6 ++++-- + hw/dma/xlnx_dpdma.c | 10 ++++++---- + hw/i386/amd_iommu.c | 16 +++++++++------- + hw/i386/intel_iommu.c | 28 +++++++++++++++++----------- + hw/ide/macio.c | 2 +- + hw/intc/xive.c | 7 ++++--- + hw/misc/bcm2835_property.c | 3 ++- + hw/misc/macio/mac_dbdma.c | 10 ++++++---- + hw/net/allwinner-sun8i-emac.c | 18 ++++++++++++------ + hw/net/ftgmac100.c | 25 ++++++++++++++++--------- + hw/net/imx_fec.c | 32 ++++++++++++++++++++------------ + hw/net/npcm7xx_emc.c | 20 ++++++++++++-------- + hw/nvram/fw_cfg.c | 9 ++++++--- + hw/pci-host/pnv_phb3.c | 5 +++-- + hw/pci-host/pnv_phb3_msi.c | 9 ++++++--- + hw/pci-host/pnv_phb4.c | 5 +++-- + hw/sd/allwinner-sdhost.c | 14 ++++++++------ + hw/sd/sdhci.c | 35 ++++++++++++++++++++++------------- + hw/usb/hcd-dwc2.c | 8 ++++---- + hw/usb/hcd-ehci.c | 6 ++++-- + hw/usb/hcd-ohci.c | 18 +++++++++++------- + hw/usb/hcd-xhci.c | 18 +++++++++++------- + include/hw/ppc/spapr_vio.h | 6 ++++-- + include/sysemu/dma.h | 20 ++++++++++++-------- + 30 files changed, 241 insertions(+), 150 deletions(-) + +diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c +index 2d612cc..2680ec5 100644 +--- a/hw/arm/musicpal.c ++++ b/hw/arm/musicpal.c +@@ -185,13 +185,13 @@ static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr, + cpu_to_le16s(&desc->buffer_size); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_rx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->bytes); + le16_to_cpus(&desc->buffer_size); +@@ -215,7 +215,7 @@ static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size) + eth_rx_desc_get(&s->dma_as, desc_addr, &desc); + if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) { + dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header, +- buf, size); ++ buf, size, MEMTXATTRS_UNSPECIFIED); + desc.bytes = size + s->vlan_header; + desc.cmdstat &= ~MP_ETH_RX_OWN; + s->cur_rx[i] = desc.next; +@@ -241,13 +241,13 @@ static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr, + cpu_to_le16s(&desc->bytes); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_tx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->res); + le16_to_cpus(&desc->bytes); +@@ -269,7 +269,8 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index) + if (desc.cmdstat & MP_ETH_TX_OWN) { + len = desc.bytes; + if (len < 2048) { +- dma_memory_read(&s->dma_as, desc.buffer, buf, len); ++ dma_memory_read(&s->dma_as, desc.buffer, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + qemu_send_packet(qemu_get_queue(s->nic), buf, len); + } + desc.cmdstat &= ~MP_ETH_TX_OWN; +diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c +index 0459850..e09b9c1 100644 +--- a/hw/arm/smmu-common.c ++++ b/hw/arm/smmu-common.c +@@ -193,7 +193,8 @@ static int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte, + dma_addr_t addr = baseaddr + index * sizeof(*pte); + + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte)); ++ ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte), ++ MEMTXATTRS_UNSPECIFIED); + + if (ret != MEMTX_OK) { + info->type = SMMU_PTW_ERR_WALK_EABT; +diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c +index 01b60be..3b43368 100644 +--- a/hw/arm/smmuv3.c ++++ b/hw/arm/smmuv3.c +@@ -102,7 +102,8 @@ static inline MemTxResult queue_read(SMMUQueue *q, void *data) + { + dma_addr_t addr = Q_CONS_ENTRY(q); + +- return dma_memory_read(&address_space_memory, addr, data, q->entry_size); ++ return dma_memory_read(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + } + + static MemTxResult queue_write(SMMUQueue *q, void *data) +@@ -110,7 +111,8 @@ static MemTxResult queue_write(SMMUQueue *q, void *data) + dma_addr_t addr = Q_PROD_ENTRY(q); + MemTxResult ret; + +- ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size); ++ ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + return ret; + } +@@ -285,7 +287,8 @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf, + + trace_smmuv3_get_ste(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -306,7 +309,8 @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid, + + trace_smmuv3_get_cd(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -411,7 +415,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, + l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std)); + /* TODO: guarantee 64-bit single-copy atomicity */ + ret = dma_memory_read(&address_space_memory, l1ptr, &l1std, +- sizeof(l1std)); ++ sizeof(l1std), MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr); +diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c +index d14f932..9a24ffb 100644 +--- a/hw/core/generic-loader.c ++++ b/hw/core/generic-loader.c +@@ -57,7 +57,8 @@ static void generic_loader_reset(void *opaque) + + if (s->data_len) { + assert(s->data_len < sizeof(s->data)); +- dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len); ++ dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len, ++ MEMTXATTRS_UNSPECIFIED); + } + } + +diff --git a/hw/dma/pl330.c b/hw/dma/pl330.c +index 0cb4619..31ce01b 100644 +--- a/hw/dma/pl330.c ++++ b/hw/dma/pl330.c +@@ -1111,7 +1111,8 @@ static inline const PL330InsnDesc *pl330_fetch_insn(PL330Chan *ch) + uint8_t opcode; + int i; + +- dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1); ++ dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1, ++ MEMTXATTRS_UNSPECIFIED); + for (i = 0; insn_desc[i].size; i++) { + if ((opcode & insn_desc[i].opmask) == insn_desc[i].opcode) { + return &insn_desc[i]; +@@ -1125,7 +1126,8 @@ static inline void pl330_exec_insn(PL330Chan *ch, const PL330InsnDesc *insn) + uint8_t buf[PL330_INSN_MAXSIZE]; + + assert(insn->size <= PL330_INSN_MAXSIZE); +- dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size); ++ dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size, ++ MEMTXATTRS_UNSPECIFIED); + insn->exec(ch, buf[0], &buf[1], insn->size - 1); + } + +@@ -1189,7 +1191,8 @@ static int pl330_exec_cycle(PL330Chan *channel) + if (q != NULL && q->len <= pl330_fifo_num_free(&s->fifo)) { + int len = q->len - (q->addr & (q->len - 1)); + +- dma_memory_read(s->mem_as, q->addr, buf, len); ++ dma_memory_read(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +@@ -1220,7 +1223,8 @@ static int pl330_exec_cycle(PL330Chan *channel) + fifo_res = pl330_fifo_get(&s->fifo, buf, len, q->tag); + } + if (fifo_res == PL330_FIFO_OK || q->z) { +- dma_memory_write(s->mem_as, q->addr, buf, len); ++ dma_memory_write(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +diff --git a/hw/dma/sparc32_dma.c b/hw/dma/sparc32_dma.c +index 03bc500..0ef13c5 100644 +--- a/hw/dma/sparc32_dma.c ++++ b/hw/dma/sparc32_dma.c +@@ -81,11 +81,11 @@ void ledma_memory_read(void *opaque, hwaddr addr, + addr |= s->dmaregs[3]; + trace_ledma_memory_read(addr, len); + if (do_bswap) { +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + for(i = 0; i < len; i += 2) { + bswap16s((uint16_t *)(buf + i)); + } +@@ -103,7 +103,8 @@ void ledma_memory_write(void *opaque, hwaddr addr, + addr |= s->dmaregs[3]; + trace_ledma_memory_write(addr, len); + if (do_bswap) { +- dma_memory_write(&is->iommu_as, addr, buf, len); ++ dma_memory_write(&is->iommu_as, addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +@@ -114,7 +115,8 @@ void ledma_memory_write(void *opaque, hwaddr addr, + for(i = 0; i < l; i += 2) { + tmp_buf[i >> 1] = bswap16(*(uint16_t *)(buf + i)); + } +- dma_memory_write(&is->iommu_as, addr, tmp_buf, l); ++ dma_memory_write(&is->iommu_as, addr, tmp_buf, l, ++ MEMTXATTRS_UNSPECIFIED); + len -= l; + buf += l; + addr += l; +@@ -148,7 +150,8 @@ void espdma_memory_read(void *opaque, uint8_t *buf, int len) + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_read(s->dmaregs[1], len); +- dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +@@ -158,7 +161,8 @@ void espdma_memory_write(void *opaque, uint8_t *buf, int len) + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_write(s->dmaregs[1], len); +- dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +diff --git a/hw/dma/xlnx-zynq-devcfg.c b/hw/dma/xlnx-zynq-devcfg.c +index e33112b..f5ad1a0 100644 +--- a/hw/dma/xlnx-zynq-devcfg.c ++++ b/hw/dma/xlnx-zynq-devcfg.c +@@ -161,12 +161,14 @@ static void xlnx_zynq_devcfg_dma_go(XlnxZynqDevcfg *s) + btt = MIN(btt, dmah->dest_len); + } + DB_PRINT("reading %x bytes from %x\n", btt, dmah->src_addr); +- dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt); ++ dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->src_len -= btt; + dmah->src_addr += btt; + if (loopback && (dmah->src_len || dmah->dest_len)) { + DB_PRINT("writing %x bytes from %x\n", btt, dmah->dest_addr); +- dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt); ++ dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->dest_len -= btt; + dmah->dest_addr += btt; + } +diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c +index 967548a..2d7eae7 100644 +--- a/hw/dma/xlnx_dpdma.c ++++ b/hw/dma/xlnx_dpdma.c +@@ -652,7 +652,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + } + + if (dma_memory_read(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor))) { ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_EISR] |= ((1 << 1) << channel); + xlnx_dpdma_update_irq(s); + s->operation_finished[channel] = true; +@@ -708,7 +708,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + if (dma_memory_read(&address_space_memory, + source_addr[0], + &s->data[channel][ptr], +- line_size)) { ++ line_size, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -736,7 +737,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + if (dma_memory_read(&address_space_memory, + source_addr[frag], + &(s->data[channel][ptr]), +- fragment_len)) { ++ fragment_len, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -754,7 +756,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + DPRINTF("update the descriptor with the done flag set.\n"); + xlnx_dpdma_desc_set_done(&desc); + dma_memory_write(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor)); ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); + } + + if (xlnx_dpdma_desc_completion_interrupt(&desc)) { +diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c +index 91fe34a..4d13d8e 100644 +--- a/hw/i386/amd_iommu.c ++++ b/hw/i386/amd_iommu.c +@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt) + } + + if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail, +- evt, AMDVI_EVENT_LEN)) { ++ evt, AMDVI_EVENT_LEN, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail); + } + +@@ -376,7 +376,8 @@ static void amdvi_completion_wait(AMDVIState *s, uint64_t *cmd) + } + if (extract64(cmd[0], 0, 1)) { + if (dma_memory_write(&address_space_memory, addr, &data, +- AMDVI_COMPLETION_DATA_SIZE)) { ++ AMDVI_COMPLETION_DATA_SIZE, ++ MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_completion_wait_fail(addr); + } + } +@@ -502,7 +503,7 @@ static void amdvi_cmdbuf_exec(AMDVIState *s) + uint64_t cmd[2]; + + if (dma_memory_read(&address_space_memory, s->cmdbuf + s->cmdbuf_head, +- cmd, AMDVI_COMMAND_SIZE)) { ++ cmd, AMDVI_COMMAND_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_command_read_fail(s->cmdbuf, s->cmdbuf_head); + amdvi_log_command_error(s, s->cmdbuf + s->cmdbuf_head); + return; +@@ -836,7 +837,7 @@ static bool amdvi_get_dte(AMDVIState *s, int devid, uint64_t *entry) + uint32_t offset = devid * AMDVI_DEVTAB_ENTRY_SIZE; + + if (dma_memory_read(&address_space_memory, s->devtab + offset, entry, +- AMDVI_DEVTAB_ENTRY_SIZE)) { ++ AMDVI_DEVTAB_ENTRY_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_dte_get_fail(s->devtab, offset); + /* log error accessing dte */ + amdvi_log_devtab_error(s, devid, s->devtab + offset, 0); +@@ -881,7 +882,8 @@ static inline uint64_t amdvi_get_pte_entry(AMDVIState *s, uint64_t pte_addr, + { + uint64_t pte; + +- if (dma_memory_read(&address_space_memory, pte_addr, &pte, sizeof(pte))) { ++ if (dma_memory_read(&address_space_memory, pte_addr, ++ &pte, sizeof(pte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_get_pte_hwerror(pte_addr); + amdvi_log_pagetab_error(s, devid, pte_addr, 0); + pte = 0; +@@ -1048,7 +1050,7 @@ static int amdvi_get_irte(AMDVIState *s, MSIMessage *origin, uint64_t *dte, + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte"); + return -AMDVI_IR_GET_IRTE; + } +@@ -1108,7 +1110,7 @@ static int amdvi_get_irte_ga(AMDVIState *s, MSIMessage *origin, uint64_t *dte, + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte_ga"); + return -AMDVI_IR_GET_IRTE; + } +diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c +index f584449..5b865ac 100644 +--- a/hw/i386/intel_iommu.c ++++ b/hw/i386/intel_iommu.c +@@ -569,7 +569,8 @@ static int vtd_get_root_entry(IntelIOMMUState *s, uint8_t index, + dma_addr_t addr; + + addr = s->root + index * sizeof(*re); +- if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ re, sizeof(*re), MEMTXATTRS_UNSPECIFIED)) { + re->lo = 0; + return -VTD_FR_ROOT_TABLE_INV; + } +@@ -602,7 +603,8 @@ static int vtd_get_context_entry_from_root(IntelIOMMUState *s, + } + + addr = addr + index * ce_size; +- if (dma_memory_read(&address_space_memory, addr, ce, ce_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ ce, ce_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_CONTEXT_TABLE_INV; + } + +@@ -639,8 +641,8 @@ static uint64_t vtd_get_slpte(dma_addr_t base_addr, uint32_t index) + assert(index < VTD_SL_PT_ENTRY_NR); + + if (dma_memory_read(&address_space_memory, +- base_addr + index * sizeof(slpte), &slpte, +- sizeof(slpte))) { ++ base_addr + index * sizeof(slpte), ++ &slpte, sizeof(slpte), MEMTXATTRS_UNSPECIFIED)) { + slpte = (uint64_t)-1; + return slpte; + } +@@ -704,7 +706,8 @@ static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base, + index = VTD_PASID_DIR_INDEX(pasid); + entry_size = VTD_PASID_DIR_ENTRY_SIZE; + addr = pasid_dir_base + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pdire, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pdire, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -728,7 +731,8 @@ static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s, + index = VTD_PASID_TABLE_INDEX(pasid); + entry_size = VTD_PASID_ENTRY_SIZE; + addr = addr + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pe, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -2275,7 +2279,8 @@ static bool vtd_get_inv_desc(IntelIOMMUState *s, + uint32_t dw = s->iq_dw ? 32 : 16; + dma_addr_t addr = base_addr + offset * dw; + +- if (dma_memory_read(&address_space_memory, addr, inv_desc, dw)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ inv_desc, dw, MEMTXATTRS_UNSPECIFIED)) { + error_report_once("Read INV DESC failed."); + return false; + } +@@ -2308,8 +2313,9 @@ static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc) + dma_addr_t status_addr = inv_desc->hi; + trace_vtd_inv_desc_wait_sw(status_addr, status_data); + status_data = cpu_to_le32(status_data); +- if (dma_memory_write(&address_space_memory, status_addr, &status_data, +- sizeof(status_data))) { ++ if (dma_memory_write(&address_space_memory, status_addr, ++ &status_data, sizeof(status_data), ++ MEMTXATTRS_UNSPECIFIED)) { + trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo); + return false; + } +@@ -3120,8 +3126,8 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index, + } + + addr = iommu->intr_root + index * sizeof(*entry); +- if (dma_memory_read(&address_space_memory, addr, entry, +- sizeof(*entry))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ entry, sizeof(*entry), MEMTXATTRS_UNSPECIFIED)) { + error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64, + __func__, index, addr); + return -VTD_FR_IR_ROOT_INVAL; +diff --git a/hw/ide/macio.c b/hw/ide/macio.c +index b03d401..f08318c 100644 +--- a/hw/ide/macio.c ++++ b/hw/ide/macio.c +@@ -97,7 +97,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret) + /* Non-block ATAPI transfer - just copy to RAM */ + s->io_buffer_size = MIN(s->io_buffer_size, io->len); + dma_memory_write(&address_space_memory, io->addr, s->io_buffer, +- s->io_buffer_size); ++ s->io_buffer_size, MEMTXATTRS_UNSPECIFIED); + io->len = 0; + ide_atapi_cmd_ok(s); + m->dma_active = false; +diff --git a/hw/intc/xive.c b/hw/intc/xive.c +index 190194d..f15f985 100644 +--- a/hw/intc/xive.c ++++ b/hw/intc/xive.c +@@ -1246,8 +1246,8 @@ void xive_end_queue_pic_print_info(XiveEND *end, uint32_t width, Monitor *mon) + uint64_t qaddr = qaddr_base + (qindex << 2); + uint32_t qdata = -1; + +- if (dma_memory_read(&address_space_memory, qaddr, &qdata, +- sizeof(qdata))) { ++ if (dma_memory_read(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to read EQ @0x%" + HWADDR_PRIx "\n", qaddr); + return; +@@ -1311,7 +1311,8 @@ static void xive_end_enqueue(XiveEND *end, uint32_t data) + uint32_t qdata = cpu_to_be32((qgen << 31) | (data & 0x7fffffff)); + uint32_t qentries = 1 << (qsize + 10); + +- if (dma_memory_write(&address_space_memory, qaddr, &qdata, sizeof(qdata))) { ++ if (dma_memory_write(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to write END data @0x%" + HWADDR_PRIx "\n", qaddr); + return; +diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c +index 73941bd..76ea511 100644 +--- a/hw/misc/bcm2835_property.c ++++ b/hw/misc/bcm2835_property.c +@@ -69,7 +69,8 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) + break; + case 0x00010003: /* Get board MAC address */ + resplen = sizeof(s->macaddr.a); +- dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen); ++ dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen, ++ MEMTXATTRS_UNSPECIFIED); + break; + case 0x00010004: /* Get board serial */ + qemu_log_mask(LOG_UNIMP, +diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c +index e220f1a..efcc026 100644 +--- a/hw/misc/macio/mac_dbdma.c ++++ b/hw/misc/macio/mac_dbdma.c +@@ -94,7 +94,7 @@ static void dbdma_cmdptr_load(DBDMA_channel *ch) + DBDMA_DPRINTFCH(ch, "dbdma_cmdptr_load 0x%08x\n", + ch->regs[DBDMA_CMDPTR_LO]); + dma_memory_read(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void dbdma_cmdptr_save(DBDMA_channel *ch) +@@ -104,7 +104,7 @@ static void dbdma_cmdptr_save(DBDMA_channel *ch) + le16_to_cpu(ch->current.xfer_status), + le16_to_cpu(ch->current.res_count)); + dma_memory_write(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void kill_channel(DBDMA_channel *ch) +@@ -371,7 +371,8 @@ static void load_word(DBDMA_channel *ch, int key, uint32_t addr, + return; + } + +- dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +@@ -403,7 +404,8 @@ static void store_word(DBDMA_channel *ch, int key, uint32_t addr, + return; + } + +- dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c +index ff611f1..ecc0245 100644 +--- a/hw/net/allwinner-sun8i-emac.c ++++ b/hw/net/allwinner-sun8i-emac.c +@@ -350,7 +350,8 @@ static void allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s, + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s, +@@ -402,7 +403,8 @@ static void allwinner_sun8i_emac_flush_desc(AwSun8iEmacState *s, + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool allwinner_sun8i_emac_can_receive(NetClientState *nc) +@@ -460,7 +462,8 @@ static ssize_t allwinner_sun8i_emac_receive(NetClientState *nc, + << RX_DESC_STATUS_FRM_LEN_SHIFT; + } + +- dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes); ++ dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes, ++ MEMTXATTRS_UNSPECIFIED); + allwinner_sun8i_emac_flush_desc(s, &desc, s->rx_desc_curr); + trace_allwinner_sun8i_emac_receive(s->rx_desc_curr, desc.addr, + desc_bytes); +@@ -512,7 +515,8 @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s) + desc.status |= TX_DESC_STATUS_LENGTH_ERR; + break; + } +- dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, bytes); ++ dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, ++ bytes, MEMTXATTRS_UNSPECIFIED); + packet_bytes += bytes; + desc.status &= ~DESC_STATUS_CTL; + allwinner_sun8i_emac_flush_desc(s, &desc, s->tx_desc_curr); +@@ -634,7 +638,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, + break; + case REG_TX_CUR_BUF: /* Transmit Current Buffer */ + if (s->tx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +@@ -647,7 +652,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, + break; + case REG_RX_CUR_BUF: /* Receive Current Buffer */ + if (s->rx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c +index 25685ba..83ef0a7 100644 +--- a/hw/net/ftgmac100.c ++++ b/hw/net/ftgmac100.c +@@ -453,7 +453,8 @@ static void do_phy_ctl(FTGMAC100State *s) + + static int ftgmac100_read_bd(FTGMAC100Desc *bd, dma_addr_t addr) + { +- if (dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ bd, sizeof(*bd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -473,7 +474,8 @@ static int ftgmac100_write_bd(FTGMAC100Desc *bd, dma_addr_t addr) + lebd.des1 = cpu_to_le32(bd->des1); + lebd.des2 = cpu_to_le32(bd->des2); + lebd.des3 = cpu_to_le32(bd->des3); +- if (dma_memory_write(&address_space_memory, addr, &lebd, sizeof(lebd))) { ++ if (dma_memory_write(&address_space_memory, addr, ++ &lebd, sizeof(lebd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -554,7 +556,8 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring, + len = sizeof(s->frame) - frame_size; + } + +- if (dma_memory_read(&address_space_memory, bd.des3, ptr, len)) { ++ if (dma_memory_read(&address_space_memory, bd.des3, ++ ptr, len, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read packet @ 0x%x\n", + __func__, bd.des3); + s->isr |= FTGMAC100_INT_AHB_ERR; +@@ -1030,20 +1033,24 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf, + bd.des1 = lduw_be_p(buf + 14) | FTGMAC100_RXDES1_VLANTAG_AVAIL; + + if (s->maccr & FTGMAC100_MACCR_RM_VLAN) { +- dma_memory_write(&address_space_memory, buf_addr, buf, 12); +- dma_memory_write(&address_space_memory, buf_addr + 12, buf + 16, +- buf_len - 16); ++ dma_memory_write(&address_space_memory, buf_addr, buf, 12, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(&address_space_memory, buf_addr + 12, ++ buf + 16, buf_len - 16, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, ++ buf_len, MEMTXATTRS_UNSPECIFIED); + } + } else { + bd.des1 = 0; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + } + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + +diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c +index 9c7035b..0db9aaf 100644 +--- a/hw/net/imx_fec.c ++++ b/hw/net/imx_fec.c +@@ -387,19 +387,22 @@ static void imx_phy_write(IMXFECState *s, int reg, uint32_t val) + + static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data); + } + + static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data, + bd->option, bd->status); +@@ -407,7 +410,8 @@ static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + + static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_eth_update(IMXFECState *s) +@@ -474,7 +478,8 @@ static void imx_fec_do_tx(IMXFECState *s) + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -555,7 +560,8 @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index) + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -1103,11 +1109,12 @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf, + buf_len += size - 4; + } + buf_addr = bd.data; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +@@ -1210,8 +1217,8 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, + */ + const uint8_t zeros[2] = { 0 }; + +- dma_memory_write(&address_space_memory, buf_addr, +- zeros, sizeof(zeros)); ++ dma_memory_write(&address_space_memory, buf_addr, zeros, ++ sizeof(zeros), MEMTXATTRS_UNSPECIFIED); + + buf_addr += sizeof(zeros); + buf_len -= sizeof(zeros); +@@ -1220,11 +1227,12 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, + shift16 = false; + } + +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c +index 545b2b7..9a23289 100644 +--- a/hw/net/npcm7xx_emc.c ++++ b/hw/net/npcm7xx_emc.c +@@ -200,7 +200,8 @@ static void emc_update_irq_from_reg_change(NPCM7xxEMCState *emc) + + static int emc_read_tx_desc(dma_addr_t addr, NPCM7xxEMCTxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -221,7 +222,7 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr) + le_desc.status_and_length = cpu_to_le32(desc->status_and_length); + le_desc.ntxdsa = cpu_to_le32(desc->ntxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -231,7 +232,8 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr) + + static int emc_read_rx_desc(dma_addr_t addr, NPCM7xxEMCRxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -252,7 +254,7 @@ static int emc_write_rx_desc(const NPCM7xxEMCRxDesc *desc, dma_addr_t addr) + le_desc.reserved = cpu_to_le32(desc->reserved); + le_desc.nrxdsa = cpu_to_le32(desc->nrxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -366,7 +368,8 @@ static void emc_try_send_next_packet(NPCM7xxEMCState *emc) + buf = malloced_buf; + } + +- if (dma_memory_read(&address_space_memory, next_buf_addr, buf, length)) { ++ if (dma_memory_read(&address_space_memory, next_buf_addr, buf, ++ length, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read packet @ 0x%x\n", + __func__, next_buf_addr); + emc_set_mista(emc, REG_MISTA_TXBERR); +@@ -551,10 +554,11 @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1) + + buf_addr = rx_desc.rxbsa; + emc->regs[REG_CRXBSA] = buf_addr; +- if (dma_memory_write(&address_space_memory, buf_addr, buf, len) || ++ if (dma_memory_write(&address_space_memory, buf_addr, buf, ++ len, MEMTXATTRS_UNSPECIFIED) || + (!(emc->regs[REG_MCMDR] & REG_MCMDR_SPCRC) && +- dma_memory_write(&address_space_memory, buf_addr + len, crc_ptr, +- 4))) { ++ dma_memory_write(&address_space_memory, buf_addr + len, ++ crc_ptr, 4, MEMTXATTRS_UNSPECIFIED))) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bus error writing packet\n", + __func__); + emc_set_mista(emc, REG_MISTA_RXBERR); +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index f7803fe..9b91b15 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -357,7 +357,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + dma_addr = s->dma_addr; + s->dma_addr = 0; + +- if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) { ++ if (dma_memory_read(s->dma_as, dma_addr, ++ &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), + FW_CFG_DMA_CTL_ERROR); + return; +@@ -419,7 +420,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + */ + if (read) { + if (dma_memory_write(s->dma_as, dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +@@ -427,7 +429,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (!e->allow_write || + len != dma.length || + dma_memory_read(s->dma_as, dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } else if (e->write_cb) { + e->write_cb(e->callback_opaque, s->cur_offset, len); +diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c +index 9c4451c..c6e7871 100644 +--- a/hw/pci-host/pnv_phb3.c ++++ b/hw/pci-host/pnv_phb3.c +@@ -715,7 +715,8 @@ static bool pnv_phb3_resolve_pe(PnvPhb3DMASpace *ds) + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * ((bus_num << 8) | ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... */ + return false; +@@ -794,7 +795,7 @@ static void pnv_phb3_translate_tve(PnvPhb3DMASpace *ds, hwaddr addr, + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +diff --git a/hw/pci-host/pnv_phb3_msi.c b/hw/pci-host/pnv_phb3_msi.c +index 099d209..8bcbc2c 100644 +--- a/hw/pci-host/pnv_phb3_msi.c ++++ b/hw/pci-host/pnv_phb3_msi.c +@@ -53,7 +53,8 @@ static bool phb3_msi_read_ive(PnvPHB3 *phb, int srcno, uint64_t *out_ive) + return false; + } + +- if (dma_memory_read(&address_space_memory, ive_addr, &ive, sizeof(ive))) { ++ if (dma_memory_read(&address_space_memory, ive_addr, ++ &ive, sizeof(ive), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "Failed to read IVE at 0x%" PRIx64, + ive_addr); + return false; +@@ -73,7 +74,8 @@ static void phb3_msi_set_p(Phb3MsiState *msi, int srcno, uint8_t gen) + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 4, &p, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 4, ++ &p, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set P) at 0x%" PRIx64, ive_addr); + } +@@ -89,7 +91,8 @@ static void phb3_msi_set_q(Phb3MsiState *msi, int srcno) + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 5, &q, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 5, ++ &q, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set Q) at 0x%" PRIx64, ive_addr); + } +diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c +index 40b7932..1fbf732 100644 +--- a/hw/pci-host/pnv_phb4.c ++++ b/hw/pci-host/pnv_phb4.c +@@ -891,7 +891,8 @@ static bool pnv_phb4_resolve_pe(PnvPhb4DMASpace *ds) + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * PCI_BUILD_BDF(bus_num, ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... */ + return false; +@@ -961,7 +962,7 @@ static void pnv_phb4_translate_tve(PnvPhb4DMASpace *ds, hwaddr addr, + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c +index 9166d66..de5bc49 100644 +--- a/hw/sd/allwinner-sdhost.c ++++ b/hw/sd/allwinner-sdhost.c +@@ -311,7 +311,8 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s, + uint8_t buf[1024]; + + /* Read descriptor */ +- dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + if (desc->size == 0) { + desc->size = klass->max_desc_size; + } else if (desc->size > klass->max_desc_size) { +@@ -337,23 +338,24 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s, + /* Write to SD bus */ + if (is_write) { + dma_memory_read(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, buf, buf_bytes); + + /* Read from SD bus */ + } else { + sdbus_read_data(&s->sdbus, buf, buf_bytes); + dma_memory_write(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + } + num_done += buf_bytes; + } + + /* Clear hold flag and flush descriptor */ + desc->status &= ~DESC_STATUS_HOLD; +- dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + + return num_done; + } +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index c9dc065..e0bbc90 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -616,8 +616,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + s->blkcnt--; + } + } +- dma_memory_write(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_write(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -637,8 +637,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + s->data_count = block_size; + boundary_count -= block_size - begin; + } +- dma_memory_read(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_read(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +@@ -670,9 +670,11 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s) + + if (s->trnmod & SDHC_TRNS_READ) { + sdbus_read_data(&s->sdbus, s->fifo_buffer, datacnt); +- dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, s->fifo_buffer, datacnt); + } + s->blkcnt--; +@@ -694,7 +696,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + hwaddr entry_addr = (hwaddr)s->admasysaddr; + switch (SDHC_DMA_TYPE(s->hostctl1)) { + case SDHC_CTRL_ADMA2_32: +- dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2)); ++ dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2), ++ MEMTXATTRS_UNSPECIFIED); + adma2 = le64_to_cpu(adma2); + /* The spec does not specify endianness of descriptor table. + * We currently assume that it is LE. +@@ -705,7 +708,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + dscr->incr = 8; + break; + case SDHC_CTRL_ADMA1_32: +- dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1)); ++ dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1), ++ MEMTXATTRS_UNSPECIFIED); + adma1 = le32_to_cpu(adma1); + dscr->addr = (hwaddr)(adma1 & 0xFFFFF000); + dscr->attr = (uint8_t)extract32(adma1, 0, 7); +@@ -717,10 +721,13 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + } + break; + case SDHC_CTRL_ADMA2_64: +- dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1); +- dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2); ++ dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2, ++ MEMTXATTRS_UNSPECIFIED); + dscr->length = le16_to_cpu(dscr->length); +- dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8); ++ dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8, ++ MEMTXATTRS_UNSPECIFIED); + dscr->addr = le64_to_cpu(dscr->addr); + dscr->attr &= (uint8_t) ~0xC0; + dscr->incr = 12; +@@ -785,7 +792,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_write(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -810,7 +818,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_read(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c +index e1d96ac..8755e9c 100644 +--- a/hw/usb/hcd-dwc2.c ++++ b/hw/usb/hcd-dwc2.c +@@ -272,8 +272,8 @@ static void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev, + + if (pid != USB_TOKEN_IN) { + trace_usb_dwc2_memory_read(hcdma, tlen); +- if (dma_memory_read(&s->dma_as, hcdma, +- s->usb_buf[chan], tlen) != MEMTX_OK) { ++ if (dma_memory_read(&s->dma_as, hcdma, s->usb_buf[chan], tlen, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_read failed\n", + __func__); + } +@@ -328,8 +328,8 @@ babble: + + if (pid == USB_TOKEN_IN) { + trace_usb_dwc2_memory_write(hcdma, actual); +- if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], +- actual) != MEMTX_OK) { ++ if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], actual, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_write failed\n", + __func__); + } +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 6caa7ac..33a8a37 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -383,7 +383,8 @@ static inline int get_dwords(EHCIState *ehci, uint32_t addr, + } + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); ++ dma_memory_read(ehci->as, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + *buf = le32_to_cpu(*buf); + } + +@@ -405,7 +406,8 @@ static inline int put_dwords(EHCIState *ehci, uint32_t addr, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); ++ dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp), ++ MEMTXATTRS_UNSPECIFIED); + } + + return num; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 56e2315..a93d6b2 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -452,7 +452,8 @@ static inline int get_dwords(OHCIState *ohci, + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le32_to_cpu(*buf); +@@ -471,7 +472,8 @@ static inline int put_dwords(OHCIState *ohci, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -488,7 +490,8 @@ static inline int get_words(OHCIState *ohci, + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le16_to_cpu(*buf); +@@ -507,7 +510,8 @@ static inline int put_words(OHCIState *ohci, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint16_t tmp = cpu_to_le16(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -537,8 +541,8 @@ static inline int ohci_read_iso_td(OHCIState *ohci, + static inline int ohci_read_hcca(OHCIState *ohci, + dma_addr_t addr, struct ohci_hcca *hcca) + { +- return dma_memory_read(ohci->as, addr + ohci->localmem_base, +- hcca, sizeof(*hcca)); ++ return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca, ++ sizeof(*hcca), MEMTXATTRS_UNSPECIFIED); + } + + static inline int ohci_put_ed(OHCIState *ohci, +@@ -572,7 +576,7 @@ static inline int ohci_put_hcca(OHCIState *ohci, + return dma_memory_write(ohci->as, + addr + ohci->localmem_base + HCCA_WRITEBACK_OFFSET, + (char *)hcca + HCCA_WRITEBACK_OFFSET, +- HCCA_WRITEBACK_SIZE); ++ HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED); + } + + /* Read/Write the contents of a TD from/to main memory. */ +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index e017000..ed2b9ea 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -487,7 +487,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr, + + assert((len % sizeof(uint32_t)) == 0); + +- dma_memory_read(xhci->as, addr, buf, len); ++ dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + + for (i = 0; i < (len / sizeof(uint32_t)); i++) { + buf[i] = le32_to_cpu(buf[i]); +@@ -507,7 +507,7 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr, + for (i = 0; i < n; i++) { + tmp[i] = cpu_to_le32(buf[i]); + } +- dma_memory_write(xhci->as, addr, tmp, len); ++ dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED); + } + + static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport) +@@ -618,7 +618,7 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v) + ev_trb.status, ev_trb.control); + + addr = intr->er_start + TRB_SIZE*intr->er_ep_idx; +- dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE); ++ dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED); + + intr->er_ep_idx++; + if (intr->er_ep_idx >= intr->er_size) { +@@ -679,7 +679,8 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE); ++ dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + trb->addr = ring->dequeue; + trb->ccs = ring->ccs; + le64_to_cpus(&trb->parameter); +@@ -726,7 +727,8 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE); ++ dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + le64_to_cpus(&trb.parameter); + le32_to_cpus(&trb.status); + le32_to_cpus(&trb.control); +@@ -781,7 +783,8 @@ static void xhci_er_reset(XHCIState *xhci, int v) + xhci_die(xhci); + return; + } +- dma_memory_read(xhci->as, erstba, &seg, sizeof(seg)); ++ dma_memory_read(xhci->as, erstba, &seg, sizeof(seg), ++ MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&seg.addr_low); + le32_to_cpus(&seg.addr_high); + le32_to_cpus(&seg.size); +@@ -2397,7 +2400,8 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx) + /* TODO: actually implement real values here */ + bw_ctx[0] = 0; + memset(&bw_ctx[1], 80, xhci->numports); /* 80% */ +- dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx)); ++ dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx), ++ MEMTXATTRS_UNSPECIFIED); + + return CC_SUCCESS; + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index c90e74a..5d2ea8e 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -97,14 +97,16 @@ static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, + void *buf, uint32_t size) + { +- return (dma_memory_read(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_read(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + + static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + const void *buf, uint32_t size) + { +- return (dma_memory_write(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_write(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index e8ad422..522682b 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -143,12 +143,14 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: length of the data transferred ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, +- void *buf, dma_addr_t len) ++ void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, buf, len, +- DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_TO_DEVICE, attrs); + } + + /** +@@ -162,12 +164,14 @@ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: the number of bytes to write ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, +- const void *buf, dma_addr_t len) ++ const void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_FROM_DEVICE, attrs); + } + + /** +@@ -239,7 +243,7 @@ static inline void dma_memory_unmap(AddressSpace *as, + dma_addr_t addr) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -247,20 +251,20 @@ static inline void dma_memory_unmap(AddressSpace *as, + uint##_bits##_t val) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1); ++ dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + return val; + } + + static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) + { +- dma_memory_write(as, addr, &val, 1); ++ dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch new file mode 100644 index 0000000000..1cc4e9e35c --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch @@ -0,0 +1,86 @@ +From ee8ba2dbb046f48457566b64ad95bf0440d2513e Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 07/21] target/ppc: Update float_invalid_op_mul for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vximz and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=4edf55698fc2ea30903657c63ed95db0d5548943] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-10-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index f0deada84b..23264e6528 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -486,13 +486,12 @@ float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2) + return ret; + } + +-static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_mul(CPUPPCState *env, int flags, ++ bool set_fprc, uintptr_t retaddr) + { +- if ((classes & (is_zero | is_inf)) == (is_zero | is_inf)) { +- /* Multiplication of zero by infinity */ ++ if (flags & float_flag_invalid_imz) { + float_invalid_op_vximz(env, set_fprc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -501,12 +500,10 @@ static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc, + float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_mul(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_mul(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_mul(env, flags, 1, GETPC()); + } + + return ret; +@@ -1687,9 +1684,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_mul(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_mul(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +@@ -1727,9 +1723,7 @@ void helper_xsmulqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_mul(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_mul(env, tstat.float_exception_flags, 1, GETPC()); + } + helper_compute_fprf_float128(env, t.f128); + +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..8dd0476953 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,227 @@ +From a1d4b0a3051b3079c8db607f519bc0fcb30e17ec Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 11:00:47 +0200 +Subject: [PATCH] dma: Let dma_memory_map() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_map(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + - dma_memory_map(E1, E2, E3, E4) + + dma_memory_map(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-7-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/display/virtio-gpu.c | 10 ++++++---- + hw/hyperv/vmbus.c | 8 +++++--- + hw/ide/ahci.c | 8 +++++--- + hw/usb/libhw.c | 3 ++- + hw/virtio/virtio.c | 6 ++++-- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 5 +++-- + softmmu/dma-helpers.c | 3 ++- + 8 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index d78b970..c6dc818 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -814,8 +814,9 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g, + + do { + len = l; +- map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- a, &len, DMA_DIRECTION_TO_DEVICE); ++ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, a, &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!map) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for" + " element %d\n", __func__, e); +@@ -1252,8 +1253,9 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, + for (i = 0; i < res->iov_cnt; i++) { + hwaddr len = res->iov[i].iov_len; + res->iov[i].iov_base = +- dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- res->addrs[i], &len, DMA_DIRECTION_TO_DEVICE); ++ dma_memory_map(VIRTIO_DEVICE(g)->dma_as, res->addrs[i], &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + + if (!res->iov[i].iov_base || len != res->iov[i].iov_len) { + /* Clean up the half-a-mapping we just created... */ +diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c +index dbce3b3..8aad29f 100644 +--- a/hw/hyperv/vmbus.c ++++ b/hw/hyperv/vmbus.c +@@ -373,7 +373,8 @@ static ssize_t gpadl_iter_io(GpadlIter *iter, void *buf, uint32_t len) + + maddr = (iter->gpadl->gfns[idx] << TARGET_PAGE_BITS) | off_in_page; + +- iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir); ++ iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir, ++ MEMTXATTRS_UNSPECIFIED); + if (mlen != pgleft) { + dma_memory_unmap(iter->as, iter->map, mlen, iter->dir, 0); + iter->map = NULL; +@@ -490,7 +491,8 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, + goto err; + } + +- iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir); ++ iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!l) { + ret = -EFAULT; + goto err; +@@ -566,7 +568,7 @@ static vmbus_ring_buffer *ringbuf_map_hdr(VMBusRingBufCommon *ringbuf) + dma_addr_t mlen = sizeof(*rb); + + rb = dma_memory_map(ringbuf->as, ringbuf->rb_addr, &mlen, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (mlen != sizeof(*rb)) { + dma_memory_unmap(ringbuf->as, rb, mlen, + DMA_DIRECTION_FROM_DEVICE, 0); +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index a94c6e2..8e77ddb 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -249,7 +249,8 @@ static void map_page(AddressSpace *as, uint8_t **ptr, uint64_t addr, + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + } + +- *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE); ++ *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (len < wanted && *ptr) { + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + *ptr = NULL; +@@ -939,7 +940,8 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, + + /* map PRDT */ + if (!(prdt = dma_memory_map(ad->hba->as, prdt_addr, &prdt_len, +- DMA_DIRECTION_TO_DEVICE))){ ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED))){ + trace_ahci_populate_sglist_no_map(ad->hba, ad->port_no); + return -1; + } +@@ -1301,7 +1303,7 @@ static int handle_cmd(AHCIState *s, int port, uint8_t slot) + tbl_addr = le64_to_cpu(cmd->tbl_addr); + cmd_len = 0x80; + cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len, +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (!cmd_fis) { + trace_handle_cmd_badfis(s, port); + return -1; +diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c +index 9c33a16..f350eae 100644 +--- a/hw/usb/libhw.c ++++ b/hw/usb/libhw.c +@@ -36,7 +36,8 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl) + + while (len) { + dma_addr_t xlen = len; +- mem = dma_memory_map(sgl->as, base, &xlen, dir); ++ mem = dma_memory_map(sgl->as, base, &xlen, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!mem) { + goto err; + } +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index ea7c079..e11a8a0d 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1306,7 +1306,8 @@ static bool virtqueue_map_desc(VirtIODevice *vdev, unsigned int *p_num_sg, + iov[num_sg].iov_base = dma_memory_map(vdev->dma_as, pa, &len, + is_write ? + DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!iov[num_sg].iov_base) { + virtio_error(vdev, "virtio: bogus descriptor or out of resources"); + goto out; +@@ -1355,7 +1356,8 @@ static void virtqueue_map_iovec(VirtIODevice *vdev, struct iovec *sg, + sg[i].iov_base = dma_memory_map(vdev->dma_as, + addr[i], &len, is_write ? + DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!sg[i].iov_base) { + error_report("virtio: error trying to map MMIO memory"); + exit(1); +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 4383f1c..1acefc2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -875,7 +875,8 @@ static inline void *pci_dma_map(PCIDevice *dev, dma_addr_t addr, + { + void *buf; + +- buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir); ++ buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir, ++ MEMTXATTRS_UNSPECIFIED); + return buf; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 522682b..97ff6f2 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -202,16 +202,17 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @len: pointer to length of buffer; updated on return + * @dir: indicates the transfer direction ++ * @attrs: memory attributes + */ + static inline void *dma_memory_map(AddressSpace *as, + dma_addr_t addr, dma_addr_t *len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + hwaddr xlen = *len; + void *p; + + p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + *len = xlen; + return p; + } +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 5bf76ff..3c06a2f 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -143,7 +143,8 @@ static void dma_blk_cb(void *opaque, int ret) + while (dbs->sg_cur_index < dbs->sg->nsg) { + cur_addr = dbs->sg->sg[dbs->sg_cur_index].base + dbs->sg_cur_byte; + cur_len = dbs->sg->sg[dbs->sg_cur_index].len - dbs->sg_cur_byte; +- mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir); ++ mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir, ++ MEMTXATTRS_UNSPECIFIED); + /* + * Make reads deterministic in icount mode. Windows sometimes issues + * disk read requests with overlapping SGs. It leads +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch b/poky/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch new file mode 100644 index 0000000000..cb657eefd5 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch @@ -0,0 +1,99 @@ +From a13c0819ef14120a0e30077fcc6a7470409fa732 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 08/21] target/ppc: Update float_invalid_op_div for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vxidi, vxzdz, and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=c07f82416cb7973c64d1e21c09957182b4b033dc] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-11-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------ + 1 file changed, 14 insertions(+), 24 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 23264e6528..2ab34236a3 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -509,17 +509,14 @@ float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2) + return ret; + } + +-static void float_invalid_op_div(CPUPPCState *env, bool set_fprc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_div(CPUPPCState *env, int flags, ++ bool set_fprc, uintptr_t retaddr) + { +- classes &= ~is_neg; +- if (classes == is_inf) { +- /* Division of infinity by infinity */ ++ if (flags & float_flag_invalid_idi) { + float_invalid_op_vxidi(env, set_fprc, retaddr); +- } else if (classes == is_zero) { +- /* Division of zero by zero */ ++ } else if (flags & float_flag_invalid_zdz) { + float_invalid_op_vxzdz(env, set_fprc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -528,17 +525,13 @@ static void float_invalid_op_div(CPUPPCState *env, bool set_fprc, + float64 helper_fdiv(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_div(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status)) { +- if (status & float_flag_invalid) { +- float_invalid_op_div(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); +- } +- if (status & float_flag_divbyzero) { +- float_zero_divide_excp(env, GETPC()); +- } ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_div(env, flags, 1, GETPC()); ++ } ++ if (unlikely(flags & float_flag_divbyzero)) { ++ float_zero_divide_excp(env, GETPC()); + } + + return ret; +@@ -1755,9 +1748,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_div(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_div(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) { \ + float_zero_divide_excp(env, GETPC()); \ +@@ -1798,9 +1790,7 @@ void helper_xsdivqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_div(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_div(env, tstat.float_exception_flags, 1, GETPC()); + } + if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) { + float_zero_divide_excp(env, GETPC()); +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch b/poky/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch new file mode 100644 index 0000000000..0876ef184d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch @@ -0,0 +1,41 @@ +From c0ee1527358474c75067993d1bb233ad3a4ee081 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 16 Dec 2021 11:24:56 +0100 +Subject: [PATCH] dma: Have dma_buf_rw() take a void pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_rw() to take a void pointer argument +to save us pointless casts to uint8_t *. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-8-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + softmmu/dma-helpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 3c06a2f..09e2999 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,9 +294,10 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, ++static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + DMADirection dir) + { ++ uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; + +-- +1.8.3.1 diff --git a/poky/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch b/poky/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch new file mode 100644 index 0000000000..2e723582b7 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch @@ -0,0 +1,102 @@ +From ce768160ee1ee9673d60e800389c41b3c707411a Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:15 +0100 +Subject: [PATCH 09/21] target/ppc: Update fmadd for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vximz, vxisi, and vxsnan are computed directly by +softfloat, we don't need to recompute it. This replaces the +separate float{32,64}_maddsub_update_excp functions with a +single float_invalid_op_madd function. + +Fix VSX_MADD by passing sfprf to float_invalid_op_madd, +whereas the previous *_maddsub_update_excp assumed it true. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e4052bb773cc829a27786d68caa22f28cff19d39] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-19-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 46 ++++++++++------------------------------- + 1 file changed, 11 insertions(+), 35 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 2ab34236a3..3b1cb25666 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -639,38 +639,15 @@ uint64_t helper_frim(CPUPPCState *env, uint64_t arg) + return do_fri(env, arg, float_round_down); + } + +-#define FPU_MADDSUB_UPDATE(NAME, TP) \ +-static void NAME(CPUPPCState *env, TP arg1, TP arg2, TP arg3, \ +- unsigned int madd_flags, uintptr_t retaddr) \ +-{ \ +- if (TP##_is_signaling_nan(arg1, &env->fp_status) || \ +- TP##_is_signaling_nan(arg2, &env->fp_status) || \ +- TP##_is_signaling_nan(arg3, &env->fp_status)) { \ +- /* sNaN operation */ \ +- float_invalid_op_vxsnan(env, retaddr); \ +- } \ +- if ((TP##_is_infinity(arg1) && TP##_is_zero(arg2)) || \ +- (TP##_is_zero(arg1) && TP##_is_infinity(arg2))) { \ +- /* Multiplication of zero by infinity */ \ +- float_invalid_op_vximz(env, 1, retaddr); \ +- } \ +- if ((TP##_is_infinity(arg1) || TP##_is_infinity(arg2)) && \ +- TP##_is_infinity(arg3)) { \ +- uint8_t aSign, bSign, cSign; \ +- \ +- aSign = TP##_is_neg(arg1); \ +- bSign = TP##_is_neg(arg2); \ +- cSign = TP##_is_neg(arg3); \ +- if (madd_flags & float_muladd_negate_c) { \ +- cSign ^= 1; \ +- } \ +- if (aSign ^ bSign ^ cSign) { \ +- float_invalid_op_vxisi(env, 1, retaddr); \ +- } \ +- } \ ++static void float_invalid_op_madd(CPUPPCState *env, int flags, ++ bool set_fpcc, uintptr_t retaddr) ++{ ++ if (flags & float_flag_invalid_imz) { ++ float_invalid_op_vximz(env, set_fpcc, retaddr); ++ } else { ++ float_invalid_op_addsub(env, flags, set_fpcc, retaddr); ++ } + } +-FPU_MADDSUB_UPDATE(float32_maddsub_update_excp, float32) +-FPU_MADDSUB_UPDATE(float64_maddsub_update_excp, float64) + + #define FPU_FMADD(op, madd_flags) \ + uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ +@@ -682,8 +659,7 @@ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ + flags = get_float_exception_flags(&env->fp_status); \ + if (flags) { \ + if (flags & float_flag_invalid) { \ +- float64_maddsub_update_excp(env, arg1, arg2, arg3, \ +- madd_flags, GETPC()); \ ++ float_invalid_op_madd(env, flags, 1, GETPC()); \ + } \ + do_float_check_status(env, GETPC()); \ + } \ +@@ -2087,8 +2063,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- tp##_maddsub_update_excp(env, xa->fld, b->fld, \ +- c->fld, maddflgs, GETPC()); \ ++ float_invalid_op_madd(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch b/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch new file mode 100644 index 0000000000..d65e0b4305 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch @@ -0,0 +1,167 @@ +From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 16 Dec 2021 11:27:23 +0100 +Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void + pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_read/dma_buf_write functions to take +a void pointer argument and save us pointless casts to uint8_t *. + +Remove this pointless casts in the megasas device model. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-9-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/scsi/megasas.c | 22 +++++++++++----------- + include/sysemu/dma.h | 4 ++-- + softmmu/dma-helpers.c | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 14ec6d6..2dae33f 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd) + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd) + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd) + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd) + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd) + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd) + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd) + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + ld_offset += sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd) + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 97ff6f2..0d5b836 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk, + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 09e2999..7f37548 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + return resid; + } + +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); + } + +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); + } +-- +1.8.3.1 diff --git a/poky/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch b/poky/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch new file mode 100644 index 0000000000..4d19773200 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch @@ -0,0 +1,71 @@ +From f024b8937d8b614994b94e86d2240fafcc7d2d73 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:15 +0100 +Subject: [PATCH 10/21] target/ppc: Split out do_fmadd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Create a common function for all of the madd helpers. +Let the compiler tail call or inline as it chooses. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ffdaff8e9c698061f57a6b1827570562c5a1c909] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-20-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 3b1cb25666..9a1e7e6244 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -649,23 +649,26 @@ static void float_invalid_op_madd(CPUPPCState *env, int flags, + } + } + +-#define FPU_FMADD(op, madd_flags) \ +-uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ +- uint64_t arg2, uint64_t arg3) \ +-{ \ +- uint32_t flags; \ +- float64 ret = float64_muladd(arg1, arg2, arg3, madd_flags, \ +- &env->fp_status); \ +- flags = get_float_exception_flags(&env->fp_status); \ +- if (flags) { \ +- if (flags & float_flag_invalid) { \ +- float_invalid_op_madd(env, flags, 1, GETPC()); \ +- } \ +- do_float_check_status(env, GETPC()); \ +- } \ +- return ret; \ ++static float64 do_fmadd(CPUPPCState *env, float64 a, float64 b, ++ float64 c, int madd_flags, uintptr_t retaddr) ++{ ++ float64 ret = float64_muladd(a, b, c, madd_flags, &env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); ++ ++ if (flags) { ++ if (flags & float_flag_invalid) { ++ float_invalid_op_madd(env, flags, 1, retaddr); ++ } ++ do_float_check_status(env, retaddr); ++ } ++ return ret; + } + ++#define FPU_FMADD(op, madd_flags) \ ++ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ ++ uint64_t arg2, uint64_t arg3) \ ++ { return do_fmadd(env, arg1, arg2, arg3, madd_flags, GETPC()); } ++ + #define MADD_FLGS 0 + #define MSUB_FLGS float_muladd_negate_c + #define NMADD_FLGS float_muladd_negate_result +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..8207058aca --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,91 @@ +From e2d784b67dc724a9b0854b49255ba0ee8ca46543 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 22:18:19 +0100 +Subject: [PATCH] pci: Let pci_dma_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling pci_dma_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-10-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 3 ++- + hw/scsi/esp-pci.c | 2 +- + include/hw/pci/pci.h | 10 ++++++---- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 8ce9df6..fb3d34a 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -427,7 +427,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n", + st->be, st->bp, st->bpl[st->be].len, copy); + +- pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output); ++ pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, ++ MEMTXATTRS_UNSPECIFIED); + st->lpib += copy; + st->bp += copy; + buf += copy; +diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c +index dac054a..1792f84 100644 +--- a/hw/scsi/esp-pci.c ++++ b/hw/scsi/esp-pci.c +@@ -280,7 +280,7 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len, + len = pci->dma_regs[DMA_WBC]; + } + +- pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir); ++ pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir, MEMTXATTRS_UNSPECIFIED); + + /* update status registers */ + pci->dma_regs[DMA_WBC] -= len; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 1acefc2..a751ab5 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -806,10 +806,10 @@ static inline AddressSpace *pci_get_address_space(PCIDevice *dev) + */ + static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, +- dir, MEMTXATTRS_UNSPECIFIED); ++ dir, attrs); + } + + /** +@@ -827,7 +827,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return pci_dma_rw(dev, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -845,7 +846,8 @@ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + const void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, (void *) buf, len, DMA_DIRECTION_FROM_DEVICE); ++ return pci_dma_rw(dev, addr, (void *) buf, len, ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +-- +1.8.3.1 diff --git a/poky/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch b/poky/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch new file mode 100644 index 0000000000..0daae55b99 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch @@ -0,0 +1,93 @@ +From a1821ad612994b95cb6597efd15e0a888676386c Mon Sep 17 00:00:00 2001 +From: Victor Colombo <victor.colombo@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 11/21] target/ppc: Fix xs{max, min}[cj]dp to use VSX registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PPC instruction xsmaxcdp, xsmincdp, xsmaxjdp, and xsminjdp are using +vector registers when they should be using VSX ones. This happens +because the instructions are using GEN_VSX_HELPER_R3, which adds 32 +to the register numbers, effectively making them vector registers. + +This patch fixes it by changing these instructions to use +GEN_VSX_HELPER_X3. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=201fc774e0e1cc76ec23b595968004a7b14fb6e8] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Victor Colombo <victor.colombo@eldorado.org.br> +Message-Id: <20211213120958.24443-2-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 4 ++-- + target/ppc/helper.h | 8 ++++---- + target/ppc/translate/vsx-impl.c.inc | 8 ++++---- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 9a1e7e6244..ecdcd36a11 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2375,7 +2375,7 @@ VSX_MAX_MIN(xvmindp, minnum, 2, float64, VsrD(i)) + VSX_MAX_MIN(xvminsp, minnum, 4, float32, VsrW(i)) + + #define VSX_MAX_MINC(name, max) \ +-void helper_##name(CPUPPCState *env, uint32_t opcode, \ ++void helper_##name(CPUPPCState *env, \ + ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb) \ + { \ + ppc_vsr_t t = *xt; \ +@@ -2410,7 +2410,7 @@ VSX_MAX_MINC(xsmaxcdp, 1); + VSX_MAX_MINC(xsmincdp, 0); + + #define VSX_MAX_MINJ(name, max) \ +-void helper_##name(CPUPPCState *env, uint32_t opcode, \ ++void helper_##name(CPUPPCState *env, \ + ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb) \ + { \ + ppc_vsr_t t = *xt; \ +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index 627811cefc..12a3d5f269 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -392,10 +392,10 @@ DEF_HELPER_4(xscmpoqp, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscmpuqp, void, env, i32, vsr, vsr) + DEF_HELPER_4(xsmaxdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xsmindp, void, env, vsr, vsr, vsr) +-DEF_HELPER_5(xsmaxcdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsmincdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsmaxjdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsminjdp, void, env, i32, vsr, vsr, vsr) ++DEF_HELPER_4(xsmaxcdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsmincdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsmaxjdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsminjdp, void, env, vsr, vsr, vsr) + DEF_HELPER_3(xscvdphp, void, env, vsr, vsr) + DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr) +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index c0e38060b4..02df75339e 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1098,10 +1098,10 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX) + GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_R3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX) + GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300) +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..4f7276ef8b --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,65 @@ +From 959384e74e1b508acc3af6e806b3d7b87335fc2a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 22:59:46 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling dma_buf_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the 2 callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-11-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + softmmu/dma-helpers.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7f37548..fa81d2b 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -295,7 +295,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + + + static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; +@@ -307,8 +307,7 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, +- MEMTXATTRS_UNSPECIFIED); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; +@@ -319,12 +318,14 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 diff --git a/poky/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch b/poky/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch new file mode 100644 index 0000000000..e9b99c9b4e --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch @@ -0,0 +1,121 @@ +From 1cbb2622de34ee034f1dd7196567673c52c84805 Mon Sep 17 00:00:00 2001 +From: Victor Colombo <victor.colombo@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 12/21] target/ppc: Move xs{max,min}[cj]dp to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=c5df1898a147c232f0502cda5dac8df6074070fc] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Victor Colombo <victor.colombo@eldorado.org.br> +Message-Id: <20211213120958.24443-3-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 17 +++++++++++++--- + target/ppc/translate/vsx-impl.c.inc | 30 +++++++++++++++++++++++++---- + target/ppc/translate/vsx-ops.c.inc | 4 ---- + 3 files changed, 40 insertions(+), 11 deletions(-) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index e135b8aba4..759b2a9aa5 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -123,10 +123,14 @@ + &X_vrt_frbp vrt frbp + @X_vrt_frbp ...... vrt:5 ..... ....0 .......... . &X_vrt_frbp frbp=%x_frbp + ++%xx_xt 0:1 21:5 ++%xx_xb 1:1 11:5 ++%xx_xa 2:1 16:5 + &XX2 xt xb uim:uint8_t +-%xx2_xt 0:1 21:5 +-%xx2_xb 1:1 11:5 +-@XX2 ...... ..... ... uim:2 ..... ......... .. &XX2 xt=%xx2_xt xb=%xx2_xb ++@XX2 ...... ..... ... uim:2 ..... ......... .. &XX2 xt=%xx_xt xb=%xx_xb ++ ++&XX3 xt xa xb ++@XX3 ...... ..... ..... ..... ........ ... &XX3 xt=%xx_xt xa=%xx_xa xb=%xx_xb + + &Z22_bf_fra bf fra dm + @Z22_bf_fra ...... bf:3 .. fra:5 dm:6 ......... . &Z22_bf_fra +@@ -427,3 +431,10 @@ XXSPLTW 111100 ..... ---.. ..... 010100100 . . @XX2 + ## VSX Vector Load Special Value Instruction + + LXVKQ 111100 ..... 11111 ..... 0101101000 . @X_uim5 ++ ++## VSX Comparison Instructions ++ ++XSMAXCDP 111100 ..... ..... ..... 10000000 ... @XX3 ++XSMINCDP 111100 ..... ..... ..... 10001000 ... @XX3 ++XSMAXJDP 111100 ..... ..... ..... 10010000 ... @XX3 ++XSMINJDP 111100 ..... ..... ..... 10011000 ... @XX3 +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 02df75339e..e2447750dd 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1098,10 +1098,6 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX) + GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX) + GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300) +@@ -2185,6 +2181,32 @@ TRANS(XXBLENDVH, do_xxblendv, MO_16) + TRANS(XXBLENDVW, do_xxblendv, MO_32) + TRANS(XXBLENDVD, do_xxblendv, MO_64) + ++static bool do_xsmaxmincjdp(DisasContext *ctx, arg_XX3 *a, ++ void (*helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ TCGv_ptr xt, xa, xb; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ xt = gen_vsr_ptr(a->xt); ++ xa = gen_vsr_ptr(a->xa); ++ xb = gen_vsr_ptr(a->xb); ++ ++ helper(cpu_env, xt, xa, xb); ++ ++ tcg_temp_free_ptr(xt); ++ tcg_temp_free_ptr(xa); ++ tcg_temp_free_ptr(xb); ++ ++ return true; ++} ++ ++TRANS(XSMAXCDP, do_xsmaxmincjdp, gen_helper_xsmaxcdp) ++TRANS(XSMINCDP, do_xsmaxmincjdp, gen_helper_xsmincdp) ++TRANS(XSMAXJDP, do_xsmaxmincjdp, gen_helper_xsmaxjdp) ++TRANS(XSMINJDP, do_xsmaxmincjdp, gen_helper_xsminjdp) ++ + #undef GEN_XX2FORM + #undef GEN_XX3FORM + #undef GEN_XX2IFORM +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index 152d1e5c3b..f980bc1bae 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -207,10 +207,6 @@ GEN_VSX_XFORM_300(xscmpoqp, 0x04, 0x04, 0x00600001), + GEN_VSX_XFORM_300(xscmpuqp, 0x04, 0x14, 0x00600001), + GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), + GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), +-GEN_XX3FORM(xsmaxcdp, 0x00, 0x10, PPC2_ISA300), +-GEN_XX3FORM(xsmincdp, 0x00, 0x11, PPC2_ISA300), +-GEN_XX3FORM(xsmaxjdp, 0x00, 0x12, PPC2_ISA300), +-GEN_XX3FORM(xsminjdp, 0x00, 0x13, PPC2_ISA300), + GEN_XX2FORM_EO(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300), + GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), + GEN_XX2FORM(xscvdpspn, 0x16, 0x10, PPC2_VSX207), +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..9837516422 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,129 @@ +From 392e48af3468d7f8e49db33fdc9e28b5f99276ce Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 23:02:21 +0100 +Subject: [PATCH] dma: Let dma_buf_write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_write(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-12-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/ide/ahci.c | 6 ++++-- + hw/nvme/ctrl.c | 3 ++- + hw/scsi/megasas.c | 2 +- + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 8e77ddb..079d297 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1381,8 +1381,10 @@ static void ahci_pio_transfer(const IDEDMA *dma) + has_sglist ? "" : "o"); + + if (has_sglist && size) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (is_write) { +- dma_buf_write(s->data_ptr, size, &s->sg); ++ dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { + dma_buf_read(s->data_ptr, size, &s->sg); + } +@@ -1479,7 +1481,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write) + if (is_write) { + dma_buf_read(p, l, &s->sg); + } else { +- dma_buf_write(p, l, &s->sg); ++ dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } + + /* free sglist, update byte count */ +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c4..e1a531d 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1146,10 +1146,11 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len, + assert(sg->flags & NVME_SG_ALLOC); + + if (sg->flags & NVME_SG_DMA) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint64_t residual; + + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { +- residual = dma_buf_write(ptr, len, &sg->qsg); ++ residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { + residual = dma_buf_read(ptr, len, &sg->qsg); + } +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 2dae33f..79fd14c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write(&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c +index 77325d8..64a506a 100644 +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1423,7 +1423,7 @@ void scsi_req_data(SCSIRequest *req, int len) + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { + req->resid = dma_buf_read(buf, len, req->sg); + } else { +- req->resid = dma_buf_write(buf, len, req->sg); ++ req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } + scsi_req_continue(req); + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 0d5b836..e3dd74a 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -303,7 +303,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index fa81d2b..2f1a241 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -322,10 +322,9 @@ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + MEMTXATTRS_UNSPECIFIED); + } + +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 diff --git a/poky/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch b/poky/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch new file mode 100644 index 0000000000..100dcd25bc --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch @@ -0,0 +1,41 @@ +From 98ff271a4d1a1d60ae53b1f742df7c188b163375 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 13/21] target/ppc: fix xscvqpdp register access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This instruction has VRT and VRB fields instead of T/TX and B/BX. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=38d4914c5065e14f0969161274793ded448f067f] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211213120958.24443-4-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/translate/vsx-impl.c.inc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index e2447750dd..ab5cb21f13 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -913,8 +913,9 @@ static void gen_xscvqpdp(DisasContext *ctx) + return; + } + opc = tcg_const_i32(ctx->opcode); +- xt = gen_vsr_ptr(xT(ctx->opcode)); +- xb = gen_vsr_ptr(xB(ctx->opcode)); ++ ++ xt = gen_vsr_ptr(rD(ctx->opcode) + 32); ++ xb = gen_vsr_ptr(rB(ctx->opcode) + 32); + gen_helper_xscvqpdp(cpu_env, opc, xt, xb); + tcg_temp_free_i32(opc); + tcg_temp_free_ptr(xt); +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..4057caa8b0 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,222 @@ +From 1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 23:29:52 +0100 +Subject: [PATCH] dma: Let dma_buf_read() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_read(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-13-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/ide/ahci.c | 4 ++-- + hw/nvme/ctrl.c | 2 +- + hw/scsi/megasas.c | 24 ++++++++++++------------ + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 079d297..205dfdc 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1386,7 +1386,7 @@ static void ahci_pio_transfer(const IDEDMA *dma) + if (is_write) { + dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { +- dma_buf_read(s->data_ptr, size, &s->sg); ++ dma_buf_read(s->data_ptr, size, &s->sg, attrs); + } + } + +@@ -1479,7 +1479,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write) + } + + if (is_write) { +- dma_buf_read(p, l, &s->sg); ++ dma_buf_read(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } else { + dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index e1a531d..462f79a 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1152,7 +1152,7 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len, + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { + residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { +- residual = dma_buf_read(ptr, len, &sg->qsg); ++ residual = dma_buf_read(ptr, len, &sg->qsg, attrs); + } + + if (unlikely(residual)) { +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 79fd14c..091a350 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd) + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd) + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd) + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd) + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd) + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1100,7 +1100,7 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, + info->connected_port_bitmap = 0x1; + info->device_speed = 1; + info->link_speed = 1; +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd) + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd) + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1271,7 +1271,7 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, + info->ld_config.span[0].num_blocks = info->size; + info->ld_config.span[0].array_ref = cpu_to_le16(sdev_id); + +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + ld_offset += sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd) + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c +index 64a506a..2b5e9dc 100644 +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1421,7 +1421,7 @@ void scsi_req_data(SCSIRequest *req, int len) + + buf = scsi_req_get_buf(req); + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { +- req->resid = dma_buf_read(buf, len, req->sg); ++ req->resid = dma_buf_read(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } else { + req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index e3dd74a..fd8f160 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,7 +302,7 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk, + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 2f1a241..a391773 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -316,10 +316,9 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + return resid; + } + +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch b/poky/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch new file mode 100644 index 0000000000..345a49c90c --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch @@ -0,0 +1,130 @@ +From c76ea6322bd70c36c9b396cf356167b36928e811 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 14/21] target/ppc: move xscvqpdp to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=caf6f9b568479bea6f6d97798be670f21641a006] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211213120958.24443-5-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 10 +++------- + target/ppc/helper.h | 2 +- + target/ppc/insn32.decode | 4 ++++ + target/ppc/translate/vsx-impl.c.inc | 24 +++++++++++++----------- + target/ppc/translate/vsx-ops.c.inc | 1 - + 5 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index ecdcd36a11..5cc7fb1dcb 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2631,18 +2631,14 @@ VSX_CVT_FP_TO_FP_HP(xscvhpdp, 1, float16, float64, VsrH(3), VsrD(0), 1) + VSX_CVT_FP_TO_FP_HP(xvcvsphp, 4, float32, float16, VsrW(i), VsrH(2 * i + 1), 0) + VSX_CVT_FP_TO_FP_HP(xvcvhpsp, 4, float16, float32, VsrH(2 * i + 1), VsrW(i), 0) + +-/* +- * xscvqpdp isn't using VSX_CVT_FP_TO_FP() because xscvqpdpo will be +- * added to this later. +- */ +-void helper_xscvqpdp(CPUPPCState *env, uint32_t opcode, +- ppc_vsr_t *xt, ppc_vsr_t *xb) ++void helper_XSCVQPDP(CPUPPCState *env, uint32_t ro, ppc_vsr_t *xt, ++ ppc_vsr_t *xb) + { + ppc_vsr_t t = { }; + float_status tstat; + + tstat = env->fp_status; +- if (unlikely(Rc(opcode) != 0)) { ++ if (ro != 0) { + tstat.float_rounding_mode = float_round_to_odd; + } + +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index 12a3d5f269..ef5bdd38a7 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -400,7 +400,7 @@ DEF_HELPER_3(xscvdphp, void, env, vsr, vsr) + DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr) + DEF_HELPER_2(xscvdpspn, i64, env, i64) +-DEF_HELPER_4(xscvqpdp, void, env, i32, vsr, vsr) ++DEF_HELPER_4(XSCVQPDP, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpsdz, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpswz, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpudz, void, env, i32, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 759b2a9aa5..fd6bb13fa0 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -438,3 +438,7 @@ XSMAXCDP 111100 ..... ..... ..... 10000000 ... @XX3 + XSMINCDP 111100 ..... ..... ..... 10001000 ... @XX3 + XSMAXJDP 111100 ..... ..... ..... 10010000 ... @XX3 + XSMINJDP 111100 ..... ..... ..... 10011000 ... @XX3 ++ ++## VSX Binary Floating-Point Convert Instructions ++ ++XSCVQPDP 111111 ..... 10100 ..... 1101000100 . @X_tb_rc +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index ab5cb21f13..c08185e857 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -904,22 +904,24 @@ VSX_CMP(xvcmpgesp, 0x0C, 0x0A, 0, PPC2_VSX) + VSX_CMP(xvcmpgtsp, 0x0C, 0x09, 0, PPC2_VSX) + VSX_CMP(xvcmpnesp, 0x0C, 0x0B, 0, PPC2_VSX) + +-static void gen_xscvqpdp(DisasContext *ctx) ++static bool trans_XSCVQPDP(DisasContext *ctx, arg_X_tb_rc *a) + { +- TCGv_i32 opc; ++ TCGv_i32 ro; + TCGv_ptr xt, xb; +- if (unlikely(!ctx->vsx_enabled)) { +- gen_exception(ctx, POWERPC_EXCP_VSXU); +- return; +- } +- opc = tcg_const_i32(ctx->opcode); + +- xt = gen_vsr_ptr(rD(ctx->opcode) + 32); +- xb = gen_vsr_ptr(rB(ctx->opcode) + 32); +- gen_helper_xscvqpdp(cpu_env, opc, xt, xb); +- tcg_temp_free_i32(opc); ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ ro = tcg_const_i32(a->rc); ++ ++ xt = gen_avr_ptr(a->rt); ++ xb = gen_avr_ptr(a->rb); ++ gen_helper_XSCVQPDP(cpu_env, ro, xt, xb); ++ tcg_temp_free_i32(ro); + tcg_temp_free_ptr(xt); + tcg_temp_free_ptr(xb); ++ ++ return true; + } + + #define GEN_VSX_HELPER_2(name, op1, op2, inval, type) \ +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index f980bc1bae..c974324c4c 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -133,7 +133,6 @@ GEN_VSX_XFORM_300_EO(xsnabsqp, 0x04, 0x19, 0x08, 0x00000001), + GEN_VSX_XFORM_300_EO(xsnegqp, 0x04, 0x19, 0x10, 0x00000001), + GEN_VSX_XFORM_300(xscpsgnqp, 0x04, 0x03, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvdpqp, 0x04, 0x1A, 0x16, 0x00000001), +-GEN_VSX_XFORM_300_EO(xscvqpdp, 0x04, 0x1A, 0x14, 0x0), + GEN_VSX_XFORM_300_EO(xscvqpsdz, 0x04, 0x1A, 0x19, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvqpswz, 0x04, 0x1A, 0x09, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvqpudz, 0x04, 0x1A, 0x11, 0x00000001), +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch b/poky/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..571ce9cc9b --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch @@ -0,0 +1,91 @@ +From 292e13142d277c15bdd68331abc607e46628b7e1 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 23:38:52 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_rw() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Since dma_buf_rw() was previously returning the QEMUSGList +size not consumed, add an extra argument where this size +can be stored. + +Update the 2 callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-14-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + softmmu/dma-helpers.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index a391773..b0be156 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,12 +294,14 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir, MemTxAttrs attrs) ++static MemTxResult dma_buf_rw(void *buf, int32_t len, uint64_t *residp, ++ QEMUSGList *sg, DMADirection dir, ++ MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; ++ MemTxResult res = MEMTX_OK; + + resid = sg->size; + sg_cur_index = 0; +@@ -307,23 +309,34 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); ++ res |= dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; + } + +- return resid; ++ if (residp) { ++ *residp = resid; ++ } ++ return res; + } + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ ++ return resid; + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ ++ return resid; + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch b/poky/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch new file mode 100644 index 0000000000..5c5f972961 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch @@ -0,0 +1,70 @@ +From 7448ee811d86b18a7f7f59e20853bd852e548f59 Mon Sep 17 00:00:00 2001 +From: "Lucas Mateus Castro (alqotel)" <lucas.araujo@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 15/21] target/ppc: ppc_store_fpscr doesn't update bits 0 to 28 + and 52 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit fixes the difference reported in the bug in the reserved +bit 52, it does this by adding this bit to the mask of bits to not be +directly altered in the ppc_store_fpscr function (the hardware used to +compare to QEMU was a Power9). + +The bits 0 to 27 were also added to the mask, as they are marked as +reserved in the PowerISA and bit 28 is a reserved extension of the DRN +field (bits 29:31) but can't be set using mtfsfi, while the other DRN +bits may be set using mtfsfi instruction, so bit 28 was also added to +the mask. + +Although this is a difference reported in the bug, since it's a reserved +bit it may be a "don't care" case, as put in the bug report. Looking at +the ISA it doesn't explicitly mention this bit can't be set, like it +does for FEX and VX, so I'm unsure if this is necessary. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/266 + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=25ee608d79c1890c0f4e8c495ec8629d5712de45] + +Signed-off-by: Lucas Mateus Castro (alqotel) <lucas.araujo@eldorado.org.br> +Message-Id: <20211201163808.440385-4-lucas.araujo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/cpu.c | 2 +- + target/ppc/cpu.h | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/target/ppc/cpu.c b/target/ppc/cpu.c +index f933d9f2bd..d7b42bae52 100644 +--- a/target/ppc/cpu.c ++++ b/target/ppc/cpu.c +@@ -112,7 +112,7 @@ static inline void fpscr_set_rounding_mode(CPUPPCState *env) + + void ppc_store_fpscr(CPUPPCState *env, target_ulong val) + { +- val &= ~(FP_VX | FP_FEX); ++ val &= FPSCR_MTFS_MASK; + if (val & FPSCR_IX) { + val |= FP_VX; + } +diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h +index e946da5f3a..441d3dce19 100644 +--- a/target/ppc/cpu.h ++++ b/target/ppc/cpu.h +@@ -759,6 +759,10 @@ enum { + FP_VXZDZ | FP_VXIMZ | FP_VXVC | FP_VXSOFT | \ + FP_VXSQRT | FP_VXCVI) + ++/* FPSCR bits that can be set by mtfsf, mtfsfi and mtfsb1 */ ++#define FPSCR_MTFS_MASK (~(MAKE_64BIT_MASK(36, 28) | PPC_BIT(28) | \ ++ FP_FEX | FP_VX | PPC_BIT(52))) ++ + /*****************************************************************************/ + /* Vector status and control register */ + #define VSCR_NJ 16 /* Vector non-java */ +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..7f56dcb6eb --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,120 @@ +From 2280c27afc65bb2af95dd44a88e3b7117bfe240a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:53:34 +0100 +Subject: [PATCH] dma: Let st*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-16-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/nvram/fw_cfg.c | 4 ++-- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 12 ++++++++---- + include/sysemu/dma.h | 10 ++++++---- + 4 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index 9b91b15..e5f3c981 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -360,7 +360,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (dma_memory_read(s->dma_as, dma_addr, + &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- FW_CFG_DMA_CTL_ERROR); ++ FW_CFG_DMA_CTL_ERROR, MEMTXATTRS_UNSPECIFIED); + return; + } + +@@ -446,7 +446,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- dma.control); ++ dma.control, MEMTXATTRS_UNSPECIFIED); + + trace_fw_cfg_read(s, 0); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index a751ab5..d07e970 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,7 +859,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val); \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 5d2ea8e..e87f8e6 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -118,10 +118,14 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + H_DEST_PARM : H_SUCCESS; + } + +-#define vio_stb(_dev, _addr, _val) (stb_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_sth(_dev, _addr, _val) (stw_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stl(_dev, _addr, _val) (stl_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stq(_dev, _addr, _val) (stq_be_dma(&(_dev)->as, (_addr), (_val))) ++#define vio_stb(_dev, _addr, _val) \ ++ (stb_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_sth(_dev, _addr, _val) \ ++ (stw_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stl(_dev, _addr, _val) \ ++ (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stq(_dev, _addr, _val) \ ++ (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index fd8f160..009dd3c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -249,10 +249,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ +- uint##_bits##_t val) \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) +@@ -263,9 +264,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) ++static inline void stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch b/poky/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch new file mode 100644 index 0000000000..3b651c0b3e --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch @@ -0,0 +1,133 @@ +From 232f979babccd6dfac40a54ee33521e652a0577c Mon Sep 17 00:00:00 2001 +From: Luis Pires <luis.pires@eldorado.org.br> +Date: Wed, 2 Mar 2022 06:51:36 +0100 +Subject: [PATCH 16/21] target/ppc: Introduce TRANS*FLAGS macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +New macros that add FLAGS and FLAGS2 checking were added for +both TRANS and TRANS64. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=19f0862dd8fa6510b2f5b3aff4859363602cd0cf] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Luis Pires <luis.pires@eldorado.org.br> +[ferst: - TRANS_FLAGS2 instead of TRANS_FLAGS_E + - Use the new macros in load/store vector insns ] +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20220225210936.1749575-2-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/translate.c | 19 +++++++++++++++ + target/ppc/translate/vsx-impl.c.inc | 37 ++++++++++------------------- + 2 files changed, 31 insertions(+), 25 deletions(-) + +diff --git a/target/ppc/translate.c b/target/ppc/translate.c +index 9960df6e18..c12abc32f6 100644 +--- a/target/ppc/translate.c ++++ b/target/ppc/translate.c +@@ -7377,10 +7377,29 @@ static int times_16(DisasContext *ctx, int x) + #define TRANS(NAME, FUNC, ...) \ + static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ + { return FUNC(ctx, a, __VA_ARGS__); } ++#define TRANS_FLAGS(FLAGS, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_INSNS_FLAGS(ctx, FLAGS); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } ++#define TRANS_FLAGS2(FLAGS2, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_INSNS_FLAGS2(ctx, FLAGS2); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } + + #define TRANS64(NAME, FUNC, ...) \ + static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ + { REQUIRE_64BIT(ctx); return FUNC(ctx, a, __VA_ARGS__); } ++#define TRANS64_FLAGS2(FLAGS2, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_64BIT(ctx); \ ++ REQUIRE_INSNS_FLAGS2(ctx, FLAGS2); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } + + /* TODO: More TRANS* helpers for extra insn_flags checks. */ + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index c08185e857..99c8a57e50 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -2070,12 +2070,6 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ, + + static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired) + { +- if (paired) { +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); +- } else { +- REQUIRE_INSNS_FLAGS2(ctx, ISA300); +- } +- + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { +@@ -2089,7 +2083,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + bool store, bool paired) + { + arg_D d; +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); + REQUIRE_VSX(ctx); + + if (!resolve_PLS_D(ctx, &d, a)) { +@@ -2101,12 +2094,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + + static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + { +- if (paired) { +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); +- } else { +- REQUIRE_INSNS_FLAGS2(ctx, ISA300); +- } +- + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { +@@ -2116,18 +2103,18 @@ static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + return do_lstxv(ctx, a->ra, cpu_gpr[a->rb], a->rt, store, paired); + } + +-TRANS(STXV, do_lstxv_D, true, false) +-TRANS(LXV, do_lstxv_D, false, false) +-TRANS(STXVP, do_lstxv_D, true, true) +-TRANS(LXVP, do_lstxv_D, false, true) +-TRANS(STXVX, do_lstxv_X, true, false) +-TRANS(LXVX, do_lstxv_X, false, false) +-TRANS(STXVPX, do_lstxv_X, true, true) +-TRANS(LXVPX, do_lstxv_X, false, true) +-TRANS64(PSTXV, do_lstxv_PLS_D, true, false) +-TRANS64(PLXV, do_lstxv_PLS_D, false, false) +-TRANS64(PSTXVP, do_lstxv_PLS_D, true, true) +-TRANS64(PLXVP, do_lstxv_PLS_D, false, true) ++TRANS_FLAGS2(ISA300, STXV, do_lstxv_D, true, false) ++TRANS_FLAGS2(ISA300, LXV, do_lstxv_D, false, false) ++TRANS_FLAGS2(ISA310, STXVP, do_lstxv_D, true, true) ++TRANS_FLAGS2(ISA310, LXVP, do_lstxv_D, false, true) ++TRANS_FLAGS2(ISA300, STXVX, do_lstxv_X, true, false) ++TRANS_FLAGS2(ISA300, LXVX, do_lstxv_X, false, false) ++TRANS_FLAGS2(ISA310, STXVPX, do_lstxv_X, true, true) ++TRANS_FLAGS2(ISA310, LXVPX, do_lstxv_X, false, true) ++TRANS64_FLAGS2(ISA310, PSTXV, do_lstxv_PLS_D, true, false) ++TRANS64_FLAGS2(ISA310, PLXV, do_lstxv_PLS_D, false, false) ++TRANS64_FLAGS2(ISA310, PSTXVP, do_lstxv_PLS_D, true, true) ++TRANS64_FLAGS2(ISA310, PLXVP, do_lstxv_PLS_D, false, true) + + static void gen_xxblendv_vec(unsigned vece, TCGv_vec t, TCGv_vec a, TCGv_vec b, + TCGv_vec c) +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..a51451d343 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,151 @@ +From 34cdea1db600540a5261dc474e986f28b637c8e6 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:18:07 +0100 +Subject: [PATCH] dma: Let ld*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-17-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/intc/pnv_xive.c | 7 ++++--- + hw/usb/hcd-xhci.c | 6 +++--- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + 5 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c +index ad43483..d9249bb 100644 +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,7 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -542,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index ed2b9ea..d960b81 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid); ++ poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3437,8 +3437,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) + if (!slot->addressed) { + continue; + } +- slot->ctx = +- xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid)); ++ slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, ++ MEMTXATTRS_UNSPECIFIED)); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index d07e970..0613308 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,7 +854,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr); \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index e87f8e6..d2ec9b0 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -126,7 +126,8 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) +-#define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) ++#define vio_ldq(_dev, _addr) \ ++ (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 009dd3c..d1635f5 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -241,10 +241,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ + static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -253,14 +254,14 @@ static inline void dma_memory_unmap(AddressSpace *as, + MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) ++static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(as, addr, &val, 1, attrs); + return val; + } + +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch b/poky/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch new file mode 100644 index 0000000000..6d6d6b86ed --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch @@ -0,0 +1,105 @@ +From 4c6a16c2bcdd14249eef876d3d029c445716fb13 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 17/21] target/ppc: Implement Vector Expand Mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +vexpandbm: Vector Expand Byte Mask +vexpandhm: Vector Expand Halfword Mask +vexpandwm: Vector Expand Word Mask +vexpanddm: Vector Expand Doubleword Mask +vexpandqm: Vector Expand Quadword Mask + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=5f1470b091007f24035d6d33149df49a6dd61682] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211203194229.746275-2-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 11 ++++++++++ + target/ppc/translate/vmx-impl.c.inc | 34 +++++++++++++++++++++++++++++ + 2 files changed, 45 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index fd6bb13fa0..e032251c74 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -56,6 +56,9 @@ + &VX_uim4 vrt uim vrb + @VX_uim4 ...... vrt:5 . uim:4 vrb:5 ........... &VX_uim4 + ++&VX_tb vrt vrb ++@VX_tb ...... vrt:5 ..... vrb:5 ........... &VX_tb ++ + &X rt ra rb + @X ...... rt:5 ra:5 rb:5 .......... . &X + +@@ -412,6 +415,14 @@ VINSWVRX 000100 ..... ..... ..... 00110001111 @VX + VSLDBI 000100 ..... ..... ..... 00 ... 010110 @VN + VSRDBI 000100 ..... ..... ..... 01 ... 010110 @VN + ++## Vector Mask Manipulation Instructions ++ ++VEXPANDBM 000100 ..... 00000 ..... 11001000010 @VX_tb ++VEXPANDHM 000100 ..... 00001 ..... 11001000010 @VX_tb ++VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb ++VEXPANDDM 000100 ..... 00011 ..... 11001000010 @VX_tb ++VEXPANDQM 000100 ..... 00100 ..... 11001000010 @VX_tb ++ + # VSX Load/Store Instructions + + LXV 111101 ..... ..... ............ . 001 @DQ_TSX +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index 8eb8d3a067..ebb0484323 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1491,6 +1491,40 @@ static bool trans_VSRDBI(DisasContext *ctx, arg_VN *a) + return true; + } + ++static bool do_vexpand(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tcg_gen_gvec_sari(vece, avr_full_offset(a->vrt), avr_full_offset(a->vrb), ++ (8 << vece) - 1, 16, 16); ++ ++ return true; ++} ++ ++TRANS(VEXPANDBM, do_vexpand, MO_8) ++TRANS(VEXPANDHM, do_vexpand, MO_16) ++TRANS(VEXPANDWM, do_vexpand, MO_32) ++TRANS(VEXPANDDM, do_vexpand, MO_64) ++ ++static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ get_avr64(tmp, a->vrb, true); ++ tcg_gen_sari_i64(tmp, tmp, 63); ++ set_avr64(a->vrt, tmp, false); ++ set_avr64(a->vrt, tmp, true); ++ ++ tcg_temp_free_i64(tmp); ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch b/poky/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..3fc7b631a4 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch @@ -0,0 +1,65 @@ +From 24aed6bcb6b6d266149591f955c2460c28759eb4 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:56:14 +0100 +Subject: [PATCH] dma: Let st*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_write() returns a MemTxResult type. Do not discard +it, return it to the caller. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-18-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/sysemu/dma.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d1635f5..895044d 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -248,13 +248,13 @@ static inline void dma_memory_unmap(AddressSpace *as, + dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ +- static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ +- { \ +- val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ val = cpu_to_##_end##_bits(val); \ ++ return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) +@@ -265,10 +265,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs att + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, +- uint8_t val, MemTxAttrs attrs) ++static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, attrs); ++ return dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch b/poky/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch new file mode 100644 index 0000000000..57450c6fb7 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch @@ -0,0 +1,141 @@ +From 2dc8450e80b82c481904570dce789843b031db13 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 18/21] target/ppc: Implement Vector Extract Mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +vextractbm: Vector Extract Byte Mask +vextracthm: Vector Extract Halfword Mask +vextractwm: Vector Extract Word Mask +vextractdm: Vector Extract Doubleword Mask +vextractqm: Vector Extract Quadword Mask + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=17868d81e0074905b2c1e414af6618570e8059eb] + +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211203194229.746275-3-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 6 +++ + target/ppc/translate/vmx-impl.c.inc | 82 +++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index e032251c74..b0568b1356 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -423,6 +423,12 @@ VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb + VEXPANDDM 000100 ..... 00011 ..... 11001000010 @VX_tb + VEXPANDQM 000100 ..... 00100 ..... 11001000010 @VX_tb + ++VEXTRACTBM 000100 ..... 01000 ..... 11001000010 @VX_tb ++VEXTRACTHM 000100 ..... 01001 ..... 11001000010 @VX_tb ++VEXTRACTWM 000100 ..... 01010 ..... 11001000010 @VX_tb ++VEXTRACTDM 000100 ..... 01011 ..... 11001000010 @VX_tb ++VEXTRACTQM 000100 ..... 01100 ..... 11001000010 @VX_tb ++ + # VSX Load/Store Instructions + + LXV 111101 ..... ..... ............ . 001 @DQ_TSX +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index ebb0484323..96c97bf6e7 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1525,6 +1525,88 @@ static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a) + return true; + } + ++static bool do_vextractm(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece, ++ mask = dup_const(vece, 1 << (elem_width - 1)); ++ uint64_t i, j; ++ TCGv_i64 lo, hi, t0, t1; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = tcg_temp_new_i64(); ++ lo = tcg_temp_new_i64(); ++ t0 = tcg_temp_new_i64(); ++ t1 = tcg_temp_new_i64(); ++ ++ get_avr64(lo, a->vrb, false); ++ get_avr64(hi, a->vrb, true); ++ ++ tcg_gen_andi_i64(lo, lo, mask); ++ tcg_gen_andi_i64(hi, hi, mask); ++ ++ /* ++ * Gather the most significant bit of each element in the highest element ++ * element. E.g. for bytes: ++ * aXXXXXXXbXXXXXXXcXXXXXXXdXXXXXXXeXXXXXXXfXXXXXXXgXXXXXXXhXXXXXXX ++ * & dup(1 << (elem_width - 1)) ++ * a0000000b0000000c0000000d0000000e0000000f0000000g0000000h0000000 ++ * << 32 - 4 ++ * 0000e0000000f0000000g0000000h00000000000000000000000000000000000 ++ * | ++ * a000e000b000f000c000g000d000h000e0000000f0000000g0000000h0000000 ++ * << 16 - 2 ++ * 00c000g000d000h000e0000000f0000000g0000000h000000000000000000000 ++ * | ++ * a0c0e0g0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h0000000 ++ * << 8 - 1 ++ * 0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h00000000000000 ++ * | ++ * abcdefghbcdefgh0cdefgh00defgh000efgh0000fgh00000gh000000h0000000 ++ */ ++ for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) { ++ tcg_gen_shli_i64(t0, hi, j - i); ++ tcg_gen_shli_i64(t1, lo, j - i); ++ tcg_gen_or_i64(hi, hi, t0); ++ tcg_gen_or_i64(lo, lo, t1); ++ } ++ ++ tcg_gen_shri_i64(hi, hi, 64 - elem_count_half); ++ tcg_gen_extract2_i64(lo, lo, hi, 64 - elem_count_half); ++ tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], lo); ++ ++ tcg_temp_free_i64(hi); ++ tcg_temp_free_i64(lo); ++ tcg_temp_free_i64(t0); ++ tcg_temp_free_i64(t1); ++ ++ return true; ++} ++ ++TRANS(VEXTRACTBM, do_vextractm, MO_8) ++TRANS(VEXTRACTHM, do_vextractm, MO_16) ++TRANS(VEXTRACTWM, do_vextractm, MO_32) ++TRANS(VEXTRACTDM, do_vextractm, MO_64) ++ ++static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ get_avr64(tmp, a->vrb, true); ++ tcg_gen_shri_i64(tmp, tmp, 63); ++ tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], tmp); ++ ++ tcg_temp_free_i64(tmp); ++ ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch b/poky/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..d8a136c47f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch @@ -0,0 +1,175 @@ +From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:31:11 +0100 +Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_read() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-19-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/intc/pnv_xive.c | 8 ++++---- + hw/usb/hcd-xhci.c | 7 ++++--- + include/hw/pci/pci.h | 6 ++++-- + include/hw/ppc/spapr_vio.h | 6 +++++- + include/sysemu/dma.h | 25 ++++++++++++------------- + 5 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c +index d9249bb..bb20751 100644 +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index d960b81..da5a407 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3429,6 +3429,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) + uint32_t slot_ctx[4]; + uint32_t ep_ctx[5]; + int slotid, epid, state; ++ uint64_t addr; + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); + +@@ -3437,8 +3438,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) + if (!slot->addressed) { + continue; + } +- slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, +- MEMTXATTRS_UNSPECIFIED)); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); ++ slot->ctx = xhci_mask64(addr); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 0613308..8c5f2ed 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ uint##_bits##_t val; \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ ++ MEMTXATTRS_UNSPECIFIED); \ ++ return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index d2ec9b0..7eae1a4 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) \ +- (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) ++ ({ \ ++ uint64_t _val; \ ++ ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \ ++ _val; \ ++ }) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 895044d..b3faef4 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(AddressSpace *as, + } + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ +- static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ +- return _end##_bits##_to_cpu(val); \ +- } \ ++ static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *pval, \ ++ MemTxAttrs attrs) \ ++ { \ ++ MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \ ++ _end##_bits##_to_cpus(pval); \ ++ return res; \ ++ } \ + static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(AddressSpace *as, + return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) ++static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t *val, MemTxAttrs attrs) + { +- uint8_t val; +- +- dma_memory_read(as, addr, &val, 1, attrs); +- return val; ++ return dma_memory_read(as, addr, val, 1, attrs); + } + + static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch b/poky/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch new file mode 100644 index 0000000000..96fda98771 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch @@ -0,0 +1,187 @@ +From 4d5202aad706fd338646d19aafbf255c3864333c Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 19/21] target/ppc: Implement Vector Mask Move insns +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +mtvsrbm: Move to VSR Byte Mask +mtvsrhm: Move to VSR Halfword Mask +mtvsrwm: Move to VSR Word Mask +mtvsrdm: Move to VSR Doubleword Mask +mtvsrqm: Move to VSR Quadword Mask +mtvsrbmi: Move to VSR Byte Mask Immediate + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=9193eaa901c54dbff4a91ea0b12a99e0135dbca1] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211203194229.746275-4-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 11 +++ + target/ppc/translate/vmx-impl.c.inc | 115 ++++++++++++++++++++++++++++ + 2 files changed, 126 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index b0568b1356..8bdc059a4c 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -40,6 +40,10 @@ + %ds_rtp 22:4 !function=times_2 + @DS_rtp ...... ....0 ra:5 .............. .. &D rt=%ds_rtp si=%ds_si + ++&DX_b vrt b ++%dx_b 6:10 16:5 0:1 ++@DX_b ...... vrt:5 ..... .......... ..... . &DX_b b=%dx_b ++ + &DX rt d + %dx_d 6:s10 16:5 0:1 + @DX ...... rt:5 ..... .......... ..... . &DX d=%dx_d +@@ -417,6 +421,13 @@ VSRDBI 000100 ..... ..... ..... 01 ... 010110 @VN + + ## Vector Mask Manipulation Instructions + ++MTVSRBM 000100 ..... 10000 ..... 11001000010 @VX_tb ++MTVSRHM 000100 ..... 10001 ..... 11001000010 @VX_tb ++MTVSRWM 000100 ..... 10010 ..... 11001000010 @VX_tb ++MTVSRDM 000100 ..... 10011 ..... 11001000010 @VX_tb ++MTVSRQM 000100 ..... 10100 ..... 11001000010 @VX_tb ++MTVSRBMI 000100 ..... ..... .......... 01010 . @DX_b ++ + VEXPANDBM 000100 ..... 00000 ..... 11001000010 @VX_tb + VEXPANDHM 000100 ..... 00001 ..... 11001000010 @VX_tb + VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index 96c97bf6e7..d5e02fd7f2 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1607,6 +1607,121 @@ static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a) + return true; + } + ++static bool do_mtvsrm(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece; ++ uint64_t c; ++ int i, j; ++ TCGv_i64 hi, lo, t0, t1; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = tcg_temp_new_i64(); ++ lo = tcg_temp_new_i64(); ++ t0 = tcg_temp_new_i64(); ++ t1 = tcg_temp_new_i64(); ++ ++ tcg_gen_extu_tl_i64(t0, cpu_gpr[a->vrb]); ++ tcg_gen_extract_i64(hi, t0, elem_count_half, elem_count_half); ++ tcg_gen_extract_i64(lo, t0, 0, elem_count_half); ++ ++ /* ++ * Spread the bits into their respective elements. ++ * E.g. for bytes: ++ * 00000000000000000000000000000000000000000000000000000000abcdefgh ++ * << 32 - 4 ++ * 0000000000000000000000000000abcdefgh0000000000000000000000000000 ++ * | ++ * 0000000000000000000000000000abcdefgh00000000000000000000abcdefgh ++ * << 16 - 2 ++ * 00000000000000abcdefgh00000000000000000000abcdefgh00000000000000 ++ * | ++ * 00000000000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh ++ * << 8 - 1 ++ * 0000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh0000000 ++ * | ++ * 0000000abcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgh ++ * & dup(1) ++ * 0000000a0000000b0000000c0000000d0000000e0000000f0000000g0000000h ++ * * 0xff ++ * aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhh ++ */ ++ for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) { ++ tcg_gen_shli_i64(t0, hi, j - i); ++ tcg_gen_shli_i64(t1, lo, j - i); ++ tcg_gen_or_i64(hi, hi, t0); ++ tcg_gen_or_i64(lo, lo, t1); ++ } ++ ++ c = dup_const(vece, 1); ++ tcg_gen_andi_i64(hi, hi, c); ++ tcg_gen_andi_i64(lo, lo, c); ++ ++ c = MAKE_64BIT_MASK(0, elem_width); ++ tcg_gen_muli_i64(hi, hi, c); ++ tcg_gen_muli_i64(lo, lo, c); ++ ++ set_avr64(a->vrt, lo, false); ++ set_avr64(a->vrt, hi, true); ++ ++ tcg_temp_free_i64(hi); ++ tcg_temp_free_i64(lo); ++ tcg_temp_free_i64(t0); ++ tcg_temp_free_i64(t1); ++ ++ return true; ++} ++ ++TRANS(MTVSRBM, do_mtvsrm, MO_8) ++TRANS(MTVSRHM, do_mtvsrm, MO_16) ++TRANS(MTVSRWM, do_mtvsrm, MO_32) ++TRANS(MTVSRDM, do_mtvsrm, MO_64) ++ ++static bool trans_MTVSRQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ tcg_gen_ext_tl_i64(tmp, cpu_gpr[a->vrb]); ++ tcg_gen_sextract_i64(tmp, tmp, 0, 1); ++ set_avr64(a->vrt, tmp, false); ++ set_avr64(a->vrt, tmp, true); ++ ++ tcg_temp_free_i64(tmp); ++ ++ return true; ++} ++ ++static bool trans_MTVSRBMI(DisasContext *ctx, arg_DX_b *a) ++{ ++ const uint64_t mask = dup_const(MO_8, 1); ++ uint64_t hi, lo; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = extract16(a->b, 8, 8); ++ lo = extract16(a->b, 0, 8); ++ ++ for (int i = 4, j = 32; i > 0; i >>= 1, j >>= 1) { ++ hi |= hi << (j - i); ++ lo |= lo << (j - i); ++ } ++ ++ hi = (hi & mask) * 0xFF; ++ lo = (lo & mask) * 0xFF; ++ ++ set_avr64(a->vrt, tcg_constant_i64(hi), true); ++ set_avr64(a->vrt, tcg_constant_i64(lo), false); ++ ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..69101f308d --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,303 @@ +From a423a1b523296f8798a5851aaaba64dd166c0a74 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:39:42 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-21-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 10 ++++++---- + hw/net/eepro100.c | 29 ++++++++++++++++++----------- + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 15 ++++++++++----- + hw/scsi/vmw_pvscsi.c | 3 ++- + include/hw/pci/pci.h | 11 ++++++----- + 6 files changed, 52 insertions(+), 34 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index fb3d34a..3309ae0 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,6 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -367,8 +368,8 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*wp, response); +- stl_le_pci_dma(&d->pci, addr + 8*wp + 4, ex); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +@@ -394,6 +395,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + uint8_t *buf, uint32_t len) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -428,7 +430,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + st->be, st->bp, st->bpl[st->be].len, copy); + + pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + st->lpib += copy; + st->bp += copy; + buf += copy; +@@ -451,7 +453,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + if (d->dp_lbase & 0x01) { + s = st - d->st; + addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*s, st->lpib); ++ stl_le_pci_dma(&d->pci, addr + 8 * s, st->lpib, attrs); + } + dprint(d, 3, "dma: --\n"); + +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 16e95ef..83c4431 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -700,6 +700,8 @@ static void set_ru_state(EEPRO100State * s, ru_state_t state) + + static void dump_statistics(EEPRO100State * s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + /* Dump statistical data. Most data is never changed by the emulation + * and always 0, so we first just copy the whole block and then those + * values which really matter. +@@ -707,16 +709,18 @@ static void dump_statistics(EEPRO100State * s) + */ + pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size); + stl_le_pci_dma(&s->dev, s->statsaddr + 0, +- s->statistics.tx_good_frames); ++ s->statistics.tx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 36, +- s->statistics.rx_good_frames); ++ s->statistics.rx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 48, +- s->statistics.rx_resource_errors); ++ s->statistics.rx_resource_errors, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 60, +- s->statistics.rx_short_frame_errors); ++ s->statistics.rx_short_frame_errors, attrs); + #if 0 +- stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames); +- stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 76, ++ s->statistics.xmt_tco_frames, attrs); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 78, ++ s->statistics.rcv_tco_frames, attrs); + missing("CU dump statistical counters"); + #endif + } +@@ -833,6 +837,7 @@ static void set_multicast_list(EEPRO100State *s) + + static void action_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + /* The loop below won't stop if it gets special handcrafted data. + Therefore we limit the number of iterations. */ + unsigned max_loop_count = 16; +@@ -911,7 +916,7 @@ static void action_command(EEPRO100State *s) + } + /* Write new status. */ + stw_le_pci_dma(&s->dev, s->cb_address, +- s->tx.status | ok_status | STATUS_C); ++ s->tx.status | ok_status | STATUS_C, attrs); + if (bit_i) { + /* CU completed action. */ + eepro100_cx_interrupt(s); +@@ -937,6 +942,7 @@ static void action_command(EEPRO100State *s) + + static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + cu_state_t cu_state; + switch (val) { + case CU_NOP: +@@ -986,7 +992,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + /* Dump statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs); + break; + case CU_CMD_BASE: + /* Load CU base. */ +@@ -997,7 +1003,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + /* Dump and reset statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs); + memset(&s->statistics, 0, sizeof(s->statistics)); + break; + case CU_SRESUME: +@@ -1612,6 +1618,7 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size) + * - Magic packets should set bit 30 in power management driver register. + * - Interesting packets should set bit 29 in power management driver register. + */ ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + EEPRO100State *s = qemu_get_nic_opaque(nc); + uint16_t rfd_status = 0xa000; + #if defined(CONFIG_PAD_RECEIVED_FRAMES) +@@ -1726,9 +1733,9 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size) + TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n", + rfd_command, rx.link, rx.rx_buf_addr, rfd_size)); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, status), rfd_status); ++ offsetof(eepro100_rx_t, status), rfd_status, attrs); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, count), size); ++ offsetof(eepro100_rx_t, count), size, attrs); + /* Early receive interrupt not supported. */ + #if 0 + eepro100_er_interrupt(s); +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index ca69f7e..1f2c79d 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -86,16 +86,18 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- stl_be_pci_dma(&s->dev, p, desc->status); +- stl_be_pci_dma(&s->dev, p + 4, desc->control); +- stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_be_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_be_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } else { +- stl_le_pci_dma(&s->dev, p, desc->status); +- stl_le_pci_dma(&s->dev, p + 4, desc->control); +- stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_le_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_le_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 091a350..b5e8b14 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -168,14 +168,16 @@ static void megasas_frame_set_cmd_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static void megasas_frame_set_scsi_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static inline const char *mfi_frame_desc(unsigned int cmd) +@@ -542,6 +544,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + + static void megasas_complete_frame(MegasasState *s, uint64_t context) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci_dev = PCI_DEVICE(s); + int tail, queue_offset; + +@@ -555,10 +558,12 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + */ + if (megasas_use_queue64(s)) { + queue_offset = s->reply_queue_head * sizeof(uint64_t); +- stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } else { + queue_offset = s->reply_queue_head * sizeof(uint32_t); +- stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } + s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); + trace_megasas_qf_complete(context, s->reply_queue_head, +@@ -572,7 +577,7 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, + s->busy); +- stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head); ++ stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head, attrs); + /* Notify HBA */ + if (msix_enabled(pci_dev)) { + trace_megasas_msix_raise(0); +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index cd76bd6..59c3e8b 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -55,7 +55,8 @@ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val)) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ ++ MEMTXATTRS_UNSPECIFIED)) + + struct PVSCSIClass { + PCIDeviceClass parent_class; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 8c5f2ed..9f51ef2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,11 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + MEMTXATTRS_UNSPECIFIED); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, uint##_bits##_t val) \ +- { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ static inline void st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch b/poky/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch new file mode 100644 index 0000000000..7e747298a9 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch @@ -0,0 +1,258 @@ +From a3c7553efdec661a8f7d7dfc0c0618a35fab005c Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Wed, 2 Mar 2022 06:51:38 +0100 +Subject: [PATCH 20/21] target/ppc: move xs[n]madd[am][ds]p/xs[n]msub[am][ds]p + to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e4318ab2e423c4caf9a88a4e99b5e234096b81a9] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20220225210936.1749575-37-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 23 ++++++------ + target/ppc/helper.h | 16 ++++----- + target/ppc/insn32.decode | 22 ++++++++++++ + target/ppc/translate/vsx-impl.c.inc | 56 ++++++++++++++++++++++++----- + target/ppc/translate/vsx-ops.c.inc | 16 --------- + 5 files changed, 90 insertions(+), 43 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 5cc7fb1dcb..853e5f6029 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2036,10 +2036,11 @@ VSX_TSQRT(xvtsqrtsp, 4, float32, VsrW(i), -126, 23) + * maddflgs - flags for the float*muladd routine that control the + * various forms (madd, msub, nmadd, nmsub) + * sfprf - set FPRF ++ * r2sp - round intermediate double precision result to single precision + */ + #define VSX_MADD(op, nels, tp, fld, maddflgs, sfprf, r2sp) \ + void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ +- ppc_vsr_t *xa, ppc_vsr_t *b, ppc_vsr_t *c) \ ++ ppc_vsr_t *s1, ppc_vsr_t *s2, ppc_vsr_t *s3) \ + { \ + ppc_vsr_t t = *xt; \ + int i; \ +@@ -2055,12 +2056,12 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + * result to odd. \ + */ \ + set_float_rounding_mode(float_round_to_zero, &tstat); \ +- t.fld = tp##_muladd(xa->fld, b->fld, c->fld, \ ++ t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld, \ + maddflgs, &tstat); \ + t.fld |= (get_float_exception_flags(&tstat) & \ + float_flag_inexact) != 0; \ + } else { \ +- t.fld = tp##_muladd(xa->fld, b->fld, c->fld, \ ++ t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld, \ + maddflgs, &tstat); \ + } \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ +@@ -2082,14 +2083,14 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + do_float_check_status(env, GETPC()); \ + } + +-VSX_MADD(xsmadddp, 1, float64, VsrD(0), MADD_FLGS, 1, 0) +-VSX_MADD(xsmsubdp, 1, float64, VsrD(0), MSUB_FLGS, 1, 0) +-VSX_MADD(xsnmadddp, 1, float64, VsrD(0), NMADD_FLGS, 1, 0) +-VSX_MADD(xsnmsubdp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0) +-VSX_MADD(xsmaddsp, 1, float64, VsrD(0), MADD_FLGS, 1, 1) +-VSX_MADD(xsmsubsp, 1, float64, VsrD(0), MSUB_FLGS, 1, 1) +-VSX_MADD(xsnmaddsp, 1, float64, VsrD(0), NMADD_FLGS, 1, 1) +-VSX_MADD(xsnmsubsp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1) ++VSX_MADD(XSMADDDP, 1, float64, VsrD(0), MADD_FLGS, 1, 0) ++VSX_MADD(XSMSUBDP, 1, float64, VsrD(0), MSUB_FLGS, 1, 0) ++VSX_MADD(XSNMADDDP, 1, float64, VsrD(0), NMADD_FLGS, 1, 0) ++VSX_MADD(XSNMSUBDP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0) ++VSX_MADD(XSMADDSP, 1, float64, VsrD(0), MADD_FLGS, 1, 1) ++VSX_MADD(XSMSUBSP, 1, float64, VsrD(0), MSUB_FLGS, 1, 1) ++VSX_MADD(XSNMADDSP, 1, float64, VsrD(0), NMADD_FLGS, 1, 1) ++VSX_MADD(XSNMSUBSP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1) + + VSX_MADD(xvmadddp, 2, float64, VsrD(i), MADD_FLGS, 0, 0) + VSX_MADD(xvmsubdp, 2, float64, VsrD(i), MSUB_FLGS, 0, 0) +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index ef5bdd38a7..e147b37644 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -376,10 +376,10 @@ DEF_HELPER_3(xssqrtdp, void, env, vsr, vsr) + DEF_HELPER_3(xsrsqrtedp, void, env, vsr, vsr) + DEF_HELPER_4(xstdivdp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xstsqrtdp, void, env, i32, vsr) +-DEF_HELPER_5(xsmadddp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsmsubdp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmadddp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmsubdp, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBDP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_4(xscmpeqdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xscmpgtdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xscmpgedp, void, env, vsr, vsr, vsr) +@@ -439,10 +439,10 @@ DEF_HELPER_3(xsresp, void, env, vsr, vsr) + DEF_HELPER_2(xsrsp, i64, env, i64) + DEF_HELPER_3(xssqrtsp, void, env, vsr, vsr) + DEF_HELPER_3(xsrsqrtesp, void, env, vsr, vsr) +-DEF_HELPER_5(xsmaddsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsmsubsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmaddsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmsubsp, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr) + + DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 8bdc059a4c..0ff8818084 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -451,6 +451,28 @@ STXVX 011111 ..... ..... ..... 0110001100 . @X_TSX + LXVPX 011111 ..... ..... ..... 0101001101 - @X_TSXP + STXVPX 011111 ..... ..... ..... 0111001101 - @X_TSXP + ++## VSX Scalar Multiply-Add Instructions ++ ++XSMADDADP 111100 ..... ..... ..... 00100001 . . . @XX3 ++XSMADDMDP 111100 ..... ..... ..... 00101001 . . . @XX3 ++XSMADDASP 111100 ..... ..... ..... 00000001 . . . @XX3 ++XSMADDMSP 111100 ..... ..... ..... 00001001 . . . @XX3 ++ ++XSMSUBADP 111100 ..... ..... ..... 00110001 . . . @XX3 ++XSMSUBMDP 111100 ..... ..... ..... 00111001 . . . @XX3 ++XSMSUBASP 111100 ..... ..... ..... 00010001 . . . @XX3 ++XSMSUBMSP 111100 ..... ..... ..... 00011001 . . . @XX3 ++ ++XSNMADDASP 111100 ..... ..... ..... 10000001 . . . @XX3 ++XSNMADDMSP 111100 ..... ..... ..... 10001001 . . . @XX3 ++XSNMADDADP 111100 ..... ..... ..... 10100001 . . . @XX3 ++XSNMADDMDP 111100 ..... ..... ..... 10101001 . . . @XX3 ++ ++XSNMSUBASP 111100 ..... ..... ..... 10010001 . . . @XX3 ++XSNMSUBMSP 111100 ..... ..... ..... 10011001 . . . @XX3 ++XSNMSUBADP 111100 ..... ..... ..... 10110001 . . . @XX3 ++XSNMSUBMDP 111100 ..... ..... ..... 10111001 . . . @XX3 ++ + ## VSX splat instruction + + XXSPLTIB 111100 ..... 00 ........ 0101101000 . @X_imm8 +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 99c8a57e50..90d3ac665b 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1201,6 +1201,54 @@ GEN_VSX_HELPER_2(xvtstdcdp, 0x14, 0x1E, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xxperm, 0x08, 0x03, 0, PPC2_ISA300) + GEN_VSX_HELPER_X3(xxpermr, 0x08, 0x07, 0, PPC2_ISA300) + ++static bool do_xsmadd(DisasContext *ctx, int tgt, int src1, int src2, int src3, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ TCGv_ptr t, s1, s2, s3; ++ ++ t = gen_vsr_ptr(tgt); ++ s1 = gen_vsr_ptr(src1); ++ s2 = gen_vsr_ptr(src2); ++ s3 = gen_vsr_ptr(src3); ++ ++ gen_helper(cpu_env, t, s1, s2, s3); ++ ++ tcg_temp_free_ptr(t); ++ tcg_temp_free_ptr(s1); ++ tcg_temp_free_ptr(s2); ++ tcg_temp_free_ptr(s3); ++ ++ return true; ++} ++ ++static bool do_xsmadd_XX3(DisasContext *ctx, arg_XX3 *a, bool type_a, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ REQUIRE_VSX(ctx); ++ ++ if (type_a) { ++ return do_xsmadd(ctx, a->xt, a->xa, a->xt, a->xb, gen_helper); ++ } ++ return do_xsmadd(ctx, a->xt, a->xa, a->xb, a->xt, gen_helper); ++} ++ ++TRANS_FLAGS2(VSX, XSMADDADP, do_xsmadd_XX3, true, gen_helper_XSMADDDP) ++TRANS_FLAGS2(VSX, XSMADDMDP, do_xsmadd_XX3, false, gen_helper_XSMADDDP) ++TRANS_FLAGS2(VSX, XSMSUBADP, do_xsmadd_XX3, true, gen_helper_XSMSUBDP) ++TRANS_FLAGS2(VSX, XSMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSMSUBDP) ++TRANS_FLAGS2(VSX, XSNMADDADP, do_xsmadd_XX3, true, gen_helper_XSNMADDDP) ++TRANS_FLAGS2(VSX, XSNMADDMDP, do_xsmadd_XX3, false, gen_helper_XSNMADDDP) ++TRANS_FLAGS2(VSX, XSNMSUBADP, do_xsmadd_XX3, true, gen_helper_XSNMSUBDP) ++TRANS_FLAGS2(VSX, XSNMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSNMSUBDP) ++TRANS_FLAGS2(VSX207, XSMADDASP, do_xsmadd_XX3, true, gen_helper_XSMADDSP) ++TRANS_FLAGS2(VSX207, XSMADDMSP, do_xsmadd_XX3, false, gen_helper_XSMADDSP) ++TRANS_FLAGS2(VSX207, XSMSUBASP, do_xsmadd_XX3, true, gen_helper_XSMSUBSP) ++TRANS_FLAGS2(VSX207, XSMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSMSUBSP) ++TRANS_FLAGS2(VSX207, XSNMADDASP, do_xsmadd_XX3, true, gen_helper_XSNMADDSP) ++TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP) ++TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP) ++TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP) ++ + #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type) \ + static void gen_##name(DisasContext *ctx) \ + { \ +@@ -1231,14 +1279,6 @@ static void gen_##name(DisasContext *ctx) \ + tcg_temp_free_ptr(c); \ + } + +-GEN_VSX_HELPER_VSX_MADD(xsmadddp, 0x04, 0x04, 0x05, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsmsubdp, 0x04, 0x06, 0x07, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsnmadddp, 0x04, 0x14, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsnmsubdp, 0x04, 0x16, 0x17, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsmaddsp, 0x04, 0x00, 0x01, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsmsubsp, 0x04, 0x02, 0x03, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsnmaddsp, 0x04, 0x10, 0x11, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsnmsubsp, 0x04, 0x12, 0x13, 0, PPC2_VSX207) + GEN_VSX_HELPER_VSX_MADD(xvmadddp, 0x04, 0x0C, 0x0D, 0, PPC2_VSX) + GEN_VSX_HELPER_VSX_MADD(xvmsubdp, 0x04, 0x0E, 0x0F, 0, PPC2_VSX) + GEN_VSX_HELPER_VSX_MADD(xvnmadddp, 0x04, 0x1C, 0x1D, 0, PPC2_VSX) +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index c974324c4c..ef0200eead 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -186,14 +186,6 @@ GEN_XX2FORM(xssqrtdp, 0x16, 0x04, PPC2_VSX), + GEN_XX2FORM(xsrsqrtedp, 0x14, 0x04, PPC2_VSX), + GEN_XX3FORM(xstdivdp, 0x14, 0x07, PPC2_VSX), + GEN_XX2FORM(xstsqrtdp, 0x14, 0x06, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmadddp, "xsmaddadp", 0x04, 0x04, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmadddp, "xsmaddmdp", 0x04, 0x05, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubadp", 0x04, 0x06, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubmdp", 0x04, 0x07, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddadp", 0x04, 0x14, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddmdp", 0x04, 0x15, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubadp", 0x04, 0x16, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubmdp", 0x04, 0x17, PPC2_VSX), + GEN_XX3FORM(xscmpeqdp, 0x0C, 0x00, PPC2_ISA300), + GEN_XX3FORM(xscmpgtdp, 0x0C, 0x01, PPC2_ISA300), + GEN_XX3FORM(xscmpgedp, 0x0C, 0x02, PPC2_ISA300), +@@ -235,14 +227,6 @@ GEN_XX2FORM(xsresp, 0x14, 0x01, PPC2_VSX207), + GEN_XX2FORM(xsrsp, 0x12, 0x11, PPC2_VSX207), + GEN_XX2FORM(xssqrtsp, 0x16, 0x00, PPC2_VSX207), + GEN_XX2FORM(xsrsqrtesp, 0x14, 0x00, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddasp", 0x04, 0x00, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddmsp", 0x04, 0x01, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubasp", 0x04, 0x02, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubmsp", 0x04, 0x03, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddasp", 0x04, 0x10, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddmsp", 0x04, 0x11, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubasp", 0x04, 0x12, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubmsp", 0x04, 0x13, PPC2_VSX207), + GEN_XX2FORM(xscvsxdsp, 0x10, 0x13, PPC2_VSX207), + GEN_XX2FORM(xscvuxdsp, 0x10, 0x12, PPC2_VSX207), + +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/poky/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..7f9de244be --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch @@ -0,0 +1,271 @@ +From 398f9a84ac7132e38caf7b066273734b3bf619ff Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:45:06 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-22-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 19 +++++++++++++------ + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 16 ++++++++++------ + hw/scsi/mptsas.c | 10 ++++++---- + hw/scsi/vmw_pvscsi.c | 3 ++- + hw/usb/hcd-xhci.c | 1 + + include/hw/pci/pci.h | 6 +++--- + 8 files changed, 46 insertions(+), 29 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 3309ae0..e34b7ab 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4*rp); ++ verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 83c4431..eb82e9c 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -737,6 +737,7 @@ static void read_cb(EEPRO100State *s) + + static void tx_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint32_t tbd_array = s->tx.tbd_array_addr; + uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff; + /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */ +@@ -772,11 +773,14 @@ static void tx_command(EEPRO100State *s) + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { + uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address); ++ tbd_address, ++ attrs); + uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4); ++ tbd_address + 4, ++ attrs); + uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6); ++ tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -792,9 +796,12 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); ++ uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, ++ attrs); ++ uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, ++ attrs); ++ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 1f2c79d..c76e486 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,16 +70,18 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_be_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_le_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index b5e8b14..98b1370 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,7 +202,9 @@ static uint64_t megasas_frame_get_context(MegasasState *s, + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context)); ++ return ldq_le_pci_dma(pci, ++ frame + offsetof(struct mfi_frame_header, context), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -534,7 +536,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -565,14 +568,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -637,6 +640,7 @@ static void megasas_abort_command(MegasasCmd *cmd) + + static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pcid = PCI_DEVICE(s); + uint32_t pa_hi, pa_lo; + hwaddr iq_pa, initq_size = sizeof(struct mfi_init_qinfo); +@@ -675,9 +679,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); ++ s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index f6c7765..ac9f4df 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -172,14 +172,15 @@ static const int mpi_request_sizes[] = { + static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t *sgaddr) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci = (PCIDevice *) s; + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 8; + } + return addr; +@@ -203,7 +204,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr); ++ flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -234,7 +235,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr); ++ flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 59c3e8b..33e16f9 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -52,7 +52,8 @@ + + #define RS_GET_FIELD(m, field) \ + (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ ++ MEMTXATTRS_UNSPECIFIED)) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index da5a407..14bdb89 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3440,6 +3440,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) + } + ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); + slot->ctx = xhci_mask64(addr); ++ + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 9f51ef2..7a46c1f 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -852,11 +852,11 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch b/poky/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch new file mode 100644 index 0000000000..11d732ac13 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch @@ -0,0 +1,174 @@ +From 1c1f82fbf0a434948b041eb35c671137628d5538 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Wed, 2 Mar 2022 06:51:38 +0100 +Subject: [PATCH 21/21] target/ppc: implement xs[n]maddqp[o]/xs[n]msubqp[o] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.0 instuctions: +xsmaddqp[o]: VSX Scalar Multiply-Add Quad-Precision [using round to Odd] +xsmsubqp[o]: VSX Scalar Multiply-Subtract Quad-Precision [using round + to Odd] +xsnmaddqp[o]: VSX Scalar Negative Multiply-Add Quad-Precision [using + round to Odd] +xsnmsubqp[o]: VSX Scalar Negative Multiply-Subtract Quad-Precision + [using round to Odd] + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=3bb1aed246d7b59ceee625a82628f7369d492a8f] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20220225210936.1749575-38-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 42 +++++++++++++++++++++++++++++ + target/ppc/helper.h | 9 +++++++ + target/ppc/insn32.decode | 4 +++ + target/ppc/translate/vsx-impl.c.inc | 25 +++++++++++++++++ + 4 files changed, 80 insertions(+) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 853e5f6029..bdbbdb3b11 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2102,6 +2102,48 @@ VSX_MADD(xvmsubsp, 4, float32, VsrW(i), MSUB_FLGS, 0, 0) + VSX_MADD(xvnmaddsp, 4, float32, VsrW(i), NMADD_FLGS, 0, 0) + VSX_MADD(xvnmsubsp, 4, float32, VsrW(i), NMSUB_FLGS, 0, 0) + ++/* ++ * VSX_MADDQ - VSX floating point quad-precision muliply/add ++ * op - instruction mnemonic ++ * maddflgs - flags for the float*muladd routine that control the ++ * various forms (madd, msub, nmadd, nmsub) ++ * ro - round to odd ++ */ ++#define VSX_MADDQ(op, maddflgs, ro) \ ++void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, ppc_vsr_t *s1, ppc_vsr_t *s2,\ ++ ppc_vsr_t *s3) \ ++{ \ ++ ppc_vsr_t t = *xt; \ ++ \ ++ helper_reset_fpstatus(env); \ ++ \ ++ float_status tstat = env->fp_status; \ ++ set_float_exception_flags(0, &tstat); \ ++ if (ro) { \ ++ tstat.float_rounding_mode = float_round_to_odd; \ ++ } \ ++ t.f128 = float128_muladd(s1->f128, s3->f128, s2->f128, maddflgs, &tstat); \ ++ env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ ++ \ ++ if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ ++ float_invalid_op_madd(env, tstat.float_exception_flags, \ ++ false, GETPC()); \ ++ } \ ++ \ ++ helper_compute_fprf_float128(env, t.f128); \ ++ *xt = t; \ ++ do_float_check_status(env, GETPC()); \ ++} ++ ++VSX_MADDQ(XSMADDQP, MADD_FLGS, 0) ++VSX_MADDQ(XSMADDQPO, MADD_FLGS, 1) ++VSX_MADDQ(XSMSUBQP, MSUB_FLGS, 0) ++VSX_MADDQ(XSMSUBQPO, MSUB_FLGS, 1) ++VSX_MADDQ(XSNMADDQP, NMADD_FLGS, 0) ++VSX_MADDQ(XSNMADDQPO, NMADD_FLGS, 1) ++VSX_MADDQ(XSNMSUBQP, NMSUB_FLGS, 0) ++VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0) ++ + /* + * VSX_SCALAR_CMP_DP - VSX scalar floating point compare double precision + * op - instruction mnemonic +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index e147b37644..b5080c4955 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -444,6 +444,15 @@ DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr) + ++DEF_HELPER_5(XSMADDQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBQPO, void, env, vsr, vsr, vsr, vsr) ++ + DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvmuldp, void, env, vsr, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 0ff8818084..6bcb1e6804 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -457,21 +457,25 @@ XSMADDADP 111100 ..... ..... ..... 00100001 . . . @XX3 + XSMADDMDP 111100 ..... ..... ..... 00101001 . . . @XX3 + XSMADDASP 111100 ..... ..... ..... 00000001 . . . @XX3 + XSMADDMSP 111100 ..... ..... ..... 00001001 . . . @XX3 ++XSMADDQP 111111 ..... ..... ..... 0110000100 . @X_rc + + XSMSUBADP 111100 ..... ..... ..... 00110001 . . . @XX3 + XSMSUBMDP 111100 ..... ..... ..... 00111001 . . . @XX3 + XSMSUBASP 111100 ..... ..... ..... 00010001 . . . @XX3 + XSMSUBMSP 111100 ..... ..... ..... 00011001 . . . @XX3 ++XSMSUBQP 111111 ..... ..... ..... 0110100100 . @X_rc + + XSNMADDASP 111100 ..... ..... ..... 10000001 . . . @XX3 + XSNMADDMSP 111100 ..... ..... ..... 10001001 . . . @XX3 + XSNMADDADP 111100 ..... ..... ..... 10100001 . . . @XX3 + XSNMADDMDP 111100 ..... ..... ..... 10101001 . . . @XX3 ++XSNMADDQP 111111 ..... ..... ..... 0111000100 . @X_rc + + XSNMSUBASP 111100 ..... ..... ..... 10010001 . . . @XX3 + XSNMSUBMSP 111100 ..... ..... ..... 10011001 . . . @XX3 + XSNMSUBADP 111100 ..... ..... ..... 10110001 . . . @XX3 + XSNMSUBMDP 111100 ..... ..... ..... 10111001 . . . @XX3 ++XSNMSUBQP 111111 ..... ..... ..... 0111100100 . @X_rc + + ## VSX splat instruction + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 90d3ac665b..4253f01319 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1249,6 +1249,31 @@ TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP) + TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP) + TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP) + ++static bool do_xsmadd_X(DisasContext *ctx, arg_X_rc *a, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr), ++ void (*gen_helper_ro)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ int vrt, vra, vrb; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ vrt = a->rt + 32; ++ vra = a->ra + 32; ++ vrb = a->rb + 32; ++ ++ if (a->rc) { ++ return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper_ro); ++ } ++ ++ return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper); ++} ++ ++TRANS(XSMADDQP, do_xsmadd_X, gen_helper_XSMADDQP, gen_helper_XSMADDQPO) ++TRANS(XSMSUBQP, do_xsmadd_X, gen_helper_XSMSUBQP, gen_helper_XSMSUBQPO) ++TRANS(XSNMADDQP, do_xsmadd_X, gen_helper_XSNMADDQP, gen_helper_XSNMADDQPO) ++TRANS(XSNMSUBQP, do_xsmadd_X, gen_helper_XSNMSUBQP, gen_helper_XSNMSUBQPO) ++ + #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type) \ + static void gen_##name(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch b/poky/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..e52a45b90f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch @@ -0,0 +1,47 @@ +From 6bebb270731758fae3114b7d24c2b12b7c325cc5 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:47:30 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +st*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-23-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/hw/pci/pci.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 7a46c1f..c90cecc 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,12 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ ++ static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch b/poky/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..6bd6350f44 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch @@ -0,0 +1,296 @@ +From 4a63054bce23982b99f4d3c65528e47e614086b2 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:49:30 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +ld*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-24-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 25 ++++++++++--------------- + hw/net/tulip.c | 16 ++++++++-------- + hw/scsi/megasas.c | 21 ++++++++++++--------- + hw/scsi/mptsas.c | 16 +++++++++++----- + hw/scsi/vmw_pvscsi.c | 16 ++++++++++------ + include/hw/pci/pci.h | 17 ++++++++--------- + 7 files changed, 60 insertions(+), 53 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index e34b7ab..2b55d52 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(&d->pci, addr + 4 * rp, &verb, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index eb82e9c..679f52f 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -769,18 +769,16 @@ static void tx_command(EEPRO100State *s) + } else { + /* Flexible mode. */ + uint8_t tbd_count = 0; ++ uint32_t tx_buffer_address; ++ uint16_t tx_buffer_size; ++ uint16_t tx_buffer_el; ++ + if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) { + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -796,12 +794,9 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index c76e486..d5b6cc5 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -73,15 +73,15 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs); ++ ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_be_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_be_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_be_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); ++ ldl_le_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_le_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_le_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_le_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 98b1370..dc9bbdb 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,9 +202,12 @@ static uint64_t megasas_frame_get_context(MegasasState *s, + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, +- frame + offsetof(struct mfi_frame_header, context), +- MEMTXATTRS_UNSPECIFIED); ++ uint64_t val; ++ ++ ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context), ++ &val, MEMTXATTRS_UNSPECIFIED); ++ ++ return val; + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -536,8 +539,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -568,14 +571,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -679,9 +682,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->producer_pa, &s->reply_queue_head, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index ac9f4df..5181b0c 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -177,10 +177,16 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint64_t addr64; ++ ++ ldq_le_pci_dma(pci, *sgaddr + 4, &addr64, attrs); ++ addr = addr64; + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint32_t addr32; ++ ++ ldl_le_pci_dma(pci, *sgaddr + 4, &addr32, attrs); ++ addr = addr32; + *sgaddr += 8; + } + return addr; +@@ -204,7 +210,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -235,8 +241,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, next_chain_addr, &flags_and_length, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 33e16f9..4d9969f 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -50,10 +50,10 @@ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +-#define RS_GET_FIELD(m, field) \ +- (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ ++#define RS_GET_FIELD(pval, m, field) \ ++ ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ +- MEMTXATTRS_UNSPECIFIED)) ++ pval, MEMTXATTRS_UNSPECIFIED) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +@@ -249,10 +249,11 @@ pvscsi_ring_cleanup(PVSCSIRingInfo *mgr) + static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { +- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ready_ptr; + uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING + * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + ++ RS_GET_FIELD(&ready_ptr, mgr, reqProdIdx); + if (ready_ptr != mgr->consumed_ptr + && ready_ptr - mgr->consumed_ptr < ring_size) { + uint32_t next_ready_ptr = +@@ -323,8 +324,11 @@ pvscsi_ring_flush_cmp(PVSCSIRingInfo *mgr) + static bool + pvscsi_ring_msg_has_room(PVSCSIRingInfo *mgr) + { +- uint32_t prodIdx = RS_GET_FIELD(mgr, msgProdIdx); +- uint32_t consIdx = RS_GET_FIELD(mgr, msgConsIdx); ++ uint32_t prodIdx; ++ uint32_t consIdx; ++ ++ RS_GET_FIELD(&prodIdx, mgr, msgProdIdx); ++ RS_GET_FIELD(&consIdx, mgr, msgConsIdx); + + return (prodIdx - consIdx) < (mgr->msg_len_mask + 1); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index c90cecc..5b36334 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -850,15 +850,14 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + +-#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +- static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ +- return val; \ +- } \ ++#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ ++ static inline MemTxResult ld##_l##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ } \ + static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch deleted file mode 100644 index 4201610f4d..0000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 963ac2cd5186b28fbfdecd15ac43afe1dbaf871a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> -Date: Thu, 18 Nov 2021 12:57:32 +0100 -Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun - (CVE-2021-3507) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Per the 82078 datasheet, if the end-of-track (EOT byte in -the FIFO) is more than the number of sectors per side, the -command is terminated unsuccessfully: - -* 5.2.5 DATA TRANSFER TERMINATION - - The 82078 supports terminal count explicitly through - the TC pin and implicitly through the underrun/over- - run and end-of-track (EOT) functions. For full sector - transfers, the EOT parameter can define the last - sector to be transferred in a single or multisector - transfer. If the last sector to be transferred is a par- - tial sector, the host can stop transferring the data in - mid-sector, and the 82078 will continue to complete - the sector as if a hardware TC was received. The - only difference between these implicit functions and - TC is that they return "abnormal termination" result - status. Such status indications can be ignored if they - were expected. - -* 6.1.3 READ TRACK - - This command terminates when the EOT specified - number of sectors have been read. If the 82078 - does not find an I D Address Mark on the diskette - after the second· occurrence of a pulse on the - INDX# pin, then it sets the IC code in Status Regis- - ter 0 to "01" (Abnormal termination), sets the MA bit - in Status Register 1 to "1", and terminates the com- - mand. - -* 6.1.6 VERIFY - - Refer to Table 6-6 and Table 6-7 for information - concerning the values of MT and EC versus SC and - EOT value. - -* Table 6·6. Result Phase Table - -* Table 6-7. Verify Command Result Phase Table - -Fix by aborting the transfer when EOT > # Sectors Per Side. - -Cc: qemu-stable@nongnu.org -Cc: Hervé Poussineau <hpoussin@reactos.org> -Fixes: baca51faff0 ("floppy driver: disk geometry auto detect") -Reported-by: Alexander Bulekov <alxndr@bu.edu> -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339 -Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-Id: <20211118115733.4038610-2-philmd@redhat.com> -Reviewed-by: Hanna Reitz <hreitz@redhat.com> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> - -Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/block/fdc.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index 21d18ac2e..24b05406e 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1529,6 +1529,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction) - int tmp; - fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]); - tmp = (fdctrl->fifo[6] - ks + 1); -+ if (tmp < 0) { -+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp); -+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00); -+ fdctrl->fifo[3] = kt; -+ fdctrl->fifo[4] = kh; -+ fdctrl->fifo[5] = ks; -+ return; -+ } - if (fdctrl->fifo[0] & 0x80) - tmp += fdctrl->fifo[6]; - fdctrl->data_len *= tmp; --- -2.33.0 - diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch deleted file mode 100644 index 9f00d9c0d0..0000000000 --- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch +++ /dev/null @@ -1,115 +0,0 @@ -From ec5725982f811d9728ad1f9940df0e9349397e67 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> -Date: Thu, 18 Nov 2021 12:57:33 +0100 -Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for - CVE-2021-3507 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339 - -Without the previous commit, when running 'make check-qtest-i386' -with QEMU configured with '--enable-sanitizers' we get: - - ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0 - READ of size 786432 at 0x619000062a00 thread T0 - #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919) - #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13 - #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14 - #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18 - #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16 - #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5 - #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5 - #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9 - #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13 - #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13 - #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13 - #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9 - #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17 - - 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00) - allocated by thread T0 here: - #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec) - #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11 - #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27 - #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20 - #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5 - #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13 - - SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy - Shadow bytes around the buggy address: - 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa - 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd - Shadow byte legend (one shadow byte represents 8 application bytes): - Addressable: 00 - Heap left redzone: fa - Freed heap region: fd - ==4028352==ABORTING - -[ kwolf: Added snapshot=on to prevent write file lock failure ] - -Reported-by: Alexander Bulekov <alxndr@bu.edu> -Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Reviewed-by: Alexander Bulekov <alxndr@bu.edu> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> - -Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc] -CVE: CVE-2021-3507 - -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - tests/qtest/fdc-test.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c -index 8f6eee84a..6f5850354 100644 ---- a/tests/qtest/fdc-test.c -+++ b/tests/qtest/fdc-test.c -@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void) - qtest_quit(s); - } - -+static void test_cve_2021_3507(void) -+{ -+ QTestState *s; -+ -+ s = qtest_initf("-nographic -m 32M -nodefaults " -+ "-drive file=%s,format=raw,if=floppy,snapshot=on", -+ test_image); -+ qtest_outl(s, 0x9, 0x0a0206); -+ qtest_outw(s, 0x3f4, 0x1600); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0200); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_outw(s, 0x3f4, 0x0000); -+ qtest_quit(s); -+} -+ - int main(int argc, char **argv) - { - int fd; -@@ -614,6 +634,7 @@ int main(int argc, char **argv) - qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19); - qtest_add_func("/fdc/fuzz-registers", fuzz_registers); - qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196); -+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507); - - ret = g_test_run(); - --- -2.33.0 - diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch new file mode 100644 index 0000000000..dc7990d1b7 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch @@ -0,0 +1,74 @@ +From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Sat, 18 Dec 2021 17:09:10 +0100 +Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Per the "High Definition Audio Specification" manual (rev. 1.0a), +section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status": + + Response Overrun Interrupt Status (RIRBOIS): + + Hardware sets this bit to a 1 when an overrun occurs in the RIRB. + An interrupt may be generated if the Response Overrun Interrupt + Control bit is set. + + This bit will be set if the RIRB DMA engine is not able to write + the incoming responses to memory before additional incoming + responses overrun the internal FIFO. + + When hardware detects an overrun, it will drop the responses which + overrun the buffer and set the RIRBOIS status bit to indicate the + error condition. Optionally, if the RIRBOIC is set, the hardware + will also generate an error to alert software to the problem. + +QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This +function returns a MemTxResult indicating whether the DMA access +was successful. +Handle any MemTxResult error as "DMA engine is not able to write the +incoming responses to memory" and raise the Overrun Interrupt flag +when this case occurs. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40] + +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211218160912.1591633-2-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 5f8a878..47a36ac 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; + uint32_t wp, ex; ++ MemTxResult res = MEMTX_OK; + + if (d->ics & ICH6_IRS_BUSY) { + dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n", +@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); +- stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { ++ d->rirb_sts |= ICH6_RBSTS_OVERRUN; ++ intel_hda_update_irq(d); ++ } + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch new file mode 100644 index 0000000000..b79fadf3f6 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch @@ -0,0 +1,43 @@ +From 79fa99831debc9782087e834382c577215f2f511 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Sat, 18 Dec 2021 17:09:11 +0100 +Subject: [PATCH] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO + devices) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Issue #542 reports a reentrancy problem when the DMA engine accesses +the HDA controller I/O registers. Fix by restricting the DMA engine +to memories regions (forbidding MMIO devices such the HDA controller). + +Reported-by: OSS-Fuzz (Issue 28435) +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Thomas Huth <thuth@redhat.com> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542 +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511] + +Message-Id: <20211218160912.1591633-3-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 47a36ac..78a47bc 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +-- +1.8.3.1 diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch new file mode 100644 index 0000000000..e898c20767 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch @@ -0,0 +1,59 @@ +From b9d383ab797f54ae5fa8746117770709921dc529 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu <peterx@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529] +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index c8ff3ec..99b11ca 100644 +--- a/hw/intc/arm_gicv3_redist.c ++++ b/hw/intc/arm_gicv3_redist.c +@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch new file mode 100644 index 0000000000..f163b4fab3 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch @@ -0,0 +1,65 @@ +From 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu <peterx@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com> +Message-Id: <20211215182421.418374-3-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] +--- + softmmu/physmem.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 43ae70f..3d968ca 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -2826,14 +2826,11 @@ static MemTxResult flatview_write(FlatVi + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +- MemTxResult result = MEMTX_OK; + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); +- result = flatview_write_continue(fv, addr, attrs, buf, len, +- addr1, l, mr); +- +- return result; ++ return flatview_write_continue(fv, addr, attrs, buf, len, ++ addr1, l, mr); + } + + /* Called within RCU critical section. */ +@@ -3130,12 +3127,10 @@ bool address_space_access_valid(AddressS + MemTxAttrs attrs) + { + FlatView *fv; +- bool result; + + RCU_READ_LOCK_GUARD(); + fv = address_space_to_flatview(as); +- result = flatview_access_valid(fv, addr, len, is_write, attrs); +- return result; ++ return flatview_access_valid(fv, addr, len, is_write, attrs); + } + + static hwaddr +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch new file mode 100644 index 0000000000..24668ad1a5 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch @@ -0,0 +1,156 @@ +From 3ab6fdc91b72e156da22848f0003ff4225690ced Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:21 +0100 +Subject: [PATCH] softmmu/physmem: Introduce MemTxAttrs::memory field and + MEMTX_ACCESS_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Add the 'memory' bit to the memory attributes to restrict bus +controller accesses to memories. + +Introduce flatview_access_allowed() to check bus permission +before running any bus transaction. + +Have read/write accessors return MEMTX_ACCESS_ERROR if an access is +restricted. + +There is no change for the default case where 'memory' is not set. + +Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com> +Message-Id: <20211215182421.418374-4-philmd@redhat.com> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced] +--- + include/exec/memattrs.h | 9 +++++++++ + softmmu/physmem.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 51 insertions(+), 2 deletions(-) + +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h +index 95f2d20..9fb98bc 100644 +--- a/include/exec/memattrs.h ++++ b/include/exec/memattrs.h +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { + unsigned int secure:1; + /* Memory access is usermode (unprivileged) */ + unsigned int user:1; ++ /* ++ * Bus interconnect and peripherals can access anything (memories, ++ * devices) by default. By setting the 'memory' bit, bus transaction ++ * are restricted to "normal" memories (per the AMBA documentation) ++ * versus devices. Access to devices will be logged and rejected ++ * (see MEMTX_ACCESS_ERROR). ++ */ ++ unsigned int memory:1; + /* Requester ID (for MSI for example) */ + unsigned int requester_id:16; + /* Invert endianness for this page */ +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { + #define MEMTX_OK 0 + #define MEMTX_ERROR (1U << 0) /* device returned an error */ + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ + typedef uint32_t MemTxResult; + + #endif +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 3d968ca..4e1b27a 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -41,6 +41,7 @@ + #include "qemu/config-file.h" + #include "qemu/error-report.h" + #include "qemu/qemu-print.h" ++#include "qemu/log.h" + #include "exec/memory.h" + #include "exec/ioport.h" + #include "sysemu/dma.h" +@@ -2759,6 +2760,33 @@ static bool prepare_mmio_access(MemoryRe + return release_lock; + } + ++/** ++ * flatview_access_allowed ++ * @mr: #MemoryRegion to be accessed ++ * @attrs: memory transaction attributes ++ * @addr: address within that memory region ++ * @len: the number of bytes to access ++ * ++ * Check if a memory transaction is allowed. ++ * ++ * Returns: true if transaction is allowed, false if denied. ++ */ ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, ++ hwaddr addr, hwaddr len) ++{ ++ if (likely(!attrs.memory)) { ++ return true; ++ } ++ if (memory_region_is_ram(mr)) { ++ return true; ++ } ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Invalid access to non-RAM device at " ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " ++ "region '%s'\n", addr, len, memory_region_name(mr)); ++ return false; ++} ++ + /* Called within RCU critical section. */ + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + MemTxAttrs attrs, +@@ -2773,7 +2801,10 @@ static MemTxResult flatview_write_contin + const uint8_t *buf = ptr; + + for (;;) { +- if (!memory_access_is_direct(mr, true)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, true)) { + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); + /* XXX: could force current_cpu to NULL to avoid +@@ -2818,6 +2849,9 @@ static MemTxResult flatview_write(FlatVi + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_write_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +@@ -2836,7 +2870,10 @@ MemTxResult flatview_read_continue(FlatV + + fuzz_dma_read_cb(addr, len, mr); + for (;;) { +- if (!memory_access_is_direct(mr, false)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, false)) { + /* I/O case */ + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); +@@ -2879,6 +2916,9 @@ static MemTxResult flatview_read(FlatVie + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_read_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +-- +1.8.3.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch new file mode 100644 index 0000000000..a7d061eb99 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch @@ -0,0 +1,61 @@ +From a15f7d9913d050fb72a79bbbefa5c2329d92e71d Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 8 Nov 2022 17:10:00 +0530 +Subject: [PATCH] CVE-2022-3165 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/d307040b18] +CVE: CVE-2022-3165 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext + +Extended ClientCutText messages start with a 4-byte header. If len < 4, +an integer underflow occurs in vnc_client_cut_text_ext. The result is +used to decompress data in a while loop in inflate_buffer, leading to +CPU consumption and denial of service. Prevent this by checking dlen in +protocol_client_msg. + +Fixes: CVE-2022-3165 + +("ui/vnc: clipboard support") +Reported-by: default avatarTangPeng <tangpeng@qianxin.com> +Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <mcascell@redhat.com> +Message-Id: <20220925204511.1103214-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> +--- + ui/vnc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index af02522e8..a14b6861b 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + if (len == 1) { + return 8; + } ++ uint32_t dlen = abs(read_s32(data, 4)); + if (len == 8) { +- uint32_t dlen = abs(read_s32(data, 4)); + if (dlen > (1 << 20)) { + error_report("vnc: client_cut_text msg payload has %u bytes" + " which exceeds our limit of 1MB.", dlen); +@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + } + + if (read_s32(data, 4) < 0) { +- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)), +- read_u32(data, 8), data + 12); ++ if (dlen < 4) { ++ error_report("vnc: malformed payload (header less than 4 bytes)" ++ " in extended clipboard pseudo-encoding."); ++ vnc_client_error(vs); ++ break; ++ } ++ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12); + break; + } + vnc_client_cut_text(vs, read_u32(data, 4), data + 8); +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch new file mode 100644 index 0000000000..96052a19e8 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch @@ -0,0 +1,99 @@ +From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:40 +0100 +Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt + (CVE-2022-4144) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Have qxl_get_check_slot_offset() return false if the requested +buffer size does not fit within the slot memory region. + +Similarly qxl_phys2virt() now returns NULL in such case, and +qxl_dirty_one_surface() aborts. + +This avoids buffer overrun in the host pointer returned by +memory_region_get_ram_ptr(). + +Fixes: CVE-2022-4144 (out-of-bounds read) +Reported-by: Wenxu Yin (@awxylitol) +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 + +CVE: CVE-2022-4144 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622] +Comments: Deleted patch hunk in qxl.h,as it contains change +in comments which is not present in current version of qemu + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-5-philmd@linaro.org> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/display/qxl.c | 27 +++++++++++++++++++++++---- + 1 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 231d733250..0b21626aad 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -1424,11 +1424,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d) + + /* can be also called from spice server thread context */ + static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, +- uint32_t *s, uint64_t *o) ++ uint32_t *s, uint64_t *o, ++ size_t size_requested) + { + uint64_t phys = le64_to_cpu(pqxl); + uint32_t slot = (phys >> (64 - 8)) & 0xff; + uint64_t offset = phys & 0xffffffffffff; ++ uint64_t size_available; + + if (slot >= NUM_MEMSLOTS) { + qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot, +@@ -1452,6 +1454,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + slot, offset, qxl->guest_slots[slot].size); + return false; + } ++ size_available = memory_region_size(qxl->guest_slots[slot].mr); ++ if (qxl->guest_slots[slot].offset + offset >= size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n", ++ slot, qxl->guest_slots[slot].offset + offset, ++ size_available); ++ return false; ++ } ++ size_available -= qxl->guest_slots[slot].offset + offset; ++ if (size_requested > size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" size %zu: " ++ "overrun by %"PRIu64" bytes\n", ++ slot, offset, size_requested, ++ size_requested - size_available); ++ return false; ++ } + + *s = slot; + *o = offset; +@@ -1471,7 +1490,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, + offset = le64_to_cpu(pqxl) & 0xffffffffffff; + return (void *)(intptr_t)offset; + case MEMSLOT_GROUP_GUEST: +- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) { ++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + return NULL; + } + ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr); +@@ -1937,9 +1956,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + uint32_t slot; + bool rc; + +- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset); +- assert(rc == true); + size = (uint64_t)height * abs(stride); ++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size); ++ assert(rc == true); + trace_qxl_surfaces_dirty(qxl->id, offset, size); + qxl_set_dirty(qxl->guest_slots[slot].mr, + qxl->guest_slots[slot].offset + offset, diff --git a/poky/meta/recipes-devtools/quilt/quilt.inc b/poky/meta/recipes-devtools/quilt/quilt.inc index 07611e6d85..fce81016d8 100644 --- a/poky/meta/recipes-devtools/quilt/quilt.inc +++ b/poky/meta/recipes-devtools/quilt/quilt.inc @@ -12,6 +12,8 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quilt/quilt-${PV}.tar.gz \ file://Makefile \ file://test.sh \ file://0001-tests-Allow-different-output-from-mv.patch \ + file://fix-grep-3.8.patch \ + file://faildiff-order.patch \ " SRC_URI:append:class-target = " file://gnu_patch_test_fix_target.patch" diff --git a/poky/meta/recipes-devtools/quilt/quilt/faildiff-order.patch b/poky/meta/recipes-devtools/quilt/quilt/faildiff-order.patch new file mode 100644 index 0000000000..f22065a250 --- /dev/null +++ b/poky/meta/recipes-devtools/quilt/quilt/faildiff-order.patch @@ -0,0 +1,41 @@ +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 4dfe7f9e702c85243a71e4de267a13e434b6d6c2 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Fri, 20 Jan 2023 12:56:08 +0100 +Subject: [PATCH] test: Fix a race condition + +The test suite does not differentiate between stdout and stderr. When +messages are printed to both, the order in which they will reach us +is apparently not guaranteed. Ideally this would be deterministic, but +until then, explicitly test stdout and stderr separately in the test +case itself. Otherwise the test suite fails randomly, which is a pain +for distribution package maintainers. + +This fixes bug #63651 reported by Ross Burton: +https://savannah.nongnu.org/bugs/index.php?63651 + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +--- + test/faildiff.test | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/test/faildiff.test b/test/faildiff.test +index 5afb8e3..0444c15 100644 +--- a/test/faildiff.test ++++ b/test/faildiff.test +@@ -27,8 +27,9 @@ What happens on binary files? + > File test.bin added to patch %{P}test.diff + + $ printf "\\003\\000\\001" > test.bin +- $ quilt diff -pab --no-index ++ $ quilt diff -pab --no-index 2>/dev/null + >~ (Files|Binary files) a/test\.bin and b/test\.bin differ ++ $ quilt diff -pab --no-index >/dev/null + > Diff failed on file 'test.bin', aborting + $ echo %{?} + > 1 +-- +2.34.1 + diff --git a/poky/meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch b/poky/meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch new file mode 100644 index 0000000000..68a4b4c195 --- /dev/null +++ b/poky/meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch @@ -0,0 +1,144 @@ +From f73f8d7f71de2878d3f92881a5fcb8eafd78cb5f Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Fri, 9 Sep 2022 10:10:37 +0200 +Subject: Avoid warnings with grep 3.8 + +GNU grep version 3.8 became more strict about needless quoting in +patterns. We have one occurrence of that in quilt, where "/" +characters are being quoted by default. There are cases where they +indeed need to be quoted (typically when used in a sed s/// command) +but most of the time they do not, and this results in the following +warning: + +grep: warning: stray \ before / + +So rename quote_bre() to quote_sed_re(), and introduce +quote_grep_re() which does not quote "/". + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/quilt.git/commit/?id=f73f8d7f71de2878d3f92881a5fcb8eafd78cb5f] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + quilt/diff.in | 2 +- + quilt/patches.in | 2 +- + quilt/scripts/patchfns.in | 20 +++++++++++++------- + quilt/upgrade.in | 4 ++-- + 4 files changed, 17 insertions(+), 11 deletions(-) + +diff --git a/quilt/diff.in b/quilt/diff.in +index e90dc33..07788ff 100644 +--- a/quilt/diff.in ++++ b/quilt/diff.in +@@ -255,7 +255,7 @@ then + # Add all files in the snapshot into the file list (they may all + # have changed). + files=( $(find $QUILT_PC/$snap_subdir -type f \ +- | sed -e "s/^$(quote_bre $QUILT_PC/$snap_subdir/)//" \ ++ | sed -e "s/^$(quote_sed_re $QUILT_PC/$snap_subdir/)//" \ + | sort) ) + printf "%s\n" "${files[@]}" >&4 + unset files +diff --git a/quilt/patches.in b/quilt/patches.in +index bb17a46..eac45a9 100644 +--- a/quilt/patches.in ++++ b/quilt/patches.in +@@ -60,7 +60,7 @@ scan_unapplied() + # Quote each file name only once + for file in "${opt_files[@]}" + do +- files_bre[${#files_bre[@]}]=$(quote_bre "$file") ++ files_bre[${#files_bre[@]}]=$(quote_grep_re "$file") + done + + # "Or" all files in a single pattern +diff --git a/quilt/scripts/patchfns.in b/quilt/scripts/patchfns.in +index c2d5f9d..1bd7233 100644 +--- a/quilt/scripts/patchfns.in ++++ b/quilt/scripts/patchfns.in +@@ -78,8 +78,14 @@ array_join() + done + } + +-# Quote a string for use in a basic regular expression. +-quote_bre() ++# Quote a string for use in a regular expression for a grep pattern. ++quote_grep_re() ++{ ++ echo "$1" | sed -e 's:\([][^$.*\\]\):\\\1:g' ++} ++ ++# Quote a string for use in a regular expression for a sed s/// command. ++quote_sed_re() + { + echo "$1" | sed -e 's:\([][^$/.*\\]\):\\\1:g' + } +@@ -215,7 +221,7 @@ patch_in_series() + + if [ -e "$SERIES" ] + then +- grep -q "^$(quote_bre $patch)\([ \t]\|$\)" "$SERIES" ++ grep -q "^$(quote_grep_re $patch)\([ \t]\|$\)" "$SERIES" + else + return 1 + fi +@@ -365,7 +371,7 @@ is_applied() + { + local patch=$1 + [ -e $DB ] || return 1 +- grep -q "^$(quote_bre $patch)\$" $DB ++ grep -q "^$(quote_grep_re $patch)\$" $DB + } + + applied_patches() +@@ -465,7 +471,7 @@ remove_from_db() + local tmpfile + if tmpfile=$(gen_tempfile) + then +- grep -v "^$(quote_bre $patch)\$" $DB > $tmpfile ++ grep -v "^$(quote_grep_re $patch)\$" $DB > $tmpfile + cat $tmpfile > $DB + rm -f $tmpfile + [ -s $DB ] || rm -f $DB +@@ -520,7 +526,7 @@ find_patch() + fi + + local patch=${1#$SUBDIR_DOWN$QUILT_PATCHES/} +- local bre=$(quote_bre "$patch") ++ local bre=$(quote_sed_re "$patch") + set -- $(sed -e "/^$bre\(\|\.patch\|\.diff\?\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.lz\)\([ "$'\t'"]\|$\)/!d" \ + -e 's/[ '$'\t''].*//' "$SERIES") + if [ $# -eq 1 ] +@@ -631,7 +637,7 @@ files_in_patch() + then + find "$path" -type f \ + -a ! -path "$(quote_glob "$path")/.timestamp" | +- sed -e "s/$(quote_bre "$path")\///" ++ sed -e "s/$(quote_sed_re "$path")\///" + fi + } + +diff --git a/quilt/upgrade.in b/quilt/upgrade.in +index dbf7d05..866aa33 100644 +--- a/quilt/upgrade.in ++++ b/quilt/upgrade.in +@@ -74,7 +74,7 @@ printf $"Converting meta-data to version %s\n" "$DB_VERSION" + + for patch in $(applied_patches) + do +- proper_name="$(grep "^$(quote_bre $patch)"'\(\|\.patch\|\.diff?\)\(\|\.gz\|\.bz2\)\([ \t]\|$\)' $SERIES)" ++ proper_name="$(grep "^$(quote_grep_re $patch)"'\(\|\.patch\|\.diff?\)\(\|\.gz\|\.bz2\)\([ \t]\|$\)' $SERIES)" + proper_name=${proper_name#$QUILT_PATCHES/} + proper_name=${proper_name%% *} + if [ -z "$proper_name" ] +@@ -84,7 +84,7 @@ do + fi + + if [ "$patch" != "$proper_name" -a -d $QUILT_PC/$patch ] \ +- && grep -q "^$(quote_bre $patch)\$" \ ++ && grep -q "^$(quote_grep_re $patch)\$" \ + $QUILT_PC/applied-patches + then + mv $QUILT_PC/$patch $QUILT_PC/$proper_name \ +-- +cgit v1.1 + diff --git a/poky/meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch b/poky/meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch new file mode 100644 index 0000000000..474d82db22 --- /dev/null +++ b/poky/meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch @@ -0,0 +1,173 @@ +From 785c0072c80c2f6e0839478453cf65fdeac15da0 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 29 Aug 2022 19:53:28 -0700 +Subject: [PATCH] Add missing prototypes to function declarations + +With Clang 15+ compiler -Wstrict-prototypes is triggering warnings which +are turned into errors with -Werror, this fixes the problem by adding +missing prototypes + +Fixes errors like +| log.c:134:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| static void syslog_init() +| ^ +| void + +Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032858.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + checksum.c | 2 +- + exclude.c | 2 +- + hlink.c | 3 +-- + lib/pool_alloc.c | 2 +- + log.c | 2 +- + main.c | 2 +- + syscall.c | 4 ++-- + zlib/crc32.c | 2 +- + zlib/trees.c | 2 +- + zlib/zutil.c | 4 ++-- + 10 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/checksum.c b/checksum.c +index fb8c0a0..174c28c 100644 +--- a/checksum.c ++++ b/checksum.c +@@ -629,7 +629,7 @@ int sum_end(char *sum) + return csum_len_for_type(cursum_type, 0); + } + +-void init_checksum_choices() ++void init_checksum_choices(void) + { + #ifdef SUPPORT_XXH3 + char buf[32816]; +diff --git a/exclude.c b/exclude.c +index adc82e2..79f5a82 100644 +--- a/exclude.c ++++ b/exclude.c +@@ -358,7 +358,7 @@ void implied_include_partial_string(const char *s_start, const char *s_end) + memcpy(partial_string_buf, s_start, partial_string_len); + } + +-void free_implied_include_partial_string() ++void free_implied_include_partial_string(void) + { + if (partial_string_buf) { + free(partial_string_buf); +diff --git a/hlink.c b/hlink.c +index 66810a3..6511dfb 100644 +--- a/hlink.c ++++ b/hlink.c +@@ -117,8 +117,7 @@ static void match_gnums(int32 *ndx_list, int ndx_count) + struct ht_int32_node *node = NULL; + int32 gnum, gnum_next; + +- qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)()) hlink_compare_gnum); +- ++ qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)(const void *, const void *)) hlink_compare_gnum); + for (from = 0; from < ndx_count; from++) { + file = hlink_flist->sorted[ndx_list[from]]; + gnum = F_HL_GNUM(file); +diff --git a/lib/pool_alloc.c b/lib/pool_alloc.c +index a1a7245..4eae062 100644 +--- a/lib/pool_alloc.c ++++ b/lib/pool_alloc.c +@@ -9,7 +9,7 @@ struct alloc_pool + size_t size; /* extent size */ + size_t quantum; /* allocation quantum */ + struct pool_extent *extents; /* top extent is "live" */ +- void (*bomb)(); /* called if malloc fails */ ++ void (*bomb)(const char *, const char *, int); /* called if malloc fails */ + int flags; + + /* statistical data */ +diff --git a/log.c b/log.c +index 44344e2..991e359 100644 +--- a/log.c ++++ b/log.c +@@ -131,7 +131,7 @@ static void logit(int priority, const char *buf) + } + } + +-static void syslog_init() ++static void syslog_init(void) + { + int options = LOG_PID; + +diff --git a/main.c b/main.c +index 9ebfbea..affa244 100644 +--- a/main.c ++++ b/main.c +@@ -244,7 +244,7 @@ void read_del_stats(int f) + stats.deleted_files += stats.deleted_specials = read_varint(f); + } + +-static void become_copy_as_user() ++static void become_copy_as_user(void) + { + char *gname; + uid_t uid; +diff --git a/syscall.c b/syscall.c +index d92074a..92ca86d 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -389,9 +389,9 @@ OFF_T do_lseek(int fd, OFF_T offset, int whence) + { + #ifdef HAVE_LSEEK64 + #if !SIZEOF_OFF64_T +- OFF_T lseek64(); ++ OFF_T lseek64(int fd, OFF_T offset, int whence); + #else +- off64_t lseek64(); ++ off64_t lseek64(int fd, off64_t offset, int whence); + #endif + return lseek64(fd, offset, whence); + #else +diff --git a/zlib/crc32.c b/zlib/crc32.c +index 05733f4..50c6c02 100644 +--- a/zlib/crc32.c ++++ b/zlib/crc32.c +@@ -187,7 +187,7 @@ local void write_table(out, table) + /* ========================================================================= + * This function can be used by asm versions of crc32() + */ +-const z_crc_t FAR * ZEXPORT get_crc_table() ++const z_crc_t FAR * ZEXPORT get_crc_table(void) + { + #ifdef DYNAMIC_CRC_TABLE + if (crc_table_empty) +diff --git a/zlib/trees.c b/zlib/trees.c +index 9c66770..0d9047e 100644 +--- a/zlib/trees.c ++++ b/zlib/trees.c +@@ -231,7 +231,7 @@ local void send_bits(s, value, length) + /* =========================================================================== + * Initialize the various 'constant' tables. + */ +-local void tr_static_init() ++local void tr_static_init(void) + { + #if defined(GEN_TREES_H) || !defined(STDC) + static int static_init_done = 0; +diff --git a/zlib/zutil.c b/zlib/zutil.c +index bbba7b2..61f8dc9 100644 +--- a/zlib/zutil.c ++++ b/zlib/zutil.c +@@ -27,12 +27,12 @@ z_const char * const z_errmsg[10] = { + ""}; + + +-const char * ZEXPORT zlibVersion() ++const char * ZEXPORT zlibVersion(void) + { + return ZLIB_VERSION; + } + +-uLong ZEXPORT zlibCompileFlags() ++uLong ZEXPORT zlibCompileFlags(void) + { + uLong flags; + +-- +2.37.2 + diff --git a/poky/meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch b/poky/meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch new file mode 100644 index 0000000000..1d9c4bfe48 --- /dev/null +++ b/poky/meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch @@ -0,0 +1,68 @@ +From e64a58387db46239902b610871a0eb81626e99ff Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@cs.ucla.edu> +Date: Thu, 18 Aug 2022 07:46:28 -0700 +Subject: [PATCH] Turn on -pedantic-errors at the end of 'configure' + +Problem reported by Khem Raj in: +https://lists.gnu.org/r/autoconf-patches/2022-08/msg00009.html +Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032862.html] +--- + configure.ac | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d185b2d3..7e9514f7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1071,21 +1071,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then + with_included_popt=yes + fi + +-if test x"$GCC" = x"yes"; then +- if test x"$with_included_popt" != x"yes"; then +- # Turn pedantic warnings into errors to ensure an array-init overflow is an error. +- CFLAGS="$CFLAGS -pedantic-errors" +- else +- # Our internal popt code cannot be compiled with pedantic warnings as errors, so try to +- # turn off pedantic warnings (which will not lose the error for array-init overflow). +- # Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists +- # -Wpedantic and use that as a flag. +- case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in +- *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;; +- esac +- fi +-fi +- + AC_MSG_CHECKING([whether to use included libpopt]) + if test x"$with_included_popt" = x"yes"; then + AC_MSG_RESULT($srcdir/popt) +@@ -1444,6 +1429,26 @@ case "$CC" in + ;; + esac + ++# Enable -pedantic-errors last, so that it doesn't mess up other ++# 'configure' tests. For example, Autoconf uses empty function ++# prototypes like 'int main () {}' which Clang 15's -pedantic-errors ++# would reject. Generally it's not a good idea to try to run ++# 'configure' itself with strict compiler checking. ++if test x"$GCC" = x"yes"; then ++ if test x"$with_included_popt" != x"yes"; then ++ # Turn pedantic warnings into errors to ensure an array-init overflow is an error. ++ CFLAGS="$CFLAGS -pedantic-errors" ++ else ++ # Our internal popt code cannot be compiled with pedantic warnings as errors, so try to ++ # turn off pedantic warnings (which will not lose the error for array-init overflow). ++ # Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists ++ # -Wpedantic and use that as a flag. ++ case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in ++ *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;; ++ esac ++ fi ++fi ++ + AC_CONFIG_FILES([Makefile lib/dummy zlib/dummy popt/dummy shconfig]) + AC_OUTPUT + +-- +2.37.1 + diff --git a/poky/meta/recipes-devtools/rsync/rsync_3.2.5.bb b/poky/meta/recipes-devtools/rsync/rsync_3.2.5.bb index e43f35ea2f..983bdd5ab0 100644 --- a/poky/meta/recipes-devtools/rsync/rsync_3.2.5.bb +++ b/poky/meta/recipes-devtools/rsync/rsync_3.2.5.bb @@ -14,6 +14,8 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://rsyncd.conf \ file://makefile-no-rebuild.patch \ file://determism.patch \ + file://0001-Add-missing-prototypes-to-function-declarations.patch \ + file://0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch \ " SRC_URI[sha256sum] = "2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba" diff --git a/poky/meta/recipes-devtools/ruby/ruby.inc b/poky/meta/recipes-devtools/ruby/ruby.inc deleted file mode 100644 index ebff5efd1f..0000000000 --- a/poky/meta/recipes-devtools/ruby/ruby.inc +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "An interpreter of object-oriented scripting language" -DESCRIPTION = "Ruby is an interpreted scripting language for quick \ -and easy object-oriented programming. It has many features to process \ -text files and to do system management tasks (as in Perl). \ -It is simple, straight-forward, and extensible. \ -" -HOMEPAGE = "http://www.ruby-lang.org/" -SECTION = "devel/ruby" -LICENSE = "Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=5b8c87559868796979806100db3f3805 \ - file://BSDL;md5=8b50bc6de8f586dc66790ba11d064d75 \ - file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://LEGAL;md5=f260190bc1e92e363f0ee3c0463d4c7c \ - " - -DEPENDS = "zlib openssl libyaml gdbm readline libffi" -DEPENDS:append:class-target = " ruby-native" - -SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" -SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ - file://0001-extmk-fix-cross-compilation-of-external-gems.patch \ - file://0002-Obey-LDFLAGS-for-the-link-of-libruby.patch \ - " -UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" - -inherit autotools ptest pkgconfig - - -# This snippet lets compiled extensions which rely on external libraries, -# such as zlib, compile properly. If we don't do this, then when extmk.rb -# runs, it uses the native libraries instead of the target libraries, and so -# none of the linking operations succeed -- which makes extconf.rb think -# that the libraries aren't available and hence that the extension can't be -# built. - -do_configure:prepend() { - sed -i "s#%%TARGET_CFLAGS%%#$CFLAGS#; s#%%TARGET_LDFLAGS%%#$LDFLAGS#" ${S}/common.mk - rm -rf ${S}/ruby/ -} diff --git a/poky/meta/recipes-devtools/ruby/ruby/0001-Remove-dependency-on-libcapstone.patch b/poky/meta/recipes-devtools/ruby/ruby/0001-Remove-dependency-on-libcapstone.patch deleted file mode 100644 index 5d0f8fcc09..0000000000 --- a/poky/meta/recipes-devtools/ruby/ruby/0001-Remove-dependency-on-libcapstone.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 222203297966f312109e8eaa2520f2cf2f59c09d Mon Sep 17 00:00:00 2001 -From: Alan Wu <XrXr@users.noreply.github.com> -Date: Thu, 31 Mar 2022 17:26:28 -0400 -Subject: [PATCH] Remove dependency on libcapstone - -We have received reports of build failures due to this configuration -check modifying compile flags. Since only YJIT devs use this library -we can remove it to make Ruby easier to build for users. - -See: https://github.com/rbenv/ruby-build/discussions/1933 - -Upstream-Status: Backport ---- - configure.ac | 9 --------- - 1 file changed, 9 deletions(-) - -Index: ruby-3.1.2/configure.ac -=================================================================== ---- ruby-3.1.2.orig/configure.ac -+++ ruby-3.1.2/configure.ac -@@ -1244,15 +1244,6 @@ AC_CHECK_LIB(dl, dlopen) # Dynamic linki - AC_CHECK_LIB(dld, shl_load) # Dynamic linking for HP-UX - AC_CHECK_LIB(socket, shutdown) # SunOS/Solaris - --if pkg-config --exists capstone; then -- CAPSTONE_CFLAGS=`pkg-config --cflags capstone` -- CAPSTONE_LIB_L=`pkg-config --libs-only-L capstone` -- LDFLAGS="$LDFLAGS $CAPSTONE_LIB_L" -- CFLAGS="$CFLAGS $CAPSTONE_CFLAGS" --fi -- --AC_CHECK_LIB(capstone, cs_open) # Capstone disassembler for debugging YJIT -- - dnl Checks for header files. - AC_HEADER_DIRENT - dnl AC_HEADER_STDC has been checked in AC_USE_SYSTEM_EXTENSIONS diff --git a/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch new file mode 100644 index 0000000000..cf24b13f53 --- /dev/null +++ b/poky/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch @@ -0,0 +1,73 @@ +From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA <hsbt@ruby-lang.org> +Date: Wed, 29 Mar 2023 13:28:25 +0900 +Subject: [PATCH] CVE-2023-28756 + +CVE: CVE-2023-28756 +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/time.gemspec | 2 +- + lib/time.rb | 6 +++--- + test/test_time.rb | 9 +++++++++ + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/lib/time.gemspec b/lib/time.gemspec +index 72fba34..bada91a 100644 +--- a/lib/time.gemspec ++++ b/lib/time.gemspec +@@ -1,6 +1,6 @@ + Gem::Specification.new do |spec| + spec.name = "time" +- spec.version = "0.2.0" ++ spec.version = "0.2.2" + spec.authors = ["Tanaka Akira"] + spec.email = ["akr@fsij.org"] + +diff --git a/lib/time.rb b/lib/time.rb +index bd20a1a..6a13212 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -509,8 +509,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +@@ -701,7 +701,7 @@ class Time + # + # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise. + # +- # +fractional_digits+ specifies a number of digits to use for fractional ++ # +fraction_digits+ specifies a number of digits to use for fractional + # seconds. Its default value is 0. + # + # require 'time' +diff --git a/test/test_time.rb b/test/test_time.rb +index b50d841..23e8e10 100644 +--- a/test/test_time.rb ++++ b/test/test_time.rb +@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: + assert_equal(true, t.utc?) + end + ++ def test_rfc2822_nonlinear ++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n} ++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| ++ assert_raise(ArgumentError) do ++ Time.rfc2822(s) ++ end ++ end ++ end ++ + if defined?(Ractor) + def test_rfc2822_ractor + assert_ractor(<<~RUBY, require: 'time') +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.1.2.bb b/poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 387bfa9b44..92efc5db91 100644 --- a/poky/meta/recipes-devtools/ruby/ruby_3.1.2.bb +++ b/poky/meta/recipes-devtools/ruby/ruby_3.1.3.bb @@ -1,8 +1,25 @@ -require ruby.inc - -DEPENDS:append:libc-musl = " libucontext" - -SRC_URI += " \ +SUMMARY = "An interpreter of object-oriented scripting language" +DESCRIPTION = "Ruby is an interpreted scripting language for quick \ +and easy object-oriented programming. It has many features to process \ +text files and to do system management tasks (as in Perl). \ +It is simple, straight-forward, and extensible. \ +" +HOMEPAGE = "http://www.ruby-lang.org/" +SECTION = "devel/ruby" +LICENSE = "Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=5b8c87559868796979806100db3f3805 \ + file://BSDL;md5=8b50bc6de8f586dc66790ba11d064d75 \ + file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://LEGAL;md5=f260190bc1e92e363f0ee3c0463d4c7c \ + " + +DEPENDS = "zlib openssl libyaml gdbm readline libffi" +DEPENDS:append:class-target = " ruby-native" + +SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" +SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ + file://0001-extmk-fix-cross-compilation-of-external-gems.patch \ + file://0002-Obey-LDFLAGS-for-the-link-of-libruby.patch \ file://remove_has_include_macros.patch \ file://run-ptest \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ @@ -12,10 +29,28 @@ SRC_URI += " \ file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ - file://0001-Remove-dependency-on-libcapstone.patch \ + file://CVE-2023-28756.patch \ " +UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" + +inherit autotools ptest pkgconfig + + +# This snippet lets compiled extensions which rely on external libraries, +# such as zlib, compile properly. If we don't do this, then when extmk.rb +# runs, it uses the native libraries instead of the target libraries, and so +# none of the linking operations succeed -- which makes extconf.rb think +# that the libraries aren't available and hence that the extension can't be +# built. + +do_configure:prepend() { + sed -i "s#%%TARGET_CFLAGS%%#$CFLAGS#; s#%%TARGET_LDFLAGS%%#$LDFLAGS#" ${S}/common.mk + rm -rf ${S}/ruby/ +} + +DEPENDS:append:libc-musl = " libucontext" -SRC_URI[sha256sum] = "61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e" +SRC_URI[sha256sum] = "5ea498a35f4cd15875200a52dde42b6eb179e1264e17d78732c3a57cd1c6ab9e" PACKAGECONFIG ??= "" PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" diff --git a/poky/meta/recipes-devtools/rust/rust-common.inc b/poky/meta/recipes-devtools/rust/rust-common.inc index ef70c48d0f..db0bd8fc1b 100644 --- a/poky/meta/recipes-devtools/rust/rust-common.inc +++ b/poky/meta/recipes-devtools/rust/rust-common.inc @@ -109,7 +109,7 @@ def llvm_features_from_target_fpu(d): # TARGET_FPU can be hard or soft. +soft-float tell llvm to use soft float # ABI. There is no option for hard. - fpu = d.getVar('TARGET_FPU', True) + fpu = d.getVar('TARGET_FPU') return ["+soft-float"] if fpu == "soft" else [] def llvm_features(d): diff --git a/poky/meta/recipes-devtools/rust/rust.inc b/poky/meta/recipes-devtools/rust/rust.inc index f39228e3c0..008b2ce4a4 100644 --- a/poky/meta/recipes-devtools/rust/rust.inc +++ b/poky/meta/recipes-devtools/rust/rust.inc @@ -79,7 +79,7 @@ python do_configure() { config = configparser.RawConfigParser() # [target.ARCH-poky-linux] - target_section = "target.{}".format(d.getVar('TARGET_SYS', True)) + target_section = "target.{}".format(d.getVar('TARGET_SYS')) config.add_section(target_section) llvm_config = d.expand("${YOCTO_ALTERNATE_EXE_PATH}") @@ -90,7 +90,7 @@ python do_configure() { # If we don't do this rust-native will compile it's own llvm for BUILD. # [target.${BUILD_ARCH}-unknown-linux-gnu] - target_section = "target.{}".format(d.getVar('SNAPSHOT_BUILD_SYS', True)) + target_section = "target.{}".format(d.getVar('SNAPSHOT_BUILD_SYS')) config.add_section(target_section) config.set(target_section, "llvm-config", e(llvm_config)) @@ -124,26 +124,26 @@ python do_configure() { config.set("build", "vendor", e(True)) if not "targets" in locals(): - targets = [d.getVar("TARGET_SYS", True)] + targets = [d.getVar("TARGET_SYS")] config.set("build", "target", e(targets)) if not "hosts" in locals(): - hosts = [d.getVar("HOST_SYS", True)] + hosts = [d.getVar("HOST_SYS")] config.set("build", "host", e(hosts)) # We can't use BUILD_SYS since that is something the rust snapshot knows # nothing about when trying to build some stage0 tools (like fabricate) - config.set("build", "build", e(d.getVar("SNAPSHOT_BUILD_SYS", True))) + config.set("build", "build", e(d.getVar("SNAPSHOT_BUILD_SYS"))) # [install] config.add_section("install") # ./x.py install doesn't have any notion of "destdir" # but we can prepend ${D} to all the directories instead - config.set("install", "prefix", e(d.getVar("D", True) + d.getVar("prefix", True))) - config.set("install", "bindir", e(d.getVar("D", True) + d.getVar("bindir", True))) - config.set("install", "libdir", e(d.getVar("D", True) + d.getVar("libdir", True))) - config.set("install", "datadir", e(d.getVar("D", True) + d.getVar("datadir", True))) - config.set("install", "mandir", e(d.getVar("D", True) + d.getVar("mandir", True))) + config.set("install", "prefix", e(d.getVar("D") + d.getVar("prefix"))) + config.set("install", "bindir", e(d.getVar("D") + d.getVar("bindir"))) + config.set("install", "libdir", e(d.getVar("D") + d.getVar("libdir"))) + config.set("install", "datadir", e(d.getVar("D") + d.getVar("datadir"))) + config.set("install", "mandir", e(d.getVar("D") + d.getVar("mandir"))) with open("config.toml", "w") as f: f.write('changelog-seen = 2\n\n') diff --git a/poky/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch b/poky/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch index 44b2ce0a30..5a10c93a31 100644 --- a/poky/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch +++ b/poky/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch @@ -1,4 +1,4 @@ -Upstream-Status: Pending +Upstream-Status: Inappropriate [upstream does not support installed tests] Index: unix/Makefile.in =================================================================== diff --git a/poky/meta/recipes-devtools/vala/vala.inc b/poky/meta/recipes-devtools/vala/vala.inc index 974baa33f5..162e99bb03 100644 --- a/poky/meta/recipes-devtools/vala/vala.inc +++ b/poky/meta/recipes-devtools/vala/vala.inc @@ -42,20 +42,23 @@ EXTRA_OECONF += " --disable-valadoc" # Vapigen wrapper needs to be available system-wide, because it will be used # to build vapi files from all other packages with vala support do_install:append:class-target() { - install -d ${D}${bindir}/ - install ${B}/vapigen-wrapper ${D}${bindir}/ + install -d ${D}${bindir_crossscripts}/ + install ${B}/vapigen-wrapper ${D}${bindir_crossscripts}/ } # Put vapigen wrapper into target sysroot so that it can be used when building # vapi files. -SYSROOT_DIRS:append:class-target = " ${bindir}" +SYSROOT_DIRS += "${bindir_crossscripts}" + +inherit multilib_script +MULTILIB_SCRIPTS = "${PN}:${bindir}/vala-gen-introspect-0.56" SYSROOT_PREPROCESS_FUNCS:append:class-target = " vapigen_sysroot_preprocess" vapigen_sysroot_preprocess() { # Tweak the vapigen name in the vapigen pkgconfig file, so that it picks # up our wrapper. sed -i \ - -e "s|vapigen=.*|vapigen=${bindir}/vapigen-wrapper|" \ + -e "s|vapigen=.*|vapigen=${bindir_crossscripts}/vapigen-wrapper|" \ ${SYSROOT_DESTDIR}${libdir}/pkgconfig/vapigen-${SHRT_VER}.pc } @@ -64,5 +67,5 @@ SSTATE_SCAN_FILES += "vapigen-wrapper" PACKAGE_PREPROCESS_FUNCS += "vala_package_preprocess" vala_package_preprocess () { - sed -i -e 's:${RECIPE_SYSROOT}::g;' ${PKGD}${bindir}/vapigen-wrapper + rm -rf ${PKGD}${bindir_crossscripts} } diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 index 887bfd2766..4477f39132 100644 --- a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 +++ b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 @@ -1,211 +1,7 @@ -gdbserver_tests/hgtls -cachegrind/tests/ann1 -callgrind/tests/simwork1 -callgrind/tests/simwork2 -callgrind/tests/simwork3 -callgrind/tests/simwork-both -callgrind/tests/simwork-cache -callgrind/tests/threads -callgrind/tests/threads-use -drd/tests/annotate_barrier -drd/tests/annotate_barrier_xml -drd/tests/annotate_hbefore -drd/tests/annotate_hb_err -drd/tests/annotate_hb_race -drd/tests/annotate_ignore_read -drd/tests/annotate_ignore_rw -drd/tests/annotate_ignore_rw2 -drd/tests/annotate_ignore_write -drd/tests/annotate_ignore_write2 -drd/tests/annotate_order_1 -drd/tests/annotate_order_2 -drd/tests/annotate_order_3 -drd/tests/annotate_publish_hg -drd/tests/annotate_rwlock -drd/tests/annotate_rwlock_hg -drd/tests/annotate_sem -drd/tests/annotate_smart_pointer -drd/tests/annotate_smart_pointer2 -drd/tests/annotate_spinlock -drd/tests/annotate_static -drd/tests/annotate_trace_memory -drd/tests/annotate_trace_memory_xml -drd/tests/atomic_var -drd/tests/bar_bad -drd/tests/bar_trivial drd/tests/boost_thread -drd/tests/bug-235681 -drd/tests/bug322621 -drd/tests/circular_buffer -drd/tests/concurrent_close -drd/tests/custom_alloc -drd/tests/custom_alloc_fiw -drd/tests/dlopen -drd/tests/fork-parallel -drd/tests/fork-serial -drd/tests/fp_race -drd/tests/fp_race2 -drd/tests/fp_race_xml -drd/tests/free_is_write -drd/tests/free_is_write2 -drd/tests/hg01_all_ok -drd/tests/hg02_deadlock -drd/tests/hg03_inherit -drd/tests/hg04_race -drd/tests/hg05_race2 -drd/tests/hg06_readshared -drd/tests/hold_lock_1 -drd/tests/hold_lock_2 -drd/tests/linuxthreads_det -drd/tests/matinv -drd/tests/memory_allocation -drd/tests/monitor_example -drd/tests/new_delete -drd/tests/pth_barrier -drd/tests/pth_barrier2 -drd/tests/pth_barrier3 -drd/tests/pth_barrier_race -drd/tests/pth_barrier_reinit -drd/tests/pth_broadcast -drd/tests/pth_cancel_locked -drd/tests/pth_cleanup_handler -drd/tests/pth_cond_race -drd/tests/pth_cond_race2 -drd/tests/pth_detached2 -drd/tests/pth_detached3 -drd/tests/pth_detached_sem -drd/tests/pth_inconsistent_cond_wait -drd/tests/pth_mutex_reinit -drd/tests/pth_once -drd/tests/pth_process_shared_mutex -drd/tests/pth_spinlock -drd/tests/pth_uninitialized_cond -drd/tests/read_and_free_race -drd/tests/recursive_mutex -drd/tests/rwlock_race -drd/tests/rwlock_test -drd/tests/rwlock_type_checking -drd/tests/sem_as_mutex -drd/tests/sem_as_mutex2 -drd/tests/sem_as_mutex3 -drd/tests/sem_open -drd/tests/sem_open2 -drd/tests/sem_open3 -drd/tests/sem_open_traced -drd/tests/sem_wait -drd/tests/sigalrm -drd/tests/sigaltstack -drd/tests/std_atomic -drd/tests/std_string -drd/tests/std_thread -drd/tests/std_thread2 -drd/tests/str_tester -drd/tests/tc01_simple_race -drd/tests/tc02_simple_tls -drd/tests/tc03_re_excl -drd/tests/tc04_free_lock -drd/tests/tc05_simple_race -drd/tests/tc06_two_races -drd/tests/tc07_hbl1 -drd/tests/tc08_hbl2 -drd/tests/tc10_rec_lock -drd/tests/tc11_XCHG -drd/tests/tc12_rwl_trivial -drd/tests/tc13_laog1 -drd/tests/tc15_laog_lockdel -drd/tests/tc16_byterace -drd/tests/tc17_sembar -drd/tests/tc18_semabuse -drd/tests/tc19_shadowmem -drd/tests/tc21_pthonce -drd/tests/tc22_exit_w_lock -drd/tests/tc23_bogus_condwait -helgrind/tests/annotate_rwlock -helgrind/tests/annotate_smart_pointer -helgrind/tests/bar_bad -helgrind/tests/bar_trivial -helgrind/tests/bug322621 -helgrind/tests/cond_init_destroy -helgrind/tests/cond_timedwait_invalid -helgrind/tests/cond_timedwait_test -helgrind/tests/free_is_write -helgrind/tests/hg01_all_ok -helgrind/tests/hg03_inherit -helgrind/tests/hg04_race -helgrind/tests/hg05_race2 -helgrind/tests/hg06_readshared -helgrind/tests/locked_vs_unlocked1_fwd -helgrind/tests/locked_vs_unlocked1_rev -helgrind/tests/locked_vs_unlocked2 -helgrind/tests/locked_vs_unlocked3 -helgrind/tests/pth_barrier1 -helgrind/tests/pth_barrier2 -helgrind/tests/pth_barrier3 -helgrind/tests/pth_destroy_cond -helgrind/tests/rwlock_race -helgrind/tests/rwlock_test -helgrind/tests/shmem_abits -helgrind/tests/stackteardown -helgrind/tests/t2t_laog -helgrind/tests/tc01_simple_race -helgrind/tests/tc02_simple_tls -helgrind/tests/tc03_re_excl -helgrind/tests/tc04_free_lock -helgrind/tests/tc05_simple_race -helgrind/tests/tc06_two_races -helgrind/tests/tc06_two_races_xml -helgrind/tests/tc07_hbl1 -helgrind/tests/tc08_hbl2 -helgrind/tests/tc09_bad_unlock -helgrind/tests/tc10_rec_lock -helgrind/tests/tc11_XCHG -helgrind/tests/tc12_rwl_trivial -helgrind/tests/tc13_laog1 -helgrind/tests/tc14_laog_dinphils -helgrind/tests/tc15_laog_lockdel -helgrind/tests/tc16_byterace -helgrind/tests/tc17_sembar -helgrind/tests/tc18_semabuse -helgrind/tests/tc19_shadowmem -helgrind/tests/tc20_verifywrap -helgrind/tests/tc21_pthonce -helgrind/tests/tc22_exit_w_lock -helgrind/tests/tc23_bogus_condwait -helgrind/tests/tc24_nonzero_sem -memcheck/tests/accounting -memcheck/tests/addressable -memcheck/tests/arm64-linux/scalar -memcheck/tests/atomic_incs -memcheck/tests/badaddrvalue -memcheck/tests/badfree -memcheck/tests/badfree-2trace -memcheck/tests/badfree3 -memcheck/tests/badjump -memcheck/tests/badjump2 -memcheck/tests/badloop -memcheck/tests/badpoll -memcheck/tests/badrw -memcheck/tests/big_blocks_freed_list -memcheck/tests/brk2 +gdbserver_tests/hgtls memcheck/tests/dw4 -memcheck/tests/err_disable4 -memcheck/tests/err_disable_arange1 -memcheck/tests/leak-autofreepool-5 -memcheck/tests/linux/lsframe1 -memcheck/tests/linux/lsframe2 -memcheck/tests/linux/with-space -memcheck/tests/origin5-bz2 -memcheck/tests/origin6-fp -memcheck/tests/partial_load_dflt -memcheck/tests/pdb-realloc2 -memcheck/tests/sh-mem -memcheck/tests/sh-mem-random -memcheck/tests/sigaltstack -memcheck/tests/sigkill -memcheck/tests/signal2 -memcheck/tests/threadname -memcheck/tests/threadname_xml -memcheck/tests/unit_oset +memcheck/tests/leak_cpp_interior memcheck/tests/varinfo1 memcheck/tests/varinfo2 memcheck/tests/varinfo3 @@ -213,21 +9,5 @@ memcheck/tests/varinfo4 memcheck/tests/varinfo5 memcheck/tests/varinfo6 memcheck/tests/varinforestrict -memcheck/tests/vcpu_bz2 -memcheck/tests/vcpu_fbench -memcheck/tests/vcpu_fnfns -memcheck/tests/wcs -memcheck/tests/wrap1 -memcheck/tests/wrap2 -memcheck/tests/wrap3 -memcheck/tests/wrap4 -memcheck/tests/wrap5 -memcheck/tests/wrap6 -memcheck/tests/wrap7 -memcheck/tests/wrap8 -memcheck/tests/wrapmalloc -memcheck/tests/wrapmallocstatic -memcheck/tests/writev1 -memcheck/tests/xml1 -memcheck/tests/linux/stack_changes -memcheck/tests/linux/timerfd-syscall +helgrind/tests/hg05_race2 +helgrind/tests/tc20_verifywrap diff --git a/poky/meta/recipes-extended/at/at_3.2.5.bb b/poky/meta/recipes-extended/at/at_3.2.5.bb index 87a436173f..c0c876a644 100644 --- a/poky/meta/recipes-extended/at/at_3.2.5.bb +++ b/poky/meta/recipes-extended/at/at_3.2.5.bb @@ -52,8 +52,10 @@ INITSCRIPT_PARAMS = "defaults" SYSTEMD_SERVICE:${PN} = "atd.service" -do_configure:prepend() { - cp -f ${WORKDIR}/posixtm.[ch] ${S} +do_patch[postfuncs] += "copy_posix_files" + +copy_posix_files() { + cp -f ${WORKDIR}/posixtm.[ch] ${S} } do_install () { diff --git a/poky/meta/recipes-extended/bash/bash/CVE-2022-3715.patch b/poky/meta/recipes-extended/bash/bash/CVE-2022-3715.patch new file mode 100644 index 0000000000..44f4d91949 --- /dev/null +++ b/poky/meta/recipes-extended/bash/bash/CVE-2022-3715.patch @@ -0,0 +1,33 @@ +From 15d2428d5d3df8dd826008baf51579ab7750d8b2 Mon Sep 17 00:00:00 2001 +From: Xiangyu Chen <xiangyu.chen@windriver.com> +Date: Wed, 23 Nov 2022 11:17:01 +0800 +Subject: [OE-Core][kirkstone][PATCH] bash: heap-buffer-overflow in + valid_parameter_transform CVE-2022-3715 + +Reference:https://bugzilla.redhat.com/show_bug.cgi?id=2126720 + +CVE: CVE-2022-3715 +Upstream-Status: Backport from +[https://git.savannah.gnu.org/cgit/bash.git/diff/subst.c?h=bash-5.2-testing&id=9cef6d01181525de119832d2b6a925899cdec08e] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + subst.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/subst.c b/subst.c +index 2b76256..38ee9ac 100644 +--- a/subst.c ++++ b/subst.c +@@ -7962,7 +7962,7 @@ parameter_brace_transform (varname, value, ind, xform, rtype, quoted, pflags, fl + return ((char *)NULL); + } + +- if (valid_parameter_transform (xform) == 0) ++ if (xform[0] == 0 || valid_parameter_transform (xform) == 0) + { + this_command_name = oname; + #if 0 /* TAG: bash-5.2 Martin Schulte <gnu@schrader-schulte.de> 10/2020 */ +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/bash/bash_5.1.16.bb b/poky/meta/recipes-extended/bash/bash_5.1.16.bb index d046faa4e5..11c2314fbf 100644 --- a/poky/meta/recipes-extended/bash/bash_5.1.16.bb +++ b/poky/meta/recipes-extended/bash/bash_5.1.16.bb @@ -15,6 +15,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \ file://use_aclocal.patch \ file://makerace.patch \ file://makerace2.patch \ + file://CVE-2022-3715.patch \ " SRC_URI[tarball.sha256sum] = "5bac17218d3911834520dad13cd1f85ab944e1c09ae1aba55906be1f8192f558" diff --git a/poky/meta/recipes-extended/bc/bc_1.07.1.bb b/poky/meta/recipes-extended/bc/bc_1.07.1.bb index 1bec76bb2a..5a03751304 100644 --- a/poky/meta/recipes-extended/bc/bc_1.07.1.bb +++ b/poky/meta/recipes-extended/bc/bc_1.07.1.bb @@ -32,4 +32,4 @@ do_compile:prepend() { ALTERNATIVE:${PN} = "bc dc" ALTERNATIVE_PRIORITY = "100" -BBCLASSEXTEND = "native" +BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-extended/cracklib/cracklib_2.9.8.bb b/poky/meta/recipes-extended/cracklib/cracklib_2.9.8.bb index 786940a7e0..a3db6eb394 100644 --- a/poky/meta/recipes-extended/cracklib/cracklib_2.9.8.bb +++ b/poky/meta/recipes-extended/cracklib/cracklib_2.9.8.bb @@ -9,7 +9,7 @@ DEPENDS = "cracklib-native zlib" EXTRA_OECONF = "--without-python --libdir=${base_libdir}" -SRC_URI = "git://github.com/cracklib/cracklib;protocol=https;branch=master \ +SRC_URI = "git://github.com/cracklib/cracklib;protocol=https;branch=main \ file://0001-packlib.c-support-dictionary-byte-order-dependent.patch \ file://0002-craklib-fix-testnum-and-teststr-failed.patch \ " diff --git a/poky/meta/recipes-extended/cups/cups.inc b/poky/meta/recipes-extended/cups/cups.inc index 4592980766..0acc5c575e 100644 --- a/poky/meta/recipes-extended/cups/cups.inc +++ b/poky/meta/recipes-extended/cups/cups.inc @@ -48,6 +48,7 @@ PACKAGECONFIG[gnutls] = "--with-tls=gnutls,--with-tls=no,gnutls" PACKAGECONFIG[pam] = "--enable-pam --with-pam-module=unix, --disable-pam, libpam" PACKAGECONFIG[systemd] = "--with-systemd=${systemd_system_unitdir},--without-systemd,systemd" PACKAGECONFIG[xinetd] = "--with-xinetd=${sysconfdir}/xinetd.d,--without-xinetd,xinetd" +PACKAGECONFIG[webif] = "--enable-webif,--disable-webif" EXTRA_OECONF = " \ --enable-dbus \ @@ -67,7 +68,7 @@ EXTRA_OECONF = " \ EXTRA_AUTORECONF += "--exclude=autoheader" do_install () { - oe_runmake "DESTDIR=${D}" install + oe_runmake "BUILDROOT=${D}" install # Remove /var/run from package as cupsd will populate it on startup rm -fr ${D}/${localstatedir}/run @@ -75,7 +76,7 @@ do_install () { rmdir ${D}/${libexecdir}/${BPN}/driver # Fix the pam configuration file permissions - if ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'true', 'false', d)}; then + if ${@bb.utils.contains('PACKAGECONFIG', 'pam', 'true', 'false', d)}; then chmod 0644 ${D}${sysconfdir}/pam.d/cups fi @@ -93,7 +94,7 @@ do_install () { fi } -PACKAGES =+ "${PN}-lib ${PN}-libimage" +PACKAGES =+ "${PN}-lib ${PN}-libimage ${PN}-webif" RDEPENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'procps', '', d)}" FILES:${PN} += "${libexecdir}/cups/" @@ -102,13 +103,10 @@ FILES:${PN}-lib = "${libdir}/libcups.so.*" FILES:${PN}-libimage = "${libdir}/libcupsimage.so.*" -#package the html for the webgui inside the main packages (~1MB uncompressed) +# put the html for the web interface into its own PACKAGE +FILES:${PN}-webif += "${datadir}/doc/cups/ ${datadir}/icons/" +RRECOMMENDS:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'webif', '${PN}-webif', '', d)}" -FILES:${PN} += "${datadir}/doc/cups/images \ - ${datadir}/doc/cups/*html \ - ${datadir}/doc/cups/*.css \ - ${datadir}/icons/ \ - " CONFFILES:${PN} += "${sysconfdir}/cups/cupsd.conf" MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/cups-config" diff --git a/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch b/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch index aac1c43465..8b88c308f2 100644 --- a/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch +++ b/poky/meta/recipes-extended/diffutils/diffutils/0001-Skip-strip-trailing-cr-test-case.patch @@ -1,4 +1,4 @@ -From bd7fb8be2ae2d75347cf7733302d5093046ffa85 Mon Sep 17 00:00:00 2001 +From 027229d25392b22d7280c0abbc3efde4f467d167 Mon Sep 17 00:00:00 2001 From: Peiran Hong <peiran.hong@windriver.com> Date: Thu, 5 Sep 2019 15:42:22 -0400 Subject: [PATCH] Skip strip-trailing-cr test case @@ -10,19 +10,21 @@ package. Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Peiran Hong <peiran.hong@windriver.com> + --- tests/Makefile.am | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/Makefile.am b/tests/Makefile.am -index 83a7c9d..04d51b5 100644 +index d98df82..757ea52 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am -@@ -21,8 +21,10 @@ TESTS = \ +@@ -21,9 +21,11 @@ TESTS = \ stdin \ strcoll-0-names \ filename-quoting \ - strip-trailing-cr \ + timezone \ colors +# Skipping this test since it requires valgrind +# and thus is too heavy for diffutils package @@ -30,6 +32,3 @@ index 83a7c9d..04d51b5 100644 XFAIL_TESTS = large-subopt --- -2.21.0 - diff --git a/poky/meta/recipes-extended/diffutils/diffutils/0001-mcontext-is-not-a-standard-layout-so-glibc-and-musl-.patch b/poky/meta/recipes-extended/diffutils/diffutils/0001-mcontext-is-not-a-standard-layout-so-glibc-and-musl-.patch deleted file mode 100644 index 4928e1eaff..0000000000 --- a/poky/meta/recipes-extended/diffutils/diffutils/0001-mcontext-is-not-a-standard-layout-so-glibc-and-musl-.patch +++ /dev/null @@ -1,33 +0,0 @@ -From f385ad6639380eb6dfa8b8eb4a5ba65dd12db744 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Fri, 25 Mar 2022 13:43:19 -0700 -Subject: [PATCH] mcontext is not a standard layout so glibc and musl differ - -This is already applied to libsigsegv upstream, hopefully next version -of grep will update its internal copy and we can drop this patch - -Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=libsigsegv.git;a=commitdiff;h=a6ff69873110c0a8ba6f7fd90532dbc11224828c] - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - lib/sigsegv.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/sigsegv.c b/lib/sigsegv.c -index 998c827..b6f4841 100644 ---- a/lib/sigsegv.c -+++ b/lib/sigsegv.c -@@ -219,8 +219,8 @@ int libsigsegv_version = LIBSIGSEGV_VERSION; - # define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *) ucp)->uc_mcontext.gp_regs[1] - # else /* 32-bit */ - /* both should be equivalent */ --# if 0 --# define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *) ucp)->uc_mcontext.regs->gpr[1] -+# if ! defined __GLIBC__ -+# define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *) ucp)->uc_regs->gregs[1] - # else - # define SIGSEGV_FAULT_STACKPOINTER ((ucontext_t *) ucp)->uc_mcontext.uc_regs->gregs[1] - # endif --- -2.35.1 - diff --git a/poky/meta/recipes-extended/diffutils/diffutils_3.8.bb b/poky/meta/recipes-extended/diffutils/diffutils_3.9.bb index 8889c83ee2..2bb9e6f32d 100644 --- a/poky/meta/recipes-extended/diffutils/diffutils_3.8.bb +++ b/poky/meta/recipes-extended/diffutils/diffutils_3.9.bb @@ -6,10 +6,9 @@ require diffutils.inc SRC_URI = "${GNU_MIRROR}/diffutils/diffutils-${PV}.tar.xz \ file://run-ptest \ file://0001-Skip-strip-trailing-cr-test-case.patch \ - file://0001-mcontext-is-not-a-standard-layout-so-glibc-and-musl-.patch \ " -SRC_URI[sha256sum] = "a6bdd7d1b31266d11c4f4de6c1b748d4607ab0231af5188fc2533d0ae2438fec" +SRC_URI[sha256sum] = "d80d3be90a201868de83d78dad3413ad88160cc53bcc36eb9eaf7c20dbf023f1" EXTRA_OECONF += "ac_cv_path_PR_PROGRAM=${bindir}/pr --without-libsigsegv-prefix" diff --git a/poky/meta/recipes-extended/groff/files/0001-Make-manpages-mulitlib-identical.patch b/poky/meta/recipes-extended/groff/files/0001-Make-manpages-mulitlib-identical.patch index 9105da6457..c3cfc7cea8 100644 --- a/poky/meta/recipes-extended/groff/files/0001-Make-manpages-mulitlib-identical.patch +++ b/poky/meta/recipes-extended/groff/files/0001-Make-manpages-mulitlib-identical.patch @@ -3,7 +3,7 @@ From: Jeremy Puhlman <jpuhlman@mvista.com> Date: Sat, 7 Mar 2020 00:59:13 +0000 Subject: [PATCH] Make manpages mulitlib identical -Upstream-Status: Pending +Upstream-Status: Submitted [by email to g.branden.robinson@gmail.com] Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> --- Makefile.am | 2 +- diff --git a/poky/meta/recipes-extended/groff/files/0001-replace-perl-w-with-use-warnings.patch b/poky/meta/recipes-extended/groff/files/0001-replace-perl-w-with-use-warnings.patch index eda6a40f51..b028fa20aa 100644 --- a/poky/meta/recipes-extended/groff/files/0001-replace-perl-w-with-use-warnings.patch +++ b/poky/meta/recipes-extended/groff/files/0001-replace-perl-w-with-use-warnings.patch @@ -15,7 +15,7 @@ doesn't work: So replace "perl -w" with "use warnings" to make it work. -Upstream-Status: Pending +Upstream-Status: Submitted [by email to g.branden.robinson@gmail.com] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> diff --git a/poky/meta/recipes-extended/less/less/CVE-2022-46663.patch b/poky/meta/recipes-extended/less/less/CVE-2022-46663.patch new file mode 100644 index 0000000000..4d61a52fa6 --- /dev/null +++ b/poky/meta/recipes-extended/less/less/CVE-2022-46663.patch @@ -0,0 +1,31 @@ +From a78e1351113cef564d790a730d657a321624d79c Mon Sep 17 00:00:00 2001 +From: Mark Nudelman <markn@greenwoodsoftware.com> +Date: Fri, 7 Oct 2022 19:25:46 -0700 +Subject: [PATCH] End OSC8 hyperlink on invalid embedded escape sequence. + + +CVE: CVE-2022-46663 +Upstream-Status: Backport [https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + line.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/line.c b/line.c +index 0ef9b07..9d49cf8 100644 +--- a/line.c ++++ b/line.c +@@ -633,8 +633,8 @@ ansi_step(pansi, ch) + /* Hyperlink ends with \7 or ESC-backslash. */ + if (ch == '\7') + return ANSI_END; +- if (pansi->prev_esc && ch == '\\') +- return ANSI_END; ++ if (pansi->prev_esc) ++ return (ch == '\\') ? ANSI_END : ANSI_ERR; + pansi->prev_esc = (ch == ESC); + return ANSI_MID; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/less/less_600.bb b/poky/meta/recipes-extended/less/less_600.bb index 9ebe39daab..f68281ac93 100644 --- a/poky/meta/recipes-extended/less/less_600.bb +++ b/poky/meta/recipes-extended/less/less_600.bb @@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \ DEPENDS = "ncurses" SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \ + file://CVE-2022-46663.patch \ " SRC_URI[sha256sum] = "6633d6aa2b3cc717afb2c205778c7c42c4620f63b1d682f3d12c98af0be74d20" diff --git a/poky/meta/recipes-extended/libarchive/libarchive_3.6.1.bb b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb index c795b41628..acc84de9da 100644 --- a/poky/meta/recipes-extended/libarchive/libarchive_3.6.1.bb +++ b/poky/meta/recipes-extended/libarchive/libarchive_3.6.2.bb @@ -30,12 +30,12 @@ PACKAGECONFIG[lz4] = "--with-lz4,--without-lz4,lz4," PACKAGECONFIG[mbedtls] = "--with-mbedtls,--without-mbedtls,mbedtls," PACKAGECONFIG[zstd] = "--with-zstd,--without-zstd,zstd," -EXTRA_OECONF += "--enable-largefile" +EXTRA_OECONF += "--enable-largefile --without-iconv" SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz" UPSTREAM_CHECK_URI = "http://libarchive.org/" -SRC_URI[sha256sum] = "c676146577d989189940f1959d9e3980d28513d74eedfbc6b7f15ea45fe54ee2" +SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3" inherit autotools update-alternatives pkgconfig diff --git a/poky/meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb b/poky/meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb index 66bc4ecdd1..6980135a92 100644 --- a/poky/meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb +++ b/poky/meta/recipes-extended/libtirpc/libtirpc_1.3.2.bb @@ -21,7 +21,7 @@ inherit autotools pkgconfig EXTRA_OECONF = "--disable-gssapi" do_install:append() { - chown root:root ${D}${sysconfdir}/netconfig + test -e ${D}${sysconfdir}/netconfig && chown root:root ${D}${sysconfdir}/netconfig } BBCLASSEXTEND = "native nativesdk" diff --git a/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb b/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.67.bb index 801162867c..838881f238 100644 --- a/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.66.bb +++ b/poky/meta/recipes-extended/lighttpd/lighttpd_1.4.67.bb @@ -19,7 +19,7 @@ SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.t file://lighttpd \ " -SRC_URI[sha256sum] = "47ac6e60271aa0196e65472d02d019556dc7c6d09df3b65df2c1ab6866348e3b" +SRC_URI[sha256sum] = "7e04d767f51a8d824b32e2483ef2950982920d427d1272ef4667f49d6f89f358" DEPENDS = "virtual/crypt" diff --git a/poky/meta/recipes-extended/lsof/lsof_4.94.0.bb b/poky/meta/recipes-extended/lsof/lsof_4.94.0.bb index c2b8bc839b..d50959d73c 100644 --- a/poky/meta/recipes-extended/lsof/lsof_4.94.0.bb +++ b/poky/meta/recipes-extended/lsof/lsof_4.94.0.bb @@ -19,6 +19,15 @@ SRCREV = "005e014e1abdadb2493d8b3ce87b37a2c0a2351d" S = "${WORKDIR}/git" + +inherit update-alternatives + +ALTERNATIVE:${PN} = "lsof" +ALTERNATIVE_LINK_NAME[lsof] = "${sbindir}/lsof" +# Make our priority higher than busybox +ALTERNATIVE_PRIORITY = "100" + + export LSOF_INCLUDE = "${STAGING_INCDIR}" do_configure () { diff --git a/poky/meta/recipes-extended/ltp/ltp/0001-clock_gettime04-set-threshold-based-on-the-clock-res.patch b/poky/meta/recipes-extended/ltp/ltp/0001-clock_gettime04-set-threshold-based-on-the-clock-res.patch new file mode 100644 index 0000000000..b4879221ad --- /dev/null +++ b/poky/meta/recipes-extended/ltp/ltp/0001-clock_gettime04-set-threshold-based-on-the-clock-res.patch @@ -0,0 +1,89 @@ +From 9851deb86ef257a98d7433280161d8ca685aa669 Mon Sep 17 00:00:00 2001 +From: Li Wang <liwang@redhat.com> +Date: Tue, 29 Mar 2022 13:03:51 +0800 +Subject: [PATCH] clock_gettime04: set threshold based on the clock resolution + +This is to get rid of the intermittent failures in clock_gettime04, +which are likely caused by different clock tick rates on platforms. +Here give two thresholds (in milliseconds) for comparison, one for +COARSE clock and one for the rest. + +Error log: + clock_gettime04.c:163: TFAIL: CLOCK_REALTIME_COARSE(syscall with old kernel spec): + Difference between successive readings greater than 5 ms (1): 10 + clock_gettime04.c:163: TFAIL: CLOCK_MONOTONIC_COARSE(vDSO with old kernel spec): + Difference between successive readings greater than 5 ms (2): 10 + +From Waiman Long: + That failure happens for CLOCK_REALTIME_COARSE which is a faster but less + precise version of CLOCK_REALTIME. The time resolution is actually a clock + tick. Since arm64 has a HZ rate of 100. That means each tick is 10ms. So a + CLOCK_REALTIME_COARSE threshold of 5ms is probably not enough. I would say + in the case of CLOCK_REALTIME_COARSE, we have to increase the threshold based + on the clock tick rate of the system. This is more a test failure than is + an inherent problem in the kernel. + +Fixes #898 + +Upstream-Status: Backport +[https://github.com/linux-test-project/ltp/commit/9851deb86ef257a98d7433280161d8ca685aa669] + +Reported-by: Eirik Fuller <efuller@redhat.com> +Signed-off-by: Li Wang <liwang@redhat.com> +Cc: Waiman Long <llong@redhat.com> +Cc: Viresh Kumar <viresh.kumar@linaro.org> +Reviewed-by: Cyril Hrubis <chrubis@suse.cz> +Acked-by: Waiman Long <longman@redhat.com> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + .../syscalls/clock_gettime/clock_gettime04.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/testcases/kernel/syscalls/clock_gettime/clock_gettime04.c b/testcases/kernel/syscalls/clock_gettime/clock_gettime04.c +index a8d2c5b38..c279da79e 100644 +--- a/testcases/kernel/syscalls/clock_gettime/clock_gettime04.c ++++ b/testcases/kernel/syscalls/clock_gettime/clock_gettime04.c +@@ -35,7 +35,7 @@ clockid_t clks[] = { + }; + + static gettime_t ptr_vdso_gettime, ptr_vdso_gettime64; +-static long long delta = 5; ++static long long delta, precise_delta, coarse_delta; + + static inline int do_vdso_gettime(gettime_t vdso, clockid_t clk_id, void *ts) + { +@@ -92,9 +92,18 @@ static struct time64_variants variants[] = { + + static void setup(void) + { ++ struct timespec res; ++ ++ clock_getres(CLOCK_REALTIME, &res); ++ precise_delta = 5 + res.tv_nsec / 1000000; ++ ++ clock_getres(CLOCK_REALTIME_COARSE, &res); ++ coarse_delta = 5 + res.tv_nsec / 1000000; ++ + if (tst_is_virt(VIRT_ANY)) { + tst_res(TINFO, "Running in a virtual machine, multiply the delta by 10."); +- delta *= 10; ++ precise_delta *= 10; ++ coarse_delta *= 10; + } + + find_clock_gettime_vdso(&ptr_vdso_gettime, &ptr_vdso_gettime64); +@@ -108,6 +117,11 @@ static void run(unsigned int i) + int count = 10000, ret; + unsigned int j; + ++ if (clks[i] == CLOCK_REALTIME_COARSE || clks[i] == CLOCK_MONOTONIC_COARSE) ++ delta = coarse_delta; ++ else ++ delta = precise_delta; ++ + do { + for (j = 0; j < ARRAY_SIZE(variants); j++) { + /* Refresh time in start */ +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/ltp/ltp_20220121.bb b/poky/meta/recipes-extended/ltp/ltp_20220121.bb index 4ae54492f3..51e8db4f1e 100644 --- a/poky/meta/recipes-extended/ltp/ltp_20220121.bb +++ b/poky/meta/recipes-extended/ltp/ltp_20220121.bb @@ -29,6 +29,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git;branch=master;protocol=ht file://0001-metadata-parse.sh-sort-filelist-for-reproducibility.patch \ file://disable_hanging_tests.patch \ file://0001-syscalls-pread02-extend-buffer-to-avoid-glibc-overflow-detection.patch \ + file://0001-clock_gettime04-set-threshold-based-on-the-clock-res.patch \ " S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-extended/mdadm/files/0001-mdadm-Fix-optional-write-behind-parameter.patch b/poky/meta/recipes-extended/mdadm/files/0001-mdadm-Fix-optional-write-behind-parameter.patch new file mode 100644 index 0000000000..186d1e76f2 --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-mdadm-Fix-optional-write-behind-parameter.patch @@ -0,0 +1,45 @@ +From 41edf6f45895193f4a523cb0a08d639c9ff9ccc9 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 22 Jun 2022 14:25:12 -0600 +Subject: [PATCH] mdadm: Fix optional --write-behind parameter + +The commit noted below changed the behaviour of --write-behind to +require an argument. This broke the 06wrmostly test with the error: + + mdadm: Invalid value for maximum outstanding write-behind writes: (null). + Must be between 0 and 16383. + +To fix this, check if optarg is NULL before parising it, as the origial +code did. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=41edf6f45895193f4a523cb0a08d639c9ff9ccc9] + +Fixes: 60815698c0ac ("Refactor parse_num and use it to parse optarg.") +Cc: Mateusz Grzonka <mateusz.grzonka@intel.com> +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Acked-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + mdadm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/mdadm.c b/mdadm.c +index d0c5e6de..56722ed9 100644 +--- a/mdadm.c ++++ b/mdadm.c +@@ -1201,8 +1201,9 @@ int main(int argc, char *argv[]) + case O(BUILD, WriteBehind): + case O(CREATE, WriteBehind): + s.write_behind = DEFAULT_MAX_WRITE_BEHIND; +- if (parse_num(&s.write_behind, optarg) != 0 || +- s.write_behind < 0 || s.write_behind > 16383) { ++ if (optarg && ++ (parse_num(&s.write_behind, optarg) != 0 || ++ s.write_behind < 0 || s.write_behind > 16383)) { + pr_err("Invalid value for maximum outstanding write-behind writes: %s.\n\tMust be between 0 and 16383.\n", + optarg); + exit(2); +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0001-tests-00raid0-add-a-test-that-validates-raid0-with-l.patch b/poky/meta/recipes-extended/mdadm/files/0001-tests-00raid0-add-a-test-that-validates-raid0-with-l.patch new file mode 100644 index 0000000000..1c95834a7e --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-tests-00raid0-add-a-test-that-validates-raid0-with-l.patch @@ -0,0 +1,41 @@ +From 7539254342bc591717b0051734cc6c09c1b88640 Mon Sep 17 00:00:00 2001 +From: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Date: Wed, 22 Jun 2022 14:25:13 -0600 +Subject: [PATCH] tests/00raid0: add a test that validates raid0 with layout + fails for 0.9 + +329dfc28debb disallows the creation of raid0 with layouts for 0.9 +metadata. This test confirms the new behavior. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=7539254342bc591717b0051734cc6c09c1b88640] + +Signed-off-by: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Signed-off-by: Himanshu Madhani <himanshu.madhani@oracle.com> +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/00raid0 | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/tests/00raid0 b/tests/00raid0 +index 8bc18985..e6b21cc4 100644 +--- a/tests/00raid0 ++++ b/tests/00raid0 +@@ -6,11 +6,9 @@ check raid0 + testdev $md0 3 $mdsize2_l 512 + mdadm -S $md0 + +-# now with version-0.90 superblock ++# verify raid0 with layouts fail for 0.90 + mdadm -CR $md0 -e0.90 -l0 -n4 $dev0 $dev1 $dev2 $dev3 +-check raid0 +-testdev $md0 4 $mdsize0 512 +-mdadm -S $md0 ++check opposite_result + + # now with no superblock + mdadm -B $md0 -l0 -n5 $dev0 $dev1 $dev2 $dev3 $dev4 +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0001-tests-00readonly-Run-udevadm-settle-before-setting-r.patch b/poky/meta/recipes-extended/mdadm/files/0001-tests-00readonly-Run-udevadm-settle-before-setting-r.patch new file mode 100644 index 0000000000..c621c082e8 --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-tests-00readonly-Run-udevadm-settle-before-setting-r.patch @@ -0,0 +1,39 @@ +From 39b381252c32275079344d30de18b76fda4bba26 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe <logang@deltatee.com> +Date: Wed, 27 Jul 2022 15:52:45 -0600 +Subject: [PATCH] tests/00readonly: Run udevadm settle before setting ro + +In some recent kernel versions, 00readonly fails with: + + mdadm: failed to set readonly for /dev/md0: Device or resource busy + ERROR: array is not read-only! + +This was traced down to a race condition with udev holding a reference +to the block device at the same time as trying to set it read only. + +To fix this, call udevadm settle before setting the array read only. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=39b381252c32275079344d30de18b76fda4bba26] + +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jsorensen@fb.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/00readonly | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/00readonly b/tests/00readonly +index 39202487..afe243b3 100644 +--- a/tests/00readonly ++++ b/tests/00readonly +@@ -12,6 +12,7 @@ do + $dev1 $dev2 $dev3 $dev4 --assume-clean + check nosync + check $level ++ udevadm settle + mdadm -ro $md0 + check readonly + state=$(cat /sys/block/md0/md/array_state) +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0001-tests-02lineargrow-clear-the-superblock-at-every-ite.patch b/poky/meta/recipes-extended/mdadm/files/0001-tests-02lineargrow-clear-the-superblock-at-every-ite.patch new file mode 100644 index 0000000000..1a7104b76d --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-tests-02lineargrow-clear-the-superblock-at-every-ite.patch @@ -0,0 +1,33 @@ +From a2c832465fc75202e244327b2081231dfa974617 Mon Sep 17 00:00:00 2001 +From: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Date: Wed, 22 Jun 2022 14:25:16 -0600 +Subject: [PATCH] tests/02lineargrow: clear the superblock at every iteration + +This fixes 02lineargrow test as prior metadata causes --add operation +to misbehave. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=a2c832465fc75202e244327b2081231dfa974617] + +Signed-off-by: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Signed-off-by: Himanshu Madhani <himanshu.madhani@oracle.com> +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/02lineargrow | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/02lineargrow b/tests/02lineargrow +index e05c219d..595bf9f2 100644 +--- a/tests/02lineargrow ++++ b/tests/02lineargrow +@@ -20,4 +20,6 @@ do + testdev $md0 3 $sz 1 + + mdadm -S $md0 ++ mdadm --zero /dev/loop2 ++ mdadm --zero /dev/loop3 + done +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0001-tests-04update-metadata-avoid-passing-chunk-size-to.patch b/poky/meta/recipes-extended/mdadm/files/0001-tests-04update-metadata-avoid-passing-chunk-size-to.patch new file mode 100644 index 0000000000..9098fb2540 --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-tests-04update-metadata-avoid-passing-chunk-size-to.patch @@ -0,0 +1,41 @@ +From de045db607b1ac4b70fc2a8878463e029c2ab1dc Mon Sep 17 00:00:00 2001 +From: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Date: Wed, 22 Jun 2022 14:25:15 -0600 +Subject: [PATCH] tests/04update-metadata: avoid passing chunk size to raid1 + +'04update-metadata' test fails with error, "specifying chunk size is +forbidden for this level" added by commit, 5b30a34aa4b5e. Hence, +correcting the test to ignore passing chunk size to raid1. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=de045db607b1ac4b70fc2a8878463e029c2ab1dc] + +Signed-off-by: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Signed-off-by: Himanshu Madhani <himanshu.madhani@oracle.com> +[logang@deltatee.com: fix if/then style and dropped unrelated hunk] +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/04update-metadata | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tests/04update-metadata b/tests/04update-metadata +index 08c14af7..2b72a303 100644 +--- a/tests/04update-metadata ++++ b/tests/04update-metadata +@@ -11,7 +11,11 @@ dlist="$dev0 $dev1 $dev2 $dev3" + for ls in linear/4 raid1/1 raid5/3 raid6/2 + do + s=${ls#*/} l=${ls%/*} +- mdadm -CR --assume-clean -e 0.90 $md0 --level $l -n 4 -c 64 $dlist ++ if [[ $l == 'raid1' ]]; then ++ mdadm -CR --assume-clean -e 0.90 $md0 --level $l -n 4 $dlist ++ else ++ mdadm -CR --assume-clean -e 0.90 $md0 --level $l -n 4 -c 64 $dlist ++ fi + testdev $md0 $s 19904 64 + mdadm -S $md0 + mdadm -A $md0 --update=metadata $dlist +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/mdadm/files/0001-tests-fix-raid0-tests-for-0.90-metadata.patch b/poky/meta/recipes-extended/mdadm/files/0001-tests-fix-raid0-tests-for-0.90-metadata.patch new file mode 100644 index 0000000000..d2e7d8ee50 --- /dev/null +++ b/poky/meta/recipes-extended/mdadm/files/0001-tests-fix-raid0-tests-for-0.90-metadata.patch @@ -0,0 +1,102 @@ +From 14c2161edb77d7294199e8aa7daa9f9d1d0ad5d7 Mon Sep 17 00:00:00 2001 +From: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Date: Wed, 22 Jun 2022 14:25:14 -0600 +Subject: [PATCH] tests: fix raid0 tests for 0.90 metadata + +Some of the test cases fail because raid0 creation fails with the error, +"0.90 metadata does not support layouts for RAID0" added by commit, +329dfc28debb. Fix some of the test cases by switching from raid0 to +linear level for 0.9 metadata where possible. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=14c2161edb77d7294199e8aa7daa9f9d1d0ad5d7] + +Signed-off-by: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com> +Signed-off-by: Himanshu Madhani <himanshu.madhani@oracle.com> +Signed-off-by: Logan Gunthorpe <logang@deltatee.com> +Signed-off-by: Jes Sorensen <jes@trained-monkey.org> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/00raid0 | 4 ++-- + tests/00readonly | 4 ++++ + tests/03r0assem | 6 +++--- + tests/04r0update | 4 ++-- + tests/04update-metadata | 2 +- + 5 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/tests/00raid0 b/tests/00raid0 +index e6b21cc4..9b8896cb 100644 +--- a/tests/00raid0 ++++ b/tests/00raid0 +@@ -20,8 +20,8 @@ mdadm -S $md0 + # now same again with different chunk size + for chunk in 4 32 256 + do +- mdadm -CR $md0 -e0.90 -l raid0 --chunk $chunk -n3 $dev0 $dev1 $dev2 +- check raid0 ++ mdadm -CR $md0 -e0.90 -l linear --chunk $chunk -n3 $dev0 $dev1 $dev2 ++ check linear + testdev $md0 3 $mdsize0 $chunk + mdadm -S $md0 + +diff --git a/tests/00readonly b/tests/00readonly +index 28b0fa13..39202487 100644 +--- a/tests/00readonly ++++ b/tests/00readonly +@@ -4,6 +4,10 @@ for metadata in 0.9 1.0 1.1 1.2 + do + for level in linear raid0 raid1 raid4 raid5 raid6 raid10 + do ++ if [[ $metadata == "0.9" && $level == "raid0" ]]; ++ then ++ continue ++ fi + mdadm -CR $md0 -l $level -n 4 --metadata=$metadata \ + $dev1 $dev2 $dev3 $dev4 --assume-clean + check nosync +diff --git a/tests/03r0assem b/tests/03r0assem +index 6744e322..44df0645 100644 +--- a/tests/03r0assem ++++ b/tests/03r0assem +@@ -68,9 +68,9 @@ mdadm -S $md2 + ### Now for version 0... + + mdadm --zero-superblock $dev0 $dev1 $dev2 +-mdadm -CR $md2 -l0 --metadata=0.90 -n3 $dev0 $dev1 $dev2 +-check raid0 +-tst="testdev $md2 3 $mdsize0 512" ++mdadm -CR $md2 -llinear --metadata=0.90 -n3 $dev0 $dev1 $dev2 ++check linear ++tst="testdev $md2 3 $mdsize0 1" + $tst + + uuid=`mdadm -Db $md2 | sed 's/.*UUID=//'` +diff --git a/tests/04r0update b/tests/04r0update +index 73ee3b9f..b95efb06 100644 +--- a/tests/04r0update ++++ b/tests/04r0update +@@ -1,7 +1,7 @@ + + # create a raid0, re-assemble with a different super-minor +-mdadm -CR -e 0.90 $md0 -l0 -n3 $dev0 $dev1 $dev2 +-testdev $md0 3 $mdsize0 512 ++mdadm -CR -e 0.90 $md0 -llinear -n3 $dev0 $dev1 $dev2 ++testdev $md0 3 $mdsize0 1 + minor1=`mdadm -E $dev0 | sed -n -e 's/.*Preferred Minor : //p'` + mdadm -S /dev/md0 + +diff --git a/tests/04update-metadata b/tests/04update-metadata +index 232fc1ff..08c14af7 100644 +--- a/tests/04update-metadata ++++ b/tests/04update-metadata +@@ -8,7 +8,7 @@ set -xe + + dlist="$dev0 $dev1 $dev2 $dev3" + +-for ls in raid0/4 linear/4 raid1/1 raid5/3 raid6/2 ++for ls in linear/4 raid1/1 raid5/3 raid6/2 + do + s=${ls#*/} l=${ls%/*} + mdadm -CR --assume-clean -e 0.90 $md0 --level $l -n 4 -c 64 $dlist +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb b/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb index 19035caaec..4aa3737562 100644 --- a/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb +++ b/poky/meta/recipes-extended/mdadm/mdadm_4.2.bb @@ -24,6 +24,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \ file://0001-mdadm-skip-test-11spare-migration.patch \ file://0001-Fix-parsing-of-r-in-monitor-manager-mode.patch \ file://0001-Makefile-install-mdcheck.patch \ + file://0001-mdadm-Fix-optional-write-behind-parameter.patch \ + file://0001-tests-02lineargrow-clear-the-superblock-at-every-ite.patch \ + file://0001-tests-00raid0-add-a-test-that-validates-raid0-with-l.patch \ + file://0001-tests-fix-raid0-tests-for-0.90-metadata.patch \ + file://0001-tests-00readonly-Run-udevadm-settle-before-setting-r.patch \ + file://0001-tests-04update-metadata-avoid-passing-chunk-size-to.patch \ " SRC_URI[sha256sum] = "461c215670864bb74a4d1a3620684aa2b2f8296dffa06743f26dda5557acf01d" diff --git a/poky/meta/recipes-extended/newt/files/0001-detect-gold-as-GNU-linker-too.patch b/poky/meta/recipes-extended/newt/files/0001-detect-gold-as-GNU-linker-too.patch index a4b3afd959..090ed5c1c9 100644 --- a/poky/meta/recipes-extended/newt/files/0001-detect-gold-as-GNU-linker-too.patch +++ b/poky/meta/recipes-extended/newt/files/0001-detect-gold-as-GNU-linker-too.patch @@ -1,4 +1,4 @@ -From 58245b859ffbcb1780575bf1b0a018d55e74e434 Mon Sep 17 00:00:00 2001 +From 08ba909500412611953aea0fa2fe0d8fe76b6e24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20M=C3=BCller?= <schnitzeltony@googlemail.com> Date: Wed, 21 Sep 2016 21:14:40 +0200 Subject: [PATCH] detect gold as GNU linker too @@ -9,23 +9,21 @@ Content-Transfer-Encoding: 8bit Upstream-Status: Pending Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com> + --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 03e8bda..c2fce51 100644 +index 468c718..cd93f30 100644 --- a/configure.ac +++ b/configure.ac @@ -28,7 +28,7 @@ AC_CHECK_SIZEOF([void *]) AC_MSG_CHECKING([for GNU ld]) - LD=`$CC -print-prog-name=ld 2>&5` + LD=$($CC -print-prog-name=ld 2>&5) --if test `$LD -v 2>&1 | $ac_cv_path_GREP -c "GNU ld"` = 0; then -+if test `$LD -v 2>&1 | $ac_cv_path_GREP -c "GNU "` = 0; then +-if test $($LD -v 2>&1 | $ac_cv_path_GREP -c "GNU ld") = 0; then ++if test $($LD -v 2>&1 | $ac_cv_path_GREP -c "GNU ") = 0; then # Not GNU_LD="" AC_MSG_RESULT([no]) --- -2.5.5 - diff --git a/poky/meta/recipes-extended/newt/files/0002-don-t-ignore-CFLAGS-when-building-snack.patch b/poky/meta/recipes-extended/newt/files/0002-don-t-ignore-CFLAGS-when-building-snack.patch deleted file mode 100644 index ca235d5108..0000000000 --- a/poky/meta/recipes-extended/newt/files/0002-don-t-ignore-CFLAGS-when-building-snack.patch +++ /dev/null @@ -1,29 +0,0 @@ -From f60dc1063607ca1f201ba4cbda467d8af3f78f64 Mon Sep 17 00:00:00 2001 -From: Miroslav Lichvar <mlichvar@redhat.com> -Date: Tue, 1 Oct 2019 16:37:55 +0200 -Subject: [PATCH] don't ignore CFLAGS when building snack - -In addition to the flags returned by python-config --cflags, use the -user-specified CFLAGS when building the snack object. - -Upstream-Status: Backport from master -Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> ---- - Makefile.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index be5f87b..6facd5e 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -96,8 +96,8 @@ _snack.$(SOEXT): snack.c $(LIBNEWTSH) - PIFLAGS=`$$pyconfig --includes`; \ - PLDFLAGS=`$$pyconfig --ldflags`; \ - PLFLAGS=`$$pyconfig --libs`; \ -- echo $(CC) $(SHCFLAGS) $(CPPFLAGS) $$PIFLAGS $$PCFLAGS -c -o $$ver/snack.o snack.c; \ -- $(CC) $(SHCFLAGS) $(CPPFLAGS) $$PIFLAGS $$PCFLAGS -c -o $$ver/snack.o snack.c; \ -+ echo $(CC) $(SHCFLAGS) $(CFLAGS) $(CPPFLAGS) $$PIFLAGS $$PCFLAGS -c -o $$ver/snack.o snack.c; \ -+ $(CC) $(SHCFLAGS) $(CFLAGS) $(CPPFLAGS) $$PIFLAGS $$PCFLAGS -c -o $$ver/snack.o snack.c; \ - echo $(CC) --shared $$PLDFLAGS $$PLFLAGS $(LDFLAGS) -o $$ver/_snack.$(SOEXT) $$ver/snack.o -L. -lnewt $(LIBS); \ - $(CC) --shared $$PLDFLAGS $$PLFLAGS $(LDFLAGS) -o $$ver/_snack.$(SOEXT) $$ver/snack.o -L. -lnewt $(LIBS); \ - done || : diff --git a/poky/meta/recipes-extended/newt/libnewt_0.52.21.bb b/poky/meta/recipes-extended/newt/libnewt_0.52.23.bb index 430e481b36..cd3731cf74 100644 --- a/poky/meta/recipes-extended/newt/libnewt_0.52.21.bb +++ b/poky/meta/recipes-extended/newt/libnewt_0.52.23.bb @@ -21,11 +21,9 @@ SRC_URI = "https://releases.pagure.org/newt/newt-${PV}.tar.gz \ file://cross_ar.patch \ file://Makefile.in-Add-tinfo-library-to-the-linking-librari.patch \ file://0001-detect-gold-as-GNU-linker-too.patch \ - file://0002-don-t-ignore-CFLAGS-when-building-snack.patch \ " -SRC_URI[md5sum] = "a0a5fd6b53bb167a65e15996b249ebb5" -SRC_URI[sha256sum] = "265eb46b55d7eaeb887fca7a1d51fe115658882dfe148164b6c49fccac5abb31" +SRC_URI[sha256sum] = "caa372907b14ececfe298f0d512a62f41d33b290610244a58aed07bbc5ada12a" S = "${WORKDIR}/newt-${PV}" diff --git a/poky/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch b/poky/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch new file mode 100644 index 0000000000..e7bf03f9f7 --- /dev/null +++ b/poky/meta/recipes-extended/pam/libpam/CVE-2022-28321-0002.patch @@ -0,0 +1,205 @@ +From 23393bef92c1e768eda329813d7af55481c6ca9f Mon Sep 17 00:00:00 2001 +From: Thorsten Kukuk <kukuk@suse.com> +Date: Thu, 24 Feb 2022 10:37:32 +0100 +Subject: [PATCH 2/2] pam_access: handle hostnames in access.conf + +According to the manual page, the following entry is valid but does not +work: +-:root:ALL EXCEPT localhost + +See https://bugzilla.suse.com/show_bug.cgi?id=1019866 + +Patched is based on PR#226 from Josef Moellers + +Upstream-Status: Backport +CVE: CVE-2022-28321 + +Reference to upstream patch: +[https://github.com/linux-pam/linux-pam/commit/23393bef92c1e768eda329813d7af55481c6ca9f] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + modules/pam_access/pam_access.c | 95 ++++++++++++++++++++++++++------- + 1 file changed, 76 insertions(+), 19 deletions(-) + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index 277192b..bca424f 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -637,7 +637,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) + if ((str_len = strlen(string)) > tok_len + && strcasecmp(tok, string + str_len - tok_len) == 0) + return YES; +- } else if (tok[tok_len - 1] == '.') { ++ } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ + struct addrinfo hint; + + memset (&hint, '\0', sizeof (hint)); +@@ -678,7 +678,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) + return NO; + } + +- /* Assume network/netmask with an IP of a host. */ ++ /* Assume network/netmask, IP address or hostname. */ + return network_netmask_match(pamh, tok, string, item); + } + +@@ -696,7 +696,7 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, + /* + * If the token has the magic value "ALL" the match always succeeds. + * Otherwise, return YES if the token fully matches the string. +- * "NONE" token matches NULL string. ++ * "NONE" token matches NULL string. + */ + + if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */ +@@ -714,7 +714,8 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, + + /* network_netmask_match - match a string against one token + * where string is a hostname or ip (v4,v6) address and tok +- * represents either a single ip (v4,v6) address or a network/netmask ++ * represents either a hostname, a single ip (v4,v6) address ++ * or a network/netmask + */ + static int + network_netmask_match (pam_handle_t *pamh, +@@ -723,10 +724,12 @@ network_netmask_match (pam_handle_t *pamh, + char *netmask_ptr; + char netmask_string[MAXHOSTNAMELEN + 1]; + int addr_type; ++ struct addrinfo *ai = NULL; + + if (item->debug) +- pam_syslog (pamh, LOG_DEBUG, ++ pam_syslog (pamh, LOG_DEBUG, + "network_netmask_match: tok=%s, item=%s", tok, string); ++ + /* OK, check if tok is of type addr/mask */ + if ((netmask_ptr = strchr(tok, '/')) != NULL) + { +@@ -760,54 +763,108 @@ network_netmask_match (pam_handle_t *pamh, + netmask_ptr = number_to_netmask(netmask, addr_type, + netmask_string, MAXHOSTNAMELEN); + } +- } ++ ++ /* ++ * Construct an addrinfo list from the IP address. ++ * This should not fail as the input is a correct IP address... ++ */ ++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) ++ { ++ return NO; ++ } ++ } + else +- /* NO, then check if it is only an addr */ +- if (isipaddr(tok, NULL, NULL) != YES) ++ { ++ /* ++ * It is either an IP address or a hostname. ++ * Let getaddrinfo sort everything out ++ */ ++ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { ++ pam_syslog(pamh, LOG_ERR, "cannot resolve hostname \"%s\"", tok); ++ + return NO; + } ++ netmask_ptr = NULL; ++ } + + if (isipaddr(string, NULL, NULL) != YES) + { +- /* Assume network/netmask with a name of a host. */ + struct addrinfo hint; + ++ /* Assume network/netmask with a name of a host. */ + memset (&hint, '\0', sizeof (hint)); + hint.ai_flags = AI_CANONNAME; + hint.ai_family = AF_UNSPEC; + + if (item->gai_rv != 0) ++ { ++ freeaddrinfo(ai); + return NO; ++ } + else if (!item->res && + (item->gai_rv = getaddrinfo (string, NULL, &hint, &item->res)) != 0) ++ { ++ freeaddrinfo(ai); + return NO; ++ } + else + { + struct addrinfo *runp = item->res; ++ struct addrinfo *runp1; + + while (runp != NULL) + { + char buf[INET6_ADDRSTRLEN]; + +- DIAG_PUSH_IGNORE_CAST_ALIGN; +- inet_ntop (runp->ai_family, +- runp->ai_family == AF_INET +- ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr +- : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr, +- buf, sizeof (buf)); +- DIAG_POP_IGNORE_CAST_ALIGN; ++ if (getnameinfo (runp->ai_addr, runp->ai_addrlen, buf, sizeof (buf), NULL, 0, NI_NUMERICHOST) != 0) ++ { ++ freeaddrinfo(ai); ++ return NO; ++ } + +- if (are_addresses_equal(buf, tok, netmask_ptr)) ++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) + { +- return YES; ++ char buf1[INET6_ADDRSTRLEN]; ++ ++ if (runp->ai_family != runp1->ai_family) ++ continue; ++ ++ if (getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST) != 0) ++ { ++ freeaddrinfo(ai); ++ return NO; ++ } ++ ++ if (are_addresses_equal (buf, buf1, netmask_ptr)) ++ { ++ freeaddrinfo(ai); ++ return YES; ++ } + } + runp = runp->ai_next; + } + } + } + else +- return (are_addresses_equal(string, tok, netmask_ptr)); ++ { ++ struct addrinfo *runp1; ++ ++ for (runp1 = ai; runp1 != NULL; runp1 = runp1->ai_next) ++ { ++ char buf1[INET6_ADDRSTRLEN]; ++ ++ (void) getnameinfo (runp1->ai_addr, runp1->ai_addrlen, buf1, sizeof (buf1), NULL, 0, NI_NUMERICHOST); ++ ++ if (are_addresses_equal(string, buf1, netmask_ptr)) ++ { ++ freeaddrinfo(ai); ++ return YES; ++ } ++ } ++ } ++ ++ freeaddrinfo(ai); + + return NO; + } +-- +2.37.3 + diff --git a/poky/meta/recipes-extended/screen/screen/CVE-2023-24626.patch b/poky/meta/recipes-extended/screen/screen/CVE-2023-24626.patch new file mode 100644 index 0000000000..73caf9d81b --- /dev/null +++ b/poky/meta/recipes-extended/screen/screen/CVE-2023-24626.patch @@ -0,0 +1,40 @@ +From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001 +From: Alexander Naumov <alexander_naumov@opensuse.org> +Date: Mon, 30 Jan 2023 17:22:25 +0200 +Subject: fix: missing signal sending permission check on failed query messages + +Signed-off-by: Alexander Naumov <alexander_naumov@opensuse.org> + +CVE: CVE-2023-24626 +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + socket.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/socket.c b/socket.c +index bb68b35..9d87445 100644 +--- a/socket.c ++++ b/socket.c +@@ -1285,11 +1285,16 @@ ReceiveMsg() + else + queryflag = -1; + +- Kill(m.m.command.apid, ++ if (CheckPid(m.m.command.apid)) { ++ Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid); ++ } ++ else { ++ Kill(m.m.command.apid, + (queryflag >= 0) + ? SIGCONT + : SIG_BYE); /* Send SIG_BYE if an error happened */ +- queryflag = -1; ++ queryflag = -1; ++ } + } + break; + case MSG_COMMAND: +-- +2.25.1 + diff --git a/poky/meta/recipes-extended/screen/screen_4.9.0.bb b/poky/meta/recipes-extended/screen/screen_4.9.0.bb index b36173b8de..19070d87d8 100644 --- a/poky/meta/recipes-extended/screen/screen_4.9.0.bb +++ b/poky/meta/recipes-extended/screen/screen_4.9.0.bb @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \ file://0002-comm.h-now-depends-on-term.h.patch \ file://0001-fix-for-multijob-build.patch \ file://0001-Remove-more-compatibility-stuff.patch \ + file://CVE-2023-24626.patch \ " SRC_URI[sha256sum] = "f9335281bb4d1538ed078df78a20c2f39d3af9a4e91c57d084271e0289c730f4" diff --git a/poky/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch b/poky/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch new file mode 100644 index 0000000000..ac08be515b --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch @@ -0,0 +1,65 @@ +From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> +Date: Fri, 31 Mar 2023 14:46:50 +0200 +Subject: [PATCH] Overhaul valid_field() + +e5905c4b ("Added control character check") introduced checking for +control characters but had the logic inverted, so it rejects all +characters that are not control ones. + +Cast the character to `unsigned char` before passing to the character +checking functions to avoid UB. + +Use strpbrk(3) for the illegal character test and return early. + +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + lib/fields.c | 24 ++++++++++-------------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index fb51b582..53929248 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal) + + /* For each character of field, search if it appears in the list + * of illegal characters. */ ++ if (illegal && NULL != strpbrk (field, illegal)) { ++ return -1; ++ } ++ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { +- if (strchr (illegal, *cp) != NULL) { ++ unsigned char c = *cp; ++ if (!isprint (c)) { ++ err = 1; ++ } ++ if (iscntrl (c)) { + err = -1; + break; + } + } + +- if (0 == err) { +- /* Search if there are non-printable or control characters */ +- for (cp = field; '\0' != *cp; cp++) { +- if (!isprint (*cp)) { +- err = 1; +- } +- if (!iscntrl (*cp)) { +- err = -1; +- break; +- } +- } +- } +- + return err; + } + +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/shadow/files/CVE-2023-29383.patch b/poky/meta/recipes-extended/shadow/files/CVE-2023-29383.patch new file mode 100644 index 0000000000..f53341d3fc --- /dev/null +++ b/poky/meta/recipes-extended/shadow/files/CVE-2023-29383.patch @@ -0,0 +1,53 @@ +From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001 +From: tomspiderlabs <128755403+tomspiderlabs@users.noreply.github.com> +Date: Thu, 23 Mar 2023 23:39:38 +0000 +Subject: [PATCH] Added control character check + +Added control character check, returning -1 (to "err") if control characters are present. + +CVE: CVE-2023-29383 +Upstream-Status: Backport + +Reference to upstream: +https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + lib/fields.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/fields.c b/lib/fields.c +index 640be931..fb51b582 100644 +--- a/lib/fields.c ++++ b/lib/fields.c +@@ -21,9 +21,9 @@ + * + * The supplied field is scanned for non-printable and other illegal + * characters. +- * + -1 is returned if an illegal character is present. +- * + 1 is returned if no illegal characters are present, but the field +- * contains a non-printable character. ++ * + -1 is returned if an illegal or control character is present. ++ * + 1 is returned if no illegal or control characters are present, ++ * but the field contains a non-printable character. + * + 0 is returned otherwise. + */ + int valid_field (const char *field, const char *illegal) +@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) + } + + if (0 == err) { +- /* Search if there are some non-printable characters */ ++ /* Search if there are non-printable or control characters */ + for (cp = field; '\0' != *cp; cp++) { + if (!isprint (*cp)) { + err = 1; ++ } ++ if (!iscntrl (*cp)) { ++ err = -1; + break; + } + } +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc index 5106b95571..3c1dd2f98e 100644 --- a/poky/meta/recipes-extended/shadow/shadow.inc +++ b/poky/meta/recipes-extended/shadow/shadow.inc @@ -16,6 +16,8 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP} ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ file://shadow-relaxed-usernames.patch \ file://useradd \ + file://CVE-2023-29383.patch \ + file://0001-Overhaul-valid_field.patch \ " SRC_URI:append:class-target = " \ diff --git a/poky/meta/recipes-extended/shadow/shadow_4.11.1.bb b/poky/meta/recipes-extended/shadow/shadow_4.11.1.bb index 40b11345c9..d1a3fd5593 100644 --- a/poky/meta/recipes-extended/shadow/shadow_4.11.1.bb +++ b/poky/meta/recipes-extended/shadow/shadow_4.11.1.bb @@ -9,3 +9,6 @@ BBCLASSEXTEND = "native nativesdk" # Severity is low and marked as closed and won't fix. # https://bugzilla.redhat.com/show_bug.cgi?id=884658 CVE_CHECK_IGNORE += "CVE-2013-4235" + +# This is an issue for a different shadow +CVE_CHECK_IGNORE += "CVE-2016-15024" diff --git a/poky/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch b/poky/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch index f4fc376bb8..041c717e00 100644 --- a/poky/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch +++ b/poky/meta/recipes-extended/sudo/files/0001-sudo.conf.in-fix-conflict-with-multilib.patch @@ -1,4 +1,7 @@ -sudo.conf.in: fix conflict with multilib +From 6e835350b7413210c410d3578cfab804186b7a4f Mon Sep 17 00:00:00 2001 +From: Kai Kang <kai.kang@windriver.com> +Date: Tue, 17 Nov 2020 11:13:40 +0800 +Subject: [PATCH] sudo.conf.in: fix conflict with multilib When pass ${libdir} to --libexecdir of sudo, it fails to install sudo and lib32-sudo at same time: @@ -12,12 +15,13 @@ Update the comments in sudo.conf.in to avoid the conflict. Signed-off-by: Kai Kang <kai.kang@windriver.com> Upstream-Status: Inappropriate [OE configuration specific] + --- examples/sudo.conf.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/sudo.conf.in b/examples/sudo.conf.in -index 6535d3a..50afc8f 100644 +index 2187457..0908d24 100644 --- a/examples/sudo.conf.in +++ b/examples/sudo.conf.in @@ -4,7 +4,7 @@ @@ -33,8 +37,8 @@ index 6535d3a..50afc8f 100644 # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. # --#Path intercept @plugindir@/sudo_intercept.so -+#Path intercept $plugindir/sudo_intercept.so +-#Path intercept @intercept_file@ ++#Path intercept $intercept_file # # Sudo noexec: @@ -42,8 +46,8 @@ index 6535d3a..50afc8f 100644 # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_noexec.so file. # --#Path noexec @plugindir@/sudo_noexec.so -+#Path noexec $plugindir/sudo_noexec.so +-#Path noexec @noexec_file@ ++#Path noexec $noexec_file # # Sudo plugin directory: @@ -55,7 +59,4 @@ index 6535d3a..50afc8f 100644 +#Path plugin_dir $plugindir # - # Sudo developer mode: --- -2.17.1 - + # Core dumps: diff --git a/poky/meta/recipes-extended/sudo/sudo.inc b/poky/meta/recipes-extended/sudo/sudo.inc index 8947c46129..f22b3eab99 100644 --- a/poky/meta/recipes-extended/sudo/sudo.inc +++ b/poky/meta/recipes-extended/sudo/sudo.inc @@ -4,7 +4,7 @@ HOMEPAGE = "http://www.sudo.ws" BUGTRACKER = "http://www.sudo.ws/bugs/" SECTION = "admin" LICENSE = "ISC & BSD-3-Clause & BSD-2-Clause & Zlib" -LIC_FILES_CHKSUM = "file://LICENSE.md;md5=16cf60b466f3a0606427a7b624a3a670 \ +LIC_FILES_CHKSUM = "file://LICENSE.md;md5=5100e20d35f9015f9eef6bdb27ba194f \ file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=03e35317699ba00b496251e0dfe9f109 \ file://lib/util/reallocarray.c;beginline=3;endline=15;md5=397dd45c7683e90b9f8bf24638cf03bf \ file://lib/util/fnmatch.c;beginline=3;endline=27;md5=004d7d2866ba1f5b41174906849d2e0f \ diff --git a/poky/meta/recipes-extended/sudo/sudo_1.9.10.bb b/poky/meta/recipes-extended/sudo/sudo_1.9.13p3.bb index aa0d814ed7..2e11739470 100644 --- a/poky/meta/recipes-extended/sudo/sudo_1.9.10.bb +++ b/poky/meta/recipes-extended/sudo/sudo_1.9.13p3.bb @@ -8,7 +8,7 @@ SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \ PAM_SRC_URI = "file://sudo.pam" -SRC_URI[sha256sum] = "44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4" +SRC_URI[sha256sum] = "92334a12bb93e0c056b09f53e255ccb7d6f67c6350e2813cd9593ceeca78560b" DEPENDS += " virtual/crypt ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" RDEPENDS:${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}" diff --git a/poky/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch b/poky/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch new file mode 100644 index 0000000000..dce7b0d61f --- /dev/null +++ b/poky/meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch @@ -0,0 +1,93 @@ +From 9c4eaf150662ad40607923389d4519bc83b93540 Mon Sep 17 00:00:00 2001 +From: Sebastien <seb@fedora-2.home> +Date: Sat, 15 Oct 2022 14:24:22 +0200 +Subject: [PATCH] Fix size_t overflow in sa_common.c (GHSL-2022-074) + +allocate_structures function located in sa_common.c insufficiently +checks bounds before arithmetic multiplication allowing for an +overflow in the size allocated for the buffer representing system +activities. + +This patch checks that the post-multiplied value is not greater than +UINT_MAX. + +Signed-off-by: Sebastien <seb@fedora-2.home> + +Upstream-Status: Backport from +[https://github.com/sysstat/sysstat/commit/a953ee3307d51255cc96e1f211882e97f795eed9] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + common.c | 25 +++++++++++++++++++++++++ + common.h | 2 ++ + sa_common.c | 6 ++++++ + 3 files changed, 33 insertions(+) + +diff --git a/common.c b/common.c +index 81c7762..1a84b05 100644 +--- a/common.c ++++ b/common.c +@@ -1655,4 +1655,29 @@ int parse_values(char *strargv, unsigned char bitmap[], int max_val, const char + + return 0; + } ++ ++/* ++ *************************************************************************** ++ * Check if the multiplication of the 3 values may be greater than UINT_MAX. ++ * ++ * IN: ++ * @val1 First value. ++ * @val2 Second value. ++ * @val3 Third value. ++ *************************************************************************** ++ */ ++void check_overflow(size_t val1, size_t val2, size_t val3) ++{ ++ if ((unsigned long long) val1 * ++ (unsigned long long) val2 * ++ (unsigned long long) val3 > UINT_MAX) { ++#ifdef DEBUG ++ fprintf(stderr, "%s: Overflow detected (%llu). Aborting...\n", ++ __FUNCTION__, ++ (unsigned long long) val1 * (unsigned long long) val2 * (unsigned long long) val3); ++#endif ++ exit(4); ++ } ++} ++ + #endif /* SOURCE_SADC undefined */ +diff --git a/common.h b/common.h +index 55b6657..e8ab98a 100644 +--- a/common.h ++++ b/common.h +@@ -260,6 +260,8 @@ int check_dir + (char *); + + #ifndef SOURCE_SADC ++void check_overflow ++ (size_t, size_t, size_t); + int count_bits + (void *, int); + int count_csvalues +diff --git a/sa_common.c b/sa_common.c +index 3699a84..b2cec4a 100644 +--- a/sa_common.c ++++ b/sa_common.c +@@ -459,7 +459,13 @@ void allocate_structures(struct activity *act[]) + int i, j; + + for (i = 0; i < NR_ACT; i++) { ++ + if (act[i]->nr_ini > 0) { ++ ++ /* Look for a possible overflow */ ++ check_overflow((size_t) act[i]->msize, (size_t) act[i]->nr_ini, ++ (size_t) act[i]->nr2); ++ + for (j = 0; j < 3; j++) { + SREALLOC(act[i]->buf[j], void, + (size_t) act[i]->msize * (size_t) act[i]->nr_ini * (size_t) act[i]->nr2); +-- +2.34.1 + diff --git a/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb b/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb index fe3db4d8a5..3a3d1fb6ba 100644 --- a/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb +++ b/poky/meta/recipes-extended/sysstat/sysstat_12.4.5.bb @@ -2,6 +2,7 @@ require sysstat.inc LIC_FILES_CHKSUM = "file://COPYING;md5=a23a74b3f4caf9616230789d94217acb" -SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch" +SRC_URI += "file://0001-configure.in-remove-check-for-chkconfig.patch \ + file://CVE-2022-39377.patch" SRC_URI[sha256sum] = "ef445acea301bbb996e410842f6290a8d049e884d4868cfef7e85dc04b7eee5b" diff --git a/poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch b/poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch new file mode 100644 index 0000000000..b2f40f3e64 --- /dev/null +++ b/poky/meta/recipes-extended/tar/tar/CVE-2022-48303.patch @@ -0,0 +1,43 @@ +From 3da78400eafcccb97e2f2fd4b227ea40d794ede8 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sat, 11 Feb 2023 11:57:39 +0200 +Subject: Fix boundary checking in base-256 decoder + +* src/list.c (from_header): Base-256 encoding is at least 2 bytes +long. + +Upstream-Status: Backport [see reference below] +CVE: CVE-2022-48303 + +Reference to upstream patch: +https://savannah.gnu.org/bugs/?62387 +https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 + +Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + src/list.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-)Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> + + +(limited to 'src/list.c') + +diff --git a/src/list.c b/src/list.c +index 9fafc42..86bcfdd 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, + where++; + } + } +- else if (*where == '\200' /* positive base-256 */ +- || *where == '\377' /* negative base-256 */) ++ else if (where <= lim - 2 ++ && (*where == '\200' /* positive base-256 */ ++ || *where == '\377' /* negative base-256 */)) + { + /* Parse base-256 output. A nonnegative number N is + represented as (256**DIGS)/2 + N; a negative number -N is +-- +cgit v1.1 + diff --git a/poky/meta/recipes-extended/tar/tar_1.34.bb b/poky/meta/recipes-extended/tar/tar_1.34.bb index 7307cd57a2..1ef5fe221e 100644 --- a/poky/meta/recipes-extended/tar/tar_1.34.bb +++ b/poky/meta/recipes-extended/tar/tar_1.34.bb @@ -6,7 +6,9 @@ SECTION = "base" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" -SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2" +SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ + file://CVE-2022-48303.patch \ +" SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff" diff --git a/poky/meta/recipes-extended/timezone/timezone.inc b/poky/meta/recipes-extended/timezone/timezone.inc index d3c78e9157..eec7177228 100644 --- a/poky/meta/recipes-extended/timezone/timezone.inc +++ b/poky/meta/recipes-extended/timezone/timezone.inc @@ -6,14 +6,15 @@ SECTION = "base" LICENSE = "PD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2022d" +PV = "2022g" -SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ - http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ +SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \ + http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \ " -UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" +S = "${WORKDIR}/tz" -SRC_URI[tzcode.sha256sum] = "d644ba0f938899374ea8cb554e35fb4afa0f7bd7b716c61777cd00500b8759e0" -SRC_URI[tzdata.sha256sum] = "6ecdbee27fa43dcfa49f3d4fd8bb1dfef54c90da1abcd82c9abcf2dc4f321de0" +UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" +SRC_URI[tzcode.sha256sum] = "9610bb0b9656ff404c361a41f3286da53064b5469d84f00c9cb2314c8614da74" +SRC_URI[tzdata.sha256sum] = "4491db8281ae94a84d939e427bdd83dc389f26764d27d9a5c52d782c16764478" diff --git a/poky/meta/recipes-extended/timezone/tzcode-native.bb b/poky/meta/recipes-extended/timezone/tzcode-native.bb index e3582ba674..6d52b3c422 100644 --- a/poky/meta/recipes-extended/timezone/tzcode-native.bb +++ b/poky/meta/recipes-extended/timezone/tzcode-native.bb @@ -1,9 +1,8 @@ require timezone.inc -# SUMMARY = "tzcode, timezone zoneinfo utils -- zic, zdump, tzselect" -S = "${WORKDIR}" +SRC_URI += "file://0001-Fix-C23-related-conformance-bug.patch" inherit native diff --git a/poky/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch b/poky/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch new file mode 100644 index 0000000000..c91ef93e95 --- /dev/null +++ b/poky/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch @@ -0,0 +1,301 @@ +From 509c5974398952618abdd17f39117b88e3f50057 Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@cs.ucla.edu> +Date: Thu, 1 Dec 2022 10:28:04 -0800 +Subject: [PATCH] Fix C23-related conformance bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Problem reported by Houge Langley for ‘gcc -std=gnu99’ in: +https://bugs.gentoo.org/show_bug.cgi?id=883719 +* NEWS: Mention this. +* date.c, localtime.c, private.h, zdump.c, zic.c: +Use ATTRIBUTE_* at the start of function declarations, +not later (such as after the keyword ‘static’). +This is required for strict conformance to C23. + +Upstream-Status: Backport [https://github.com/eggert/tz/commit/9cfe9507fcc22cd4a0c4da486ea1c7f0de6b075f] + +NEWS change skipped to avoid conflicts. + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + date.c | 2 +- + localtime.c | 4 ++-- + private.h | 6 +++--- + zdump.c | 12 ++++++------ + zic.c | 34 +++++++++++++++++----------------- + 5 files changed, 29 insertions(+), 29 deletions(-) + +diff --git a/date.c b/date.c +index 11c5e5fe..97df6ab0 100644 +--- a/date.c ++++ b/date.c +@@ -42,7 +42,7 @@ static void display(const char *, time_t); + static void dogmt(void); + static void errensure(void); + static void timeout(FILE *, const char *, const struct tm *); +-static ATTRIBUTE_NORETURN void usage(void); ++ATTRIBUTE_NORETURN static void usage(void); + + int + main(const int argc, char *argv[]) +diff --git a/localtime.c b/localtime.c +index 1d22d351..3bf1b911 100644 +--- a/localtime.c ++++ b/localtime.c +@@ -838,7 +838,7 @@ is_digit(char c) + ** Return a pointer to that character. + */ + +-static ATTRIBUTE_REPRODUCIBLE const char * ++ATTRIBUTE_REPRODUCIBLE static const char * + getzname(register const char *strp) + { + register char c; +@@ -859,7 +859,7 @@ getzname(register const char *strp) + ** We don't do any checking here; checking is done later in common-case code. + */ + +-static ATTRIBUTE_REPRODUCIBLE const char * ++ATTRIBUTE_REPRODUCIBLE static const char * + getqzname(register const char *strp, const int delim) + { + register int c; +diff --git a/private.h b/private.h +index 7a73eff7..ae522986 100644 +--- a/private.h ++++ b/private.h +@@ -628,7 +628,7 @@ char *asctime(struct tm const *); + char *asctime_r(struct tm const *restrict, char *restrict); + char *ctime(time_t const *); + char *ctime_r(time_t const *, char *); +-double difftime(time_t, time_t) ATTRIBUTE_UNSEQUENCED; ++ATTRIBUTE_UNSEQUENCED double difftime(time_t, time_t); + size_t strftime(char *restrict, size_t, char const *restrict, + struct tm const *restrict); + # if HAVE_STRFTIME_L +@@ -740,10 +740,10 @@ timezone_t tzalloc(char const *); + void tzfree(timezone_t); + # ifdef STD_INSPIRED + # if TZ_TIME_T || !defined posix2time_z +-time_t posix2time_z(timezone_t, time_t) ATTRIBUTE_REPRODUCIBLE; ++ATTRIBUTE_REPRODUCIBLE time_t posix2time_z(timezone_t, time_t); + # endif + # if TZ_TIME_T || !defined time2posix_z +-time_t time2posix_z(timezone_t, time_t) ATTRIBUTE_REPRODUCIBLE; ++ATTRIBUTE_REPRODUCIBLE time_t time2posix_z(timezone_t, time_t); + # endif + # endif + #endif +diff --git a/zdump.c b/zdump.c +index 7acb3e2d..3e482ba3 100644 +--- a/zdump.c ++++ b/zdump.c +@@ -89,7 +89,7 @@ static bool warned; + static bool errout; + + static char const *abbr(struct tm const *); +-static intmax_t delta(struct tm *, struct tm *) ATTRIBUTE_REPRODUCIBLE; ++ATTRIBUTE_REPRODUCIBLE static intmax_t delta(struct tm *, struct tm *); + static void dumptime(struct tm const *); + static time_t hunt(timezone_t, time_t, time_t, bool); + static void show(timezone_t, char *, time_t, bool); +@@ -97,7 +97,7 @@ static void showextrema(timezone_t, char *, time_t, struct tm *, time_t); + static void showtrans(char const *, struct tm const *, time_t, char const *, + char const *); + static const char *tformat(void); +-static time_t yeartot(intmax_t) ATTRIBUTE_REPRODUCIBLE; ++ATTRIBUTE_REPRODUCIBLE static time_t yeartot(intmax_t); + + /* Is C an ASCII digit? */ + static bool +@@ -125,7 +125,7 @@ is_alpha(char a) + } + } + +-static ATTRIBUTE_NORETURN void ++ATTRIBUTE_NORETURN static void + size_overflow(void) + { + fprintf(stderr, _("%s: size overflow\n"), progname); +@@ -134,7 +134,7 @@ size_overflow(void) + + /* Return A + B, exiting if the result would overflow either ptrdiff_t + or size_t. */ +-static ATTRIBUTE_REPRODUCIBLE ptrdiff_t ++ATTRIBUTE_REPRODUCIBLE static ptrdiff_t + sumsize(size_t a, size_t b) + { + #ifdef ckd_add +@@ -151,7 +151,7 @@ sumsize(size_t a, size_t b) + + /* Return a pointer to a newly allocated buffer of size SIZE, exiting + on failure. SIZE should be nonzero. */ +-static void * ATTRIBUTE_MALLOC ++ATTRIBUTE_MALLOC static void * + xmalloc(size_t size) + { + void *p = malloc(size); +@@ -920,7 +920,7 @@ showextrema(timezone_t tz, char *zone, time_t lo, struct tm *lotmp, time_t hi) + # include <stdarg.h> + + /* A substitute for snprintf that is good enough for zdump. */ +-static int ATTRIBUTE_FORMAT((printf, 3, 4)) ++ATTRIBUTE_FORMAT((printf, 3, 4)) static int + my_snprintf(char *s, size_t size, char const *format, ...) + { + int n; +diff --git a/zic.c b/zic.c +index 892414af..f143fcef 100644 +--- a/zic.c ++++ b/zic.c +@@ -459,20 +459,20 @@ static char roll[TZ_MAX_LEAPS]; + ** Memory allocation. + */ + +-static ATTRIBUTE_NORETURN void ++ATTRIBUTE_NORETURN static void + memory_exhausted(const char *msg) + { + fprintf(stderr, _("%s: Memory exhausted: %s\n"), progname, msg); + exit(EXIT_FAILURE); + } + +-static ATTRIBUTE_NORETURN void ++ATTRIBUTE_NORETURN static void + size_overflow(void) + { + memory_exhausted(_("size overflow")); + } + +-static ATTRIBUTE_REPRODUCIBLE ptrdiff_t ++ATTRIBUTE_REPRODUCIBLE static ptrdiff_t + size_sum(size_t a, size_t b) + { + #ifdef ckd_add +@@ -487,7 +487,7 @@ size_sum(size_t a, size_t b) + size_overflow(); + } + +-static ATTRIBUTE_REPRODUCIBLE ptrdiff_t ++ATTRIBUTE_REPRODUCIBLE static ptrdiff_t + size_product(ptrdiff_t nitems, ptrdiff_t itemsize) + { + #ifdef ckd_mul +@@ -502,7 +502,7 @@ size_product(ptrdiff_t nitems, ptrdiff_t itemsize) + size_overflow(); + } + +-static ATTRIBUTE_REPRODUCIBLE ptrdiff_t ++ATTRIBUTE_REPRODUCIBLE static ptrdiff_t + align_to(ptrdiff_t size, ptrdiff_t alignment) + { + ptrdiff_t lo_bits = alignment - 1, sum = size_sum(size, lo_bits); +@@ -526,7 +526,7 @@ memcheck(void *ptr) + return ptr; + } + +-static void * ATTRIBUTE_MALLOC ++ATTRIBUTE_MALLOC static void * + emalloc(size_t size) + { + return memcheck(malloc(size)); +@@ -538,7 +538,7 @@ erealloc(void *ptr, size_t size) + return memcheck(realloc(ptr, size)); + } + +-static char * ATTRIBUTE_MALLOC ++ATTRIBUTE_MALLOC static char * + estrdup(char const *str) + { + return memcheck(strdup(str)); +@@ -608,7 +608,7 @@ eat(int fnum, lineno num) + eats(fnum, num, 0, -1); + } + +-static void ATTRIBUTE_FORMAT((printf, 1, 0)) ++ATTRIBUTE_FORMAT((printf, 1, 0)) static void + verror(const char *const string, va_list args) + { + /* +@@ -626,7 +626,7 @@ verror(const char *const string, va_list args) + fprintf(stderr, "\n"); + } + +-static void ATTRIBUTE_FORMAT((printf, 1, 2)) ++ATTRIBUTE_FORMAT((printf, 1, 2)) static void + error(const char *const string, ...) + { + va_list args; +@@ -636,7 +636,7 @@ error(const char *const string, ...) + errors = true; + } + +-static void ATTRIBUTE_FORMAT((printf, 1, 2)) ++ATTRIBUTE_FORMAT((printf, 1, 2)) static void + warning(const char *const string, ...) + { + va_list args; +@@ -666,7 +666,7 @@ close_file(FILE *stream, char const *dir, char const *name, + } + } + +-static ATTRIBUTE_NORETURN void ++ATTRIBUTE_NORETURN static void + usage(FILE *stream, int status) + { + fprintf(stream, +@@ -3597,7 +3597,7 @@ lowerit(char a) + } + + /* case-insensitive equality */ +-static ATTRIBUTE_REPRODUCIBLE bool ++ATTRIBUTE_REPRODUCIBLE static bool + ciequal(register const char *ap, register const char *bp) + { + while (lowerit(*ap) == lowerit(*bp++)) +@@ -3606,7 +3606,7 @@ ciequal(register const char *ap, register const char *bp) + return false; + } + +-static ATTRIBUTE_REPRODUCIBLE bool ++ATTRIBUTE_REPRODUCIBLE static bool + itsabbr(register const char *abbr, register const char *word) + { + if (lowerit(*abbr) != lowerit(*word)) +@@ -3622,7 +3622,7 @@ itsabbr(register const char *abbr, register const char *word) + + /* Return true if ABBR is an initial prefix of WORD, ignoring ASCII case. */ + +-static ATTRIBUTE_REPRODUCIBLE bool ++ATTRIBUTE_REPRODUCIBLE static bool + ciprefix(char const *abbr, char const *word) + { + do +@@ -3725,14 +3725,14 @@ getfields(char *cp, char **array, int arrayelts) + return nsubs; + } + +-static ATTRIBUTE_NORETURN void ++ATTRIBUTE_NORETURN static void + time_overflow(void) + { + error(_("time overflow")); + exit(EXIT_FAILURE); + } + +-static ATTRIBUTE_REPRODUCIBLE zic_t ++ATTRIBUTE_REPRODUCIBLE static zic_t + oadd(zic_t t1, zic_t t2) + { + #ifdef ckd_add +@@ -3746,7 +3746,7 @@ oadd(zic_t t1, zic_t t2) + time_overflow(); + } + +-static ATTRIBUTE_REPRODUCIBLE zic_t ++ATTRIBUTE_REPRODUCIBLE static zic_t + tadd(zic_t t1, zic_t t2) + { + #ifdef ckd_add diff --git a/poky/meta/recipes-extended/timezone/tzdata.bb b/poky/meta/recipes-extended/timezone/tzdata.bb index 7f4322d867..dd1960ffa7 100644 --- a/poky/meta/recipes-extended/timezone/tzdata.bb +++ b/poky/meta/recipes-extended/timezone/tzdata.bb @@ -4,8 +4,6 @@ DEPENDS = "tzcode-native" inherit allarch -S = "${WORKDIR}" - DEFAULT_TIMEZONE ?= "Universal" INSTALL_TIMEZONE_FILE ?= "1" @@ -18,17 +16,21 @@ TZONES = " \ # "fat" is needed by e.g. MariaDB's mysql_tzinfo_to_sql ZIC_FMT ?= "slim" +do_configure[cleandirs] = "${B}" +B = "${WORKDIR}/build" + do_compile() { for zone in ${TZONES}; do - ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo -L /dev/null ${S}/${zone} - ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/posix -L /dev/null ${S}/${zone} - ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${WORKDIR}${datadir}/zoneinfo/right -L ${S}/leapseconds ${S}/${zone} + ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${B}/zoneinfo -L /dev/null ${S}/${zone} + ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${B}/zoneinfo/posix -L /dev/null ${S}/${zone} + ${STAGING_BINDIR_NATIVE}/zic -b ${ZIC_FMT} -d ${B}/zoneinfo/right -L ${S}/leapseconds ${S}/${zone} done } do_install() { - install -d ${D}$exec_prefix ${D}${datadir}/zoneinfo - cp -pPR ${WORKDIR}$exec_prefix ${D}${base_prefix} + install -d ${D}${datadir}/zoneinfo + cp -pPR ${B}/zoneinfo/* ${D}${datadir}/zoneinfo + # libc is removing zoneinfo files from package cp -pP "${S}/zone.tab" ${D}${datadir}/zoneinfo cp -pP "${S}/zone1970.tab" ${D}${datadir}/zoneinfo diff --git a/poky/meta/recipes-gnome/epiphany/epiphany_42.4.bb b/poky/meta/recipes-gnome/epiphany/epiphany_42.4.bb index 9efd2800da..98923a3bdc 100644 --- a/poky/meta/recipes-gnome/epiphany/epiphany_42.4.bb +++ b/poky/meta/recipes-gnome/epiphany/epiphany_42.4.bb @@ -27,6 +27,7 @@ SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@oe.utils.trim_version("${PV}", 1)}/${GN file://0002-help-meson.build-disable-the-use-of-yelp.patch \ file://migrator.patch \ file://distributor.patch \ + file://CVE-2023-26081.patch \ " SRC_URI[archive.sha256sum] = "370938ad2920eeb28bc2435944776b7ba55a0e2ede65836f79818cfb7e8f0860" diff --git a/poky/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch b/poky/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch new file mode 100644 index 0000000000..af1e20bd8f --- /dev/null +++ b/poky/meta/recipes-gnome/epiphany/files/CVE-2023-26081.patch @@ -0,0 +1,90 @@ +From 53363c3c8178bf9193dad9fa3516f4e10cff0ffd Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@redhat.com> +Date: Fri, 3 Feb 2023 13:07:15 -0600 +Subject: [PATCH] Don't autofill passwords in sandboxed contexts + +If using the sandbox CSP or iframe tag, the web content is supposed to +be not trusted by the main resource origin. Therefore, we'd better +disable the password manager entirely so the untrusted web content +cannot exfiltrate passwords. + +https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x + +Part-of: <https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275> + +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd] +CVE: CVE-2023-26081 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + .../resources/js/ephy.js | 26 +++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/embed/web-process-extension/resources/js/ephy.js b/embed/web-process-extension/resources/js/ephy.js +index 38b806f..44d1792 100644 +--- a/embed/web-process-extension/resources/js/ephy.js ++++ b/embed/web-process-extension/resources/js/ephy.js +@@ -352,6 +352,12 @@ Ephy.hasModifiedForms = function() + } + }; + ++Ephy.isSandboxedWebContent = function() ++{ ++ // https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x ++ return self.origin === null || self.origin === 'null'; ++}; ++ + Ephy.PasswordManager = class PasswordManager + { + constructor(pageID, frameID) +@@ -385,6 +391,11 @@ Ephy.PasswordManager = class PasswordManager + + query(origin, targetOrigin, username, usernameField, passwordField) + { ++ if (Ephy.isSandboxedWebContent()) { ++ Ephy.log(`Not querying passwords for origin=${origin} because web content is sandboxed`); ++ return Promise.resolve(null); ++ } ++ + Ephy.log(`Querying passwords for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}`); + + return new Promise((resolver, reject) => { +@@ -396,6 +407,11 @@ Ephy.PasswordManager = class PasswordManager + + save(origin, targetOrigin, username, password, usernameField, passwordField, isNew) + { ++ if (Ephy.isSandboxedWebContent()) { ++ Ephy.log(`Not saving password for origin=${origin} because web content is sandboxed`); ++ return; ++ } ++ + Ephy.log(`Saving password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); + + window.webkit.messageHandlers.passwordManagerSave.postMessage({ +@@ -407,6 +423,11 @@ Ephy.PasswordManager = class PasswordManager + // FIXME: Why is pageID a parameter here? + requestSave(origin, targetOrigin, username, password, usernameField, passwordField, isNew, pageID) + { ++ if (Ephy.isSandboxedWebContent()) { ++ Ephy.log(`Not requesting to save password for origin=${origin} because web content is sandboxed`); ++ return; ++ } ++ + Ephy.log(`Requesting to save password for origin=${origin}, targetOrigin=${targetOrigin}, username=${username}, usernameField=${usernameField}, passwordField=${passwordField}, isNew=${isNew}`); + + window.webkit.messageHandlers.passwordManagerRequestSave.postMessage({ +@@ -426,6 +447,11 @@ Ephy.PasswordManager = class PasswordManager + + queryUsernames(origin) + { ++ if (Ephy.isSandboxedWebContent()) { ++ Ephy.log(`Not querying usernames for origin=${origin} because web content is sandboxed`); ++ return Promise.resolve(null); ++ } ++ + Ephy.log(`Requesting usernames for origin=${origin}`); + + return new Promise((resolver, reject) => { +-- +2.35.5 + diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-Add-use_prebuilt_tools-option.patch b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-Add-use_prebuilt_tools-option.patch deleted file mode 100644 index 02cc9a2a70..0000000000 --- a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-Add-use_prebuilt_tools-option.patch +++ /dev/null @@ -1,173 +0,0 @@ -From f81b60ebcbbfd9548c8aa1e388662c429068d1e3 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Sat, 8 May 2021 21:58:54 +0200 -Subject: [PATCH] Add use_prebuilt_tools option - -This allows using the gdk-pixbuf tools from the host to -build and install tests in a cross-compile scenarion. - -Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/119] -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> - ---- - gdk-pixbuf/meson.build | 11 +++++++++-- - meson.build | 6 +++--- - meson_options.txt | 4 ++++ - tests/meson.build | 16 ++++++++-------- - thumbnailer/meson.build | 24 ++++++++++++++++++------ - 5 files changed, 42 insertions(+), 19 deletions(-) - -diff --git a/gdk-pixbuf/meson.build b/gdk-pixbuf/meson.build -index 54ff9dd..2e321cf 100644 ---- a/gdk-pixbuf/meson.build -+++ b/gdk-pixbuf/meson.build -@@ -342,13 +342,20 @@ foreach bin: gdkpixbuf_bin - include_directories: [ root_inc, gdk_pixbuf_inc ], - c_args: common_cflags + gdk_pixbuf_cflags, - install: true) -- meson.override_find_program(bin_name, bin) -+ if not get_option('use_prebuilt_tools') -+ meson.override_find_program(bin_name, bin) -+ endif - - # Used in tests - set_variable(bin_name.underscorify(), bin) - endforeach - --if not meson.is_cross_build() -+if get_option('use_prebuilt_tools') -+ gdk_pixbuf_query_loaders = find_program('gdk-pixbuf-query-loaders', required: true) -+ gdk_pixbuf_pixdata = find_program('gdk-pixbuf-pixdata', required: true) -+endif -+ -+if not meson.is_cross_build() or get_option('use_prebuilt_tools') - # The 'loaders.cache' used for testing, so we don't accidentally - # load the installed cache; we always build it by default - loaders_cache = custom_target('loaders.cache', -diff --git a/meson.build b/meson.build -index 813bd43..a93e6f7 100644 ---- a/meson.build -+++ b/meson.build -@@ -369,18 +369,18 @@ subdir('gdk-pixbuf') - # i18n - subdir('po') - --if not meson.is_cross_build() -+if not meson.is_cross_build() or get_option('use_prebuilt_tools') - if get_option('tests') - subdir('tests') - endif -- subdir('thumbnailer') - endif -+subdir('thumbnailer') - - # Documentation - build_docs = get_option('gtk_doc') or get_option('docs') - subdir('docs') - --if not meson.is_cross_build() -+if not meson.is_cross_build() or get_option('use_prebuilt_tools') - meson.add_install_script('build-aux/post-install.py', - gdk_pixbuf_bindir, - gdk_pixbuf_libdir, -diff --git a/meson_options.txt b/meson_options.txt -index d198d99..1c899e9 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -53,4 +53,8 @@ option('gio_sniffing', - description: 'Perform file type detection using GIO (Unused on MacOS and Windows)', - type: 'boolean', - value: true) -+option('use_prebuilt_tools', -+ description: 'Use prebuilt gdk-pixbuf tools from the host for cross-compilation', -+ type: 'boolean', -+ value: false) - -diff --git a/tests/meson.build b/tests/meson.build -index 28c2525..d97c02d 100644 ---- a/tests/meson.build -+++ b/tests/meson.build -@@ -5,6 +5,12 @@ - # $PATH. Ideally we should use gnome.compile_resources() and let Meson deal with - # this problem: See https://github.com/mesonbuild/meson/issues/8266. - if enabled_loaders.contains('png') and host_system != 'windows' -+ -+ resources_deps = [loaders_cache,] -+ if not get_option('use_prebuilt_tools') -+ resources_deps += [gdk_pixbuf_pixdata,] -+ endif -+ - # Resources; we cannot use gnome.compile_resources() here, because we need to - # override the environment in order to use the utilities we just built instead - # of the system ones -@@ -21,10 +27,7 @@ if enabled_loaders.contains('png') and host_system != 'windows' - '@INPUT@', - '@OUTPUT@', - ], -- depends: [ -- gdk_pixbuf_pixdata, -- loaders_cache, -- ], -+ depends: resources_deps, - ) - - resources_h = custom_target('resources.h', -@@ -40,10 +43,7 @@ if enabled_loaders.contains('png') and host_system != 'windows' - '@INPUT@', - '@OUTPUT@', - ], -- depends: [ -- gdk_pixbuf_pixdata, -- loaders_cache, -- ], -+ depends: resources_deps, - ) - no_resources = false - else -diff --git a/thumbnailer/meson.build b/thumbnailer/meson.build -index b6a206d..9336c21 100644 ---- a/thumbnailer/meson.build -+++ b/thumbnailer/meson.build -@@ -6,13 +6,29 @@ bin = executable('gdk-pixbuf-thumbnailer', - ], - dependencies: gdk_pixbuf_deps + [ gdkpixbuf_dep ], - install: true) --meson.override_find_program('gdk-pixbuf-thumbnailer', bin) -+if not get_option('use_prebuilt_tools') -+ meson.override_find_program('gdk-pixbuf-thumbnailer', bin) -+endif - - gdk_pixbuf_print_mime_types = executable('gdk-pixbuf-print-mime-types', - 'gdk-pixbuf-print-mime-types.c', -+ install: true, - c_args: common_cflags, - dependencies: gdk_pixbuf_deps + [ gdkpixbuf_dep ]) - -+if get_option('use_prebuilt_tools') -+ gdk_pixbuf_print_mime_types = find_program('gdk-pixbuf-print-mime-types', required: true) -+endif -+ -+thumbnailer_deps = [loaders_cache,] -+ -+if not get_option('use_prebuilt_tools') -+ thumbnailer_deps += [ -+ gdk_pixbuf_print_mime_types, -+ gdk_pixbuf_pixdata, -+ ] -+endif -+ - custom_target('thumbnailer', - input: 'gdk-pixbuf-thumbnailer.thumbnailer.in', - output: 'gdk-pixbuf-thumbnailer.thumbnailer', -@@ -25,10 +41,6 @@ custom_target('thumbnailer', - '@INPUT@', - '@OUTPUT@', - ], -- depends: [ -- gdk_pixbuf_print_mime_types, -- gdk_pixbuf_pixdata, -- loaders_cache, -- ], -+ depends: thumbnailer_deps, - install: true, - install_dir: join_paths(gdk_pixbuf_datadir, 'thumbnailers')) diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch new file mode 100644 index 0000000000..7250fa3f62 --- /dev/null +++ b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch @@ -0,0 +1,66 @@ +From 9d3b374e75692da3d1d05344a1693c85a3098f47 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Thu, 26 Jan 2023 20:29:46 +0100 +Subject: [PATCH] meson.build: allow (a subset of) tests in cross compile + settings + +There is no need to completely disable tests: most of them +do not require running target executables at build time, +and so can be built and installed. + +This requires inserting a couple of specific guards around +items that do require running target executables. + +Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/150] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + meson.build | 6 +++--- + tests/meson.build | 10 ++++++---- + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/meson.build b/meson.build +index 8a16c8f..7c8b20f 100644 +--- a/meson.build ++++ b/meson.build +@@ -369,10 +369,10 @@ subdir('gdk-pixbuf') + # i18n + subdir('po') + ++if get_option('tests') ++ subdir('tests') ++endif + if not meson.is_cross_build() +- if get_option('tests') +- subdir('tests') +- endif + subdir('thumbnailer') + endif + +diff --git a/tests/meson.build b/tests/meson.build +index 28c2525..c45e765 100644 +--- a/tests/meson.build ++++ b/tests/meson.build +@@ -4,7 +4,7 @@ + # gdk-pixbuf-pixdata from build directory because it needs all DLL locations in + # $PATH. Ideally we should use gnome.compile_resources() and let Meson deal with + # this problem: See https://github.com/mesonbuild/meson/issues/8266. +-if enabled_loaders.contains('png') and host_system != 'windows' ++if enabled_loaders.contains('png') and host_system != 'windows' and not meson.is_cross_build() + # Resources; we cannot use gnome.compile_resources() here, because we need to + # override the environment in order to use the utilities we just built instead + # of the system ones +@@ -166,9 +166,11 @@ endif + test_deps = gdk_pixbuf_deps + [ gdkpixbuf_dep, ] + test_args = [ '-k' ] + test_env = environment() +-test_env.set('G_TEST_SRCDIR', meson.current_source_dir()) +-test_env.set('G_TEST_BUILDDIR', meson.current_build_dir()) +-test_env.set('GDK_PIXBUF_MODULE_FILE', loaders_cache.full_path()) ++if not meson.is_cross_build() ++ test_env.set('G_TEST_SRCDIR', meson.current_source_dir()) ++ test_env.set('G_TEST_BUILDDIR', meson.current_build_dir()) ++ test_env.set('GDK_PIXBUF_MODULE_FILE', loaders_cache.full_path()) ++endif + + foreach test_name, test_data: installed_tests + test_sources = [ test_name + '.c', 'test-common.c' ] diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.9.bb b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb index d33718e3ea..cca89a9059 100644 --- a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.9.bb +++ b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.10.bb @@ -12,18 +12,17 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SECTION = "libs" -DEPENDS = "glib-2.0 gdk-pixbuf-native shared-mime-info" -DEPENDS:remove:class-native = "gdk-pixbuf-native" +DEPENDS = "glib-2.0 shared-mime-info" MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://run-ptest \ file://fatal-loader.patch \ - file://0001-Add-use_prebuilt_tools-option.patch \ + file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \ " -SRC_URI[sha256sum] = "28f7958e7bf29a32d4e963556d241d0a41a6786582ff6a5ad11665e0347fc962" +SRC_URI[sha256sum] = "ee9b6c75d13ba096907a2e3c6b27b61bcd17f5c7ebeab5a5b439d2f2e39fe44b" inherit meson pkgconfig gettext pixbufcache ptest-gnome upstream-version-is-even gobject-introspection gi-docgen lib_package @@ -46,14 +45,6 @@ PACKAGECONFIG[tests] = "-Dinstalled_tests=true,-Dinstalled_tests=false" EXTRA_OEMESON = "-Dman=false" -EXTRA_OEMESON:append:class-target = " \ - -Duse_prebuilt_tools=true \ -" - -EXTRA_OEMESON:append:class-nativesdk = " \ - -Duse_prebuilt_tools=true \ -" - PACKAGES =+ "${PN}-xlib" # For GIO image type sniffing @@ -115,10 +106,6 @@ do_install:append:class-native() { XDG_DATA_DIRS=${STAGING_DATADIR} \ GDK_PIXBUF_MODULE_FILE=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/${LIBV}/loaders.cache - create_wrapper ${D}/${bindir}/gdk-pixbuf-print-mime-types \ - XDG_DATA_DIRS=${STAGING_DATADIR} \ - GDK_PIXBUF_MODULE_FILE=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/${LIBV}/loaders.cache - create_wrapper ${D}/${libdir}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders \ XDG_DATA_DIRS=${STAGING_DATADIR} \ GDK_PIXBUF_MODULE_FILE=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/${LIBV}/loaders.cache \ diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch index 5232cf70c6..a2dba6cb20 100644 --- a/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch +++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch @@ -1,19 +1,20 @@ -There is a potential infinite-loop in function _arc_error_normalized(). +There is an assertion in function _cairo_arc_in_direction(). CVE: CVE-2019-6461 Upstream-Status: Pending Signed-off-by: Ross Burton <ross.burton@intel.com> diff --git a/src/cairo-arc.c b/src/cairo-arc.c -index 390397bae..f9249dbeb 100644 +index 390397bae..1bde774a4 100644 --- a/src/cairo-arc.c +++ b/src/cairo-arc.c -@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) - do { - angle = M_PI / i++; - error = _arc_error_normalized (angle); -- } while (error > tolerance); -+ } while (error > tolerance && error > __DBL_EPSILON__); +@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; - return angle; - } +- assert (angle_max >= angle_min); ++ if (angle_max < angle_min) ++ return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch index 4e4598c5b5..7c3209291b 100644 --- a/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch +++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch @@ -1,20 +1,40 @@ -There is an assertion in function _cairo_arc_in_direction(). - CVE: CVE-2019-6462 -Upstream-Status: Pending -Signed-off-by: Ross Burton <ross.burton@intel.com> +Upstream-Status: Backport +Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> + +From ab2c5ee21e5f3d3ee4b3f67cfcd5811a4f99c3a0 Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <hlewin@gmx.de> +Date: Sun, 1 Aug 2021 11:16:03 +0000 +Subject: [PATCH] _arc_max_angle_for_tolerance_normalized: fix infinite loop + +--- + src/cairo-arc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/cairo-arc.c b/src/cairo-arc.c -index 390397bae..1bde774a4 100644 +index 390397bae..1c891d1a0 100644 --- a/src/cairo-arc.c +++ b/src/cairo-arc.c -@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, - if (cairo_status (cr)) - return; +@@ -90,16 +90,18 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + { M_PI / 11.0, 9.81410988043554039085e-09 }, + }; + int table_size = ARRAY_LENGTH (table); ++ const int max_segments = 1000; /* this value is chosen arbitrarily. this gives an error of about 1.74909e-20 */ -- assert (angle_max >= angle_min); -+ if (angle_max < angle_min) -+ return; + for (i = 0; i < table_size; i++) + if (table[i].error < tolerance) + return table[i].angle; - if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { - angle_max = fmod (angle_max - angle_min, 2 * M_PI); + ++i; ++ + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && i < max_segments); + + return angle; + } +-- +2.38.1 + diff --git a/poky/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/poky/meta/recipes-graphics/freetype/freetype_2.11.1.bb index 5b464d3d70..d425e162bc 100644 --- a/poky/meta/recipes-graphics/freetype/freetype_2.11.1.bb +++ b/poky/meta/recipes-graphics/freetype/freetype_2.11.1.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.TXT;md5=a5927784d823d443c6cae55701d01553 \ file://docs/FTL.TXT;md5=9f37b4e6afa3fef9dba8932b16bd3f97 \ file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec" -SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ +SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://CVE-2022-27404.patch \ file://CVE-2022-27405.patch \ file://CVE-2022-27406.patch \ diff --git a/poky/meta/recipes-graphics/glslang/glslang_1.3.204.1.bb b/poky/meta/recipes-graphics/glslang/glslang_1.3.204.1.bb index 2af406212f..ff08f251cd 100644 --- a/poky/meta/recipes-graphics/glslang/glslang_1.3.204.1.bb +++ b/poky/meta/recipes-graphics/glslang/glslang_1.3.204.1.bb @@ -9,7 +9,7 @@ LICENSE = "BSD-3-Clause & BSD-2-Clause & MIT & Apache-2.0 & GPL-3-with-bison-exc LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=2a2b5acd7bc4844964cfda45fe807dc3" SRCREV = "2742e959347ae2fac58acd0d022c92a0ff1f24bf" -SRC_URI = "git://github.com/KhronosGroup/glslang.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/KhronosGroup/glslang.git;protocol=https;branch=main \ file://0001-generate-glslang-pkg-config.patch" PE = "1" UPSTREAM_CHECK_GITTAGREGEX = "sdk-(?P<pver>\d+(\.\d+)+)" diff --git a/poky/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch b/poky/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch new file mode 100644 index 0000000000..6721b1bd70 --- /dev/null +++ b/poky/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193-pre1.patch @@ -0,0 +1,135 @@ +From b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <behdad@behdad.org> +Date: Mon, 6 Feb 2023 13:08:52 -0700 +Subject: [PATCH] [gsubgpos] Refactor skippy_iter.match() + +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/b29fbd16fa82b82bdf0dcb2f13a63f7dc23cf324] +Comment1: To backport the fix for CVE-2023-25193, add defination for MATCH, NOT_MATCH and SKIP. +Signed-off-by: Siddharth <sdoshi@mvista.com> +--- + src/hb-ot-layout-gsubgpos.hh | 94 +++++++++++++++++++++--------------- + 1 file changed, 54 insertions(+), 40 deletions(-) + +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index d9a068c..d17a4da 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -522,33 +522,52 @@ struct hb_ot_apply_context_t : + may_skip (const hb_glyph_info_t &info) const + { return matcher.may_skip (c, info); } + ++ enum match_t { ++ MATCH, ++ NOT_MATCH, ++ SKIP ++ }; ++ ++ match_t match (hb_glyph_info_t &info) ++ { ++ matcher_t::may_skip_t skip = matcher.may_skip (c, info); ++ if (unlikely (skip == matcher_t::SKIP_YES)) ++ return SKIP; ++ ++ matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); ++ if (match == matcher_t::MATCH_YES || ++ (match == matcher_t::MATCH_MAYBE && ++ skip == matcher_t::SKIP_NO)) ++ return MATCH; ++ ++ if (skip == matcher_t::SKIP_NO) ++ return NOT_MATCH; ++ ++ return SKIP; ++ } ++ + bool next (unsigned *unsafe_to = nullptr) + { + assert (num_items > 0); + while (idx + num_items < end) + { + idx++; +- const hb_glyph_info_t &info = c->buffer->info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +- continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +- num_items--; +- if (match_glyph_data) match_glyph_data++; +- return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ switch (match (c->buffer->info[idx])) + { +- if (unsafe_to) +- *unsafe_to = idx + 1; +- return false; ++ case MATCH: ++ { ++ num_items--; ++ if (match_glyph_data) match_glyph_data++; ++ return true; ++ } ++ case NOT_MATCH: ++ { ++ if (unsafe_to) ++ *unsafe_to = idx + 1; ++ return false; ++ } ++ case SKIP: ++ continue; + } + } + if (unsafe_to) +@@ -561,27 +580,22 @@ struct hb_ot_apply_context_t : + while (idx > num_items - 1) + { + idx--; +- const hb_glyph_info_t &info = c->buffer->out_info[idx]; +- +- matcher_t::may_skip_t skip = matcher.may_skip (c, info); +- if (unlikely (skip == matcher_t::SKIP_YES)) +- continue; +- +- matcher_t::may_match_t match = matcher.may_match (info, match_glyph_data); +- if (match == matcher_t::MATCH_YES || +- (match == matcher_t::MATCH_MAYBE && +- skip == matcher_t::SKIP_NO)) +- { +- num_items--; +- if (match_glyph_data) match_glyph_data++; +- return true; +- } +- +- if (skip == matcher_t::SKIP_NO) ++ switch (match (c->buffer->out_info[idx])) + { +- if (unsafe_from) +- *unsafe_from = hb_max (1u, idx) - 1u; +- return false; ++ case MATCH: ++ { ++ num_items--; ++ if (match_glyph_data) match_glyph_data++; ++ return true; ++ } ++ case NOT_MATCH: ++ { ++ if (unsafe_from) ++ *unsafe_from = hb_max (1u, idx) - 1u; ++ return false; ++ } ++ case SKIP: ++ continue; + } + } + if (unsafe_from) +-- +2.25.1 + diff --git a/poky/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/poky/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch new file mode 100644 index 0000000000..a1ec1422cc --- /dev/null +++ b/poky/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch @@ -0,0 +1,185 @@ +From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001 +From: Behdad Esfahbod <behdad@behdad.org> +Date: Mon, 6 Feb 2023 14:51:25 -0700 +Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment + +Upstream-Status: Backport from [https://github.com/harfbuzz/harfbuzz/commit/8708b9e081192786c027bb7f5f23d76dbe5c19e8] +Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc] causes regression and was reverted. This Patch completes the fix. +Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00 +CVE: CVE-2023-25193 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/hb-ot-layout-gpos-table.hh | 98 ++++++++++++++++++++++------------ + src/hb-ot-layout-gsubgpos.hh | 5 +- + 2 files changed, 68 insertions(+), 35 deletions(-) + +diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh +index 2f9186a..46b09d0 100644 +--- a/src/hb-ot-layout-gpos-table.hh ++++ b/src/hb-ot-layout-gpos-table.hh +@@ -2150,6 +2150,25 @@ struct MarkBasePosFormat1 + + const Coverage &get_coverage () const { return this+markCoverage; } + ++ static inline bool accept (hb_buffer_t *buffer, unsigned idx) ++ { ++ /* We only want to attach to the first of a MultipleSubst sequence. ++ * https://github.com/harfbuzz/harfbuzz/issues/740 ++ * Reject others... ++ * ...but stop if we find a mark in the MultipleSubst sequence: ++ * https://github.com/harfbuzz/harfbuzz/issues/1020 */ ++ return !_hb_glyph_info_multiplied (&buffer->info[idx]) || ++ 0 == _hb_glyph_info_get_lig_comp (&buffer->info[idx]) || ++ (idx == 0 || ++ _hb_glyph_info_is_mark (&buffer->info[idx - 1]) || ++ !_hb_glyph_info_multiplied (&buffer->info[idx - 1]) || ++ _hb_glyph_info_get_lig_id (&buffer->info[idx]) != ++ _hb_glyph_info_get_lig_id (&buffer->info[idx - 1]) || ++ _hb_glyph_info_get_lig_comp (&buffer->info[idx]) != ++ _hb_glyph_info_get_lig_comp (&buffer->info[idx - 1]) + 1 ++ ); ++ } ++ + bool apply (hb_ot_apply_context_t *c) const + { + TRACE_APPLY (this); +@@ -2157,47 +2176,46 @@ struct MarkBasePosFormat1 + unsigned int mark_index = (this+markCoverage).get_coverage (buffer->cur().codepoint); + if (likely (mark_index == NOT_COVERED)) return_trace (false); + +- /* Now we search backwards for a non-mark glyph */ ++ /* Now we search backwards for a non-mark glyph. ++ * We don't use skippy_iter.prev() to avoid O(n^2) behavior. */ ++ + hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input; +- skippy_iter.reset (buffer->idx, 1); + skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks); +- do { +- unsigned unsafe_from; +- if (!skippy_iter.prev (&unsafe_from)) ++ unsigned j; ++ for (j = buffer->idx; j > c->last_base_until; j--) ++ { ++ auto match = skippy_iter.match (buffer->info[j - 1]); ++ if (match == skippy_iter.MATCH) + { +- buffer->unsafe_to_concat_from_outbuffer (unsafe_from, buffer->idx + 1); +- return_trace (false); ++ if (!accept (buffer, j - 1)) ++ match = skippy_iter.SKIP; + } ++ if (match == skippy_iter.MATCH) ++ { ++ c->last_base = (signed) j - 1; ++ break; ++ } ++ } ++ c->last_base_until = buffer->idx; ++ if (c->last_base == -1) ++ { ++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1); ++ return_trace (false); ++ } + +- /* We only want to attach to the first of a MultipleSubst sequence. +- * https://github.com/harfbuzz/harfbuzz/issues/740 +- * Reject others... +- * ...but stop if we find a mark in the MultipleSubst sequence: +- * https://github.com/harfbuzz/harfbuzz/issues/1020 */ +- if (!_hb_glyph_info_multiplied (&buffer->info[skippy_iter.idx]) || +- 0 == _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) || +- (skippy_iter.idx == 0 || +- _hb_glyph_info_is_mark (&buffer->info[skippy_iter.idx - 1]) || +- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx]) != +- _hb_glyph_info_get_lig_id (&buffer->info[skippy_iter.idx - 1]) || +- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx]) != +- _hb_glyph_info_get_lig_comp (&buffer->info[skippy_iter.idx - 1]) + 1 +- )) +- break; +- skippy_iter.reject (); +- } while (true); ++ unsigned idx = (unsigned) c->last_base; + + /* Checking that matched glyph is actually a base glyph by GDEF is too strong; disabled */ +- //if (!_hb_glyph_info_is_base_glyph (&buffer->info[skippy_iter.idx])) { return_trace (false); } ++ //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); } + +- unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint); ++ unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint); + if (base_index == NOT_COVERED) + { +- buffer->unsafe_to_concat_from_outbuffer (skippy_iter.idx, buffer->idx + 1); ++ buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1); + return_trace (false); + } + +- return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, skippy_iter.idx)); ++ return_trace ((this+markArray).apply (c, mark_index, base_index, this+baseArray, classCount, idx)); + } + + bool subset (hb_subset_context_t *c) const +@@ -2423,20 +2441,32 @@ struct MarkLigPosFormat1 + if (likely (mark_index == NOT_COVERED)) return_trace (false); + + /* Now we search backwards for a non-mark glyph */ ++ + hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input; +- skippy_iter.reset (buffer->idx, 1); + skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks); +- unsigned unsafe_from; +- if (!skippy_iter.prev (&unsafe_from)) ++ ++ unsigned j; ++ for (j = buffer->idx; j > c->last_base_until; j--) + { +- buffer->unsafe_to_concat_from_outbuffer (unsafe_from, buffer->idx + 1); ++ auto match = skippy_iter.match (buffer->info[j - 1]); ++ if (match == skippy_iter.MATCH) ++ { ++ c->last_base = (signed) j - 1; ++ break; ++ } ++ } ++ c->last_base_until = buffer->idx; ++ if (c->last_base == -1) ++ { ++ buffer->unsafe_to_concat_from_outbuffer (0, buffer->idx + 1); + return_trace (false); + } + ++ j = (unsigned) c->last_base; ++ + /* Checking that matched glyph is actually a ligature by GDEF is too strong; disabled */ +- //if (!_hb_glyph_info_is_ligature (&buffer->info[skippy_iter.idx])) { return_trace (false); } ++ //if (!_hb_glyph_info_is_ligature (&buffer->info[j])) { return_trace (false); } + +- unsigned int j = skippy_iter.idx; + unsigned int lig_index = (this+ligatureCoverage).get_coverage (buffer->info[j].codepoint); + if (lig_index == NOT_COVERED) + { +diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh +index 65de131..d9a068c 100644 +--- a/src/hb-ot-layout-gsubgpos.hh ++++ b/src/hb-ot-layout-gsubgpos.hh +@@ -641,6 +641,9 @@ struct hb_ot_apply_context_t : + uint32_t random_state; + + ++ signed last_base = -1; // GPOS uses ++ unsigned last_base_until = 0; // GPOS uses ++ + hb_ot_apply_context_t (unsigned int table_index_, + hb_font_t *font_, + hb_buffer_t *buffer_) : +@@ -673,7 +676,7 @@ struct hb_ot_apply_context_t : + iter_context.init (this, true); + } + +- void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; init_iters (); } ++ void set_lookup_mask (hb_mask_t mask) { lookup_mask = mask; last_base = -1; last_base_until = 0; init_iters (); } + void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); } + void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); } + void set_random (bool random_) { random = random_; } +-- +2.25.1 + diff --git a/poky/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb b/poky/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb index b639c276db..f7dc61ebd5 100644 --- a/poky/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb +++ b/poky/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb @@ -13,7 +13,9 @@ UPSTREAM_CHECK_REGEX = "harfbuzz-(?P<pver>\d+(\.\d+)+).tar" SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.xz \ file://CVE-2022-33068.patch \ - file://0001-Fix-conditional.patch" + file://0001-Fix-conditional.patch \ + file://CVE-2023-25193-pre1.patch \ + file://CVE-2023-25193.patch" SRC_URI[sha256sum] = "98f68777272db6cd7a3d5152bac75083cd52a26176d87bc04c8b3929d33bce49" inherit meson pkgconfig lib_package gtk-doc gobject-introspection @@ -35,9 +37,9 @@ PACKAGES =+ "${PN}-icu ${PN}-icu-dev ${PN}-subset" LEAD_SONAME = "libharfbuzz.so" do_install:append() { - # If no tools are installed due to PACKAGECONFIG then this directory is - #still installed, so remove it to stop packaging wanings. - rmdir --ignore-fail-on-non-empty ${D}${bindir} + # If no tools are installed due to PACKAGECONFIG then this directory might + # still be installed, so remove it to stop packaging warnings. + [ ! -d ${D}${bindir} ] || rmdir --ignore-fail-on-non-empty ${D}${bindir} } FILES:${PN}-icu = "${libdir}/libharfbuzz-icu.so.*" diff --git a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.4.bb b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb index 1708fa97f0..e086830c02 100644 --- a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.4.bb +++ b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.5.1.bb @@ -14,7 +14,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \ file://0001-libjpeg-turbo-fix-package_qa-error.patch \ " -SRC_URI[sha256sum] = "d3ed26a1131a13686dfca4935e520eb7c90ae76fbc45d98bb50a8dc86230342b" +SRC_URI[sha256sum] = "2fdc3feb6e9deb17adec9bafa3321419aa19f8f4e5dea7bf8486844ca22207bf" UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/libjpeg-turbo/files/" UPSTREAM_CHECK_REGEX = "/libjpeg-turbo/files/(?P<pver>(\d+[\.\-_]*)+)/" diff --git a/poky/meta/recipes-graphics/libepoxy/files/0001-dispatch_common.h-define-also-EGL_NO_X11.patch b/poky/meta/recipes-graphics/libepoxy/files/0001-dispatch_common.h-define-also-EGL_NO_X11.patch deleted file mode 100644 index 971a3f54e0..0000000000 --- a/poky/meta/recipes-graphics/libepoxy/files/0001-dispatch_common.h-define-also-EGL_NO_X11.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 7211120d1e2f059d900f3379b9790484dbcf7761 Mon Sep 17 00:00:00 2001 -From: Martin Jansa <Martin.Jansa@gmail.com> -Date: Fri, 25 Oct 2019 11:09:34 +0000 -Subject: [PATCH] dispatch_common.h: define also EGL_NO_X11 - -MESA_EGL_NO_X11_HEADERS was renamed to EGL_NO_X11 in: -https://github.com/mesa3d/mesa/commit/6202a13b71e18dc31ba7e2f4ea915b67eacc1ddb - -Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> -Upstream-Status: Pending - ---- - src/dispatch_common.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/dispatch_common.h b/src/dispatch_common.h -index a136943..448c9b1 100644 ---- a/src/dispatch_common.h -+++ b/src/dispatch_common.h -@@ -55,6 +55,7 @@ - * as EGL_NO_X11 - */ - # define MESA_EGL_NO_X11_HEADERS 1 -+# define EGL_NO_X11 1 - # endif - #include "epoxy/egl.h" - #endif diff --git a/poky/meta/recipes-graphics/libepoxy/libepoxy_1.5.9.bb b/poky/meta/recipes-graphics/libepoxy/libepoxy_1.5.10.bb index 487fc00360..3e29935640 100644 --- a/poky/meta/recipes-graphics/libepoxy/libepoxy_1.5.9.bb +++ b/poky/meta/recipes-graphics/libepoxy/libepoxy_1.5.10.bb @@ -9,10 +9,9 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=58ef4c80d401e07bd9ee8b6b58cf464b" -SRC_URI = "https://github.com/anholt/${BPN}/releases/download/${PV}/${BP}.tar.xz \ - file://0001-dispatch_common.h-define-also-EGL_NO_X11.patch \ - " -SRC_URI[sha256sum] = "d168a19a6edfdd9977fef1308ccf516079856a4275cf876de688fb7927e365e4" +SRC_URI = "git://github.com/anholt/libepoxy;branch=master;protocol=https" +SRCREV = "c84bc9459357a40e46e2fec0408d04fbdde2c973" +S = "${WORKDIR}/git" UPSTREAM_CHECK_URI = "https://github.com/anholt/libepoxy/releases" inherit meson pkgconfig features_check diff --git a/poky/meta/recipes-graphics/libsdl2/libsdl2/0001-Fix-potential-memory-leak-in-GLES_CreateTextur.patch b/poky/meta/recipes-graphics/libsdl2/libsdl2/0001-Fix-potential-memory-leak-in-GLES_CreateTextur.patch new file mode 100644 index 0000000000..31bda54dd3 --- /dev/null +++ b/poky/meta/recipes-graphics/libsdl2/libsdl2/0001-Fix-potential-memory-leak-in-GLES_CreateTextur.patch @@ -0,0 +1,40 @@ +From 3cf2048b647484cc3a6abd0d78be60cead47b42d Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Fri, 24 Feb 2023 16:59:19 +0800 +Subject: [PATCH] Fix potential memory leak in GLES_CreateTextur + +CVE: CVE-2022-4743 +Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/00b67f55727bc0944c3266e2b875440da132ce4b] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/render/opengles/SDL_render_gles.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/render/opengles/SDL_render_gles.c b/src/render/opengles/SDL_render_gles.c +index a6b58f2..237b1d6 100644 +--- a/src/render/opengles/SDL_render_gles.c ++++ b/src/render/opengles/SDL_render_gles.c +@@ -368,6 +368,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture) + renderdata->glGenTextures(1, &data->texture); + result = renderdata->glGetError(); + if (result != GL_NO_ERROR) { ++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) { ++ SDL_free(data->pixels); ++ } + SDL_free(data); + return GLES_SetError("glGenTextures()", result); + } +@@ -396,6 +399,9 @@ GLES_CreateTexture(SDL_Renderer * renderer, SDL_Texture * texture) + + result = renderdata->glGetError(); + if (result != GL_NO_ERROR) { ++ if (texture->access == SDL_TEXTUREACCESS_STREAMING) { ++ SDL_free(data->pixels); ++ } + SDL_free(data); + return GLES_SetError("glTexImage2D()", result); + } +-- +2.25.1 + diff --git a/poky/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb b/poky/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb index c1c827af79..abcf232e25 100644 --- a/poky/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb +++ b/poky/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb @@ -24,6 +24,7 @@ PROVIDES = "virtual/libsdl2" SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \ file://optional-libunwind-generic.patch \ file://0001-sdlchecks.cmake-pass-cflags-to-the-appropriate-cmake.patch \ + file://0001-Fix-potential-memory-leak-in-GLES_CreateTextur.patch \ " SRC_URI:append:class-native = " file://0001-Disable-libunwind-in-native-OE-builds-by-not-looking.patch" diff --git a/poky/meta/recipes-graphics/spir/spirv-headers_1.3.204.1.bb b/poky/meta/recipes-graphics/spir/spirv-headers_1.3.204.1.bb index 72416b441f..9e4a695325 100644 --- a/poky/meta/recipes-graphics/spir/spirv-headers_1.3.204.1.bb +++ b/poky/meta/recipes-graphics/spir/spirv-headers_1.3.204.1.bb @@ -8,7 +8,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=c938b85bceb8fb26c1a807f28a52ae2d" SRCREV = "b42ba6d92faf6b4938e6f22ddd186dbdacc98d78" -SRC_URI = "git://github.com/KhronosGroup/SPIRV-Headers;protocol=https;branch=master" +SRC_URI = "git://github.com/KhronosGroup/SPIRV-Headers;protocol=https;branch=main" PE = "1" UPSTREAM_CHECK_GITTAGREGEX = "sdk-(?P<pver>\d+(\.\d+)+)" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-graphics/vulkan/vulkan-samples_git.bb b/poky/meta/recipes-graphics/vulkan/vulkan-samples_git.bb index 53c7254ce7..ffb8d88ee6 100644 --- a/poky/meta/recipes-graphics/vulkan/vulkan-samples_git.bb +++ b/poky/meta/recipes-graphics/vulkan/vulkan-samples_git.bb @@ -5,7 +5,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=48aa35cefb768436223a6e7f18dc2a2a" -SRC_URI = "gitsm://github.com/KhronosGroup/Vulkan-Samples.git;branch=master;protocol=https \ +SRC_URI = "gitsm://github.com/KhronosGroup/Vulkan-Samples.git;branch=main;protocol=https;lfs=0 \ file://0001-CMakeLists.txt-do-not-hardcode-lib-as-installation-t.patch \ file://debugfix.patch \ " diff --git a/poky/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch b/poky/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch new file mode 100644 index 0000000000..df204508e9 --- /dev/null +++ b/poky/meta/recipes-graphics/wayland/wayland/CVE-2021-3782.patch @@ -0,0 +1,111 @@ +From 5eed6609619cc2e4eaa8618d11c15d442abf54be Mon Sep 17 00:00:00 2001 +From: Derek Foreman <derek.foreman@collabora.com> +Date: Fri, 28 Jan 2022 13:18:37 -0600 +Subject: [PATCH] util: Limit size of wl_map + +Since server IDs are basically indistinguishable from really big client +IDs at many points in the source, it's theoretically possible to overflow +a map and either overflow server IDs into the client ID space, or grow +client IDs into the server ID space. This would currently take a massive +amount of RAM, but the definition of massive changes yearly. + +Prevent this by placing a ridiculous but arbitrary upper bound on the +number of items we can put in a map: 0xF00000, somewhere over 15 million. +This should satisfy pathological clients without restriction, but stays +well clear of the 0xFF000000 transition point between server and client +IDs. It will still take an improbable amount of RAM to hit this, and a +client could still exhaust all RAM in this way, but our goal is to prevent +overflow and undefined behaviour. + +Fixes #224 + +Signed-off-by: Derek Foreman <derek.foreman@collabora.com> + +Upstream-Status: Backport +CVE: CVE-2021-3782 + +Reference to upstream patch: +https://gitlab.freedesktop.org/wayland/wayland/-/commit/b19488c7154b902354cb26a27f11415d7799b0b2 + +[DP: adjust context for wayland version 1.20.0] +Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com> +--- + src/wayland-private.h | 1 + + src/wayland-util.c | 25 +++++++++++++++++++++++-- + 2 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/wayland-private.h b/src/wayland-private.h +index 9bf8cb7..35dc40e 100644 +--- a/src/wayland-private.h ++++ b/src/wayland-private.h +@@ -45,6 +45,7 @@ + #define WL_MAP_SERVER_SIDE 0 + #define WL_MAP_CLIENT_SIDE 1 + #define WL_SERVER_ID_START 0xff000000 ++#define WL_MAP_MAX_OBJECTS 0x00f00000 + #define WL_CLOSURE_MAX_ARGS 20 + + struct wl_object { +diff --git a/src/wayland-util.c b/src/wayland-util.c +index d5973bf..3e45d19 100644 +--- a/src/wayland-util.c ++++ b/src/wayland-util.c +@@ -195,6 +195,7 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) + union map_entry *start, *entry; + struct wl_array *entries; + uint32_t base; ++ uint32_t count; + + if (map->side == WL_MAP_CLIENT_SIDE) { + entries = &map->client_entries; +@@ -215,10 +216,25 @@ wl_map_insert_new(struct wl_map *map, uint32_t flags, void *data) + start = entries->data; + } + ++ /* wl_array only grows, so if we have too many objects at ++ * this point there's no way to clean up. We could be more ++ * pro-active about trying to avoid this allocation, but ++ * it doesn't really matter because at this point there is ++ * nothing to be done but disconnect the client and delete ++ * the whole array either way. ++ */ ++ count = entry - start; ++ if (count > WL_MAP_MAX_OBJECTS) { ++ /* entry->data is freshly malloced garbage, so we'd ++ * better make it a NULL so wl_map_for_each doesn't ++ * dereference it later. */ ++ entry->data = NULL; ++ return 0; ++ } + entry->data = data; + entry->next |= (flags & 0x1) << 1; + +- return (entry - start) + base; ++ return count + base; + } + + int +@@ -235,6 +251,9 @@ wl_map_insert_at(struct wl_map *map, uint32_t flags, uint32_t i, void *data) + i -= WL_SERVER_ID_START; + } + ++ if (i > WL_MAP_MAX_OBJECTS) ++ return -1; ++ + count = entries->size / sizeof *start; + if (count < i) + return -1; +@@ -269,8 +288,10 @@ wl_map_reserve_new(struct wl_map *map, uint32_t i) + i -= WL_SERVER_ID_START; + } + +- count = entries->size / sizeof *start; ++ if (i > WL_MAP_MAX_OBJECTS) ++ return -1; + ++ count = entries->size / sizeof *start; + if (count < i) + return -1; + +-- +2.37.3 diff --git a/poky/meta/recipes-graphics/wayland/wayland_1.20.0.bb b/poky/meta/recipes-graphics/wayland/wayland_1.20.0.bb index bd437767b2..9351d2ed6a 100644 --- a/poky/meta/recipes-graphics/wayland/wayland_1.20.0.bb +++ b/poky/meta/recipes-graphics/wayland/wayland_1.20.0.bb @@ -16,7 +16,9 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \ file://run-ptest \ file://0002-Do-not-hardcode-the-path-to-wayland-scanner.patch \ file://0001-build-Fix-strndup-detection-on-MinGW.patch \ + file://CVE-2021-3782.patch \ " + SRC_URI[sha256sum] = "b8a034154c7059772e0fdbd27dbfcda6c732df29cae56a82274f6ec5d7cd8725" UPSTREAM_CHECK_URI = "https://wayland.freedesktop.org/releases.html" diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch b/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch new file mode 100644 index 0000000000..973f328304 --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch @@ -0,0 +1,58 @@ +From 1d11822601fd24a396b354fa616b04ed3df8b4ef Mon Sep 17 00:00:00 2001 +From: "Thomas E. Dickey" <dickey@invisible-island.net> +Date: Tue, 4 Oct 2022 18:26:17 -0400 +Subject: [PATCH] fix a memory leak in XRegisterIMInstantiateCallback + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef] +CVE: CVE-2022-3554 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +fix a memory leak in XRegisterIMInstantiateCallback + +Analysis: + + _XimRegisterIMInstantiateCallback() opens an XIM and closes it using + the internal function pointers, but the internal close function does + not free the pointer to the XIM (this would be done in XCloseIM()). + +Report/patch: + + Date: Mon, 03 Oct 2022 18:47:32 +0800 + From: Po Lu <luangruo@yahoo.com> + To: xorg-devel@lists.x.org + Subject: Re: Yet another leak in Xlib + + For reference, here's how I'm calling XRegisterIMInstantiateCallback: + + XSetLocaleModifiers (""); + XRegisterIMInstantiateCallback (compositor.display, + XrmGetDatabase (compositor.display), + (char *) compositor.resource_name, + (char *) compositor.app_name, + IMInstantiateCallback, NULL); + and XMODIFIERS is: + + @im=ibus + +Signed-off-by: Thomas E. Dickey's avatarThomas E. Dickey <dickey@invisible-island.net> +--- + modules/im/ximcp/imInsClbk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/modules/im/ximcp/imInsClbk.c b/modules/im/ximcp/imInsClbk.c +index 95b379c..c10e347 100644 +--- a/modules/im/ximcp/imInsClbk.c ++++ b/modules/im/ximcp/imInsClbk.c +@@ -212,6 +212,9 @@ _XimRegisterIMInstantiateCallback( + if( xim ) { + lock = True; + xim->methods->close( (XIM)xim ); ++ /* XIMs must be freed manually after being opened; close just ++ does the protocol to deinitialize the IM. */ ++ XFree( xim ); + lock = False; + icb->call = True; + callback( display, client_data, NULL ); +-- +2.25.1 + diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch b/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch new file mode 100644 index 0000000000..919e7a00fb --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch @@ -0,0 +1,40 @@ +From 8a368d808fec166b5fb3dfe6312aab22c7ee20af Mon Sep 17 00:00:00 2001 +From: Hodong <hodong@yozmos.com> +Date: Thu, 20 Jan 2022 00:57:41 +0900 +Subject: [PATCH] Fix two memory leaks in _XFreeX11XCBStructure() + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af] +CVE: CVE-2022-3555 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +Fix two memory leaks in _XFreeX11XCBStructure() + +Even when XCloseDisplay() was called, some memory was leaked. + +XCloseDisplay() calls _XFreeDisplayStructure(), which calls +_XFreeX11XCBStructure(). + +However, _XFreeX11XCBStructure() did not destroy the condition variables, +resulting in the leaking of some 40 bytes. + +Signed-off-by: default avatarHodong <hodong@yozmos.com> +--- + src/xcb_disp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/xcb_disp.c b/src/xcb_disp.c +index 70a602f..e9becee 100644 +--- a/src/xcb_disp.c ++++ b/src/xcb_disp.c +@@ -102,6 +102,8 @@ void _XFreeX11XCBStructure(Display *dpy) + dpy->xcb->pending_requests = tmp->next; + free(tmp); + } ++ xcondition_clear(dpy->xcb->event_notify); ++ xcondition_clear(dpy->xcb->reply_notify); + xcondition_free(dpy->xcb->event_notify); + xcondition_free(dpy->xcb->reply_notify); + Xfree(dpy->xcb); +-- +2.25.1 + diff --git a/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb b/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb index 0c3abcd896..3e6b50c0a3 100644 --- a/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb +++ b/poky/meta/recipes-graphics/xorg-lib/libx11_1.7.3.1.bb @@ -15,6 +15,8 @@ PE = "1" SRC_URI = "${XORG_MIRROR}/individual/lib/${XORG_PN}-${PV}.tar.xz" SRC_URI += "file://disable_tests.patch \ + file://CVE-2022-3554.patch \ + file://CVE-2022-3555.patch \ " SRC_URI[sha256sum] = "2ffd417266fb875028fdc0ef349694f63dbcd76d0b0cfacfb52e6151f4b60989" diff --git a/poky/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch b/poky/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch new file mode 100644 index 0000000000..d226766d49 --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch @@ -0,0 +1,33 @@ +CVE: CVE-2022-44638 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From a1f88e842e0216a5b4df1ab023caebe33c101395 Mon Sep 17 00:00:00 2001 +From: Matt Turner <mattst88@gmail.com> +Date: Wed, 2 Nov 2022 12:07:32 -0400 +Subject: [PATCH] Avoid integer overflow leading to out-of-bounds write + +Thanks to Maddie Stone and Google's Project Zero for discovering this +issue, providing a proof-of-concept, and a great analysis. + +Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 +--- + pixman/pixman-trap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c +index 91766fd..7560405 100644 +--- a/pixman/pixman-trap.c ++++ b/pixman/pixman-trap.c +@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y, + + if (f < Y_FRAC_FIRST (n)) + { +- if (pixman_fixed_to_int (i) == 0x8000) ++ if (pixman_fixed_to_int (i) == 0xffff8000) + { + f = 0; /* saturate */ + } +-- +GitLab + diff --git a/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb b/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb index ccfe277746..c56733eefd 100644 --- a/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb +++ b/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb @@ -9,6 +9,7 @@ DEPENDS = "zlib" SRC_URI = "https://www.cairographics.org/releases/${BP}.tar.gz \ file://0001-ARM-qemu-related-workarounds-in-cpu-features-detecti.patch \ + file://CVE-2022-44638.patch \ " SRC_URI[md5sum] = "73858c0862dd9896fb5f62ae267084a4" SRC_URI[sha256sum] = "6d200dec3740d9ec4ec8d1180e25779c00bc749f94278c8b9021f5534db223fc" diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index 057a1ba6ad..6b11c79be6 100644 --- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc @@ -80,9 +80,9 @@ PACKAGES =+ "${PN}-sdl \ SUMMARY:xf86-video-modesetting = "X.Org X server -- modesetting display driver" INSANE_SKIP:${MLPREFIX}xf86-video-modesetting = "xorg-driver-abi" -XSERVER_RRECOMMENDS = "xkeyboard-config rgb xserver-xf86-config xkbcomp xf86-input-libinput" -RRECOMMENDS:${PN} += "${XSERVER_RRECOMMENDS}" -RRECOMMENDS:${PN}-xwayland += "${XSERVER_RRECOMMENDS}" +XSERVER_RDEPENDS = "xkeyboard-config rgb xserver-xf86-config xkbcomp xf86-input-libinput" +RDEPENDS:${PN} += "${XSERVER_RDEPENDS}" +RDEPENDS:${PN}-xwayland += "${XSERVER_RDEPENDS}" RDEPENDS:${PN}-xvfb += "xkeyboard-config" RDEPENDS:${PN}-module-exa = "${PN} (= ${EXTENDPKGV})" diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb index b9cbc9989e..212c7d39c2 100644 --- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.4.bb +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.7.bb @@ -3,7 +3,7 @@ require xserver-xorg.inc SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \ file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \ " -SRC_URI[sha256sum] = "5cc4be8ee47edb58d4a90e603a59d56b40291ad38371b0bd2471fc3cbee1c587" +SRC_URI[sha256sum] = "d9c60b2dd0ec52326ca6ab20db0e490b1ff4f566f59ca742d6532e92795877bb" # These extensions are now integrated into the server, so declare the migration # path for in-place upgrades. diff --git a/poky/meta/recipes-graphics/xwayland/xwayland_22.1.3.bb b/poky/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb index da1b27525d..6919ba421b 100644 --- a/poky/meta/recipes-graphics/xwayland/xwayland_22.1.3.bb +++ b/poky/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb @@ -10,7 +10,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=5df87950af51ac2c5822094553ea1880" SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz" -SRC_URI[sha256sum] = "a712eb7bce32cd934df36814b5dd046aa670899c16fe98f2afb003578f86a1c5" +SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73" UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar" @@ -23,7 +23,7 @@ OPENGL_PKGCONFIGS = "glx glamor dri3" PACKAGECONFIG ??= "${XORG_CRYPTO} \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', '${OPENGL_PKGCONFIGS}', '', d)} \ " -PACKAGECONFIG[dri3] = "-Ddri3=true,-Ddri3=false" +PACKAGECONFIG[dri3] = "-Ddri3=true,-Ddri3=false,libxshmfence" PACKAGECONFIG[glx] = "-Dglx=true,-Dglx=false,virtual/libgl virtual/libx11" PACKAGECONFIG[glamor] = "-Dglamor=true,-Dglamor=false,libepoxy virtual/libgbm,libegl" PACKAGECONFIG[unwind] = "-Dlibunwind=true,-Dlibunwind=false,libunwind" diff --git a/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb b/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb index dea7b65a7c..12f1cf516e 100644 --- a/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb +++ b/poky/meta/recipes-kernel/kern-tools/kern-tools-native_git.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "\ DEPENDS = "git-native" -SRCREV = "ba600ef61a85966596126a6e8d936971905e8749" +SRCREV = "2d01f24bc78256c709728eb3f204491bce13e0e5" PV = "0.3+git${SRCPV}" inherit native diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb index 45c9d0e861..bf5d4f54e6 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20220913.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb @@ -45,6 +45,7 @@ LICENSE = "\ & Firmware-phanfw \ & Firmware-qat \ & Firmware-qcom \ + & Firmware-qcom-yamato \ & Firmware-qla1280 \ & Firmware-qla2xxx \ & Firmware-qualcommAthos_ar3k \ @@ -70,8 +71,8 @@ LICENSE = "\ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ file://LICENCE.adsp_sst;md5=615c45b91a5a4a9fe046d6ab9a2df728 \ file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \ - file://LICENSE.amdgpu;md5=44c1166d052226cb2d6c8d7400090203 \ - file://LICENSE.amd-ucode;md5=3c5399dc9148d7f0e1f41e34b69cf14f \ + file://LICENSE.amdgpu;md5=a2589a05ea5b6bd2b7f4f623c7e7a649 \ + file://LICENSE.amd-ucode;md5=6ca90c57f7b248de1e25c7f68ffc4698 \ file://LICENSE.amlogic_vdec;md5=dc44f59bf64a81643e500ad3f39a468a \ file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \ file://LICENSE.atmel;md5=aa74ac0c60595dee4d4e239107ea77a3 \ @@ -109,6 +110,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \ file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \ file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \ + file://LICENSE.qcom_yamato;md5=d0de0eeccaf1843a850bf7a6777eec5c \ file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \ file://LICENCE.qla2xxx;md5=505855e921b75f1be4a437ad9b79dff0 \ file://LICENSE.QualcommAtheros_ar3k;md5=b5fe244fb2b532311de1472a3bc06da5 \ @@ -132,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "98ecc3d3223df7ebdc23b0ec56aafb20" +WHENCE_CHKSUM = "aadb3cccbde1e53fc244a409e9bd5a22" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source @@ -177,6 +179,7 @@ NO_GENERIC_LICENSE[Firmware-ath9k-htc] = "LICENCE.open-ath9k-htc-firmware" NO_GENERIC_LICENSE[Firmware-phanfw] = "LICENCE.phanfw" NO_GENERIC_LICENSE[Firmware-qat] = "LICENCE.qat_firmware" NO_GENERIC_LICENSE[Firmware-qcom] = "LICENSE.qcom" +NO_GENERIC_LICENSE[Firmware-qcom-yamato] = "LICENSE.qcom_yamato" NO_GENERIC_LICENSE[Firmware-qla1280] = "LICENCE.qla1280" NO_GENERIC_LICENSE[Firmware-qla2xxx] = "LICENCE.qla2xxx" NO_GENERIC_LICENSE[Firmware-qualcommAthos_ar3k] = "LICENSE.QualcommAtheros_ar3k" @@ -209,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "26fd00f2d8e96c4af6f44269a6b893eb857253044f75ad28ef6706a2250cd8e9" +SRC_URI[sha256sum] = "6e3d9e8d52cffc4ec0dbe8533a8445328e0524a20f159a5b61c2706f983ce38a" inherit allarch @@ -228,6 +231,7 @@ do_install() { PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-mt7601u-license ${PN}-mt7601u \ ${PN}-radeon-license ${PN}-radeon \ + ${PN}-amdgpu-license ${PN}-amdgpu \ ${PN}-marvell-license ${PN}-pcie8897 ${PN}-pcie8997 \ ${PN}-sd8686 ${PN}-sd8688 ${PN}-sd8787 ${PN}-sd8797 ${PN}-sd8801 \ ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \ @@ -235,6 +239,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-vt6656-license ${PN}-vt6656 \ ${PN}-rs9113 ${PN}-rs9116 \ ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ + ${PN}-rtl8761 \ ${PN}-rtl8168 \ ${PN}-cypress-license \ ${PN}-broadcom-license \ @@ -305,7 +310,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-nvidia-gpu \ ${PN}-netronome-license ${PN}-netronome \ ${PN}-qat ${PN}-qat-license \ - ${PN}-qcom-license \ + ${PN}-qcom-license ${PN}-qcom-yamato-license \ ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \ ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \ ${PN}-qcom-adreno-a2xx ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a4xx ${PN}-qcom-adreno-a530 \ @@ -428,6 +433,17 @@ FILES:${PN}-radeon = " \ RDEPENDS:${PN}-radeon += "${PN}-radeon-license" +# For amdgpu +LICENSE:${PN}-amdgpu = "Firmware-amdgpu" +LICENSE:${PN}-amdgpu-license = "Firmware-amdgpu" + +FILES:${PN}-amdgpu-license = "${nonarch_base_libdir}/firmware/LICENSE.amdgpu" +FILES:${PN}-amdgpu = " \ + ${nonarch_base_libdir}/firmware/amdgpu \ +" + +RDEPENDS:${PN}-amdgpu += "${PN}-amdgpu-license" + # For lontium LICENSE:${PN}-lt9611uxc = "Firmware-Lontium" @@ -563,6 +579,7 @@ LICENSE:${PN}-rtl8192cu = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8192ce = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8192su = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8723 = "Firmware-rtlwifi_firmware" +LICENSE:${PN}-rtl8761 = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8821 = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl-license = "Firmware-rtlwifi_firmware" LICENSE:${PN}-rtl8168 = "WHENCE" @@ -588,6 +605,9 @@ FILES:${PN}-rtl8723 = " \ FILES:${PN}-rtl8821 = " \ ${nonarch_base_libdir}/firmware/rtlwifi/rtl8821*.bin \ " +FILES:${PN}-rtl8761 = " \ + ${nonarch_base_libdir}/firmware/rtl_bt/rtl8761*.bin \ +" FILES:${PN}-rtl8168 = " \ ${nonarch_base_libdir}/firmware/rtl_nic/rtl8168*.fw \ " @@ -598,6 +618,7 @@ RDEPENDS:${PN}-rtl8192cu += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8192su = "${PN}-rtl-license" RDEPENDS:${PN}-rtl8723 += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8821 += "${PN}-rtl-license" +RDEPENDS:${PN}-rtl8761 += "${PN}-rtl-license" RDEPENDS:${PN}-rtl8168 += "${PN}-whence-license" # For ti-connectivity @@ -965,17 +986,44 @@ RDEPENDS:${PN}-qat = "${PN}-qat-license" # For QCOM VPU/GPU and SDM845 LICENSE:${PN}-qcom-license = "Firmware-qcom" +LICENSE:${PN}-qcom-yamato-license = "Firmware-qcom-yamato" +LICENSE:${PN}-qcom-venus-1.8 = "Firmware-qcom" +LICENSE:${PN}-qcom-venus-4.2 = "Firmware-qcom" +LICENSE:${PN}-qcom-venus-5.2 = "Firmware-qcom" +LICENSE:${PN}-qcom-venus-5.4 = "Firmware-qcom" +LICENSE:${PN}-qcom-vpu-1.0 = "Firmware-qcom" +LICENSE:${PN}-qcom-vpu-2.0 = "Firmware-qcom" +LICENSE:${PN}-qcom-adreno-a2xx = "Firmware-qcom Firmware-qcom-yamato" +LICENSE:${PN}-qcom-adreno-a3xx = "Firmware-qcom" +LICENSE:${PN}-qcom-adreno-a4xx = "Firmware-qcom" +LICENSE:${PN}-qcom-adreno-a530 = "Firmware-qcom" +LICENSE:${PN}-qcom-adreno-a630 = "Firmware-qcom" +LICENSE:${PN}-qcom-adreno-a650 = "Firmware-qcom" +LICENSE:${PN}-qcom-adreno-a660 = "Firmware-qcom" +LICENSE:${PN}-qcom-apq8096-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-apq8096-modem = "Firmware-qcom" +LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-adreno = "Firmware-qcom" +LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-compute = "Firmware-qcom" +LICENSE:${PN}-qcom-sc8280xp-lenovo-x13s-sensors = "Firmware-qcom" +LICENSE:${PN}-qcom-sdm845-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-sdm845-compute = "Firmware-qcom" +LICENSE:${PN}-qcom-sdm845-modem = "Firmware-qcom" +LICENSE:${PN}-qcom-sm8250-audio = "Firmware-qcom" +LICENSE:${PN}-qcom-sm8250-compute = "Firmware-qcom" + FILES:${PN}-qcom-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom ${nonarch_base_libdir}/firmware/qcom/NOTICE.txt" +FILES:${PN}-qcom-yamato-license = "${nonarch_base_libdir}/firmware/LICENSE.qcom_yamato" FILES:${PN}-qcom-venus-1.8 = "${nonarch_base_libdir}/firmware/qcom/venus-1.8/*" FILES:${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*" FILES:${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*" FILES:${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*" FILES:${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*" FILES:${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*" -FILES:${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw" +FILES:${PN}-qcom-adreno-a2xx = "${nonarch_base_libdir}/firmware/qcom/leia_*.fw ${nonarch_base_libdir}/firmware/qcom/yamato_*.fw" FILES:${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a3*_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw" FILES:${PN}-qcom-adreno-a4xx = "${nonarch_base_libdir}/firmware/qcom/a4*_*.fw" -FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*" +FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.* ${nonarch_base_libdir}/firmware/qcom/apq8096/a530*.*" FILES:${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*" FILES:${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*" FILES:${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*" @@ -991,13 +1039,14 @@ FILES:${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/c FILES:${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn" FILES:${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*" FILES:${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*" + RDEPENDS:${PN}-qcom-venus-1.8 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-venus-4.2 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-venus-5.2 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-venus-5.4 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-vpu-1.0 = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-vpu-2.0 = "${PN}-qcom-license" -RDEPENDS:${PN}-qcom-adreno-a2xx = "${PN}-qcom-license" +RDEPENDS:${PN}-qcom-adreno-a2xx = "${PN}-qcom-license ${PN}-qcom-yamato-license" RDEPENDS:${PN}-qcom-adreno-a3xx = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-adreno-a4xx = "${PN}-qcom-license" RDEPENDS:${PN}-qcom-adreno-a530 = "${PN}-qcom-license" @@ -1103,3 +1152,6 @@ INSANE_SKIP = "arch" # Don't warn about already stripped files INSANE_SKIP:${PN} = "already-stripped" + +# No need to put firmware into the sysroot +SYSROOT_DIRS_IGNORE += "${nonarch_base_libdir}/firmware" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb b/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb index 75b1cb2a49..94800aeaca 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb @@ -10,8 +10,6 @@ inherit kernel require recipes-kernel/linux/linux-yocto.inc -# for ncurses tests -inherit pkgconfig # provide this .inc to set specific revisions include recipes-kernel/linux/linux-yocto-dev-revisions.inc @@ -50,7 +48,7 @@ PACKAGECONFIG[dt-validation] = ",,python3-dtschema-native" # we need the wrappers if validation isn't in the packageconfig DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'dt-validation', '', 'python3-dtschema-wrapper-native', d)}" -COMPATIBLE_MACHINE = "^(qemuarm|qemux86|qemuppc|qemumips|qemumips64|qemux86-64|qemuriscv32|qemuriscv64)$" +COMPATIBLE_MACHINE = "^(qemuarm|qemuarm64|qemux86|qemuppc|qemumips|qemumips64|qemux86-64|qemuriscv32|qemuriscv64)$" KERNEL_DEVICETREE:qemuarmv5 = "versatile-pb.dtb" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb index 7ce21f0719..f25745194a 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "932359383ea84843300c03ee6633881de1af488b" -SRCREV_meta ?= "92c947578207d27db250ee7250bacc11d9d80d4f" +SRCREV_machine ?= "6462fa707bd003b62bee6042c20e8ab1f391df96" +SRCREV_meta ?= "8ea689ac1980b5c09cd049a3403f72e75a8739da" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.10.143" +LINUX_VERSION ?= "5.10.175" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb index 6f8648e004..38daab6bbe 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.15.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "dba1b7d90813231782bdeda1bd169c93b35c94e0" -SRCREV_meta ?= "1128d7bcdcde490d4f35cc00c97f5410bb240d99" +SRCREV_machine ?= "e1ca9a177aff19013178aa30a8eccb4d7b2b67d7" +SRCREV_meta ?= "441f5fe00073620cec471166cf6e94c4ef9c69b2" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.15.68" +LINUX_VERSION ?= "5.15.103" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb index 760b2be437..798fb84565 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.10.143" +LINUX_VERSION ?= "5.10.175" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine:qemuarm ?= "f794496466680c6dbd36cb34b3e0884d0ee48d2d" -SRCREV_machine ?= "8173de3a22ec3395be1ae01dbe823d076313641a" -SRCREV_meta ?= "92c947578207d27db250ee7250bacc11d9d80d4f" +SRCREV_machine:qemuarm ?= "d90caed79c490df9aab86920b33698bc29899d45" +SRCREV_machine ?= "878a6b6459feacfa733cf27a14b9f70b9922ba65" +SRCREV_meta ?= "8ea689ac1980b5c09cd049a3403f72e75a8739da" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb index 4f2bb48743..eb6af62015 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.15.bb @@ -5,7 +5,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.15.68" +LINUX_VERSION ?= "5.15.103" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -14,8 +14,8 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine ?= "33e7eea5c4545a973cf01a849c2b45fa0cd1fa13" -SRCREV_meta ?= "1128d7bcdcde490d4f35cc00c97f5410bb240d99" +SRCREV_machine ?= "4ae6c9a73f4e6e356186a541e3fcbea4fa6a09f1" +SRCREV_meta ?= "441f5fe00073620cec471166cf6e94c4ef9c69b2" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto.inc b/poky/meta/recipes-kernel/linux/linux-yocto.inc index 7ea661e138..1f8289b6b6 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto.inc +++ b/poky/meta/recipes-kernel/linux/linux-yocto.inc @@ -46,7 +46,6 @@ LINUX_VERSION_EXTENSION ??= "-yocto-${LINUX_KERNEL_TYPE}" # Pick up shared functions inherit kernel inherit kernel-yocto -inherit pkgconfig B = "${WORKDIR}/linux-${PACKAGE_ARCH}-${LINUX_KERNEL_TYPE}-build" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb index bf43f77100..92666e4865 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb @@ -13,23 +13,23 @@ KBRANCH:qemux86 ?= "v5.10/standard/base" KBRANCH:qemux86-64 ?= "v5.10/standard/base" KBRANCH:qemumips64 ?= "v5.10/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "1cfbadeee39ed8d3a8840586a57eee0cf1686f62" -SRCREV_machine:qemuarm64 ?= "12f0f8c4af04c4d4cb7762b7a2e5cfaa917f8fe9" -SRCREV_machine:qemumips ?= "4b9e240c03b2b60be378ae2cc9a321922201de8f" -SRCREV_machine:qemuppc ?= "7914a529e3ccd64f347439d5cabc202d24af3ea0" -SRCREV_machine:qemuriscv64 ?= "8cf777336c9b7160ffdf1e8d7e4d8ee0cd8cdb37" -SRCREV_machine:qemuriscv32 ?= "8cf777336c9b7160ffdf1e8d7e4d8ee0cd8cdb37" -SRCREV_machine:qemux86 ?= "8cf777336c9b7160ffdf1e8d7e4d8ee0cd8cdb37" -SRCREV_machine:qemux86-64 ?= "8cf777336c9b7160ffdf1e8d7e4d8ee0cd8cdb37" -SRCREV_machine:qemumips64 ?= "05365e1787c60331f88bec98dd0fcca08ce78b06" -SRCREV_machine ?= "8cf777336c9b7160ffdf1e8d7e4d8ee0cd8cdb37" -SRCREV_meta ?= "92c947578207d27db250ee7250bacc11d9d80d4f" +SRCREV_machine:qemuarm ?= "1784e127b2ebee50ade30dc697d9f2c9ccda64d6" +SRCREV_machine:qemuarm64 ?= "3189034276f25e203dae9df3df5fd33849a63ddb" +SRCREV_machine:qemumips ?= "ed305aee0a2d924dd532eea364036736a43b008e" +SRCREV_machine:qemuppc ?= "43e2751f24c4c35341b877429f5c62f57cc23616" +SRCREV_machine:qemuriscv64 ?= "96f3a7ef51f544080250e995b21e66004fdbb2bb" +SRCREV_machine:qemuriscv32 ?= "96f3a7ef51f544080250e995b21e66004fdbb2bb" +SRCREV_machine:qemux86 ?= "96f3a7ef51f544080250e995b21e66004fdbb2bb" +SRCREV_machine:qemux86-64 ?= "96f3a7ef51f544080250e995b21e66004fdbb2bb" +SRCREV_machine:qemumips64 ?= "82870b2da104e88b79174aece820f233e0c4bd72" +SRCREV_machine ?= "96f3a7ef51f544080250e995b21e66004fdbb2bb" +SRCREV_meta ?= "8ea689ac1980b5c09cd049a3403f72e75a8739da" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.10.143" +LINUX_VERSION ?= "5.10.175" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb index 2f91fb7a37..41f20c96dd 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.15.bb @@ -13,24 +13,24 @@ KBRANCH:qemux86 ?= "v5.15/standard/base" KBRANCH:qemux86-64 ?= "v5.15/standard/base" KBRANCH:qemumips64 ?= "v5.15/standard/mti-malta64" -SRCREV_machine:qemuarm ?= "efe28b4b16d4a1a19f59b4650a0bfb23ffc8c40e" -SRCREV_machine:qemuarm64 ?= "66986670c45f63d2ed2078e07aa817ede88025ad" -SRCREV_machine:qemumips ?= "aeeb80fd7f684aca830adb7daf32cfd80637cf3a" -SRCREV_machine:qemuppc ?= "5c6387a562af89ec92546c1374a120ac240f14e6" -SRCREV_machine:qemuriscv64 ?= "0e51e571701842db33ad96f6ddc8cc6b23230627" -SRCREV_machine:qemuriscv32 ?= "0e51e571701842db33ad96f6ddc8cc6b23230627" -SRCREV_machine:qemux86 ?= "0e51e571701842db33ad96f6ddc8cc6b23230627" -SRCREV_machine:qemux86-64 ?= "0e51e571701842db33ad96f6ddc8cc6b23230627" -SRCREV_machine:qemumips64 ?= "20ec37851f4ee9965120937dcf2567f15e72e07a" -SRCREV_machine ?= "0e51e571701842db33ad96f6ddc8cc6b23230627" -SRCREV_meta ?= "1128d7bcdcde490d4f35cc00c97f5410bb240d99" +SRCREV_machine:qemuarm ?= "21687086c27bb112f19b0aac455d800961c0b830" +SRCREV_machine:qemuarm64 ?= "7144f86a73fe2ffe4fe57c9e6cf28d8fc8db4b6a" +SRCREV_machine:qemumips ?= "557c06060cb218ade536fccc66f8f3e755537f31" +SRCREV_machine:qemuppc ?= "db19dbdcdf51b9d2a071dcf180ba9e20b8286e9b" +SRCREV_machine:qemuriscv64 ?= "024d08fb706170a9723e9751e505681f9d4c7ab6" +SRCREV_machine:qemuriscv32 ?= "024d08fb706170a9723e9751e505681f9d4c7ab6" +SRCREV_machine:qemux86 ?= "024d08fb706170a9723e9751e505681f9d4c7ab6" +SRCREV_machine:qemux86-64 ?= "024d08fb706170a9723e9751e505681f9d4c7ab6" +SRCREV_machine:qemumips64 ?= "6f1dbe8c258d49f4dba59827124dfe9aa2c151db" +SRCREV_machine ?= "024d08fb706170a9723e9751e505681f9d4c7ab6" +SRCREV_meta ?= "441f5fe00073620cec471166cf6e94c4ef9c69b2" # set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll # get the <version>/base branch, which is pure upstream -stable, and the same # meta SRCREV as the linux-yocto-standard builds. Select your version using the # normal PREFERRED_VERSION settings. BBCLASSEXTEND = "devupstream:target" -SRCREV_machine:class-devupstream ?= "dd20085f2a88b6cdb12bdcdbd2d7a761c86b184a" +SRCREV_machine:class-devupstream ?= "8020ae3c051d1c9ec7b7a872e226f9720547649b" PN:class-devupstream = "linux-yocto-upstream" KBRANCH:class-devupstream = "v5.15/base" @@ -38,7 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.15;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" -LINUX_VERSION ?= "5.15.68" +LINUX_VERSION ?= "5.15.103" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/lttng/babeltrace_1.5.8.bb b/poky/meta/recipes-kernel/lttng/babeltrace_1.5.11.bb index 19601e7d1b..8e2fe4164d 100644 --- a/poky/meta/recipes-kernel/lttng/babeltrace_1.5.8.bb +++ b/poky/meta/recipes-kernel/lttng/babeltrace_1.5.11.bb @@ -10,7 +10,7 @@ DEPENDS = "glib-2.0 util-linux popt bison-native flex-native" SRC_URI = "git://git.efficios.com/babeltrace.git;branch=stable-1.5 \ file://run-ptest \ " -SRCREV = "054a54ae10b01a271afc4f19496c041b10fb414c" +SRCREV = "91c00f70884887ff5c4849a8e3d47e311a22ba9d" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>1(\.\d+)+)$" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-adjust-range-v5.10.137-in-block-probe.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-adjust-range-v5.10.137-in-block-probe.patch deleted file mode 100644 index 1c3918be5c..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-adjust-range-v5.10.137-in-block-probe.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 5dab3d515b6f5c5ac80c8e7674628495e3bf4ac6 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson <mjeanson@efficios.com> -Date: Mon, 22 Aug 2022 14:16:27 -0400 -Subject: [PATCH] fix: adjust range v5.10.137 in block probe - -See upstream commit, backported in v5.10.137 : - -commit 1cb3032406423b25aa984854b4d78e0100d292dd -Author: Christoph Hellwig <hch@lst.de> -Date: Thu Dec 3 17:21:39 2020 +0100 - - block: remove the request_queue to argument request based tracepoints - - [ Upstream commit a54895fa057c67700270777f7661d8d3c7fda88a ] - - The request_queue can trivially be derived from the request. - -Change-Id: I01f96a437641421faf993b4b031171c372bd0374 -Signed-off-by: Michael Jeanson <mjeanson@efficios.com> -Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> - -Upstream-Status: Backport [https://github.com/lttng/lttng-modules/commit/5dab3d515b6f5c5ac80c8e7674628495e3bf4ac6] -Signed-off-by: Steve Sakoman <steve@sakoman.com> - ---- - include/instrumentation/events/block.h | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/include/instrumentation/events/block.h b/include/instrumentation/events/block.h -index 882e6e08..d4821c12 100644 ---- a/include/instrumentation/events/block.h -+++ b/include/instrumentation/events/block.h -@@ -366,7 +366,8 @@ LTTNG_TRACEPOINT_EVENT(block_rq_requeue, - lttng_req_op(rq), lttng_req_rw(rq), blk_rq_bytes(rq)) - ) - ) --#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0) \ -+ || LTTNG_KERNEL_RANGE(5,10,137, 5,11,0)) - /** - * block_rq_requeue - place block IO request back on a queue - * @rq: block IO operation request -@@ -611,7 +612,8 @@ LTTNG_TRACEPOINT_EVENT_CLASS(block_rq, - ctf_array_text(char, comm, current->comm, TASK_COMM_LEN) - ) - ) --#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0) \ -+ || LTTNG_KERNEL_RANGE(5,10,137, 5,11,0)) - LTTNG_TRACEPOINT_EVENT_CLASS(block_rq, - - TP_PROTO(struct request *rq), -@@ -746,7 +748,8 @@ LTTNG_TRACEPOINT_EVENT_CLASS_CODE(block_rq, - ) - #endif /* #else #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(4,11,0)) */ - --#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0) \ -+ || LTTNG_KERNEL_RANGE(5,10,137, 5,11,0)) - /** - * block_rq_insert - insert block operation request into queue - * @rq: block IO operation request -@@ -781,7 +784,8 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(block_rq, block_rq_insert, - ) - #endif - --#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0) \ -+ || LTTNG_KERNEL_RANGE(5,10,137, 5,11,0)) - /** - * block_rq_issue - issue pending block IO request operation to device driver - * @rq: block IO operation operation request -@@ -812,7 +816,8 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(block_rq, block_rq_issue, - ) - #endif - --#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0) \ -+ || LTTNG_KERNEL_RANGE(5,10,137, 5,11,0)) - /** - * block_rq_merge - merge request with another one in the elevator - * @rq: block IO operation operation request -@@ -1632,7 +1637,8 @@ LTTNG_TRACEPOINT_EVENT(block_rq_remap, - lttng_req_op(rq), lttng_req_rw(rq), blk_rq_bytes(rq)) - ) - ) --#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0) \ -+ || LTTNG_KERNEL_RANGE(5,10,137, 5,11,0)) - /** - * block_rq_remap - map request for a block operation request - * @rq: block IO operation request diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch deleted file mode 100644 index 21e27ffc5e..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 8e42c4821fb5f5cb816b6ddf73d9a13ba3298a63 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson <mjeanson@efficios.com> -Date: Wed, 10 Aug 2022 11:07:14 -0400 -Subject: [PATCH] fix: tie compaction probe build to CONFIG_COMPACTION - -The definition of 'struct compact_control' in 'mm/internal.h' depends on -CONFIG_COMPACTION being defined. Only build the compaction probe when -this configuration option is enabled. - -Thanks to Bruce Ashfield <bruce.ashfield@gmail.com> for reporting this -issue. - -Upstream-Status: Backport [https://review.lttng.org/c/lttng-modules/+/8660] - -Change-Id: I81e77aa9c1bf10452c152d432fe5224df0db42c9 -Signed-off-by: Michael Jeanson <mjeanson@efficios.com> ---- - src/probes/Kbuild | 34 ++++++++++++++++++---------------- - 1 file changed, 18 insertions(+), 16 deletions(-) - -diff --git a/src/probes/Kbuild b/src/probes/Kbuild -index 2908cf75..3e556b8e 100644 ---- a/src/probes/Kbuild -+++ b/src/probes/Kbuild -@@ -167,22 +167,24 @@ ifneq ($(CONFIG_BTRFS_FS),) - endif # $(wildcard $(btrfs_dep)) - endif # CONFIG_BTRFS_FS - --# A dependency on internal header 'mm/internal.h' was introduced in v5.18 --compaction_dep = $(srctree)/mm/internal.h --compaction_dep_wildcard = $(wildcard $(compaction_dep)) --compaction_dep_check = $(shell \ --if [ \( $(VERSION) -ge 6 \ -- -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) -a \ -- -z "$(compaction_dep_wildcard)" ] ; then \ -- echo "warn" ; \ --else \ -- echo "ok" ; \ --fi ;) --ifeq ($(compaction_dep_check),ok) -- obj-$(CONFIG_LTTNG) += lttng-probe-compaction.o --else -- $(warning Files $(compaction_dep) not found. Probe "compaction" is disabled. Use full kernel source tree to enable it.) --endif # $(wildcard $(compaction_dep)) -+ifneq ($(CONFIG_COMPACTION),) -+ # A dependency on internal header 'mm/internal.h' was introduced in v5.18 -+ compaction_dep = $(srctree)/mm/internal.h -+ compaction_dep_wildcard = $(wildcard $(compaction_dep)) -+ compaction_dep_check = $(shell \ -+ if [ \( $(VERSION) -ge 6 \ -+ -o \( $(VERSION) -eq 5 -a $(PATCHLEVEL) -ge 18 \) \) -a \ -+ -z "$(compaction_dep_wildcard)" ] ; then \ -+ echo "warn" ; \ -+ else \ -+ echo "ok" ; \ -+ fi ;) -+ ifeq ($(compaction_dep_check),ok) -+ obj-$(CONFIG_LTTNG) += lttng-probe-compaction.o -+ else -+ $(warning Files $(compaction_dep) not found. Probe "compaction" is disabled. Use full kernel source tree to enable it.) -+ endif # $(wildcard $(compaction_dep)) -+endif # CONFIG_COMPACTION - - ifneq ($(CONFIG_EXT4_FS),) - ext4_dep = $(srctree)/fs/ext4/*.h --- -2.34.1 - diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch deleted file mode 100644 index 62376806c8..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 8d5da4d2a3d7d9173208f4e8dc7a709f0bfc9820 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson <mjeanson@efficios.com> -Date: Wed, 8 Jun 2022 12:56:36 -0400 -Subject: [PATCH 1/3] fix: mm/page_alloc: fix tracepoint - mm_page_alloc_zone_locked() (v5.19) - -See upstream commit : - - commit 10e0f7530205799e7e971aba699a7cb3a47456de - Author: Wonhyuk Yang <vvghjk1234@gmail.com> - Date: Thu May 19 14:08:54 2022 -0700 - - mm/page_alloc: fix tracepoint mm_page_alloc_zone_locked() - - Currently, trace point mm_page_alloc_zone_locked() doesn't show correct - information. - - First, when alloc_flag has ALLOC_HARDER/ALLOC_CMA, page can be allocated - from MIGRATE_HIGHATOMIC/MIGRATE_CMA. Nevertheless, tracepoint use - requested migration type not MIGRATE_HIGHATOMIC and MIGRATE_CMA. - - Second, after commit 44042b4498728 ("mm/page_alloc: allow high-order pages - to be stored on the per-cpu lists") percpu-list can store high order - pages. But trace point determine whether it is a refiil of percpu-list by - comparing requested order and 0. - - To handle these problems, make mm_page_alloc_zone_locked() only be called - by __rmqueue_smallest with correct migration type. With a new argument - called percpu_refill, it can show roughly whether it is a refill of - percpu-list. - -Upstream-Status: Backport - -Change-Id: I2e4a57393757f12b9c5a4566c4d1102ee2474a09 -Signed-off-by: Michael Jeanson <mjeanson@efficios.com> -Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> ---- - include/instrumentation/events/kmem.h | 45 +++++++++++++++++++++++++++ - 1 file changed, 45 insertions(+) - -diff --git a/include/instrumentation/events/kmem.h b/include/instrumentation/events/kmem.h -index 29c0fb7f..8c19e962 100644 ---- a/include/instrumentation/events/kmem.h -+++ b/include/instrumentation/events/kmem.h -@@ -218,6 +218,50 @@ LTTNG_TRACEPOINT_EVENT_MAP(mm_page_alloc, kmem_mm_page_alloc, - ) - ) - -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,19,0)) -+LTTNG_TRACEPOINT_EVENT_CLASS(kmem_mm_page, -+ -+ TP_PROTO(struct page *page, unsigned int order, int migratetype, -+ int percpu_refill), -+ -+ TP_ARGS(page, order, migratetype, percpu_refill), -+ -+ TP_FIELDS( -+ ctf_integer_hex(struct page *, page, page) -+ ctf_integer(unsigned long, pfn, -+ page ? page_to_pfn(page) : -1UL) -+ ctf_integer(unsigned int, order, order) -+ ctf_integer(int, migratetype, migratetype) -+ ctf_integer(int, percpu_refill, percpu_refill) -+ ) -+) -+ -+LTTNG_TRACEPOINT_EVENT_INSTANCE_MAP(kmem_mm_page, mm_page_alloc_zone_locked, -+ -+ kmem_mm_page_alloc_zone_locked, -+ -+ TP_PROTO(struct page *page, unsigned int order, int migratetype, -+ int percpu_refill), -+ -+ TP_ARGS(page, order, migratetype, percpu_refill) -+) -+ -+LTTNG_TRACEPOINT_EVENT_MAP(mm_page_pcpu_drain, -+ -+ kmem_mm_page_pcpu_drain, -+ -+ TP_PROTO(struct page *page, unsigned int order, int migratetype), -+ -+ TP_ARGS(page, order, migratetype), -+ -+ TP_FIELDS( -+ ctf_integer(unsigned long, pfn, -+ page ? page_to_pfn(page) : -1UL) -+ ctf_integer(unsigned int, order, order) -+ ctf_integer(int, migratetype, migratetype) -+ ) -+) -+#else - LTTNG_TRACEPOINT_EVENT_CLASS(kmem_mm_page, - - TP_PROTO(struct page *page, unsigned int order, int migratetype), -@@ -250,6 +294,7 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE_MAP(kmem_mm_page, mm_page_pcpu_drain, - - TP_ARGS(page, order, migratetype) - ) -+#endif - - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(3,19,2) \ - || LTTNG_KERNEL_RANGE(3,14,36, 3,15,0) \ --- -2.19.1 - diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch deleted file mode 100644 index ca6abea9c0..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch +++ /dev/null @@ -1,53 +0,0 @@ -From d8254360c7f2ff9b3f945e9668d89c0b56b9bd91 Mon Sep 17 00:00:00 2001 -From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> -Date: Fri, 29 Jul 2022 15:37:43 -0400 -Subject: [PATCH] fix: net: skb: introduce kfree_skb_reason() (v5.15.58..v5.16) - -See upstream commit : - - commit c504e5c2f9648a1e5c2be01e8c3f59d394192bd3 - Author: Menglong Dong <imagedong@tencent.com> - Date: Sun Jan 9 14:36:26 2022 +0800 - - net: skb: introduce kfree_skb_reason() - - Introduce the interface kfree_skb_reason(), which is able to pass - the reason why the skb is dropped to 'kfree_skb' tracepoint. - - Add the 'reason' field to 'trace_kfree_skb', therefor user can get - more detail information about abnormal skb with 'drop_monitor' or - eBPF. - - All drop reasons are defined in the enum 'skb_drop_reason', and - they will be print as string in 'kfree_skb' tracepoint in format - of 'reason: XXX'. - - ( Maybe the reasons should be defined in a uapi header file, so that - user space can use them? ) - -Upstream-Status: Backport - -Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> -Change-Id: Ib3c039207739dad10f097cf76474e0822e351273 ---- - include/instrumentation/events/skb.h | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/include/instrumentation/events/skb.h b/include/instrumentation/events/skb.h -index 237e54ad..186732ea 100644 ---- a/include/instrumentation/events/skb.h -+++ b/include/instrumentation/events/skb.h -@@ -13,7 +13,9 @@ - /* - * Tracepoint for free an sk_buff: - */ --#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,17,0)) -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,17,0) \ -+ || LTTNG_KERNEL_RANGE(5,15,58, 5,16,0)) -+ - LTTNG_TRACEPOINT_ENUM(skb_drop_reason, - TP_ENUM_VALUES( - ctf_enum_value("NOT_SPECIFIED", SKB_DROP_REASON_NOT_SPECIFIED) --- -2.17.1 - diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch deleted file mode 100644 index 84c97d5f90..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch +++ /dev/null @@ -1,76 +0,0 @@ -From b5d1c38665cd69d7d1c94231fe0609da5c8afbc3 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson <mjeanson@efficios.com> -Date: Wed, 8 Jun 2022 13:07:59 -0400 -Subject: [PATCH 2/3] fix: fs: Remove flags parameter from aops->write_begin - (v5.19) - -See upstream commit : - - commit 9d6b0cd7579844761ed68926eb3073bab1dca87b - Author: Matthew Wilcox (Oracle) <willy@infradead.org> - Date: Tue Feb 22 14:31:43 2022 -0500 - - fs: Remove flags parameter from aops->write_begin - - There are no more aop flags left, so remove the parameter. - -Upstream-Status: Backport - -Change-Id: I82725b93e13d749f52a631b2ac60df81a5e839f8 -Signed-off-by: Michael Jeanson <mjeanson@efficios.com> -Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> ---- - include/instrumentation/events/ext4.h | 30 +++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/include/instrumentation/events/ext4.h b/include/instrumentation/events/ext4.h -index 513762c0..222416ec 100644 ---- a/include/instrumentation/events/ext4.h -+++ b/include/instrumentation/events/ext4.h -@@ -122,6 +122,35 @@ LTTNG_TRACEPOINT_EVENT(ext4_begin_ordered_truncate, - ) - ) - -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,19,0)) -+LTTNG_TRACEPOINT_EVENT_CLASS(ext4__write_begin, -+ -+ TP_PROTO(struct inode *inode, loff_t pos, unsigned int len), -+ -+ TP_ARGS(inode, pos, len), -+ -+ TP_FIELDS( -+ ctf_integer(dev_t, dev, inode->i_sb->s_dev) -+ ctf_integer(ino_t, ino, inode->i_ino) -+ ctf_integer(loff_t, pos, pos) -+ ctf_integer(unsigned int, len, len) -+ ) -+) -+ -+LTTNG_TRACEPOINT_EVENT_INSTANCE(ext4__write_begin, ext4_write_begin, -+ -+ TP_PROTO(struct inode *inode, loff_t pos, unsigned int len), -+ -+ TP_ARGS(inode, pos, len) -+) -+ -+LTTNG_TRACEPOINT_EVENT_INSTANCE(ext4__write_begin, ext4_da_write_begin, -+ -+ TP_PROTO(struct inode *inode, loff_t pos, unsigned int len), -+ -+ TP_ARGS(inode, pos, len) -+) -+#else - LTTNG_TRACEPOINT_EVENT_CLASS(ext4__write_begin, - - TP_PROTO(struct inode *inode, loff_t pos, unsigned int len, -@@ -153,6 +182,7 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(ext4__write_begin, ext4_da_write_begin, - - TP_ARGS(inode, pos, len, flags) - ) -+#endif - - LTTNG_TRACEPOINT_EVENT_CLASS(ext4__write_end, - TP_PROTO(struct inode *inode, loff_t pos, unsigned int len, --- -2.19.1 - diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch deleted file mode 100644 index 63f9c40d92..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch +++ /dev/null @@ -1,124 +0,0 @@ -From 526f13c844cd29f89bd3e924867d9ddfe3c40ade Mon Sep 17 00:00:00 2001 -From: Michael Jeanson <mjeanson@efficios.com> -Date: Wed, 15 Jun 2022 12:07:16 -0400 -Subject: [PATCH 3/3] fix: workqueue: Fix type of cpu in trace event (v5.19) - -See upstream commit : - - commit 873a400938b31a1e443c4d94b560b78300787540 - Author: Wonhyuk Yang <vvghjk1234@gmail.com> - Date: Wed May 4 11:32:03 2022 +0900 - - workqueue: Fix type of cpu in trace event - - The trace event "workqueue_queue_work" use unsigned int type for - req_cpu, cpu. This casue confusing cpu number like below log. - - $ cat /sys/kernel/debug/tracing/trace - cat-317 [001] ...: workqueue_queue_work: ... req_cpu=8192 cpu=4294967295 - - So, change unsigned type to signed type in the trace event. After - applying this patch, cpu number will be printed as -1 instead of - 4294967295 as folllows. - - $ cat /sys/kernel/debug/tracing/trace - cat-1338 [002] ...: workqueue_queue_work: ... req_cpu=8192 cpu=-1 - -Upstream-Status: Backport - -Change-Id: I478083c350b6ec314d87e9159dc5b342b96daed7 -Signed-off-by: Michael Jeanson <mjeanson@efficios.com> -Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> ---- - include/instrumentation/events/workqueue.h | 49 ++++++++++++++++++++-- - 1 file changed, 46 insertions(+), 3 deletions(-) - -diff --git a/include/instrumentation/events/workqueue.h b/include/instrumentation/events/workqueue.h -index 023b65a8..5693cf89 100644 ---- a/include/instrumentation/events/workqueue.h -+++ b/include/instrumentation/events/workqueue.h -@@ -28,10 +28,35 @@ LTTNG_TRACEPOINT_EVENT_CLASS(workqueue_work, - ) - ) - -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,19,0)) - /** - * workqueue_queue_work - called when a work gets queued - * @req_cpu: the requested cpu -- * @cwq: pointer to struct cpu_workqueue_struct -+ * @pwq: pointer to struct pool_workqueue -+ * @work: pointer to struct work_struct -+ * -+ * This event occurs when a work is queued immediately or once a -+ * delayed work is actually queued on a workqueue (ie: once the delay -+ * has been reached). -+ */ -+LTTNG_TRACEPOINT_EVENT(workqueue_queue_work, -+ -+ TP_PROTO(int req_cpu, struct pool_workqueue *pwq, -+ struct work_struct *work), -+ -+ TP_ARGS(req_cpu, pwq, work), -+ -+ TP_FIELDS( -+ ctf_integer_hex(void *, work, work) -+ ctf_integer_hex(void *, function, work->func) -+ ctf_integer(int, req_cpu, req_cpu) -+ ) -+) -+#elif (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(3,9,0)) -+/** -+ * workqueue_queue_work - called when a work gets queued -+ * @req_cpu: the requested cpu -+ * @pwq: pointer to struct pool_workqueue - * @work: pointer to struct work_struct - * - * This event occurs when a work is queued immediately or once a -@@ -40,17 +65,34 @@ LTTNG_TRACEPOINT_EVENT_CLASS(workqueue_work, - */ - LTTNG_TRACEPOINT_EVENT(workqueue_queue_work, - --#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(3,9,0)) - TP_PROTO(unsigned int req_cpu, struct pool_workqueue *pwq, - struct work_struct *work), - - TP_ARGS(req_cpu, pwq, work), -+ -+ TP_FIELDS( -+ ctf_integer_hex(void *, work, work) -+ ctf_integer_hex(void *, function, work->func) -+ ctf_integer(unsigned int, req_cpu, req_cpu) -+ ) -+) - #else -+/** -+ * workqueue_queue_work - called when a work gets queued -+ * @req_cpu: the requested cpu -+ * @cwq: pointer to struct cpu_workqueue_struct -+ * @work: pointer to struct work_struct -+ * -+ * This event occurs when a work is queued immediately or once a -+ * delayed work is actually queued on a workqueue (ie: once the delay -+ * has been reached). -+ */ -+LTTNG_TRACEPOINT_EVENT(workqueue_queue_work, -+ - TP_PROTO(unsigned int req_cpu, struct cpu_workqueue_struct *cwq, - struct work_struct *work), - - TP_ARGS(req_cpu, cwq, work), --#endif - - TP_FIELDS( - ctf_integer_hex(void *, work, work) -@@ -58,6 +100,7 @@ LTTNG_TRACEPOINT_EVENT(workqueue_queue_work, - ctf_integer(unsigned int, req_cpu, req_cpu) - ) - ) -+#endif - - /** - * workqueue_activate_work - called when a work gets activated --- -2.19.1 - diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb b/poky/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb index 80b9ceec3f..a08386b053 100644 --- a/poky/meta/recipes-kernel/lttng/lttng-modules_2.13.4.bb +++ b/poky/meta/recipes-kernel/lttng/lttng-modules_2.13.9.bb @@ -11,18 +11,12 @@ include lttng-platforms.inc SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ file://0009-Rename-genhd-wrapper-to-blkdev.patch \ - file://0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch \ - file://0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch \ - file://0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch \ - file://0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch \ - file://0001-fix-compaction.patch \ - file://0001-fix-adjust-range-v5.10.137-in-block-probe.patch \ " # Use :append here so that the patch is applied also when using devupstream SRC_URI:append = " file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch" -SRC_URI[sha256sum] = "6159d00e4e1d59546eec8d4a67e1aa39c1084ceb5e5afeb666eab4b8a5b5a9ee" +SRC_URI[sha256sum] = "bf808b113544287cfe837a6382887fa66354ef5cc8216460cebbef3d27dc3581" export INSTALL_MOD_DIR="kernel/lttng-modules" diff --git a/poky/meta/recipes-kernel/lttng/lttng-tools/determinism.patch b/poky/meta/recipes-kernel/lttng/lttng-tools/determinism.patch deleted file mode 100644 index b2ab880bd6..0000000000 --- a/poky/meta/recipes-kernel/lttng/lttng-tools/determinism.patch +++ /dev/null @@ -1,64 +0,0 @@ -This is a bit ugly. Specifing abs_builddir as an RPATH is plain wrong when -cross compiling. Sadly, removing the rpath makes libtool/automake do -weird things and breaks the build as shared libs are no longer generated. - -We already try and delete the RPATH at do_install with chrpath however -that does leave the path in the string table so it doesn't help us -with reproducibility. - -Instead, hack in a bogus but harmless path, then delete it later in -our do_install. Ultimately we may want to pass a specific path to use -to configure if we really do need to set an RPATH at all. It is unclear -to me whether the tests need that or not. - -Fixes reproducibility issues for lttng-tools. - -Upstream-Status: Pending [needs discussion with upstream about the correct solution] -RP 2021/3/1 - -Index: lttng-tools-2.12.2/tests/regression/ust/ust-dl/Makefile.am -=================================================================== ---- lttng-tools-2.12.2.orig/tests/regression/ust/ust-dl/Makefile.am -+++ lttng-tools-2.12.2/tests/regression/ust/ust-dl/Makefile.am -@@ -27,16 +27,16 @@ noinst_LTLIBRARIES = libzzz.la libbar.la - - libzzz_la_SOURCES = libzzz.c libzzz.h - libzzz_la_LDFLAGS = -module -shared -avoid-version \ -- -rpath $(abs_builddir) -+ -rpath /usr/lib - - libbar_la_SOURCES = libbar.c libbar.h - libbar_la_LDFLAGS = -module -shared -avoid-version \ -- -rpath $(abs_builddir) -+ -rpath /usr/lib - libbar_la_LIBADD = libzzz.la - - libfoo_la_SOURCES = libfoo.c libfoo.h - libfoo_la_LDFLAGS = -module -shared -avoid-version \ -- -rpath $(abs_builddir) -+ -rpath /usr/lib - libfoo_la_LIBADD = libbar.la - - CLEANFILES = libfoo.so libfoo.so.debug libbar.so libbar.so.debug \ -@@ -44,7 +44,7 @@ CLEANFILES = libfoo.so libfoo.so.debug l - - libtp_la_SOURCES = libbar-tp.h libbar-tp.c libfoo-tp.h libfoo-tp.c \ - libzzz-tp.h libzzz-tp.c --libtp_la_LDFLAGS = -module -shared -rpath $(abs_builddir) -+libtp_la_LDFLAGS = -module -shared -rpath /usr/lib - - # Extract debug symbols - libfoo.so.debug: libfoo.la -Index: lttng-tools-2.12.2/tests/utils/testapp/userspace-probe-elf-binary/Makefile.am -=================================================================== ---- lttng-tools-2.12.2.orig/tests/utils/testapp/userspace-probe-elf-binary/Makefile.am -+++ lttng-tools-2.12.2/tests/utils/testapp/userspace-probe-elf-binary/Makefile.am -@@ -5,7 +5,7 @@ AM_CFLAGS += -O0 - noinst_LTLIBRARIES = libfoo.la - - libfoo_la_SOURCES = foo.c foo.h --libfoo_la_LDFLAGS = -shared -module -avoid-version -rpath $(abs_builddir)/.libs/ -+libfoo_la_LDFLAGS = -shared -module -avoid-version -rpath /usr/lib - - noinst_PROGRAMS = userspace-probe-elf-binary - userspace_probe_elf_binary_SOURCES = userspace-probe-elf-binary.c diff --git a/poky/meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb b/poky/meta/recipes-kernel/lttng/lttng-tools_2.13.9.bb index 0ea4da05ce..1f6929e307 100644 --- a/poky/meta/recipes-kernel/lttng/lttng-tools_2.13.4.bb +++ b/poky/meta/recipes-kernel/lttng/lttng-tools_2.13.9.bb @@ -35,11 +35,10 @@ SRC_URI = "https://lttng.org/files/lttng-tools/lttng-tools-${PV}.tar.bz2 \ file://0001-tests-do-not-strip-a-helper-library.patch \ file://run-ptest \ file://lttng-sessiond.service \ - file://determinism.patch \ file://disable-tests.patch \ " -SRC_URI[sha256sum] = "565f3102410a53d484f4c8ff517978f1dc59f67f9d16f872f4357f3ca12200f6" +SRC_URI[sha256sum] = "8d94dc95b608cf70216b01203a3f8242b97a232db2e23421a2f43708da08f337" inherit autotools ptest pkgconfig useradd python3-dir manpages systemd @@ -113,7 +112,7 @@ do_install_ptest () { for f in $(find "${B}/tests/$d" -maxdepth 1 -executable -type f -printf '%P ') ; do cp ${B}/tests/$d/$f ${D}${PTEST_PATH}/tests/`dirname $d`/$f case $f in - *.so|userspace-probe-elf-binary) + *.so|userspace-probe-elf-*) install -d ${D}${PTEST_PATH}/tests/$d/ ln -s ../$f ${D}${PTEST_PATH}/tests/$d/$f # Remove any rpath/runpath to pass QA check. @@ -124,6 +123,7 @@ do_install_ptest () { done chrpath --delete ${D}${PTEST_PATH}/tests/utils/testapp/userspace-probe-elf-binary/userspace-probe-elf-binary + chrpath --delete ${D}${PTEST_PATH}/tests/utils/testapp/userspace-probe-elf-cxx-binary/userspace-probe-elf-cxx-binary chrpath --delete ${D}${PTEST_PATH}/tests/regression/ust/ust-dl/libbar.so chrpath --delete ${D}${PTEST_PATH}/tests/regression/ust/ust-dl/libfoo.so @@ -185,4 +185,10 @@ do_install_ptest () { INHIBIT_PACKAGE_STRIP_FILES = "\ ${PKGD}${PTEST_PATH}/tests/utils/testapp/userspace-probe-elf-binary/userspace-probe-elf-binary \ ${PKGD}${PTEST_PATH}/tests/utils/testapp/userspace-probe-elf-binary/.libs/userspace-probe-elf-binary \ + ${PKGD}${PTEST_PATH}/tests/utils/testapp/userspace-probe-elf-cxx-binary/userspace-probe-elf-cxx-binary \ + ${PKGD}${PTEST_PATH}/tests/utils/testapp/userspace-probe-elf-cxx-binary/.libs/userspace-probe-elf-cxx-binary \ + ${PKGD}${PTEST_PATH}/tests/utils/testapp/gen-syscall-events/gen-syscall-events \ + ${PKGD}${PTEST_PATH}/tests/utils/testapp/gen-syscall-events/.libs/gen-syscall-events \ + ${PKGD}${PTEST_PATH}/tests/utils/testapp/gen-syscall-events-callstack/gen-syscall-events-callstack \ + ${PKGD}${PTEST_PATH}/tests/utils/testapp/gen-syscall-events-callstack/.libs/gen-syscall-events-callstack \ " diff --git a/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.3.bb b/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.5.bb index cc88bf5b11..916408bff0 100644 --- a/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.3.bb +++ b/poky/meta/recipes-kernel/lttng/lttng-ust_2.13.5.bb @@ -34,7 +34,7 @@ SRC_URI = "https://lttng.org/files/lttng-ust/lttng-ust-${PV}.tar.bz2 \ file://0001-Makefile.am-update-rpath-link.patch \ " -SRC_URI[sha256sum] = "2cc42f51145050430ac4ab72b32d95fd78d5566ccbe44e14a8fcdd23c0ed8f6f" +SRC_URI[sha256sum] = "f1d7bb4984a3dc5dacd3b7bcb4c10c04b041b0eecd7cba1fef3d8f86aff02bd6" CVE_PRODUCT = "ust" diff --git a/poky/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb b/poky/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb index 0e420a25d9..f6f47cfff5 100644 --- a/poky/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb +++ b/poky/meta/recipes-kernel/make-mod-scripts/make-mod-scripts_1.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://www.yoctoproject.org/" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" -inherit kernel-arch +inherit kernel-arch linux-kernel-base inherit pkgconfig PACKAGE_ARCH = "${MACHINE_ARCH}" diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb index 772bc2dea1..a4ce3169d3 100644 --- a/poky/meta/recipes-kernel/perf/perf.bb +++ b/poky/meta/recipes-kernel/perf/perf.bb @@ -13,7 +13,7 @@ PR = "r9" PACKAGECONFIG ??= "scripting tui libunwind" PACKAGECONFIG[dwarf] = ",NO_DWARF=1" -PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3" +PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3 python3-setuptools-native" # gui support was added with kernel 3.6.35 # since 3.10 libnewt was replaced by slang # to cover a wide range of kernel we add both dependencies diff --git a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.08.12.bb b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb index 357e79d7e1..ce60154f1e 100644 --- a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.08.12.bb +++ b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb @@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "59c8f7d17966db71b27f90e735ee8f5b42ca3527694a8c5e6e9b56bd379c3b84" +SRC_URI[sha256sum] = "fe81e8a8694dc4753a45087a1c4c7e1b48dee5a59f5f796ce374ea550f0b2e73" inherit bin_package allarch diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch new file mode 100644 index 0000000000..23573bb6b3 --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch @@ -0,0 +1,86 @@ +From ce25c03fb83395c0a8b5b8121182a486c4408dd4 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol <onemda@gmail.com> +Date: Sat, 12 Nov 2022 16:12:00 +0100 +Subject: [PATCH] avcodec/rpzaenc: stop accessing out of bounds frame + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/92f9b28ed84a77138105475beba16c146bdaf984] + +Signed-off-by: <narpat.mali@windriver.com> + +--- + libavcodec/rpzaenc.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +diff --git a/libavcodec/rpzaenc.c b/libavcodec/rpzaenc.c +index 337b1fa..3e97c87 100644 +--- a/libavcodec/rpzaenc.c ++++ b/libavcodec/rpzaenc.c +@@ -205,7 +205,7 @@ static void get_max_component_diff(BlockInfo *bi, uint16_t *block_ptr, + + // loop thru and compare pixels + for (y = 0; y < bi->block_height; y++) { +- for (x = 0; x < bi->block_width; x++){ ++ for (x = 0; x < bi->block_width; x++) { + // TODO: optimize + min_r = FFMIN(R(block_ptr[x]), min_r); + min_g = FFMIN(G(block_ptr[x]), min_g); +@@ -277,7 +277,7 @@ static int leastsquares(uint16_t *block_ptr, BlockInfo *bi, + return -1; + + for (i = 0; i < bi->block_height; i++) { +- for (j = 0; j < bi->block_width; j++){ ++ for (j = 0; j < bi->block_width; j++) { + x = GET_CHAN(block_ptr[j], xchannel); + y = GET_CHAN(block_ptr[j], ychannel); + sumx += x; +@@ -324,7 +324,7 @@ static int calc_lsq_max_fit_error(uint16_t *block_ptr, BlockInfo *bi, + int max_err = 0; + + for (i = 0; i < bi->block_height; i++) { +- for (j = 0; j < bi->block_width; j++){ ++ for (j = 0; j < bi->block_width; j++) { + int x_inc, lin_y, lin_x; + x = GET_CHAN(block_ptr[j], xchannel); + y = GET_CHAN(block_ptr[j], ychannel); +@@ -419,7 +419,9 @@ static void update_block_in_prev_frame(const uint16_t *src_pixels, + uint16_t *dest_pixels, + const BlockInfo *bi, int block_counter) + { +- for (int y = 0; y < 4; y++) { ++ const int y_size = FFMIN(4, bi->image_height - bi->row * 4); ++ ++ for (int y = 0; y < y_size; y++) { + memcpy(dest_pixels, src_pixels, 8); + dest_pixels += bi->rowstride; + src_pixels += bi->rowstride; +@@ -729,14 +731,15 @@ post_skip : + + if (err > s->sixteen_color_thresh) { // DO SIXTEEN COLOR BLOCK + uint16_t *row_ptr; +- int rgb555; ++ int y_size, rgb555; + + block_offset = get_block_info(&bi, block_counter); + + row_ptr = &src_pixels[block_offset]; ++ y_size = FFMIN(4, bi.image_height - bi.row * 4); + +- for (int y = 0; y < 4; y++) { +- for (int x = 0; x < 4; x++){ ++ for (int y = 0; y < y_size; y++) { ++ for (int x = 0; x < 4; x++) { + rgb555 = row_ptr[x] & ~0x8000; + + put_bits(&s->pb, 16, rgb555); +@@ -744,6 +747,11 @@ post_skip : + row_ptr += bi.rowstride; + } + ++ for (int y = y_size; y < 4; y++) { ++ for (int x = 0; x < 4; x++) ++ put_bits(&s->pb, 16, 0); ++ } ++ + block_counter++; + } else { // FOUR COLOR BLOCK + block_counter += encode_four_color_block(min_color, max_color, diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch new file mode 100644 index 0000000000..6e237fdd52 --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch @@ -0,0 +1,105 @@ +From d2f31887df2c42948dba7446c475026fdbc69336 Mon Sep 17 00:00:00 2001 +From: Paul B Mahol <onemda@gmail.com> +Date: Sat, 12 Nov 2022 15:19:21 +0100 +Subject: [PATCH] avcodec/smcenc: stop accessing out of bounds frame + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/13c13109759090b7f7182480d075e13b36ed8edd] + +Signed-off-by: <narpat.mali@windriver.com> + +--- + libavcodec/smcenc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/libavcodec/smcenc.c b/libavcodec/smcenc.c +index 52795ef..618dc4e 100644 +--- a/libavcodec/smcenc.c ++++ b/libavcodec/smcenc.c +@@ -61,6 +61,7 @@ typedef struct SMCContext { + { \ + row_ptr += stride * 4; \ + pixel_ptr = row_ptr; \ ++ cur_y += 4; \ + } \ + } \ + } +@@ -117,6 +118,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + const uint8_t *prev_pixels = (const uint8_t *)s->prev_frame->data[0]; + uint8_t *distinct_values = s->distinct_values; + const uint8_t *pixel_ptr, *row_ptr; ++ const int height = frame->height; + const int width = frame->width; + uint8_t block_values[16]; + int block_counter = 0; +@@ -125,13 +127,14 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + int color_octet_index = 0; + int color_table_index; /* indexes to color pair, quad, or octet tables */ + int total_blocks; ++ int cur_y = 0; + + memset(s->color_pairs, 0, sizeof(s->color_pairs)); + memset(s->color_quads, 0, sizeof(s->color_quads)); + memset(s->color_octets, 0, sizeof(s->color_octets)); + + /* Number of 4x4 blocks in frame. */ +- total_blocks = ((frame->width + 3) / 4) * ((frame->height + 3) / 4); ++ total_blocks = ((width + 3) / 4) * ((height + 3) / 4); + + pixel_ptr = row_ptr = src_pixels; + +@@ -145,11 +148,13 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + int cache_index; + int distinct = 0; + int blocks = 0; ++ int frame_y = cur_y; + + while (prev_pixels && s->key_frame == 0 && block_counter + inter_skip_blocks < total_blocks) { ++ const int y_size = FFMIN(4, height - cur_y); + int compare = 0; + +- for (int y = 0; y < 4; y++) { ++ for (int y = 0; y < y_size; y++) { + const ptrdiff_t offset = pixel_ptr - src_pixels; + const uint8_t *prev_pixel_ptr = prev_pixels + offset; + +@@ -170,8 +175,10 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + + pixel_ptr = xpixel_ptr; + row_ptr = xrow_ptr; ++ cur_y = frame_y; + + while (block_counter > 0 && block_counter + intra_skip_blocks < total_blocks) { ++ const int y_size = FFMIN(4, height - cur_y); + const ptrdiff_t offset = pixel_ptr - src_pixels; + const int sy = offset / stride; + const int sx = offset % stride; +@@ -180,7 +187,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + const uint8_t *old_pixel_ptr = src_pixels + nx + ny * stride; + int compare = 0; + +- for (int y = 0; y < 4; y++) { ++ for (int y = 0; y < y_size; y++) { + compare |= memcmp(old_pixel_ptr + y * stride, pixel_ptr + y * stride, 4); + if (compare) + break; +@@ -197,9 +204,11 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + + pixel_ptr = xpixel_ptr; + row_ptr = xrow_ptr; ++ cur_y = frame_y; + + while (block_counter + coded_blocks < total_blocks && coded_blocks < 256) { +- for (int y = 0; y < 4; y++) ++ const int y_size = FFMIN(4, height - cur_y); ++ for (int y = 0; y < y_size; y++) + memcpy(block_values + y * 4, pixel_ptr + y * stride, 4); + + qsort(block_values, 16, sizeof(block_values[0]), smc_cmp_values); +@@ -224,6 +233,7 @@ static void smc_encode_stream(SMCContext *s, const AVFrame *frame, + + pixel_ptr = xpixel_ptr; + row_ptr = xrow_ptr; ++ cur_y = frame_y; + + blocks = coded_blocks; + distinct = coded_distinct; diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch new file mode 100644 index 0000000000..dca7c827e3 --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch @@ -0,0 +1,42 @@ +From ef748a8bd8720416b673e1743e5673a801e8279f Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> +Date: Tue, 15 Feb 2022 17:58:08 +0800 +Subject: [PATCH] avcodec/vp3: Add missing check for av_malloc + +Since the av_malloc() may fail and return NULL pointer, +it is needed that the 's->edge_emu_buffer' should be checked +whether the new allocation is success. + +Fixes: d14723861b ("VP3: fix decoding of videos with stride > 2048") +Reviewed-by: Peter Ross <pross@xvid.org> +Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> + +CVE: CVE-2022-3109 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/656cb0450aeb73b25d7d26980af342b37ac4c568] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> + +--- + libavcodec/vp3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c +index 5b9ba60..f1eccfe 100644 +--- a/libavcodec/vp3.c ++++ b/libavcodec/vp3.c +@@ -2677,8 +2677,13 @@ static int vp3_decode_frame(AVCodecContext *avctx, + if ((ret = ff_thread_get_buffer(avctx, &s->current_frame, AV_GET_BUFFER_FLAG_REF)) < 0) + goto error; + +- if (!s->edge_emu_buffer) ++ if (!s->edge_emu_buffer) { + s->edge_emu_buffer = av_malloc(9 * FFABS(s->current_frame.f->linesize[0])); ++ if (!s->edge_emu_buffer) { ++ ret = AVERROR(ENOMEM); ++ goto error; ++ } ++ } + + if (s->keyframe) { + if (!s->theora) { diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch new file mode 100644 index 0000000000..41d5884f88 --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch @@ -0,0 +1,67 @@ +From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang <jiasheng@iscas.ac.cn> +Date: Wed, 23 Feb 2022 10:31:59 +0800 +Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream + +Check for failure of avformat_new_stream() and propagate +the error code. + +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2022-3341 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + libavformat/nutdec.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c +index 0a8a700acf..f9ad2c0af1 100644 +--- a/libavformat/nutdec.c ++++ b/libavformat/nutdec.c +@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut) + ret = AVERROR(ENOMEM); + goto fail; + } +- for (i = 0; i < stream_count; i++) +- avformat_new_stream(s, NULL); ++ for (i = 0; i < stream_count; i++) { ++ if (!avformat_new_stream(s, NULL)) { ++ ret = AVERROR(ENOMEM); ++ goto fail; ++ } ++ } + + return 0; + fail: +@@ -800,19 +804,23 @@ static int nut_read_header(AVFormatContext *s) + NUTContext *nut = s->priv_data; + AVIOContext *bc = s->pb; + int64_t pos; +- int initialized_stream_count; ++ int initialized_stream_count, ret; + + nut->avf = s; + + /* main header */ + pos = 0; ++ ret = 0; + do { ++ if (ret == AVERROR(ENOMEM)) ++ return ret; ++ + pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; + if (pos < 0 + 1) { + av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); + return AVERROR_INVALIDDATA; + } +- } while (decode_main_header(nut) < 0); ++ } while ((ret = decode_main_header(nut)) < 0); + + /* stream headers */ + pos = 0; +-- +2.34.1 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index dd14f8df6f..4bcbda9976 100644 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -24,7 +24,12 @@ LIC_FILES_CHKSUM = "file://COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ + file://0001-avcodec-rpzaenc-stop-accessing-out-of-bounds-frame.patch \ + file://0001-avcodec-smcenc-stop-accessing-out-of-bounds-frame.patch \ + file://0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch \ + file://0001-avformat-nutdec-Add-check-for-avformat_new_stream.patch \ " + SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717 diff --git a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.5.bb index c515e173c8..9db31c18e4 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.5.bb @@ -12,7 +12,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV} file://0001-connect-has-a-different-signature-on-musl.patch \ " -SRC_URI[sha256sum] = "bbbd45ead703367ea8f4be9b3c082d7b62bef47b240a39083f27844e28758c47" +SRC_URI[sha256sum] = "5684436121b8bae07fd00b74395f95e44b5f26323dce4fa045fa665676807bba" DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 gstreamer1.0-plugins-base" RRECOMMENDS:${PN} = "git" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.5.bb index e8da49af99..e5925c6510 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.5.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \ " SRC_URI = "https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz" -SRC_URI[sha256sum] = "3fedd10560fcdfaa1b6462cbf79a38c4e7b57d7f390359393fc0cef6dbf27dfe" +SRC_URI[sha256sum] = "b152e3cc49d014899f53c39d8a6224a44e1399b4cf76aa5f9a903fdf9793c3cc" S = "${WORKDIR}/gst-libav-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.20.5.bb index fb48562a2b..ec5efcd408 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-omx_1.20.5.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-omx/gst-omx-${PV}.tar.xz" -SRC_URI[sha256sum] = "8db48040bb41f09edf8d17ff6d16c54888d7777ba4501c2c69f0083350ea9a15" +SRC_URI[sha256sum] = "bcccbc02548cdc123fd49944dd44a4f1adc5d107e36f010d320eb526e2107806" S = "${WORKDIR}/gst-omx-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.5.bb index 05de217c34..80766b9166 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.5.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \ file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \ " -SRC_URI[sha256sum] = "7a11c13b55dd1d2386dd902219e41cbfcdda8e1e0aa3e738186c95074b35da4f" +SRC_URI[sha256sum] = "f431214b0754d7037adcde93c3195106196588973e5b32dcb24938805f866363" S = "${WORKDIR}/gst-plugins-bad-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.5.bb index 7eebbba949..c37b542c57 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.20.5.bb @@ -11,7 +11,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugins-ba file://0003-viv-fb-Make-sure-config.h-is-included.patch \ file://0002-ssaparse-enhance-SSA-text-lines-parsing.patch \ " -SRC_URI[sha256sum] = "7e30b3dd81a70380ff7554f998471d6996ff76bbe6fc5447096f851e24473c9f" +SRC_URI[sha256sum] = "11f911ef65f3095d7cf698a1ad1fc5242ac3ad6c9270465fb5c9e7f4f9c19b35" S = "${WORKDIR}/gst-plugins-base-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.5.bb index 0235935a4a..80aed01973 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good_1.20.5.bb @@ -8,7 +8,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-good/gst-plugins-go file://0001-qt-include-ext-qt-gstqtgl.h-instead-of-gst-gl-gstglf.patch \ " -SRC_URI[sha256sum] = "f8f3c206bf5cdabc00953920b47b3575af0ef15e9f871c0b6966f6d0aa5868b7" +SRC_URI[sha256sum] = "e83ab4d12ca24959489bbb0ec4fac9b90e32f741d49cda357cb554b2cb8b97f9" S = "${WORKDIR}/gst-plugins-good-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.20.5.bb index ad7b84b5ab..f765e626c9 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly_1.20.5.bb @@ -14,7 +14,7 @@ LICENSE_FLAGS = "commercial" SRC_URI = " \ https://gstreamer.freedesktop.org/src/gst-plugins-ugly/gst-plugins-ugly-${PV}.tar.xz \ " -SRC_URI[sha256sum] = "8caa20789a09c304b49cf563d33cca9421b1875b84fcc187e4a385fa01d6aefd" +SRC_URI[sha256sum] = "af67d8ba7cab230f64d0594352112c2c443e2aa36a87c35f9f98a43d11430b87" S = "${WORKDIR}/gst-plugins-ugly-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.20.5.bb index 57026ba73b..05e9ace276 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.20.5.bb @@ -8,7 +8,7 @@ LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c34deae4e395ca07e725ab0076a5f740" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "db348120eae955b8cc4de3560a7ea06e36d6e1ddbaa99a7ad96b59846601cfdc" +SRC_URI[sha256sum] = "27487652318659cfd7dc42784b713c78d29cc7a7df4fb397134c8c125f65e3b2" DEPENDS = "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" RDEPENDS:${PN} += "gstreamer1.0 gstreamer1.0-plugins-base python3-pygobject" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.5.bb index fd4f82fcc3..c9cf42903d 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.20.5.bb @@ -10,7 +10,7 @@ PNREAL = "gst-rtsp-server" SRC_URI = "https://gstreamer.freedesktop.org/src/${PNREAL}/${PNREAL}-${PV}.tar.xz" -SRC_URI[sha256sum] = "ee402718be9b127f0e5e66ca4c1b4f42e4926ec93ba307b7ccca5dc6cc9794ca" +SRC_URI[sha256sum] = "ba398a7ddd559cce56ef4b91f448d174e0dccad98a493563d2d59c41a2ef39c5" S = "${WORKDIR}/${PNREAL}-${PV}" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.20.5.bb index 6e580f9f79..716f50ebe1 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0-vaapi_1.20.5.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "https://gstreamer.freedesktop.org/src/${REALPN}/${REALPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "6ee99eb316abdde9ad37002915bd8c3867918f6fdc74b7cf2ac4c1ae0d690b45" +SRC_URI[sha256sum] = "510c6fb4ff3f676d7946ce1800e04ccf5aabe5a586d4e164d1961808fab8c94b" S = "${WORKDIR}/${REALPN}-${PV}" DEPENDS = "libva gstreamer1.0 gstreamer1.0-plugins-base gstreamer1.0-plugins-bad" diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bin-Fix-race-conditions-in-tests.patch b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bin-Fix-race-conditions-in-tests.patch new file mode 100644 index 0000000000..f1fac2df57 --- /dev/null +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bin-Fix-race-conditions-in-tests.patch @@ -0,0 +1,300 @@ +From e1e2d8d58c1e09e065849cdb1f6466c0537a7c51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com> +Date: Tue, 21 Jun 2022 11:51:35 +0300 +Subject: [PATCH] bin: Fix race conditions in tests + +The latency messages are non-deterministic and can arrive before/after +async-done or during state-changes as they are posted by e.g. sinks from +their streaming thread but bins are finishing asynchronous state changes +from a secondary helper thread. + +To solve this, expect latency messages at any time and assert that we +receive one at some point during the test. + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2643> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2643] +Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com> +--- + .../gstreamer/tests/check/gst/gstbin.c | 132 ++++++++++++------ + 1 file changed, 92 insertions(+), 40 deletions(-) + +diff --git a/subprojects/gstreamer/tests/check/gst/gstbin.c b/subprojects/gstreamer/tests/check/gst/gstbin.c +index e366d5fe20f..88ff44db0c3 100644 +--- a/subprojects/gstreamer/tests/check/gst/gstbin.c ++++ b/subprojects/gstreamer/tests/check/gst/gstbin.c +@@ -27,50 +27,95 @@ + #include <gst/base/gstbasesrc.h> + + static void +-pop_async_done (GstBus * bus) ++pop_async_done (GstBus * bus, gboolean * had_latency) + { + GstMessage *message; ++ GstMessageType types = GST_MESSAGE_ASYNC_DONE; ++ ++ if (!*had_latency) ++ types |= GST_MESSAGE_LATENCY; + + GST_DEBUG ("popping async-done message"); +- message = gst_bus_poll (bus, GST_MESSAGE_ASYNC_DONE, -1); + +- fail_unless (message && GST_MESSAGE_TYPE (message) +- == GST_MESSAGE_ASYNC_DONE, "did not get GST_MESSAGE_ASYNC_DONE"); ++ do { ++ message = gst_bus_poll (bus, types, -1); + +- gst_message_unref (message); +- GST_DEBUG ("popped message"); ++ fail_unless (message); ++ GST_DEBUG ("popped message %s", ++ gst_message_type_get_name (GST_MESSAGE_TYPE (message))); ++ ++ if (GST_MESSAGE_TYPE (message) == GST_MESSAGE_LATENCY) { ++ fail_unless (*had_latency == FALSE); ++ *had_latency = TRUE; ++ gst_clear_message (&message); ++ types &= ~GST_MESSAGE_LATENCY; ++ continue; ++ } ++ ++ fail_unless (GST_MESSAGE_TYPE (message) ++ == GST_MESSAGE_ASYNC_DONE, "did not get GST_MESSAGE_ASYNC_DONE"); ++ ++ gst_clear_message (&message); ++ break; ++ } while (TRUE); + } + + static void +-pop_latency (GstBus * bus) ++pop_latency (GstBus * bus, gboolean * had_latency) + { + GstMessage *message; + +- GST_DEBUG ("popping async-done message"); ++ if (*had_latency) ++ return; ++ ++ GST_DEBUG ("popping latency message"); + message = gst_bus_poll (bus, GST_MESSAGE_LATENCY, -1); + +- fail_unless (message && GST_MESSAGE_TYPE (message) ++ fail_unless (message); ++ fail_unless (GST_MESSAGE_TYPE (message) + == GST_MESSAGE_LATENCY, "did not get GST_MESSAGE_LATENCY"); + +- gst_message_unref (message); +- GST_DEBUG ("popped message"); ++ GST_DEBUG ("popped message %s", ++ gst_message_type_get_name (GST_MESSAGE_TYPE (message))); ++ gst_clear_message (&message); ++ ++ *had_latency = TRUE; + } + + static void +-pop_state_changed (GstBus * bus, int count) ++pop_state_changed (GstBus * bus, int count, gboolean * had_latency) + { + GstMessage *message; +- ++ GstMessageType types = GST_MESSAGE_STATE_CHANGED; + int i; + ++ if (!*had_latency) ++ types |= GST_MESSAGE_LATENCY; ++ + GST_DEBUG ("popping %d messages", count); + for (i = 0; i < count; ++i) { +- message = gst_bus_poll (bus, GST_MESSAGE_STATE_CHANGED, -1); +- +- fail_unless (message && GST_MESSAGE_TYPE (message) +- == GST_MESSAGE_STATE_CHANGED, "did not get GST_MESSAGE_STATE_CHANGED"); +- +- gst_message_unref (message); ++ do { ++ message = gst_bus_poll (bus, types, -1); ++ ++ fail_unless (message); ++ GST_DEBUG ("popped message %s", ++ gst_message_type_get_name (GST_MESSAGE_TYPE (message))); ++ ++ if (GST_MESSAGE_TYPE (message) == GST_MESSAGE_LATENCY) { ++ fail_unless (*had_latency == FALSE); ++ *had_latency = TRUE; ++ gst_clear_message (&message); ++ types &= ~GST_MESSAGE_LATENCY; ++ continue; ++ } ++ ++ fail_unless (GST_MESSAGE_TYPE (message) ++ == GST_MESSAGE_STATE_CHANGED, ++ "did not get GST_MESSAGE_STATE_CHANGED"); ++ ++ gst_message_unref (message); ++ break; ++ } while (TRUE); + } + GST_DEBUG ("popped %d messages", count); + } +@@ -538,6 +583,7 @@ GST_START_TEST (test_message_state_changed_children) + GstBus *bus; + GstStateChangeReturn ret; + GstState current, pending; ++ gboolean had_latency = FALSE; + + pipeline = GST_PIPELINE (gst_pipeline_new (NULL)); + fail_unless (pipeline != NULL, "Could not create pipeline"); +@@ -576,7 +622,7 @@ GST_START_TEST (test_message_state_changed_children) + ASSERT_OBJECT_REFCOUNT (sink, "sink", 2); + ASSERT_OBJECT_REFCOUNT (pipeline, "pipeline", 2); + +- pop_state_changed (bus, 3); ++ pop_state_changed (bus, 3, &had_latency); + fail_if (gst_bus_have_pending (bus), "unexpected pending messages"); + + ASSERT_OBJECT_REFCOUNT (bus, "bus", 2); +@@ -619,9 +665,9 @@ GST_START_TEST (test_message_state_changed_children) + * its state_change message */ + ASSERT_OBJECT_REFCOUNT_BETWEEN (pipeline, "pipeline", 3, 4); + +- pop_state_changed (bus, 3); +- pop_async_done (bus); +- pop_latency (bus); ++ pop_state_changed (bus, 3, &had_latency); ++ pop_async_done (bus, &had_latency); ++ pop_latency (bus, &had_latency); + fail_if ((gst_bus_pop (bus)) != NULL); + + ASSERT_OBJECT_REFCOUNT_BETWEEN (bus, "bus", 2, 3); +@@ -648,7 +694,7 @@ GST_START_TEST (test_message_state_changed_children) + ASSERT_OBJECT_REFCOUNT_BETWEEN (sink, "sink", 2, 4); + ASSERT_OBJECT_REFCOUNT (pipeline, "pipeline", 3); + +- pop_state_changed (bus, 3); ++ pop_state_changed (bus, 3, &had_latency); + fail_if ((gst_bus_pop (bus)) != NULL); + + ASSERT_OBJECT_REFCOUNT (bus, "bus", 2); +@@ -669,7 +715,7 @@ GST_START_TEST (test_message_state_changed_children) + ASSERT_OBJECT_REFCOUNT_BETWEEN (sink, "sink", 3, 4); + ASSERT_OBJECT_REFCOUNT (pipeline, "pipeline", 3); + +- pop_state_changed (bus, 6); ++ pop_state_changed (bus, 6, &had_latency); + fail_if ((gst_bus_pop (bus)) != NULL); + + ASSERT_OBJECT_REFCOUNT (src, "src", 1); +@@ -696,6 +742,7 @@ GST_START_TEST (test_watch_for_state_change) + GstElement *src, *sink, *bin; + GstBus *bus; + GstStateChangeReturn ret; ++ gboolean had_latency = FALSE; + + bin = gst_element_factory_make ("bin", NULL); + fail_unless (bin != NULL, "Could not create bin"); +@@ -722,9 +769,9 @@ GST_START_TEST (test_watch_for_state_change) + GST_CLOCK_TIME_NONE); + fail_unless (ret == GST_STATE_CHANGE_SUCCESS); + +- pop_state_changed (bus, 6); +- pop_async_done (bus); +- pop_latency (bus); ++ pop_state_changed (bus, 6, &had_latency); ++ pop_async_done (bus, &had_latency); ++ pop_latency (bus, &had_latency); + + fail_unless (gst_bus_have_pending (bus) == FALSE, + "Unexpected messages on bus"); +@@ -732,16 +779,17 @@ GST_START_TEST (test_watch_for_state_change) + ret = gst_element_set_state (GST_ELEMENT (bin), GST_STATE_PLAYING); + fail_unless (ret == GST_STATE_CHANGE_SUCCESS); + +- pop_state_changed (bus, 3); ++ pop_state_changed (bus, 3, &had_latency); + ++ had_latency = FALSE; + /* this one might return either SUCCESS or ASYNC, likely SUCCESS */ + ret = gst_element_set_state (GST_ELEMENT (bin), GST_STATE_PAUSED); + gst_element_get_state (GST_ELEMENT (bin), NULL, NULL, GST_CLOCK_TIME_NONE); + +- pop_state_changed (bus, 3); ++ pop_state_changed (bus, 3, &had_latency); + if (ret == GST_STATE_CHANGE_ASYNC) { +- pop_async_done (bus); +- pop_latency (bus); ++ pop_async_done (bus, &had_latency); ++ pop_latency (bus, &had_latency); + } + + fail_unless (gst_bus_have_pending (bus) == FALSE, +@@ -898,6 +946,7 @@ GST_START_TEST (test_children_state_change_order_flagged_sink) + GstStateChangeReturn ret; + GstState current, pending; + GstBus *bus; ++ gboolean had_latency = FALSE; + + pipeline = gst_pipeline_new (NULL); + fail_unless (pipeline != NULL, "Could not create pipeline"); +@@ -951,10 +1000,11 @@ GST_START_TEST (test_children_state_change_order_flagged_sink) + ASSERT_STATE_CHANGE_MSG (bus, sink, GST_STATE_READY, GST_STATE_PAUSED, 107); + #else + +- pop_state_changed (bus, 2); /* pop remaining ready => paused messages off the bus */ ++ pop_state_changed (bus, 2, &had_latency); /* pop remaining ready => paused messages off the bus */ + ASSERT_STATE_CHANGE_MSG (bus, pipeline, GST_STATE_READY, GST_STATE_PAUSED, + 108); +- pop_async_done (bus); ++ pop_async_done (bus, &had_latency); ++ pop_latency (bus, &had_latency); + #endif + /* PAUSED => PLAYING */ + GST_DEBUG ("popping PAUSED -> PLAYING messages"); +@@ -972,8 +1022,8 @@ GST_START_TEST (test_children_state_change_order_flagged_sink) + fail_if (ret != GST_STATE_CHANGE_SUCCESS, "State change to READY failed"); + + /* TODO: do we need to check downwards state change order as well? */ +- pop_state_changed (bus, 4); /* pop playing => paused messages off the bus */ +- pop_state_changed (bus, 4); /* pop paused => ready messages off the bus */ ++ pop_state_changed (bus, 4, &had_latency); /* pop playing => paused messages off the bus */ ++ pop_state_changed (bus, 4, &had_latency); /* pop paused => ready messages off the bus */ + + while (GST_OBJECT_REFCOUNT_VALUE (pipeline) > 1) + THREAD_SWITCH (); +@@ -1002,6 +1052,7 @@ GST_START_TEST (test_children_state_change_order_semi_sink) + GstStateChangeReturn ret; + GstState current, pending; + GstBus *bus; ++ gboolean had_latency = FALSE; + + /* (2) Now again, but check other code path where we don't have + * a proper sink correctly flagged as such, but a 'semi-sink' */ +@@ -1056,10 +1107,11 @@ GST_START_TEST (test_children_state_change_order_semi_sink) + ASSERT_STATE_CHANGE_MSG (bus, src, GST_STATE_READY, GST_STATE_PAUSED, 206); + ASSERT_STATE_CHANGE_MSG (bus, sink, GST_STATE_READY, GST_STATE_PAUSED, 207); + #else +- pop_state_changed (bus, 2); /* pop remaining ready => paused messages off the bus */ ++ pop_state_changed (bus, 2, &had_latency); /* pop remaining ready => paused messages off the bus */ + ASSERT_STATE_CHANGE_MSG (bus, pipeline, GST_STATE_READY, GST_STATE_PAUSED, + 208); +- pop_async_done (bus); ++ pop_async_done (bus, &had_latency); ++ pop_latency (bus, &had_latency); + + /* PAUSED => PLAYING */ + GST_DEBUG ("popping PAUSED -> PLAYING messages"); +@@ -1076,8 +1128,8 @@ GST_START_TEST (test_children_state_change_order_semi_sink) + fail_if (ret != GST_STATE_CHANGE_SUCCESS, "State change to READY failed"); + + /* TODO: do we need to check downwards state change order as well? */ +- pop_state_changed (bus, 4); /* pop playing => paused messages off the bus */ +- pop_state_changed (bus, 4); /* pop paused => ready messages off the bus */ ++ pop_state_changed (bus, 4, &had_latency); /* pop playing => paused messages off the bus */ ++ pop_state_changed (bus, 4, &had_latency); /* pop paused => ready messages off the bus */ + + GST_DEBUG ("waiting for pipeline to reach refcount 1"); + while (GST_OBJECT_REFCOUNT_VALUE (pipeline) > 1) +-- +GitLab + diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-tests-remove-gstbin-test_watch_for_state_change-test.patch b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-tests-remove-gstbin-test_watch_for_state_change-test.patch deleted file mode 100644 index f51df6d20b..0000000000 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-tests-remove-gstbin-test_watch_for_state_change-test.patch +++ /dev/null @@ -1,107 +0,0 @@ -From b935abba3d8fa3ea1ce384c08e650afd8c20b78a Mon Sep 17 00:00:00 2001 -From: Claudius Heine <ch@denx.de> -Date: Wed, 2 Feb 2022 13:47:02 +0100 -Subject: [PATCH] tests: remove gstbin:test_watch_for_state_change testcase - -This testcase seems to be flaky, and upstream marked it as such: -https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/778 - -This patch removes the testcase to avoid it interfering with out ptest. - -Signed-off-by: Claudius Heine <ch@denx.de> - -Upstream-Status: Inappropriate [needs proper upstream fix] ---- - tests/check/gst/gstbin.c | 69 ------------------- - 1 file changed, 69 deletions(-) - -diff --git a/tests/check/gst/gstbin.c b/tests/check/gst/gstbin.c -index e366d5fe20..ac29d81474 100644 ---- a/tests/check/gst/gstbin.c -+++ b/tests/check/gst/gstbin.c -@@ -691,74 +691,6 @@ GST_START_TEST (test_message_state_changed_children) - - GST_END_TEST; - --GST_START_TEST (test_watch_for_state_change) --{ -- GstElement *src, *sink, *bin; -- GstBus *bus; -- GstStateChangeReturn ret; -- -- bin = gst_element_factory_make ("bin", NULL); -- fail_unless (bin != NULL, "Could not create bin"); -- -- bus = g_object_new (gst_bus_get_type (), NULL); -- gst_object_ref_sink (bus); -- gst_element_set_bus (GST_ELEMENT_CAST (bin), bus); -- -- src = gst_element_factory_make ("fakesrc", NULL); -- fail_if (src == NULL, "Could not create fakesrc"); -- sink = gst_element_factory_make ("fakesink", NULL); -- fail_if (sink == NULL, "Could not create fakesink"); -- -- gst_bin_add (GST_BIN (bin), sink); -- gst_bin_add (GST_BIN (bin), src); -- -- fail_unless (gst_element_link (src, sink), "could not link src and sink"); -- -- /* change state, spawning two times three messages */ -- ret = gst_element_set_state (GST_ELEMENT (bin), GST_STATE_PAUSED); -- fail_unless (ret == GST_STATE_CHANGE_ASYNC); -- ret = -- gst_element_get_state (GST_ELEMENT (bin), NULL, NULL, -- GST_CLOCK_TIME_NONE); -- fail_unless (ret == GST_STATE_CHANGE_SUCCESS); -- -- pop_state_changed (bus, 6); -- pop_async_done (bus); -- pop_latency (bus); -- -- fail_unless (gst_bus_have_pending (bus) == FALSE, -- "Unexpected messages on bus"); -- -- ret = gst_element_set_state (GST_ELEMENT (bin), GST_STATE_PLAYING); -- fail_unless (ret == GST_STATE_CHANGE_SUCCESS); -- -- pop_state_changed (bus, 3); -- -- /* this one might return either SUCCESS or ASYNC, likely SUCCESS */ -- ret = gst_element_set_state (GST_ELEMENT (bin), GST_STATE_PAUSED); -- gst_element_get_state (GST_ELEMENT (bin), NULL, NULL, GST_CLOCK_TIME_NONE); -- -- pop_state_changed (bus, 3); -- if (ret == GST_STATE_CHANGE_ASYNC) { -- pop_async_done (bus); -- pop_latency (bus); -- } -- -- fail_unless (gst_bus_have_pending (bus) == FALSE, -- "Unexpected messages on bus"); -- -- gst_bus_set_flushing (bus, TRUE); -- -- ret = gst_element_set_state (GST_ELEMENT (bin), GST_STATE_NULL); -- fail_unless (ret == GST_STATE_CHANGE_SUCCESS); -- -- /* clean up */ -- gst_object_unref (bus); -- gst_object_unref (bin); --} -- --GST_END_TEST; -- - GST_START_TEST (test_state_change_error_message) - { - GstElement *src, *sink, *bin; -@@ -1956,7 +1888,6 @@ gst_bin_suite (void) - tcase_add_test (tc_chain, test_message_state_changed); - tcase_add_test (tc_chain, test_message_state_changed_child); - tcase_add_test (tc_chain, test_message_state_changed_children); -- tcase_add_test (tc_chain, test_watch_for_state_change); - tcase_add_test (tc_chain, test_state_change_error_message); - tcase_add_test (tc_chain, test_add_linked); - tcase_add_test (tc_chain, test_add_self); --- -2.33.1 - diff --git a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.3.bb b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.5.bb index 1f4576c3e1..ce9c1c116f 100644 --- a/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.3.bb +++ b/poky/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.5.bb @@ -21,9 +21,9 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gstreamer/gstreamer-${PV}.tar.x file://0002-tests-add-support-for-install-the-tests.patch;striplevel=3 \ file://0003-tests-use-a-dictionaries-for-environment.patch;striplevel=3 \ file://0004-tests-add-helper-script-to-run-the-installed_tests.patch;striplevel=3 \ - file://0005-tests-remove-gstbin-test_watch_for_state_change-test.patch \ + file://0005-bin-Fix-race-conditions-in-tests.patch;striplevel=3 \ " -SRC_URI[sha256sum] = "607daf64bbbd5fb18af9d17e21c0d22c4d702fffe83b23cb22d1b1af2ca23a2a" +SRC_URI[sha256sum] = "5a19083faaf361d21fc391124f78ba6d609be55845a82fa8f658230e5fa03dff" PACKAGECONFIG ??= "${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)} \ check \ diff --git a/poky/meta/recipes-multimedia/libpng/libpng_1.6.38.bb b/poky/meta/recipes-multimedia/libpng/libpng_1.6.39.bb index dc627203ef..d9dcf379e9 100644 --- a/poky/meta/recipes-multimedia/libpng/libpng_1.6.38.bb +++ b/poky/meta/recipes-multimedia/libpng/libpng_1.6.39.bb @@ -11,7 +11,7 @@ DEPENDS = "zlib" LIBV = "16" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz" -SRC_URI[sha256sum] = "b3683e8b8111ebf6f1ac004ebb6b0c975cd310ec469d98364388e9cedbfa68be" +SRC_URI[sha256sum] = "1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937" MIRRORS += "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/ ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/older-releases/" diff --git a/poky/meta/recipes-multimedia/libsndfile/libsndfile1/0001-flac-Fix-improper-buffer-reusing-732.patch b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/0001-flac-Fix-improper-buffer-reusing-732.patch new file mode 100644 index 0000000000..ede696180a --- /dev/null +++ b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/0001-flac-Fix-improper-buffer-reusing-732.patch @@ -0,0 +1,29 @@ +From 9e4e9224c39195bde8ec14d1295944f713adb79a Mon Sep 17 00:00:00 2001 +From: yuan <ssspeed00@gmail.com> +Date: Tue, 20 Apr 2021 16:16:32 +0800 +Subject: [PATCH] flac: Fix improper buffer reusing (#732) + +Upstream-Status: Backport [https://github.com/libsndfile/libsndfile/commit/ced91d7b971be6173b604154c39279ce90ad87cc] +CVE: CVE-2021-4156 + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + src/flac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/flac.c b/src/flac.c +index 64d0172e..e3320450 100644 +--- a/src/flac.c ++++ b/src/flac.c +@@ -948,7 +948,11 @@ flac_read_loop (SF_PRIVATE *psf, unsigned len) + /* Decode some more. */ + while (pflac->pos < pflac->len) + { if (FLAC__stream_decoder_process_single (pflac->fsd) == 0) ++ { psf_log_printf (psf, "FLAC__stream_decoder_process_single returned false\n") ; ++ /* Current frame is busted, so NULL the pointer. */ ++ pflac->frame = NULL ; + break ; ++ } ; + state = FLAC__stream_decoder_get_state (pflac->fsd) ; + if (state >= FLAC__STREAM_DECODER_END_OF_STREAM) + { psf_log_printf (psf, "FLAC__stream_decoder_get_state returned %s\n", FLAC__StreamDecoderStateString [state]) ; diff --git a/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb b/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb index ea14fe29cb..f6ea585e34 100644 --- a/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb +++ b/poky/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb @@ -10,6 +10,7 @@ LICENSE = "LGPL-2.1-only" SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \ file://noopus.patch \ + file://0001-flac-Fix-improper-buffer-reusing-732.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/" diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch new file mode 100644 index 0000000000..17b37be041 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch @@ -0,0 +1,267 @@ +From f00484b9519df933723deb38fff943dc291a793d Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Tue, 30 Aug 2022 16:56:48 +0200 +Subject: [PATCH] Revised handling of TIFFTAG_INKNAMES and related + TIFFTAG_NUMBEROFINKS value + +In order to solve the buffer overflow issues related to TIFFTAG_INKNAMES and related TIFFTAG_NUMBEROFINKS value, a revised handling of those tags within LibTiff is proposed: + +Behaviour for writing: + `NumberOfInks` MUST fit to the number of inks in the `InkNames` string. + `NumberOfInks` is automatically set when `InkNames` is set. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +Behaviour for reading: + When reading `InkNames` from a TIFF file, the `NumberOfInks` will be set automatically to the number of inks in `InkNames` string. + If `NumberOfInks` is different to the number of inks within `InkNames` string, that will be corrected and a warning is issued. + If `NumberOfInks` is not equal to samplesperpixel only a warning will be issued. + +This allows the safe use of the NumberOfInks value to read out the InkNames without buffer overflow + +This MR will close the following issues: #149, #150, #152, #168 (to be checked), #250, #269, #398 and #456. + +It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue. + +CVE: CVE-2022-3599 CVE-2022-4645 +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246.patch] +Signed-off-by: Ross Burton <ross.burton@arm.com> +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +--- + libtiff/tif_dir.c | 119 ++++++++++++++++++++++++----------------- + libtiff/tif_dir.h | 2 + + libtiff/tif_dirinfo.c | 2 +- + libtiff/tif_dirwrite.c | 5 ++ + libtiff/tif_print.c | 4 ++ + 5 files changed, 82 insertions(+), 50 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 793e8a79..816f7756 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -136,32 +136,30 @@ setExtraSamples(TIFF* tif, va_list ap, uint32_t* v) + } + + /* +- * Confirm we have "samplesperpixel" ink names separated by \0. Returns ++ * Count ink names separated by \0. Returns + * zero if the ink names are not as expected. + */ +-static uint32_t +-checkInkNamesString(TIFF* tif, uint32_t slen, const char* s) ++static uint16_t ++countInkNamesString(TIFF *tif, uint32_t slen, const char *s) + { +- TIFFDirectory* td = &tif->tif_dir; +- uint16_t i = td->td_samplesperpixel; ++ uint16_t i = 0; ++ const char *ep = s + slen; ++ const char *cp = s; + + if (slen > 0) { +- const char* ep = s+slen; +- const char* cp = s; +- for (; i > 0; i--) { ++ do { + for (; cp < ep && *cp != '\0'; cp++) {} + if (cp >= ep) + goto bad; + cp++; /* skip \0 */ +- } +- return ((uint32_t)(cp - s)); ++ i++; ++ } while (cp < ep); ++ return (i); + } + bad: + TIFFErrorExt(tif->tif_clientdata, "TIFFSetField", +- "%s: Invalid InkNames value; expecting %"PRIu16" names, found %"PRIu16, +- tif->tif_name, +- td->td_samplesperpixel, +- (uint16_t)(td->td_samplesperpixel-i)); ++ "%s: Invalid InkNames value; no NUL at given buffer end location %"PRIu32", after %"PRIu16" ink", ++ tif->tif_name, slen, i); + return (0); + } + +@@ -478,13 +476,61 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); + break; + case TIFFTAG_INKNAMES: +- v = (uint16_t) va_arg(ap, uint16_vap); +- s = va_arg(ap, char*); +- v = checkInkNamesString(tif, v, s); +- status = v > 0; +- if( v > 0 ) { +- _TIFFsetNString(&td->td_inknames, s, v); +- td->td_inknameslen = v; ++ { ++ v = (uint16_t) va_arg(ap, uint16_vap); ++ s = va_arg(ap, char*); ++ uint16_t ninksinstring; ++ ninksinstring = countInkNamesString(tif, v, s); ++ status = ninksinstring > 0; ++ if(ninksinstring > 0 ) { ++ _TIFFsetNString(&td->td_inknames, s, v); ++ td->td_inknameslen = v; ++ /* Set NumberOfInks to the value ninksinstring */ ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (td->td_numberofinks != ninksinstring) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the number of inks %"PRIu16".\n -> NumberOfInks value adapted to %"PRIu16"", ++ tif->tif_name, fip->field_name, td->td_numberofinks, ninksinstring, ninksinstring); ++ td->td_numberofinks = ninksinstring; ++ } ++ } else { ++ td->td_numberofinks = ninksinstring; ++ TIFFSetFieldBit(tif, FIELD_NUMBEROFINKS); ++ } ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu16" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", ++ tif->tif_name, fip->field_name, td->td_numberofinks, td->td_samplesperpixel); ++ } ++ } ++ } ++ } ++ break; ++ case TIFFTAG_NUMBEROFINKS: ++ v = (uint16_t)va_arg(ap, uint16_vap); ++ /* If InkNames already set also NumberOfInks is set accordingly and should be equal */ ++ if (TIFFFieldSet(tif, FIELD_INKNAMES)) ++ { ++ if (v != td->td_numberofinks) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Error %s; Tag %s:\n It is not possible to set the value %"PRIu32" for NumberOfInks\n which is different from the number of inks in the InkNames tag (%"PRIu16")", ++ tif->tif_name, fip->field_name, v, td->td_numberofinks); ++ /* Do not set / overwrite number of inks already set by InkNames case accordingly. */ ++ status = 0; ++ } ++ } else { ++ td->td_numberofinks = (uint16_t)v; ++ if (TIFFFieldSet(tif, FIELD_SAMPLESPERPIXEL)) ++ { ++ if (td->td_numberofinks != td->td_samplesperpixel) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Warning %s; Tag %s:\n Value %"PRIu32" of NumberOfInks is different from the SamplesPerPixel value %"PRIu16"", ++ tif->tif_name, fip->field_name, v, td->td_samplesperpixel); ++ } ++ } + } + break; + case TIFFTAG_PERSAMPLE: +@@ -986,34 +1032,6 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) + if (fip->field_bit == FIELD_CUSTOM) { + standard_tag = 0; + } +- +- if( standard_tag == TIFFTAG_NUMBEROFINKS ) +- { +- int i; +- for (i = 0; i < td->td_customValueCount; i++) { +- uint16_t val; +- TIFFTagValue *tv = td->td_customValues + i; +- if (tv->info->field_tag != standard_tag) +- continue; +- if( tv->value == NULL ) +- return 0; +- val = *(uint16_t *)tv->value; +- /* Truncate to SamplesPerPixel, since the */ +- /* setting code for INKNAMES assume that there are SamplesPerPixel */ +- /* inknames. */ +- /* Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2599 */ +- if( val > td->td_samplesperpixel ) +- { +- TIFFWarningExt(tif->tif_clientdata,"_TIFFVGetField", +- "Truncating NumberOfInks from %u to %"PRIu16, +- val, td->td_samplesperpixel); +- val = td->td_samplesperpixel; +- } +- *va_arg(ap, uint16_t*) = val; +- return 1; +- } +- return 0; +- } + + switch (standard_tag) { + case TIFFTAG_SUBFILETYPE: +@@ -1195,6 +1213,9 @@ _TIFFVGetField(TIFF* tif, uint32_t tag, va_list ap) + case TIFFTAG_INKNAMES: + *va_arg(ap, const char**) = td->td_inknames; + break; ++ case TIFFTAG_NUMBEROFINKS: ++ *va_arg(ap, uint16_t *) = td->td_numberofinks; ++ break; + default: + { + int i; +diff --git a/libtiff/tif_dir.h b/libtiff/tif_dir.h +index 09065648..0c251c9e 100644 +--- a/libtiff/tif_dir.h ++++ b/libtiff/tif_dir.h +@@ -117,6 +117,7 @@ typedef struct { + /* CMYK parameters */ + int td_inknameslen; + char* td_inknames; ++ uint16_t td_numberofinks; /* number of inks in InkNames string */ + + int td_customValueCount; + TIFFTagValue *td_customValues; +@@ -174,6 +175,7 @@ typedef struct { + #define FIELD_TRANSFERFUNCTION 44 + #define FIELD_INKNAMES 46 + #define FIELD_SUBIFD 49 ++#define FIELD_NUMBEROFINKS 50 + /* FIELD_CUSTOM (see tiffio.h) 65 */ + /* end of support for well-known tags; codec-private tags follow */ + #define FIELD_CODEC 66 /* base of codec-private tags */ +diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c +index 3371cb5c..3b4bcd33 100644 +--- a/libtiff/tif_dirinfo.c ++++ b/libtiff/tif_dirinfo.c +@@ -114,7 +114,7 @@ tiffFields[] = { + { TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", (TIFFFieldArray*) &tiffFieldArray }, + { TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL }, + { TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL }, +- { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "NumberOfInks", NULL }, ++ { TIFFTAG_NUMBEROFINKS, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_NUMBEROFINKS, 1, 0, "NumberOfInks", NULL }, + { TIFFTAG_DOTRANGE, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DotRange", NULL }, + { TIFFTAG_TARGETPRINTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "TargetPrinter", NULL }, + { TIFFTAG_EXTRASAMPLES, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_C16_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 1, "ExtraSamples", NULL }, +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 6c86fdca..062e4610 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -626,6 +626,11 @@ TIFFWriteDirectorySec(TIFF* tif, int isimage, int imagedone, uint64_t* pdiroff) + if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,TIFFTAG_INKNAMES,tif->tif_dir.td_inknameslen,tif->tif_dir.td_inknames)) + goto bad; + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) ++ { ++ if (!TIFFWriteDirectoryTagShort(tif, &ndir, dir, TIFFTAG_NUMBEROFINKS, tif->tif_dir.td_numberofinks)) ++ goto bad; ++ } + if (TIFFFieldSet(tif,FIELD_SUBIFD)) + { + if (!TIFFWriteDirectoryTagSubifd(tif,&ndir,dir)) +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 16ce5780..a91b9e7b 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -397,6 +397,10 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + } + fputs("\n", fd); + } ++ if (TIFFFieldSet(tif, FIELD_NUMBEROFINKS)) { ++ fprintf(fd, " NumberOfInks: %d\n", ++ td->td_numberofinks); ++ } + if (TIFFFieldSet(tif,FIELD_THRESHHOLDING)) { + fprintf(fd, " Thresholding: "); + switch (td->td_threshholding) { +-- +2.34.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch index a28df6ed8c..a9dd42d755 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-fix-the-FPE-in-tiffcrop-415-427-and-428.patch @@ -1,4 +1,4 @@ -From 029da2cf70e8e38f10d62d4b0be440fb9d145af0 Mon Sep 17 00:00:00 2001 +From 6cfe933df4dbac5479801b2bd10103ef7db815ee Mon Sep 17 00:00:00 2001 From: 4ugustus <wangdw.augustus@qq.com> Date: Sat, 11 Jun 2022 09:31:43 +0000 Subject: [PATCH] fix the FPE in tiffcrop (#415, #427, and #428) diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch index f1a4ab4251..a4d8bebe8c 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tif_jbig.c-fix-crash-when-reading-a-file-with-multip.patch @@ -1,11 +1,12 @@ +From adfd6be615635705c2f4eb8dfe49e2f463786361 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple + CVE: CVE-2022-0865 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From 88da11ae3c4db527cb870fb1017456cc8fbac2e7 Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Thu, 24 Feb 2022 22:26:02 +0100 -Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple IFD in memory-mapped mode and when bit reversal is needed (fixes #385) --- @@ -13,7 +14,7 @@ Subject: [PATCH 1/6] tif_jbig.c: fix crash when reading a file with multiple 1 file changed, 10 insertions(+) diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c -index 74086338..8bfa4cef 100644 +index 7408633..8bfa4ce 100644 --- a/libtiff/tif_jbig.c +++ b/libtiff/tif_jbig.c @@ -209,6 +209,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) @@ -33,6 +34,3 @@ index 74086338..8bfa4cef 100644 /* Setup the function pointers for encode, decode, and cleanup. */ tif->tif_setupdecode = JBIGSetupDecode; --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch new file mode 100644 index 0000000000..7c4feabc38 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch @@ -0,0 +1,607 @@ +From 0ab805f46f68500da3b49d6f89380bab169bf6bb Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Tue, 10 May 2022 20:03:17 +0000 +Subject: [PATCH] tiffcrop: Fix issue #330 and some more from 320 to 349 + +Upstream-Status: Backport +Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com> +--- + tools/tiffcrop.c | 282 +++++++++++++++++++++++++++++++++++------------ + 1 file changed, 210 insertions(+), 72 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 99e4208..b596f9e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -63,20 +63,24 @@ + * units when sectioning image into columns x rows + * using the -S cols:rows option. + * -X # Horizontal dimension of region to extract expressed in current +- * units ++ * units, relative to the specified origin reference 'edge' left (default for X) or right. + * -Y # Vertical dimension of region to extract expressed in current +- * units ++ * units, relative to the specified origin reference 'edge' top (default for Y) or bottom. + * -O orient Orientation for output image, portrait, landscape, auto + * -P page Page size for output image segments, eg letter, legal, tabloid, + * etc. + * -S cols:rows Divide the image into equal sized segments using cols across + * and rows down +- * -E t|l|r|b Edge to use as origin ++ * -E t|l|r|b Edge to use as origin (i.e. 'side' of the image not 'corner') ++ * top = width from left, zones from top to bottom (default) ++ * bottom = width from left, zones from bottom to top ++ * left = zones from left to right, length from top ++ * right = zones from right to left, length from top + * -m #,#,#,# Margins from edges for selection: top, left, bottom, right + * (commas separated) + * -Z #:#,#:# Zones of the image designated as zone X of Y, + * eg 1:3 would be first of three equal portions measured +- * from reference edge ++ * from reference edge (i.e. 'side' not corner) + * -N odd|even|#,#-#,#|last + * Select sequences and/or ranges of images within file + * to process. The words odd or even may be used to specify +@@ -103,10 +107,13 @@ + * selects which functions dump data, with higher numbers selecting + * lower level, scanline level routines. Debug reports a limited set + * of messages to monitor progress without enabling dump logs. ++ * ++ * Note: The (-X|-Y), -Z and -z options are mutually exclusive. ++ * In no case should the options be applied to a given selection successively. + */ + +-static char tiffcrop_version_id[] = "2.4.1"; +-static char tiffcrop_rev_date[] = "03-03-2010"; ++static char tiffcrop_version_id[] = "2.5"; ++static char tiffcrop_rev_date[] = "02-09-2022"; + + #include "tif_config.h" + #include "libport.h" +@@ -774,6 +781,9 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" ++"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" ++" In no case should the options be applied to a given selection successively.\n" ++"\n" + ; + + /* This function could be modified to pass starting sample offset +@@ -2123,6 +2133,15 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ ++ char XY, Z, R; ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); ++ Z = (crop_data->crop_mode & CROP_ZONES); ++ R = (crop_data->crop_mode & CROP_REGIONS); ++ if ((XY && Z) || (XY && R) || (Z && R)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); ++ exit(EXIT_FAILURE); ++ } + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +@@ -2748,7 +2767,7 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int i, bytes_per_sample, sindex; +- uint32_t col, dst_rowsize, bit_offset; ++ uint32_t col, dst_rowsize, bit_offset, numcols; + uint32_t src_byte /*, src_bit */; + uint8_t *src = in; + uint8_t *dst = out; +@@ -2759,6 +2778,10 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesBytes", +@@ -2771,6 +2794,9 @@ extractContigSamplesBytes (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + dst_rowsize = (bps * (end - start) * count) / 8; + +@@ -2814,7 +2840,7 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint8_t maskbits = 0, matchbits = 0; + uint8_t buff1 = 0, buff2 = 0; + uint8_t *src = in; +@@ -2826,6 +2852,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples8bits", +@@ -2838,7 +2868,10 @@ extractContigSamples8bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } +- ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } ++ + ready_bits = 0; + maskbits = (uint8_t)-1 >> (8 - bps); + buff1 = buff2 = 0; +@@ -2891,7 +2924,7 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint16_t maskbits = 0, matchbits = 0; + uint16_t buff1 = 0, buff2 = 0; + uint8_t bytebuff = 0; +@@ -2904,6 +2937,10 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples16bits", +@@ -2916,6 +2953,9 @@ extractContigSamples16bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = 0; + maskbits = (uint16_t)-1 >> (16 - bps); +@@ -2980,7 +3020,7 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t maskbits = 0, matchbits = 0; + uint32_t buff1 = 0, buff2 = 0; + uint8_t bytebuff1 = 0, bytebuff2 = 0; +@@ -2993,6 +3033,10 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples24bits", +@@ -3005,6 +3049,9 @@ extractContigSamples24bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = 0; + maskbits = (uint32_t)-1 >> (32 - bps); +@@ -3089,7 +3136,7 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + tsample_t count, uint32_t start, uint32_t end) + { + int ready_bits = 0, sindex = 0 /*, shift_width = 0 */; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t longbuff1 = 0, longbuff2 = 0; + uint64_t maskbits = 0, matchbits = 0; + uint64_t buff1 = 0, buff2 = 0, buff3 = 0; +@@ -3104,6 +3151,10 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamples32bits", +@@ -3116,6 +3167,9 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + /* shift_width = ((bps + 7) / 8) + 1; */ + ready_bits = 0; +@@ -3195,7 +3249,7 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint8_t maskbits = 0, matchbits = 0; + uint8_t buff1 = 0, buff2 = 0; + uint8_t *src = in; +@@ -3207,6 +3261,10 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted8bits", +@@ -3219,6 +3277,9 @@ extractContigSamplesShifted8bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = shift; + maskbits = (uint8_t)-1 >> (8 - bps); +@@ -3275,7 +3336,7 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint16_t maskbits = 0, matchbits = 0; + uint16_t buff1 = 0, buff2 = 0; + uint8_t bytebuff = 0; +@@ -3288,6 +3349,10 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted16bits", +@@ -3300,6 +3365,9 @@ extractContigSamplesShifted16bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = shift; + maskbits = (uint16_t)-1 >> (16 - bps); +@@ -3365,7 +3433,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t maskbits = 0, matchbits = 0; + uint32_t buff1 = 0, buff2 = 0; + uint8_t bytebuff1 = 0, bytebuff2 = 0; +@@ -3378,6 +3446,16 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + return (1); + } + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ /*--- Remark, which is true for all those functions extractCongigSamplesXXX() -- ++ * The mitigation of the start/end test does not allways make sense, because the function is often called with e.g.: ++ * start = 31; end = 32; cols = 32 to extract the last column in a 32x32 sample image. ++ * If then, a worng parameter (e.g. cols = 10) is provided, the mitigated settings would be start=0; end=1. ++ * Therefore, an error message and no copy action might be the better reaction to wrong parameter configurations. ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted24bits", +@@ -3390,6 +3468,9 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + ready_bits = shift; + maskbits = (uint32_t)-1 >> (32 - bps); +@@ -3451,7 +3532,7 @@ extractContigSamplesShifted24bits (uint8_t *in, uint8_t *out, uint32_t cols, + buff2 = (buff2 << 8); + bytebuff2 = bytebuff1; + ready_bits -= 8; +- } ++ } + + return (0); + } /* end extractContigSamplesShifted24bits */ +@@ -3463,7 +3544,7 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + int shift) + { + int ready_bits = 0, sindex = 0 /*, shift_width = 0 */; +- uint32_t col, src_byte, src_bit, bit_offset; ++ uint32_t col, src_byte, src_bit, bit_offset, numcols; + uint32_t longbuff1 = 0, longbuff2 = 0; + uint64_t maskbits = 0, matchbits = 0; + uint64_t buff1 = 0, buff2 = 0, buff3 = 0; +@@ -3478,6 +3559,10 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + + ++ /* Number of extracted columns shall be kept as (end-start + 1). Otherwise buffer-overflow might occur. ++ * 'start' and 'col' count from 0 to (cols-1) but 'end' is to be set one after the index of the last column to be copied! ++ */ ++ numcols = abs(end - start); + if ((start > end) || (start > cols)) + { + TIFFError ("extractContigSamplesShifted32bits", +@@ -3490,6 +3575,9 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + "Invalid end column value %"PRIu32" ignored", end); + end = cols; + } ++ if (abs(end - start) > numcols) { ++ end = start + numcols; ++ } + + /* shift_width = ((bps + 7) / 8) + 1; */ + ready_bits = shift; +@@ -5431,7 +5519,7 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + { + struct offset offsets; + int i; +- int32_t test; ++ uint32_t uaux; + uint32_t seg, total, need_buff = 0; + uint32_t buffsize; + uint32_t zwidth, zlength; +@@ -5512,8 +5600,13 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + seg = crop->zonelist[j].position; + total = crop->zonelist[j].total; + +- /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ /* check for not allowed zone cases like 0:0; 4:3; or negative ones etc. and skip that input */ ++ if (crop->zonelist[j].position < 0 || crop->zonelist[j].total < 0) { ++ TIFFError("getCropOffsets", "Negative crop zone values %d:%d are not allowed, thus skipped.", crop->zonelist[j].position, crop->zonelist[j].total); ++ continue; ++ } + if (seg == 0 || total == 0 || seg > total) { ++ TIFFError("getCropOffsets", "Crop zone %d:%d is out of specification, thus skipped.", seg, total); + continue; + } + +@@ -5526,17 +5619,23 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + + crop->regionlist[i].x1 = offsets.startx + + (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total); +- test = (int32_t)offsets.startx + +- (int32_t)(offsets.crop_width * 1.0 * seg / total); +- if (test < 1 ) +- crop->regionlist[i].x2 = 0; +- else +- { +- if (test > (int32_t)(image->width - 1)) ++ /* FAULT: IMHO in the old code here, the calculation of x2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ if (crop->regionlist[i].x1 > offsets.endx) { ++ crop->regionlist[i].x1 = offsets.endx; ++ } else if (crop->regionlist[i].x1 >= image->width) { ++ crop->regionlist[i].x1 = image->width - 1; ++ } ++ ++ crop->regionlist[i].x2 = offsets.startx + (uint32_t)(offsets.crop_width * 1.0 * seg / total); ++ if (crop->regionlist[i].x2 > 0) crop->regionlist[i].x2 = crop->regionlist[i].x2 - 1; ++ if (crop->regionlist[i].x2 < crop->regionlist[i].x1) { ++ crop->regionlist[i].x2 = crop->regionlist[i].x1; ++ } else if (crop->regionlist[i].x2 > offsets.endx) { ++ crop->regionlist[i].x2 = offsets.endx; ++ } else if (crop->regionlist[i].x2 >= image->width) { + crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = test - 1; +- } ++ } + zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + + /* This is passed to extractCropZone or extractCompositeZones */ +@@ -5551,22 +5650,27 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + crop->regionlist[i].x1 = offsets.startx; + crop->regionlist[i].x2 = offsets.endx; + +- test = offsets.endy - (uint32_t)(offsets.crop_length * 1.0 * seg / total); +- if (test < 1 ) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = test + 1; ++ /* FAULT: IMHO in the old code here, the calculation of y1/y2 was based on wrong assumtions. The whole image was assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ uaux = (uint32_t)(offsets.crop_length * 1.0 * seg / total); ++ if (uaux <= offsets.endy + 1) { ++ crop->regionlist[i].y1 = offsets.endy - uaux + 1; ++ } else { ++ crop->regionlist[i].y1 = 0; ++ } ++ if (crop->regionlist[i].y1 < offsets.starty) { ++ crop->regionlist[i].y1 = offsets.starty; ++ } + +- test = offsets.endy - (offsets.crop_length * 1.0 * (seg - 1) / total); +- if (test < 1 ) +- crop->regionlist[i].y2 = 0; +- else +- { +- if (test > (int32_t)(image->length - 1)) +- crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = test; +- } ++ uaux = (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total); ++ if (uaux <= offsets.endy) { ++ crop->regionlist[i].y2 = offsets.endy - uaux; ++ } else { ++ crop->regionlist[i].y2 = 0; ++ } ++ if (crop->regionlist[i].y2 < offsets.starty) { ++ crop->regionlist[i].y2 = offsets.starty; ++ } + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + + /* This is passed to extractCropZone or extractCompositeZones */ +@@ -5577,32 +5681,42 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + crop->combined_width = (uint32_t)zwidth; + break; + case EDGE_RIGHT: /* zones from right to left, length from top */ +- zlength = offsets.crop_length; +- crop->regionlist[i].y1 = offsets.starty; +- crop->regionlist[i].y2 = offsets.endy; +- +- crop->regionlist[i].x1 = offsets.startx + +- (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total); +- test = offsets.startx + +- (offsets.crop_width * (total - seg + 1) * 1.0 / total); +- if (test < 1 ) +- crop->regionlist[i].x2 = 0; +- else +- { +- if (test > (int32_t)(image->width - 1)) +- crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = test - 1; +- } +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ zlength = offsets.crop_length; ++ crop->regionlist[i].y1 = offsets.starty; ++ crop->regionlist[i].y2 = offsets.endy; ++ ++ crop->regionlist[i].x1 = offsets.startx + ++ (uint32_t)(offsets.crop_width * (total - seg) * 1.0 / total); ++ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ uaux = (uint32_t)(offsets.crop_width * 1.0 * seg / total); ++ if (uaux <= offsets.endx + 1) { ++ crop->regionlist[i].x1 = offsets.endx - uaux + 1; ++ } else { ++ crop->regionlist[i].x1 = 0; ++ } ++ if (crop->regionlist[i].x1 < offsets.startx) { ++ crop->regionlist[i].x1 = offsets.startx; ++ } + +- /* This is passed to extractCropZone or extractCompositeZones */ +- crop->combined_length = (uint32_t)zlength; +- if (crop->exp_mode == COMPOSITE_IMAGES) +- crop->combined_width += (uint32_t)zwidth; +- else +- crop->combined_width = (uint32_t)zwidth; +- break; ++ uaux = (uint32_t)(offsets.crop_width * 1.0 * (seg - 1) / total); ++ if (uaux <= offsets.endx) { ++ crop->regionlist[i].x2 = offsets.endx - uaux; ++ } else { ++ crop->regionlist[i].x2 = 0; ++ } ++ if (crop->regionlist[i].x2 < offsets.startx) { ++ crop->regionlist[i].x2 = offsets.startx; ++ } ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ ++ /* This is passed to extractCropZone or extractCompositeZones */ ++ crop->combined_length = (uint32_t)zlength; ++ if (crop->exp_mode == COMPOSITE_IMAGES) ++ crop->combined_width += (uint32_t)zwidth; ++ else ++ crop->combined_width = (uint32_t)zwidth; ++ break; + case EDGE_TOP: /* width from left, zones from top to bottom */ + default: + zwidth = offsets.crop_width; +@@ -5610,6 +5724,14 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + crop->regionlist[i].x2 = offsets.endx; + + crop->regionlist[i].y1 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * (seg - 1) / total); ++ if (crop->regionlist[i].y1 > offsets.endy) { ++ crop->regionlist[i].y1 = offsets.endy; ++ } else if (crop->regionlist[i].y1 >= image->length) { ++ crop->regionlist[i].y1 = image->length - 1; ++ } ++ ++ /* FAULT: IMHO from here on, the calculation of y2 are based on wrong assumtions. The whole image is assumed and 'endy' and 'starty' are not respected anymore!*/ ++ /* OLD Code: + test = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total); + if (test < 1 ) + crop->regionlist[i].y2 = 0; +@@ -5620,6 +5742,18 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + else + crop->regionlist[i].y2 = test - 1; + } ++ */ ++ /* NEW PROPOSED Code: Assumption: offsets are within image with top left corner as origin (0,0) and 'start' <= 'end'. */ ++ crop->regionlist[i].y2 = offsets.starty + (uint32_t)(offsets.crop_length * 1.0 * seg / total); ++ if (crop->regionlist[i].y2 > 0)crop->regionlist[i].y2 = crop->regionlist[i].y2 - 1; ++ if (crop->regionlist[i].y2 < crop->regionlist[i].y1) { ++ crop->regionlist[i].y2 = crop->regionlist[i].y1; ++ } else if (crop->regionlist[i].y2 > offsets.endy) { ++ crop->regionlist[i].y2 = offsets.endy; ++ } else if (crop->regionlist[i].y2 >= image->length) { ++ crop->regionlist[i].y2 = image->length - 1; ++ } ++ + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + + /* This is passed to extractCropZone or extractCompositeZones */ +@@ -7543,7 +7677,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + total_width = total_length = 0; + for (i = 0; i < crop->selections; i++) + { +- cropsize = crop->bufftotal; ++ ++ cropsize = crop->bufftotal; + crop_buff = seg_buffs[i].buffer; + if (!crop_buff) + crop_buff = (unsigned char *)limitMalloc(cropsize); +@@ -7632,6 +7767,9 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + + if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */ + { ++ /* rotateImage() changes image->width, ->length, ->xres and ->yres, what it schouldn't do here, when more than one section is processed. ++ * ToDo: Therefore rotateImage() and its usage has to be reworked (e.g. like mirrorImage()) !! ++ */ + if (rotateImage(crop->rotation, image, &crop->regionlist[i].width, + &crop->regionlist[i].length, &crop_buff)) + { +@@ -7647,8 +7785,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8) + * image->spp) * crop->regionlist[i].length; + } +- } +- } ++ } /* for crop->selections loop */ ++ } /* Separated Images (else case) */ + return (0); + } /* end processCropSelections */ + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch new file mode 100644 index 0000000000..79b4ff3f6e --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-S-option-Make-decision-simpler.patch @@ -0,0 +1,36 @@ +From bad48e90b410df32172006c7876da449ba62cdba Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Sat, 20 Aug 2022 23:35:26 +0200 +Subject: [PATCH] tiffcrop -S option: Make decision simpler. + +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +--- + tools/tiffcrop.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index c3b758ec..8fd856dc 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2133,11 +2133,11 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + } + /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ + char XY, Z, R, S; +- XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); +- Z = (crop_data->crop_mode & CROP_ZONES); +- R = (crop_data->crop_mode & CROP_REGIONS); +- S = (page->mode & PAGE_MODE_ROWSCOLS); +- if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)) ? 1 : 0; ++ Z = (crop_data->crop_mode & CROP_ZONES) ? 1 : 0; ++ R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; ++ S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; ++ if (XY + Z + R + S > 1) { + TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } +-- +2.34.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch new file mode 100644 index 0000000000..6a62787648 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch @@ -0,0 +1,59 @@ +From 4746f16253b784287bc8a5003990c1c3b9a03a62 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Thu, 25 Aug 2022 16:11:41 +0200 +Subject: [PATCH] tiffcrop: disable incompatibility of -Z, -X, -Y, -z options + with any PAGE_MODE_x option (fixes #411 and #413) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +tiffcrop does not support –Z, -z, -X and –Y options together with any other PAGE_MODE_x options like -H, -V, -P, -J, -K or –S. + +Code analysis: + +With the options –Z, -z, the crop.selections are set to a value > 0. Within main(), this triggers the call of processCropSelections(), which copies the sections from the read_buff into seg_buffs[]. +In the following code in main(), the only supported step, where that seg_buffs are further handled are within an if-clause with if (page.mode == PAGE_MODE_NONE) . + +Execution of the else-clause often leads to buffer-overflows. + +Therefore, the above option combination is not supported and will be disabled to prevent those buffer-overflows. + +The MR solves issues #411 and #413. + +CVE: CVE-2022-3597 CVE-2022-3626 CVE-2022-3627 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + doc/tools/tiffcrop.rst | 8 ++++++++ + tools/tiffcrop.c | 32 +++++++++++++++++++++++++------- + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 8fd856dc..41a2ea36 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -2138,9 +2143,20 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + R = (crop_data->crop_mode & CROP_REGIONS) ? 1 : 0; + S = (page->mode & PAGE_MODE_ROWSCOLS) ? 1 : 0; + if (XY + Z + R + S > 1) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->exit"); + exit(EXIT_FAILURE); + } ++ ++ /* Check for not allowed combination: ++ * Any of the -X, -Y, -Z and -z options together with other PAGE_MODE_x options ++ * such as -H, -V, -P, -J or -K are not supported and may cause buffer overflows. ++. */ ++ if ((XY + Z + R > 0) && page->mode != PAGE_MODE_NONE) { ++ TIFFError("tiffcrop input error", ++ "Any of the crop options -X, -Y, -Z and -z together with other PAGE_MODE_x options such as - H, -V, -P, -J or -K is not supported and may cause buffer overflows..->exit"); ++ exit(EXIT_FAILURE); ++ } ++ + } /* end process_command_opts */ + + /* Start a new output file if one has not been previously opened or +-- +2.34.1 + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch new file mode 100644 index 0000000000..e10e37ccc9 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch @@ -0,0 +1,640 @@ +From 1e000b3484808f1ee7a68bd276220d1cd82dec73 Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Thu, 13 Oct 2022 14:33:27 +0000 +Subject: [PATCH] tiffcrop subroutines require a larger buffer (fixes #271, + #381, #386, #388, #389, #435) + +CVE: CVE-2022-3570 CVE-2022-3598 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + tools/tiffcrop.c | 203 ++++++++++++++++++++++++++--------------------- + 1 file changed, 114 insertions(+), 89 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f96c7d60..adf0f849 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -210,6 +210,10 @@ static char tiffcrop_rev_date[] = "02-09-2022"; + + #define TIFF_DIR_MAX 65534 + ++/* Some conversion subroutines require image buffers, which are at least 3 bytes ++ * larger than the necessary size for the image itself. */ ++#define NUM_BUFF_OVERSIZE_BYTES 3 ++ + /* Offsets into buffer for margins and fixed width and length segments */ + struct offset { + uint32_t tmargin; +@@ -231,7 +235,7 @@ struct offset { + */ + + struct buffinfo { +- uint32_t size; /* size of this buffer */ ++ size_t size; /* size of this buffer */ + unsigned char *buffer; /* address of the allocated buffer */ + }; + +@@ -805,8 +809,8 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + uint32_t dst_rowsize, shift_width; + uint32_t bytes_per_sample, bytes_per_pixel; + uint32_t trailing_bits, prev_trailing_bits; +- uint32_t tile_rowsize = TIFFTileRowSize(in); +- uint32_t src_offset, dst_offset; ++ tmsize_t tile_rowsize = TIFFTileRowSize(in); ++ tmsize_t src_offset, dst_offset; + uint32_t row_offset, col_offset; + uint8_t *bufp = (uint8_t*) buf; + unsigned char *src = NULL; +@@ -856,7 +860,7 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8_t* buf, + TIFFError("readContigTilesIntoBuffer", "Integer overflow when calculating buffer size."); + exit(EXIT_FAILURE); + } +- tilebuf = limitMalloc(tile_buffsize + 3); ++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (tilebuf == 0) + return 0; + tilebuf[tile_buffsize] = 0; +@@ -1019,7 +1023,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8_t *obuf, + for (sample = 0; (sample < spp) && (sample < MAX_SAMPLES); sample++) + { + srcbuffs[sample] = NULL; +- tbuff = (unsigned char *)limitMalloc(tilesize + 8); ++ tbuff = (unsigned char *)limitMalloc(tilesize + NUM_BUFF_OVERSIZE_BYTES); + if (!tbuff) + { + TIFFError ("readSeparateTilesIntoBuffer", +@@ -1213,7 +1217,8 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + } + rowstripsize = rowsperstrip * bytes_per_sample * (width + 1); + +- obuf = limitMalloc (rowstripsize); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ obuf = limitMalloc (rowstripsize + NUM_BUFF_OVERSIZE_BYTES); + if (obuf == NULL) + return 1; + +@@ -1226,7 +1231,7 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + stripsize = TIFFVStripSize(out, nrows); + src = buf + (row * rowsize); + total_bytes += stripsize; +- memset (obuf, '\0', rowstripsize); ++ memset (obuf, '\0',rowstripsize + NUM_BUFF_OVERSIZE_BYTES); + if (extractContigSamplesToBuffer(obuf, src, nrows, width, s, spp, bps, dump)) + { + _TIFFfree(obuf); +@@ -1234,10 +1239,15 @@ writeBufferToSeparateStrips (TIFF* out, uint8_t* buf, + } + if ((dump->outfile != NULL) && (dump->level == 1)) + { +- dump_info(dump->outfile, dump->format,"", ++ if (scanlinesize > 0x0ffffffffULL) { ++ dump_info(dump->infile, dump->format, "loadImage", ++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", ++ scanlinesize); ++ } ++ dump_info(dump->outfile, dump->format,"", + "Sample %2d, Strip: %2d, bytes: %4d, Row %4d, bytes: %4d, Input offset: %6d", +- s + 1, strip + 1, stripsize, row + 1, scanlinesize, src - buf); +- dump_buffer(dump->outfile, dump->format, nrows, scanlinesize, row, obuf); ++ s + 1, strip + 1, stripsize, row + 1, (uint32_t)scanlinesize, src - buf); ++ dump_buffer(dump->outfile, dump->format, nrows, (uint32_t)scanlinesize, row, obuf); + } + + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) +@@ -1264,7 +1274,7 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng + uint32_t tl, tw; + uint32_t row, col, nrow, ncol; + uint32_t src_rowsize, col_offset; +- uint32_t tile_rowsize = TIFFTileRowSize(out); ++ tmsize_t tile_rowsize = TIFFTileRowSize(out); + uint8_t* bufp = (uint8_t*) buf; + tsize_t tile_buffsize = 0; + tsize_t tilesize = TIFFTileSize(out); +@@ -1307,9 +1317,11 @@ static int writeBufferToContigTiles (TIFF* out, uint8_t* buf, uint32_t imageleng + } + src_rowsize = ((imagewidth * spp * bps) + 7U) / 8; + +- tilebuf = limitMalloc(tile_buffsize); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ tilebuf = limitMalloc(tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (tilebuf == 0) + return 1; ++ memset(tilebuf, 0, tile_buffsize + NUM_BUFF_OVERSIZE_BYTES); + for (row = 0; row < imagelength; row += tl) + { + nrow = (row + tl > imagelength) ? imagelength - row : tl; +@@ -1355,7 +1367,8 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele + uint32_t imagewidth, tsample_t spp, + struct dump_opts * dump) + { +- tdata_t obuf = limitMalloc(TIFFTileSize(out)); ++ /* Add 3 padding bytes for extractContigSamples32bits */ ++ tdata_t obuf = limitMalloc(TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); + uint32_t tl, tw; + uint32_t row, col, nrow, ncol; + uint32_t src_rowsize, col_offset; +@@ -1365,6 +1378,7 @@ static int writeBufferToSeparateTiles (TIFF* out, uint8_t* buf, uint32_t imagele + + if (obuf == NULL) + return 1; ++ memset(obuf, 0, TIFFTileSize(out) + NUM_BUFF_OVERSIZE_BYTES); + + if( !TIFFGetField(out, TIFFTAG_TILELENGTH, &tl) || + !TIFFGetField(out, TIFFTAG_TILEWIDTH, &tw) || +@@ -1790,14 +1804,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + + *opt_offset = '\0'; + /* convert option to lowercase */ +- end = strlen (opt_ptr); ++ end = (unsigned int)strlen (opt_ptr); + for (i = 0; i < end; i++) + *(opt_ptr + i) = tolower((int) *(opt_ptr + i)); + /* Look for dump format specification */ + if (strncmp(opt_ptr, "for", 3) == 0) + { + /* convert value to lowercase */ +- end = strlen (opt_offset + 1); ++ end = (unsigned int)strlen (opt_offset + 1); + for (i = 1; i <= end; i++) + *(opt_offset + i) = tolower((int) *(opt_offset + i)); + /* check dump format value */ +@@ -2270,6 +2284,8 @@ main(int argc, char* argv[]) + size_t length; + char temp_filename[PATH_MAX + 16]; /* Extra space keeps the compiler from complaining */ + ++ assert(NUM_BUFF_OVERSIZE_BYTES >= 3); ++ + little_endian = *((unsigned char *)&little_endian) & '1'; + + initImageData(&image); +@@ -3222,13 +3238,13 @@ extractContigSamples32bits (uint8_t *in, uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -3637,13 +3653,13 @@ extractContigSamplesShifted32bits (uint8_t *in, uint8_t *out, uint32_t cols, + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -3820,10 +3836,10 @@ extractContigSamplesToTileBuffer(uint8_t *out, uint8_t *in, uint32_t rows, uint3 + static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) + { + uint8_t* bufp = buf; +- int32_t bytes_read = 0; ++ tmsize_t bytes_read = 0; + uint32_t strip, nstrips = TIFFNumberOfStrips(in); +- uint32_t stripsize = TIFFStripSize(in); +- uint32_t rows = 0; ++ tmsize_t stripsize = TIFFStripSize(in); ++ tmsize_t rows = 0; + uint32_t rps = TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rps); + tsize_t scanline_size = TIFFScanlineSize(in); + +@@ -3836,11 +3852,11 @@ static int readContigStripsIntoBuffer (TIFF* in, uint8_t* buf) + bytes_read = TIFFReadEncodedStrip (in, strip, bufp, -1); + rows = bytes_read / scanline_size; + if ((strip < (nstrips - 1)) && (bytes_read != (int32_t)stripsize)) +- TIFFError("", "Strip %"PRIu32": read %"PRId32" bytes, strip size %"PRIu32, ++ TIFFError("", "Strip %"PRIu32": read %"PRId64" bytes, strip size %"PRIu64, + strip + 1, bytes_read, stripsize); + + if (bytes_read < 0 && !ignore) { +- TIFFError("", "Error reading strip %"PRIu32" after %"PRIu32" rows", ++ TIFFError("", "Error reading strip %"PRIu32" after %"PRIu64" rows", + strip, rows); + return 0; + } +@@ -4305,13 +4321,13 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -4354,10 +4370,10 @@ combineSeparateSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", + row + 1, col + 1, src_byte, src_bit, dst - out); + +- dump_long (dumpfile, format, "Match bits ", matchbits); ++ dump_wide (dumpfile, format, "Match bits ", matchbits); + dump_data (dumpfile, format, "Src bits ", src, 4); +- dump_long (dumpfile, format, "Buff1 bits ", buff1); +- dump_long (dumpfile, format, "Buff2 bits ", buff2); ++ dump_wide (dumpfile, format, "Buff1 bits ", buff1); ++ dump_wide (dumpfile, format, "Buff2 bits ", buff2); + dump_byte (dumpfile, format, "Write bits1", bytebuff1); + dump_byte (dumpfile, format, "Write bits2", bytebuff2); + dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); +@@ -4830,13 +4846,13 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + /* If we have a full buffer's worth, write it out */ + if (ready_bits >= 32) + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -4879,10 +4895,10 @@ combineSeparateTileSamples32bits (uint8_t *in[], uint8_t *out, uint32_t cols, + "Row %3d, Col %3d, Src byte offset %3d bit offset %2d Dst offset %3d", + row + 1, col + 1, src_byte, src_bit, dst - out); + +- dump_long (dumpfile, format, "Match bits ", matchbits); ++ dump_wide (dumpfile, format, "Match bits ", matchbits); + dump_data (dumpfile, format, "Src bits ", src, 4); +- dump_long (dumpfile, format, "Buff1 bits ", buff1); +- dump_long (dumpfile, format, "Buff2 bits ", buff2); ++ dump_wide (dumpfile, format, "Buff1 bits ", buff1); ++ dump_wide (dumpfile, format, "Buff2 bits ", buff2); + dump_byte (dumpfile, format, "Write bits1", bytebuff1); + dump_byte (dumpfile, format, "Write bits2", bytebuff2); + dump_info (dumpfile, format, "", "Ready bits: %2d", ready_bits); +@@ -4905,7 +4921,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + { + int i, bytes_per_sample, bytes_per_pixel, shift_width, result = 1; + uint32_t j; +- int32_t bytes_read = 0; ++ tmsize_t bytes_read = 0; + uint16_t bps = 0, planar; + uint32_t nstrips; + uint32_t strips_per_sample; +@@ -4971,7 +4987,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++) + { + srcbuffs[s] = NULL; +- buff = limitMalloc(stripsize + 3); ++ buff = limitMalloc(stripsize + NUM_BUFF_OVERSIZE_BYTES); + if (!buff) + { + TIFFError ("readSeparateStripsIntoBuffer", +@@ -4994,7 +5010,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt + buff = srcbuffs[s]; + strip = (s * strips_per_sample) + j; + bytes_read = TIFFReadEncodedStrip (in, strip, buff, stripsize); +- rows_this_strip = bytes_read / src_rowsize; ++ rows_this_strip = (uint32_t)(bytes_read / src_rowsize); + if (bytes_read < 0 && !ignore) + { + TIFFError(TIFFFileName(in), +@@ -6047,13 +6063,14 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + uint16_t input_compression = 0, input_photometric = 0; + uint16_t subsampling_horiz, subsampling_vert; + uint32_t width = 0, length = 0; +- uint32_t stsize = 0, tlsize = 0, buffsize = 0, scanlinesize = 0; ++ tmsize_t stsize = 0, tlsize = 0, buffsize = 0; ++ tmsize_t scanlinesize = 0; + uint32_t tw = 0, tl = 0; /* Tile width and length */ +- uint32_t tile_rowsize = 0; ++ tmsize_t tile_rowsize = 0; + unsigned char *read_buff = NULL; + unsigned char *new_buff = NULL; + int readunit = 0; +- static uint32_t prev_readsize = 0; ++ static tmsize_t prev_readsize = 0; + + TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps); + TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp); +@@ -6355,7 +6372,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } +- read_buff = (unsigned char *)limitMalloc(buffsize+3); ++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + { +@@ -6366,11 +6383,11 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + TIFFError("loadImage", "Unable to allocate/reallocate read buffer"); + return (-1); + } +- new_buff = _TIFFrealloc(read_buff, buffsize+3); ++ new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + free (read_buff); +- read_buff = (unsigned char *)limitMalloc(buffsize+3); ++ read_buff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + read_buff = new_buff; +@@ -6443,8 +6460,13 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c + dump_info (dump->infile, dump->format, "", + "Bits per sample %"PRIu16", Samples per pixel %"PRIu16, bps, spp); + ++ if (scanlinesize > 0x0ffffffffULL) { ++ dump_info(dump->infile, dump->format, "loadImage", ++ "Attention: scanlinesize %"PRIu64" is larger than UINT32_MAX.\nFollowing dump might be wrong.", ++ scanlinesize); ++ } + for (i = 0; i < length; i++) +- dump_buffer(dump->infile, dump->format, 1, scanlinesize, ++ dump_buffer(dump->infile, dump->format, 1, (uint32_t)scanlinesize, + i, read_buff + (i * scanlinesize)); + } + return (0); +@@ -7464,13 +7486,13 @@ writeSingleSection(TIFF *in, TIFF *out, struct image_data *image, + if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { + TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); + if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { +- int inknameslen = strlen(inknames) + 1; ++ int inknameslen = (int)strlen(inknames) + 1; + const char* cp = inknames; + while (ninks > 1) { + cp = strchr(cp, '\0'); + if (cp) { + cp++; +- inknameslen += (strlen(cp) + 1); ++ inknameslen += ((int)strlen(cp) + 1); + } + ninks--; + } +@@ -7533,23 +7555,23 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + + if (!sect_buff) + { +- sect_buff = (unsigned char *)limitMalloc(sectsize); ++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!sect_buff) + { + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } +- _TIFFmemset(sect_buff, 0, sectsize); ++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + { + if (prev_sectsize < sectsize) + { +- new_buff = _TIFFrealloc(sect_buff, sectsize); ++ new_buff = _TIFFrealloc(sect_buff, sectsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + _TIFFfree (sect_buff); +- sect_buff = (unsigned char *)limitMalloc(sectsize); ++ sect_buff = (unsigned char *)limitMalloc(sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + sect_buff = new_buff; +@@ -7559,7 +7581,7 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); + return (-1); + } +- _TIFFmemset(sect_buff, 0, sectsize); ++ _TIFFmemset(sect_buff, 0, sectsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + +@@ -7590,17 +7612,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + cropsize = crop->bufftotal; + crop_buff = seg_buffs[0].buffer; + if (!crop_buff) +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { + prev_cropsize = seg_buffs[0].size; + if (prev_cropsize < cropsize) + { +- next_buff = _TIFFrealloc(crop_buff, cropsize); ++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (! next_buff) + { + _TIFFfree (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = next_buff; +@@ -7613,7 +7635,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + return (-1); + } + +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + seg_buffs[0].buffer = crop_buff; + seg_buffs[0].size = cropsize; + +@@ -7693,17 +7715,17 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + cropsize = crop->bufftotal; + crop_buff = seg_buffs[i].buffer; + if (!crop_buff) +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { + prev_cropsize = seg_buffs[0].size; + if (prev_cropsize < cropsize) + { +- next_buff = _TIFFrealloc(crop_buff, cropsize); ++ next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (! next_buff) + { + _TIFFfree (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = next_buff; +@@ -7716,7 +7738,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop, + return (-1); + } + +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + seg_buffs[i].buffer = crop_buff; + seg_buffs[i].size = cropsize; + +@@ -7832,24 +7854,24 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + crop_buff = *crop_buff_ptr; + if (!crop_buff) + { +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!crop_buff) + { + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + prev_cropsize = cropsize; + } + else + { + if (prev_cropsize < cropsize) + { +- new_buff = _TIFFrealloc(crop_buff, cropsize); ++ new_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); + if (!new_buff) + { + free (crop_buff); +- crop_buff = (unsigned char *)limitMalloc(cropsize); ++ crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + else + crop_buff = new_buff; +@@ -7858,7 +7880,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); + return (-1); + } +- _TIFFmemset(crop_buff, 0, cropsize); ++ _TIFFmemset(crop_buff, 0, cropsize + NUM_BUFF_OVERSIZE_BYTES); + } + } + +@@ -8156,13 +8178,13 @@ writeCroppedImage(TIFF *in, TIFF *out, struct image_data *image, + if (TIFFGetField(in, TIFFTAG_NUMBEROFINKS, &ninks)) { + TIFFSetField(out, TIFFTAG_NUMBEROFINKS, ninks); + if (TIFFGetField(in, TIFFTAG_INKNAMES, &inknames)) { +- int inknameslen = strlen(inknames) + 1; ++ int inknameslen = (int)strlen(inknames) + 1; + const char* cp = inknames; + while (ninks > 1) { + cp = strchr(cp, '\0'); + if (cp) { + cp++; +- inknameslen += (strlen(cp) + 1); ++ inknameslen += ((int)strlen(cp) + 1); + } + ninks--; + } +@@ -8547,13 +8569,13 @@ rotateContigSamples32bits(uint16_t rotation, uint16_t spp, uint16_t bps, uint32_ + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -8622,12 +8644,13 @@ rotateImage(uint16_t rotation, struct image_data *image, uint32_t *img_width, + return (-1); + } + +- if (!(rbuff = (unsigned char *)limitMalloc(buffsize))) ++ /* Add 3 padding bytes for extractContigSamplesShifted32bits */ ++ if (!(rbuff = (unsigned char *)limitMalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES))) + { +- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize); ++ TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } +- _TIFFmemset(rbuff, '\0', buffsize); ++ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES); + + ibuff = *ibuff_ptr; + switch (rotation) +@@ -9155,13 +9178,13 @@ reverseSamples32bits (uint16_t spp, uint16_t bps, uint32_t width, + } + else /* If we have a full buffer's worth, write it out */ + { +- bytebuff1 = (buff2 >> 56); ++ bytebuff1 = (uint8_t)(buff2 >> 56); + *dst++ = bytebuff1; +- bytebuff2 = (buff2 >> 48); ++ bytebuff2 = (uint8_t)(buff2 >> 48); + *dst++ = bytebuff2; +- bytebuff3 = (buff2 >> 40); ++ bytebuff3 = (uint8_t)(buff2 >> 40); + *dst++ = bytebuff3; +- bytebuff4 = (buff2 >> 32); ++ bytebuff4 = (uint8_t)(buff2 >> 32); + *dst++ = bytebuff4; + ready_bits -= 32; + +@@ -9252,12 +9275,13 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + { + case MIRROR_BOTH: + case MIRROR_VERT: +- line_buff = (unsigned char *)limitMalloc(rowsize); ++ line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES); + if (line_buff == NULL) + { +- TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize); ++ TIFFError ("mirrorImage", "Unable to allocate mirror line buffer of %1u bytes", rowsize + NUM_BUFF_OVERSIZE_BYTES); + return (-1); + } ++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + + dst = ibuff + (rowsize * (length - 1)); + for (row = 0; row < length / 2; row++) +@@ -9289,11 +9313,12 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + } + else + { /* non 8 bit per sample data */ +- if (!(line_buff = (unsigned char *)limitMalloc(rowsize + 1))) ++ if (!(line_buff = (unsigned char *)limitMalloc(rowsize + NUM_BUFF_OVERSIZE_BYTES))) + { + TIFFError("mirrorImage", "Unable to allocate mirror line buffer"); + return (-1); + } ++ _TIFFmemset(line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + bytes_per_sample = (bps + 7) / 8; + bytes_per_pixel = ((bps * spp) + 7) / 8; + if (bytes_per_pixel < (bytes_per_sample + 1)) +@@ -9305,7 +9330,7 @@ mirrorImage(uint16_t spp, uint16_t bps, uint16_t mirror, uint32_t width, uint32_ + { + row_offset = row * rowsize; + src = ibuff + row_offset; +- _TIFFmemset (line_buff, '\0', rowsize); ++ _TIFFmemset (line_buff, '\0', rowsize + NUM_BUFF_OVERSIZE_BYTES); + switch (shift_width) + { + case 1: if (reverseSamples16bits(spp, bps, width, src, line_buff)) diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch index 72776f09ba..e79964de55 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch @@ -1,11 +1,12 @@ +From bc71e64b6f4477ed69064802b1252bab904a89b4 Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Tue, 25 Jan 2022 16:25:28 +0000 +Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where + CVE: CVE-2022-22844 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From b12a0326e6064b6e0b051d1184a219877472f69b Mon Sep 17 00:00:00 2001 -From: 4ugustus <wangdw.augustus@qq.com> -Date: Tue, 25 Jan 2022 16:25:28 +0000 -Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where count is required (fixes #355) --- @@ -13,7 +14,7 @@ Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tools/tiffset.c b/tools/tiffset.c -index 8c9e23c5..e7a88c09 100644 +index 8c9e23c..e7a88c0 100644 --- a/tools/tiffset.c +++ b/tools/tiffset.c @@ -146,9 +146,19 @@ main(int argc, char* argv[]) @@ -39,5 +40,3 @@ index 8c9e23c5..e7a88c09 100644 } else if (TIFFFieldWriteCount(fip) > 0 || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) { int ret = 1; --- -2.25.1 diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch index 812ffb232d..2becf53806 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0002-tiffcrop-fix-issue-380-and-382-heap-buffer-overflow-.patch @@ -1,12 +1,13 @@ +From 9b2645d830b4ad004824cf28d81f3b974faf0037 Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Tue, 8 Mar 2022 17:02:44 +0000 +Subject: [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in + CVE: CVE-2022-0891 CVE: CVE-2022-1056 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From e46b49e60fddb2e924302fb1751f79eb9cfb2253 Mon Sep 17 00:00:00 2001 -From: Su Laus <sulau@freenet.de> -Date: Tue, 8 Mar 2022 17:02:44 +0000 -Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in extractImageSection --- @@ -14,7 +15,7 @@ Subject: [PATCH 2/6] tiffcrop: fix issue #380 and #382 heap buffer overflow in 1 file changed, 36 insertions(+), 56 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index b85c2ce7..302a7e91 100644 +index b85c2ce..302a7e9 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -105,8 +105,8 @@ @@ -214,6 +215,3 @@ index b85c2ce7..302a7e91 100644 /* allocate a buffer if we don't have one already */ if (createImageSection(sectsize, sect_buff_ptr)) { --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch index a0b856b9e1..b48a3df1a9 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0003-add-checks-for-return-value-of-limitMalloc-392.patch @@ -1,18 +1,18 @@ +From b4743cc69d2f506e1f1c4db9adc8e58d75805e4d Mon Sep 17 00:00:00 2001 +From: Augustus <wangdw.augustus@qq.com> +Date: Mon, 7 Mar 2022 18:21:49 +0800 +Subject: [PATCH] add checks for return value of limitMalloc (#392) + CVE: CVE-2022-0907 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From a139191cc86f4dc44c74a0f22928e0fb38ed2485 Mon Sep 17 00:00:00 2001 -From: Augustus <wangdw.augustus@qq.com> -Date: Mon, 7 Mar 2022 18:21:49 +0800 -Subject: [PATCH 3/6] add checks for return value of limitMalloc (#392) - --- tools/tiffcrop.c | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c -index 302a7e91..e407bf51 100644 +index 302a7e9..e407bf5 100644 --- a/tools/tiffcrop.c +++ b/tools/tiffcrop.c @@ -7357,7 +7357,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) @@ -88,6 +88,3 @@ index 302a7e91..e407bf51 100644 * End: */ + --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch index 719dabaecc..6f2df44bd5 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0004-TIFFFetchNormalTag-avoid-calling-memcpy-with-a-null-.patch @@ -1,11 +1,12 @@ +From 0343619094bfc7b8e23814f672411b008db2aa66 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null + CVE: CVE-2022-0908 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From ef5a0bf271823df168642444d051528a68205cb0 Mon Sep 17 00:00:00 2001 -From: Even Rouault <even.rouault@spatialys.com> -Date: Thu, 17 Feb 2022 15:28:43 +0100 -Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null source pointer and size of zero (fixes #383) --- @@ -13,10 +14,10 @@ Subject: [PATCH 4/6] TIFFFetchNormalTag(): avoid calling memcpy() with a null 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index d84147a0..4e8ce729 100644 +index d654a1c..a31109a 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c -@@ -5079,7 +5079,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) +@@ -5080,7 +5080,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) _TIFFfree(data); return(0); } @@ -28,6 +29,3 @@ index d84147a0..4e8ce729 100644 o[(uint32_t)dp->tdir_count]=0; if (data!=0) _TIFFfree(data); --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch index 64dbe9ef92..21dc552036 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0005-fix-the-FPE-in-tiffcrop-393.patch @@ -1,18 +1,18 @@ +From e56d66a033b533f26872a20cb2052473962a0f2e Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#393) + CVE: CVE-2022-0909 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From 4768355a074d562177e0a8b551c561d1af7eb74a Mon Sep 17 00:00:00 2001 -From: 4ugustus <wangdw.augustus@qq.com> -Date: Tue, 8 Mar 2022 16:22:04 +0000 -Subject: [PATCH 5/6] fix the FPE in tiffcrop (#393) - --- libtiff/tif_dir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c -index a6c254fc..77da6ea4 100644 +index a6c254f..77da6ea 100644 --- a/libtiff/tif_dir.c +++ b/libtiff/tif_dir.c @@ -335,13 +335,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) @@ -31,6 +31,3 @@ index a6c254fc..77da6ea4 100644 goto badvaluedouble; td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); break; --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch b/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch index afd5e59960..337b84d992 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/0006-fix-heap-buffer-overflow-in-tiffcp-278.patch @@ -1,18 +1,18 @@ +From 2dd282a54e5fccf9b501973e6da5f83ebde8e980 Mon Sep 17 00:00:00 2001 +From: 4ugustus <wangdw.augustus@qq.com> +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) + CVE: CVE-2022-0924 Upstream-Status: Backport Signed-off-by: Ross Burton <ross.burton@arm.com> -From 1074b9691322b1e3671cd8ea0b6b3509d08978fb Mon Sep 17 00:00:00 2001 -From: 4ugustus <wangdw.augustus@qq.com> -Date: Thu, 10 Mar 2022 08:48:00 +0000 -Subject: [PATCH 6/6] fix heap buffer overflow in tiffcp (#278) - --- tools/tiffcp.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index 1f889516..552d8fad 100644 +index 1f88951..552d8fa 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -1661,12 +1661,27 @@ DECLAREwriteFunc(writeBufferToSeparateStrips) @@ -52,6 +52,3 @@ index 1f889516..552d8fad 100644 if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { TIFFError(TIFFFileName(out), "Error, can't write strip %"PRIu32, --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch b/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch index 0b41dde606..e5b34fd258 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/561599c99f987dc32ae110370cfdd7df7975586b.patch @@ -1,4 +1,4 @@ -From 561599c99f987dc32ae110370cfdd7df7975586b Mon Sep 17 00:00:00 2001 +From 7b91458541769f3d7eddc55a39d01730af2489fc Mon Sep 17 00:00:00 2001 From: Even Rouault <even.rouault@spatialys.com> Date: Sat, 5 Feb 2022 20:36:41 +0100 Subject: [PATCH] TIFFReadDirectory(): avoid calling memcpy() with a null @@ -12,10 +12,10 @@ CVE: CVE-2022-0562 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 2bbc4585..23194ced 100644 +index d84147a..ae52ad4 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c -@@ -4177,7 +4177,8 @@ TIFFReadDirectory(TIFF* tif) +@@ -4173,7 +4173,8 @@ TIFFReadDirectory(TIFF* tif) goto bad; } @@ -25,6 +25,3 @@ index 2bbc4585..23194ced 100644 _TIFFsetShortArray(&tif->tif_dir.td_sampleinfo, new_sampleinfo, tif->tif_dir.td_extrasamples); _TIFFfree(new_sampleinfo); } --- -GitLab - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch index 71b85cac10..989ccbfa50 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1354.patch @@ -1,4 +1,4 @@ -From 87881e093691a35c60b91cafed058ba2dd5d9807 Mon Sep 17 00:00:00 2001 +From 281fa3cf0e0e8a44b93478c63d90dbfb64359e88 Mon Sep 17 00:00:00 2001 From: Even Rouault <even.rouault@spatialys.com> Date: Sun, 5 Dec 2021 14:37:46 +0100 Subject: [PATCH] TIFFReadDirectory: fix OJPEG hack (fixes #319) @@ -16,12 +16,13 @@ Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> + --- libtiff/tif_dirread.c | 162 ++++++++++++++++++++++-------------------- 1 file changed, 83 insertions(+), 79 deletions(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 8f434ef5..14c031d1 100644 +index a31109a..d7cccbe 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c @@ -3794,50 +3794,7 @@ TIFFReadDirectory(TIFF* tif) @@ -207,6 +208,3 @@ index 8f434ef5..14c031d1 100644 /* * Make sure all non-color channels are extrasamples. * If it's not the case, define them as such. --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch index e59f5aad55..19ce68dfbc 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-1355.patch @@ -1,4 +1,4 @@ -From fb1db384959698edd6caeea84e28253d272a0f96 Mon Sep 17 00:00:00 2001 +From 19d775e058bf6bb0b0e9c56f406b775f9e725355 Mon Sep 17 00:00:00 2001 From: Su_Laus <sulau@freenet.de> Date: Sat, 2 Apr 2022 22:33:31 +0200 Subject: [PATCH] tiffcp: avoid buffer overflow in "mode" string (fixes #400) @@ -9,12 +9,13 @@ Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> + --- tools/tiffcp.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/tools/tiffcp.c b/tools/tiffcp.c -index fd129bb7..8d944ff6 100644 +index 552d8fa..57eef90 100644 --- a/tools/tiffcp.c +++ b/tools/tiffcp.c @@ -274,19 +274,34 @@ main(int argc, char* argv[]) @@ -57,6 +58,3 @@ index fd129bb7..8d944ff6 100644 break; case 'x': pageInSeq = 1; --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch new file mode 100644 index 0000000000..73905acb17 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch @@ -0,0 +1,129 @@ +From cca32f0d4f3dd2bd73d044bd6991ab3c764fc718 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Sun, 6 Feb 2022 17:53:53 +0100 +Subject: [PATCH] tiffcrop.c: This update fixes also issues #350 and #351. + + Issue 350 is fixed by checking for not allowed zone input cases like -Z 0:0 + in getCropOffsets(). + +CVE: CVE-2022-2867 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> + +--- + tools/tiffcrop.c | 58 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 40 insertions(+), 18 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 4a4ace8..0ef5bb2 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5194,20 +5194,33 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- /* region needs to be within image sizes 0.. width-1; 0..length-1 +- * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ++ /* a) Region needs to be within image sizes 0.. width-1; 0..length-1 ++ * b) Corners are expected to be submitted as top-left to bottom-right. ++ * Therefore, check that and reorder input. ++ * (be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ) + */ +- if (x1 > image->width - 1) ++ uint32_t aux; ++ if (x1 > x2) { ++ aux = x1; ++ x1 = x2; ++ x2 = aux; ++ } ++ if (y1 > y2) { ++ aux = y1; ++ y1 = y2; ++ y2 = aux; ++ } ++ if (x1 > image->width - 1) + crop->regionlist[i].x1 = image->width - 1; +- else if (x1 > 0) +- crop->regionlist[i].x1 = (uint32_t) (x1 - 1); ++ else if (x1 > 0) ++ crop->regionlist[i].x1 = (uint32_t)(x1 - 1); + +- if (x2 > image->width - 1) +- crop->regionlist[i].x2 = image->width - 1; +- else if (x2 > 0) +- crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ if (x2 > image->width - 1) ++ crop->regionlist[i].x2 = image->width - 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); + +- zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + + if (y1 > image->length - 1) + crop->regionlist[i].y1 = image->length - 1; +@@ -5219,8 +5232,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + else if (y2 > 0) + crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + +- zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; +- ++ zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + if (zwidth > max_width) + max_width = zwidth; + if (zlength > max_length) +@@ -5250,7 +5262,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + } + } + return (0); +- } ++ } /* crop_mode == CROP_REGIONS */ + + /* Convert crop margins into offsets into image + * Margins are expressed as pixel rows and columns, not bytes +@@ -5286,7 +5298,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + bmargin = (uint32_t) 0; + return (-1); + } +- } ++ } /* crop_mode == CROP_MARGINS */ + else + { /* no margins requested */ + tmargin = (uint32_t) 0; +@@ -5494,10 +5506,17 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + else + crop->selections = crop->zones; + +- for (i = 0; i < crop->zones; i++) ++ /* Initialize regions iterator i */ ++ i = 0; ++ for (int j = 0; j < crop->zones; j++) + { +- seg = crop->zonelist[i].position; +- total = crop->zonelist[i].total; ++ seg = crop->zonelist[j].position; ++ total = crop->zonelist[j].total; ++ ++ /* check for not allowed zone cases like 0:0; 4:3; etc. and skip that input */ ++ if (seg == 0 || total == 0 || seg > total) { ++ continue; ++ } + + switch (crop->edge_ref) + { +@@ -5626,8 +5645,11 @@ getCropOffsets(struct image_data *image, struct crop_mask *crop, struct dump_opt + i + 1, zwidth, zlength, + crop->regionlist[i].x1, crop->regionlist[i].x2, + crop->regionlist[i].y1, crop->regionlist[i].y2); ++ /* increment regions iterator */ ++ i++; + } +- ++ /* set number of generated regions out of given zones */ ++ crop->selections = i; + return (0); + } /* end getCropOffsets */ + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch new file mode 100644 index 0000000000..bda3427c0f --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch @@ -0,0 +1,84 @@ +From b4cf40182c865db554c6e67034afa6ea12c5554d Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Sun, 6 Feb 2022 10:53:45 +0100 +Subject: [PATCH] tiffcrop.c: Fix issue #352 heap-buffer-overflow by correcting + + uint32_t underflow. + +CVE: CVE-2022-2869 + +Upstream-Status: Backport +[https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> + +--- + tools/tiffcrop.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b9b13d8..4a4ace8 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5194,26 +5194,30 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + y1 = _TIFFClampDoubleToUInt32(crop->corners[i].Y1); + y2 = _TIFFClampDoubleToUInt32(crop->corners[i].Y2); + } +- if (x1 < 1) +- crop->regionlist[i].x1 = 0; +- else ++ /* region needs to be within image sizes 0.. width-1; 0..length-1 ++ * - be aware x,y are already casted to (uint32_t) and avoid (0 - 1) ++ */ ++ if (x1 > image->width - 1) ++ crop->regionlist[i].x1 = image->width - 1; ++ else if (x1 > 0) + crop->regionlist[i].x1 = (uint32_t) (x1 - 1); + +- if (x2 > image->width - 1) +- crop->regionlist[i].x2 = image->width - 1; +- else +- crop->regionlist[i].x2 = (uint32_t) (x2 - 1); ++ if (x2 > image->width - 1) ++ crop->regionlist[i].x2 = image->width - 1; ++ else if (x2 > 0) ++ crop->regionlist[i].x2 = (uint32_t)(x2 - 1); ++ + zwidth = crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; + +- if (y1 < 1) +- crop->regionlist[i].y1 = 0; +- else +- crop->regionlist[i].y1 = (uint32_t) (y1 - 1); ++ if (y1 > image->length - 1) ++ crop->regionlist[i].y1 = image->length - 1; ++ else if (y1 > 0) ++ crop->regionlist[i].y1 = (uint32_t)(y1 - 1); + + if (y2 > image->length - 1) + crop->regionlist[i].y2 = image->length - 1; +- else +- crop->regionlist[i].y2 = (uint32_t) (y2 - 1); ++ else if (y2 > 0) ++ crop->regionlist[i].y2 = (uint32_t)(y2 - 1); + + zlength = crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; + +@@ -5376,7 +5380,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + crop_width = endx - startx + 1; + crop_length = endy - starty + 1; + +- if (crop_width <= 0) ++ if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); +@@ -5385,7 +5389,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + if (crop_width > image->width) + crop_width = image->width; + +- if (crop_length <= 0) ++ if (endy + 1 <= starty) + { + TIFFError("computeInputPixelOffsets", + "Invalid top/bottom margins and /or image crop length requested"); diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch new file mode 100644 index 0000000000..92906521b0 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-2953.patch @@ -0,0 +1,87 @@ +From 05ef5e05a0b8d18ab075e09b1ea349acc0035e67 Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Mon, 15 Aug 2022 22:11:03 +0200 +Subject: [PATCH] tiffcrop: disable incompatibility of -S + +CVE: CVE-2022-2953 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> +Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com> + +According to Richard Nolde +https://gitlab.com/libtiff/libtiff/-/issues/401#note_877637400 the +tiffcrop option "-S" is also mutually exclusive to the other crop +options (-X|-Y), -Z and -z. + +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is now checked and ends tiffcrop if those arguments are not mutually exclusive. + +This MR will fix the following tiffcrop issues: #349, #414, #422, #423, #424 + +--- + tools/tiffcrop.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index b596f9e..8af85c9 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -173,12 +173,12 @@ static char tiffcrop_rev_date[] = "02-09-2022"; + #define ROTATECW_270 32 + #define ROTATE_ANY (ROTATECW_90 | ROTATECW_180 | ROTATECW_270) + +-#define CROP_NONE 0 +-#define CROP_MARGINS 1 +-#define CROP_WIDTH 2 +-#define CROP_LENGTH 4 +-#define CROP_ZONES 8 +-#define CROP_REGIONS 16 ++#define CROP_NONE 0 /* "-S" -> Page_MODE_ROWSCOLS and page->rows/->cols != 0 */ ++#define CROP_MARGINS 1 /* "-m" */ ++#define CROP_WIDTH 2 /* "-X" */ ++#define CROP_LENGTH 4 /* "-Y" */ ++#define CROP_ZONES 8 /* "-Z" */ ++#define CROP_REGIONS 16 /* "-z" */ + #define CROP_ROTATE 32 + #define CROP_MIRROR 64 + #define CROP_INVERT 128 +@@ -316,7 +316,7 @@ struct crop_mask { + #define PAGE_MODE_RESOLUTION 1 + #define PAGE_MODE_PAPERSIZE 2 + #define PAGE_MODE_MARGINS 4 +-#define PAGE_MODE_ROWSCOLS 8 ++#define PAGE_MODE_ROWSCOLS 8 /* for -S option */ + + #define INVERT_DATA_ONLY 10 + #define INVERT_DATA_AND_TAG 11 +@@ -781,7 +781,7 @@ static const char usage_info[] = + " The four debug/dump options are independent, though it makes little sense to\n" + " specify a dump file without specifying a detail level.\n" + "\n" +-"Note: The (-X|-Y), -Z and -z options are mutually exclusive.\n" ++"Note: The (-X|-Y), -Z, -z and -S options are mutually exclusive.\n" + " In no case should the options be applied to a given selection successively.\n" + "\n" + ; +@@ -2133,13 +2133,14 @@ void process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32 + /*NOTREACHED*/ + } + } +- /*-- Check for not allowed combinations (e.g. -X, -Y and -Z and -z are mutually exclusive) --*/ +- char XY, Z, R; ++ /*-- Check for not allowed combinations (e.g. -X, -Y and -Z, -z and -S are mutually exclusive) --*/ ++ char XY, Z, R, S; + XY = ((crop_data->crop_mode & CROP_WIDTH) || (crop_data->crop_mode & CROP_LENGTH)); + Z = (crop_data->crop_mode & CROP_ZONES); + R = (crop_data->crop_mode & CROP_REGIONS); +- if ((XY && Z) || (XY && R) || (Z && R)) { +- TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z and -z are mutually exclusive.->Exit"); ++ S = (page->mode & PAGE_MODE_ROWSCOLS); ++ if ((XY && Z) || (XY && R) || (XY && S) || (Z && R) || (Z && S) || (R && S)) { ++ TIFFError("tiffcrop input error", "The crop options(-X|-Y), -Z, -z and -S are mutually exclusive.->Exit"); + exit(EXIT_FAILURE); + } + } /* end process_command_opts */ diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch index 48ca56982f..f3f8121735 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-34526.patch @@ -1,4 +1,4 @@ -From 3fc1fdda0068981340cc7ae136173731275e2c5e Mon Sep 17 00:00:00 2001 +From 786a8b6fd1384c6e20c17729822d1f61ed569320 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati <hprajapati@mvista.com> Date: Thu, 18 Aug 2022 10:46:30 +0530 Subject: [PATCH] CVE-2022-34526 @@ -6,6 +6,7 @@ Subject: [PATCH] CVE-2022-34526 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990] CVE: CVE-2022-34526 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + --- libtiff/tif_dirinfo.c | 3 +++ 1 file changed, 3 insertions(+) @@ -24,6 +25,3 @@ index 8565dfb..0f722a5 100644 /* Check if codec specific tags are allowed for the current * compression scheme (codec) */ switch (tif->tif_dir.td_compression) { --- -2.25.1 - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch new file mode 100644 index 0000000000..3779ebf646 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-3970.patch @@ -0,0 +1,38 @@ +From 11c8026913e190b02266c1247e7a770e488d925e Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 8 Nov 2022 15:16:58 +0100 +Subject: [PATCH] TIFFReadRGBATileExt(): fix (unsigned) integer overflow on + strips/tiles > 2 GB + +Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 +Upstream-Status: Accepted + +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + libtiff/tif_getimage.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c +index a1b6570b..9a2e0c59 100644 +--- a/libtiff/tif_getimage.c ++++ b/libtiff/tif_getimage.c +@@ -3058,15 +3058,15 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t col, uint32_t row, uint32_t * raster, in + return( ok ); + + for( i_row = 0; i_row < read_ysize; i_row++ ) { +- memmove( raster + (tile_ysize - i_row - 1) * tile_xsize, +- raster + (read_ysize - i_row - 1) * read_xsize, ++ memmove( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, ++ raster + (size_t)(read_ysize - i_row - 1) * read_xsize, + read_xsize * sizeof(uint32_t) ); +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize+read_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize+read_xsize, + 0, sizeof(uint32_t) * (tile_xsize - read_xsize) ); + } + + for( i_row = read_ysize; i_row < tile_ysize; i_row++ ) { +- _TIFFmemset( raster + (tile_ysize - i_row - 1) * tile_xsize, ++ _TIFFmemset( raster + (size_t)(tile_ysize - i_row - 1) * tile_xsize, + 0, sizeof(uint32_t) * tile_xsize ); + } + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch new file mode 100644 index 0000000000..4f8dc35251 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2022-48281.patch @@ -0,0 +1,26 @@ +From 97d65859bc29ee334012e9c73022d8a8e55ed586 Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Sat, 21 Jan 2023 15:58:10 +0000 +Subject: [PATCH] tiffcrop: Correct simple copy paste error. Fix #488. + + +Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.2.0-1+deb11u4.debian.tar.xz] +CVE: CVE-2022-48281 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + tools/tiffcrop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: tiff-4.2.0/tools/tiffcrop.c +=================================================================== +--- tiff-4.2.0.orig/tools/tiffcrop.c ++++ tiff-4.2.0/tools/tiffcrop.c +@@ -7516,7 +7516,7 @@ processCropSelections(struct image_data + crop_buff = (unsigned char *)limitMalloc(cropsize + NUM_BUFF_OVERSIZE_BYTES); + else + { +- prev_cropsize = seg_buffs[0].size; ++ prev_cropsize = seg_buffs[1].size; + if (prev_cropsize < cropsize) + { + next_buff = _TIFFrealloc(crop_buff, cropsize + NUM_BUFF_OVERSIZE_BYTES); diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch new file mode 100644 index 0000000000..8372bc35f2 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/CVE-2023-0800_0801_0802_0803_0804.patch @@ -0,0 +1,128 @@ +From 82a7fbb1fa7228499ffeb3a57a1d106a9626d57c Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Sun, 5 Feb 2023 15:53:15 +0000 +Subject: [PATCH] tiffcrop: added check for assumption on composite images + (fixes #496) + +tiffcrop: For composite images with more than one region, the combined_length or combined_width always needs to be equal, respectively. Otherwise, even the first section/region copy action might cause buffer overrun. This is now checked before the first copy action. + +Closes #496, #497, #498, #500, #501. + +Upstream-Status: Backport [import from fedora https://src.fedoraproject.org/rpms/libtiff/c/91856895aadf3cce6353f40c2feef9bf0b486440 ] +CVE: CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + tools/tiffcrop.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 66 insertions(+), 2 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 84e26ac6..480b927c 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5329,18 +5329,39 @@ + + crop->regionlist[i].buffsize = buffsize; + crop->bufftotal += buffsize; ++ /* For composite images with more than one region, the ++ * combined_length or combined_width always needs to be equal, ++ * respectively. ++ * Otherwise, even the first section/region copy ++ * action might cause buffer overrun. */ + if (crop->img_mode == COMPOSITE_IMAGES) + { + switch (crop->edge_ref) + { + case EDGE_LEFT: + case EDGE_RIGHT: ++ if (i > 0 && zlength != crop->combined_length) ++ { ++ TIFFError( ++ "computeInputPixelOffsets", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (-1); ++ } + crop->combined_length = zlength; + crop->combined_width += zwidth; + break; + case EDGE_BOTTOM: + case EDGE_TOP: /* width from left, length from top */ + default: ++ if (i > 0 && zwidth != crop->combined_width) ++ { ++ TIFFError("computeInputPixelOffsets", ++ "Only equal width regions can be " ++ "combined for -E " ++ "top or bottom"); ++ return (-1); ++ } + crop->combined_width = zwidth; + crop->combined_length += zlength; + break; +@@ -6546,6 +6567,46 @@ + crop->combined_width = 0; + crop->combined_length = 0; + ++ /* If there is more than one region, check beforehand whether all the width ++ * and length values of the regions are the same, respectively. */ ++ switch (crop->edge_ref) ++ { ++ default: ++ case EDGE_TOP: ++ case EDGE_BOTTOM: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_width0 = ++ crop->regionlist[i - 1].x2 - crop->regionlist[i - 1].x1 + 1; ++ uint32_t crop_width1 = ++ crop->regionlist[i].x2 - crop->regionlist[i].x1 + 1; ++ if (crop_width0 != crop_width1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal width regions can be combined for -E " ++ "top or bottom"); ++ return (1); ++ } ++ } ++ break; ++ case EDGE_LEFT: ++ case EDGE_RIGHT: ++ for (i = 1; i < crop->selections; i++) ++ { ++ uint32_t crop_length0 = ++ crop->regionlist[i - 1].y2 - crop->regionlist[i - 1].y1 + 1; ++ uint32_t crop_length1 = ++ crop->regionlist[i].y2 - crop->regionlist[i].y1 + 1; ++ if (crop_length0 != crop_length1) ++ { ++ TIFFError("extractCompositeRegions", ++ "Only equal length regions can be combined for " ++ "-E left or right"); ++ return (1); ++ } ++ } ++ } ++ + for (i = 0; i < crop->selections; i++) + { + /* rows, columns, width, length are expressed in pixels */ +@@ -6570,7 +6631,8 @@ + default: + case EDGE_TOP: + case EDGE_BOTTOM: +- if ((i > 0) && (crop_width != crop->regionlist[i - 1].width)) ++ if ((crop->selections > i + 1) && ++ (crop_width != crop->regionlist[i + 1].width)) + { + TIFFError ("extractCompositeRegions", + "Only equal width regions can be combined for -E top or bottom"); +@@ -6651,7 +6713,8 @@ + break; + case EDGE_LEFT: /* splice the pieces of each row together, side by side */ + case EDGE_RIGHT: +- if ((i > 0) && (crop_length != crop->regionlist[i - 1].length)) ++ if ((crop->selections > i + 1) && ++ (crop_length != crop->regionlist[i + 1].length)) + { + TIFFError ("extractCompositeRegions", + "Only equal length regions can be combined for -E left or right"); diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch b/poky/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch new file mode 100644 index 0000000000..83d5db7fc6 --- /dev/null +++ b/poky/meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch @@ -0,0 +1,46 @@ +From fb89eab3ed46bbb0276bdee05b570455f6a27d2f Mon Sep 17 00:00:00 2001 +From: Su_Laus <sulau@freenet.de> +Date: Sun, 6 Feb 2022 19:52:17 +0100 +Subject: [PATCH] Move the crop_width and crop_length computation after the + sanity check to avoid warnings when built with + -fsanitize=unsigned-integer-overflow. + +Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903?merge_request_iid=294] + +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> + +CVE: CVE-2022-2868 + +--- + tools/tiffcrop.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index 0ef5bb2..99e4208 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -5389,15 +5389,13 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + off->endx = endx; + off->endy = endy; + +- crop_width = endx - startx + 1; +- crop_length = endy - starty + 1; +- + if (endx + 1 <= startx) + { + TIFFError("computeInputPixelOffsets", + "Invalid left/right margins and /or image crop width requested"); + return (-1); + } ++ crop_width = endx - startx + 1; + if (crop_width > image->width) + crop_width = image->width; + +@@ -5407,6 +5405,7 @@ computeInputPixelOffsets(struct crop_mask *crop, struct image_data *image, + "Invalid top/bottom margins and /or image crop length requested"); + return (-1); + } ++ crop_length = endy - starty + 1; + if (crop_length > image->length) + crop_length = image->length; + diff --git a/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch b/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch index 74f9649fdf..5a84491711 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch +++ b/poky/meta/recipes-multimedia/libtiff/tiff/eecb0712f4c3a5b449f70c57988260a667ddbdef.patch @@ -1,4 +1,4 @@ -From eecb0712f4c3a5b449f70c57988260a667ddbdef Mon Sep 17 00:00:00 2001 +From 895867b72bd6c46da79de1a07d0993cd104e92cd Mon Sep 17 00:00:00 2001 From: Even Rouault <even.rouault@spatialys.com> Date: Sun, 6 Feb 2022 13:08:38 +0100 Subject: [PATCH] TIFFFetchStripThing(): avoid calling memcpy() with a null @@ -12,10 +12,10 @@ CVE: CVE-2022-0561 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c -index 23194ced..50ebf8ac 100644 +index ae52ad4..d654a1c 100644 --- a/libtiff/tif_dirread.c +++ b/libtiff/tif_dirread.c -@@ -5777,8 +5777,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l +@@ -5766,8 +5766,9 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEntry* dir, uint32_t nstrips, uint64_t** l _TIFFfree(data); return(0); } @@ -27,6 +27,3 @@ index 23194ced..50ebf8ac 100644 _TIFFfree(data); data=resizeddata; } --- -GitLab - diff --git a/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index b5ccd859f3..4bd485a10a 100644 --- a/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/poky/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -22,6 +22,18 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2022-1354.patch \ file://CVE-2022-1355.patch \ file://CVE-2022-34526.patch \ + file://CVE-2022-2869.patch \ + file://CVE-2022-2867.patch \ + file://b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch \ + file://0001-tiffcrop-Fix-issue-330-and-some-more-from-320-to-349.patch \ + file://CVE-2022-2953.patch \ + file://CVE-2022-3970.patch \ + file://0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch \ + file://0001-tiffcrop-S-option-Make-decision-simpler.patch \ + file://0001-tiffcrop-disable-incompatibility-of-Z-X-Y-z-options-.patch \ + file://0001-tiffcrop-subroutines-require-a-larger-buffer-fixes-2.patch \ + file://CVE-2022-48281.patch \ + file://CVE-2023-0800_0801_0802_0803_0804.patch \ " SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8" @@ -35,7 +47,6 @@ CVE_CHECK_IGNORE += "CVE-2015-7313" # These issues only affect libtiff post-4.3.0 but before 4.4.0, # caused by 3079627e and fixed by b4e79bfa. CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623" - # Issue is in jbig which we don't enable CVE_CHECK_IGNORE += "CVE-2022-1210" @@ -51,6 +62,7 @@ PACKAGECONFIG[jbig] = "--enable-jbig,--disable-jbig,jbig," PACKAGECONFIG[jpeg] = "--enable-jpeg,--disable-jpeg,jpeg," PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib," PACKAGECONFIG[lzma] = "--enable-lzma,--disable-lzma,xz," +PACKAGECONFIG[webp] = "--enable-webp,--disable-webp,libwebp," # Convert single-strip uncompressed images to multiple strips of specified # size (default: 8192) to reduce memory usage diff --git a/poky/meta/recipes-sato/webkit/webkitgtk_2.36.7.bb b/poky/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 026e24ae39..7b2c5c6e36 100644 --- a/poky/meta/recipes-sato/webkit/webkitgtk_2.36.7.bb +++ b/poky/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb @@ -9,14 +9,14 @@ LIC_FILES_CHKSUM = "file://Source/JavaScriptCore/COPYING.LIB;md5=d0c6d6397a5d842 file://Source/WebCore/LICENSE-LGPL-2.1;md5=a778a33ef338abbaf8b8a7c36b6eec80 \ " -SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \ +SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \ file://0001-FindGObjectIntrospection.cmake-prefix-variables-obta.patch \ file://0001-Tweak-gtkdoc-settings-so-that-gtkdoc-generation-work.patch \ file://0001-Fix-build-without-opengl-or-es.patch \ file://reproducibility.patch \ file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \ " -SRC_URI[sha256sum] = "0c260cf2b32f0481d017670dfed1b61e554967cd067195606c9f9eb5fe731743" +SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437" inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gtk-doc diff --git a/poky/meta/recipes-sato/webkit/wpebackend-fdo_1.12.1.bb b/poky/meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb index 5f776c13e6..708201043b 100644 --- a/poky/meta/recipes-sato/webkit/wpebackend-fdo_1.12.1.bb +++ b/poky/meta/recipes-sato/webkit/wpebackend-fdo_1.14.0.bb @@ -13,7 +13,7 @@ inherit meson features_check pkgconfig REQUIRED_DISTRO_FEATURES = "opengl" SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "45aa833c44ec292f31fa943b01b8cc75e54eb623ad7ba6a66fc2f118fe69e629" +SRC_URI[sha256sum] = "e75b0cb2c7145448416e8696013d8883f675c66c11ed750e06865efec5809155" # Especially helps compiling with clang which enable this as error when # using c++11 diff --git a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch b/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch deleted file mode 100644 index 6f27876a7f..0000000000 --- a/poky/meta/recipes-support/apr/apr-util/0001-Fix-error-handling-in-gdbm.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 6b638fa9afbeb54dfa19378e391465a5284ce1ad Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Wed, 12 Sep 2018 17:16:36 +0800 -Subject: [PATCH] Fix error handling in gdbm - -Only check for gdbm_errno if the return value of the called gdbm_* -function says so. This fixes apr-util with gdbm 1.14, which does not -seem to always reset gdbm_errno. - -Also make the gdbm driver return error codes starting with -APR_OS_START_USEERR instead of always returning APR_EGENERAL. This is -what the berkleydb driver already does. - -Also ensure that dsize is 0 if dptr == NULL. - -Upstream-Status: Backport [https://svn.apache.org/viewvc?view=revision&revision=1825311] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - dbm/apr_dbm_gdbm.c | 47 +++++++++++++++++++++++++++++------------------ - 1 file changed, 29 insertions(+), 18 deletions(-) - -diff --git a/dbm/apr_dbm_gdbm.c b/dbm/apr_dbm_gdbm.c -index 749447a..1c86327 100644 ---- a/dbm/apr_dbm_gdbm.c -+++ b/dbm/apr_dbm_gdbm.c -@@ -36,13 +36,25 @@ - static apr_status_t g2s(int gerr) - { - if (gerr == -1) { -- /* ### need to fix this */ -- return APR_EGENERAL; -+ if (gdbm_errno == GDBM_NO_ERROR) -+ return APR_SUCCESS; -+ return APR_OS_START_USEERR + gdbm_errno; - } - - return APR_SUCCESS; - } - -+static apr_status_t gdat2s(datum d) -+{ -+ if (d.dptr == NULL) { -+ if (gdbm_errno == GDBM_NO_ERROR || gdbm_errno == GDBM_ITEM_NOT_FOUND) -+ return APR_SUCCESS; -+ return APR_OS_START_USEERR + gdbm_errno; -+ } -+ -+ return APR_SUCCESS; -+} -+ - static apr_status_t datum_cleanup(void *dptr) - { - if (dptr) -@@ -53,22 +65,15 @@ static apr_status_t datum_cleanup(void *dptr) - - static apr_status_t set_error(apr_dbm_t *dbm, apr_status_t dbm_said) - { -- apr_status_t rv = APR_SUCCESS; - -- /* ### ignore whatever the DBM said (dbm_said); ask it explicitly */ -+ dbm->errcode = dbm_said; - -- if ((dbm->errcode = gdbm_errno) == GDBM_NO_ERROR) { -+ if (dbm_said == APR_SUCCESS) - dbm->errmsg = NULL; -- } -- else { -- dbm->errmsg = gdbm_strerror(gdbm_errno); -- rv = APR_EGENERAL; /* ### need something better */ -- } -- -- /* captured it. clear it now. */ -- gdbm_errno = GDBM_NO_ERROR; -+ else -+ dbm->errmsg = gdbm_strerror(dbm_said - APR_OS_START_USEERR); - -- return rv; -+ return dbm_said; - } - - /* -------------------------------------------------------------------------- -@@ -107,7 +112,7 @@ static apr_status_t vt_gdbm_open(apr_dbm_t **pdb, const char *pathname, - NULL); - - if (file == NULL) -- return APR_EGENERAL; /* ### need a better error */ -+ return APR_OS_START_USEERR + gdbm_errno; /* ### need a better error */ - - /* we have an open database... return it */ - *pdb = apr_pcalloc(pool, sizeof(**pdb)); -@@ -141,10 +146,12 @@ static apr_status_t vt_gdbm_fetch(apr_dbm_t *dbm, apr_datum_t key, - if (pvalue->dptr) - apr_pool_cleanup_register(dbm->pool, pvalue->dptr, datum_cleanup, - apr_pool_cleanup_null); -+ else -+ pvalue->dsize = 0; - - /* store the error info into DBM, and return a status code. Also, note - that *pvalue should have been cleared on error. */ -- return set_error(dbm, APR_SUCCESS); -+ return set_error(dbm, gdat2s(rd)); - } - - static apr_status_t vt_gdbm_store(apr_dbm_t *dbm, apr_datum_t key, -@@ -201,9 +208,11 @@ static apr_status_t vt_gdbm_firstkey(apr_dbm_t *dbm, apr_datum_t *pkey) - if (pkey->dptr) - apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, - apr_pool_cleanup_null); -+ else -+ pkey->dsize = 0; - - /* store any error info into DBM, and return a status code. */ -- return set_error(dbm, APR_SUCCESS); -+ return set_error(dbm, gdat2s(rd)); - } - - static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) -@@ -221,9 +230,11 @@ static apr_status_t vt_gdbm_nextkey(apr_dbm_t *dbm, apr_datum_t *pkey) - if (pkey->dptr) - apr_pool_cleanup_register(dbm->pool, pkey->dptr, datum_cleanup, - apr_pool_cleanup_null); -+ else -+ pkey->dsize = 0; - - /* store any error info into DBM, and return a status code. */ -- return set_error(dbm, APR_SUCCESS); -+ return set_error(dbm, gdat2s(rd)); - } - - static void vt_gdbm_freedatum(apr_dbm_t *dbm, apr_datum_t data) --- -2.7.4 - diff --git a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb b/poky/meta/recipes-support/apr/apr-util_1.6.3.bb index b851d46351..7c6fcc699b 100644 --- a/poky/meta/recipes-support/apr/apr-util_1.6.1.bb +++ b/poky/meta/recipes-support/apr/apr-util_1.6.3.bb @@ -13,11 +13,9 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.gz \ file://configfix.patch \ file://configure_fixes.patch \ file://run-ptest \ - file://0001-Fix-error-handling-in-gdbm.patch \ -" + " -SRC_URI[md5sum] = "bd502b9a8670a8012c4d90c31a84955f" -SRC_URI[sha256sum] = "b65e40713da57d004123b6319828be7f1273fbc6490e145874ee1177e112c459" +SRC_URI[sha256sum] = "2b74d8932703826862ca305b094eef2983c27b39d5c9414442e9976a9acf1983" EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ --without-odbc \ diff --git a/poky/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch b/poky/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch index abff4e9331..a274f3a16e 100644 --- a/poky/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch +++ b/poky/meta/recipes-support/apr/apr/0001-Add-option-to-disable-timed-dependant-tests.patch @@ -1,14 +1,15 @@ -From 2bbe20b4f69e84e7a18bc79d382486953f479328 Mon Sep 17 00:00:00 2001 +From 225abf37cd0b49960664b59f08e515a4c4ea5ad0 Mon Sep 17 00:00:00 2001 From: Jeremy Puhlman <jpuhlman@mvista.com> Date: Thu, 26 Mar 2020 18:30:36 +0000 Subject: [PATCH] Add option to disable timed dependant tests -The disabled tests rely on timing to pass correctly. On a virtualized +The disabled tests rely on timing to pass correctly. On a virtualized system under heavy load, these tests randomly fail because they miss a timer or other timing related issues. Upstream-Status: Pending Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> + --- configure.in | 6 ++++++ include/apr.h.in | 1 + @@ -16,10 +17,10 @@ Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com> 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/configure.in b/configure.in -index d9f32d6..f0c5661 100644 +index bfd488b..3663220 100644 --- a/configure.in +++ b/configure.in -@@ -2886,6 +2886,12 @@ AC_ARG_ENABLE(timedlocks, +@@ -3023,6 +3023,12 @@ AC_ARG_ENABLE(timedlocks, ) AC_SUBST(apr_has_timedlocks) @@ -45,10 +46,10 @@ index ee99def..c46a5f4 100644 #define APR_PROCATTR_USER_SET_REQUIRES_PASSWORD @apr_procattr_user_set_requires_password@ diff --git a/test/testlock.c b/test/testlock.c -index a43f477..6233d0b 100644 +index e3437c1..04e01b9 100644 --- a/test/testlock.c +++ b/test/testlock.c -@@ -396,13 +396,13 @@ abts_suite *testlock(abts_suite *suite) +@@ -535,7 +535,7 @@ abts_suite *testlock(abts_suite *suite) abts_run_test(suite, threads_not_impl, NULL); #else abts_run_test(suite, test_thread_mutex, NULL); @@ -56,6 +57,8 @@ index a43f477..6233d0b 100644 +#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS abts_run_test(suite, test_thread_timedmutex, NULL); #endif + abts_run_test(suite, test_thread_nestedmutex, NULL); +@@ -543,7 +543,7 @@ abts_suite *testlock(abts_suite *suite) abts_run_test(suite, test_thread_rwlock, NULL); abts_run_test(suite, test_cond, NULL); abts_run_test(suite, test_timeoutcond, NULL); @@ -63,7 +66,4 @@ index a43f477..6233d0b 100644 +#if APR_HAS_TIMEDLOCKS && APR_HAVE_TIME_DEPENDANT_TESTS abts_run_test(suite, test_timeoutmutex, NULL); #endif - #endif --- -2.23.0 - + #ifdef WIN32 diff --git a/poky/meta/recipes-support/apr/apr/0001-add-AC_CACHE_CHECK-for-strerror_r-return-type.patch b/poky/meta/recipes-support/apr/apr/0001-add-AC_CACHE_CHECK-for-strerror_r-return-type.patch deleted file mode 100644 index d0a9bd9129..0000000000 --- a/poky/meta/recipes-support/apr/apr/0001-add-AC_CACHE_CHECK-for-strerror_r-return-type.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 8ca3c3306f1a149e51a3be6a4b1e47e9aee88262 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Tue, 23 Aug 2022 22:42:03 -0700 -Subject: [PATCH] add AC_CACHE_CHECK for strerror_r return type - -APR's configure script uses AC_TRY_RUN to detect whether the return type -of strerror_r is int. When cross-compiling this defaults to no. - -This commit adds an AC_CACHE_CHECK so users who cross-compile APR may -influence the outcome with a configure variable. - -Upstream-Status: Backport [https://svn.apache.org/viewvc?view=revision&revision=1875065] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - build/apr_common.m4 | 11 ++++------- - 1 file changed, 4 insertions(+), 7 deletions(-) - -diff --git a/build/apr_common.m4 b/build/apr_common.m4 -index cbf2a4c..42e75cf 100644 ---- a/build/apr_common.m4 -+++ b/build/apr_common.m4 -@@ -525,8 +525,9 @@ dnl string. - dnl - dnl - AC_DEFUN([APR_CHECK_STRERROR_R_RC], [ --AC_MSG_CHECKING(for type of return code from strerror_r) --AC_TRY_RUN([ -+AC_CACHE_CHECK([whether return code from strerror_r has type int], -+[ac_cv_strerror_r_rc_int], -+[AC_TRY_RUN([ - #include <errno.h> - #include <string.h> - #include <stdio.h> -@@ -542,14 +543,10 @@ main() - }], [ - ac_cv_strerror_r_rc_int=yes ], [ - ac_cv_strerror_r_rc_int=no ], [ -- ac_cv_strerror_r_rc_int=no ] ) -+ ac_cv_strerror_r_rc_int=no ] ) ] ) - if test "x$ac_cv_strerror_r_rc_int" = xyes; then - AC_DEFINE(STRERROR_R_RC_INT, 1, [Define if strerror returns int]) -- msg="int" --else -- msg="pointer" - fi --AC_MSG_RESULT([$msg]) - ] ) - - dnl --- -2.37.2 - diff --git a/poky/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/poky/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch index fa6202da79..a78b16284f 100644 --- a/poky/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch +++ b/poky/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch @@ -1,4 +1,4 @@ -From ee728971fd9d2da39356f1574d58d5daa3b24520 Mon Sep 17 00:00:00 2001 +From 316b81c462f065927d7fec56aadd5c8cb94d1cf0 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Fri, 26 Aug 2022 00:28:08 -0700 Subject: [PATCH] configure: Remove runtime test for mmap that can map @@ -10,24 +10,25 @@ mutexes Upstream-Status: Inappropriate [Cross-compile specific] Signed-off-by: Khem Raj <raj.khem@gmail.com> + --- - configure.in | 32 -------------------------------- - 1 file changed, 32 deletions(-) + configure.in | 30 ------------------------------ + 1 file changed, 30 deletions(-) diff --git a/configure.in b/configure.in -index a99049d..f1f55c7 100644 +index 3663220..dce9789 100644 --- a/configure.in +++ b/configure.in -@@ -1182,38 +1182,6 @@ AC_CHECK_FUNCS([mmap munmap shm_open shm_unlink shmget shmat shmdt shmctl \ +@@ -1303,36 +1303,6 @@ AC_CHECK_FUNCS([mmap munmap shm_open shm_unlink shmget shmat shmdt shmctl \ APR_CHECK_DEFINE(MAP_ANON, sys/mman.h) AC_CHECK_FILE(/dev/zero) -# Not all systems can mmap /dev/zero (such as HP-UX). Check for that. -if test "$ac_cv_func_mmap" = "yes" && -- test "$ac_cv_file__dev_zero" = "yes"; then -- AC_MSG_CHECKING(for mmap that can map /dev/zero) -- AC_TRY_RUN([ --#include <sys/types.h> +- test "$ac_cv_file__dev_zero" = "yes"; then +- AC_CACHE_CHECK([for mmap that can map /dev/zero], +- [ac_cv_mmap__dev_zero], +- [AC_TRY_RUN([#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#ifdef HAVE_SYS_MMAN_H @@ -49,14 +50,9 @@ index a99049d..f1f55c7 100644 - return 3; - } - return 0; -- }], [], [ac_cv_file__dev_zero=no], [ac_cv_file__dev_zero=no]) -- -- AC_MSG_RESULT($ac_cv_file__dev_zero) +- }], [], [ac_cv_file__dev_zero=no], [ac_cv_file__dev_zero=no])]) -fi - # Now we determine which one is our anonymous shmem preference. haveshmgetanon="0" havemmapzero="0" --- -2.37.2 - diff --git a/poky/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch b/poky/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch index 72e706f966..d63423f3a1 100644 --- a/poky/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch +++ b/poky/meta/recipes-support/apr/apr/0002-apr-Remove-workdir-path-references-from-installed-ap.patch @@ -1,8 +1,7 @@ -From 5925b20da8bbc34d9bf5a5dca123ef38864d43c6 Mon Sep 17 00:00:00 2001 +From 689a8db96a6d1e1cae9cbfb35d05ac82140a6555 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Tue, 30 Jan 2018 09:39:06 +0800 -Subject: [PATCH 2/7] apr: Remove workdir path references from installed apr - files +Subject: [PATCH] apr: Remove workdir path references from installed apr files Upstream-Status: Inappropriate [configuration] @@ -14,20 +13,23 @@ packages at target run time, the workdir path caused confusion. Rebase to 1.6.3 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + --- - apr-config.in | 26 ++------------------------ - 1 file changed, 2 insertions(+), 24 deletions(-) + apr-config.in | 32 ++------------------------------ + 1 file changed, 2 insertions(+), 30 deletions(-) diff --git a/apr-config.in b/apr-config.in -index 84b4073..bbbf651 100644 +index bed47ca..47874e5 100644 --- a/apr-config.in +++ b/apr-config.in -@@ -152,14 +152,7 @@ while test $# -gt 0; do +@@ -164,16 +164,7 @@ while test $# -gt 0; do flags="$flags $LDFLAGS" ;; --includes) - if test "$location" = "installed"; then flags="$flags -I$includedir $EXTRA_INCLUDES" +- elif test "$location" = "crosscompile"; then +- flags="$flags -I$APR_TARGET_DIR/$includedir $EXTRA_INCLUDES" - elif test "$location" = "source"; then - flags="$flags -I$APR_SOURCE_DIR/include $EXTRA_INCLUDES" - else @@ -37,13 +39,15 @@ index 84b4073..bbbf651 100644 ;; --srcdir) echo $APR_SOURCE_DIR -@@ -181,29 +174,14 @@ while test $# -gt 0; do +@@ -197,33 +188,14 @@ while test $# -gt 0; do exit 0 ;; --link-ld) - if test "$location" = "installed"; then - ### avoid using -L if libdir is a "standard" location like /usr/lib - flags="$flags -L$libdir -l${APR_LIBNAME}" +- elif test "$location" = "crosscompile"; then +- flags="$flags -L$APR_TARGET_DIR/$libdir -l${APR_LIBNAME}" - else - ### this surely can't work since the library is in .libs? - flags="$flags -L$APR_BUILD_DIR -l${APR_LIBNAME}" @@ -62,6 +66,8 @@ index 84b4073..bbbf651 100644 - # Since the user is specifying they are linking with libtool, we - # *know* that -R will be recognized by libtool. - flags="$flags -L$libdir -R$libdir -l${APR_LIBNAME}" +- elif test "$location" = "crosscompile"; then +- flags="$flags -L${APR_TARGET_DIR}/$libdir -l${APR_LIBNAME}" - else - flags="$flags $LA_FILE" - fi @@ -69,6 +75,3 @@ index 84b4073..bbbf651 100644 ;; --shlib-path-var) echo "$SHLIBPATH_VAR" --- -1.8.3.1 - diff --git a/poky/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch b/poky/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch deleted file mode 100644 index 4dd53bd8eb..0000000000 --- a/poky/meta/recipes-support/apr/apr/0003-Makefile.in-configure.in-support-cross-compiling.patch +++ /dev/null @@ -1,63 +0,0 @@ -From d5028c10f156c224475b340cfb1ba025d6797243 Mon Sep 17 00:00:00 2001 -From: Hongxu Jia <hongxu.jia@windriver.com> -Date: Fri, 2 Feb 2018 15:51:42 +0800 -Subject: [PATCH 3/7] Makefile.in/configure.in: support cross compiling - -While cross compiling, the tools/gen_test_char could not -be executed at build time, use AX_PROG_CC_FOR_BUILD to -build native tools/gen_test_char - -Upstream-Status: Submitted [https://github.com/apache/apr/pull/8] - -Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> ---- - Makefile.in | 10 +++------- - configure.in | 3 +++ - 2 files changed, 6 insertions(+), 7 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 5fb760e..8675f90 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -46,7 +46,7 @@ LT_VERSION = @LT_VERSION@ - - CLEAN_TARGETS = apr-config.out apr.exp exports.c export_vars.c .make.dirs \ - build/apr_rules.out tools/gen_test_char@EXEEXT@ \ -- tools/gen_test_char.o tools/gen_test_char.lo \ -+ tools/gen_test_char.o \ - include/private/apr_escape_test_char.h - DISTCLEAN_TARGETS = config.cache config.log config.status \ - include/apr.h include/arch/unix/apr_private.h \ -@@ -131,13 +131,9 @@ check: $(TARGET_LIB) - etags: - etags `find . -name '*.[ch]'` - --OBJECTS_gen_test_char = tools/gen_test_char.lo $(LOCAL_LIBS) --tools/gen_test_char.lo: tools/gen_test_char.c -+tools/gen_test_char@EXEEXT@: tools/gen_test_char.c - $(APR_MKDIR) tools -- $(LT_COMPILE) -- --tools/gen_test_char@EXEEXT@: $(OBJECTS_gen_test_char) -- $(LINK_PROG) $(OBJECTS_gen_test_char) $(ALL_LIBS) -+ $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $< -o $@ - - include/private/apr_escape_test_char.h: tools/gen_test_char@EXEEXT@ - $(APR_MKDIR) include/private -diff --git a/configure.in b/configure.in -index 719f331..361120f 100644 ---- a/configure.in -+++ b/configure.in -@@ -183,6 +183,9 @@ dnl can only be used once within a configure script, so this prevents a - dnl preload section from invoking the macro to get compiler info. - AC_PROG_CC - -+dnl Check build CC for gen_test_char compiling which is executed at build time. -+AX_PROG_CC_FOR_BUILD -+ - dnl AC_PROG_SED is only avaliable in recent autoconf versions. - dnl Use AC_CHECK_PROG instead if AC_PROG_SED is not present. - ifdef([AC_PROG_SED], --- -1.8.3.1 - diff --git a/poky/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch b/poky/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch deleted file mode 100644 index d1a2ebe881..0000000000 --- a/poky/meta/recipes-support/apr/apr/0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 49661ea3858cf8494926cccf57d3e8c6dcb47117 Mon Sep 17 00:00:00 2001 -From: Dengke Du <dengke.du@windriver.com> -Date: Wed, 14 Dec 2016 18:13:08 +0800 -Subject: [PATCH] apr: fix off_t size doesn't match in glibc when cross - compiling - -In configure.in, it contains the following: - - APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8) - -the macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4, -it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross -compiling enable. - -So it was hardcoded for cross compiling, we should detect it dynamic based on -the sysroot's glibc. We change it to the following: - - AC_CHECK_SIZEOF(off_t) - -The same for the following hardcoded types for cross compiling: - - pid_t 8 - ssize_t 8 - size_t 8 - off_t 8 - -Change the above correspondingly. - -Signed-off-by: Dengke Du <dengke.du@windriver.com> - -Upstream-Status: Pending - ---- - configure.in | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/configure.in b/configure.in -index 27b8539..fb408d1 100644 ---- a/configure.in -+++ b/configure.in -@@ -1801,7 +1801,7 @@ else - socklen_t_value="int" - fi - --APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], pid_t, 8) -+AC_CHECK_SIZEOF(pid_t) - - if test "$ac_cv_sizeof_pid_t" = "$ac_cv_sizeof_short"; then - pid_t_fmt='#define APR_PID_T_FMT "hd"' -@@ -1873,7 +1873,7 @@ APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned long, lu, [size_t_fmt="lu"], [ - APR_CHECK_TYPES_FMT_COMPATIBLE(size_t, unsigned int, u, [size_t_fmt="u"]) - ]) - --APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], ssize_t, 8) -+AC_CHECK_SIZEOF(ssize_t) - - dnl the else cases below should no longer occur; - AC_MSG_CHECKING([which format to use for apr_ssize_t]) -@@ -1891,7 +1891,7 @@ fi - - ssize_t_fmt="#define APR_SSIZE_T_FMT \"$ssize_t_fmt\"" - --APR_CHECK_SIZEOF_EXTENDED([#include <stddef.h>], size_t, 8) -+AC_CHECK_SIZEOF(size_t) - - # else cases below should no longer occur; - AC_MSG_CHECKING([which format to use for apr_size_t]) -@@ -1909,7 +1909,7 @@ fi - - size_t_fmt="#define APR_SIZE_T_FMT \"$size_t_fmt\"" - --APR_CHECK_SIZEOF_EXTENDED([#include <sys/types.h>], off_t, 8) -+AC_CHECK_SIZEOF(off_t) - - if test "${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"; then - # Enable LFS diff --git a/poky/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/poky/meta/recipes-support/apr/apr/CVE-2021-35940.patch deleted file mode 100644 index 00befdacee..0000000000 --- a/poky/meta/recipes-support/apr/apr/CVE-2021-35940.patch +++ /dev/null @@ -1,58 +0,0 @@ - -SECURITY: CVE-2021-35940 (cve.mitre.org) - -Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though -was addressed in 1.6.x in 1.6.3 and later via r1807976. - -The fix was merged back to 1.7.x in r1891198. - -Since this was a regression in 1.7.0, a new CVE name has been assigned -to track this, CVE-2021-35940. - -Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue. - -https://svn.apache.org/viewvc?view=revision&revision=1891198 - -Upstream-Status: Backport -CVE: CVE-2021-35940 -Signed-off-by: Armin Kuster <akuster@mvista.com> - - -Index: time/unix/time.c -=================================================================== ---- a/time/unix/time.c (revision 1891197) -+++ b/time/unix/time.c (revision 1891198) -@@ -142,6 +142,9 @@ - static const int dayoffset[12] = - {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; - -+ if (xt->tm_mon < 0 || xt->tm_mon >= 12) -+ return APR_EBADDATE; -+ - /* shift new year to 1st March in order to make leap year calc easy */ - - if (xt->tm_mon < 2) -Index: time/win32/time.c -=================================================================== ---- a/time/win32/time.c (revision 1891197) -+++ b/time/win32/time.c (revision 1891198) -@@ -54,6 +54,9 @@ - static const int dayoffset[12] = - {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; - -+ if (tm->wMonth < 1 || tm->wMonth > 12) -+ return APR_EBADDATE; -+ - /* Note; the caller is responsible for filling in detailed tm_usec, - * tm_gmtoff and tm_isdst data when applicable. - */ -@@ -228,6 +231,9 @@ - static const int dayoffset[12] = - {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; - -+ if (xt->tm_mon < 0 || xt->tm_mon >= 12) -+ return APR_EBADDATE; -+ - /* shift new year to 1st March in order to make leap year calc easy */ - - if (xt->tm_mon < 2) diff --git a/poky/meta/recipes-support/apr/apr/autoconf270.patch b/poky/meta/recipes-support/apr/apr/autoconf270.patch deleted file mode 100644 index 9f7b5c624c..0000000000 --- a/poky/meta/recipes-support/apr/apr/autoconf270.patch +++ /dev/null @@ -1,22 +0,0 @@ -With autoconf 2.70 confdefs.h is already included. Including it twice generates -compiler warnings and since this macros is to error on warnings, it breaks. - -Fix by not including the file. - -Upstream-Status: Pending -RP - 2021/1/28 - -Index: apr-1.7.0/build/apr_common.m4 -=================================================================== ---- apr-1.7.0.orig/build/apr_common.m4 -+++ apr-1.7.0/build/apr_common.m4 -@@ -505,8 +505,7 @@ AC_DEFUN([APR_TRY_COMPILE_NO_WARNING], - fi - AC_COMPILE_IFELSE( - [AC_LANG_SOURCE( -- [#include "confdefs.h" -- ] -+ [] - [[$1]] - [int main(int argc, const char *const *argv) {] - [[$2]] diff --git a/poky/meta/recipes-support/apr/apr/libtoolize_check.patch b/poky/meta/recipes-support/apr/apr/libtoolize_check.patch index 740792e6b0..80ce43caa4 100644 --- a/poky/meta/recipes-support/apr/apr/libtoolize_check.patch +++ b/poky/meta/recipes-support/apr/apr/libtoolize_check.patch @@ -1,6 +1,7 @@ +From 17835709bc55657b7af1f7c99b3f572b819cf97e Mon Sep 17 00:00:00 2001 From: Helmut Grohne <helmut@subdivi.de> -Subject: check for libtoolize rather than libtool -Last-Update: 2014-09-19 +Date: Tue, 7 Feb 2023 07:04:00 +0000 +Subject: [PATCH] check for libtoolize rather than libtool libtool is now in package libtool-bin, but apr only needs libtoolize. @@ -8,14 +9,22 @@ Upstream-Status: Pending [ from debian: https://sources.debian.org/data/main/a/a Signed-off-by: Robert Yang <liezhi.yang@windriver.com> ---- apr.orig/build/buildcheck.sh -+++ apr/build/buildcheck.sh -@@ -39,11 +39,11 @@ fi +--- + build/buildcheck.sh | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/build/buildcheck.sh b/build/buildcheck.sh +index 44921b5..08bc8a8 100755 +--- a/build/buildcheck.sh ++++ b/build/buildcheck.sh +@@ -39,13 +39,11 @@ fi # ltmain.sh (GNU libtool 1.1361 2004/01/02 23:10:52) 1.5a # output is multiline from 1.5 onwards -# Require libtool 1.4 or newer --libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14` +-if test -z "$libtool"; then +- libtool=`build/PrintPath glibtool1 glibtool libtool libtool15 libtool14` +-fi -lt_pversion=`$libtool --version 2>/dev/null|sed -e 's/([^)]*)//g;s/^[^0-9]*//;s/[- ].*//g;q'` +# Require libtoolize 1.4 or newer +libtoolize=`build/PrintPath glibtoolize1 glibtoolize libtoolize libtoolize15 libtoolize14` diff --git a/poky/meta/recipes-support/apr/apr_1.7.0.bb b/poky/meta/recipes-support/apr/apr_1.7.2.bb index cb4bb936d7..c9059c9921 100644 --- a/poky/meta/recipes-support/apr/apr_1.7.0.bb +++ b/poky/meta/recipes-support/apr/apr_1.7.2.bb @@ -16,21 +16,15 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://run-ptest \ file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \ - file://0003-Makefile.in-configure.in-support-cross-compiling.patch \ file://0004-Fix-packet-discards-HTTP-redirect.patch \ file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \ - file://0006-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch \ file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \ file://libtoolize_check.patch \ file://0001-Add-option-to-disable-timed-dependant-tests.patch \ - file://autoconf270.patch \ - file://0001-add-AC_CACHE_CHECK-for-strerror_r-return-type.patch \ file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \ - file://CVE-2021-35940.patch \ " -SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7" -SRC_URI[sha256sum] = "e2e148f0b2e99b8e5c6caa09f6d4fb4dd3e83f744aa72a952f94f5a14436f7ea" +SRC_URI[sha256sum] = "75e77cc86776c030c0a5c408dfbd0bf2a0b75eed5351e52d5439fa1e5509a43e" inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script diff --git a/poky/meta/recipes-support/bmap-tools/bmap-tools_git.bb b/poky/meta/recipes-support/bmap-tools/bmap-tools_git.bb index 78c51e7731..89b7bf2b93 100644 --- a/poky/meta/recipes-support/bmap-tools/bmap-tools_git.bb +++ b/poky/meta/recipes-support/bmap-tools/bmap-tools_git.bb @@ -9,7 +9,7 @@ SECTION = "console/utils" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/intel/${BPN};branch=master;protocol=https" +SRC_URI = "git://github.com/intel/${BPN};branch=main;protocol=https" SRCREV = "c0673962a8ec1624b5189dc1d24f33fe4f06785a" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-32221.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-32221.patch new file mode 100644 index 0000000000..b78b2ce1a8 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-32221.patch @@ -0,0 +1,28 @@ +From a64e3e59938abd7d667e4470a18072a24d7e9de9 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 15 Sep 2022 09:22:45 +0200 +Subject: [PATCH] setopt: when POST is set, reset the 'upload' field + +Reported-by: RobBotic1 on github +Fixes #9507 +Closes #9511 + +CVE: CVE-2022-32221 +Upstream-Status: Backport [https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9] +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + lib/setopt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 03c4efdbf1e58..7289a4e78bdd0 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -700,6 +700,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + } + else + data->set.method = HTTPREQ_GET; ++ data->set.upload = FALSE; + break; + + case CURLOPT_HTTPPOST: diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-42915.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-42915.patch new file mode 100644 index 0000000000..0f37a80e09 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-42915.patch @@ -0,0 +1,53 @@ +From 55e1875729f9d9fc7315cec611bffbd2c817ad89 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 6 Oct 2022 14:13:36 +0200 +Subject: [PATCH] http_proxy: restore the protocol pointer on error + +Reported-by: Trail of Bits + +Closes #9790 + +CVE: CVE-2022-42915 +Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315cec611bffbd2c817ad89] +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + lib/http_proxy.c | 6 ++---- + lib/url.c | 9 --------- + 2 files changed, 2 insertions(+), 13 deletions(-) + +diff --git a/lib/http_proxy.c b/lib/http_proxy.c +index 1f87f6c62aa40..cc20b3a801941 100644 +--- a/lib/http_proxy.c ++++ b/lib/http_proxy.c +@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data) + Curl_dyn_free(&s->rcvbuf); + Curl_dyn_free(&s->req); + +- /* restore the protocol pointer, if not already done */ +- if(s->prot_save) +- data->req.p.http = s->prot_save; +- s->prot_save = NULL; ++ /* restore the protocol pointer */ ++ data->req.p.http = s->prot_save; + data->info.httpcode = 0; /* clear it as it might've been used for the + proxy */ + data->req.ignorebody = FALSE; +diff --git a/lib/url.c b/lib/url.c +index 690c53c81a3c1..be5ffca2d8b20 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -751,15 +751,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) + DEBUGASSERT(data); + infof(data, "Closing connection %ld", conn->connection_id); + +-#ifndef USE_HYPER +- if(conn->connect_state && conn->connect_state->prot_save) { +- /* If this was closed with a CONNECT in progress, cleanup this temporary +- struct arrangement */ +- data->req.p.http = NULL; +- Curl_safefree(conn->connect_state->prot_save); +- } +-#endif +- + /* possible left-overs from the async name resolvers */ + Curl_resolver_cancel(data); diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-42916.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-42916.patch new file mode 100644 index 0000000000..fbc592280a --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-42916.patch @@ -0,0 +1,136 @@ +From 53bcf55b4538067e6dc36242168866becb987bb7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 12 Oct 2022 10:47:59 +0200 +Subject: [PATCH] url: use IDN decoded names for HSTS checks + +Reported-by: Hiroki Kurosawa + +Closes #9791 + +CVE: CVE-2022-42916 +Upstream-Status: Backport [https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7] +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +Comments: Refreshed hunk +--- + lib/url.c | 91 ++++++++++++++++++++++++++++--------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index a3be56bced9de..690c53c81a3c1 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2012,10 +2012,56 @@ + if(!strcasecompare("file", data->state.up.scheme)) + return CURLE_OUT_OF_MEMORY; + } ++ hostname = data->state.up.hostname; ++ ++ if(hostname && hostname[0] == '[') { ++ /* This looks like an IPv6 address literal. See if there is an address ++ scope. */ ++ size_t hlen; ++ conn->bits.ipv6_ip = TRUE; ++ /* cut off the brackets! */ ++ hostname++; ++ hlen = strlen(hostname); ++ hostname[hlen - 1] = 0; ++ ++ zonefrom_url(uh, data, conn); ++ } ++ ++ /* make sure the connect struct gets its own copy of the host name */ ++ conn->host.rawalloc = strdup(hostname ? hostname : ""); ++ if(!conn->host.rawalloc) ++ return CURLE_OUT_OF_MEMORY; ++ conn->host.name = conn->host.rawalloc; ++ ++ /************************************************************* ++ * IDN-convert the hostnames ++ *************************************************************/ ++ result = Curl_idnconvert_hostname(data, &conn->host); ++ if(result) ++ return result; ++ if(conn->bits.conn_to_host) { ++ result = Curl_idnconvert_hostname(data, &conn->conn_to_host); ++ if(result) ++ return result; ++ } ++#ifndef CURL_DISABLE_PROXY ++ if(conn->bits.httpproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); ++ if(result) ++ return result; ++ } ++ if(conn->bits.socksproxy) { ++ result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); ++ if(result) ++ return result; ++ } ++#endif + + #ifndef CURL_DISABLE_HSTS ++ /* HSTS upgrade */ + if(data->hsts && strcasecompare("http", data->state.up.scheme)) { +- if(Curl_hsts(data->hsts, data->state.up.hostname, TRUE)) { ++ /* This MUST use the IDN decoded name */ ++ if(Curl_hsts(data->hsts, conn->host.name, TRUE)) { + char *url; + Curl_safefree(data->state.up.scheme); + uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0); +@@ -2145,26 +2191,6 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, + + (void)curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query, 0); + +- hostname = data->state.up.hostname; +- if(hostname && hostname[0] == '[') { +- /* This looks like an IPv6 address literal. See if there is an address +- scope. */ +- size_t hlen; +- conn->bits.ipv6_ip = TRUE; +- /* cut off the brackets! */ +- hostname++; +- hlen = strlen(hostname); +- hostname[hlen - 1] = 0; +- +- zonefrom_url(uh, data, conn); +- } +- +- /* make sure the connect struct gets its own copy of the host name */ +- conn->host.rawalloc = strdup(hostname ? hostname : ""); +- if(!conn->host.rawalloc) +- return CURLE_OUT_OF_MEMORY; +- conn->host.name = conn->host.rawalloc; +- + #ifdef ENABLE_IPV6 + if(data->set.scope_id) + /* Override any scope that was set above. */ +@@ -3713,29 +3739,6 @@ static CURLcode create_conn(struct Curl_easy *data, + if(result) + goto out; + +- /************************************************************* +- * IDN-convert the hostnames +- *************************************************************/ +- result = Curl_idnconvert_hostname(data, &conn->host); +- if(result) +- goto out; +- if(conn->bits.conn_to_host) { +- result = Curl_idnconvert_hostname(data, &conn->conn_to_host); +- if(result) +- goto out; +- } +-#ifndef CURL_DISABLE_PROXY +- if(conn->bits.httpproxy) { +- result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); +- if(result) +- goto out; +- } +- if(conn->bits.socksproxy) { +- result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); +- if(result) +- goto out; +- } +-#endif + + /************************************************************* + * Check whether the host and the "connect to host" are equal. diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-43551.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-43551.patch new file mode 100644 index 0000000000..e1ec7bf72e --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-43551.patch @@ -0,0 +1,35 @@ +From 9e71901634e276dd050481c4320f046bebb1bc28 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 19 Dec 2022 08:36:55 +0100 +Subject: [PATCH] http: use the IDN decoded name in HSTS checks + +Otherwise it stores the info HSTS into the persistent cache for the IDN +name which will not match when the HSTS status is later checked for +using the decoded name. + +Reported-by: Hiroki Kurosawa + +Closes #10111 + +CVE: CVE-2022-43551 +Upstream-Status: Backport [https://github.com/curl/curl/commit/9e71901634e276dd050481c4320f046bebb1bc28] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> +Comments: Hunk refresh to remove patch-fuzz warning + +--- + lib/http.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/http.c b/lib/http.c +index 85528a2218eee..a784745a8d505 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3652,7 +3652,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, + else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) && + (conn->handler->flags & PROTOPT_SSL)) { + CURLcode check = +- Curl_hsts_parse(data->hsts, data->state.up.hostname, ++ Curl_hsts_parse(data->hsts, conn->host.name, + headp + strlen("Strict-Transport-Security:")); + if(check) + infof(data, "Illegal STS header skipped"); diff --git a/poky/meta/recipes-support/curl/curl/CVE-2022-43552.patch b/poky/meta/recipes-support/curl/curl/CVE-2022-43552.patch new file mode 100644 index 0000000000..dfe6d8c6d5 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2022-43552.patch @@ -0,0 +1,80 @@ +From 4f20188ac644afe174be6005ef4f6ffba232b8b2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 19 Dec 2022 08:38:37 +0100 +Subject: [PATCH] smb/telnet: do not free the protocol struct in *_done() + +It is managed by the generic layer. + +Reported-by: Trail of Bits + +Closes #10112 + +CVE: CVE-2022-43552 +Upstream-Status: Backport [https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + lib/smb.c | 14 ++------------ + lib/telnet.c | 3 --- + 2 files changed, 2 insertions(+), 15 deletions(-) + +diff --git a/lib/smb.c b/lib/smb.c +index 2cfe041dff072..48d5a2fe006d5 100644 +--- a/lib/smb.c ++++ b/lib/smb.c +@@ -58,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); + static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); + static CURLcode smb_do(struct Curl_easy *data, bool *done); + static CURLcode smb_request_state(struct Curl_easy *data, bool *done); +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature); + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead); + static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, +@@ -74,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { + "SMB", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -101,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = { + "SMBS", /* scheme */ + smb_setup_connection, /* setup_connection */ + smb_do, /* do_it */ +- smb_done, /* done */ ++ ZERO_NULL, /* done */ + ZERO_NULL, /* do_more */ + smb_connect, /* connect_it */ + smb_connection_state, /* connecting */ +@@ -936,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) + return CURLE_OK; + } + +-static CURLcode smb_done(struct Curl_easy *data, CURLcode status, +- bool premature) +-{ +- (void) premature; +- Curl_safefree(data->req.p.smb); +- return status; +-} +- + static CURLcode smb_disconnect(struct Curl_easy *data, + struct connectdata *conn, bool dead) + { +diff --git a/lib/telnet.c b/lib/telnet.c +index 24d3f1efb14c8..22bc81e755222 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, + + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +- +- Curl_safefree(data->req.p.telnet); +- + return CURLE_OK; + } + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch new file mode 100644 index 0000000000..d357cee76c --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-1.patch @@ -0,0 +1,280 @@ +From 076a2f629119222aeeb50f5a03bf9f9052fabb9a Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Dec 2022 11:50:20 +0100 +Subject: [PATCH] share: add sharing of HSTS cache among handles + +Closes #10138 + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/commit/076a2f629119222aeeb50f5a03bf9f9052fabb9a] +Comment: Refreshed hunk from hsts.c and urldata.h +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + include/curl/curl.h | 1 + + lib/hsts.c | 15 +++++++++ + lib/hsts.h | 2 ++ + lib/setopt.c | 48 ++++++++++++++++++++++++----- + lib/share.c | 32 +++++++++++++++++-- + lib/share.h | 6 +++- + lib/transfer.c | 3 ++ + lib/url.c | 6 +++- + lib/urldata.h | 2 ++ + 9 files changed, 109 insertions(+), 11 deletions(-) + +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2953,6 +2953,7 @@ typedef enum { + CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_DATA_CONNECT, + CURL_LOCK_DATA_PSL, ++ CURL_LOCK_DATA_HSTS, + CURL_LOCK_DATA_LAST + } curl_lock_data; + +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -37,6 +37,7 @@ + #include "parsedate.h" + #include "rand.h" + #include "rename.h" ++#include "share.h" + #include "strtoofft.h" + + /* The last 3 #include files should be in this order */ +@@ -561,4 +562,18 @@ + return CURLE_OK; + } + ++void Curl_hsts_loadfiles(struct Curl_easy *data) ++{ ++ struct curl_slist *l = data->set.hstslist; ++ if(l) { ++ Curl_share_lock(data, CURL_LOCK_DATA_HSTS, CURL_LOCK_ACCESS_SINGLE); ++ ++ while(l) { ++ (void)Curl_hsts_loadfile(data, data->hsts, l->data); ++ l = l->next; ++ } ++ Curl_share_unlock(data, CURL_LOCK_DATA_HSTS); ++ } ++} ++ + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ +--- a/lib/hsts.h ++++ b/lib/hsts.h +@@ -59,9 +59,11 @@ CURLcode Curl_hsts_loadfile(struct Curl_ + struct hsts *h, const char *file); + CURLcode Curl_hsts_loadcb(struct Curl_easy *data, + struct hsts *h); ++void Curl_hsts_loadfiles(struct Curl_easy *data); + #else + #define Curl_hsts_cleanup(x) + #define Curl_hsts_loadcb(x,y) CURLE_OK + #define Curl_hsts_save(x,y,z) ++#define Curl_hsts_loadfiles(x) + #endif /* CURL_DISABLE_HTTP || CURL_DISABLE_HSTS */ + #endif /* HEADER_CURL_HSTS_H */ +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2260,9 +2260,14 @@ CURLcode Curl_vsetopt(struct Curl_easy * + data->cookies = NULL; + #endif + ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts == data->hsts) ++ data->hsts = NULL; ++#endif ++#ifdef USE_SSL + if(data->share->sslsession == data->state.session) + data->state.session = NULL; +- ++#endif + #ifdef USE_LIBPSL + if(data->psl == &data->share->psl) + data->psl = data->multi? &data->multi->psl: NULL; +@@ -2296,10 +2301,19 @@ CURLcode Curl_vsetopt(struct Curl_easy * + data->cookies = data->share->cookies; + } + #endif /* CURL_DISABLE_HTTP */ ++#ifndef CURL_DISABLE_HSTS ++ if(data->share->hsts) { ++ /* first free the private one if any */ ++ Curl_hsts_cleanup(&data->hsts); ++ data->hsts = data->share->hsts; ++ } ++#endif /* CURL_DISABLE_HTTP */ ++#ifdef USE_SSL + if(data->share->sslsession) { + data->set.general_ssl.max_ssl_sessions = data->share->max_ssl_sessions; + data->state.session = data->share->sslsession; + } ++#endif + #ifdef USE_LIBPSL + if(data->share->specifier & (1 << CURL_LOCK_DATA_PSL)) + data->psl = &data->share->psl; +@@ -3049,19 +3063,39 @@ CURLcode Curl_vsetopt(struct Curl_easy * + case CURLOPT_HSTSWRITEDATA: + data->set.hsts_write_userp = va_arg(param, void *); + break; +- case CURLOPT_HSTS: ++ case CURLOPT_HSTS: { ++ struct curl_slist *h; + if(!data->hsts) { + data->hsts = Curl_hsts_init(); + if(!data->hsts) + return CURLE_OUT_OF_MEMORY; + } + argptr = va_arg(param, char *); +- result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); +- if(result) +- return result; +- if(argptr) +- (void)Curl_hsts_loadfile(data, data->hsts, argptr); ++ if(argptr) { ++ result = Curl_setstropt(&data->set.str[STRING_HSTS], argptr); ++ if(result) ++ return result; ++ /* this needs to build a list of file names to read from, so that it can ++ read them later, as we might get a shared HSTS handle to load them ++ into */ ++ h = curl_slist_append(data->set.hstslist, argptr); ++ if(!h) { ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ return CURLE_OUT_OF_MEMORY; ++ } ++ data->set.hstslist = h; /* store the list for later use */ ++ } ++ else { ++ /* clear the list of HSTS files */ ++ curl_slist_free_all(data->set.hstslist); ++ data->set.hstslist = NULL; ++ if(!data->share || !data->share->hsts) ++ /* throw away the HSTS cache unless shared */ ++ Curl_hsts_cleanup(&data->hsts); ++ } + break; ++ } + case CURLOPT_HSTS_CTRL: + arg = va_arg(param, long); + if(arg & CURLHSTS_ENABLE) { +--- a/lib/share.c ++++ b/lib/share.c +@@ -29,9 +29,11 @@ + #include "share.h" + #include "psl.h" + #include "vtls/vtls.h" +-#include "curl_memory.h" ++#include "hsts.h" + +-/* The last #include file should be: */ ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" + #include "memdebug.h" + + struct Curl_share * +@@ -89,6 +91,18 @@ curl_share_setopt(struct Curl_share *sha + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(!share->hsts) { ++ share->hsts = Curl_hsts_init(); ++ if(!share->hsts) ++ res = CURLSHE_NOMEM; ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + if(!share->sslsession) { +@@ -141,6 +155,16 @@ curl_share_setopt(struct Curl_share *sha + #endif + break; + ++ case CURL_LOCK_DATA_HSTS: ++#ifndef CURL_DISABLE_HSTS ++ if(share->hsts) { ++ Curl_hsts_cleanup(&share->hsts); ++ } ++#else /* CURL_DISABLE_HSTS */ ++ res = CURLSHE_NOT_BUILT_IN; ++#endif ++ break; ++ + case CURL_LOCK_DATA_SSL_SESSION: + #ifdef USE_SSL + Curl_safefree(share->sslsession); +@@ -207,6 +231,10 @@ curl_share_cleanup(struct Curl_share *sh + Curl_cookie_cleanup(share->cookies); + #endif + ++#ifndef CURL_DISABLE_HSTS ++ Curl_hsts_cleanup(&share->hsts); ++#endif ++ + #ifdef USE_SSL + if(share->sslsession) { + size_t i; +--- a/lib/share.h ++++ b/lib/share.h +@@ -59,10 +59,14 @@ struct Curl_share { + #ifdef USE_LIBPSL + struct PslCache psl; + #endif +- ++#ifndef CURL_DISABLE_HSTS ++ struct hsts *hsts; ++#endif ++#ifdef USE_SSL + struct Curl_ssl_session *sslsession; + size_t max_ssl_sessions; + long sessionage; ++#endif + }; + + CURLSHcode Curl_share_lock(struct Curl_easy *, curl_lock_data, +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1398,6 +1398,9 @@ CURLcode Curl_pretransfer(struct Curl_ea + if(data->state.resolve) + result = Curl_loadhostpairs(data); + ++ /* If there is a list of hsts files to read */ ++ Curl_hsts_loadfiles(data); ++ + if(!result) { + /* Allow data->set.use_port to set which port to use. This needs to be + * disabled for example when we follow Location: headers to URLs using +--- a/lib/url.c ++++ b/lib/url.c +@@ -434,7 +434,11 @@ CURLcode Curl_close(struct Curl_easy **d + Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]); + Curl_altsvc_cleanup(&data->asi); + Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]); +- Curl_hsts_cleanup(&data->hsts); ++#ifndef CURL_DISABLE_HSTS ++ if(!data->share || !data->share->hsts) ++ Curl_hsts_cleanup(&data->hsts); ++ curl_slist_free_all(data->set.hstslist); /* clean up list */ ++#endif + #if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) + Curl_http_auth_cleanup_digest(data); + #endif +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1670,6 +1670,8 @@ + + void *seek_client; /* pointer to pass to the seek callback */ + #ifndef CURL_DISABLE_HSTS ++ struct curl_slist *hstslist; /* list of HSTS files set by ++ curl_easy_setopt(HSTS) calls */ + curl_hstsread_callback hsts_read; + void *hsts_read_userp; + curl_hstswrite_callback hsts_write; diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch new file mode 100644 index 0000000000..668972cb3f --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-2.patch @@ -0,0 +1,23 @@ +From 0bf8b796a0ea98395b390c7807187982215f5c11 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] tool_operate: share HSTS between handles + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/ca17cfed2df001356cfe2841f166569bac0f5e8c] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/tool_operate.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -2722,6 +2722,7 @@ CURLcode operate(struct GlobalConfig *gl + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_SSL_SESSION); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_CONNECT); + curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_PSL); ++ curl_share_setopt(share, CURLSHOPT_SHARE, CURL_LOCK_DATA_HSTS); + + /* Get the required arguments for each operation */ + do { diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch new file mode 100644 index 0000000000..4422b26834 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-3.patch @@ -0,0 +1,45 @@ +From ca02a77f05bd5cef20618c8f741aa48b7be0a648 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] hsts: handle adding the same host name again + +It will then use the largest expire time of the two entries. + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/e077b30a42272d964d76e5b815a0af7dc65d8360] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/hsts.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 339237be1c621..8d6723ee587d2 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -426,14 +426,23 @@ static CURLcode hsts_add(struct hsts *h, char *line) + if(2 == rc) { + time_t expires = strcmp(date, UNLIMITED) ? Curl_getdate_capped(date) : + TIME_T_MAX; +- CURLcode result; ++ CURLcode result = CURLE_OK; + char *p = host; + bool subdomain = FALSE; ++ struct stsentry *e; + if(p[0] == '.') { + p++; + subdomain = TRUE; + } +- result = hsts_create(h, p, subdomain, expires); ++ /* only add it if not already present */ ++ e = Curl_hsts(h, p, subdomain); ++ if(!e) ++ result = hsts_create(h, p, subdomain, expires); ++ else { ++ /* the same host name, use the largest expire time */ ++ if(expires > e->expires) ++ e->expires = expires; ++ } + if(result) + return result; + } diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch new file mode 100644 index 0000000000..865b3f93a5 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-4.patch @@ -0,0 +1,48 @@ +From dc0725244a3163f1e2d5f51165db3a1a430f3ba0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] runtests: support crlf="yes" for verify/proxy + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/fd7e1a557e414dd803c9225e37a2ca84e1df2269] +Comment: Refreshed hunk from FILEFORMAT.md +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/FILEFORMAT.md | 4 ++-- + tests/runtests.pl | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +--- a/tests/FILEFORMAT.md ++++ b/tests/FILEFORMAT.md +@@ -540,14 +540,14 @@ + One perl op per line that operates on the protocol dump. This is pretty + advanced. Example: `s/^EPRT .*/EPRT stripped/`. + +-### `<protocol [nonewline="yes"]>` ++### `<protocol [nonewline="yes"][crlf="yes"]>` + + the protocol dump curl should transmit, if 'nonewline' is set, we will cut off + the trailing newline of this given data before comparing with the one actually + sent by the client The `<strip>` and `<strippart>` rules are applied before + comparisons are made. + +-### `<proxy [nonewline="yes"]>` ++### `<proxy [nonewline="yes"][crlf="yes"]>` + + The protocol dump curl should transmit to a HTTP proxy (when the http-proxy + server is used), if 'nonewline' is set, we will cut off the trailing newline +--- a/tests/runtests.pl ++++ b/tests/runtests.pl +@@ -4744,6 +4744,11 @@ sub singletest { + } + } + ++ if($hash{'crlf'} || ++ ($has_hyper && ($keywords{"HTTP"} || $keywords{"HTTPS"}))) { ++ map subNewlines(0, \$_), @protstrip; ++ } ++ + $res = compare($testnum, $testname, "proxy", \@out, \@protstrip); + if($res) { + return $errorreturncode; diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch new file mode 100644 index 0000000000..1a363f0b4b --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-23914_5-5.patch @@ -0,0 +1,118 @@ +From ea5aaaa5ede53819f8bc7ae767fc2d13d3704d37 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 27 Dec 2022 11:50:23 +0100 +Subject: [PATCH] test446: verify hsts with two URLs + +CVE: CVE-2023-23914 CVE-2023-23915 +Upstream-Status: Backport [https://github.com/curl/curl/pull/10138/commits/7e89dfd463597701dd1defcad7be54f7d3c9d55d] +Comment: Refreshed hunk from Makefile.inc +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + tests/data/Makefile.inc | 2 +- + tests/data/test446 | 84 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 85 insertions(+), 1 deletion(-) + create mode 100644 tests/data/test446 + +diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc +index 3a6356bd122bc..fe1bb1c74c2ab 100644 +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -72,6 +72,7 @@ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ ++test446 \ + test490 test491 test492 test493 test494 \ + \ + test500 test501 test502 test503 test504 test505 test506 test507 test508 \ +diff --git a/tests/data/test446 b/tests/data/test446 +new file mode 100644 +index 0000000000000..0e2dfdcfe33b6 +--- /dev/null ++++ b/tests/data/test446 +@@ -0,0 +1,84 @@ ++<?xml version="1.0" encoding="ISO-8859-1"?> ++<testcase> ++<info> ++<keywords> ++HTTP ++HTTP proxy ++HSTS ++trailing-dot ++</keywords> ++</info> ++ ++<reply> ++ ++# we use this as response to a CONNECT ++<connect nocheck="yes"> ++HTTP/1.1 200 OK ++ ++</connect> ++<data crlf="yes"> ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=604800 ++ ++-foo- ++</data> ++<data2 crlf="yes"> ++HTTP/1.1 200 OK ++Content-Length: 6 ++Strict-Transport-Security: max-age=6048000 ++ ++-baa- ++</data2> ++</reply> ++ ++<client> ++<server> ++https ++http-proxy ++</server> ++<features> ++HSTS ++proxy ++https ++debug ++</features> ++<setenv> ++CURL_HSTS_HTTP=yes ++CURL_TIME=2000000000 ++</setenv> ++ ++<name> ++HSTS with two URLs ++</name> ++<command> ++-x http://%HOSTIP:%PROXYPORT --hsts log/hsts%TESTNUMBER http://this.hsts.example./%TESTNUMBER http://another.example.com/%TESTNUMBER0002 ++</command> ++</client> ++ ++<verify> ++# we let it CONNECT to the server to confirm HSTS but deny from there ++<proxy crlf="yes"> ++GET http://this.hsts.example./%TESTNUMBER HTTP/1.1 ++Host: this.hsts.example. ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://another.example.com/%TESTNUMBER0002 HTTP/1.1 ++Host: another.example.com ++User-Agent: curl/%VERSION ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++</proxy> ++ ++<file name="log/hsts%TESTNUMBER" mode="text"> ++# Your HSTS cache. https://curl.se/docs/hsts.html ++# This file was generated by libcurl! Edit at your own risk. ++this.hsts.example "20330525 03:33:20" ++another.example.com "20330727 03:33:20" ++</file> ++ ++</verify> ++</testcase> diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-23916.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-23916.patch new file mode 100644 index 0000000000..a57d275902 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-23916.patch @@ -0,0 +1,219 @@ +From 119fb187192a9ea13dc90d9d20c215fc82799ab9 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat <patrick@monnerat.net> +Date: Mon, 13 Feb 2023 08:33:09 +0100 +Subject: [PATCH] content_encoding: do not reset stage counter for each header + +Test 418 verifies + +Closes #10492 + +CVE: CVE-2023-23916 +Upstream-Status: Backport [https://github.com/curl/curl/commit/119fb187192a9ea13dc.patch] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +--- + lib/content_encoding.c | 7 +- + lib/urldata.h | 1 + + tests/data/Makefile.inc | 2 +- + tests/data/test387 | 2 +- + tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 158 insertions(+), 6 deletions(-) + create mode 100644 tests/data/test418 + +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1037,7 +1037,6 @@ CURLcode Curl_build_unencoding_stack(str + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; +- int counter = 0; + + do { + const char *name; +@@ -1072,9 +1071,9 @@ CURLcode Curl_build_unencoding_stack(str + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + +- if(++counter >= MAX_ENCODE_STACK) { +- failf(data, "Reject response due to %u content encodings", +- counter); ++ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to more than %u content encodings", ++ MAX_ENCODE_STACK); + return CURLE_BAD_CONTENT_ENCODING; + } + /* Stack the unencoding stage. */ +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -682,6 +682,7 @@ struct SingleRequest { + struct dohdata *doh; /* DoH specific data for this request */ + #endif + unsigned char setcookies; ++ unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -69,6 +69,7 @@ + \ + test400 test401 test402 test403 test404 test405 test406 test407 test408 \ + test409 test410 \ ++test418 \ + \ + test430 test431 test432 test433 test434 test435 test436 \ + \ +--- /dev/null ++++ b/tests/data/test418 +@@ -0,0 +1,152 @@ ++<testcase> ++<info> ++<keywords> ++HTTP ++gzip ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<data nocheck="yes"> ++HTTP/1.1 200 OK ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++Transfer-Encoding: gzip ++ ++-foo- ++</data> ++</reply> ++ ++# ++# Client-side ++<client> ++<server> ++http ++</server> ++ <name> ++Response with multiple Transfer-Encoding headers ++ </name> ++ <command> ++http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS ++</command> ++</client> ++ ++# ++# Verify data after the test has been "shot" ++<verify> ++<protocol crlf="yes"> ++GET /%TESTNUMBER HTTP/1.1 ++Host: %HOSTIP:%HTTPPORT ++User-Agent: curl/%VERSION ++Accept: */* ++ ++</protocol> ++ ++# CURLE_BAD_CONTENT_ENCODING is 61 ++<errorcode> ++61 ++</errorcode> ++<stderr mode="text"> ++curl: (61) Reject response due to more than 5 content encodings ++</stderr> ++</verify> ++</testcase> diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27533.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27533.patch new file mode 100644 index 0000000000..b69b20c85a --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27533.patch @@ -0,0 +1,208 @@ +From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 6 Mar 2023 12:07:33 +0100 +Subject: [PATCH] telnet: parse telnet options without sscanf & only accept option arguments in ascii + +To avoid embedded telnet negotiation commands etc. + +Reported-by: Harry Sintonen +Closes #10728 + +CVE: CVE-2023-27533 +Upstream-Status: Backport [https://github.com/curl/curl/commit/0c28ba2faae2d7da780a66d2446045a560192cdc && https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/telnet.c | 149 +++++++++++++++++++++++++++++++-------------------- + 1 file changed, 91 insertions(+), 58 deletions(-) + +diff --git a/lib/telnet.c b/lib/telnet.c +index e709973..3ecd680 100644 +--- a/lib/telnet.c ++++ b/lib/telnet.c +@@ -768,22 +768,32 @@ static void printsub(struct Curl_easy *data, + } + } + ++static bool str_is_nonascii(const char *str) ++{ ++ size_t len = strlen(str); ++ while(len--) { ++ if(*str & 0x80) ++ return TRUE; ++ str++; ++ } ++ return FALSE; ++} ++ + static CURLcode check_telnet_options(struct Curl_easy *data) + { + struct curl_slist *head; + struct curl_slist *beg; +- char option_keyword[128] = ""; +- char option_arg[256] = ""; + struct TELNET *tn = data->req.p.telnet; +- struct connectdata *conn = data->conn; + CURLcode result = CURLE_OK; +- int binary_option; + + /* Add the user name as an environment variable if it + was given on the command line */ + if(data->state.aptr.user) { +- msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); +- beg = curl_slist_append(tn->telnet_vars, option_arg); ++ char buffer[256]; ++ if(str_is_nonascii(data->conn->user)) ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++ msnprintf(buffer, sizeof(buffer), "USER,%s", data->conn->user); ++ beg = curl_slist_append(tn->telnet_vars, buffer); + if(!beg) { + curl_slist_free_all(tn->telnet_vars); + tn->telnet_vars = NULL; +@@ -793,68 +803,91 @@ static CURLcode check_telnet_options(struct Curl_easy *data) + tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; + } + +- for(head = data->set.telnet_options; head; head = head->next) { +- if(sscanf(head->data, "%127[^= ]%*[ =]%255s", +- option_keyword, option_arg) == 2) { +- +- /* Terminal type */ +- if(strcasecompare(option_keyword, "TTYPE")) { +- strncpy(tn->subopt_ttype, option_arg, 31); +- tn->subopt_ttype[31] = 0; /* String termination */ +- tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES; ++ for(head = data->set.telnet_options; head && !result; head = head->next) { ++ size_t olen; ++ char *option = head->data; ++ char *arg; ++ char *sep = strchr(option, '='); ++ if(sep) { ++ olen = sep - option; ++ arg = ++sep; ++ if(str_is_nonascii(arg)) + continue; +- } ++ switch(olen) { ++ case 5: ++ /* Terminal type */ ++ if(strncasecompare(option, "TTYPE", 5)) { ++ strncpy(tn->subopt_ttype, arg, 31); ++ tn->subopt_ttype[31] = 0; /* String termination */ ++ tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES; ++ } ++ else ++ result = CURLE_UNKNOWN_OPTION; ++ break; + +- /* Display variable */ +- if(strcasecompare(option_keyword, "XDISPLOC")) { +- strncpy(tn->subopt_xdisploc, option_arg, 127); +- tn->subopt_xdisploc[127] = 0; /* String termination */ +- tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES; +- continue; +- } ++ case 8: ++ /* Display variable */ ++ if(strncasecompare(option, "XDISPLOC", 8)) { ++ strncpy(tn->subopt_xdisploc, arg, 127); ++ tn->subopt_xdisploc[127] = 0; /* String termination */ ++ tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES; ++ } ++ else ++ result = CURLE_UNKNOWN_OPTION; ++ break; + +- /* Environment variable */ +- if(strcasecompare(option_keyword, "NEW_ENV")) { +- beg = curl_slist_append(tn->telnet_vars, option_arg); +- if(!beg) { +- result = CURLE_OUT_OF_MEMORY; +- break; ++ case 7: ++ /* Environment variable */ ++ if(strncasecompare(option, "NEW_ENV", 7)) { ++ beg = curl_slist_append(tn->telnet_vars, arg); ++ if(!beg) { ++ result = CURLE_OUT_OF_MEMORY; ++ break; ++ } ++ tn->telnet_vars = beg; ++ tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; + } +- tn->telnet_vars = beg; +- tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES; +- continue; +- } ++ else ++ result = CURLE_UNKNOWN_OPTION; ++ break; + +- /* Window Size */ +- if(strcasecompare(option_keyword, "WS")) { +- if(sscanf(option_arg, "%hu%*[xX]%hu", +- &tn->subopt_wsx, &tn->subopt_wsy) == 2) +- tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES; +- else { +- failf(data, "Syntax error in telnet option: %s", head->data); +- result = CURLE_SETOPT_OPTION_SYNTAX; +- break; ++ case 2: ++ /* Window Size */ ++ if(strncasecompare(option, "WS", 2)) { ++ if(sscanf(arg, "%hu%*[xX]%hu", ++ &tn->subopt_wsx, &tn->subopt_wsy) == 2) ++ tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES; ++ else { ++ failf(data, "Syntax error in telnet option: %s", head->data); ++ result = CURLE_SETOPT_OPTION_SYNTAX; ++ } + } +- continue; +- } ++ else ++ result = CURLE_UNKNOWN_OPTION; ++ break; + +- /* To take care or not of the 8th bit in data exchange */ +- if(strcasecompare(option_keyword, "BINARY")) { +- binary_option = atoi(option_arg); +- if(binary_option != 1) { +- tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO; +- tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO; ++ case 6: ++ /* To take care or not of the 8th bit in data exchange */ ++ if(strncasecompare(option, "BINARY", 6)) { ++ int binary_option = atoi(arg); ++ if(binary_option != 1) { ++ tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO; ++ tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO; ++ } + } +- continue; ++ else ++ result = CURLE_UNKNOWN_OPTION; ++ break; ++ default: ++ failf(data, "Unknown telnet option %s", head->data); ++ result = CURLE_UNKNOWN_OPTION; ++ break; + } +- +- failf(data, "Unknown telnet option %s", head->data); +- result = CURLE_UNKNOWN_OPTION; +- break; + } +- failf(data, "Syntax error in telnet option: %s", head->data); +- result = CURLE_SETOPT_OPTION_SYNTAX; +- break; ++ else { ++ failf(data, "Syntax error in telnet option: %s", head->data); ++ result = CURLE_SETOPT_OPTION_SYNTAX; ++ } + } + + if(result) { +-- +2.25.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch new file mode 100644 index 0000000000..9109faaf88 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -0,0 +1,122 @@ +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH] curl_path: create the new path with dynbuf + +CVE: CVE-2023-27534 +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- + 1 file changed, 35 insertions(+), 36 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index a1669d1..b9c470f 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -30,66 +30,65 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct Curl_easy *data, + char *homedir, /* when SFTP is used */ + char **path) /* returns the allocated + real path to work with */ + { +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data->state.up.path, 0, &working_path, + &working_path_len, REJECT_ZERO); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(data->conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(data->conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; +- if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(!real_path) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.25.1 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch new file mode 100644 index 0000000000..57e1cb9e13 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch @@ -0,0 +1,196 @@ +From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 6 Oct 2022 00:49:10 +0200 +Subject: [PATCH] strcase: add and use Curl_timestrcmp + +This is a strcmp() alternative function for comparing "secrets", +designed to take the same time no matter the content to not leak +match/non-match info to observers based on how fast it is. + +The time this function takes is only a function of the shortest input +string. + +Reported-by: Trail of Bits + +Closes #9658 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878] +Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp. +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/netrc.c | 6 +++--- + lib/strcase.c | 22 ++++++++++++++++++++++ + lib/strcase.h | 1 + + lib/url.c | 33 +++++++++++++-------------------- + lib/vauth/digest_sspi.c | 4 ++-- + lib/vtls/vtls.c | 4 ++-- + 6 files changed, 43 insertions(+), 27 deletions(-) + +diff --git a/lib/netrc.c b/lib/netrc.c +index 0a4ae2c..b771b60 100644 +--- a/lib/netrc.c ++++ b/lib/netrc.c +@@ -140,9 +140,9 @@ static int parsenetrc(const char *host, + /* we are now parsing sub-keywords concerning "our" host */ + if(state_login) { + if(specific_login) { +- state_our_login = strcasecompare(login, tok); ++ state_our_login = !Curl_timestrcmp(login, tok); + } +- else if(!login || strcmp(login, tok)) { ++ else if(!login || Curl_timestrcmp(login, tok)) { + if(login_alloc) { + free(login); + login_alloc = FALSE; +@@ -158,7 +158,7 @@ static int parsenetrc(const char *host, + } + else if(state_password) { + if((state_our_login || !specific_login) +- && (!password || strcmp(password, tok))) { ++ && (!password || Curl_timestrcmp(password, tok))) { + if(password_alloc) { + free(password); + password_alloc = FALSE; +diff --git a/lib/strcase.c b/lib/strcase.c +index 692a3f1..be085b3 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b) + return !a && !b; + } + ++/* ++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this ++ * function spends is a function of the shortest string, not of the contents. ++ */ ++int Curl_timestrcmp(const char *a, const char *b) ++{ ++ int match = 0; ++ int i = 0; ++ ++ if(a && b) { ++ while(1) { ++ match |= a[i]^b[i]; ++ if(!a[i] || !b[i]) ++ break; ++ i++; ++ } ++ } ++ else ++ return a || b; ++ return match; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index 382b80a..c6979da 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + + bool Curl_safecmp(char *a, char *b); ++int Curl_timestrcmp(const char *first, const char *second); + + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index df4377d..c397b57 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -930,19 +930,10 @@ socks_proxy_info_matches(const struct proxy_info *data, + /* the user information is case-sensitive + or at least it is not defined as case-insensitive + see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */ +- if(!data->user != !needle->user) +- return FALSE; +- /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->user && +- needle->user && +- strcmp(data->user, needle->user) != 0) +- return FALSE; +- if(!data->passwd != !needle->passwd) +- return FALSE; ++ + /* curl_strequal does a case insentive comparison, so do not use it here! */ +- if(data->passwd && +- needle->passwd && +- strcmp(data->passwd, needle->passwd) != 0) ++ if(Curl_timestrcmp(data->user, needle->user) || ++ Curl_timestrcmp(data->passwd, needle->passwd)) + return FALSE; + return TRUE; + } +@@ -1341,10 +1332,10 @@ ConnectionExists(struct Curl_easy *data, + if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd) || +- !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || +- !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd) || ++ Curl_timestrcmp(needle->sasl_authzid, check->sasl_authzid) || ++ Curl_timestrcmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -1420,8 +1411,8 @@ ConnectionExists(struct Curl_easy *data, + possible. (Especially we must not reuse the same connection if + partway through a handshake!) */ + if(wantNTLMhttp) { +- if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ if(Curl_timestrcmp(needle->user, check->user) || ++ Curl_timestrcmp(needle->passwd, check->passwd)) { + + /* we prefer a credential match, but this is at least a connection + that can be reused and "upgraded" to NTLM */ +@@ -1443,8 +1434,10 @@ ConnectionExists(struct Curl_easy *data, + if(!check->http_proxy.user || !check->http_proxy.passwd) + continue; + +- if(strcmp(needle->http_proxy.user, check->http_proxy.user) || +- strcmp(needle->http_proxy.passwd, check->http_proxy.passwd)) ++ if(Curl_timestrcmp(needle->http_proxy.user, ++ check->http_proxy.user) || ++ Curl_timestrcmp(needle->http_proxy.passwd, ++ check->http_proxy.passwd)) + continue; + } + else if(check->proxy_ntlm_state != NTLMSTATE_NONE) { +diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c +index 94f8f8c..a413419 100644 +--- a/lib/vauth/digest_sspi.c ++++ b/lib/vauth/digest_sspi.c +@@ -429,8 +429,8 @@ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, + has changed then delete that context. */ + if((userp && !digest->user) || (!userp && digest->user) || + (passwdp && !digest->passwd) || (!passwdp && digest->passwd) || +- (userp && digest->user && strcmp(userp, digest->user)) || +- (passwdp && digest->passwd && strcmp(passwdp, digest->passwd))) { ++ (userp && digest->user && Curl_timestrcmp(userp, digest->user)) || ++ (passwdp && digest->passwd && Curl_timestrcmp(passwdp, digest->passwd))) { + if(digest->http_context) { + s_pSecFn->DeleteSecurityContext(digest->http_context); + Curl_safefree(digest->http_context); +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e2d3438..881c8d2 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -146,8 +146,8 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && + #ifdef USE_TLS_SRP +- Curl_safecmp(data->username, needle->username) && +- Curl_safecmp(data->password, needle->password) && ++ !Curl_timestrcmp(data->username, needle->username) && ++ !Curl_timestrcmp(data->password, needle->password) && + (data->authtype == needle->authtype) && + #endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && +-- +2.35.7 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch new file mode 100644 index 0000000000..4e701edfff --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch @@ -0,0 +1,170 @@ +From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 9 Mar 2023 17:47:06 +0100 +Subject: [PATCH] ftp: add more conditions for connection reuse + +Reported-by: Harry Sintonen +Closes #10730 + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +Comment: Backport for CVE-2023-27535 also fixes CVE-2023-27538 in the file "lib/url.c". +CVE: CVE-2023-27535, CVE-2023-27538 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/ftp.c | 28 ++++++++++++++++++++++++++-- + lib/ftp.h | 5 +++++ + lib/setopt.c | 2 +- + lib/url.c | 19 ++++++++++++++++--- + lib/urldata.h | 4 ++-- + 5 files changed, 50 insertions(+), 8 deletions(-) + +diff --git a/lib/ftp.c b/lib/ftp.c +index c6efaed..93bbaeb 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -4097,6 +4097,8 @@ static CURLcode ftp_disconnect(struct Curl_easy *data, + } + + freedirs(ftpc); ++ Curl_safefree(ftpc->account); ++ Curl_safefree(ftpc->alternative_to_user); + Curl_safefree(ftpc->prevpath); + Curl_safefree(ftpc->server_os); + Curl_pp_disconnect(pp); +@@ -4364,11 +4366,31 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + { + char *type; + struct FTP *ftp; ++ struct ftp_conn *ftpc = &conn->proto.ftpc; + +- data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); ++ ftp = calloc(sizeof(struct FTP), 1); + if(!ftp) + return CURLE_OUT_OF_MEMORY; + ++ /* clone connection related data that is FTP specific */ ++ if(data->set.str[STRING_FTP_ACCOUNT]) { ++ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]); ++ if(!ftpc->account) { ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) { ++ ftpc->alternative_to_user = ++ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]); ++ if(!ftpc->alternative_to_user) { ++ Curl_safefree(ftpc->account); ++ free(ftp); ++ return CURLE_OUT_OF_MEMORY; ++ } ++ } ++ data->req.p.ftp = ftp; ++ + ftp->path = &data->state.up.path[1]; /* don't include the initial slash */ + + /* FTP URLs support an extension like ";type=<typecode>" that +@@ -4403,7 +4425,9 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, + /* get some initial data into the ftp struct */ + ftp->transfer = PPTRANSFER_BODY; + ftp->downloadsize = 0; +- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ ++ ftpc->known_filesize = -1; /* unknown size for now */ ++ ftpc->use_ssl = data->set.use_ssl; ++ ftpc->ccc = data->set.ftp_ccc; + + return CURLE_OK; + } +diff --git a/lib/ftp.h b/lib/ftp.h +index 1cfdac0..afca25b 100644 +--- a/lib/ftp.h ++++ b/lib/ftp.h +@@ -115,6 +115,8 @@ struct FTP { + struct */ + struct ftp_conn { + struct pingpong pp; ++ char *account; ++ char *alternative_to_user; + char *entrypath; /* the PWD reply when we logged on */ + char *file; /* url-decoded file name (or path) */ + char **dirs; /* realloc()ed array for path components */ +@@ -144,6 +146,9 @@ struct ftp_conn { + ftpstate state; /* always use ftp.c:state() to change state! */ + ftpstate state_saved; /* transfer type saved to be reloaded after + data connection is established */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ ++ unsigned char ccc; /* ccc level for this connection */ + curl_off_t retr_size_saved; /* Size of retrieved file saved */ + char *server_os; /* The target server operating system. */ + curl_off_t known_filesize; /* file size is different from -1, if wildcard +diff --git a/lib/setopt.c b/lib/setopt.c +index 29a78a4..89d0150 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2304,7 +2304,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)) + return CURLE_BAD_FUNCTION_ARGUMENT; +- data->set.use_ssl = (curl_usessl)arg; ++ data->set.use_ssl = (unsigned char)arg; + break; + + case CURLOPT_SSL_OPTIONS: +diff --git a/lib/url.c b/lib/url.c +index c397b57..280171c 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1347,11 +1347,24 @@ ConnectionExists(struct Curl_easy *data, + (check->httpversion >= 20) && + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; +- +- if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { +- if(!ssh_config_matches(needle, check)) ++#ifdef USE_SSH ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) + continue; + } ++#endif ++#ifndef CURL_DISABLE_FTP ++ else if(get_protocol_family(needle->handler) & PROTO_FAMILY_FTP) { ++ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */ ++ if(Curl_timestrcmp(needle->proto.ftpc.account, ++ check->proto.ftpc.account) || ++ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user, ++ check->proto.ftpc.alternative_to_user) || ++ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) || ++ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc)) ++ continue; ++ } ++#endif + + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY +diff --git a/lib/urldata.h b/lib/urldata.h +index 69eb2ee..6e6122a 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1748,8 +1748,6 @@ struct UserDefined { + enum CURL_NETRC_OPTION + use_netrc; /* defined in include/curl.h */ + #endif +- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or +- IMAP or POP3 or others! */ + long new_file_perms; /* Permissions to use when creating remote files */ + long new_directory_perms; /* Permissions to use when creating remote dirs */ + long ssh_auth_types; /* allowed SSH auth types */ +@@ -1877,6 +1875,8 @@ struct UserDefined { + BIT(http09_allowed); /* allow HTTP/0.9 responses */ + BIT(mail_rcpt_allowfails); /* allow RCPT TO command to fail for some + recipients */ ++ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or ++ IMAP or POP3 or others! (type: curl_usessl)*/ + }; + + struct Names { +-- +2.35.7 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27536.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27536.patch new file mode 100644 index 0000000000..fb3ee6a14d --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27536.patch @@ -0,0 +1,52 @@ +From cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 10 Mar 2023 09:22:43 +0100 +Subject: [PATCH] url: only reuse connections with same GSS delegation + +Upstream-Status: Backport from [https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb] +CVE: CVE-2023-27536 +Signed-off-by: Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/url.c | 6 ++++++ + lib/urldata.h | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/lib/url.c b/lib/url.c +index 280171c..c6413a1 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1341,6 +1341,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ /* GSS delegation differences do not actually affect every connection ++ and auth method, but this check takes precaution before efficiency */ ++ if(needle->gssapi_delegation != check->gssapi_delegation) ++ continue; ++ + /* If multiplexing isn't enabled on the h2 connection and h1 is + explicitly requested, handle it: */ + if((needle->handler->protocol & PROTO_FAMILY_HTTP) && +@@ -1813,6 +1818,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->fclosesocket = data->set.fclosesocket; + conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ ++ conn->gssapi_delegation = data->set.gssapi_delegation; + + return conn; + error: +diff --git a/lib/urldata.h b/lib/urldata.h +index 6e6122a..602c735 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1131,6 +1131,7 @@ struct connectdata { + int socks5_gssapi_enctype; + #endif + unsigned short localport; ++ long gssapi_delegation; /* inherited from set.gssapi_delegation */ + }; + + /* The end of connectdata. */ +-- +2.35.7 diff --git a/poky/meta/recipes-support/curl/curl_7.82.0.bb b/poky/meta/recipes-support/curl/curl_7.82.0.bb index 5368c91f5c..70ceb9f370 100644 --- a/poky/meta/recipes-support/curl/curl_7.82.0.bb +++ b/poky/meta/recipes-support/curl/curl_7.82.0.bb @@ -6,7 +6,7 @@ HTTP post, SSL connections, proxy support, FTP uploads, and more!" HOMEPAGE = "https://curl.se/" BUGTRACKER = "https://github.com/curl/curl/issues" SECTION = "console/network" -LICENSE = "MIT-open-group" +LICENSE = "curl" LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238" SRC_URI = "https://curl.se/download/${BP}.tar.xz \ @@ -29,6 +29,22 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \ file://CVE-2022-32207.patch \ file://CVE-2022-32208.patch \ file://CVE-2022-35252.patch \ + file://CVE-2022-32221.patch \ + file://CVE-2022-42916.patch \ + file://CVE-2022-42915.patch \ + file://CVE-2022-43551.patch \ + file://CVE-2022-43552.patch \ + file://CVE-2023-23914_5-1.patch \ + file://CVE-2023-23914_5-2.patch \ + file://CVE-2023-23914_5-3.patch \ + file://CVE-2023-23914_5-4.patch \ + file://CVE-2023-23914_5-5.patch \ + file://CVE-2023-23916.patch \ + file://CVE-2023-27533.patch \ + file://CVE-2023-27534.patch \ + file://CVE-2023-27535-pre1.patch \ + file://CVE-2023-27535_and_CVE-2023-27538.patch \ + file://CVE-2023-27536.patch \ " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" @@ -54,8 +70,8 @@ PACKAGECONFIG[gopher] = "--enable-gopher,--disable-gopher," PACKAGECONFIG[imap] = "--enable-imap,--disable-imap," PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," PACKAGECONFIG[krb5] = "--with-gssapi,--without-gssapi,krb5" -PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap," -PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps," +PACKAGECONFIG[ldap] = "--enable-ldap,--disable-ldap,openldap" +PACKAGECONFIG[ldaps] = "--enable-ldaps,--disable-ldaps,openldap" PACKAGECONFIG[libgsasl] = "--with-libgsasl,--without-libgsasl,libgsasl" PACKAGECONFIG[libidn] = "--with-libidn2,--without-libidn2,libidn2" PACKAGECONFIG[libssh2] = "--with-libssh2,--without-libssh2,libssh2" diff --git a/poky/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch b/poky/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch new file mode 100644 index 0000000000..943f4ca704 --- /dev/null +++ b/poky/meta/recipes-support/gnutls/gnutls/CVE-2023-0361.patch @@ -0,0 +1,85 @@ +From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001 +From: Alexander Sosedkin <asosedkin@redhat.com> +Date: Tue, 9 Aug 2022 16:05:53 +0200 +Subject: [PATCH] auth/rsa: side-step potential side-channel + +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com> +Signed-off-by: Hubert Kario <hkario@redhat.com> +Tested-by: Hubert Kario <hkario@redhat.com> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a + https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558] +CVE: CVE-2023-0361 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + lib/auth/rsa.c | 30 +++--------------------------- + 1 file changed, 3 insertions(+), 27 deletions(-) + +diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c +index 8108ee8..858701f 100644 +--- a/lib/auth/rsa.c ++++ b/lib/auth/rsa.c +@@ -155,13 +155,10 @@ static int + proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + size_t _data_size) + { +- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n"; + gnutls_datum_t ciphertext; + int ret, dsize; + ssize_t data_size = _data_size; + volatile uint8_t ver_maj, ver_min; +- volatile uint8_t check_ver_min; +- volatile uint32_t ok; + + #ifdef ENABLE_SSL3 + if (get_num_version(session) == GNUTLS_SSL3) { +@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + + ver_maj = _gnutls_get_adv_version_major(session); + ver_min = _gnutls_get_adv_version_minor(session); +- check_ver_min = (session->internals.allow_wrong_pms == 0); + + session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE); + if (session->key.key.data == NULL) { +@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + return ret; + } + +- ret = +- gnutls_privkey_decrypt_data2(session->internals.selected_key, +- 0, &ciphertext, session->key.key.data, +- session->key.key.size); ++ gnutls_privkey_decrypt_data2(session->internals.selected_key, ++ 0, &ciphertext, session->key.key.data, ++ session->key.key.size); + /* After this point, any conditional on failure that cause differences + * in execution may create a timing or cache access pattern side + * channel that can be used as an oracle, so treat very carefully */ +@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data, + * Vlastimil Klima, Ondej Pokorny and Tomas Rosa. + */ + +- /* ok is 0 in case of error and 1 in case of success. */ +- +- /* if ret < 0 */ +- ok = CONSTCHECK_EQUAL(ret, 0); +- /* session->key.key.data[0] must equal ver_maj */ +- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj); +- /* if check_ver_min then session->key.key.data[1] must equal ver_min */ +- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) & +- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min); +- +- if (ok) { +- /* call logging function unconditionally so all branches are +- * indistinguishable for timing and cache access when debug +- * logging is disabled */ +- _gnutls_no_log("%s", attack_error); +- } else { +- _gnutls_debug_log("%s", attack_error); +- } +- + /* This is here to avoid the version check attack + * discussed above. + */ +-- +2.25.1 + diff --git a/poky/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/poky/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 94e7f0d58e..fcd9af05dc 100644 --- a/poky/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/poky/meta/recipes-support/gnutls/gnutls_3.7.4.bb @@ -8,7 +8,7 @@ LICENSE = "GPL-3.0-or-later & LGPL-2.1-or-later" LICENSE:${PN} = "LGPL-2.1-or-later" LICENSE:${PN}-xx = "LGPL-2.1-or-later" LICENSE:${PN}-bin = "GPL-3.0-or-later" -LICENSE:${PN}-OpenSSL = "GPL-3.0-or-later" +LICENSE:${PN}-openssl = "GPL-3.0-or-later" LIC_FILES_CHKSUM = "file://LICENSE;md5=71391c8e0c1cfe68077e7fce3b586283 \ file://doc/COPYING;md5=c678957b0c8e964aa6c70fd77641a71e \ @@ -22,6 +22,7 @@ SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}" SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \ file://arm_eabi.patch \ file://CVE-2022-2509.patch \ + file://CVE-2023-0361.patch \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" diff --git a/poky/meta/recipes-support/iso-codes/iso-codes_4.11.0.bb b/poky/meta/recipes-support/iso-codes/iso-codes_4.13.0.bb index be573981b0..f3ead5e8c1 100644 --- a/poky/meta/recipes-support/iso-codes/iso-codes_4.11.0.bb +++ b/poky/meta/recipes-support/iso-codes/iso-codes_4.13.0.bb @@ -9,7 +9,7 @@ LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main;" -SRCREV = "2651d7fe65582263c57385a852b0c6d8a49f6985" +SRCREV = "ab6b01d5b56af7da9f0d2d1619a3cf84e43ed76a" # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which # are inhibited by allarch diff --git a/poky/meta/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch b/poky/meta/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch index 3f4c7e57ae..8bd2050ea5 100644 --- a/poky/meta/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch +++ b/poky/meta/recipes-support/libcap/files/0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch @@ -1,4 +1,4 @@ -From 1c234bc39446eb9b23896e85dd67b02976d46c3d Mon Sep 17 00:00:00 2001 +From a3196f3a06e7bbfde30d143c92a4325be323b3d0 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Thu, 14 Oct 2021 15:57:36 +0800 Subject: [PATCH] nativesdk-libcap: Raise the size of arrays containing dl diff --git a/poky/meta/recipes-support/libcap/libcap_2.65.bb b/poky/meta/recipes-support/libcap/libcap_2.66.bb index 8013d40769..c50e9d8cc7 100644 --- a/poky/meta/recipes-support/libcap/libcap_2.65.bb +++ b/poky/meta/recipes-support/libcap/libcap_2.66.bb @@ -20,7 +20,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${ SRC_URI:append:class-nativesdk = " \ file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \ " -SRC_URI[sha256sum] = "73e350020cc31fe15360879d19384ffa3395a825f065fcf6bda3a5cdf965bebd" +SRC_URI[sha256sum] = "15c40ededb3003d70a283fe587a36b7d19c8b3b554e33f86129c059a4bb466b2" UPSTREAM_CHECK_URI = "https://www.kernel.org/pub/linux/libs/security/linux-privs/${BPN}2/" diff --git a/poky/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch b/poky/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch index 5e529d1ce7..3ffcb3e128 100644 --- a/poky/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch +++ b/poky/meta/recipes-support/libffi/libffi/0001-arm-sysv-reverted-clang-VFP-mitigation.patch @@ -1,4 +1,4 @@ -From 501a6b55853af549fae72723e74271f2a4ec7cf6 Mon Sep 17 00:00:00 2001 +From 000f1500b693a84880d2da49b77b1113f98dde35 Mon Sep 17 00:00:00 2001 From: Brett Warren <brett.warren@arm.com> Date: Fri, 27 Nov 2020 15:28:42 +0000 Subject: [PATCH] arm/sysv: reverted clang VFP mitigation @@ -11,8 +11,9 @@ https://github.com/libffi/libffi/issues/607. Now that clang supports the LDC and SDC instructions, this mitigation has been reverted. -Upstream-Status: Pending +Upstream-Status: Submitted [https://github.com/libffi/libffi/pull/747] Signed-off-by: Brett Warren <brett.warren@arm.com> + --- src/arm/sysv.S | 33 --------------------------------- 1 file changed, 33 deletions(-) @@ -99,6 +100,3 @@ index fb36213..e4272a1 100644 b call_epilogue E(ARM_TYPE_INT64) ldr r1, [r2, #4] --- -2.25.1 - diff --git a/poky/meta/recipes-support/libffi/libffi/not-win32.patch b/poky/meta/recipes-support/libffi/libffi/not-win32.patch index 62daaf4b38..38f9b0025c 100644 --- a/poky/meta/recipes-support/libffi/libffi/not-win32.patch +++ b/poky/meta/recipes-support/libffi/libffi/not-win32.patch @@ -1,4 +1,4 @@ -From 306719369a0d3608b4ff2737de74ae284788a14b Mon Sep 17 00:00:00 2001 +From 20bc4e03442e15965ae3907013e9a177878f0323 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Thu, 4 Feb 2016 16:22:50 +0000 Subject: [PATCH] libffi: ensure sysroot paths are not in libffi.pc @@ -21,11 +21,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index b764368..d51ce91 100644 +index 7e8cd98..cf37e88 100644 --- a/configure.ac +++ b/configure.ac -@@ -354,7 +354,7 @@ AC_ARG_ENABLE(multi-os-directory, - +@@ -405,7 +405,7 @@ AC_ARG_ENABLE(multi-os-directory, + # These variables are only ever used when we cross-build to X86_WIN32. # And we only support this with GCC, so... -if test "x$GCC" = "xyes"; then diff --git a/poky/meta/recipes-support/libffi/libffi_3.4.2.bb b/poky/meta/recipes-support/libffi/libffi_3.4.4.bb index 71d9518baf..4ceee6f3cc 100644 --- a/poky/meta/recipes-support/libffi/libffi_3.4.2.bb +++ b/poky/meta/recipes-support/libffi/libffi_3.4.4.bb @@ -8,13 +8,13 @@ library really only provides the lowest, machine dependent layer of a fully feat A layer must exist above `libffi' that handles type conversions for values passed between the two languages." LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=679b5c9bdc79a2b93ee574e193e7a7bc" +LIC_FILES_CHKSUM = "file://LICENSE;md5=32c0d09a0641daf4903e5d61cc8f23a8" SRC_URI = "https://github.com/libffi/libffi/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ file://not-win32.patch \ file://0001-arm-sysv-reverted-clang-VFP-mitigation.patch \ " -SRC_URI[sha256sum] = "540fb721619a6aba3bdeef7d940d8e9e0e6d2c193595bc243241b77ff9e93620" +SRC_URI[sha256sum] = "d66c56ad259a82cf2a9dfc408b32bf5da52371500b84745f7fb8b645712df676" UPSTREAM_CHECK_URI = "https://github.com/libffi/libffi/releases/" UPSTREAM_CHECK_REGEX = "libffi-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/poky/meta/recipes-support/libgit2/libgit2_1.4.3.bb b/poky/meta/recipes-support/libgit2/libgit2_1.4.5.bb index 7e27b5b018..aadfe4ad02 100644 --- a/poky/meta/recipes-support/libgit2/libgit2_1.4.3.bb +++ b/poky/meta/recipes-support/libgit2/libgit2_1.4.5.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e5a9227de4cb6afb5d35ed7b0fdf480d" DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2" SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https" -SRCREV = "465bbf88ea939a965fbcbade72870c61f815e457" +SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea" S = "${WORKDIR}/git" diff --git a/poky/meta/recipes-support/libical/libical_3.0.14.bb b/poky/meta/recipes-support/libical/libical_3.0.16.bb index 58baf3f32f..c53b7ca375 100644 --- a/poky/meta/recipes-support/libical/libical_3.0.14.bb +++ b/poky/meta/recipes-support/libical/libical_3.0.16.bb @@ -15,7 +15,7 @@ SECTION = "libs" SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BP}.tar.gz \ file://0001-cmake-Do-not-export-CC-into-gir-compiler.patch \ " -SRC_URI[sha256sum] = "4284b780356f1dc6a01f16083e7b836e63d3815e27ed0eaaad684712357ccc8f" +SRC_URI[sha256sum] = "b44705dd71ca4538c86fb16248483ab4b48978524fb1da5097bd76aa2e0f0c33" UPSTREAM_CHECK_URI = "https://github.com/libical/libical/releases" inherit cmake pkgconfig gobject-introspection vala diff --git a/poky/meta/recipes-support/libksba/libksba/ksba-add-pkgconfig-support.patch b/poky/meta/recipes-support/libksba/libksba/ksba-add-pkgconfig-support.patch index af96bd57cd..bdb80ff34d 100644 --- a/poky/meta/recipes-support/libksba/libksba/ksba-add-pkgconfig-support.patch +++ b/poky/meta/recipes-support/libksba/libksba/ksba-add-pkgconfig-support.patch @@ -1,4 +1,4 @@ -From 6081640895b6d566fa21123e2de7d111eeab5c4c Mon Sep 17 00:00:00 2001 +From ca8174aa81d7bf364b33f7254a9e887735c4996d Mon Sep 17 00:00:00 2001 From: Chen Qi <Qi.Chen@windriver.com> Date: Mon, 3 Dec 2012 18:17:31 +0800 Subject: [PATCH] libksba: add pkgconfig support @@ -16,7 +16,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com> 1 file changed, 4 insertions(+), 86 deletions(-) diff --git a/src/ksba.m4 b/src/ksba.m4 -index 6b55bb8..6e7336f 100644 +index 452c245..aa96255 100644 --- a/src/ksba.m4 +++ b/src/ksba.m4 @@ -23,37 +23,6 @@ dnl with a changed API. @@ -44,7 +44,7 @@ index 6b55bb8..6e7336f 100644 - fi - - use_gpgrt_config="" -- if test x"$KSBA_CONFIG" = x -a x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then +- if test x"$GPGRT_CONFIG" != x -a "$GPGRT_CONFIG" != "no"; then - if $GPGRT_CONFIG ksba --exists; then - KSBA_CONFIG="$GPGRT_CONFIG ksba" - AC_MSG_NOTICE([Use gpgrt-config as ksba-config]) diff --git a/poky/meta/recipes-support/libksba/libksba_1.6.0.bb b/poky/meta/recipes-support/libksba/libksba_1.6.3.bb index f9e83681dd..dc39693be4 100644 --- a/poky/meta/recipes-support/libksba/libksba_1.6.0.bb +++ b/poky/meta/recipes-support/libksba/libksba_1.6.3.bb @@ -24,7 +24,7 @@ UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html" SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ file://ksba-add-pkgconfig-support.patch" -SRC_URI[sha256sum] = "dad683e6f2d915d880aa4bed5cea9a115690b8935b78a1bbe01669189307a48b" +SRC_URI[sha256sum] = "3f72c68db30971ebbf14367527719423f0a4d5f8103fc9f4a1c01a9fa440de5c" do_configure:prepend () { # Else these could be used in preference to those in aclocal-copy diff --git a/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.75.bb b/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb index 9c99af7c91..ad3c34ab9e 100644 --- a/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.75.bb +++ b/poky/meta/recipes-support/libmicrohttpd/libmicrohttpd_0.9.76.bb @@ -7,7 +7,7 @@ SECTION = "net" DEPENDS = "file" SRC_URI = "${GNU_MIRROR}/libmicrohttpd/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "9278907a6f571b391aab9644fd646a5108ed97311ec66f6359cebbedb0a4e3bb" +SRC_URI[sha256sum] = "f0b1547b5a42a6c0f724e8e1c1cb5ce9c4c35fb495e7d780b9930d35011ceb4c" inherit autotools lib_package pkgconfig gettext diff --git a/poky/meta/recipes-support/libseccomp/files/run-ptest b/poky/meta/recipes-support/libseccomp/files/run-ptest index 54b4a63cd2..63c79f09c4 100644 --- a/poky/meta/recipes-support/libseccomp/files/run-ptest +++ b/poky/meta/recipes-support/libseccomp/files/run-ptest @@ -1,4 +1,7 @@ #!/bin/sh cd tests +sed -i 's/SUCCESS/PASS/g; s/FAILURE/FAIL/g; s/SKIPPED/SKIP/g' regression +sed -i 's/"Test %s result: %s\\n" "$1" "$2"/"%s: %s\\n" "$2" "$1"/g' regression +sed -i 's/"Test %s result: %s %s\\n" "$1" "$2" "$3"/"%s: %s %s\\n" "$2" "$1" "$3"/g' regression ./regression -a diff --git a/poky/meta/recipes-support/libseccomp/libseccomp_2.5.3.bb b/poky/meta/recipes-support/libseccomp/libseccomp_2.5.3.bb index 4c0fb1d7b3..1f43686ade 100644 --- a/poky/meta/recipes-support/libseccomp/libseccomp_2.5.3.bb +++ b/poky/meta/recipes-support/libseccomp/libseccomp_2.5.3.bb @@ -1,5 +1,5 @@ SUMMARY = "interface to seccomp filtering mechanism" -DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp." +DESCRIPTION = "The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp." HOMEPAGE = "https://github.com/seccomp/libseccomp" SECTION = "security" LICENSE = "LGPL-2.1-only" diff --git a/poky/meta/recipes-support/libssh2/files/0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch b/poky/meta/recipes-support/libssh2/files/0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch deleted file mode 100644 index b1204e49eb..0000000000 --- a/poky/meta/recipes-support/libssh2/files/0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch +++ /dev/null @@ -1,44 +0,0 @@ -From f6abce5ba41a412a247250dcd80e387e53474466 Mon Sep 17 00:00:00 2001 -From: Your Name <you@example.com> -Date: Mon, 28 Dec 2020 02:08:03 +0000 -Subject: [PATCH] Don't let host enviroment to decide if a test is build - -test ssh2.sh need sshd, for cross compile, we need it on target, so -don't use SSHD on host to decide weither to build a test - -Upstream-Status: Inappropriate[oe specific] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> - ---- - tests/Makefile.am | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/tests/Makefile.am b/tests/Makefile.am -index dc0922f..6cbc35d 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -1,16 +1,12 @@ - AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/include -I$(top_builddir)/src - LDADD = ../src/libssh2.la - --if SSHD - noinst_PROGRAMS = ssh2 - ssh2_SOURCES = ssh2.c --endif - - ctests = simple$(EXEEXT) - TESTS = $(ctests) mansyntax.sh --if SSHD - TESTS += ssh2.sh --endif - check_PROGRAMS = $(ctests) - - TESTS_ENVIRONMENT = SSHD=$(SSHD) EXEEXT=$(EXEEXT) -@@ -38,4 +34,4 @@ if OPENSSL - # EXTRA_DIST += test_public_key_auth_succeeds_with_correct_encrypted_ed25519_key.c - # EXTRA_DIST += test_public_key_auth_succeeds_with_correct_ed25519_key_from_mem.c - EXTRA_DIST += test_public_key_auth_succeeds_with_correct_rsa_openssh_key.c --endif -\ No newline at end of file -+endif diff --git a/poky/meta/recipes-support/libssh2/libssh2/fix-ssh2-test.patch b/poky/meta/recipes-support/libssh2/libssh2/fix-ssh2-test.patch new file mode 100644 index 0000000000..ee916c42d4 --- /dev/null +++ b/poky/meta/recipes-support/libssh2/libssh2/fix-ssh2-test.patch @@ -0,0 +1,23 @@ +In 8.8 OpenSSH disabled sha1 rsa-sha keys out of the box, +so we need to re-enable them as a workaround for the test +suite until upstream updates the tests. + +See: https://github.com/libssh2/libssh2/issues/630 + +Upstream-Status: Backport [alternative fixes merged upstream] + +Patch taken from https://github.com/mirror-rpm/libssh2/commit/47f7114f7d0780f3075bad51a71881f45cc933c5 + +--- a/tests/ssh2.sh ++++ b/tests/ssh2.sh +@@ -25,7 +25,8 @@ $SSHD -f /dev/null -h "$srcdir"/etc/host + -o 'Port 4711' \ + -o 'Protocol 2' \ + -o "AuthorizedKeysFile $srcdir/etc/user.pub" \ +- -o 'UsePrivilegeSeparation no' \ ++ -o 'HostKeyAlgorithms +ssh-rsa' \ ++ -o 'PubkeyAcceptedAlgorithms +ssh-rsa' \ + -o 'StrictModes no' \ + -D \ + $libssh2_sshd_params & + diff --git a/poky/meta/recipes-support/libssh2/files/run-ptest b/poky/meta/recipes-support/libssh2/libssh2/run-ptest index 9e2fce2d24..5e7426f79d 100644 --- a/poky/meta/recipes-support/libssh2/files/run-ptest +++ b/poky/meta/recipes-support/libssh2/libssh2/run-ptest @@ -2,8 +2,7 @@ ptestdir=$(dirname "$(readlink -f "$0")") cd tests -# omit ssh2.sh until https://github.com/libssh2/libssh2/issues/630 is fixed -for test in simple mansyntax.sh +for test in simple mansyntax.sh ssh2.sh do ./../test-driver --test-name $test --log-file ../$test.log --trs-file ../$test.trs --color-tests no --enable-hard-errors yes --expect-failure no -- ./$test done diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb index 072d6819c0..d5513373b0 100644 --- a/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb +++ b/poky/meta/recipes-support/libssh2/libssh2_1.10.0.bb @@ -8,11 +8,10 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=3e089ad0cf27edf1e7f261dfcd06acc7" SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \ + file://fix-ssh2-test.patch \ file://run-ptest \ " -SRC_URI:append:ptest = " file://0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch" - SRC_URI[sha256sum] = "2d64e90f3ded394b91d3a2e774ca203a4179f69aebee03003e5a6fa621e41d51" inherit autotools pkgconfig ptest diff --git a/poky/meta/recipes-support/libusb/libusb1/0001-configure.ac-Link-with-latomic-only-if-no-atomic-bui.patch b/poky/meta/recipes-support/libusb/libusb1/0001-configure.ac-Link-with-latomic-only-if-no-atomic-bui.patch new file mode 100644 index 0000000000..3c223e0822 --- /dev/null +++ b/poky/meta/recipes-support/libusb/libusb1/0001-configure.ac-Link-with-latomic-only-if-no-atomic-bui.patch @@ -0,0 +1,46 @@ +From 95e601ce116dd46ea7915c171976b85ea0905d58 Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lonnie@abelbeck.com> +Date: Sun, 8 May 2022 14:05:56 -0500 +Subject: [PATCH] configure.ac: Link with -latomic only if no atomic builtins + +Follow-up to 561dbda, a check of GCC atomic builtins needs to be done +first. + +I'm no autoconf guru, but using this: +https://github.com/mesa3d/mesa/blob/0df485c285b73c34ba9062f0c27e55c3c702930d/configure.ac#L469 +as inspiration, I created a pre-check before calling AC_SEARCH_LIBS(...) + +Fixes #1135 +Closes #1139 +Upstream-Status: Backport [https://github.com/kraj/libusb/commit/95e601ce116dd46ea7915c171976b85ea0905d58] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + configure.ac | 16 +++++++++++++++- + libusb/version_nano.h | 2 +- + 2 files changed, 16 insertions(+), 2 deletions(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -153,7 +153,21 @@ if test "x$platform" = xposix; then + AC_SEARCH_LIBS([pthread_create], [pthread], + [test "x$ac_cv_search_pthread_create" != "xnone required" && AC_SUBST(THREAD_LIBS, [-lpthread])], + [], []) +- AC_SEARCH_LIBS([__atomic_fetch_add_4], [atomic]) ++ dnl Check for new-style atomic builtins. We first check without linking to -latomic. ++ AC_MSG_CHECKING(whether __atomic_load_n is supported) ++ AC_LINK_IFELSE([AC_LANG_SOURCE([[ ++ #include <stdint.h> ++ int main() { ++ struct { ++ uint64_t *v; ++ } x; ++ return (int)__atomic_load_n(x.v, __ATOMIC_ACQUIRE) & ++ (int)__atomic_add_fetch(x.v, (uint64_t)1, __ATOMIC_ACQ_REL); ++ }]])], GCC_ATOMIC_BUILTINS_SUPPORTED=yes, GCC_ATOMIC_BUILTINS_SUPPORTED=no) ++ AC_MSG_RESULT($GCC_ATOMIC_BUILTINS_SUPPORTED) ++ if test "x$GCC_ATOMIC_BUILTINS_SUPPORTED" != xyes; then ++ AC_SEARCH_LIBS([__atomic_fetch_add_4], [atomic]) ++ fi + elif test "x$platform" = xwindows; then + AC_DEFINE([PLATFORM_WINDOWS], [1], [Define to 1 if compiling for a Windows platform.]) + else diff --git a/poky/meta/recipes-support/libusb/libusb1_1.0.26.bb b/poky/meta/recipes-support/libusb/libusb1_1.0.26.bb index fd63e7adc2..18ab612d13 100644 --- a/poky/meta/recipes-support/libusb/libusb1_1.0.26.bb +++ b/poky/meta/recipes-support/libusb/libusb1_1.0.26.bb @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" BBCLASSEXTEND = "native nativesdk" SRC_URI = "https://github.com/libusb/libusb/releases/download/v${PV}/libusb-${PV}.tar.bz2 \ + file://0001-configure.ac-Link-with-latomic-only-if-no-atomic-bui.patch \ file://run-ptest \ " @@ -34,12 +35,12 @@ do_install:append() { fi } -do_compile_ptest() { - oe_runmake -C tests stress -} - -do_install_ptest() { - install -m 755 ${B}/tests/.libs/stress ${D}${PTEST_PATH} +do_compile_ptest() { + oe_runmake -C tests stress +} + +do_install_ptest() { + install -m 755 ${B}/tests/.libs/stress ${D}${PTEST_PATH} } FILES:${PN} += "${base_libdir}/*.so.*" diff --git a/poky/meta/recipes-support/mpfr/mpfr_4.1.0.bb b/poky/meta/recipes-support/mpfr/mpfr_4.1.1.bb index 2121dad57c..f531a88961 100644 --- a/poky/meta/recipes-support/mpfr/mpfr_4.1.0.bb +++ b/poky/meta/recipes-support/mpfr/mpfr_4.1.1.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1ebbd3e34237af26da5dc08a4e440464 \ DEPENDS = "gmp autoconf-archive" SRC_URI = "https://www.mpfr.org/mpfr-${PV}/mpfr-${PV}.tar.xz" -SRC_URI[sha256sum] = "0c98a3f1732ff6ca4ea690552079da9c597872d30e96ec28414ee23c95558a7f" +SRC_URI[sha256sum] = "ffd195bd567dbaffc3b98b23fd00aad0537680c9896171e44fe3ff79e28ac33d" UPSTREAM_CHECK_URI = "http://www.mpfr.org/mpfr-current/" diff --git a/poky/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb b/poky/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb index 58ce08084d..becacd4502 100644 --- a/poky/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb +++ b/poky/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb @@ -19,6 +19,10 @@ PACKAGECONFIG[manpages] = "" # first place EXTRA_OECMAKE = "-DENABLE_EXAMPLES=OFF -DENABLE_APP=OFF -DENABLE_HPACK_TOOLS=OFF" +# Do not let configure try to decide this. +# +EXTRA_OECMAKE += "-DENABLE_PYTHON_BINDINGS=OFF" + PACKAGES =+ "lib${BPN} ${PN}-client ${PN}-proxy ${PN}-server" RDEPENDS:${PN} = "${PN}-client (>= ${PV}) ${PN}-proxy (>= ${PV}) ${PN}-server (>= ${PV})" diff --git a/poky/meta/recipes-support/numactl/numactl/Fix-the-test-output-format.patch b/poky/meta/recipes-support/numactl/numactl/Fix-the-test-output-format.patch index 9812ecc8b3..a7bc8d322e 100644 --- a/poky/meta/recipes-support/numactl/numactl/Fix-the-test-output-format.patch +++ b/poky/meta/recipes-support/numactl/numactl/Fix-the-test-output-format.patch @@ -7,6 +7,7 @@ Upstream-Status: Pending Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> --- test/regress | 6 +++--- test/regress2 | 11 +++++------ @@ -20,7 +21,7 @@ index 2ce1705..d086a47 100755 if [ $numnodes -lt 2 ] ; then echo "need at least two nodes with at least $NEEDPAGES each of" echo "free memory for mempolicy regression tests" -+ echo "FAIL: numa regress" ++ echo "SKIP: numa regress" exit 77 # Skip test fi } diff --git a/poky/meta/recipes-support/numactl/numactl/run-ptest b/poky/meta/recipes-support/numactl/numactl/run-ptest index bf269da755..e019b0d364 100755 --- a/poky/meta/recipes-support/numactl/numactl/run-ptest +++ b/poky/meta/recipes-support/numactl/numactl/run-ptest @@ -8,7 +8,11 @@ if ! numactl -s | grep -q "No NUMA support available on this system."; then if numademo -t -e 10M; then echo "PASS: numademo" else - echo "FAIL: numademo" + if [ "$?" = 77 ] ; then + echo "SKIP: numademo" + else + echo "FAIL: numademo" + fi fi else echo "SKIP: ./../test/bind_range" diff --git a/poky/meta/recipes-support/numactl/numactl_git.bb b/poky/meta/recipes-support/numactl/numactl_git.bb index 93547ea239..23be0a3b4f 100644 --- a/poky/meta/recipes-support/numactl/numactl_git.bb +++ b/poky/meta/recipes-support/numactl/numactl_git.bb @@ -8,10 +8,10 @@ SECTION = "apps" inherit autotools-brokensep ptest -LIC_FILES_CHKSUM = "file://README.md;beginline=19;endline=32;md5=f8ff2391624f28e481299f3f677b21bb" +LIC_FILES_CHKSUM = "file://README.md;beginline=19;endline=32;md5=9f34c3af4ed6f3f5df0da5f3c0835a43" -SRCREV = "dd6de072c92c892a86e18c0fd0dfa1ba57a9a05d" -PV = "2.0.14" +SRCREV = "10285f1a1bad49306839b2c463936460b604e3ea" +PV = "2.0.16" SRC_URI = "git://github.com/numactl/numactl;branch=master;protocol=https \ file://Fix-the-test-output-format.patch \ diff --git a/poky/meta/recipes-support/sqlite/files/CVE-2022-46908.patch b/poky/meta/recipes-support/sqlite/files/CVE-2022-46908.patch new file mode 100644 index 0000000000..38bd544838 --- /dev/null +++ b/poky/meta/recipes-support/sqlite/files/CVE-2022-46908.patch @@ -0,0 +1,39 @@ +From 1b779afa3ed2f35a110e460fc6ed13cba744db85 2022-12-05 02:52:37 UTC +From: larrybr <larrybr@sqlite.org> +Date: 2022-12-05 02:52:37 UTC +Subject: [PATCH] Fix safe mode authorizer callback to reject disallowed UDFs + +Fix safe mode authorizer callback to reject disallowed UDFs. Reported at Forum post 07beac8056151b2f. + +Upstream-Status: Backport [https://sqlite.org/src/info/cefc032473ac5ad2] +CVE-2022-46908 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + shell.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shell.c b/shell.c +index d104768..0200c0a 100644 +--- a/shell.c ++++ b/shell.c +@@ -12894,7 +12894,7 @@ static int safeModeAuth( + "zipfile", + "zipfile_cds", + }; +- UNUSED_PARAMETER(zA2); ++ UNUSED_PARAMETER(zA1); + UNUSED_PARAMETER(zA3); + UNUSED_PARAMETER(zA4); + switch( op ){ +@@ -12905,7 +12905,7 @@ static int safeModeAuth( + case SQLITE_FUNCTION: { + int i; + for(i=0; i<ArraySize(azProhibitedFunctions); i++){ +- if( sqlite3_stricmp(zA1, azProhibitedFunctions[i])==0 ){ ++ if( sqlite3_stricmp(zA2, azProhibitedFunctions[i])==0 ){ + failIfSafeMode(p, "cannot use the %s() function in safe mode", + azProhibitedFunctions[i]); + } +-- +2.30.2 + diff --git a/poky/meta/recipes-support/sqlite/sqlite3_3.38.5.bb b/poky/meta/recipes-support/sqlite/sqlite3_3.38.5.bb index 628f630657..313c15dff4 100644 --- a/poky/meta/recipes-support/sqlite/sqlite3_3.38.5.bb +++ b/poky/meta/recipes-support/sqlite/sqlite3_3.38.5.bb @@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch \ + file://CVE-2022-46908.patch \ " SRC_URI[sha256sum] = "5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c" diff --git a/poky/meta/recipes-support/vim/vim.inc b/poky/meta/recipes-support/vim/vim.inc index cbc370100b..1e27415288 100644 --- a/poky/meta/recipes-support/vim/vim.inc +++ b/poky/meta/recipes-support/vim/vim.inc @@ -10,8 +10,7 @@ DEPENDS = "ncurses gettext-native" RSUGGESTS:${PN} = "diffutils" LICENSE = "Vim" -LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99 \ - file://runtime/doc/uganda.txt;md5=001ef779f422a0e9106d428c84495b4d" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99" SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://disable_acl_header_check.patch \ @@ -20,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://no-path-adjust.patch \ " -PV .= ".0598" -SRCREV = "8279af514ca7e5fd3c31cf13b0864163d1a0bfeb" +PV .= ".1429" +SRCREV = "1a08a3e2a584889f19b84a27672134649b73da58" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1" @@ -33,7 +32,7 @@ S = "${WORKDIR}/git" VIMDIR = "vim${@d.getVar('PV').split('.')[0]}${@d.getVar('PV').split('.')[1]}" -inherit autotools-brokensep update-alternatives mime-xdg +inherit autotools-brokensep update-alternatives mime-xdg pkgconfig CLEANBROKEN = "1" @@ -82,6 +81,7 @@ EXTRA_OECONF = " \ --disable-netbeans \ --disable-desktop-database-update \ --with-tlib=ncurses \ + --with-modified-by='${MAINTAINER}' \ ac_cv_small_wchar_t=no \ ac_cv_path_GLIB_COMPILE_RESOURCES=no \ vim_cv_getcwd_broken=no \ |