From 6d0370f674eb3a66474517d976b205f08ecd2e8c Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Sat, 6 Mar 2021 10:58:33 +0000 Subject: [PATCH 01/29] bitbake: runqueue: Fix rare task racing issue In rare cases a setscene task may get marked as covered before it's parents are handled leading to strange failures as dependent tasks execute instead of being skipped. Ensure 'covered' tasks are only marked as such when the parent dependencies have been processed. (Bitbake rev: 3a3869f2bdc312591d24b189948d49c9f6c6ddec) Signed-off-by: Richard Purdie --- bitbake/lib/bb/runqueue.py | 38 ++++++++------------------------------ 1 file changed, 8 insertions(+), 30 deletions(-) diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py index 6c41fe6d43..ba800fc4df 100644 --- a/bitbake/lib/bb/runqueue.py +++ b/bitbake/lib/bb/runqueue.py @@ -1750,7 +1750,6 @@ def __init__(self, rq): self.scenequeue_covered = set() # List of tasks which are covered (including setscene ones) self.tasks_covered = set() - self.tasks_scenequeue_done = set() self.scenequeue_notcovered = set() self.tasks_notcovered = set() self.scenequeue_notneeded = set() @@ -1981,9 +1980,6 @@ def summarise_scenequeue_errors(self): if x not in self.tasks_covered and x not in self.tasks_notcovered: logger.error("Task %s was never moved from the setscene queue" % x) err = True - if x not in self.tasks_scenequeue_done: - logger.error("Task %s was never processed by the setscene code" % x) - err = True if len(self.rqdata.runtaskentries[x].depends) == 0 and x not in self.runq_buildable: logger.error("Task %s was never marked as buildable by the setscene code" % x) err = True @@ -2253,13 +2249,17 @@ def update_holdofftasks(self): for tid in self.scenequeue_notcovered: notcovered |= self.sqdata.sq_covered_tasks[tid] notcovered |= self.sqdata.unskippable.difference(self.rqdata.runq_setscene_tids) - notcovered.intersection_update(self.tasks_scenequeue_done) - covered = set(self.scenequeue_covered) + covered = set() for tid in self.scenequeue_covered: - covered |= self.sqdata.sq_covered_tasks[tid] + if self.sqdata.sq_revdeps[tid].issubset(self.scenequeue_notcovered | self.scenequeue_covered): + covered.add(tid) + covered |= self.sqdata.sq_covered_tasks[tid] covered.difference_update(notcovered) - covered.intersection_update(self.tasks_scenequeue_done) + + # Need to remove any covered_tasks from covered that haven't run yet + for tid in self.rqdata.runq_setscene_tids.difference(self.scenequeue_notcovered | self.scenequeue_covered): + covered.difference_update(self.sqdata.sq_covered_tasks[tid]) for tid in notcovered | covered: if len(self.rqdata.runtaskentries[tid].depends) == 0: @@ -2393,8 +2393,6 @@ def process_possible_migrations(self): self.pending_migrations.remove(tid) changed = True - if tid in self.tasks_scenequeue_done: - self.tasks_scenequeue_done.remove(tid) for dep in self.sqdata.sq_covered_tasks[tid]: if dep in self.runq_complete and dep not in self.runq_tasksrun: bb.error("Task %s marked as completed but now needing to rerun? Aborting build." % dep) @@ -2402,10 +2400,6 @@ def process_possible_migrations(self): self.rq.state = runQueueCleanUp return - if dep not in self.runq_complete: - if dep in self.tasks_scenequeue_done and dep not in self.sqdata.unskippable: - self.tasks_scenequeue_done.remove(dep) - if tid in self.sq_buildable: self.sq_buildable.remove(tid) if tid in self.sq_running: @@ -2471,20 +2465,6 @@ def scenequeue_updatecounters(self, task, fail=False): if dep not in self.sq_buildable: self.sq_buildable.add(dep) - next = set([task]) - while next: - new = set() - for t in sorted(next): - self.tasks_scenequeue_done.add(t) - # Look down the dependency chain for non-setscene things which this task depends on - # and mark as 'done' - for dep in self.rqdata.runtaskentries[t].depends: - if dep in self.rqdata.runq_setscene_tids or dep in self.tasks_scenequeue_done: - continue - if self.rqdata.runtaskentries[dep].revdeps.issubset(self.tasks_scenequeue_done): - new.add(dep) - next = new - self.holdoff_need_update = True def sq_task_completeoutright(self, task): @@ -2704,8 +2684,6 @@ def process_endpoints(endpoints): if sqdata.unskippable != orig: new = True - sqrq.tasks_scenequeue_done |= sqdata.unskippable.difference(rqdata.runq_setscene_tids) - rqdata.init_progress_reporter.next_stage(len(rqdata.runtaskentries)) # Sanity check all dependencies could be changed to setscene task references From da1d4b01782f62760c6c6a2fa1ec300ae980fb18 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Mon, 8 Mar 2021 17:36:00 +0000 Subject: [PATCH 02/29] bitbake: Revert "runqueue: Fix rare task racing issue" This reverts commit bcb15f46421281a4ab16b165b8b68e0d5315935c. Signed-off-by: Richard Purdie --- bitbake/lib/bb/runqueue.py | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py index ba800fc4df..6c41fe6d43 100644 --- a/bitbake/lib/bb/runqueue.py +++ b/bitbake/lib/bb/runqueue.py @@ -1750,6 +1750,7 @@ def __init__(self, rq): self.scenequeue_covered = set() # List of tasks which are covered (including setscene ones) self.tasks_covered = set() + self.tasks_scenequeue_done = set() self.scenequeue_notcovered = set() self.tasks_notcovered = set() self.scenequeue_notneeded = set() @@ -1980,6 +1981,9 @@ def summarise_scenequeue_errors(self): if x not in self.tasks_covered and x not in self.tasks_notcovered: logger.error("Task %s was never moved from the setscene queue" % x) err = True + if x not in self.tasks_scenequeue_done: + logger.error("Task %s was never processed by the setscene code" % x) + err = True if len(self.rqdata.runtaskentries[x].depends) == 0 and x not in self.runq_buildable: logger.error("Task %s was never marked as buildable by the setscene code" % x) err = True @@ -2249,17 +2253,13 @@ def update_holdofftasks(self): for tid in self.scenequeue_notcovered: notcovered |= self.sqdata.sq_covered_tasks[tid] notcovered |= self.sqdata.unskippable.difference(self.rqdata.runq_setscene_tids) + notcovered.intersection_update(self.tasks_scenequeue_done) - covered = set() + covered = set(self.scenequeue_covered) for tid in self.scenequeue_covered: - if self.sqdata.sq_revdeps[tid].issubset(self.scenequeue_notcovered | self.scenequeue_covered): - covered.add(tid) - covered |= self.sqdata.sq_covered_tasks[tid] + covered |= self.sqdata.sq_covered_tasks[tid] covered.difference_update(notcovered) - - # Need to remove any covered_tasks from covered that haven't run yet - for tid in self.rqdata.runq_setscene_tids.difference(self.scenequeue_notcovered | self.scenequeue_covered): - covered.difference_update(self.sqdata.sq_covered_tasks[tid]) + covered.intersection_update(self.tasks_scenequeue_done) for tid in notcovered | covered: if len(self.rqdata.runtaskentries[tid].depends) == 0: @@ -2393,6 +2393,8 @@ def process_possible_migrations(self): self.pending_migrations.remove(tid) changed = True + if tid in self.tasks_scenequeue_done: + self.tasks_scenequeue_done.remove(tid) for dep in self.sqdata.sq_covered_tasks[tid]: if dep in self.runq_complete and dep not in self.runq_tasksrun: bb.error("Task %s marked as completed but now needing to rerun? Aborting build." % dep) @@ -2400,6 +2402,10 @@ def process_possible_migrations(self): self.rq.state = runQueueCleanUp return + if dep not in self.runq_complete: + if dep in self.tasks_scenequeue_done and dep not in self.sqdata.unskippable: + self.tasks_scenequeue_done.remove(dep) + if tid in self.sq_buildable: self.sq_buildable.remove(tid) if tid in self.sq_running: @@ -2465,6 +2471,20 @@ def scenequeue_updatecounters(self, task, fail=False): if dep not in self.sq_buildable: self.sq_buildable.add(dep) + next = set([task]) + while next: + new = set() + for t in sorted(next): + self.tasks_scenequeue_done.add(t) + # Look down the dependency chain for non-setscene things which this task depends on + # and mark as 'done' + for dep in self.rqdata.runtaskentries[t].depends: + if dep in self.rqdata.runq_setscene_tids or dep in self.tasks_scenequeue_done: + continue + if self.rqdata.runtaskentries[dep].revdeps.issubset(self.tasks_scenequeue_done): + new.add(dep) + next = new + self.holdoff_need_update = True def sq_task_completeoutright(self, task): @@ -2684,6 +2704,8 @@ def process_endpoints(endpoints): if sqdata.unskippable != orig: new = True + sqrq.tasks_scenequeue_done |= sqdata.unskippable.difference(rqdata.runq_setscene_tids) + rqdata.init_progress_reporter.next_stage(len(rqdata.runtaskentries)) # Sanity check all dependencies could be changed to setscene task references From 18acc8a8ce078c3eef2488903c804c666b54cdd0 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Sun, 4 Apr 2021 11:24:23 +0100 Subject: [PATCH 03/29] bitbake: server/process: Add debug output at server delays of 10s (Bitbake rev: 5fd89ad94dad4b45e902489a74182db19fb0c291) Signed-off-by: Richard Purdie --- bitbake/lib/bb/server/process.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bitbake/lib/bb/server/process.py b/bitbake/lib/bb/server/process.py index 3e99bcef8f..4db176f9d7 100644 --- a/bitbake/lib/bb/server/process.py +++ b/bitbake/lib/bb/server/process.py @@ -392,6 +392,11 @@ def __init__(self, connection, recv): def runCommand(self, command): self.connection.send(command) + if not self.recv.poll(10): + logger.info("No reply from server in 10s") + poutput = subprocess.check_output("ps ax", stderr=subprocess.STDOUT, shell=True) + logger.info("Processes:\n%s\n" % poutput.decode("utf-8")) + raise ProcessTimeout("Timeout while waiting for a reply from the bitbake server (10s)") if not self.recv.poll(30): logger.info("No reply from server in 30s") if not self.recv.poll(30): From c622ea3025302bc773dcc09ca47926b38397a27b Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Mon, 5 Apr 2021 00:02:20 +0100 Subject: [PATCH 04/29] bitbake: Revert "server/process: Add debug output at server delays of 10s" This reverts commit 26add3b6f510c53ebbbe9f5d984bd0e9e4a40704. Signed-off-by: Richard Purdie --- bitbake/lib/bb/server/process.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/bitbake/lib/bb/server/process.py b/bitbake/lib/bb/server/process.py index 4db176f9d7..3e99bcef8f 100644 --- a/bitbake/lib/bb/server/process.py +++ b/bitbake/lib/bb/server/process.py @@ -392,11 +392,6 @@ def __init__(self, connection, recv): def runCommand(self, command): self.connection.send(command) - if not self.recv.poll(10): - logger.info("No reply from server in 10s") - poutput = subprocess.check_output("ps ax", stderr=subprocess.STDOUT, shell=True) - logger.info("Processes:\n%s\n" % poutput.decode("utf-8")) - raise ProcessTimeout("Timeout while waiting for a reply from the bitbake server (10s)") if not self.recv.poll(30): logger.info("No reply from server in 30s") if not self.recv.poll(30): From e77405e97ddefc0aeac2be7a4ca066b84355df2c Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Thu, 6 May 2021 15:01:05 +0100 Subject: [PATCH 05/29] bitbake: runqueue: Improve multiconfig deferred task issues The previous patches have exposed new issues with this code path, the issues being around what should happen when the hash of a task changes and the task is or is not on the deferred task list. Rather than rebuilding the deferred task list during each rehash event, build it once at the start of a build. This avoids the problem of tasks being added back after they have run and also avoids problems of always ensuring the same task is deferred. It also allows the 'outrightfail' codepath to be handled separately as the conditions are subtly differnt. One significant win for the new approch is the build is not continually printing out lists of deferred tasks, that list remains fairly static from the start of the build. Logic is added in to ensure a rehashed task with a hash matching other deferred tasks is deferred along with them as a small optimization. An interesting test case for this code was reported by Mark Hatle with four multiconfigs, each the same apart from TMPDIR and running a build of: bitbake buildtools-tarball mc:{one,two,three,four}:core-image-minimal which is interesting in that the build of buildtools partially overlaps core-image-minimal and the build has a rehash event for qemuwrapper-cross even without any external hash equivalence server or preexisting data. (Bitbake rev: 4b3326c7f08fdb74f6848a4b28e54f085f8fe966) Signed-off-by: Richard Purdie --- bitbake/lib/bb/runqueue.py | 56 ++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 26 deletions(-) diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py index 6c41fe6d43..88983eba1a 100644 --- a/bitbake/lib/bb/runqueue.py +++ b/bitbake/lib/bb/runqueue.py @@ -2443,6 +2443,11 @@ def process_possible_migrations(self): if update_tasks: self.sqdone = False + for tid in [t[0] for t in update_tasks]: + h = pending_hash_index(tid, self.rqdata) + if h in self.sqdata.hashes and tid != self.sqdata.hashes[h]: + self.sq_deferred[tid] = self.sqdata.hashes[h] + bb.note("Deferring %s after %s" % (tid, self.sqdata.hashes[h])) update_scenequeue_data([t[0] for t in update_tasks], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False) for (tid, harddepfail, origvalid) in update_tasks: @@ -2786,6 +2791,19 @@ def process_endpoints(endpoints): sqdata.stamppresent = set() sqdata.valid = set() + sqdata.hashes = {} + sqrq.sq_deferred = {} + for mc in sorted(sqdata.multiconfigs): + for tid in sorted(sqdata.sq_revdeps): + if mc_from_tid(tid) != mc: + continue + h = pending_hash_index(tid, rqdata) + if h not in sqdata.hashes: + sqdata.hashes[h] = tid + else: + sqrq.sq_deferred[tid] = sqdata.hashes[h] + bb.note("Deferring %s after %s" % (tid, sqdata.hashes[h])) + update_scenequeue_data(sqdata.sq_revdeps, sqdata, rqdata, rq, cooker, stampcache, sqrq, summary=True) # Compute a list of 'stale' sstate tasks where the current hash does not match the one @@ -2850,32 +2868,18 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary) - sqdata.hashes = {} - sqrq.sq_deferred = {} - for mc in sorted(sqdata.multiconfigs): - for tid in sorted(sqdata.sq_revdeps): - if mc_from_tid(tid) != mc: - continue - if tid in sqdata.stamppresent: - continue - if tid in sqdata.valid: - continue - if tid in sqdata.noexec: - continue - if tid in sqrq.scenequeue_notcovered: - continue - if tid in sqrq.scenequeue_covered: - continue - - h = pending_hash_index(tid, rqdata) - if h not in sqdata.hashes: - if tid in tids: - sqdata.outrightfail.add(tid) - sqdata.hashes[h] = tid - else: - sqrq.sq_deferred[tid] = sqdata.hashes[h] - bb.note("Deferring %s after %s" % (tid, sqdata.hashes[h])) - + for tid in tids: + if tid in sqdata.stamppresent: + continue + if tid in sqdata.valid: + continue + if tid in sqdata.noexec: + continue + if tid in sqrq.scenequeue_covered: + continue + if tid in sqrq.sq_deferred: + continue + sqdata.outrightfail.add(tid) class TaskFailure(Exception): """ From 5f46538f3bda4b5b3a5394212174220b59c287ee Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Sun, 9 May 2021 17:21:13 +0100 Subject: [PATCH 06/29] bitbake: runqueue: fixup? (Bitbake rev: 398dad3c461924d257d414397c1c91fcc02af22b) Signed-off-by: Richard Purdie --- bitbake/lib/bb/runqueue.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bitbake/lib/bb/runqueue.py b/bitbake/lib/bb/runqueue.py index 88983eba1a..25e012125c 100644 --- a/bitbake/lib/bb/runqueue.py +++ b/bitbake/lib/bb/runqueue.py @@ -2877,6 +2877,8 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s continue if tid in sqrq.scenequeue_covered: continue + if tid in sqrq.scenequeue_notcovered: + continue if tid in sqrq.sq_deferred: continue sqdata.outrightfail.add(tid) From 6c312a12e982d3b43221ef42416105936b1e2d8f Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 5 May 2021 17:17:54 +0200 Subject: [PATCH 07/29] u-boot: upgrade 2021.01 -> 2021.04 (From OE-Core rev: d75dd9a03065c80d4ee7493552fc29ffd5f7f4ed) Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie --- .../files/0001-add-valid-fdt-check.patch | 36 -- .../u-boot/files/CVE-2021-27097-1.patch | 71 --- .../u-boot/files/CVE-2021-27097-2.patch | 419 ------------------ .../u-boot/files/CVE-2021-27097-3.patch | 105 ----- .../u-boot/files/CVE-2021-27097-4.patch | 73 --- .../u-boot/files/CVE-2021-27138-1.patch | 245 ---------- .../u-boot/files/CVE-2021-27138-2.patch | 109 ----- meta/recipes-bsp/u-boot/u-boot-common.inc | 9 +- ...ols_2021.01.bb => u-boot-tools_2021.04.bb} | 0 .../{u-boot_2021.01.bb => u-boot_2021.04.bb} | 0 10 files changed, 1 insertion(+), 1066 deletions(-) delete mode 100644 meta/recipes-bsp/u-boot/files/0001-add-valid-fdt-check.patch delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27097-2.patch delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27097-4.patch delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27138-1.patch delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch rename meta/recipes-bsp/u-boot/{u-boot-tools_2021.01.bb => u-boot-tools_2021.04.bb} (100%) rename meta/recipes-bsp/u-boot/{u-boot_2021.01.bb => u-boot_2021.04.bb} (100%) diff --git a/meta/recipes-bsp/u-boot/files/0001-add-valid-fdt-check.patch b/meta/recipes-bsp/u-boot/files/0001-add-valid-fdt-check.patch deleted file mode 100644 index d4ac9e2ed9..0000000000 --- a/meta/recipes-bsp/u-boot/files/0001-add-valid-fdt-check.patch +++ /dev/null @@ -1,36 +0,0 @@ -From ea1a9ec5f430359720d9a0621ed1acfbba6a142a Mon Sep 17 00:00:00 2001 -From: Heinrich Schuchardt -Date: Wed, 13 Jan 2021 02:09:12 +0100 -Subject: [PATCH] image-fit: fit_check_format check for valid FDT - -fit_check_format() must check that the buffer contains a flattened device -tree before calling any device tree library functions. - -Failure to do may cause segmentation faults. - -Signed-off-by: Heinrich Schuchardt - -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/ea1a9ec5f430359720d9a0621ed1acfbba6a142a] -Signed-off-by: Scott Murray - ---- - common/image-fit.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/common/image-fit.c b/common/image-fit.c -index 6a8787ca0a..21c44bdf69 100644 ---- a/common/image-fit.c -+++ b/common/image-fit.c -@@ -1553,6 +1553,12 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp) - */ - int fit_check_format(const void *fit) - { -+ /* A FIT image must be a valid FDT */ -+ if (fdt_check_header(fit)) { -+ debug("Wrong FIT format: not a flattened device tree\n"); -+ return 0; -+ } -+ - /* mandatory / node 'description' property */ - if (fdt_getprop(fit, 0, FIT_DESC_PROP, NULL) == NULL) { - debug("Wrong FIT format: no description\n"); diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch deleted file mode 100644 index 98ec2c709d..0000000000 --- a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-1.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 8a7d4cf9820ea16fabd25a6379351b4dc291204b Mon Sep 17 00:00:00 2001 -From: Simon Glass -Date: Mon, 15 Feb 2021 17:08:05 -0700 -Subject: [PATCH] fdt_region: Check for a single root node of the correct name - -At present fdt_find_regions() assumes that the FIT is a valid devicetree. -If the FIT has two root nodes this is currently not detected in this -function, nor does libfdt's fdt_check_full() notice. Also it is possible -for the root node to have a name even though it should not. - -Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is -detected. - -CVE-2021-27097 - -Signed-off-by: Simon Glass -Reported-by: Bruce Monroe -Reported-by: Arie Haenel -Reported-by: Julien Lenoir - -CVE: CVE-2021-27097 -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a7d4cf9820ea16fabd25a6379351b4dc291204b] -Signed-off-by: Scott Murray - ---- - common/fdt_region.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/common/fdt_region.c b/common/fdt_region.c -index ff12c518e9..e4ef0ca770 100644 ---- a/common/fdt_region.c -+++ b/common/fdt_region.c -@@ -43,6 +43,7 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, - int depth = -1; - int want = 0; - int base = fdt_off_dt_struct(fdt); -+ bool expect_end = false; - - end = path; - *end = '\0'; -@@ -59,6 +60,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, - tag = fdt_next_tag(fdt, offset, &nextoffset); - stop_at = nextoffset; - -+ /* If we see two root nodes, something is wrong */ -+ if (expect_end && tag != FDT_END) -+ return -FDT_ERR_BADLAYOUT; -+ - switch (tag) { - case FDT_PROP: - include = want >= 2; -@@ -81,6 +86,10 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, - if (depth == FDT_MAX_DEPTH) - return -FDT_ERR_BADSTRUCTURE; - name = fdt_get_name(fdt, offset, &len); -+ -+ /* The root node must have an empty name */ -+ if (!depth && *name) -+ return -FDT_ERR_BADLAYOUT; - if (end - path + 2 + len >= path_len) - return -FDT_ERR_NOSPACE; - if (end != path + 1) -@@ -108,6 +117,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, - while (end > path && *--end != '/') - ; - *end = '\0'; -+ if (depth == -1) -+ expect_end = true; - break; - - case FDT_END: diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-2.patch deleted file mode 100644 index b13c44e787..0000000000 --- a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-2.patch +++ /dev/null @@ -1,419 +0,0 @@ -From c5819701a3de61e2ba2ef7ad0b616565b32305e5 Mon Sep 17 00:00:00 2001 -From: Simon Glass -Date: Mon, 15 Feb 2021 17:08:09 -0700 -Subject: [PATCH] image: Adjust the workings of fit_check_format() - -At present this function does not accept a size for the FIT. This means -that it must be read from the FIT itself, introducing potential security -risk. Update the function to include a size parameter, which can be -invalid, in which case fit_check_format() calculates it. - -For now no callers pass the size, but this can be updated later. - -Also adjust the return value to an error code so that all the different -types of problems can be distinguished by the user. - -Signed-off-by: Simon Glass -Reported-by: Bruce Monroe -Reported-by: Arie Haenel -Reported-by: Julien Lenoir - -CVE: CVE-2021-27097 CVE-2021-27138 -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/c5819701a3de61e2ba2ef7ad0b616565b32305e5] -Signed-off-by: Scott Murray - ---- - arch/arm/cpu/armv8/sec_firmware.c | 2 +- - cmd/bootm.c | 6 ++--- - cmd/disk.c | 2 +- - cmd/fpga.c | 2 +- - cmd/nand.c | 2 +- - cmd/source.c | 2 +- - cmd/ximg.c | 2 +- - common/image-fdt.c | 2 +- - common/image-fit.c | 46 +++++++++++++++++--------------------- - common/splash_source.c | 6 ++--- - common/update.c | 4 ++-- - drivers/fpga/socfpga_arria10.c | 6 ++--- - drivers/net/fsl-mc/mc.c | 2 +- - drivers/net/pfe_eth/pfe_firmware.c | 2 +- - include/image.h | 21 ++++++++++++++++- - tools/fit_common.c | 3 ++- - tools/fit_image.c | 2 +- - tools/mkimage.h | 2 ++ - 18 files changed, 65 insertions(+), 49 deletions(-) - -diff --git a/arch/arm/cpu/armv8/sec_firmware.c b/arch/arm/cpu/armv8/sec_firmware.c -index bfc0fac3ef..0561f5efd1 100644 ---- a/arch/arm/cpu/armv8/sec_firmware.c -+++ b/arch/arm/cpu/armv8/sec_firmware.c -@@ -316,7 +316,7 @@ __weak bool sec_firmware_is_valid(const void *sec_firmware_img) - return false; - } - -- if (!fit_check_format(sec_firmware_img)) { -+ if (fit_check_format(sec_firmware_img, IMAGE_SIZE_INVAL)) { - printf("SEC Firmware: Bad firmware image (bad FIT header)\n"); - return false; - } -diff --git a/cmd/bootm.c b/cmd/bootm.c -index e6b0e04413..a0f823f968 100644 ---- a/cmd/bootm.c -+++ b/cmd/bootm.c -@@ -291,7 +291,7 @@ static int image_info(ulong addr) - case IMAGE_FORMAT_FIT: - puts(" FIT image found\n"); - -- if (!fit_check_format(hdr)) { -+ if (fit_check_format(hdr, IMAGE_SIZE_INVAL)) { - puts("Bad FIT image format!\n"); - unmap_sysmem(hdr); - return 1; -@@ -368,7 +368,7 @@ static int do_imls_nor(void) - #endif - #if defined(CONFIG_FIT) - case IMAGE_FORMAT_FIT: -- if (!fit_check_format(hdr)) -+ if (fit_check_format(hdr, IMAGE_SIZE_INVAL)) - goto next_sector; - - printf("FIT Image at %08lX:\n", (ulong)hdr); -@@ -448,7 +448,7 @@ static int nand_imls_fitimage(struct mtd_info *mtd, int nand_dev, loff_t off, - return ret; - } - -- if (!fit_check_format(imgdata)) { -+ if (fit_check_format(imgdata, IMAGE_SIZE_INVAL)) { - free(imgdata); - return 0; - } -diff --git a/cmd/disk.c b/cmd/disk.c -index 8060e753eb..3195db9127 100644 ---- a/cmd/disk.c -+++ b/cmd/disk.c -@@ -114,7 +114,7 @@ int common_diskboot(struct cmd_tbl *cmdtp, const char *intf, int argc, - /* This cannot be done earlier, - * we need complete FIT image in RAM first */ - if (genimg_get_format((void *) addr) == IMAGE_FORMAT_FIT) { -- if (!fit_check_format(fit_hdr)) { -+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) { - bootstage_error(BOOTSTAGE_ID_IDE_FIT_READ); - puts("** Bad FIT image format\n"); - return 1; -diff --git a/cmd/fpga.c b/cmd/fpga.c -index 8ae1c936fb..51410a8e42 100644 ---- a/cmd/fpga.c -+++ b/cmd/fpga.c -@@ -330,7 +330,7 @@ static int do_fpga_loadmk(struct cmd_tbl *cmdtp, int flag, int argc, - return CMD_RET_FAILURE; - } - -- if (!fit_check_format(fit_hdr)) { -+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) { - puts("Bad FIT image format\n"); - return CMD_RET_FAILURE; - } -diff --git a/cmd/nand.c b/cmd/nand.c -index 92d039af8f..97e117a979 100644 ---- a/cmd/nand.c -+++ b/cmd/nand.c -@@ -917,7 +917,7 @@ static int nand_load_image(struct cmd_tbl *cmdtp, struct mtd_info *mtd, - #if defined(CONFIG_FIT) - /* This cannot be done earlier, we need complete FIT image in RAM first */ - if (genimg_get_format ((void *)addr) == IMAGE_FORMAT_FIT) { -- if (!fit_check_format (fit_hdr)) { -+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) { - bootstage_error(BOOTSTAGE_ID_NAND_FIT_READ); - puts ("** Bad FIT image format\n"); - return 1; -diff --git a/cmd/source.c b/cmd/source.c -index b6c709a3d2..71f71528ad 100644 ---- a/cmd/source.c -+++ b/cmd/source.c -@@ -107,7 +107,7 @@ int image_source_script(ulong addr, const char *fit_uname) - #if defined(CONFIG_FIT) - case IMAGE_FORMAT_FIT: - fit_hdr = buf; -- if (!fit_check_format (fit_hdr)) { -+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) { - puts ("Bad FIT image format\n"); - return 1; - } -diff --git a/cmd/ximg.c b/cmd/ximg.c -index 159ba51648..ef738ebfa2 100644 ---- a/cmd/ximg.c -+++ b/cmd/ximg.c -@@ -136,7 +136,7 @@ do_imgextract(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) - "at %08lx ...\n", uname, addr); - - fit_hdr = (const void *)addr; -- if (!fit_check_format(fit_hdr)) { -+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) { - puts("Bad FIT image format\n"); - return 1; - } -diff --git a/common/image-fdt.c b/common/image-fdt.c -index 327a8c4c39..4105259212 100644 ---- a/common/image-fdt.c -+++ b/common/image-fdt.c -@@ -399,7 +399,7 @@ int boot_get_fdt(int flag, int argc, char *const argv[], uint8_t arch, - */ - #if CONFIG_IS_ENABLED(FIT) - /* check FDT blob vs FIT blob */ -- if (fit_check_format(buf)) { -+ if (!fit_check_format(buf, IMAGE_SIZE_INVAL)) { - ulong load, len; - - fdt_noffset = boot_get_fdt_fit(images, -diff --git a/common/image-fit.c b/common/image-fit.c -index 9637d747fb..402f08fc9d 100644 ---- a/common/image-fit.c -+++ b/common/image-fit.c -@@ -8,6 +8,8 @@ - * Wolfgang Denk, DENX Software Engineering, wd@denx.de. - */ - -+#define LOG_CATEGORY LOGC_BOOT -+ - #ifdef USE_HOSTCC - #include "mkimage.h" - #include -@@ -1550,49 +1552,41 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp) - return (comp == image_comp); - } - --/** -- * fit_check_format - sanity check FIT image format -- * @fit: pointer to the FIT format image header -- * -- * fit_check_format() runs a basic sanity FIT image verification. -- * Routine checks for mandatory properties, nodes, etc. -- * -- * returns: -- * 1, on success -- * 0, on failure -- */ --int fit_check_format(const void *fit) -+int fit_check_format(const void *fit, ulong size) - { -+ int ret; -+ - /* A FIT image must be a valid FDT */ -- if (fdt_check_header(fit)) { -- debug("Wrong FIT format: not a flattened device tree\n"); -- return 0; -+ ret = fdt_check_header(fit); -+ if (ret) { -+ log_debug("Wrong FIT format: not a flattened device tree (err=%d)\n", -+ ret); -+ return -ENOEXEC; - } - - /* mandatory / node 'description' property */ -- if (fdt_getprop(fit, 0, FIT_DESC_PROP, NULL) == NULL) { -- debug("Wrong FIT format: no description\n"); -- return 0; -+ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) { -+ log_debug("Wrong FIT format: no description\n"); -+ return -ENOMSG; - } - - if (IMAGE_ENABLE_TIMESTAMP) { - /* mandatory / node 'timestamp' property */ -- if (fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL) == NULL) { -- debug("Wrong FIT format: no timestamp\n"); -- return 0; -+ if (!fdt_getprop(fit, 0, FIT_TIMESTAMP_PROP, NULL)) { -+ log_debug("Wrong FIT format: no timestamp\n"); -+ return -ENODATA; - } - } - - /* mandatory subimages parent '/images' node */ - if (fdt_path_offset(fit, FIT_IMAGES_PATH) < 0) { -- debug("Wrong FIT format: no images parent node\n"); -- return 0; -+ log_debug("Wrong FIT format: no images parent node\n"); -+ return -ENOENT; - } - -- return 1; -+ return 0; - } - -- - /** - * fit_conf_find_compat - * @fit: pointer to the FIT format image header -@@ -1929,7 +1923,7 @@ int fit_image_load(bootm_headers_t *images, ulong addr, - printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr); - - bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT); -- if (!fit_check_format(fit)) { -+ if (fit_check_format(fit, IMAGE_SIZE_INVAL)) { - printf("Bad FIT %s image format!\n", prop_name); - bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT); - return -ENOEXEC; -diff --git a/common/splash_source.c b/common/splash_source.c -index f51ca5ddf3..bad9a7790a 100644 ---- a/common/splash_source.c -+++ b/common/splash_source.c -@@ -336,10 +336,10 @@ static int splash_load_fit(struct splash_location *location, u32 bmp_load_addr) - if (res < 0) - return res; - -- res = fit_check_format(fit_header); -- if (!res) { -+ res = fit_check_format(fit_header, IMAGE_SIZE_INVAL); -+ if (res) { - debug("Could not find valid FIT image\n"); -- return -EINVAL; -+ return res; - } - - /* Get the splash image node */ -diff --git a/common/update.c b/common/update.c -index a5879cb52c..f0848954e5 100644 ---- a/common/update.c -+++ b/common/update.c -@@ -286,7 +286,7 @@ int update_tftp(ulong addr, char *interface, char *devstring) - got_update_file: - fit = map_sysmem(addr, 0); - -- if (!fit_check_format((void *)fit)) { -+ if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) { - printf("Bad FIT format of the update file, aborting " - "auto-update\n"); - return 1; -@@ -363,7 +363,7 @@ int fit_update(const void *fit) - if (!fit) - return -EINVAL; - -- if (!fit_check_format((void *)fit)) { -+ if (fit_check_format((void *)fit, IMAGE_SIZE_INVAL)) { - printf("Bad FIT format of the update file, aborting auto-update\n"); - return -EINVAL; - } -diff --git a/drivers/fpga/socfpga_arria10.c b/drivers/fpga/socfpga_arria10.c -index 44e1ac54c3..18f99676d2 100644 ---- a/drivers/fpga/socfpga_arria10.c -+++ b/drivers/fpga/socfpga_arria10.c -@@ -565,10 +565,10 @@ static int first_loading_rbf_to_buffer(struct udevice *dev, - if (ret < 0) - return ret; - -- ret = fit_check_format(buffer_p); -- if (!ret) { -+ ret = fit_check_format(buffer_p, IMAGE_SIZE_INVAL); -+ if (ret) { - debug("FPGA: No valid FIT image was found.\n"); -- return -EBADF; -+ return ret; - } - - confs_noffset = fdt_path_offset(buffer_p, FIT_CONFS_PATH); -diff --git a/drivers/net/fsl-mc/mc.c b/drivers/net/fsl-mc/mc.c -index 84db6be624..81265ee356 100644 ---- a/drivers/net/fsl-mc/mc.c -+++ b/drivers/net/fsl-mc/mc.c -@@ -141,7 +141,7 @@ int parse_mc_firmware_fit_image(u64 mc_fw_addr, - return -EINVAL; - } - -- if (!fit_check_format(fit_hdr)) { -+ if (fit_check_format(fit_hdr, IMAGE_SIZE_INVAL)) { - printf("fsl-mc: ERR: Bad firmware image (bad FIT header)\n"); - return -EINVAL; - } -diff --git a/drivers/net/pfe_eth/pfe_firmware.c b/drivers/net/pfe_eth/pfe_firmware.c -index 41999e176d..eee70a2e73 100644 ---- a/drivers/net/pfe_eth/pfe_firmware.c -+++ b/drivers/net/pfe_eth/pfe_firmware.c -@@ -160,7 +160,7 @@ static int pfe_fit_check(void) - return ret; - } - -- if (!fit_check_format(pfe_fit_addr)) { -+ if (fit_check_format(pfe_fit_addr, IMAGE_SIZE_INVAL)) { - printf("PFE Firmware: Bad firmware image (bad FIT header)\n"); - ret = -1; - return ret; -diff --git a/include/image.h b/include/image.h -index 41473dbb9c..8c152c5c5f 100644 ---- a/include/image.h -+++ b/include/image.h -@@ -134,6 +134,9 @@ extern ulong image_load_addr; /* Default Load Address */ - extern ulong image_save_addr; /* Default Save Address */ - extern ulong image_save_size; /* Default Save Size */ - -+/* An invalid size, meaning that the image size is not known */ -+#define IMAGE_SIZE_INVAL (-1UL) -+ - enum ih_category { - IH_ARCH, - IH_COMP, -@@ -1141,7 +1144,23 @@ int fit_image_check_os(const void *fit, int noffset, uint8_t os); - int fit_image_check_arch(const void *fit, int noffset, uint8_t arch); - int fit_image_check_type(const void *fit, int noffset, uint8_t type); - int fit_image_check_comp(const void *fit, int noffset, uint8_t comp); --int fit_check_format(const void *fit); -+ -+/** -+ * fit_check_format() - Check that the FIT is valid -+ * -+ * This performs various checks on the FIT to make sure it is suitable for -+ * use, looking for mandatory properties, nodes, etc. -+ * -+ * If FIT_FULL_CHECK is enabled, it also runs it through libfdt to make -+ * sure that there are no strange tags or broken nodes in the FIT. -+ * -+ * @fit: pointer to the FIT format image header -+ * @return 0 if OK, -ENOEXEC if not an FDT file, -EINVAL if the full FDT check -+ * failed (e.g. due to bad structure), -ENOMSG if the description is -+ * missing, -ENODATA if the timestamp is missing, -ENOENT if the /images -+ * path is missing -+ */ -+int fit_check_format(const void *fit, ulong size); - - int fit_conf_find_compat(const void *fit, const void *fdt); - -diff --git a/tools/fit_common.c b/tools/fit_common.c -index cdf987d3c1..52b63296f8 100644 ---- a/tools/fit_common.c -+++ b/tools/fit_common.c -@@ -26,7 +26,8 @@ - int fit_verify_header(unsigned char *ptr, int image_size, - struct image_tool_params *params) - { -- if (fdt_check_header(ptr) != EXIT_SUCCESS || !fit_check_format(ptr)) -+ if (fdt_check_header(ptr) != EXIT_SUCCESS || -+ fit_check_format(ptr, IMAGE_SIZE_INVAL)) - return EXIT_FAILURE; - - return EXIT_SUCCESS; -diff --git a/tools/fit_image.c b/tools/fit_image.c -index 06faeda7c2..d440d143c6 100644 ---- a/tools/fit_image.c -+++ b/tools/fit_image.c -@@ -883,7 +883,7 @@ static int fit_extract_contents(void *ptr, struct image_tool_params *params) - /* Indent string is defined in header image.h */ - p = IMAGE_INDENT_STRING; - -- if (!fit_check_format(fit)) { -+ if (fit_check_format(fit, IMAGE_SIZE_INVAL)) { - printf("Bad FIT image format\n"); - return -1; - } -diff --git a/tools/mkimage.h b/tools/mkimage.h -index 5b096a545b..0d3148444c 100644 ---- a/tools/mkimage.h -+++ b/tools/mkimage.h -@@ -29,6 +29,8 @@ - #define debug(fmt,args...) - #endif /* MKIMAGE_DEBUG */ - -+#define log_debug(fmt, args...) debug(fmt, ##args) -+ - static inline void *map_sysmem(ulong paddr, unsigned long len) - { - return (void *)(uintptr_t)paddr; diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch deleted file mode 100644 index 86f7e8ce55..0000000000 --- a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-3.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001 -From: Simon Glass -Date: Mon, 15 Feb 2021 17:08:10 -0700 -Subject: [PATCH] image: Add an option to do a full check of the FIT - -Some strange modifications of the FIT can introduce security risks. Add an -option to check it thoroughly, using libfdt's fdt_check_full() function. - -Enable this by default if signature verification is enabled. - -CVE-2021-27097 - -Signed-off-by: Simon Glass -Reported-by: Bruce Monroe -Reported-by: Arie Haenel -Reported-by: Julien Lenoir - -CVE: CVE-2021-27097 -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01] -Signed-off-by: Scott Murray - ---- - common/Kconfig.boot | 20 ++++++++++++++++++++ - common/image-fit.c | 16 ++++++++++++++++ - 2 files changed, 36 insertions(+) - -diff --git a/common/Kconfig.boot b/common/Kconfig.boot -index 5eaabdfc27..7532e55edb 100644 ---- a/common/Kconfig.boot -+++ b/common/Kconfig.boot -@@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT - SHA512 checksum is a 512-bit (64-byte) hash value used to check that - the image contents have not been corrupted. - -+config FIT_FULL_CHECK -+ bool "Do a full check of the FIT before using it" -+ default y -+ help -+ Enable this do a full check of the FIT to make sure it is valid. This -+ helps to protect against carefully crafted FITs which take advantage -+ of bugs or omissions in the code. This includes a bad structure, -+ multiple root nodes and the like. -+ - config FIT_SIGNATURE - bool "Enable signature verification of FIT uImages" - depends on DM -@@ -70,6 +79,7 @@ config FIT_SIGNATURE - select RSA - select RSA_VERIFY - select IMAGE_SIGN_INFO -+ select FIT_FULL_CHECK - help - This option enables signature verification of FIT uImages, - using a hash signed and verified using RSA. If -@@ -159,6 +169,15 @@ config SPL_FIT_PRINT - help - Support printing the content of the fitImage in a verbose manner in SPL. - -+config SPL_FIT_FULL_CHECK -+ bool "Do a full check of the FIT before using it" -+ help -+ Enable this do a full check of the FIT to make sure it is valid. This -+ helps to protect against carefully crafted FITs which take advantage -+ of bugs or omissions in the code. This includes a bad structure, -+ multiple root nodes and the like. -+ -+ - config SPL_FIT_SIGNATURE - bool "Enable signature verification of FIT firmware within SPL" - depends on SPL_DM -@@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE - select SPL_RSA - select SPL_RSA_VERIFY - select SPL_IMAGE_SIGN_INFO -+ select SPL_FIT_FULL_CHECK - - config SPL_LOAD_FIT - bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" -diff --git a/common/image-fit.c b/common/image-fit.c -index f6c0428a96..bcf395f6a1 100644 ---- a/common/image-fit.c -+++ b/common/image-fit.c -@@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size) - return -ENOEXEC; - } - -+ if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) { -+ /* -+ * If we are not given the size, make do wtih calculating it. -+ * This is not as secure, so we should consider a flag to -+ * control this. -+ */ -+ if (size == IMAGE_SIZE_INVAL) -+ size = fdt_totalsize(fit); -+ ret = fdt_check_full(fit, size); -+ -+ if (ret) { -+ log_debug("FIT check error %d\n", ret); -+ return -EINVAL; -+ } -+ } -+ - /* mandatory / node 'description' property */ - if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) { - log_debug("Wrong FIT format: no description\n"); diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-4.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27097-4.patch deleted file mode 100644 index 060cac1cf6..0000000000 --- a/meta/recipes-bsp/u-boot/files/CVE-2021-27097-4.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 124c255731c76a2b09587378b2bcce561bcd3f2d Mon Sep 17 00:00:00 2001 -From: Simon Glass -Date: Mon, 15 Feb 2021 17:08:11 -0700 -Subject: [PATCH] libfdt: Check for multiple/invalid root nodes - -It is possible to construct a devicetree blob with multiple root nodes. -Update fdt_check_full() to check for this, along with a root node with an -invalid name. - -CVE-2021-27097 - -Signed-off-by: Simon Glass -Reported-by: Bruce Monroe -Reported-by: Arie Haenel -Reported-by: Julien Lenoir - -CVE: CVE-2021-27097 -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/124c255731c76a2b09587378b2bcce561bcd3f2d] -Signed-off-by: Scott Murray - ---- - scripts/dtc/libfdt/fdt_ro.c | 17 +++++++++++++++++ - test/py/tests/test_vboot.py | 3 ++- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/scripts/dtc/libfdt/fdt_ro.c b/scripts/dtc/libfdt/fdt_ro.c -index d984bab036..efe7efe921 100644 ---- a/scripts/dtc/libfdt/fdt_ro.c -+++ b/scripts/dtc/libfdt/fdt_ro.c -@@ -867,6 +867,7 @@ int fdt_check_full(const void *fdt, size_t bufsize) - unsigned depth = 0; - const void *prop; - const char *propname; -+ bool expect_end = false; - - if (bufsize < FDT_V1_SIZE) - return -FDT_ERR_TRUNCATED; -@@ -887,6 +888,10 @@ int fdt_check_full(const void *fdt, size_t bufsize) - if (nextoffset < 0) - return nextoffset; - -+ /* If we see two root nodes, something is wrong */ -+ if (expect_end && tag != FDT_END) -+ return -FDT_ERR_BADLAYOUT; -+ - switch (tag) { - case FDT_NOP: - break; -@@ -900,12 +905,24 @@ int fdt_check_full(const void *fdt, size_t bufsize) - depth++; - if (depth > INT_MAX) - return -FDT_ERR_BADSTRUCTURE; -+ -+ /* The root node must have an empty name */ -+ if (depth == 1) { -+ const char *name; -+ int len; -+ -+ name = fdt_get_name(fdt, offset, &len); -+ if (*name || len) -+ return -FDT_ERR_BADLAYOUT; -+ } - break; - - case FDT_END_NODE: - if (depth == 0) - return -FDT_ERR_BADSTRUCTURE; - depth--; -+ if (depth == 0) -+ expect_end = true; - break; - - case FDT_PROP: diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-1.patch deleted file mode 100644 index 562f8151bb..0000000000 --- a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-1.patch +++ /dev/null @@ -1,245 +0,0 @@ -From 79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4 Mon Sep 17 00:00:00 2001 -From: Simon Glass -Date: Mon, 15 Feb 2021 17:08:06 -0700 -Subject: [PATCH] fit: Don't allow verification of images with @ nodes - -When searching for a node called 'fred', any unit address appended to the -name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This -means that we cannot be sure that the node originally intended is the one -that is used. - -Disallow use of nodes with unit addresses. - -Update the forge test also, since it uses @ addresses. - -CVE-2021-27138 - -Signed-off-by: Simon Glass -Reported-by: Bruce Monroe -Reported-by: Arie Haenel -Reported-by: Julien Lenoir - -CVE: CVE-2021-27138 -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4] -Signed-off-by: Scott Murray - ---- - common/image-fit-sig.c | 22 ++++++++++++++++++++-- - common/image-fit.c | 20 +++++++++++++++----- - test/py/tests/test_fit.py | 24 ++++++++++++------------ - test/py/tests/vboot_forge.py | 12 ++++++------ - 4 files changed, 53 insertions(+), 25 deletions(-) - -diff --git a/common/image-fit-sig.c b/common/image-fit-sig.c -index 897e04c7a3..34ebb8edfe 100644 ---- a/common/image-fit-sig.c -+++ b/common/image-fit-sig.c -@@ -149,6 +149,14 @@ static int fit_image_verify_sig(const void *fit, int image_noffset, - fdt_for_each_subnode(noffset, fit, image_noffset) { - const char *name = fit_get_name(fit, noffset, NULL); - -+ /* -+ * We don't support this since libfdt considers names with the -+ * name root but different @ suffix to be equal -+ */ -+ if (strchr(name, '@')) { -+ err_msg = "Node name contains @"; -+ goto error; -+ } - if (!strncmp(name, FIT_SIG_NODENAME, - strlen(FIT_SIG_NODENAME))) { - ret = fit_image_check_sig(fit, noffset, data, -@@ -398,9 +406,10 @@ error: - return -EPERM; - } - --int fit_config_verify_required_sigs(const void *fit, int conf_noffset, -- const void *sig_blob) -+static int fit_config_verify_required_sigs(const void *fit, int conf_noffset, -+ const void *sig_blob) - { -+ const char *name = fit_get_name(fit, conf_noffset, NULL); - int noffset; - int sig_node; - int verified = 0; -@@ -408,6 +417,15 @@ int fit_config_verify_required_sigs(const void *fit, int conf_noffset, - bool reqd_policy_all = true; - const char *reqd_mode; - -+ /* -+ * We don't support this since libfdt considers names with the -+ * name root but different @ suffix to be equal -+ */ -+ if (strchr(name, '@')) { -+ printf("Configuration node '%s' contains '@'\n", name); -+ return -EPERM; -+ } -+ - /* Work out what we need to verify */ - sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME); - if (sig_node < 0) { -diff --git a/common/image-fit.c b/common/image-fit.c -index adc3e551de..c3dc814115 100644 ---- a/common/image-fit.c -+++ b/common/image-fit.c -@@ -1369,21 +1369,31 @@ error: - */ - int fit_image_verify(const void *fit, int image_noffset) - { -+ const char *name = fit_get_name(fit, image_noffset, NULL); - const void *data; - size_t size; -- int noffset = 0; - char *err_msg = ""; - -+ if (strchr(name, '@')) { -+ /* -+ * We don't support this since libfdt considers names with the -+ * name root but different @ suffix to be equal -+ */ -+ err_msg = "Node name contains @"; -+ goto err; -+ } - /* Get image data and data length */ - if (fit_image_get_data_and_size(fit, image_noffset, &data, &size)) { - err_msg = "Can't get image data/size"; -- printf("error!\n%s for '%s' hash node in '%s' image node\n", -- err_msg, fit_get_name(fit, noffset, NULL), -- fit_get_name(fit, image_noffset, NULL)); -- return 0; -+ goto err; - } - - return fit_image_verify_with_data(fit, image_noffset, data, size); -+ -+err: -+ printf("error!\n%s in '%s' image node\n", err_msg, -+ fit_get_name(fit, image_noffset, NULL)); -+ return 0; - } - - /** -diff --git a/test/py/tests/test_fit.py b/test/py/tests/test_fit.py -index 84b3f95850..6d5b43c3ba 100755 ---- a/test/py/tests/test_fit.py -+++ b/test/py/tests/test_fit.py -@@ -17,7 +17,7 @@ base_its = ''' - #address-cells = <1>; - - images { -- kernel@1 { -+ kernel-1 { - data = /incbin/("%(kernel)s"); - type = "kernel"; - arch = "sandbox"; -@@ -26,7 +26,7 @@ base_its = ''' - load = <0x40000>; - entry = <0x8>; - }; -- kernel@2 { -+ kernel-2 { - data = /incbin/("%(loadables1)s"); - type = "kernel"; - arch = "sandbox"; -@@ -35,19 +35,19 @@ base_its = ''' - %(loadables1_load)s - entry = <0x0>; - }; -- fdt@1 { -+ fdt-1 { - description = "snow"; - data = /incbin/("%(fdt)s"); - type = "flat_dt"; - arch = "sandbox"; - %(fdt_load)s - compression = "%(compression)s"; -- signature@1 { -+ signature-1 { - algo = "sha1,rsa2048"; - key-name-hint = "dev"; - }; - }; -- ramdisk@1 { -+ ramdisk-1 { - description = "snow"; - data = /incbin/("%(ramdisk)s"); - type = "ramdisk"; -@@ -56,7 +56,7 @@ base_its = ''' - %(ramdisk_load)s - compression = "%(compression)s"; - }; -- ramdisk@2 { -+ ramdisk-2 { - description = "snow"; - data = /incbin/("%(loadables2)s"); - type = "ramdisk"; -@@ -67,10 +67,10 @@ base_its = ''' - }; - }; - configurations { -- default = "conf@1"; -- conf@1 { -- kernel = "kernel@1"; -- fdt = "fdt@1"; -+ default = "conf-1"; -+ conf-1 { -+ kernel = "kernel-1"; -+ fdt = "fdt-1"; - %(ramdisk_config)s - %(loadables_config)s - }; -@@ -410,7 +410,7 @@ def test_fit(u_boot_console): - - # Try a ramdisk - with cons.log.section('Kernel + FDT + Ramdisk load'): -- params['ramdisk_config'] = 'ramdisk = "ramdisk@1";' -+ params['ramdisk_config'] = 'ramdisk = "ramdisk-1";' - params['ramdisk_load'] = 'load = <%#x>;' % params['ramdisk_addr'] - fit = make_fit(mkimage, params) - cons.restart_uboot() -@@ -419,7 +419,7 @@ def test_fit(u_boot_console): - - # Configuration with some Loadables - with cons.log.section('Kernel + FDT + Ramdisk load + Loadables'): -- params['loadables_config'] = 'loadables = "kernel@2", "ramdisk@2";' -+ params['loadables_config'] = 'loadables = "kernel-2", "ramdisk-2";' - params['loadables1_load'] = ('load = <%#x>;' % - params['loadables1_addr']) - params['loadables2_load'] = ('load = <%#x>;' % -diff --git a/test/py/tests/vboot_forge.py b/test/py/tests/vboot_forge.py -index 0fb7ef4024..b41105bd0e 100644 ---- a/test/py/tests/vboot_forge.py -+++ b/test/py/tests/vboot_forge.py -@@ -376,12 +376,12 @@ def manipulate(root, strblock): - """ - Maliciously manipulates the structure to create a crafted FIT file - """ -- # locate /images/kernel@1 (frankly, it just expects it to be the first one) -+ # locate /images/kernel-1 (frankly, it just expects it to be the first one) - kernel_node = root[0][0] - # clone it to save time filling all the properties - fake_kernel = kernel_node.clone() - # rename the node -- fake_kernel.name = b'kernel@2' -+ fake_kernel.name = b'kernel-2' - # get rid of signatures/hashes - fake_kernel.children = [] - # NOTE: this simply replaces the first prop... either description or data -@@ -391,13 +391,13 @@ def manipulate(root, strblock): - root[0].children.append(fake_kernel) - - # modify the default configuration -- root[1].props[0].value = b'conf@2\x00' -+ root[1].props[0].value = b'conf-2\x00' - # clone the first (only?) configuration - fake_conf = root[1][0].clone() - # rename and change kernel and fdt properties to select the crafted kernel -- fake_conf.name = b'conf@2' -- fake_conf.props[0].value = b'kernel@2\x00' -- fake_conf.props[1].value = b'fdt@1\x00' -+ fake_conf.name = b'conf-2' -+ fake_conf.props[0].value = b'kernel-2\x00' -+ fake_conf.props[1].value = b'fdt-1\x00' - # insert the new configuration under /configurations - root[1].children.append(fake_conf) - diff --git a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch deleted file mode 100644 index 946196c378..0000000000 --- a/meta/recipes-bsp/u-boot/files/CVE-2021-27138-2.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 3f04db891a353f4b127ed57279279f851c6b4917 Mon Sep 17 00:00:00 2001 -From: Simon Glass -Date: Mon, 15 Feb 2021 17:08:12 -0700 -Subject: [PATCH] image: Check for unit addresses in FITs - -Using unit addresses in a FIT is a security risk. Add a check for this -and disallow it. - -CVE-2021-27138 - -Signed-off-by: Simon Glass -Reported-by: Bruce Monroe -Reported-by: Arie Haenel -Reported-by: Julien Lenoir - -CVE: CVE-2021-27138 -Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917] -Signed-off-by: Scott Murray - ---- - common/image-fit.c | 56 +++++++++++++++++++++++++++++++++++++++++---- - test/py/tests/test_vboot.py | 9 ++++---- - 2 files changed, 57 insertions(+), 8 deletions(-) - -diff --git a/common/image-fit.c b/common/image-fit.c -index bcf395f6a1..28b3d2b191 100644 ---- a/common/image-fit.c -+++ b/common/image-fit.c -@@ -1568,6 +1568,34 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp) - return (comp == image_comp); - } - -+/** -+ * fdt_check_no_at() - Check for nodes whose names contain '@' -+ * -+ * This checks the parent node and all subnodes recursively -+ * -+ * @fit: FIT to check -+ * @parent: Parent node to check -+ * @return 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@' -+ */ -+static int fdt_check_no_at(const void *fit, int parent) -+{ -+ const char *name; -+ int node; -+ int ret; -+ -+ name = fdt_get_name(fit, parent, NULL); -+ if (!name || strchr(name, '@')) -+ return -EADDRNOTAVAIL; -+ -+ fdt_for_each_subnode(node, fit, parent) { -+ ret = fdt_check_no_at(fit, node); -+ if (ret) -+ return ret; -+ } -+ -+ return 0; -+} -+ - int fit_check_format(const void *fit, ulong size) - { - int ret; -@@ -1589,10 +1617,27 @@ int fit_check_format(const void *fit, ulong size) - if (size == IMAGE_SIZE_INVAL) - size = fdt_totalsize(fit); - ret = fdt_check_full(fit, size); -+ if (ret) -+ ret = -EINVAL; -+ -+ /* -+ * U-Boot stopped using unit addressed in 2017. Since libfdt -+ * can match nodes ignoring any unit address, signature -+ * verification can see the wrong node if one is inserted with -+ * the same name as a valid node but with a unit address -+ * attached. Protect against this by disallowing unit addresses. -+ */ -+ if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) { -+ ret = fdt_check_no_at(fit, 0); - -+ if (ret) { -+ log_debug("FIT check error %d\n", ret); -+ return ret; -+ } -+ } - if (ret) { - log_debug("FIT check error %d\n", ret); -- return -EINVAL; -+ return ret; - } - } - -@@ -1955,10 +2000,13 @@ int fit_image_load(bootm_headers_t *images, ulong addr, - printf("## Loading %s from FIT Image at %08lx ...\n", prop_name, addr); - - bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT); -- if (fit_check_format(fit, IMAGE_SIZE_INVAL)) { -- printf("Bad FIT %s image format!\n", prop_name); -+ ret = fit_check_format(fit, IMAGE_SIZE_INVAL); -+ if (ret) { -+ printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret); -+ if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && ret == -EADDRNOTAVAIL) -+ printf("Signature checking prevents use of unit addresses (@) in nodes\n"); - bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT); -- return -ENOEXEC; -+ return ret; - } - bootstage_mark(bootstage_id + BOOTSTAGE_SUB_FORMAT_OK); - if (fit_uname) { diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc index 993478a73b..dbbb9ff145 100644 --- a/meta/recipes-bsp/u-boot/u-boot-common.inc +++ b/meta/recipes-bsp/u-boot/u-boot-common.inc @@ -12,16 +12,9 @@ PE = "1" # We use the revision in order to avoid having to fetch it from the # repo during parse -SRCREV = "c4fddedc48f336eabc4ce3f74940e6aa372de18c" +SRCREV = "b46dd116ce03e235f2a7d4843c6278e1da44b5e1" SRC_URI = "git://git.denx.de/u-boot.git \ - file://0001-add-valid-fdt-check.patch \ - file://CVE-2021-27097-1.patch \ - file://CVE-2021-27097-2.patch \ - file://CVE-2021-27097-3.patch \ - file://CVE-2021-27097-4.patch \ - file://CVE-2021-27138-1.patch \ - file://CVE-2021-27138-2.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2021.01.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2021.04.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot-tools_2021.01.bb rename to meta/recipes-bsp/u-boot/u-boot-tools_2021.04.bb diff --git a/meta/recipes-bsp/u-boot/u-boot_2021.01.bb b/meta/recipes-bsp/u-boot/u-boot_2021.04.bb similarity index 100% rename from meta/recipes-bsp/u-boot/u-boot_2021.01.bb rename to meta/recipes-bsp/u-boot/u-boot_2021.04.bb From 226e55c802e7e9455134a92f9e231267b6cf4d9b Mon Sep 17 00:00:00 2001 From: Steve Sakoman Date: Thu, 6 May 2021 07:12:32 -1000 Subject: [PATCH 08/29] cve-extra-exclusions.inc: add exclusion list for intractable CVE's The preferred methods for CVE resolution are: 1. Version upgrades where possible 2. Patches where not possible 3. Database updates where version info is incorrect 4. Exclusion from checking where it is determined that the CVE does not apply to our environment In some cases none of these methods are possible. For example the CVE may be decades old with no apparent resolution, and with broken links that make further research impractical. This patch creates a mechanism for users to remove this type of CVE from the cve-check results via an optional include file. (From OE-Core rev: 5ce709b5d7db4dcbd1001272c5d652d9189812e5) Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- .../distro/include/cve-extra-exclusions.inc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 meta/conf/distro/include/cve-extra-exclusions.inc diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc new file mode 100644 index 0000000000..956b3a9a3c --- /dev/null +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -0,0 +1,18 @@ +# This file contains a list of CVE's where resolution has proven to be impractical. +# It contains all the information we are aware of about an issue and analysis about +# why we believe it can't be fixed/handled. Additional information is welcome through +# patches to the file. +# +# Include this file in your local.conf or distro.conf to exclude these CVE's +# from the cve-check results + +# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 +# CVE is more than 20 years old with no resolution evident +# broken links in CVE database references make resolution impractical +CVE_CHECK_WHITELIST += "CVE-2000-0006" + +# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 +# CVE is more than 20 years old with no resolution evident +# broken links in CVE database references make resolution impractical +CVE_CHECK_WHITELIST += "CVE-2000-0803" + From 45930910dbaeba3dc88ffb1c9dde8829354e48ec Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Mon, 10 May 2021 11:30:17 +0100 Subject: [PATCH 09/29] cve-extra-exclusions: Update/add CVE-2000-0803, CVE-2005-0238, CVE-2019-14865 Update a CVE status with the data sent upstream to the database, document another as unifxable by us and add the status of another sent upstream for a database entry change. cve-extra-exclusions.inc: Document status of ongoing qemu CVE This CVE is being thought about but there is no correct patch available at this time. cve-extra-exclusions.inc: Document a qemu CVE and exclude a glibc CVE A qemu CVE has a pending CPE change, add a note. Exclude a glibc CVE entry since it is for a specific corner case in ftp servers which are unlikely to apply for us and upstream have no plans to change it. (From OE-Core rev: e614c5d6aa8692fd4df3cb5b640a9d21c05022be) Signed-off-by: Richard Purdie --- .../distro/include/cve-extra-exclusions.inc | 91 ++++++++++++++++++- 1 file changed, 88 insertions(+), 3 deletions(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 956b3a9a3c..b6daa263ec 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -11,8 +11,93 @@ # broken links in CVE database references make resolution impractical CVE_CHECK_WHITELIST += "CVE-2000-0006" +# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 +# The issue here is spoofing of domain names using characters from other character sets. +# There has been much discussion amongst the epiphany and webkit developers and +# whilst there are improvements about how domains are handled and displayed to the user +# there is unlikely ever to be a single fix to webkit or epiphany which addresses this +# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further +# we can seem to take. +CVE_CHECK_WHITELIST += "CVE-2005-0238" + +# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 +# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server +# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 +# Upstream don't see it as a security issue, ftp servers shouldn't be passing +# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar +CVE_CHECK_WHITELIST += "CVE-2010-4756" + +# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 +# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 +# The encoding/xml package in go can potentially be used for security exploits if not used correctly +# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything +# exposing this interface in an exploitable way +CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511" + + + +#### Upstream still working on #### + +# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255 +# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html +# however qemu maintainers are sure the patch is incorrect and should not be applied. + +# flex:flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293 +# Upstream bug, still open: https://github.com/westes/flex/issues/414 +# Causes memory exhaustion so potential DoS but no buffer overflow, low priority + +# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879 +# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html +# No response upstream as of 2021/5/12 + +# bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25215 +# Fix not in upstream release yet as of 2021/5/12 + + + + +#### CPE update pending #### + # groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 -# CVE is more than 20 years old with no resolution evident -# broken links in CVE database references make resolution impractical -CVE_CHECK_WHITELIST += "CVE-2000-0803" +# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7 +# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10. +#CVE_CHECK_WHITELIST += "CVE-2000-0803" + +# grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865 +# Looks like grub-set-bootflag is patched in by Fedora/RHEL: +# https://src.fedoraproject.org/rpms/grub2/blob/498ea7003b4dd8079fc075fad7e19e0b190d0f97/f/0133-Add-grub-set-bootflag-utility.patch +# Does not exist in upstream grub2: +# https://git.savannah.gnu.org/cgit/grub.git/tree/util +# Reported to the database for update by RP 2021/5/9 Update accepted 2021/5/12 +#CVE_CHECK_WHITELIST += "CVE-2019-14865" + +#qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4539 +# Fixed in https://git.qemu.org/?p=qemu.git;a=commit;h=65d35a09979e63541afc5bfc595b9f1b1b4ae069 +# which was in 0.10.0. Reported to the database for update by RP 2021/5/10 +#CVE_CHECK_WHITELIST += "CVE-2008-4539" Update accepted 2021/5/11 + +# coreutils:coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0221 +# coreutils:coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0222 +# coreutils:coreutils-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0223 +# Patch with issues is SUSE/RHEL specific. RP has suggested a CPE update to the database 2021/5/10 Update accepted 2021/5/11 +#CVE_CHECK_WHITELIST += "CVE-2013-0221 CVE-2013-0222 CVE-2013-0223" + +# libgit2 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9390 +# Only applies to libgit2 versions up to 0.12.2. RP requested CPE entry update. Update accepted 2021/5/12 +#CVE_CHECK_WHITELIST += "CVE-2014-9390" + +# bind https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3139 +# https://bugzilla.redhat.com/show_bug.cgi?id=1447743 +# "This issue did not affect any upstream versions of BIND." +# RP sent CPE entry change request as RHEL only Update accepted 2021/5/12 +#CVE_CHECK_WHITELIST += "CVE-2017-3139" + +# libexif https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6328 +# Ross sent CPE change upstream to database +#CVE_CHECK_WHITELIST += "CVE-2016-6328" + + + + + From 81051afc029182583f71d22132ee673100eb34a8 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Tue, 11 May 2021 12:52:44 +0100 Subject: [PATCH 10/29] tar: Exclude CVE-2007-4476 from cve-check CPE lists only SUSE for all versions of tar. https://bugzilla.redhat.com/show_bug.cgi?id=280961 shows issue affects paxutils included in tar or cpio http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4 was the fix which included in tar 1.19 and later. (From OE-Core rev: 1cef51a0c321695399564714d8a153bfa1fc0bc9) Signed-off-by: Richard Purdie --- meta/recipes-extended/tar/tar_1.34.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb index af04919c41..8dd0af2566 100644 --- a/meta/recipes-extended/tar/tar_1.34.bb +++ b/meta/recipes-extended/tar/tar_1.34.bb @@ -10,6 +10,11 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2" SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff" +# https://bugzilla.redhat.com/show_bug.cgi?id=280961 - issue affects paxutils included in tar +# http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4 was the fix +# included in tar 1.19 and later +CVE_CHECK_WHITELIST += "CVE-2007-4476" + inherit autotools gettext texinfo PACKAGECONFIG ??= "" From 03b4465569cf147e0dab4d3a22039cb4f06f2320 Mon Sep 17 00:00:00 2001 From: wangmy Date: Fri, 14 May 2021 07:44:58 +0800 Subject: [PATCH 11/29] python3-attrs: upgrade 20.3.0 -> 21.2.0 (From OE-Core rev: f3b5c0e21a2666131738af5c9ffcfed040cffad0) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- .../{python3-attrs_20.3.0.bb => python3-attrs_21.2.0.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3-attrs_20.3.0.bb => python3-attrs_21.2.0.bb} (74%) diff --git a/meta/recipes-devtools/python/python3-attrs_20.3.0.bb b/meta/recipes-devtools/python/python3-attrs_21.2.0.bb similarity index 74% rename from meta/recipes-devtools/python/python3-attrs_20.3.0.bb rename to meta/recipes-devtools/python/python3-attrs_21.2.0.bb index 55cfda7180..f8ae2d2b98 100644 --- a/meta/recipes-devtools/python/python3-attrs_20.3.0.bb +++ b/meta/recipes-devtools/python/python3-attrs_21.2.0.bb @@ -3,8 +3,8 @@ HOMEPAGE = "http://www.attrs.org/" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=d4ab25949a73fe7d4fdee93bcbdbf8ff" -SRC_URI[sha256sum] = "832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700" -SRC_URI[md5sum] = "4fe38f89297b2b446d83190fce189f29" +SRC_URI[sha256sum] = "ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" +SRC_URI[md5sum] = "06af884070d9180694becdb106e5cd65" inherit pypi setuptools3 From 6d79ccb5da140620f1737dcab32d1c78eb24487b Mon Sep 17 00:00:00 2001 From: wangmy Date: Fri, 14 May 2021 07:44:59 +0800 Subject: [PATCH 12/29] python3-six: upgrade 1.15.0 -> 1.16.0 (From OE-Core rev: 3e84b3d978def1c99358dfe742570ee434ef5638) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- meta/recipes-devtools/python/python3-six_1.15.0.bb | 5 ----- meta/recipes-devtools/python/python3-six_1.16.0.bb | 5 +++++ 2 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 meta/recipes-devtools/python/python3-six_1.15.0.bb create mode 100644 meta/recipes-devtools/python/python3-six_1.16.0.bb diff --git a/meta/recipes-devtools/python/python3-six_1.15.0.bb b/meta/recipes-devtools/python/python3-six_1.15.0.bb deleted file mode 100644 index 6c6f3f9629..0000000000 --- a/meta/recipes-devtools/python/python3-six_1.15.0.bb +++ /dev/null @@ -1,5 +0,0 @@ -inherit setuptools3 -require python-six.inc - -SRC_URI[md5sum] = "9f90a0eaa0ea7747fda01ca79d21ebcb" -SRC_URI[sha256sum] = "30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259" diff --git a/meta/recipes-devtools/python/python3-six_1.16.0.bb b/meta/recipes-devtools/python/python3-six_1.16.0.bb new file mode 100644 index 0000000000..ce5b10c42e --- /dev/null +++ b/meta/recipes-devtools/python/python3-six_1.16.0.bb @@ -0,0 +1,5 @@ +inherit setuptools3 +require python-six.inc + +SRC_URI[md5sum] = "a7c927740e4964dd29b72cebfc1429bb" +SRC_URI[sha256sum] = "1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926" From 13e1e3d5a5f563321e49fa6762b2357d30b568f3 Mon Sep 17 00:00:00 2001 From: wangmy Date: Fri, 14 May 2021 09:28:37 +0800 Subject: [PATCH 13/29] vulkan-samples: update to latest revision (From OE-Core rev: 9fc8adbd8bb07875033ff66e18407560a69a4c23) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- meta/recipes-graphics/vulkan/vulkan-samples_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/vulkan/vulkan-samples_git.bb b/meta/recipes-graphics/vulkan/vulkan-samples_git.bb index 32502a1f7a..e89f75baac 100644 --- a/meta/recipes-graphics/vulkan/vulkan-samples_git.bb +++ b/meta/recipes-graphics/vulkan/vulkan-samples_git.bb @@ -11,7 +11,7 @@ SRC_URI = "gitsm://github.com/KhronosGroup/Vulkan-Samples.git \ " UPSTREAM_CHECK_COMMITS = "1" -SRCREV = "a2c02a074ba3f71ea89a53fb2e2d189c87cc4af8" +SRCREV = "5646820bdd46365183adc2b326556c5bf7d8db76" UPSTREAM_CHECK_GITTAGREGEX = "These are not the releases you're looking for" S = "${WORKDIR}/git" From 0f8cc1bf9e313f5083bac81a411643262228fb70 Mon Sep 17 00:00:00 2001 From: wangmy Date: Fri, 14 May 2021 09:28:38 +0800 Subject: [PATCH 14/29] vulkan-headers: upgrade 1.2.170.0 -> 1.2.176.0 (From OE-Core rev: 4064de595d5acbdf0fd8d2a92cdde093ba28bdd8) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- ...{vulkan-headers_1.2.170.0.bb => vulkan-headers_1.2.176.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-graphics/vulkan/{vulkan-headers_1.2.170.0.bb => vulkan-headers_1.2.176.0.bb} (93%) diff --git a/meta/recipes-graphics/vulkan/vulkan-headers_1.2.170.0.bb b/meta/recipes-graphics/vulkan/vulkan-headers_1.2.176.0.bb similarity index 93% rename from meta/recipes-graphics/vulkan/vulkan-headers_1.2.170.0.bb rename to meta/recipes-graphics/vulkan/vulkan-headers_1.2.176.0.bb index 4c9c94f3d2..cff654a06c 100644 --- a/meta/recipes-graphics/vulkan/vulkan-headers_1.2.170.0.bb +++ b/meta/recipes-graphics/vulkan/vulkan-headers_1.2.176.0.bb @@ -11,7 +11,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" SRC_URI = "git://github.com/KhronosGroup/Vulkan-Headers.git;branch=master" -SRCREV = "1d99b835ec3cd5a7fb2f2a2dd9a615ee2d1f0101" +SRCREV = "074fa3055cfee530992bcbfa0fcb23106a82c1ab" S = "${WORKDIR}/git" From 60cda40924b8b7c1cbf9fee959161a6a83cc0994 Mon Sep 17 00:00:00 2001 From: wangmy Date: Fri, 14 May 2021 09:28:40 +0800 Subject: [PATCH 15/29] vulkan-tools: upgrade 1.2.170.0 -> 1.2.176.0 (From OE-Core rev: 8d9736e5512f544a7a85be23c3878a77f7144bb1) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- .../{vulkan-tools_1.2.170.0.bb => vulkan-tools_1.2.176.0.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-graphics/vulkan/{vulkan-tools_1.2.170.0.bb => vulkan-tools_1.2.176.0.bb} (94%) diff --git a/meta/recipes-graphics/vulkan/vulkan-tools_1.2.170.0.bb b/meta/recipes-graphics/vulkan/vulkan-tools_1.2.176.0.bb similarity index 94% rename from meta/recipes-graphics/vulkan/vulkan-tools_1.2.170.0.bb rename to meta/recipes-graphics/vulkan/vulkan-tools_1.2.176.0.bb index 0c8bcaa085..10fa0fdb3a 100644 --- a/meta/recipes-graphics/vulkan/vulkan-tools_1.2.170.0.bb +++ b/meta/recipes-graphics/vulkan/vulkan-tools_1.2.176.0.bb @@ -6,8 +6,8 @@ SECTION = "libs" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.2.170" -SRCREV = "88ea55de928a08ba5c5f65a93d1e7c8f666fc43f" +SRC_URI = "git://github.com/KhronosGroup/Vulkan-Tools.git;branch=sdk-1.2.176" +SRCREV = "eb3d67bd17ee433e2b0a8e56a7249bd83908812e" S = "${WORKDIR}/git" From c3346d2d8b738b984b39ba4c4cae3b652fb3d4b1 Mon Sep 17 00:00:00 2001 From: wangmy Date: Fri, 14 May 2021 09:28:39 +0800 Subject: [PATCH 16/29] vulkan-loader: upgrade 1.2.170.0 -> 1.2.176.0 (From OE-Core rev: c33b265591711e24fb1248cc432c0fd6556fa39e) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie --- .../{vulkan-loader_1.2.170.0.bb => vulkan-loader_1.2.176.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-graphics/vulkan/{vulkan-loader_1.2.170.0.bb => vulkan-loader_1.2.176.0.bb} (96%) diff --git a/meta/recipes-graphics/vulkan/vulkan-loader_1.2.170.0.bb b/meta/recipes-graphics/vulkan/vulkan-loader_1.2.176.0.bb similarity index 96% rename from meta/recipes-graphics/vulkan/vulkan-loader_1.2.170.0.bb rename to meta/recipes-graphics/vulkan/vulkan-loader_1.2.176.0.bb index 6b6ed06dbb..e241a2f156 100644 --- a/meta/recipes-graphics/vulkan/vulkan-loader_1.2.170.0.bb +++ b/meta/recipes-graphics/vulkan/vulkan-loader_1.2.176.0.bb @@ -11,7 +11,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=7dbefed23242760aa3475ee42801c5ac" SRC_URI = "git://github.com/KhronosGroup/Vulkan-Loader.git \ " -SRCREV = "c5678a03db383fd0dc5bfb8e9a383043bdbcb57b" +SRCREV = "eb6d6f95dff809d66e95b903105da6424e75862f" S = "${WORKDIR}/git" From 700bd81ddbb7a98a2382cd39a91a65fd56687d89 Mon Sep 17 00:00:00 2001 From: zhengruoqin Date: Fri, 14 May 2021 10:11:43 +0800 Subject: [PATCH 17/29] rng-tools: upgrade 6.11 -> 6.12 (From OE-Core rev: 16e242050efcb8a57c80456c1c00e6c578197b5d) Signed-off-by: Zheng Ruoqin Signed-off-by: Richard Purdie --- .../rng-tools/{rng-tools_6.11.bb => rng-tools_6.12.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-support/rng-tools/{rng-tools_6.11.bb => rng-tools_6.12.bb} (97%) diff --git a/meta/recipes-support/rng-tools/rng-tools_6.11.bb b/meta/recipes-support/rng-tools/rng-tools_6.12.bb similarity index 97% rename from meta/recipes-support/rng-tools/rng-tools_6.11.bb rename to meta/recipes-support/rng-tools/rng-tools_6.12.bb index 61a0cef2e0..9673700981 100644 --- a/meta/recipes-support/rng-tools/rng-tools_6.11.bb +++ b/meta/recipes-support/rng-tools/rng-tools_6.12.bb @@ -14,7 +14,7 @@ SRC_URI = "\ file://default \ file://rngd.service \ " -SRCREV = "2ea13473fd5bfea3c861dc0e23bd65e2afe8007b" +SRCREV = "a2cd12bc253a014328b87137559fd4e1ab296d9b" S = "${WORKDIR}/git" From c41fc2c910ce320c11a8a3e61b6383fce8761908 Mon Sep 17 00:00:00 2001 From: zhengruoqin Date: Fri, 14 May 2021 10:12:28 +0800 Subject: [PATCH 18/29] rpcbind: upgrade 1.2.5 -> 1.2.6 refresh rpcbind_add_option_to_fix_port_number.patch (From OE-Core rev: 95e7e42ec30f99f5d51d675bffa10f4ed323f847) Signed-off-by: Zheng Ruoqin Signed-off-by: Richard Purdie --- ...pcbind_add_option_to_fix_port_number.patch | 58 +++++++++---------- .../{rpcbind_1.2.5.bb => rpcbind_1.2.6.bb} | 4 +- 2 files changed, 31 insertions(+), 31 deletions(-) rename meta/recipes-extended/rpcbind/{rpcbind_1.2.5.bb => rpcbind_1.2.6.bb} (93%) diff --git a/meta/recipes-extended/rpcbind/rpcbind/rpcbind_add_option_to_fix_port_number.patch b/meta/recipes-extended/rpcbind/rpcbind/rpcbind_add_option_to_fix_port_number.patch index 434b6b1c4c..535f9ce20d 100644 --- a/meta/recipes-extended/rpcbind/rpcbind/rpcbind_add_option_to_fix_port_number.patch +++ b/meta/recipes-extended/rpcbind/rpcbind/rpcbind_add_option_to_fix_port_number.patch @@ -15,7 +15,7 @@ Signed-off-by: Yi Zhao 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/man/rpcbind.8 b/man/rpcbind.8 -index af6200f..2e6146b 100644 +index fbf0ace..66f7c08 100644 --- a/man/rpcbind.8 +++ b/man/rpcbind.8 @@ -11,7 +11,7 @@ @@ -27,17 +27,17 @@ index af6200f..2e6146b 100644 .Sh DESCRIPTION The .Nm -@@ -107,6 +107,8 @@ will automatically add +@@ -96,6 +96,8 @@ will automatically add and if IPv6 is enabled, .Li ::1 to the list. +.It Fl p +Bind for fixed UDP port number - .It Fl i - .Dq Insecure - mode. + If no + .Fl h + option is specified, diff --git a/src/rpcb_svc_com.c b/src/rpcb_svc_com.c -index 8aef9e5..c2632a4 100644 +index 1743dad..07a1c75 100644 --- a/src/rpcb_svc_com.c +++ b/src/rpcb_svc_com.c @@ -48,6 +48,7 @@ @@ -60,8 +60,8 @@ index 8aef9e5..c2632a4 100644 int fd; struct rmtcallfd_list *rmt; SVCXPRT *xprt; -+ struct __rpc_sockinfo si; -+ struct t_bind taddr; ++ struct __rpc_sockinfo si; ++ struct t_bind taddr; if ((fd = __rpc_nconf2fd(nconf)) == -1) { if (debugging) @@ -70,23 +70,23 @@ index 8aef9e5..c2632a4 100644 return (-1); } + -+ if (fixed_port) { -+ __rpc_fd2sockinfo(fd, &si); -+ memset(&taddr, 0, sizeof(taddr)); -+ taddr.addr.maxlen = taddr.addr.len = si.si_alen; -+ taddr.addr.buf = malloc(si.si_alen); -+ if (taddr.addr.buf == NULL) { -+ return -1; -+ } -+ *(unsigned short *)(&(taddr.addr.buf[0])) = si.si_af; -+ *(unsigned short *)(&(taddr.addr.buf[2])) = htons(fixed_port); -+ xprt = svc_tli_create(fd, nconf, &taddr, RPC_MAXDATASIZE, RPC_MAXDATASIZE); -+ } else ++ if (fixed_port) { ++ __rpc_fd2sockinfo(fd, &si); ++ memset(&taddr, 0, sizeof(taddr)); ++ taddr.addr.maxlen = taddr.addr.len = si.si_alen; ++ taddr.addr.buf = malloc(si.si_alen); ++ if (taddr.addr.buf == NULL) { ++ return -1; ++ } ++ *(unsigned short *)(&(taddr.addr.buf[0])) = si.si_af; ++ *(unsigned short *)(&(taddr.addr.buf[2])) = htons(fixed_port); ++ xprt = svc_tli_create(fd, nconf, &taddr, RPC_MAXDATASIZE, RPC_MAXDATASIZE); ++ } else xprt = svc_tli_create(fd, 0, (struct t_bind *) 0, 0, 0); if (xprt == NULL) { if (debugging) diff --git a/src/rpcbind.c b/src/rpcbind.c -index 137011b..dc3d2d6 100644 +index 25d8a90..36a95b9 100644 --- a/src/rpcbind.c +++ b/src/rpcbind.c @@ -111,6 +111,7 @@ int runasdaemon = 0; @@ -97,7 +97,7 @@ index 137011b..dc3d2d6 100644 char **hosts = NULL; int nhosts = 0; -@@ -869,7 +870,7 @@ parseargs(int argc, char *argv[]) +@@ -884,7 +885,7 @@ parseargs(int argc, char *argv[]) { int c; oldstyle_local = 1; @@ -106,25 +106,25 @@ index 137011b..dc3d2d6 100644 switch (c) { case 'a': doabort = 1; /* when debugging, do an abort on */ -@@ -887,6 +888,9 @@ parseargs(int argc, char *argv[]) +@@ -902,6 +903,9 @@ parseargs(int argc, char *argv[]) if (hosts[nhosts - 1] == NULL) errx(1, "Out of memory"); break; -+ case 'p': -+ fixed_port = atoi(optarg); -+ break; ++ case 'p': ++ fixed_port = atoi(optarg); ++ break; case 'i': insecure = 1; break; -@@ -905,7 +909,7 @@ parseargs(int argc, char *argv[]) +@@ -920,7 +924,7 @@ parseargs(int argc, char *argv[]) break; #endif default: /* error */ - fprintf(stderr, "usage: rpcbind [-adhilswf]\n"); -+ fprintf(stderr, "usage: rpcbind [-adhpilswf]\n"); ++ fprintf(stderr, "usage: rpcbind [-adhpilswf]\n"); exit (1); } } -- -1.9.1 +2.25.1 diff --git a/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb b/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb similarity index 93% rename from meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb rename to meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb index ec8f9e48b2..7784ef51e2 100644 --- a/meta/recipes-extended/rpcbind/rpcbind_1.2.5.bb +++ b/meta/recipes-extended/rpcbind/rpcbind_1.2.6.bb @@ -16,8 +16,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/rpcbind/rpcbind-${PV}.tar.bz2 \ file://rpcbind_add_option_to_fix_port_number.patch \ file://0001-systemd-use-EnvironmentFile.patch \ " -SRC_URI[md5sum] = "ed46f09b9c0fa2d49015f6431bc5ea7b" -SRC_URI[sha256sum] = "2ce360683963b35c19c43f0ee2c7f18aa5b81ef41c3fdbd15ffcb00b8bffda7a" +SRC_URI[md5sum] = "2d84ebbb7d6fb1fc3566d2d4b37f214b" +SRC_URI[sha256sum] = "5613746489cae5ae23a443bb85c05a11741a5f12c8f55d2bb5e83b9defeee8de" inherit autotools update-rc.d systemd pkgconfig update-alternatives From 1772a225b67258fc42f78e3c8c772c2d8314c77a Mon Sep 17 00:00:00 2001 From: zhengruoqin Date: Fri, 14 May 2021 10:12:43 +0800 Subject: [PATCH 19/29] sysklogd: upgrade 2.2.2 -> 2.2.3 (From OE-Core rev: 4018e9a35b5e1b33c23c1307e51768f67133e990) Signed-off-by: Zheng Ruoqin Signed-off-by: Richard Purdie --- .../sysklogd/{sysklogd_2.2.2.bb => sysklogd_2.2.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/sysklogd/{sysklogd_2.2.2.bb => sysklogd_2.2.3.bb} (96%) diff --git a/meta/recipes-extended/sysklogd/sysklogd_2.2.2.bb b/meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb similarity index 96% rename from meta/recipes-extended/sysklogd/sysklogd_2.2.2.bb rename to meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb index 5dfeca5326..be34ec7b38 100644 --- a/meta/recipes-extended/sysklogd/sysklogd_2.2.2.bb +++ b/meta/recipes-extended/sysklogd/sysklogd_2.2.3.bb @@ -14,7 +14,7 @@ SRC_URI = "git://github.com/troglobit/sysklogd.git;nobranch=1 \ file://sysklogd \ " -SRCREV = "f507ed8ff3f1e9d71bb6f85acbf5d14b2fa4e5f7" +SRCREV = "17b68ca89ab814bb623b615c4e7088d619ed8829" S = "${WORKDIR}/git" From 2da90478a55e9a17fb996f02333ab7cada720277 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Fri, 14 May 2021 18:06:56 +0100 Subject: [PATCH 20/29] sstate: Handle manifest 'corruption' issue Under certain build patterns, warnings about missing manifests can appear. These are real issues where the manifest was removed and shouldn't have been. Martin Jansa was able to find a reproducer of: MACHINE=qemux86 bitbake zlib-native echo 'PR = "r1"' >> meta/recipes-core/zlib/zlib_1.2.11.bb MACHINE=qemux86-64 bitbake zlib-native MACHINE=qemux86 bitbake zlib-native The code maintains a per machine list of stamps but a per PACAGE_ARCH list of stamp/manifest/workdir mappings. The latter is only appended to for speed with the assumption that once stamps are gone, the code wouldn't trigger. The code only ever appends to the mapping list (for speed/efficency under lock) meaning that multiple entries can result where the stamp/workdir differs due to version changes but the manifest remains the same. By switching MACHINE part way through the build, the older stamp is referenced and the manifest is incorrectly removed as it matches an now obsolete entry in the mapping file. There are two possible fixes, one is to rewrite the mapping file every time which means adding regexs, iterating and generally complicating that code. The second option is to only use the last mapping entry in the file for a given manifest and ignore any earlier ones. This patch implments the latter. Also drop the stale entries if we are rewriting it. (From OE-Core rev: ca7d878667abdece7d76a8e8f06b400fcaf6a000) Signed-off-by: Richard Purdie --- meta/classes/sstate.bbclass | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index b1c608dcb1..1a6e9962f9 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass @@ -319,6 +319,8 @@ def sstate_install(ss, d): if os.path.exists(i): with open(i, "r") as f: manifests = f.readlines() + # We append new entries, we don't remove older entries which may have the same + # manifest name but different versions from stamp/workdir. See below. if filedata not in manifests: with open(i, "a+") as f: f.write(filedata) @@ -1183,11 +1185,21 @@ python sstate_eventhandler_reachablestamps() { i = d.expand("${SSTATE_MANIFESTS}/index-" + a) if not os.path.exists(i): continue + manseen = set() + ignore = [] with open(i, "r") as f: lines = f.readlines() - for l in lines: + for l in reversed(lines): try: (stamp, manifest, workdir) = l.split() + # The index may have multiple entries for the same manifest as the code above only appends + # new entries and there may be an entry with matching manifest but differing version in stamp/workdir. + # The last entry in the list is the valid one, any earlier entries with matching manifests + # should be ignored. + if manifest in manseen: + ignore.append(l) + continue + manseen.add(manifest) if stamp not in stamps and stamp not in preservestamps and stamp in machineindex: toremove.append(l) if stamp not in seen: @@ -1218,6 +1230,8 @@ python sstate_eventhandler_reachablestamps() { with open(i, "w") as f: for l in lines: + if l in ignore: + continue f.write(l) machineindex |= set(stamps) with open(mi, "w") as f: From d641921192d9149a9cd96b912f2ad95c91423838 Mon Sep 17 00:00:00 2001 From: Mike Crowe Date: Fri, 14 May 2021 11:38:00 +0100 Subject: [PATCH 21/29] libnotify: Make gtk+3 dependency optional libnotify only requires gtk+3 for its tests. Let's disable them by default and only enable them if "tests" is in PACKAGECONFIG. If gtk+3 is not available then we need to declare the dependency on gdk-pixbuf explicitly. It looks like the tests genuinely do need some sort of desktop environment to run, so let's maintain the ANY_OF_DISTRO_FEATURES check added back in 3edf08b38b0af93cef0933b061349264dc86d54c. (From OE-Core rev: 2dda982e197b6c8a55b038ff5559ecac9a77d89e) Signed-off-by: Mike Crowe Cc: Khem Raj Cc: Alexander Kanavin Signed-off-by: Richard Purdie --- meta/recipes-gnome/libnotify/libnotify_0.7.9.bb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb b/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb index bbbd72193e..d2be715ce5 100644 --- a/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb +++ b/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb @@ -9,15 +9,18 @@ SECTION = "libs" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34" -DEPENDS = "dbus gtk+3 glib-2.0" +DEPENDS = "dbus glib-2.0 gdk-pixbuf" + +PACKAGECONFIG ?= "" +PACKAGECONFIG[tests] = "-Dtests=true,-Dtests=false,gtk+3" GNOMEBASEBUILDCLASS = "meson" GTKDOC_MESON_OPTION = "gtk_doc" GIR_MESON_ENABLE_FLAG = "enabled" GIR_MESON_DISABLE_FLAG = "disabled" inherit gnomebase gtk-doc features_check gobject-introspection -# depends on gtk+3 -ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" +# depends on gtk+3 if tests are enabled +ANY_OF_DISTRO_FEATURES = "${@bb.utils.contains('PACKAGECONFIG', 'tests', '${GTK3DISTROFEATURES}', '', d)}" SRC_URI[archive.md5sum] = "ccd9c53364174cc8d13e18a1988faa76" SRC_URI[archive.sha256sum] = "66c0517ed16df7af258e83208faaf5069727dfd66995c4bbc51c16954d674761" From 4beaa9cee590be77adca525d3bf46d3fb5c489fd Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Sat, 15 May 2021 15:57:03 +0100 Subject: [PATCH 22/29] qemu: 5.2.0 -> 6.0.0 (From OE-Core rev: 4c3095643cb70e67ff7f0a428c9bdea42b1ed808) Signed-off-by: Richard Purdie --- meta/conf/distro/include/tcmode-default.inc | 2 +- ...u-native_5.2.0.bb => qemu-native_6.0.0.bb} | 2 +- ...e_5.2.0.bb => qemu-system-native_6.0.0.bb} | 2 +- meta/recipes-devtools/qemu/qemu.inc | 35 +- .../qemu/0001-Add-enable-disable-udev.patch | 10 +- ...igure-fix-detection-of-gdbus-codegen.patch | 31 +- ...emu-Add-missing-wacom-HID-descriptor.patch | 6 +- ...mu-Do-not-include-file-if-not-exists.patch | 10 +- ...d-use-relative-path-to-refer-to-file.patch | 15 +- ...n-environment-space-to-boot-loader-q.patch | 12 +- .../qemu/0004-qemu-disable-Valgrind.patch | 8 +- ...-connect-socket-to-a-spawned-command.patch | 32 +- .../0007-apic-fixup-fallthrough-to-PIC.patch | 8 +- ...dd-pkg-config-handling-for-libgcrypt.patch | 12 +- .../qemu/qemu/CVE-2020-27821.patch | 143 --------- .../qemu/qemu/CVE-2020-29443.patch | 107 ------- .../qemu/qemu/CVE-2020-35517_1.patch | 153 --------- .../qemu/qemu/CVE-2020-35517_2.patch | 117 ------- .../qemu/qemu/CVE-2020-35517_3.patch | 303 ------------------ .../qemu/qemu/CVE-2021-20181.patch | 81 ----- .../qemu/qemu/CVE-2021-20203.patch | 73 ----- .../qemu/qemu/CVE-2021-20221.patch | 70 ---- .../qemu/qemu/CVE-2021-20257.patch | 55 ---- .../qemu/qemu/CVE-2021-20263.patch | 214 ------------- .../qemu/qemu/CVE-2021-3392.patch | 89 ----- .../qemu/qemu/CVE-2021-3409_1.patch | 56 ---- .../qemu/qemu/CVE-2021-3409_2.patch | 92 ------ .../qemu/qemu/CVE-2021-3409_3.patch | 109 ------- .../qemu/qemu/CVE-2021-3409_4.patch | 75 ----- .../qemu/qemu/CVE-2021-3409_5.patch | 56 ---- .../qemu/qemu/CVE-2021-3409_6.patch | 99 ------ .../qemu/qemu/CVE-2021-3416_1.patch | 177 ---------- .../qemu/qemu/CVE-2021-3416_10.patch | 44 --- .../qemu/qemu/CVE-2021-3416_2.patch | 42 --- .../qemu/qemu/CVE-2021-3416_3.patch | 43 --- .../qemu/qemu/CVE-2021-3416_4.patch | 43 --- .../qemu/qemu/CVE-2021-3416_5.patch | 45 --- .../qemu/qemu/CVE-2021-3416_6.patch | 43 --- .../qemu/qemu/CVE-2021-3416_7.patch | 45 --- .../qemu/qemu/CVE-2021-3416_8.patch | 44 --- .../qemu/qemu/CVE-2021-3416_9.patch | 46 --- meta/recipes-devtools/qemu/qemu/cross.patch | 12 +- .../qemu/qemu/determinism.patch | 29 +- .../recipes-devtools/qemu/qemu/mingwfix.patch | 21 -- meta/recipes-devtools/qemu/qemu/mmap.patch | 29 -- meta/recipes-devtools/qemu/qemu/mmap2.patch | 25 +- .../qemu/{qemu_5.2.0.bb => qemu_6.0.0.bb} | 4 +- 47 files changed, 99 insertions(+), 2670 deletions(-) rename meta/recipes-devtools/qemu/{qemu-native_5.2.0.bb => qemu-native_6.0.0.bb} (89%) rename meta/recipes-devtools/qemu/{qemu-system-native_5.2.0.bb => qemu-system-native_6.0.0.bb} (96%) delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/mingwfix.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/mmap.patch rename meta/recipes-devtools/qemu/{qemu_5.2.0.bb => qemu_6.0.0.bb} (93%) diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc index a0c35eed09..c6e5ac61d7 100644 --- a/meta/conf/distro/include/tcmode-default.inc +++ b/meta/conf/distro/include/tcmode-default.inc @@ -22,7 +22,7 @@ BINUVERSION ?= "2.36%" GDBVERSION ?= "10.%" GLIBCVERSION ?= "2.33" LINUXLIBCVERSION ?= "5.10%" -QEMUVERSION ?= "5.2%" +QEMUVERSION ?= "6.0%" GOVERSION ?= "1.16%" # This can not use wildcards like 8.0.% since it is also used in mesa to denote # llvm version being used, so always bump it with llvm recipe version bump diff --git a/meta/recipes-devtools/qemu/qemu-native_5.2.0.bb b/meta/recipes-devtools/qemu/qemu-native_6.0.0.bb similarity index 89% rename from meta/recipes-devtools/qemu/qemu-native_5.2.0.bb rename to meta/recipes-devtools/qemu/qemu-native_6.0.0.bb index c8acff8e19..d23d7a8ada 100644 --- a/meta/recipes-devtools/qemu/qemu-native_5.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu-native_6.0.0.bb @@ -6,4 +6,4 @@ require qemu-native.inc EXTRA_OECONF_append = " --target-list=${@get_qemu_usermode_target_list(d)} --disable-tools --disable-blobs --disable-guest-agent" -PACKAGECONFIG ??= "" +PACKAGECONFIG ??= "pie" diff --git a/meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb similarity index 96% rename from meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb rename to meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb index 390dadea48..9d7d0cdceb 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb @@ -11,7 +11,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native" EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}" -PACKAGECONFIG ??= "fdt alsa kvm \ +PACKAGECONFIG ??= "fdt alsa kvm pie \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ " diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 74c53c6309..0cbd66301e 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -25,43 +25,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ file://0001-Add-enable-disable-udev.patch \ file://0001-qemu-Do-not-include-file-if-not-exists.patch \ - file://mingwfix.patch \ - file://mmap.patch \ file://mmap2.patch \ file://determinism.patch \ file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \ - file://CVE-2021-20203.patch \ - file://CVE-2020-35517_1.patch \ - file://CVE-2020-35517_2.patch \ - file://CVE-2020-35517_3.patch \ - file://CVE-2021-20181.patch \ - file://CVE-2020-29443.patch \ - file://CVE-2021-20221.patch \ - file://CVE-2021-3409_1.patch \ - file://CVE-2021-3409_2.patch \ - file://CVE-2021-3409_3.patch \ - file://CVE-2021-3409_4.patch \ - file://CVE-2021-3409_5.patch \ - file://CVE-2021-3409_6.patch \ - file://CVE-2021-3416_1.patch \ - file://CVE-2021-3416_2.patch \ - file://CVE-2021-3416_3.patch \ - file://CVE-2021-3416_4.patch \ - file://CVE-2021-3416_5.patch \ - file://CVE-2021-3416_6.patch \ - file://CVE-2021-3416_7.patch \ - file://CVE-2021-3416_8.patch \ - file://CVE-2021-3416_9.patch \ - file://CVE-2021-3416_10.patch \ - file://CVE-2021-20257.patch \ - file://CVE-2020-27821.patch \ - file://CVE-2021-20263.patch \ - file://CVE-2021-3392.patch \ file://0001-configure-fix-detection-of-gdbus-codegen.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" -SRC_URI[sha256sum] = "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549df17bc" +SRC_URI[sha256sum] = "87bc1a471ca24b97e7005711066007d443423d19aacda3d442558ae032fa30b9" SRC_URI_append_class-target = " file://cross.patch" SRC_URI_append_class-nativesdk = " file://cross.patch" @@ -94,8 +65,6 @@ do_install_ptest() { find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcodp]" | xargs -i rm -rf {} # Don't check the file genreated by configure - sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \ - ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh # Strip the paths from the QEMU variable, we can use PATH @@ -122,7 +91,7 @@ EXTRA_OECONF = " \ --extra-cflags='${CFLAGS}' \ --extra-ldflags='${LDFLAGS}' \ --with-git=/bin/false \ - --disable-git-update \ + --with-git-submodules=ignore \ --meson=meson \ ${PACKAGECONFIG_CONFARGS} \ " diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch index c99adee8a9..4b37967e7a 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch @@ -12,13 +12,13 @@ Signed-off-by: Sakib Sajal configure | 4 ++++ 1 file changed, 4 insertions(+) -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -1525,6 +1525,10 @@ for opt do +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -1565,6 +1565,10 @@ for opt do ;; - --disable-libdaxctl) libdaxctl=no + --disable-gio) gio=no ;; + --enable-libudev) libudev="yes" + ;; diff --git a/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch b/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch index 1f20077883..8bffc31293 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch @@ -26,20 +26,20 @@ Signed-off-by: Alexander Kanavin configure | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -diff --git a/configure b/configure -index 18c26e0389..4c36e221d3 100755 ---- a/configure -+++ b/configure -@@ -3496,7 +3496,7 @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then - gio_cflags=$($pkg_config --cflags gio-2.0) - gio_libs=$($pkg_config --libs gio-2.0) - gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) -- if [ ! -x "$gdbus_codegen" ]; then -+ if ! has "$gdbus_codegen"; then - gdbus_codegen= - fi - # Check that the libraries actually work -- Ubuntu 18.04 ships -@@ -6172,6 +6172,8 @@ if test "$gio" = "yes" ; then +Index: qemu-6.0.0/configure +=================================================================== +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -3366,7 +3366,7 @@ if ! test "$gio" = "no"; then + gio_cflags=$($pkg_config --cflags gio-2.0) + gio_libs=$($pkg_config --libs gio-2.0) + gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) +- if [ ! -x "$gdbus_codegen" ]; then ++ if ! has "$gdbus_codegen"; then + gdbus_codegen= + fi + # Check that the libraries actually work -- Ubuntu 18.04 ships +@@ -5704,6 +5704,8 @@ if test "$gio" = "yes" ; then echo "CONFIG_GIO=y" >> $config_host_mak echo "GIO_CFLAGS=$gio_cflags" >> $config_host_mak echo "GIO_LIBS=$gio_libs" >> $config_host_mak @@ -48,6 +48,3 @@ index 18c26e0389..4c36e221d3 100755 echo "GDBUS_CODEGEN=$gdbus_codegen" >> $config_host_mak fi echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak --- -2.24.0 - diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch index 8ce12bdb43..2f2d19f536 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch @@ -20,10 +20,10 @@ Signed-off-by: Sakib Sajal hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) -Index: qemu-5.2.0/hw/usb/dev-wacom.c +Index: qemu-6.0.0/hw/usb/dev-wacom.c =================================================================== ---- qemu-5.2.0.orig/hw/usb/dev-wacom.c -+++ qemu-5.2.0/hw/usb/dev-wacom.c +--- qemu-6.0.0.orig/hw/usb/dev-wacom.c ++++ qemu-6.0.0/hw/usb/dev-wacom.c @@ -69,6 +69,89 @@ static const USBDescStrings desc_strings [STR_SERIALNUMBER] = "1", }; diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch index 3fe9aa6eb5..b8d288d3a2 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch @@ -15,11 +15,11 @@ Signed-off-by: Sakib Sajal linux-user/syscall.c | 2 ++ 1 file changed, 2 insertions(+) -Index: qemu-5.2.0/linux-user/syscall.c +Index: qemu-6.0.0/linux-user/syscall.c =================================================================== ---- qemu-5.2.0.orig/linux-user/syscall.c -+++ qemu-5.2.0/linux-user/syscall.c -@@ -109,7 +109,9 @@ +--- qemu-6.0.0.orig/linux-user/syscall.c ++++ qemu-6.0.0/linux-user/syscall.c +@@ -113,7 +113,9 @@ #include #include #include @@ -28,4 +28,4 @@ Index: qemu-5.2.0/linux-user/syscall.c +#endif #include #include - #ifdef CONFIG_BTRFS + #ifdef HAVE_BTRFS_H diff --git a/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch index 5cb5757c37..d5e1ab4d51 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch @@ -16,19 +16,16 @@ Signed-off-by: Changqing Li tests/meson.build | 2 +- 1 files changed, 1 insertions(+), 1 deletion(-) -diff --git a/tests/meson.build b/tests/meson.build -index afeb6be..54684b5 100644 ---- a/tests/meson.build -+++ b/tests/meson.build -@@ -113,7 +113,7 @@ tests = { +Index: qemu-6.0.0/tests/unit/meson.build +=================================================================== +--- qemu-6.0.0.orig/tests/unit/meson.build ++++ qemu-6.0.0/tests/unit/meson.build +@@ -42,7 +42,7 @@ tests = { 'test-keyval': [testqapi], 'test-logging': [], 'test-uuid': [], - 'ptimer-test': ['ptimer-test-stubs.c', meson.source_root() / 'hw/core/ptimer.c'], -+ 'ptimer-test': ['ptimer-test-stubs.c', '../hw/core/ptimer.c'], ++ 'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'], 'test-qapi-util': [], } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch index fd54f96b03..733789be29 100644 --- a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch +++ b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch @@ -18,13 +18,13 @@ Signed-off-by: Roy Li hw/mips/malta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: qemu-5.2.0/hw/mips/malta.c +Index: qemu-6.0.0/hw/mips/malta.c =================================================================== ---- qemu-5.2.0.orig/hw/mips/malta.c -+++ qemu-5.2.0/hw/mips/malta.c -@@ -62,7 +62,7 @@ - - #define ENVP_ADDR 0x80002000l +--- qemu-6.0.0.orig/hw/mips/malta.c ++++ qemu-6.0.0/hw/mips/malta.c +@@ -65,7 +65,7 @@ + #define ENVP_PADDR 0x2000 + #define ENVP_VADDR cpu_mips_phys_to_kseg0(NULL, ENVP_PADDR) #define ENVP_NB_ENTRIES 16 -#define ENVP_ENTRY_SIZE 256 +#define ENVP_ENTRY_SIZE 1024 diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch index a0bd1c5ebc..330bcaef0a 100644 --- a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch +++ b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch @@ -12,11 +12,11 @@ Signed-off-by: Ross Burton configure | 9 --------- 1 file changed, 9 deletions(-) -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -5001,15 +5001,6 @@ fi +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -4648,15 +4648,6 @@ fi # check if we have valgrind/valgrind.h valgrind_h=no diff --git a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch index 201125c1f4..05dc849dad 100644 --- a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch +++ b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch @@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly qapi/char.json | 5 +++ 3 files changed, 109 insertions(+) -Index: qemu-5.2.0/chardev/char-socket.c +Index: qemu-6.0.0/chardev/char-socket.c =================================================================== ---- qemu-5.2.0.orig/chardev/char-socket.c -+++ qemu-5.2.0/chardev/char-socket.c -@@ -1308,6 +1308,67 @@ static bool qmp_chardev_validate_socket( +--- qemu-6.0.0.orig/chardev/char-socket.c ++++ qemu-6.0.0/chardev/char-socket.c +@@ -1362,6 +1362,67 @@ static bool qmp_chardev_validate_socket( return true; } @@ -123,7 +123,7 @@ Index: qemu-5.2.0/chardev/char-socket.c static void qmp_chardev_open_socket(Chardev *chr, ChardevBackend *backend, -@@ -1316,6 +1377,9 @@ static void qmp_chardev_open_socket(Char +@@ -1370,6 +1431,9 @@ static void qmp_chardev_open_socket(Char { SocketChardev *s = SOCKET_CHARDEV(chr); ChardevSocket *sock = backend->u.socket.data; @@ -133,7 +133,7 @@ Index: qemu-5.2.0/chardev/char-socket.c bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; bool is_listen = sock->has_server ? sock->server : true; bool is_telnet = sock->has_telnet ? sock->telnet : false; -@@ -1381,6 +1445,14 @@ static void qmp_chardev_open_socket(Char +@@ -1446,6 +1510,14 @@ static void qmp_chardev_open_socket(Char update_disconnected_filename(s); @@ -148,7 +148,7 @@ Index: qemu-5.2.0/chardev/char-socket.c if (s->is_listen) { if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, is_waitconnect, errp) < 0) { -@@ -1400,6 +1472,9 @@ static void qemu_chr_parse_socket(QemuOp +@@ -1465,6 +1537,9 @@ static void qemu_chr_parse_socket(QemuOp const char *host = qemu_opt_get(opts, "host"); const char *port = qemu_opt_get(opts, "port"); const char *fd = qemu_opt_get(opts, "fd"); @@ -158,7 +158,7 @@ Index: qemu-5.2.0/chardev/char-socket.c #ifdef CONFIG_LINUX bool tight = qemu_opt_get_bool(opts, "tight", true); bool abstract = qemu_opt_get_bool(opts, "abstract", false); -@@ -1407,6 +1482,20 @@ static void qemu_chr_parse_socket(QemuOp +@@ -1472,6 +1547,20 @@ static void qemu_chr_parse_socket(QemuOp SocketAddressLegacy *addr; ChardevSocket *sock; @@ -179,7 +179,7 @@ Index: qemu-5.2.0/chardev/char-socket.c if ((!!path + !!fd + !!host) != 1) { error_setg(errp, "Exactly one of 'path', 'fd' or 'host' required"); -@@ -1448,13 +1537,24 @@ static void qemu_chr_parse_socket(QemuOp +@@ -1522,13 +1611,24 @@ static void qemu_chr_parse_socket(QemuOp sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds")); sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); @@ -204,11 +204,11 @@ Index: qemu-5.2.0/chardev/char-socket.c #ifdef CONFIG_LINUX q_unix->has_tight = true; q_unix->tight = tight; -Index: qemu-5.2.0/chardev/char.c +Index: qemu-6.0.0/chardev/char.c =================================================================== ---- qemu-5.2.0.orig/chardev/char.c -+++ qemu-5.2.0/chardev/char.c -@@ -839,6 +839,9 @@ QemuOptsList qemu_chardev_opts = { +--- qemu-6.0.0.orig/chardev/char.c ++++ qemu-6.0.0/chardev/char.c +@@ -840,6 +840,9 @@ QemuOptsList qemu_chardev_opts = { .name = "path", .type = QEMU_OPT_STRING, },{ @@ -218,10 +218,10 @@ Index: qemu-5.2.0/chardev/char.c .name = "host", .type = QEMU_OPT_STRING, },{ -Index: qemu-5.2.0/qapi/char.json +Index: qemu-6.0.0/qapi/char.json =================================================================== ---- qemu-5.2.0.orig/qapi/char.json -+++ qemu-5.2.0/qapi/char.json +--- qemu-6.0.0.orig/qapi/char.json ++++ qemu-6.0.0/qapi/char.json @@ -250,6 +250,10 @@ # # @addr: socket address to listen on (server=true) diff --git a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch index 294cf5129f..3491fa8a53 100644 --- a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch +++ b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch @@ -29,11 +29,11 @@ Signed-off-by: He Zhe hw/intc/apic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: qemu-5.2.0/hw/intc/apic.c +Index: qemu-6.0.0/hw/intc/apic.c =================================================================== ---- qemu-5.2.0.orig/hw/intc/apic.c -+++ qemu-5.2.0/hw/intc/apic.c -@@ -605,7 +605,7 @@ int apic_accept_pic_intr(DeviceState *de +--- qemu-6.0.0.orig/hw/intc/apic.c ++++ qemu-6.0.0/hw/intc/apic.c +@@ -606,7 +606,7 @@ int apic_accept_pic_intr(DeviceState *de APICCommonState *s = APIC(dev); uint32_t lvt0; diff --git a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch index c5d206b91b..cc6a5fe754 100644 --- a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch +++ b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch @@ -14,11 +14,11 @@ Signed-off-by: He Zhe configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 40 insertions(+), 8 deletions(-) -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -2956,6 +2956,30 @@ has_libgcrypt() { +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -2847,6 +2847,30 @@ has_libgcrypt() { return 0 } @@ -49,7 +49,7 @@ Index: qemu-5.2.0/configure if test "$nettle" != "no"; then pass="no" -@@ -2994,7 +3018,14 @@ fi +@@ -2885,7 +2909,14 @@ fi if test "$gcrypt" != "no"; then pass="no" @@ -65,7 +65,7 @@ Index: qemu-5.2.0/configure gcrypt_cflags=$(libgcrypt-config --cflags) gcrypt_libs=$(libgcrypt-config --libs) # Debian has removed -lgpg-error from libgcrypt-config -@@ -3004,12 +3035,12 @@ if test "$gcrypt" != "no"; then +@@ -2895,12 +2926,12 @@ if test "$gcrypt" != "no"; then then gcrypt_libs="$gcrypt_libs -lgpg-error" fi diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch deleted file mode 100644 index 58622f0487..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Tue, 1 Dec 2020 09:29:56 -0500 -Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an - MMIO region - -In using the address_space_translate_internal API, address_space_cache_init -forgot one piece of advice that can be found in the code for -address_space_translate_internal: - - /* MMIO registers can be expected to perform full-width accesses based only - * on their address, without considering adjacent registers that could - * decode to completely different MemoryRegions. When such registers - * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO - * regions overlap wildly. For this reason we cannot clamp the accesses - * here. - * - * If the length is small (as is the case for address_space_ldl/stl), - * everything works fine. If the incoming length is large, however, - * the caller really has to do the clamping through memory_access_size. - */ - -address_space_cache_init is exactly one such case where "the incoming length -is large", therefore we need to clamp the resulting length---not to -memory_access_size though, since we are not doing an access yet, but to -the size of the resulting section. This ensures that subsequent accesses -to the cached MemoryRegionSection will be in range. - -With this patch, the enclosed testcase notices that the used ring does -not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used" -error. - -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442] -CVE: CVE-2020-27821 - -Signed-off-by: Sakib Sajal ---- - softmmu/physmem.c | 10 ++++++++ - tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 61 insertions(+) - -diff --git a/softmmu/physmem.c b/softmmu/physmem.c -index 3027747c0..2cd1de4a2 100644 ---- a/softmmu/physmem.c -+++ b/softmmu/physmem.c -@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, - AddressSpaceDispatch *d; - hwaddr l; - MemoryRegion *mr; -+ Int128 diff; - - assert(len > 0); - -@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, - d = flatview_to_dispatch(cache->fv); - cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true); - -+ /* -+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself. -+ * Take that into account to compute how many bytes are there between -+ * cache->xlat and the end of the section. -+ */ -+ diff = int128_sub(cache->mrs.size, -+ int128_make64(cache->xlat - cache->mrs.offset_within_region)); -+ l = int128_get64(int128_min(diff, int128_make64(l))); -+ - mr = cache->mrs.mr; - memory_region_ref(mr); - if (memory_access_is_direct(mr, is_write)) { -diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c -index 9cb4c42bd..28739248e 100644 ---- a/tests/qtest/fuzz-test.c -+++ b/tests/qtest/fuzz-test.c -@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void) - qtest_outl(s, 0x5d02, 0xebed205d); - } - -+/* -+ * Here a MemoryRegionCache pointed to an MMIO region but had a -+ * larger size than the underlying region. -+ */ -+static void test_mmio_oob_from_memory_region_cache(void) -+{ -+ QTestState *s; -+ -+ s = qtest_init("-M pc-q35-5.2 -display none -m 512M " -+ "-device virtio-scsi,num_queues=8,addr=03.0 "); -+ -+ qtest_outl(s, 0xcf8, 0x80001811); -+ qtest_outb(s, 0xcfc, 0x6e); -+ qtest_outl(s, 0xcf8, 0x80001824); -+ qtest_outl(s, 0xcf8, 0x80001813); -+ qtest_outl(s, 0xcfc, 0xa080000); -+ qtest_outl(s, 0xcf8, 0x80001802); -+ qtest_outl(s, 0xcfc, 0x5a175a63); -+ qtest_outb(s, 0x6e08, 0x9e); -+ qtest_writeb(s, 0x9f003, 0xff); -+ qtest_writeb(s, 0x9f004, 0x01); -+ qtest_writeb(s, 0x9e012, 0x0e); -+ qtest_writeb(s, 0x9e01b, 0x0e); -+ qtest_writeb(s, 0x9f006, 0x01); -+ qtest_writeb(s, 0x9f008, 0x01); -+ qtest_writeb(s, 0x9f00a, 0x01); -+ qtest_writeb(s, 0x9f00c, 0x01); -+ qtest_writeb(s, 0x9f00e, 0x01); -+ qtest_writeb(s, 0x9f010, 0x01); -+ qtest_writeb(s, 0x9f012, 0x01); -+ qtest_writeb(s, 0x9f014, 0x01); -+ qtest_writeb(s, 0x9f016, 0x01); -+ qtest_writeb(s, 0x9f018, 0x01); -+ qtest_writeb(s, 0x9f01a, 0x01); -+ qtest_writeb(s, 0x9f01c, 0x01); -+ qtest_writeb(s, 0x9f01e, 0x01); -+ qtest_writeb(s, 0x9f020, 0x01); -+ qtest_writeb(s, 0x9f022, 0x01); -+ qtest_writeb(s, 0x9f024, 0x01); -+ qtest_writeb(s, 0x9f026, 0x01); -+ qtest_writeb(s, 0x9f028, 0x01); -+ qtest_writeb(s, 0x9f02a, 0x01); -+ qtest_writeb(s, 0x9f02c, 0x01); -+ qtest_writeb(s, 0x9f02e, 0x01); -+ qtest_writeb(s, 0x9f030, 0x01); -+ qtest_outb(s, 0x6e10, 0x00); -+ qtest_quit(s); -+} -+ - int main(int argc, char **argv) - { - const char *arch = qtest_get_arch(); -@@ -58,6 +107,8 @@ int main(int argc, char **argv) - test_lp1878263_megasas_zero_iov_cnt); - qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert", - test_lp1878642_pci_bus_get_irq_level_assert); -+ qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache", -+ test_mmio_oob_from_memory_region_cache); - } - - return g_test_run(); --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch deleted file mode 100644 index c72324fce6..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch +++ /dev/null @@ -1,107 +0,0 @@ -From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 18 Jan 2021 17:21:30 +0530 -Subject: [PATCH] ide: atapi: check logical block address and read size - (CVE-2020-29443) - -While processing ATAPI cmd_read/cmd_read_cd commands, -Logical Block Address (LBA) maybe invalid OR closer to the last block, -leading to an OOB access issues. Add range check to avoid it. - -Fixes: CVE-2020-29443 -Reported-by: Wenxiang Qian -Suggested-by: Paolo Bonzini -Reviewed-by: Paolo Bonzini -Signed-off-by: Prasad J Pandit -Message-Id: <20210118115130.457044-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini - -Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e] -CVE: CVE-2020-29443 - -Signed-off-by: Sakib Sajal ---- - hw/ide/atapi.c | 30 ++++++++++++++++++++++++------ - 1 file changed, 24 insertions(+), 6 deletions(-) - -diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c -index e79157863..b626199e3 100644 ---- a/hw/ide/atapi.c -+++ b/hw/ide/atapi.c -@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size) - static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors, - int sector_size) - { -+ assert(0 <= lba && lba < (s->nb_sectors >> 2)); -+ - s->lba = lba; - s->packet_transfer_size = nb_sectors * sector_size; - s->elementary_transfer_size = 0; -@@ -420,6 +422,8 @@ eot: - static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors, - int sector_size) - { -+ assert(0 <= lba && lba < (s->nb_sectors >> 2)); -+ - s->lba = lba; - s->packet_transfer_size = nb_sectors * sector_size; - s->io_buffer_size = 0; -@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf) - - static void cmd_read(IDEState *s, uint8_t* buf) - { -- int nb_sectors, lba; -+ unsigned int nb_sectors, lba; -+ -+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */ -+ uint64_t total_sectors = s->nb_sectors >> 2; - - if (buf[0] == GPCMD_READ_10) { - nb_sectors = lduw_be_p(buf + 7); - } else { - nb_sectors = ldl_be_p(buf + 6); - } -- -- lba = ldl_be_p(buf + 2); - if (nb_sectors == 0) { - ide_atapi_cmd_ok(s); - return; - } - -+ lba = ldl_be_p(buf + 2); -+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) { -+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR); -+ return; -+ } -+ - ide_atapi_cmd_read(s, lba, nb_sectors, 2048); - } - - static void cmd_read_cd(IDEState *s, uint8_t* buf) - { -- int nb_sectors, lba, transfer_request; -+ unsigned int nb_sectors, lba, transfer_request; - -- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8]; -- lba = ldl_be_p(buf + 2); -+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */ -+ uint64_t total_sectors = s->nb_sectors >> 2; - -+ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8]; - if (nb_sectors == 0) { - ide_atapi_cmd_ok(s); - return; - } - -+ lba = ldl_be_p(buf + 2); -+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) { -+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR); -+ return; -+ } -+ - transfer_request = buf[9] & 0xf8; - if (transfer_request == 0x00) { - /* nothing */ --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch deleted file mode 100644 index 73a4cb2064..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch +++ /dev/null @@ -1,153 +0,0 @@ -From 8afaaee976965b7fb90ec225a51d60f35c5f173c Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Thu, 4 Feb 2021 15:02:06 +0000 -Subject: [PATCH] virtiofsd: extract lo_do_open() from lo_open() - -Both lo_open() and lo_create() have similar code to open a file. Extract -a common lo_do_open() function from lo_open() that will be used by -lo_create() in a later commit. - -Since lo_do_open() does not otherwise need fuse_req_t req, convert -lo_add_fd_mapping() to use struct lo_data *lo instead. - -Signed-off-by: Stefan Hajnoczi -Message-Id: <20210204150208.367837-2-stefanha@redhat.com> -Reviewed-by: Greg Kurz -Signed-off-by: Dr. David Alan Gilbert - -Upstream-Status: Backport -[https://github.com/qemu/qemu/commit/8afaaee976965b7fb90ec225a51d60f35c5f173c] - -CVE: CVE-2020-35517 - -Signed-off-by: Dr. David Alan Gilbert -Signed-off-by: Khairul Rohaizzat Jamaluddin ---- - tools/virtiofsd/passthrough_ll.c | 73 +++++++++++++++++++++++++--------------- - 1 file changed, 46 insertions(+), 27 deletions(-) - -diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c -index 5fb36d9..f14fa51 100644 ---- a/tools/virtiofsd/passthrough_ll.c -+++ b/tools/virtiofsd/passthrough_ll.c -@@ -459,17 +459,17 @@ static void lo_map_remove(struct lo_map *map, size_t key) - } - - /* Assumes lo->mutex is held */ --static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd) -+static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd) - { - struct lo_map_elem *elem; - -- elem = lo_map_alloc_elem(&lo_data(req)->fd_map); -+ elem = lo_map_alloc_elem(&lo->fd_map); - if (!elem) { - return -1; - } - - elem->fd = fd; -- return elem - lo_data(req)->fd_map.elems; -+ return elem - lo->fd_map.elems; - } - - /* Assumes lo->mutex is held */ -@@ -1651,6 +1651,38 @@ static void update_open_flags(int writeback, int allow_direct_io, - } - } - -+static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, -+ struct fuse_file_info *fi) -+{ -+ char buf[64]; -+ ssize_t fh; -+ int fd; -+ -+ update_open_flags(lo->writeback, lo->allow_direct_io, fi); -+ -+ sprintf(buf, "%i", inode->fd); -+ fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW); -+ if (fd == -1) { -+ return errno; -+ } -+ -+ pthread_mutex_lock(&lo->mutex); -+ fh = lo_add_fd_mapping(lo, fd); -+ pthread_mutex_unlock(&lo->mutex); -+ if (fh == -1) { -+ close(fd); -+ return ENOMEM; -+ } -+ -+ fi->fh = fh; -+ if (lo->cache == CACHE_NONE) { -+ fi->direct_io = 1; -+ } else if (lo->cache == CACHE_ALWAYS) { -+ fi->keep_cache = 1; -+ } -+ return 0; -+} -+ - static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, - mode_t mode, struct fuse_file_info *fi) - { -@@ -1691,7 +1723,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, - ssize_t fh; - - pthread_mutex_lock(&lo->mutex); -- fh = lo_add_fd_mapping(req, fd); -+ fh = lo_add_fd_mapping(lo, fd); - pthread_mutex_unlock(&lo->mutex); - if (fh == -1) { - close(fd); -@@ -1892,38 +1924,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync, - - static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi) - { -- int fd; -- ssize_t fh; -- char buf[64]; - struct lo_data *lo = lo_data(req); -+ struct lo_inode *inode = lo_inode(req, ino); -+ int err; - - fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino, - fi->flags); - -- update_open_flags(lo->writeback, lo->allow_direct_io, fi); -- -- sprintf(buf, "%i", lo_fd(req, ino)); -- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW); -- if (fd == -1) { -- return (void)fuse_reply_err(req, errno); -- } -- -- pthread_mutex_lock(&lo->mutex); -- fh = lo_add_fd_mapping(req, fd); -- pthread_mutex_unlock(&lo->mutex); -- if (fh == -1) { -- close(fd); -- fuse_reply_err(req, ENOMEM); -+ if (!inode) { -+ fuse_reply_err(req, EBADF); - return; - } - -- fi->fh = fh; -- if (lo->cache == CACHE_NONE) { -- fi->direct_io = 1; -- } else if (lo->cache == CACHE_ALWAYS) { -- fi->keep_cache = 1; -+ err = lo_do_open(lo, inode, fi); -+ lo_inode_put(lo, &inode); -+ if (err) { -+ fuse_reply_err(req, err); -+ } else { -+ fuse_reply_open(req, fi); - } -- fuse_reply_open(req, fi); - } - - static void lo_release(fuse_req_t req, fuse_ino_t ino, --- -1.8.3.1 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch deleted file mode 100644 index bf11bdb6f8..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch +++ /dev/null @@ -1,117 +0,0 @@ -From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Thu, 4 Feb 2021 15:02:07 +0000 -Subject: [PATCH] virtiofsd: optionally return inode pointer from - lo_do_lookup() - -lo_do_lookup() finds an existing inode or allocates a new one. It -increments nlookup so that the inode stays alive until the client -releases it. - -Existing callers don't need the struct lo_inode so the function doesn't -return it. Extend the function to optionally return the inode. The next -commit will need it. - -Signed-off-by: Stefan Hajnoczi -Reviewed-by: Greg Kurz -Message-Id: <20210204150208.367837-3-stefanha@redhat.com> -Signed-off-by: Dr. David Alan Gilbert - -Upstream-Status: Backport -[https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3] - -CVE: CVE-2020-35517 - -Signed-off-by: Dr. David Alan Gilbert -Signed-off-by: Khairul Rohaizzat Jamaluddin ---- - tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++-------- - 1 file changed, 21 insertions(+), 8 deletions(-) - -diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c -index f14fa51..aa35fc6 100644 ---- a/tools/virtiofsd/passthrough_ll.c -+++ b/tools/virtiofsd/passthrough_ll.c -@@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname, - } - - /* -- * Increments nlookup and caller must release refcount using -- * lo_inode_put(&parent). -+ * Increments nlookup on the inode on success. unref_inode_lolocked() must be -+ * called eventually to decrement nlookup again. If inodep is non-NULL, the -+ * inode pointer is stored and the caller must call lo_inode_put(). - */ - static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, -- struct fuse_entry_param *e) -+ struct fuse_entry_param *e, -+ struct lo_inode **inodep) - { - int newfd; - int res; -@@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, - struct lo_inode *inode = NULL; - struct lo_inode *dir = lo_inode(req, parent); - -+ if (inodep) { -+ *inodep = NULL; -+ } -+ - /* - * name_to_handle_at() and open_by_handle_at() can reach here with fuse - * mount point in guest, but we don't have its inode info in the -@@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, - pthread_mutex_unlock(&lo->mutex); - } - e->ino = inode->fuse_ino; -- lo_inode_put(lo, &inode); -+ -+ /* Transfer ownership of inode pointer to caller or drop it */ -+ if (inodep) { -+ *inodep = inode; -+ } else { -+ lo_inode_put(lo, &inode); -+ } -+ - lo_inode_put(lo, &dir); - - fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent, -@@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) - return; - } - -- err = lo_do_lookup(req, parent, name, &e); -+ err = lo_do_lookup(req, parent, name, &e, NULL); - if (err) { - fuse_reply_err(req, err); - } else { -@@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent, - goto out; - } - -- saverr = lo_do_lookup(req, parent, name, &e); -+ saverr = lo_do_lookup(req, parent, name, &e, NULL); - if (saverr) { - goto out; - } -@@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size, - - if (plus) { - if (!is_dot_or_dotdot(name)) { -- err = lo_do_lookup(req, ino, name, &e); -+ err = lo_do_lookup(req, ino, name, &e, NULL); - if (err) { - goto error; - } -@@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, - } - - fi->fh = fh; -- err = lo_do_lookup(req, parent, name, &e); -+ err = lo_do_lookup(req, parent, name, &e, NULL); - } - if (lo->cache == CACHE_NONE) { - fi->direct_io = 1; --- -1.8.3.1 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch deleted file mode 100644 index f348f3f2bd..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch +++ /dev/null @@ -1,303 +0,0 @@ -From a3fdbbc7f271bff7d53d0501b29d910ece0b3789 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Thu, 4 Feb 2021 15:02:08 +0000 -Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517) - -A well-behaved FUSE client does not attempt to open special files with -FUSE_OPEN because they are handled on the client side (e.g. device nodes -are handled by client-side device drivers). - -The check to prevent virtiofsd from opening special files is missing in -a few cases, most notably FUSE_OPEN. A malicious client can cause -virtiofsd to open a device node, potentially allowing the guest to -escape. This can be exploited by a modified guest device driver. It is -not exploitable from guest userspace since the guest kernel will handle -special files inside the guest instead of sending FUSE requests. - -This patch fixes this issue by introducing the lo_inode_open() function -to check the file type before opening it. This is a short-term solution -because it does not prevent a compromised virtiofsd process from opening -device nodes on the host. - -Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT -| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not -necessary here. If the file exists and the user did not specify O_EXCL, -open it via lo_do_open(). - -Reported-by: Alex Xu -Fixes: CVE-2020-35517 -Reviewed-by: Dr. David Alan Gilbert -Reviewed-by: Vivek Goyal -Reviewed-by: Greg Kurz -Signed-off-by: Stefan Hajnoczi -Message-Id: <20210204150208.367837-4-stefanha@redhat.com> -Signed-off-by: Dr. David Alan Gilbert - -Upstream-Status: Backport -[https://github.com/qemu/qemu/commit/a3fdbbc7f271bff7d53d0501b29d910ece0b3789] - -CVE: CVE-2020-35517 - -Signed-off-by: Dr. David Alan Gilbert -Signed-off-by: Khairul Rohaizzat Jamaluddin ---- - tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++----------- - 1 file changed, 92 insertions(+), 52 deletions(-) - -diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c -index aa35fc6ba5a5..147b59338a18 100644 ---- a/tools/virtiofsd/passthrough_ll.c -+++ b/tools/virtiofsd/passthrough_ll.c -@@ -555,6 +555,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino) - return fd; - } - -+/* -+ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a -+ * regular file or a directory. -+ * -+ * Use this helper function instead of raw openat(2) to prevent security issues -+ * when a malicious client opens special files such as block device nodes. -+ * Symlink inodes are also rejected since symlinks must already have been -+ * traversed on the client side. -+ */ -+static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode, -+ int open_flags) -+{ -+ g_autofree char *fd_str = g_strdup_printf("%d", inode->fd); -+ int fd; -+ -+ if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) { -+ return -EBADF; -+ } -+ -+ /* -+ * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier -+ * that the inode is not a special file but if an external process races -+ * with us then symlinks are traversed here. It is not possible to escape -+ * the shared directory since it is mounted as "/" though. -+ */ -+ fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW); -+ if (fd < 0) { -+ return -errno; -+ } -+ return fd; -+} -+ - static void lo_init(void *userdata, struct fuse_conn_info *conn) - { - struct lo_data *lo = (struct lo_data *)userdata; -@@ -684,9 +716,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, - if (fi) { - truncfd = fd; - } else { -- sprintf(procname, "%i", ifd); -- truncfd = openat(lo->proc_self_fd, procname, O_RDWR); -+ truncfd = lo_inode_open(lo, inode, O_RDWR); - if (truncfd < 0) { -+ errno = -truncfd; - goto out_err; - } - } -@@ -848,7 +880,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name, - struct lo_inode *dir = lo_inode(req, parent); - - if (inodep) { -- *inodep = NULL; -+ *inodep = NULL; /* in case there is an error */ - } - - /* -@@ -1664,19 +1696,26 @@ static void update_open_flags(int writeback, int allow_direct_io, - } - } - -+/* -+ * Open a regular file, set up an fd mapping, and fill out the struct -+ * fuse_file_info for it. If existing_fd is not negative, use that fd instead -+ * opening a new one. Takes ownership of existing_fd. -+ * -+ * Returns 0 on success or a positive errno. -+ */ - static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, -- struct fuse_file_info *fi) -+ int existing_fd, struct fuse_file_info *fi) - { -- char buf[64]; - ssize_t fh; -- int fd; -+ int fd = existing_fd; - - update_open_flags(lo->writeback, lo->allow_direct_io, fi); - -- sprintf(buf, "%i", inode->fd); -- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW); -- if (fd == -1) { -- return errno; -+ if (fd < 0) { -+ fd = lo_inode_open(lo, inode, fi->flags); -+ if (fd < 0) { -+ return -fd; -+ } - } - - pthread_mutex_lock(&lo->mutex); -@@ -1699,9 +1738,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, - static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, - mode_t mode, struct fuse_file_info *fi) - { -- int fd; -+ int fd = -1; - struct lo_data *lo = lo_data(req); - struct lo_inode *parent_inode; -+ struct lo_inode *inode = NULL; - struct fuse_entry_param e; - int err; - struct lo_cred old = {}; -@@ -1727,36 +1767,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name, - - update_open_flags(lo->writeback, lo->allow_direct_io, fi); - -- fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW, -- mode); -+ /* Try to create a new file but don't open existing files */ -+ fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode); - err = fd == -1 ? errno : 0; -- lo_restore_cred(&old); - -- if (!err) { -- ssize_t fh; -+ lo_restore_cred(&old); - -- pthread_mutex_lock(&lo->mutex); -- fh = lo_add_fd_mapping(lo, fd); -- pthread_mutex_unlock(&lo->mutex); -- if (fh == -1) { -- close(fd); -- err = ENOMEM; -- goto out; -- } -+ /* Ignore the error if file exists and O_EXCL was not given */ -+ if (err && (err != EEXIST || (fi->flags & O_EXCL))) { -+ goto out; -+ } - -- fi->fh = fh; -- err = lo_do_lookup(req, parent, name, &e, NULL); -+ err = lo_do_lookup(req, parent, name, &e, &inode); -+ if (err) { -+ goto out; - } -- if (lo->cache == CACHE_NONE) { -- fi->direct_io = 1; -- } else if (lo->cache == CACHE_ALWAYS) { -- fi->keep_cache = 1; -+ -+ err = lo_do_open(lo, inode, fd, fi); -+ fd = -1; /* lo_do_open() takes ownership of fd */ -+ if (err) { -+ /* Undo lo_do_lookup() nlookup ref */ -+ unref_inode_lolocked(lo, inode, 1); - } - - out: -+ lo_inode_put(lo, &inode); - lo_inode_put(lo, &parent_inode); - - if (err) { -+ if (fd >= 0) { -+ close(fd); -+ } -+ - fuse_reply_err(req, err); - } else { - fuse_reply_create(req, &e, fi); -@@ -1770,7 +1812,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo, - pid_t pid, int *err) - { - struct lo_inode_plock *plock; -- char procname[64]; - int fd; - - plock = -@@ -1787,12 +1828,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo, - } - - /* Open another instance of file which can be used for ofd locks. */ -- sprintf(procname, "%i", inode->fd); -- - /* TODO: What if file is not writable? */ -- fd = openat(lo->proc_self_fd, procname, O_RDWR); -- if (fd == -1) { -- *err = errno; -+ fd = lo_inode_open(lo, inode, O_RDWR); -+ if (fd < 0) { -+ *err = -fd; - free(plock); - return NULL; - } -@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi) - return; - } - -- err = lo_do_open(lo, inode, fi); -+ err = lo_do_open(lo, inode, -1, fi); - lo_inode_put(lo, &inode); - if (err) { - fuse_reply_err(req, err); -@@ -2014,39 +2053,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi) - static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync, - struct fuse_file_info *fi) - { -+ struct lo_inode *inode = lo_inode(req, ino); -+ struct lo_data *lo = lo_data(req); - int res; - int fd; -- char *buf; - - fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino, - (void *)fi); - -- if (!fi) { -- struct lo_data *lo = lo_data(req); -- -- res = asprintf(&buf, "%i", lo_fd(req, ino)); -- if (res == -1) { -- return (void)fuse_reply_err(req, errno); -- } -+ if (!inode) { -+ fuse_reply_err(req, EBADF); -+ return; -+ } - -- fd = openat(lo->proc_self_fd, buf, O_RDWR); -- free(buf); -- if (fd == -1) { -- return (void)fuse_reply_err(req, errno); -+ if (!fi) { -+ fd = lo_inode_open(lo, inode, O_RDWR); -+ if (fd < 0) { -+ res = -fd; -+ goto out; - } - } else { - fd = lo_fi_fd(req, fi); - } - - if (datasync) { -- res = fdatasync(fd); -+ res = fdatasync(fd) == -1 ? errno : 0; - } else { -- res = fsync(fd); -+ res = fsync(fd) == -1 ? errno : 0; - } - if (!fi) { - close(fd); - } -- fuse_reply_err(req, res == -1 ? errno : 0); -+out: -+ lo_inode_put(lo, &inode); -+ fuse_reply_err(req, res); - } - - static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch deleted file mode 100644 index 1b8c77f838..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch +++ /dev/null @@ -1,81 +0,0 @@ -From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001 -From: Greg Kurz -Date: Thu, 14 Jan 2021 17:04:12 +0100 -Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181) - -Depending on the client activity, the server can be asked to open a huge -number of file descriptors and eventually hit RLIMIT_NOFILE. This is -currently mitigated using a reclaim logic : the server closes the file -descriptors of idle fids, based on the assumption that it will be able -to re-open them later. This assumption doesn't hold of course if the -client requests the file to be unlinked. In this case, we loop on the -entire fid list and mark all related fids as unreclaimable (the reclaim -logic will just ignore them) and, of course, we open or re-open their -file descriptors if needed since we're about to unlink the file. - -This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual -opening of a file can cause the coroutine to yield, another client -request could possibly add a new fid that we may want to mark as -non-reclaimable as well. The loop is thus restarted if the re-open -request was actually transmitted to the backend. This is achieved -by keeping a reference on the first fid (head) before traversing -the list. - -This is wrong in several ways: -- a potential clunk request from the client could tear the first - fid down and cause the reference to be stale. This leads to a - use-after-free error that can be detected with ASAN, using a - custom 9p client -- fids are added at the head of the list : restarting from the - previous head will always miss fids added by a some other - potential request - -All these problems could be avoided if fids were being added at the -end of the list. This can be achieved with a QSIMPLEQ, but this is -probably too much change for a bug fix. For now let's keep it -simple and just restart the loop from the current head. - -Fixes: CVE-2021-20181 -Buglink: https://bugs.launchpad.net/qemu/+bug/1911666 -Reported-by: Zero Day Initiative -Reviewed-by: Christian Schoenebeck -Reviewed-by: Stefano Stabellini -Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan> -Signed-off-by: Greg Kurz - -Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305] -CVE: CVE-2021-20181 - -Signed-off-by: Sakib Sajal ---- - hw/9pfs/9p.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 94df440fc..6026b51a1 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) - { - int err; - V9fsState *s = pdu->s; -- V9fsFidState *fidp, head_fid; -+ V9fsFidState *fidp; - -- head_fid.next = s->fid_list; -+again: - for (fidp = s->fid_list; fidp; fidp = fidp->next) { - if (fidp->path.size != path->size) { - continue; -@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) - * switched to the worker thread - */ - if (err == 0) { -- fidp = &head_fid; -+ goto again; - } - } - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch deleted file mode 100644 index 269c6f1294..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch +++ /dev/null @@ -1,73 +0,0 @@ -From: Prasad J Pandit - -While activating device in vmxnet3_acticate_device(), it does not -validate guest supplied configuration values against predefined -minimum - maximum limits. This may lead to integer overflow or -OOB access issues. Add checks to avoid it. - -Fixes: CVE-2021-20203 -Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 -Reported-by: Gaoning Pan -Signed-off-by: Prasad J Pandit - -Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] -CVE: CVE-2021-20203 -Signed-off-by: Minjae Kim ---- - hw/net/vmxnet3.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index eff299f629..4a910ca971 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) - vmxnet3_setup_rx_filtering(s); - /* Cache fields from shared memory */ - s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); -+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); - VMW_CFPRN("MTU is %u", s->mtu); - - s->max_rx_frags = -@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* Read rings memory locations for TX queues */ - pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); - size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); -+ if (size > VMXNET3_TX_RING_MAX_SIZE) { -+ size = VMXNET3_TX_RING_MAX_SIZE; -+ } - - vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, - sizeof(struct Vmxnet3_TxDesc), false); -@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* TXC ring */ - pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); - size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); -+ if (size > VMXNET3_TC_RING_MAX_SIZE) { -+ size = VMXNET3_TC_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, - sizeof(struct Vmxnet3_TxCompDesc), true); - VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); -@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* RX rings */ - pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); - size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); -+ if (size > VMXNET3_RX_RING_MAX_SIZE) { -+ size = VMXNET3_RX_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, - sizeof(struct Vmxnet3_RxDesc), false); - VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", -@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* RXC ring */ - pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); - size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); -+ if (size > VMXNET3_RC_RING_MAX_SIZE) { -+ size = VMXNET3_RC_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, - sizeof(struct Vmxnet3_RxCompDesc), true); - VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); --- -2.29.2 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch deleted file mode 100644 index d762a51d02..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch +++ /dev/null @@ -1,70 +0,0 @@ -From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Sun, 31 Jan 2021 11:34:01 +0100 -Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Per the ARM Generic Interrupt Controller Architecture specification -(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, -not 10: - - - 4.3 Distributor register descriptions - - 4.3.15 Software Generated Interrupt Register, GICD_SG - - - Table 4-21 GICD_SGIR bit assignments - - The Interrupt ID of the SGI to forward to the specified CPU - interfaces. The value of this field is the Interrupt ID, in - the range 0-15, for example a value of 0b0011 specifies - Interrupt ID 3. - -Correct the irq mask to fix an undefined behavior (which eventually -lead to a heap-buffer-overflow, see [Buglink]): - - $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio - [I 1612088147.116987] OPENED - [R +0.278293] writel 0x8000f00 0xff4affb0 - ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' - SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 - -This fixes a security issue when running with KVM on Arm with -kernel-irqchip=off. (The default is kernel-irqchip=on, which is -unaffected, and which is also the correct choice for performance.) - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2021-20221 -Fixes: 9ee6e8bb853 ("ARMv7 support.") -Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 -Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 -Reported-by: Alexander Bulekov -Signed-off-by: Philippe Mathieu-Daudé -Message-id: 20210131103401.217160-1-f4bug@amsat.org -Reviewed-by: Peter Maydell -Signed-off-by: Peter Maydell - -Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a] -CVE: CVE-2021-20221 - -Signed-off-by: Sakib Sajal ---- - hw/intc/arm_gic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c -index c60dc6b5e..fbde60de0 100644 ---- a/hw/intc/arm_gic.c -+++ b/hw/intc/arm_gic.c -@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset, - int target_cpu; - - cpu = gic_get_current_cpu(s); -- irq = value & 0x3ff; -+ irq = value & 0xf; - switch ((value >> 24) & 3) { - case 0: - mask = (value >> 16) & ALL_CPU_MASK; --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch deleted file mode 100644 index 7175b24e99..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch +++ /dev/null @@ -1,55 +0,0 @@ -From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 13:45:28 +0800 -Subject: [PATCH] e1000: fail early for evil descriptor - -During procss_tx_desc(), driver can try to chain data descriptor with -legacy descriptor, when will lead underflow for the following -calculation in process_tx_desc() for bytes: - - if (tp->size + bytes > msh) - bytes = msh - tp->size; - -This will lead a infinite loop. So check and fail early if tp->size if -greater or equal to msh. - -Reported-by: Alexander Bulekov -Reported-by: Cheolwoo Myung -Reported-by: Ruhr-University Bochum -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang - -Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8] -CVE: CVE-2021-20257 - -Signed-off-by: Sakib Sajal ---- - hw/net/e1000.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index cf22c4f07..c3564c7ce 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - msh = tp->tso_props.hdr_len + tp->tso_props.mss; - do { - bytes = split_size; -+ if (tp->size >= msh) { -+ goto eop; -+ } - if (tp->size + bytes > msh) - bytes = msh - tp->size; - -@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - tp->size += split_size; - } - -+eop: - if (!(txd_lower & E1000_TXD_CMD_EOP)) - return; - if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch deleted file mode 100644 index 4f9a91f0c6..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch +++ /dev/null @@ -1,214 +0,0 @@ -From aaa5f8e00c2e85a893b972f1e243fb14c26b70dc Mon Sep 17 00:00:00 2001 -From: "Dr. David Alan Gilbert" -Date: Wed, 24 Feb 2021 19:56:25 +0000 -Subject: [PATCH 2/2] virtiofs: drop remapped security.capability xattr as - needed - -On Linux, the 'security.capability' xattr holds a set of -capabilities that can change when an executable is run, giving -a limited form of privilege escalation to those programs that -the writer of the file deemed worthy. - -Any write causes the 'security.capability' xattr to be dropped, -stopping anyone from gaining privilege by modifying a blessed -file. - -Fuse relies on the daemon to do this dropping, and in turn the -daemon relies on the host kernel to drop the xattr for it. However, -with the addition of -o xattrmap, the xattr that the guest -stores its capabilities in is now not the same as the one that -the host kernel automatically clears. - -Where the mapping changes 'security.capability', explicitly clear -the remapped name to preserve the same behaviour. - -This bug is assigned CVE-2021-20263. - -Signed-off-by: Dr. David Alan Gilbert -Reviewed-by: Vivek Goyal - -Upstream-Status: Backport [e586edcb410543768ef009eaa22a2d9dd4a53846] -CVE: CVE-2021-20263 - -Signed-off-by: Sakib Sajal ---- - docs/tools/virtiofsd.rst | 4 ++ - tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++- - 2 files changed, 80 insertions(+), 1 deletion(-) - -diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst -index 866b7db3e..00554c75b 100644 ---- a/docs/tools/virtiofsd.rst -+++ b/docs/tools/virtiofsd.rst -@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix - to the matched **key** (or all attributes if **key** is empty). - There may be at most one 'map' rule and it must be the last rule in the set. - -+Note: When the 'security.capability' xattr is remapped, the daemon has to do -+extra work to remove it during many operations, which the host kernel normally -+does itself. -+ - xattr-mapping Examples - ---------------------- - -diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c -index 03c5e0d13..c9197da86 100644 ---- a/tools/virtiofsd/passthrough_ll.c -+++ b/tools/virtiofsd/passthrough_ll.c -@@ -160,6 +160,7 @@ struct lo_data { - int posix_lock; - int xattr; - char *xattrmap; -+ char *xattr_security_capability; - char *source; - char *modcaps; - double timeout; -@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0; - - static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st, - uint64_t mnt_id); -+static int xattr_map_client(const struct lo_data *lo, const char *client_name, -+ char **out_name); - - static int is_dot_or_dotdot(const char *name) - { -@@ -365,6 +368,37 @@ out: - return ret; - } - -+/* -+ * The host kernel normally drops security.capability xattr's on -+ * any write, however if we're remapping xattr names we need to drop -+ * whatever the clients security.capability is actually stored as. -+ */ -+static int drop_security_capability(const struct lo_data *lo, int fd) -+{ -+ if (!lo->xattr_security_capability) { -+ /* We didn't remap the name, let the host kernel do it */ -+ return 0; -+ } -+ if (!fremovexattr(fd, lo->xattr_security_capability)) { -+ /* All good */ -+ return 0; -+ } -+ -+ switch (errno) { -+ case ENODATA: -+ /* Attribute didn't exist, that's fine */ -+ return 0; -+ -+ case ENOTSUP: -+ /* FS didn't support attribute anyway, also fine */ -+ return 0; -+ -+ default: -+ /* Hmm other error */ -+ return errno; -+ } -+} -+ - static void lo_map_init(struct lo_map *map) - { - map->elems = NULL; -@@ -717,6 +751,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, - uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1; - gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1; - -+ saverr = drop_security_capability(lo, ifd); -+ if (saverr) { -+ goto out_err; -+ } -+ - res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW); - if (res == -1) { - goto out_err; -@@ -735,6 +774,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr, - } - } - -+ saverr = drop_security_capability(lo, truncfd); -+ if (saverr) { -+ if (!fi) { -+ close(truncfd); -+ } -+ goto out_err; -+ } -+ - res = ftruncate(truncfd, attr->st_size); - if (!fi) { - saverr = errno; -@@ -1726,6 +1773,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode, - if (fd < 0) { - return -fd; - } -+ if (fi->flags & (O_TRUNC)) { -+ int err = drop_security_capability(lo, fd); -+ if (err) { -+ close(fd); -+ return err; -+ } -+ } - } - - pthread_mutex_lock(&lo->mutex); -@@ -2114,6 +2168,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino, - "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino, - out_buf.buf[0].size, (unsigned long)off); - -+ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd); -+ if (res) { -+ fuse_reply_err(req, res); -+ return; -+ } -+ - /* - * If kill_priv is set, drop CAP_FSETID which should lead to kernel - * clearing setuid/setgid on file. -@@ -2353,6 +2413,7 @@ static void parse_xattrmap(struct lo_data *lo) - { - const char *map = lo->xattrmap; - const char *tmp; -+ int ret; - - lo->xattr_map_nentries = 0; - while (*map) { -@@ -2383,7 +2444,7 @@ static void parse_xattrmap(struct lo_data *lo) - * the last entry. - */ - parse_xattrmap_map(lo, map, sep); -- return; -+ break; - } else { - fuse_log(FUSE_LOG_ERR, - "%s: Unexpected type;" -@@ -2452,6 +2513,19 @@ static void parse_xattrmap(struct lo_data *lo) - fuse_log(FUSE_LOG_ERR, "Empty xattr map\n"); - exit(1); - } -+ -+ ret = xattr_map_client(lo, "security.capability", -+ &lo->xattr_security_capability); -+ if (ret) { -+ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n", -+ strerror(ret)); -+ exit(1); -+ } -+ if (!strcmp(lo->xattr_security_capability, "security.capability")) { -+ /* 1-1 mapping, don't need to do anything */ -+ free(lo->xattr_security_capability); -+ lo->xattr_security_capability = NULL; -+ } - } - - /* -@@ -3480,6 +3554,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo) - - free(lo->xattrmap); - free_xattrmap(lo); -+ free(lo->xattr_security_capability); - free(lo->source); - } - --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch deleted file mode 100644 index af94cff7e8..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001 -From: Michael Tokarev -Date: Mon, 19 Apr 2021 15:42:47 +0200 -Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field - (CVE-2021-3392) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While processing SCSI i/o requests in mptsas_process_scsi_io_request(), -the Megaraid emulator appends new MPTSASRequest object 'req' to -the 's->pending' queue. In case of an error, this same object gets -dequeued in mptsas_free_request() only if SCSIRequest object -'req->sreq' is initialised. This may lead to a use-after-free issue. - -Since s->pending is actually not used, simply remove it from -MPTSASState. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Michael Tokarev -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Philippe Mathieu-Daudé -Reported-by: Cheolwoo Myung -Message-id: 20210419134247.1467982-1-f4bug@amsat.org -Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru> -Suggested-by: Paolo Bonzini -Reported-by: Cheolwoo Myung -BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392) -Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device") -[PMD: Reworded description, added more tags] -Signed-off-by: Philippe Mathieu-Daudé -Reviewed-by: Peter Maydell -Signed-off-by: Peter Maydell - -CVE: CVE-2021-3392 -Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d] -Signed-off-by: Anuj Mittal ---- - hw/scsi/mptsas.c | 6 ------ - hw/scsi/mptsas.h | 1 - - 2 files changed, 7 deletions(-) - -diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c -index 7416e7870614..db3219e7d206 100644 ---- a/hw/scsi/mptsas.c -+++ b/hw/scsi/mptsas.c -@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) - - static void mptsas_free_request(MPTSASRequest *req) - { -- MPTSASState *s = req->dev; -- - if (req->sreq != NULL) { - req->sreq->hba_private = NULL; - scsi_req_unref(req->sreq); - req->sreq = NULL; -- QTAILQ_REMOVE(&s->pending, req, next); - } - qemu_sglist_destroy(&req->qsg); - g_free(req); -@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, - } - - req = g_new0(MPTSASRequest, 1); -- QTAILQ_INSERT_TAIL(&s->pending, req, next); - req->scsi_io = *scsi_io; - req->dev = s; - -@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp) - - s->request_bh = qemu_bh_new(mptsas_fetch_requests, s); - -- QTAILQ_INIT(&s->pending); -- - scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL); - } - -diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h -index b85ac1a5fcc7..c046497db719 100644 ---- a/hw/scsi/mptsas.h -+++ b/hw/scsi/mptsas.h -@@ -79,7 +79,6 @@ struct MPTSASState { - uint16_t reply_frame_size; - - SCSIBus bus; -- QTAILQ_HEAD(, MPTSASRequest) pending; - }; - - void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch deleted file mode 100644 index f9395add43..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch +++ /dev/null @@ -1,56 +0,0 @@ -From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001 -From: Bin Meng -Date: Tue, 16 Feb 2021 11:46:52 +0800 -Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in - sdhci_sdma_transfer_multi_blocks() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -s->prnsts is updated in both branches of the if () else () statement. -Move the common bits outside so that it is cleaner. - -Signed-off-by: Bin Meng -Tested-by: Alexander Bulekov -Reviewed-by: Alexander Bulekov -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal ---- - hw/sd/sdhci.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 2f8b74a84..f83c5e295 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - page_aligned = true; - } - -+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; - if (s->trnmod & SDHC_TRNS_READ) { -- s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT | -- SDHC_DAT_LINE_ACTIVE; -+ s->prnsts |= SDHC_DOING_READ; - while (s->blkcnt) { - if (s->data_count == 0) { - sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size); -@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - } - } - } else { -- s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT | -- SDHC_DAT_LINE_ACTIVE; -+ s->prnsts |= SDHC_DOING_WRITE; - while (s->blkcnt) { - begin = s->data_count; - if (((boundary_count + begin) < block_size) && page_aligned) { --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch deleted file mode 100644 index f3d2bb1375..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch +++ /dev/null @@ -1,92 +0,0 @@ -From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001 -From: Bin Meng -Date: Wed, 3 Mar 2021 20:26:35 +0800 -Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time - out -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -At the end of sdhci_send_command(), it starts a data transfer if the -command register indicates data is associated. But the data transfer -should only be initiated when the command execution has succeeded. - -With this fix, the following reproducer: - -outl 0xcf8 0x80001810 -outl 0xcfc 0xe1068000 -outl 0xcf8 0x80001804 -outw 0xcfc 0x7 -write 0xe106802c 0x1 0x0f -write 0xe1068004 0xc 0x2801d10101fffffbff28a384 -write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f -write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576 -write 0xe1068003 0x1 0xfe - -cannot be reproduced with the following QEMU command line: - -$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \ - -device sdhci-pci,sd-spec-version=3 \ - -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ - -device sd-card,drive=mydrive \ - -monitor none -serial none -qtest stdio - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2020-17380 -Fixes: CVE-2020-25085 -Fixes: CVE-2021-3409 -Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") -Reported-by: Alexander Bulekov -Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) -Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) -Reported-by: Simon Wörner (Ruhr-Universität Bochum) -Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 -Acked-by: Alistair Francis -Tested-by: Alexander Bulekov -Tested-by: Philippe Mathieu-Daudé -Signed-off-by: Bin Meng -Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal ---- - hw/sd/sdhci.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index f83c5e295..44f8a82ea 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s) - SDRequest request; - uint8_t response[16]; - int rlen; -+ bool timeout = false; - - s->errintsts = 0; - s->acmd12errsts = 0; -@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s) - trace_sdhci_response16(s->rspreg[3], s->rspreg[2], - s->rspreg[1], s->rspreg[0]); - } else { -+ timeout = true; - trace_sdhci_error("timeout waiting for command response"); - if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { - s->errintsts |= SDHC_EIS_CMDTIMEOUT; -@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s) - - sdhci_update_irq(s); - -- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { -+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { - s->data_count = 0; - sdhci_data_transfer(s); - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch deleted file mode 100644 index c3b37ed616..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch +++ /dev/null @@ -1,109 +0,0 @@ -From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001 -From: Bin Meng -Date: Wed, 3 Mar 2021 20:26:36 +0800 -Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when - transfer is in progress -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Per "SD Host Controller Standard Specification Version 7.00" -chapter 2.2.1 SDMA System Address Register: - -This register can be accessed only if no transaction is executing -(i.e., after a transaction has stopped). - -With this fix, the following reproducer: - -outl 0xcf8 0x80001010 -outl 0xcfc 0xfbefff00 -outl 0xcf8 0x80001001 -outl 0xcfc 0x06000000 -write 0xfbefff2c 0x1 0x05 -write 0xfbefff0f 0x1 0x37 -write 0xfbefff0a 0x1 0x01 -write 0xfbefff0f 0x1 0x29 -write 0xfbefff0f 0x1 0x02 -write 0xfbefff0f 0x1 0x03 -write 0xfbefff04 0x1 0x01 -write 0xfbefff05 0x1 0x01 -write 0xfbefff07 0x1 0x02 -write 0xfbefff0c 0x1 0x33 -write 0xfbefff0e 0x1 0x20 -write 0xfbefff0f 0x1 0x00 -write 0xfbefff2a 0x1 0x01 -write 0xfbefff0c 0x1 0x00 -write 0xfbefff03 0x1 0x00 -write 0xfbefff05 0x1 0x00 -write 0xfbefff2a 0x1 0x02 -write 0xfbefff0c 0x1 0x32 -write 0xfbefff01 0x1 0x01 -write 0xfbefff02 0x1 0x01 -write 0xfbefff03 0x1 0x01 - -cannot be reproduced with the following QEMU command line: - -$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ - -nodefaults -device sdhci-pci,sd-spec-version=3 \ - -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ - -device sd-card,drive=mydrive -qtest stdio - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2020-17380 -Fixes: CVE-2020-25085 -Fixes: CVE-2021-3409 -Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") -Reported-by: Alexander Bulekov -Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) -Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) -Reported-by: Simon Wörner (Ruhr-Universität Bochum) -Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 -Tested-by: Alexander Bulekov -Signed-off-by: Bin Meng -Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal ---- - hw/sd/sdhci.c | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 44f8a82ea..d8a46f307 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - - switch (offset & ~0x3) { - case SDHC_SYSAD: -- s->sdmasysad = (s->sdmasysad & mask) | value; -- MASKED_WRITE(s->sdmasysad, mask, value); -- /* Writing to last byte of sdmasysad might trigger transfer */ -- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && -- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { -- if (s->trnmod & SDHC_TRNS_MULTI) { -- sdhci_sdma_transfer_multi_blocks(s); -- } else { -- sdhci_sdma_transfer_single_block(s); -+ if (!TRANSFERRING_DATA(s->prnsts)) { -+ s->sdmasysad = (s->sdmasysad & mask) | value; -+ MASKED_WRITE(s->sdmasysad, mask, value); -+ /* Writing to last byte of sdmasysad might trigger transfer */ -+ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && -+ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { -+ if (s->trnmod & SDHC_TRNS_MULTI) { -+ sdhci_sdma_transfer_multi_blocks(s); -+ } else { -+ sdhci_sdma_transfer_single_block(s); -+ } - } - } - break; --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch deleted file mode 100644 index d5be99759d..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch +++ /dev/null @@ -1,75 +0,0 @@ -From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001 -From: Bin Meng -Date: Wed, 3 Mar 2021 20:26:37 +0800 -Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for - ADMA -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When an ADMA transfer is started, the codes forget to set the -controller status to indicate a transfer is in progress. - -With this fix, the following 2 reproducers: - -https://paste.debian.net/plain/1185136 -https://paste.debian.net/plain/1185141 - -cannot be reproduced with the following QEMU command line: - -$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ - -nodefaults -device sdhci-pci,sd-spec-version=3 \ - -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ - -device sd-card,drive=mydrive -qtest stdio - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2020-17380 -Fixes: CVE-2020-25085 -Fixes: CVE-2021-3409 -Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") -Reported-by: Alexander Bulekov -Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) -Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) -Reported-by: Simon Wörner (Ruhr-Universität Bochum) -Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 -Tested-by: Alexander Bulekov -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Bin Meng -Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal ---- - hw/sd/sdhci.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index d8a46f307..7de03c6dd 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s) - - switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { - case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ -+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; - if (s->trnmod & SDHC_TRNS_READ) { -+ s->prnsts |= SDHC_DOING_READ; - while (length) { - if (s->data_count == 0) { - sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size); -@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s) - } - } - } else { -+ s->prnsts |= SDHC_DOING_WRITE; - while (length) { - begin = s->data_count; - if ((length + begin) < block_size) { --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch deleted file mode 100644 index 7199056838..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch +++ /dev/null @@ -1,56 +0,0 @@ -From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001 -From: Bin Meng -Date: Wed, 3 Mar 2021 20:26:38 +0800 -Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE - register is writable -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The codes to limit the maximum block size is only necessary when -SDHC_BLKSIZE register is writable. - -Tested-by: Alexander Bulekov -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Bin Meng -Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal ---- - hw/sd/sdhci.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 7de03c6dd..6c780126e 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - if (!TRANSFERRING_DATA(s->prnsts)) { - MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); - MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); -- } - -- /* Limit block size to the maximum buffer size */ -- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { -- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " -- "the maximum buffer 0x%x\n", __func__, s->blksize, -- s->buf_maxsz); -+ /* Limit block size to the maximum buffer size */ -+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { -+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than " -+ "the maximum buffer 0x%x\n", __func__, s->blksize, -+ s->buf_maxsz); - -- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); -+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); -+ } - } - - break; --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch deleted file mode 100644 index 624c1f6496..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch +++ /dev/null @@ -1,99 +0,0 @@ -From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001 -From: Bin Meng -Date: Wed, 3 Mar 2021 20:26:39 +0800 -Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] - when a different block size is programmed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the block size is programmed to a different value from the -previous one, reset the data pointer of s->fifo_buffer[] so that -s->fifo_buffer[] can be filled in using the new block size in -the next transfer. - -With this fix, the following reproducer: - -outl 0xcf8 0x80001010 -outl 0xcfc 0xe0000000 -outl 0xcf8 0x80001001 -outl 0xcfc 0x06000000 -write 0xe000002c 0x1 0x05 -write 0xe0000005 0x1 0x02 -write 0xe0000007 0x1 0x01 -write 0xe0000028 0x1 0x10 -write 0x0 0x1 0x23 -write 0x2 0x1 0x08 -write 0xe000000c 0x1 0x01 -write 0xe000000e 0x1 0x20 -write 0xe000000f 0x1 0x00 -write 0xe000000c 0x1 0x32 -write 0xe0000004 0x2 0x0200 -write 0xe0000028 0x1 0x00 -write 0xe0000003 0x1 0x40 - -cannot be reproduced with the following QEMU command line: - -$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \ - -nodefaults -device sdhci-pci,sd-spec-version=3 \ - -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \ - -device sd-card,drive=mydrive -qtest stdio - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2020-17380 -Fixes: CVE-2020-25085 -Fixes: CVE-2021-3409 -Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller") -Reported-by: Alexander Bulekov -Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum) -Reported-by: Sergej Schumilo (Ruhr-Universität Bochum) -Reported-by: Simon Wörner (Ruhr-Universität Bochum) -Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909418 -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 -Tested-by: Alexander Bulekov -Signed-off-by: Bin Meng -Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com> -Signed-off-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9] -CVE: CVE-2021-3409 - -Signed-off-by: Sakib Sajal ---- - hw/sd/sdhci.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 6c780126e..216842420 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - break; - case SDHC_BLKSIZE: - if (!TRANSFERRING_DATA(s->prnsts)) { -+ uint16_t blksize = s->blksize; -+ - MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); - MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - -@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - - s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); - } -+ -+ /* -+ * If the block size is programmed to a different value from -+ * the previous one, reset the data pointer of s->fifo_buffer[] -+ * so that s->fifo_buffer[] can be filled in using the new block -+ * size in the next transfer. -+ */ -+ if (blksize != s->blksize) { -+ s->data_count = 0; -+ } - } - - break; --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch deleted file mode 100644 index 5bacd67481..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch +++ /dev/null @@ -1,177 +0,0 @@ -From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 11:44:36 +0800 -Subject: [PATCH 01/10] net: introduce qemu_receive_packet() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Some NIC supports loopback mode and this is done by calling -nc->info->receive() directly which in fact suppresses the effort of -reentrancy check that is done in qemu_net_queue_send(). - -Unfortunately we can't use qemu_net_queue_send() here since for -loopback there's no sender as peer, so this patch introduce a -qemu_receive_packet() which is used for implementing loopback mode -for a NIC with this check. - -NIC that supports loopback mode will be converted to this helper. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Reviewed-by: Philippe Mathieu-Daudé -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang - -Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - include/net/net.h | 5 +++++ - include/net/queue.h | 8 ++++++++ - net/net.c | 38 +++++++++++++++++++++++++++++++------- - net/queue.c | 22 ++++++++++++++++++++++ - 4 files changed, 66 insertions(+), 7 deletions(-) - -diff --git a/include/net/net.h b/include/net/net.h -index 778fc787c..03f058ecb 100644 ---- a/include/net/net.h -+++ b/include/net/net.h -@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc); - void qemu_del_net_client(NetClientState *nc); - typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque); - void qemu_foreach_nic(qemu_nic_foreach func, void *opaque); -+int qemu_can_receive_packet(NetClientState *nc); - int qemu_can_send_packet(NetClientState *nc); - ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov, - int iovcnt); - ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov, - int iovcnt, NetPacketSent *sent_cb); - ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size); -+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size); -+ssize_t qemu_receive_packet_iov(NetClientState *nc, -+ const struct iovec *iov, -+ int iovcnt); - ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size); - ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf, - int size, NetPacketSent *sent_cb); -diff --git a/include/net/queue.h b/include/net/queue.h -index c0269bb1d..9f2f289d7 100644 ---- a/include/net/queue.h -+++ b/include/net/queue.h -@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue, - - void qemu_del_net_queue(NetQueue *queue); - -+ssize_t qemu_net_queue_receive(NetQueue *queue, -+ const uint8_t *data, -+ size_t size); -+ -+ssize_t qemu_net_queue_receive_iov(NetQueue *queue, -+ const struct iovec *iov, -+ int iovcnt); -+ - ssize_t qemu_net_queue_send(NetQueue *queue, - NetClientState *sender, - unsigned flags, -diff --git a/net/net.c b/net/net.c -index 6a2c3d956..5e15e5d27 100644 ---- a/net/net.c -+++ b/net/net.c -@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be) - #endif - } - -+int qemu_can_receive_packet(NetClientState *nc) -+{ -+ if (nc->receive_disabled) { -+ return 0; -+ } else if (nc->info->can_receive && -+ !nc->info->can_receive(nc)) { -+ return 0; -+ } -+ return 1; -+} -+ - int qemu_can_send_packet(NetClientState *sender) - { - int vm_running = runstate_is_running(); -@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender) - return 1; - } - -- if (sender->peer->receive_disabled) { -- return 0; -- } else if (sender->peer->info->can_receive && -- !sender->peer->info->can_receive(sender->peer)) { -- return 0; -- } -- return 1; -+ return qemu_can_receive_packet(sender->peer); - } - - static ssize_t filter_receive_iov(NetClientState *nc, -@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) - return qemu_send_packet_async(nc, buf, size, NULL); - } - -+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) -+{ -+ if (!qemu_can_receive_packet(nc)) { -+ return 0; -+ } -+ -+ return qemu_net_queue_receive(nc->incoming_queue, buf, size); -+} -+ -+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov, -+ int iovcnt) -+{ -+ if (!qemu_can_receive_packet(nc)) { -+ return 0; -+ } -+ -+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt); -+} -+ - ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size) - { - return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW, -diff --git a/net/queue.c b/net/queue.c -index 19e32c80f..c872d51df 100644 ---- a/net/queue.c -+++ b/net/queue.c -@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue, - return ret; - } - -+ssize_t qemu_net_queue_receive(NetQueue *queue, -+ const uint8_t *data, -+ size_t size) -+{ -+ if (queue->delivering) { -+ return 0; -+ } -+ -+ return qemu_net_queue_deliver(queue, NULL, 0, data, size); -+} -+ -+ssize_t qemu_net_queue_receive_iov(NetQueue *queue, -+ const struct iovec *iov, -+ int iovcnt) -+{ -+ if (queue->delivering) { -+ return 0; -+ } -+ -+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt); -+} -+ - ssize_t qemu_net_queue_send(NetQueue *queue, - NetClientState *sender, - unsigned flags, --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch deleted file mode 100644 index 7deec1a347..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001 -From: Alexander Bulekov -Date: Mon, 1 Mar 2021 14:35:30 -0500 -Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for - loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang - -Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/lan9118.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c -index ab57c02c8..75f18ae2d 100644 ---- a/hw/net/lan9118.c -+++ b/hw/net/lan9118.c -@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s) - /* FIXME: Honor TX disable, and allow queueing of packets. */ - if (s->phy_control & 0x4000) { - /* This assumes the receive routine doesn't touch the VLANClient. */ -- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); -+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); - } else { - qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch deleted file mode 100644 index 5e53e20bac..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch +++ /dev/null @@ -1,42 +0,0 @@ -From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 12:13:22 +0800 -Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang - -Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/e1000.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index d7d05ae30..cf22c4f07 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) - - NetClientState *nc = qemu_get_queue(s->nic); - if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { -- nc->info->receive(nc, buf, size); -+ qemu_receive_packet(nc, buf, size); - } else { - qemu_send_packet(nc, buf, size); - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch deleted file mode 100644 index 3fc469e3e3..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 12:57:40 +0800 -Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for - loopback packet -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé - -Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/dp8393x.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c -index 205c0decc..533a8304d 100644 ---- a/hw/net/dp8393x.c -+++ b/hw/net/dp8393x.c -@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) - s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; - if (nc->info->can_receive(nc)) { - s->loopback_packet = 1; -- nc->info->receive(nc, s->tx_buffer, tx_len); -+ qemu_receive_packet(nc, s->tx_buffer, tx_len); - } - } else { - /* Transmit packet */ --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch deleted file mode 100644 index e14f37735d..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 13:00:01 +0800 -Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for - loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang - -Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/msf2-emac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c -index 32ba9e841..3e6206044 100644 ---- a/hw/net/msf2-emac.c -+++ b/hw/net/msf2-emac.c -@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s) - * R_CFG1 bit 0 is set. - */ - if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) { -- nc->info->receive(nc, buf, size); -+ qemu_receive_packet(nc, buf, size); - } else { - qemu_send_packet(nc, buf, size); - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch deleted file mode 100644 index c3f8f97592..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch +++ /dev/null @@ -1,45 +0,0 @@ -From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 13:14:35 +0800 -Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for - loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Mark Cave-Ayland -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Alistair Francis -Signed-off-by: Jason Wang - -Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/sungem.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/sungem.c b/hw/net/sungem.c -index 33c3722df..3684a4d73 100644 ---- a/hw/net/sungem.c -+++ b/hw/net/sungem.c -@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf, - NetClientState *nc = qemu_get_queue(s->nic); - - if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { -- nc->info->receive(nc, buf, size); -+ qemu_receive_packet(nc, buf, size); - } else { - qemu_send_packet(nc, buf, size); - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch deleted file mode 100644 index 855c6970f4..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch +++ /dev/null @@ -1,43 +0,0 @@ -From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 24 Feb 2021 13:27:52 +0800 -Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for - loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_receive_iov() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang - -Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/net_tx_pkt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c -index da262edc3..1f9aa59ec 100644 ---- a/hw/net/net_tx_pkt.c -+++ b/hw/net/net_tx_pkt.c -@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt, - NetClientState *nc, const struct iovec *iov, int iov_cnt) - { - if (pkt->is_loopback) { -- nc->info->receive_iov(nc, iov, iov_cnt); -+ qemu_receive_packet_iov(nc, iov, iov_cnt); - } else { - qemu_sendv_packet(nc, iov, iov_cnt); - } --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch deleted file mode 100644 index 4e1115de02..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001 -From: Alexander Bulekov -Date: Fri, 26 Feb 2021 13:47:53 -0500 -Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for - loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Buglink: https://bugs.launchpad.net/qemu/+bug/1910826 -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang - -Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/rtl8139.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index ba5ace1ab..d2dd03e6a 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size, - } - - DPRINTF("+++ transmit loopback mode\n"); -- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); -+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size); - - if (iov) { - g_free(buf2); --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch deleted file mode 100644 index ed716468dc..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001 -From: Alexander Bulekov -Date: Mon, 1 Mar 2021 10:33:34 -0500 -Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Buglink: https://bugs.launchpad.net/qemu/+bug/1917085 -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang - -Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/pcnet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index f3f18d859..dcd3fc494 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1250,7 +1250,7 @@ txagain: - if (BCR_SWSTYLE(s) == 1) - add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); - s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); -+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); - s->looptest = 0; - } else { - if (s->nic) { --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch deleted file mode 100644 index 39d32b33a4..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch +++ /dev/null @@ -1,46 +0,0 @@ -From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001 -From: Alexander Bulekov -Date: Mon, 1 Mar 2021 14:33:43 -0500 -Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for - loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Alexander Bulekov -Signed-off-by: Jason Wang - -Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed] -CVE: CVE-2021-3416 - -Signed-off-by: Sakib Sajal ---- - hw/net/cadence_gem.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c -index 7a534691f..43b760e3f 100644 ---- a/hw/net/cadence_gem.c -+++ b/hw/net/cadence_gem.c -@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s) - /* Send the packet somewhere */ - if (s->phy_loop || (s->regs[GEM_NWCTRL] & - GEM_NWCTRL_LOCALLOOP)) { -- gem_receive(qemu_get_queue(s->nic), s->tx_packet, -- total_bytes); -+ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet, -+ total_bytes); - } else { - qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet, - total_bytes); --- -2.29.2 - diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch index 438c1ad086..a0fc39e5e2 100644 --- a/meta/recipes-devtools/qemu/qemu/cross.patch +++ b/meta/recipes-devtools/qemu/qemu/cross.patch @@ -6,19 +6,19 @@ Upstream-Status: Inappropriate [may be rewritten in a way upstream may accept?] Signed-off-by: Richard Purdie -Index: qemu-5.2.0/configure +Index: qemu-6.0.0/configure =================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -6973,7 +6973,6 @@ if has $sdl2_config; then +--- qemu-6.0.0.orig/configure ++++ qemu-6.0.0/configure +@@ -6371,7 +6371,6 @@ if has $sdl2_config; then fi echo "strip = [$(meson_quote $strip)]" >> $cross echo "windres = [$(meson_quote $windres)]" >> $cross --if test -n "$cross_prefix"; then +-if test "$cross_compile" = "yes"; then cross_arg="--cross-file config-meson.cross" echo "[host_machine]" >> $cross if test "$mingw32" = "yes" ; then -@@ -6999,9 +6998,6 @@ if test -n "$cross_prefix"; then +@@ -6403,9 +6402,6 @@ if test "$cross_compile" = "yes"; then else echo "endian = 'little'" >> $cross fi diff --git a/meta/recipes-devtools/qemu/qemu/determinism.patch b/meta/recipes-devtools/qemu/qemu/determinism.patch index cb1c907777..330a31204d 100644 --- a/meta/recipes-devtools/qemu/qemu/determinism.patch +++ b/meta/recipes-devtools/qemu/qemu/determinism.patch @@ -4,38 +4,19 @@ qemu build are not reproducible due to either full buildpaths or timestamps. Replace the full paths with relative ones. I couldn't figure out how to get meson to pass relative paths but we can fix that in the script. -For the keymaps, omit the timestamps as they don't matter to us. - Upstream-Status: Pending [some version of all/part of this may be accepted] RP 2021/3/1 -Index: qemu-5.2.0/scripts/decodetree.py +Index: qemu-6.0.0/scripts/decodetree.py =================================================================== ---- qemu-5.2.0.orig/scripts/decodetree.py -+++ qemu-5.2.0/scripts/decodetree.py -@@ -1303,8 +1303,8 @@ def main(): +--- qemu-6.0.0.orig/scripts/decodetree.py ++++ qemu-6.0.0/scripts/decodetree.py +@@ -1304,7 +1304,7 @@ def main(): toppat = ExcMultiPattern(0) for filename in args: - input_file = filename -- f = open(filename, 'r') + input_file = os.path.relpath(filename) -+ f = open(input_file, 'r') + f = open(filename, 'rt', encoding='utf-8') parse_file(f, toppat) f.close() - -Index: qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen -=================================================================== ---- qemu-5.2.0.orig/ui/keycodemapdb/tools/keymap-gen -+++ qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen -@@ -317,9 +317,8 @@ class LanguageGenerator(object): - raise NotImplementedError() - - def generate_header(self, database, args): -- today = time.strftime("%Y-%m-%d %H:%M") - self._boilerplate([ -- "This file is auto-generated from keymaps.csv on %s" % today, -+ "This file is auto-generated from keymaps.csv", - "Database checksum sha256(%s)" % database.mapchecksum, - "To re-generate, run:", - " %s" % args, diff --git a/meta/recipes-devtools/qemu/qemu/mingwfix.patch b/meta/recipes-devtools/qemu/qemu/mingwfix.patch deleted file mode 100644 index 8d76cef638..0000000000 --- a/meta/recipes-devtools/qemu/qemu/mingwfix.patch +++ /dev/null @@ -1,21 +0,0 @@ -OE assumes that mingw files are in a unix like file layout. The -'flattening' done by configure in qemu for mingw32 breaks things -for us. We are discussing with upstream but for now, hack this to -disable it and use the unix like layout everywhere. - -Signed-off-by: Richard Purdie -Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01073.html] - -Index: qemu-5.2.0/configure -=================================================================== ---- qemu-5.2.0.orig/configure -+++ qemu-5.2.0/configure -@@ -1541,7 +1541,7 @@ libdir="${libdir:-$prefix/lib}" - libexecdir="${libexecdir:-$prefix/libexec}" - includedir="${includedir:-$prefix/include}" - --if test "$mingw32" = "yes" ; then -+if test "$mingw32" = "dontwantthis" ; then - mandir="$prefix" - datadir="$prefix" - docdir="$prefix" diff --git a/meta/recipes-devtools/qemu/qemu/mmap.patch b/meta/recipes-devtools/qemu/qemu/mmap.patch deleted file mode 100644 index edd9734f30..0000000000 --- a/meta/recipes-devtools/qemu/qemu/mmap.patch +++ /dev/null @@ -1,29 +0,0 @@ -If mremap() is called without the MREMAP_MAYMOVE flag with a start address -just before the end of memory (reserved_va) where new_size would exceed -GUEST_ADD_MAX, the assert(end - 1 <= GUEST_ADDR_MAX) in page_set_flags() -would trigger. - -Add an extra guard to the guest_range_valid() checks to prevent this and -avoid asserting binaries when reserved_va is set. - -This meant a test case now gives the same behaviour regardless of whether -reserved_va is set or not. - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/ccc5ccc17f8cfbfd87d9aede5d12a2d47c56e712] -Signed-off-by: Richard Purdie Date: Sat, 15 May 2021 05:08:40 +0000 Subject: [PATCH 23/29] python3-markupsafe: upgrade 1.1.1 -> 2.0.0 (From OE-Core rev: e933129c612dfa7ee84293f792d35de532899132) Signed-off-by: Richard Purdie --- ...python3-markupsafe_1.1.1.bb => python3-markupsafe_2.0.0.bb} | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename meta/recipes-devtools/python/{python3-markupsafe_1.1.1.bb => python3-markupsafe_2.0.0.bb} (81%) diff --git a/meta/recipes-devtools/python/python3-markupsafe_1.1.1.bb b/meta/recipes-devtools/python/python3-markupsafe_2.0.0.bb similarity index 81% rename from meta/recipes-devtools/python/python3-markupsafe_1.1.1.bb rename to meta/recipes-devtools/python/python3-markupsafe_2.0.0.bb index cade4e0f51..5e4be22ee3 100644 --- a/meta/recipes-devtools/python/python3-markupsafe_1.1.1.bb +++ b/meta/recipes-devtools/python/python3-markupsafe_2.0.0.bb @@ -3,8 +3,7 @@ HOMEPAGE = "http://github.com/mitsuhiko/markupsafe" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=ffeffa59c90c9c4a033c7574f8f3fb75" -SRC_URI[md5sum] = "43fd756864fe42063068e092e220c57b" -SRC_URI[sha256sum] = "29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b" +SRC_URI[sha256sum] = "4fae0677f712ee090721d8b17f412f1cbceefbf0dc180fe91bab3232f38b4527" PYPI_PACKAGE = "MarkupSafe" inherit pypi setuptools3 From 888cee94c26c9637d9086ea93def89f1372b2551 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Sat, 15 May 2021 05:05:58 +0000 Subject: [PATCH 24/29] python3-jinja2: upgrade 2.11.3 -> 3.0.0 (From OE-Core rev: cc1a3b1c6b5c4d01e4e9579440e2221eec7e1b09) Signed-off-by: Richard Purdie --- .../{python3-jinja2_2.11.3.bb => python3-jinja2_3.0.0.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/python/{python3-jinja2_2.11.3.bb => python3-jinja2_3.0.0.bb} (92%) diff --git a/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb b/meta/recipes-devtools/python/python3-jinja2_3.0.0.bb similarity index 92% rename from meta/recipes-devtools/python/python3-jinja2_2.11.3.bb rename to meta/recipes-devtools/python/python3-jinja2_3.0.0.bb index 11a4d5432c..5ae8d49b53 100644 --- a/meta/recipes-devtools/python/python3-jinja2_2.11.3.bb +++ b/meta/recipes-devtools/python/python3-jinja2_3.0.0.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://pypi.org/project/Jinja/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6" +SRC_URI[sha256sum] = "ea8d7dd814ce9df6de6a761ec7f1cac98afe305b8cdc4aaae4e114b8d8ce24c5" PYPI_PACKAGE = "Jinja2" From 8a3d7128a965c1e549db111d040bc90c8db73fc7 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Sat, 15 May 2021 08:18:57 +0000 Subject: [PATCH 25/29] lttng-ust: upgrade 2.12.1 -> 2.12.2 (From OE-Core rev: f71a8341fbaf6dca103ebfd36afec7c7d4fce7e7) Signed-off-by: Richard Purdie --- .../lttng/{lttng-ust_2.12.1.bb => lttng-ust_2.12.2.bb} | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename meta/recipes-kernel/lttng/{lttng-ust_2.12.1.bb => lttng-ust_2.12.2.bb} (93%) diff --git a/meta/recipes-kernel/lttng/lttng-ust_2.12.1.bb b/meta/recipes-kernel/lttng/lttng-ust_2.12.2.bb similarity index 93% rename from meta/recipes-kernel/lttng/lttng-ust_2.12.1.bb rename to meta/recipes-kernel/lttng/lttng-ust_2.12.2.bb index 67b53cbbba..e340ff3460 100644 --- a/meta/recipes-kernel/lttng/lttng-ust_2.12.1.bb +++ b/meta/recipes-kernel/lttng/lttng-ust_2.12.2.bb @@ -33,8 +33,7 @@ SRC_URI = "https://lttng.org/files/lttng-ust/lttng-ust-${PV}.tar.bz2 \ file://0001-python-lttngust-Makefile.am-Add-install-lib-to-setup.patch \ " -SRC_URI[md5sum] = "11787d1df69b04dd7431614ab43b2e12" -SRC_URI[sha256sum] = "48a3948b168195123a749d22818809bd25127bb5f1a66458c3c012b210d2a051" +SRC_URI[sha256sum] = "bcd0f064b6ca88c72d84e760eac3472ae5c828411c634435922bee9fce359fc7" CVE_PRODUCT = "ust" From fdc1b9310a98986be891223f86494af6a1b42331 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield Date: Sat, 15 May 2021 11:45:21 -0400 Subject: [PATCH 26/29] lttng-modules: update devupstream to v2.13-rc To support builds against v5.13+ kernels, bumping the devupstream to 2.13 and the 2.13-rc series. Along with the SRCREV update, a port of the existing CONFIG_TRACEPOINTS patch from the main Makefile to src/Kbuild is done. The LICENSE file was part of commit [Cleanup: Move headers from toplevel to include/lttng/], so we adjust the checksum to the new fie contents. (From OE-Core rev: 681aefb49e394a00e2b69dd936ed7c824e6c6d4c) Signed-off-by: Bruce Ashfield Signed-off-by: Richard Purdie --- ...e-missing-CONFIG_TRACEPOINTS-to-warn.patch | 37 +++++++++++++++++++ .../lttng/lttng-modules_2.12.5.bb | 10 ++--- 2 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch new file mode 100644 index 0000000000..6d81c81efe --- /dev/null +++ b/meta/recipes-kernel/lttng/lttng-modules/0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch @@ -0,0 +1,37 @@ +From 0287f5c32b9fd99078e71c22ca679343d18f1513 Mon Sep 17 00:00:00 2001 +From: Bruce Ashfield +Date: Sat, 15 May 2021 10:26:38 -0400 +Subject: [PATCH] src/Kbuild: change missing CONFIG_TRACEPOINTS to warning + +Taken from a previous patch to the main lttng-modules Makefile, by +Otavio Salvador: + + The lttng-modules are being pulled by the tools-profile image feature, + however, not every kernel has the CONFIG_TRACEPOINTS feature enabled. + + This change makes the build do not fail when CONFIG_TRACEPOINTS is not + available, allowing it to be kept being pulled by default. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Bruce Ashfield +--- + src/Kbuild | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/Kbuild b/src/Kbuild +index 7137874f..18a43b50 100644 +--- a/src/Kbuild ++++ b/src/Kbuild +@@ -2,7 +2,7 @@ + + ifdef CONFIG_LOCALVERSION # Check if dot-config is included. + ifeq ($(CONFIG_TRACEPOINTS),) +- $(error The option CONFIG_TRACEPOINTS needs to be enabled in your kernel configuration) ++ $(warning The option CONFIG_TRACEPOINTS needs to be enabled in your kernel configuration) + endif # CONFIG_TRACEPOINTS + endif # ifdef CONFIG_LOCALVERSION + +-- +2.19.1 + diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb b/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb index 1a01cb0c01..c5efbb061a 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb @@ -37,13 +37,13 @@ python do_package_prepend() { } BBCLASSEXTEND = "devupstream:target" -LIC_FILES_CHKSUM_class-devupstream = "file://LICENSE;md5=3f882d431dc0f32f1f44c0707aa41128" +LIC_FILES_CHKSUM_class-devupstream = "file://LICENSE;md5=0464cff101a009c403cd2ed65d01d4c4" DEFAULT_PREFERENCE_class-devupstream = "-1" -SRC_URI_class-devupstream = "git://git.lttng.org/lttng-modules;branch=stable-2.12 \ - file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \ +SRC_URI_class-devupstream = "git://git.lttng.org/lttng-modules;branch=stable-2.13 \ + file://0001-src-Kbuild-change-missing-CONFIG_TRACEPOINTS-to-warn.patch \ " -SRCREV_class-devupstream = "92cc3e7f76a545a2cd4828576971f1eea83f4e68" -PV_class-devupstream = "2.12.5+git${SRCPV}" +SRCREV_class-devupstream = "f982b51a98a29cb4aaf607cb9bbf2b509d8e6933" +PV_class-devupstream = "2.13.0-rc2+git${SRCPV}" S_class-devupstream = "${WORKDIR}/git" SRCREV_FORMAT ?= "lttng_git" From 50a72c634a943515b95b7b4d3e67eb555e34a1b8 Mon Sep 17 00:00:00 2001 From: Bruce Ashfield Date: Sat, 15 May 2021 11:45:32 -0400 Subject: [PATCH 27/29] lttng-modules: update to v2.12.6 To support building against v5.12+ and v5.13+ kernels, bumping to the v2.12.6 lttng-release. We drop the previously backported patches, and bring in the following commits: 0d8e4ab9 Version 2.12.6 78f56ae3 fix: adjust ranges for RHEL 8.2 and 8.3 4c996ea7 Disable block rwbs bitwise enum in default build 4ac46085 Disable sched_switch bitwise enum in default build 5e22c27b Add experimental bitwise enum config option 937d307e Add defaults to Kconfig options 4a114d43 Sync `show_inode_state()` macro with upstream stable kernels 3bd6ac3e fix: block: remove disk_part_iter (v5.12) 8bbb8c9d Fix: Backport of "Fix: increment buffer offset when failing to copy from user-space" 30cddf69 Fix: increment buffer offset when failing to copy from user-space 4733b9ab Sync `show_inode_state()` macro with Ubuntu 4.15 kernel ff21ec48 fix: mm, tracing: kfree event name mismatching with provider kmem (v5.12) b2b02c29 Set 'stable-2.12' branch in git review config 00b42dbf fix backport: block: add a disk_uevent helper (v5.12) 771ff089 fix: Adjust ranges for Ubuntu 5.4.0-67 kernel d8933959 fix: block: add a disk_uevent helper (v5.12) 71034df1 Fix: properly compare type enumeration 4d879d23 compiler warning cleanup: is_signed_type: compare -1 to 1 fead3a9c Fix: bytecode linker: validate event and field array/sequence encoding 92cc3e7f Fix: kretprobe: null ptr deref on session destroy 49c603ef fix: mm, tracing: record slab name for kmem_cache_free() (v5.12) 23a2f61f Fix: filter interpreter early-exits on uninitialized value b3fdf78b Fix: memory leaks on event destroy (From OE-Core rev: 6844ca8d75391e3a654658fde59311ca6cd49724) Signed-off-by: Bruce Ashfield Signed-off-by: Richard Purdie --- ...01-Fix-memory-leaks-on-event-destroy.patch | 58 ---- ...preter-early-exits-on-uninitialized-.patch | 159 --------- ...ecord-slab-name-for-kmem_cache_free-.patch | 91 ------ ...be-null-ptr-deref-on-session-destroy.patch | 41 --- ...block-add-a-disk_uevent-helper-v5.12.patch | 305 ------------------ ...block-add-a-disk_uevent-helper-v5.12.patch | 48 --- ...free-event-name-mismatching-with-pro.patch | 71 ---- ...ules_2.12.5.bb => lttng-modules_2.12.6.bb} | 9 +- 8 files changed, 1 insertion(+), 781 deletions(-) delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch rename meta/recipes-kernel/lttng/{lttng-modules_2.12.5.bb => lttng-modules_2.12.6.bb} (71%) diff --git a/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch b/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch deleted file mode 100644 index 21da932a75..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0001-Fix-memory-leaks-on-event-destroy.patch +++ /dev/null @@ -1,58 +0,0 @@ -From b3fdf78b15beb940918da1e41eb68e24ba31bb87 Mon Sep 17 00:00:00 2001 -From: Mathieu Desnoyers -Date: Wed, 3 Mar 2021 10:10:16 -0500 -Subject: [PATCH 1/4] Fix: memory leaks on event destroy - -Both filter runtime and event enabler ref objects are owned by the -event, but are not freed upon destruction of the event object, thus -leaking memory. - -Upstream-status: backport - -Signed-off-by: Mathieu Desnoyers -Change-Id: Ice9b1c18b47584838aea2b965494d3c8391f4c84 ---- - lttng-events.c | 7 +++++++ - lttng-events.h | 1 + - 2 files changed, 8 insertions(+) - -diff --git a/lttng-events.c b/lttng-events.c -index f3398adc..984bd341 100644 ---- a/lttng-events.c -+++ b/lttng-events.c -@@ -919,6 +919,8 @@ int _lttng_event_unregister(struct lttng_event *event) - static - void _lttng_event_destroy(struct lttng_event *event) - { -+ struct lttng_enabler_ref *enabler_ref, *tmp_enabler_ref; -+ - switch (event->instrumentation) { - case LTTNG_KERNEL_TRACEPOINT: - lttng_event_put(event->desc); -@@ -944,6 +946,11 @@ void _lttng_event_destroy(struct lttng_event *event) - } - list_del(&event->list); - lttng_destroy_context(event->ctx); -+ lttng_free_event_filter_runtime(event); -+ /* Free event enabler refs */ -+ list_for_each_entry_safe(enabler_ref, tmp_enabler_ref, -+ &event->enablers_ref_head, node) -+ kfree(enabler_ref); - kmem_cache_free(event_cache, event); - } - -diff --git a/lttng-events.h b/lttng-events.h -index 1b9ab167..13b6abf5 100644 ---- a/lttng-events.h -+++ b/lttng-events.h -@@ -716,6 +716,7 @@ int lttng_enabler_attach_bytecode(struct lttng_enabler *enabler, - struct lttng_kernel_filter_bytecode __user *bytecode); - void lttng_enabler_event_link_bytecode(struct lttng_event *event, - struct lttng_enabler *enabler); -+void lttng_free_event_filter_runtime(struct lttng_event *event); - - int lttng_probes_init(void); - --- -2.19.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch b/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch deleted file mode 100644 index 609690f05c..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 23a2f61ffc6a656f136fa2044c0c3b8f79766779 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?J=C3=A9r=C3=A9mie=20Galarneau?= - -Date: Wed, 3 Mar 2021 18:52:19 -0500 -Subject: [PATCH 2/4] Fix: filter interpreter early-exits on uninitialized - value -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -I observed that syscall filtering on string arguments wouldn't work on -my development machines, both running 5.11.2-arch1-1 (Arch Linux). - -For instance, enabling the tracing of the `openat()` syscall with the -'filename == "/proc/cpuinfo"' filter would not produce events even -though matching events were present in another session that had no -filtering active. The same problem occurred with `execve()`. - -I tried a couple of kernel versions before (5.11.1 and 5.10.13, if -memory serves me well) and I had the same problem. Meanwhile, I couldn't -reproduce the problem on various Debian machines (the LTTng CI) nor on a -fresh Ubuntu 20.04 with both the stock kernel and with an updated 5.11.2 -kernel. - -I built the lttng-modules with the interpreter debugging printout and -saw the following warning: - LTTng: [debug bytecode in /home/jgalar/EfficiOS/src/lttng-modules/src/lttng-bytecode-interpreter.c:bytecode_interpret@1508] Bytecode warning: loading a NULL string. - -After a shedload (yes, a _shed_load) of digging, I figured that the -problem was hidden in plain sight near that logging statement. - -In the `BYTECODE_OP_LOAD_FIELD_REF_USER_STRING` operation, the 'ax' -register's 'user_str' is initialized with the stack value (the user -space string's address in our case). However, a NULL check is performed -against the register's 'str' member. - -I initialy suspected that both members would be part of the same union -and alias each-other, but they are actually contiguous in a structure. - -On the unaffected machines, I could confirm that the `str` member was -uninitialized to a non-zero value causing the condition to evaluate to -false. - -Francis Deslauriers reproduced the problem by initializing the -interpreter stack to zero. - -I am unsure of the exact kernel configuration option that reveals this -issue on Arch Linux, but my kernel has the following option enabled: - -CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL: - Zero-initialize any stack variables that may be passed by reference - and had not already been explicitly initialized. This is intended to - eliminate all classes of uninitialized stack variable exploits and - information exposures. - -I have not tried to build without this enabled as, anyhow, this seems -to be a legitimate issue. - -I have spotted what appears to be an identical problem in -`BYTECODE_OP_LOAD_FIELD_REF_USER_SEQUENCE` and corrected it. However, -I have not exercised that code path. - -The commit that introduced this problem is 5b4ad89. - -The debug print-out of the `BYTECODE_OP_LOAD_FIELD_REF_USER_STRING` -operation is modified to print the user string (truncated to 31 chars). - -Upstream-status: backport - -Signed-off-by: Jérémie Galarneau -Signed-off-by: Mathieu Desnoyers -Change-Id: I2da3c31b9e3ce0e1b164cf3d2711c0893cbec273 ---- - lttng-filter-interpreter.c | 41 ++++++++++++++++++++++++++++++++++---- - 1 file changed, 37 insertions(+), 4 deletions(-) - -diff --git a/lttng-filter-interpreter.c b/lttng-filter-interpreter.c -index 5d572437..6e5a5139 100644 ---- a/lttng-filter-interpreter.c -+++ b/lttng-filter-interpreter.c -@@ -22,7 +22,7 @@ LTTNG_STACK_FRAME_NON_STANDARD(lttng_filter_interpret_bytecode); - * to handle user-space read. - */ - static --char get_char(struct estack_entry *reg, size_t offset) -+char get_char(const struct estack_entry *reg, size_t offset) - { - if (unlikely(offset >= reg->u.s.seq_len)) - return '\0'; -@@ -593,6 +593,39 @@ end: - return ret; - } - -+#ifdef DEBUG -+ -+#define DBG_USER_STR_CUTOFF 32 -+ -+/* -+ * In debug mode, print user string (truncated, if necessary). -+ */ -+static inline -+void dbg_load_ref_user_str_printk(const struct estack_entry *user_str_reg) -+{ -+ size_t pos = 0; -+ char last_char; -+ char user_str[DBG_USER_STR_CUTOFF]; -+ -+ pagefault_disable(); -+ do { -+ last_char = get_char(user_str_reg, pos); -+ user_str[pos] = last_char; -+ pos++; -+ } while (last_char != '\0' && pos < sizeof(user_str)); -+ pagefault_enable(); -+ -+ user_str[sizeof(user_str) - 1] = '\0'; -+ dbg_printk("load field ref user string: '%s%s'\n", user_str, -+ last_char != '\0' ? "[...]" : ""); -+} -+#else -+static inline -+void dbg_load_ref_user_str_printk(const struct estack_entry *user_str_reg) -+{ -+} -+#endif -+ - /* - * Return 0 (discard), or raise the 0x1 flag (log event). - * Currently, other flags are kept for future extensions and have no -@@ -1313,7 +1346,7 @@ uint64_t lttng_filter_interpret_bytecode(void *filter_data, - estack_push(stack, top, ax, bx); - estack_ax(stack, top)->u.s.user_str = - *(const char * const *) &filter_stack_data[ref->offset]; -- if (unlikely(!estack_ax(stack, top)->u.s.str)) { -+ if (unlikely(!estack_ax(stack, top)->u.s.user_str)) { - dbg_printk("Filter warning: loading a NULL string.\n"); - ret = -EINVAL; - goto end; -@@ -1322,7 +1355,7 @@ uint64_t lttng_filter_interpret_bytecode(void *filter_data, - estack_ax(stack, top)->u.s.literal_type = - ESTACK_STRING_LITERAL_TYPE_NONE; - estack_ax(stack, top)->u.s.user = 1; -- dbg_printk("ref load string %s\n", estack_ax(stack, top)->u.s.str); -+ dbg_load_ref_user_str_printk(estack_ax(stack, top)); - next_pc += sizeof(struct load_op) + sizeof(struct field_ref); - PO; - } -@@ -1340,7 +1373,7 @@ uint64_t lttng_filter_interpret_bytecode(void *filter_data, - estack_ax(stack, top)->u.s.user_str = - *(const char **) (&filter_stack_data[ref->offset - + sizeof(unsigned long)]); -- if (unlikely(!estack_ax(stack, top)->u.s.str)) { -+ if (unlikely(!estack_ax(stack, top)->u.s.user_str)) { - dbg_printk("Filter warning: loading a NULL sequence.\n"); - ret = -EINVAL; - goto end; --- -2.19.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch b/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch deleted file mode 100644 index 71f99b80a3..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 49c603ef2dc6969f4454f0d849af00ee24bb7f04 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson -Date: Thu, 4 Mar 2021 16:50:12 -0500 -Subject: [PATCH 3/4] fix: mm, tracing: record slab name for kmem_cache_free() - (v5.12) - -See upstream commit: - - commit 3544de8ee6e4817278b15fe08658de49abf58954 - Author: Jacob Wen - Date: Wed Feb 24 12:00:55 2021 -0800 - - mm, tracing: record slab name for kmem_cache_free() - - Currently, a trace record generated by the RCU core is as below. - - ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=00000000f3b49a66 - - It doesn't tell us what the RCU core has freed. - - This patch adds the slab name to trace_kmem_cache_free(). - The new format is as follows. - - ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=0000000037f79c8d name=dentry - ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=00000000f78cb7b5 name=sock_inode_cache - ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=0000000018768985 name=pool_workqueue - ... kmem_cache_free: call_site=rcu_core+0x1fd/0x610 ptr=000000006a6cb484 name=radix_tree_node - - We can use it to understand what the RCU core is going to free. For - example, some users maybe interested in when the RCU core starts - freeing reclaimable slabs like dentry to reduce memory pressure. - - Link: https://lkml.kernel.org/r/20201216072804.8838-1-jian.w.wen@oracle.com - -Upstream-status: backport - -Signed-off-by: Michael Jeanson -Signed-off-by: Mathieu Desnoyers -Change-Id: I1ee2fc476614cadcc8d3ac5d8feddc7910e1aa3a ---- - instrumentation/events/lttng-module/kmem.h | 27 ++++++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/instrumentation/events/lttng-module/kmem.h b/instrumentation/events/lttng-module/kmem.h -index b134620a..d787ea54 100644 ---- a/instrumentation/events/lttng-module/kmem.h -+++ b/instrumentation/events/lttng-module/kmem.h -@@ -87,6 +87,32 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_alloc_node, kmem_cache_alloc_node, - TP_ARGS(call_site, ptr, bytes_req, bytes_alloc, gfp_flags, node) - ) - -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0)) -+LTTNG_TRACEPOINT_EVENT(kfree, -+ -+ TP_PROTO(unsigned long call_site, const void *ptr), -+ -+ TP_ARGS(call_site, ptr), -+ -+ TP_FIELDS( -+ ctf_integer_hex(unsigned long, call_site, call_site) -+ ctf_integer_hex(const void *, ptr, ptr) -+ ) -+) -+ -+LTTNG_TRACEPOINT_EVENT(kmem_cache_free, -+ -+ TP_PROTO(unsigned long call_site, const void *ptr, const char *name), -+ -+ TP_ARGS(call_site, ptr, name), -+ -+ TP_FIELDS( -+ ctf_integer_hex(unsigned long, call_site, call_site) -+ ctf_integer_hex(const void *, ptr, ptr) -+ ctf_string(name, name) -+ ) -+) -+#else - LTTNG_TRACEPOINT_EVENT_CLASS(kmem_free, - - TP_PROTO(unsigned long call_site, const void *ptr), -@@ -114,6 +140,7 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_free, kmem_cache_free, - - TP_ARGS(call_site, ptr) - ) -+#endif - - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(3,3,0)) - LTTNG_TRACEPOINT_EVENT_MAP(mm_page_free, kmem_mm_page_free, --- -2.19.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch b/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch deleted file mode 100644 index 8a839c2b43..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 92cc3e7f76a545a2cd4828576971f1eea83f4e68 Mon Sep 17 00:00:00 2001 -From: Francis Deslauriers -Date: Wed, 17 Mar 2021 10:40:56 -0400 -Subject: [PATCH 4/4] Fix: kretprobe: null ptr deref on session destroy - -The `filter_bytecode_runtime_head` list is currently not initialized for -the return event of the kretprobe. This caused a kernel null ptr -dereference when destroying a session. It can reproduced with the -following commands: - - lttng create - lttng enable-event -k --function=lttng_test_filter_event_write my_event - lttng start - lttng stop - lttng destroy - -Upstream-status: backport - -Signed-off-by: Francis Deslauriers -Signed-off-by: Mathieu Desnoyers -Change-Id: I1162ce8b10dd7237a26331531f048346b984eee7 ---- - lttng-events.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lttng-events.c b/lttng-events.c -index 984bd341..3450fa40 100644 ---- a/lttng-events.c -+++ b/lttng-events.c -@@ -704,6 +704,8 @@ struct lttng_event *_lttng_event_create(struct lttng_channel *chan, - event_return->enabled = 0; - event_return->registered = 1; - event_return->instrumentation = itype; -+ INIT_LIST_HEAD(&event_return->bytecode_runtime_head); -+ INIT_LIST_HEAD(&event_return->enablers_ref_head); - /* - * Populate lttng_event structure before kretprobe registration. - */ --- -2.19.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch b/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch deleted file mode 100644 index 3a2280ccdc..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch +++ /dev/null @@ -1,305 +0,0 @@ -From 17cd2dc91cb82ed342b0da699f2b1a70c1bf6a03 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson -Date: Mon, 15 Mar 2021 14:54:02 -0400 -Subject: [PATCH 2/4] fix: block: add a disk_uevent helper (v5.12) - -See upstream commit: - - commit bc359d03c7ec1bf3b86d03bafaf6bbb21e6414fd - Author: Christoph Hellwig - Date: Sun Jan 24 11:02:39 2021 +0100 - - block: add a disk_uevent helper - - Add a helper to call kobject_uevent for the disk and all partitions, and - unexport the disk_part_iter_* helpers that are now only used in the core - block code. - -Upstream-status: Backport [2.12.6] - -Change-Id: If6e8797049642ab382d5699660ee1dd734e92c90 -Signed-off-by: Michael Jeanson -Signed-off-by: Mathieu Desnoyers ---- - Makefile | 1 + - lttng-statedump-impl.c | 34 +++++++++---- - src/wrapper/genhd.c | 111 +++++++++++++++++++++++++++++++++++++++++ - wrapper/genhd.h | 62 +++++++++++++++++++++++ - 4 files changed, 198 insertions(+), 10 deletions(-) - create mode 100644 src/wrapper/genhd.c - -diff --git a/Makefile b/Makefile -index a9aff3f1..34043cfb 100644 ---- a/Makefile -+++ b/Makefile -@@ -80,6 +80,7 @@ ifneq ($(KERNELRELEASE),) - wrapper/kallsyms.o \ - wrapper/irqdesc.o \ - wrapper/fdtable.o \ -+ wrapper/genhd.o \ - lttng-wrapper-impl.o - - ifneq ($(CONFIG_HAVE_SYSCALL_TRACEPOINTS),) -diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c -index 60b937c9..5511c7e8 100644 ---- a/lttng-statedump-impl.c -+++ b/lttng-statedump-impl.c -@@ -250,13 +250,17 @@ int lttng_enumerate_block_devices(struct lttng_session *session) - struct device_type *ptr_disk_type; - struct class_dev_iter iter; - struct device *dev; -+ int ret = 0; - - ptr_block_class = wrapper_get_block_class(); -- if (!ptr_block_class) -- return -ENOSYS; -+ if (!ptr_block_class) { -+ ret = -ENOSYS; -+ goto end; -+ } - ptr_disk_type = wrapper_get_disk_type(); - if (!ptr_disk_type) { -- return -ENOSYS; -+ ret = -ENOSYS; -+ goto end; - } - class_dev_iter_init(&iter, ptr_block_class, NULL, ptr_disk_type); - while ((dev = class_dev_iter_next(&iter))) { -@@ -272,22 +276,32 @@ int lttng_enumerate_block_devices(struct lttng_session *session) - (disk->flags & GENHD_FL_SUPPRESS_PARTITION_INFO)) - continue; - -- disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0); -- while ((part = disk_part_iter_next(&piter))) { -+ /* -+ * The original 'disk_part_iter_init' returns void, but our -+ * wrapper can fail to lookup the original symbol. -+ */ -+ if (wrapper_disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0) < 0) { -+ ret = -ENOSYS; -+ goto iter_exit; -+ } -+ -+ while ((part = wrapper_disk_part_iter_next(&piter))) { - char name_buf[BDEVNAME_SIZE]; - - if (lttng_get_part_name(disk, part, name_buf) == -ENOSYS) { -- disk_part_iter_exit(&piter); -- class_dev_iter_exit(&iter); -- return -ENOSYS; -+ wrapper_disk_part_iter_exit(&piter); -+ ret = -ENOSYS; -+ goto iter_exit; - } - trace_lttng_statedump_block_device(session, - lttng_get_part_devt(part), name_buf); - } -- disk_part_iter_exit(&piter); -+ wrapper_disk_part_iter_exit(&piter); - } -+iter_exit: - class_dev_iter_exit(&iter); -- return 0; -+end: -+ return ret; - } - - #ifdef CONFIG_INET -diff --git a/src/wrapper/genhd.c b/src/wrapper/genhd.c -new file mode 100644 -index 00000000..a5a6c410 ---- /dev/null -+++ b/src/wrapper/genhd.c -@@ -0,0 +1,111 @@ -+/* SPDX-License-Identifier: (GPL-2.0-only OR LGPL-2.1-only) -+ * -+ * wrapper/genhd.c -+ * -+ * Wrapper around disk_part_iter_(init|next|exit). Using KALLSYMS to get the -+ * addresses when available, else we need to have a kernel that exports this -+ * function to GPL modules. This export was removed in 5.12. -+ * -+ * Copyright (C) 2021 Michael Jeanson -+ */ -+ -+#include -+#include -+#include -+ -+#if (defined(CONFIG_KALLSYMS) && \ -+ (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0))) -+ -+#include -+ -+static -+void (*disk_part_iter_init_sym)(struct disk_part_iter *piter, struct gendisk *disk, -+ unsigned int flags); -+ -+static -+LTTNG_DISK_PART_TYPE *(*disk_part_iter_next_sym)(struct disk_part_iter *piter); -+ -+static -+void (*disk_part_iter_exit_sym)(struct disk_part_iter *piter); -+ -+/* -+ * This wrapper has an 'int' return type instead of the original 'void', to be -+ * able to report the symbol lookup failure to the caller. -+ * -+ * Return 0 on success, -1 on error. -+ */ -+int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk, -+ unsigned int flags) -+{ -+ if (!disk_part_iter_init_sym) -+ disk_part_iter_init_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_init"); -+ -+ if (disk_part_iter_init_sym) { -+ disk_part_iter_init_sym(piter, disk, flags); -+ } else { -+ printk_once(KERN_WARNING "LTTng: disk_part_iter_init symbol lookup failed.\n"); -+ return -1; -+ } -+ return 0; -+} -+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init); -+ -+LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter) -+{ -+ if (!disk_part_iter_next_sym) -+ disk_part_iter_next_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_next"); -+ -+ if (disk_part_iter_next_sym) { -+ return disk_part_iter_next_sym(piter); -+ } else { -+ printk_once(KERN_WARNING "LTTng: disk_part_iter_next symbol lookup failed.\n"); -+ return NULL; -+ } -+} -+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next); -+ -+/* -+ * We don't return an error on symbol lookup failure here because there is -+ * nothing the caller can do to cleanup the iterator. -+ */ -+void wrapper_disk_part_iter_exit(struct disk_part_iter *piter) -+{ -+ if (!disk_part_iter_exit_sym) -+ disk_part_iter_exit_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_exit"); -+ -+ if (disk_part_iter_exit_sym) { -+ disk_part_iter_exit_sym(piter); -+ } else { -+ printk_once(KERN_WARNING "LTTng: disk_part_iter_exit symbol lookup failed.\n"); -+ } -+} -+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit); -+ -+#else -+ -+/* -+ * This wrapper has an 'int' return type instead of the original 'void', so the -+ * kallsyms variant can report the symbol lookup failure to the caller. -+ * -+ * This variant always succeeds and returns 0. -+ */ -+int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk, -+ unsigned int flags) -+{ -+ disk_part_iter_init(piter, disk, flags); -+ return 0; -+} -+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init); -+ -+LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter) -+{ -+ return disk_part_iter_next(piter); -+} -+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next); -+ -+void wrapper_disk_part_iter_exit(struct disk_part_iter *piter) -+{ -+ disk_part_iter_exit(piter); -+} -+EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit); -+#endif -diff --git a/wrapper/genhd.h b/wrapper/genhd.h -index 98feb57b..6bae239d 100644 ---- a/wrapper/genhd.h -+++ b/wrapper/genhd.h -@@ -13,6 +13,13 @@ - #define _LTTNG_WRAPPER_GENHD_H - - #include -+#include -+ -+#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) -+#define LTTNG_DISK_PART_TYPE struct block_device -+#else -+#define LTTNG_DISK_PART_TYPE struct hd_struct -+#endif - - #ifdef CONFIG_KALLSYMS_ALL - -@@ -94,4 +101,59 @@ struct device_type *wrapper_get_disk_type(void) - - #endif - -+/* -+ * This wrapper has an 'int' return type instead of the original 'void', to be -+ * able to report the symbol lookup failure to the caller. -+ * -+ * Return 0 on success, -1 on error. -+ */ -+int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk, -+ unsigned int flags); -+LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter); -+void wrapper_disk_part_iter_exit(struct disk_part_iter *piter); -+ -+/* -+ * Canary function to check for 'disk_part_iter_init()' at compile time. -+ * -+ * From 'include/linux/genhd.h': -+ * -+ * extern void disk_part_iter_init(struct disk_part_iter *piter, -+ * struct gendisk *disk, unsigned int flags); -+ * -+ */ -+static inline -+void __canary__disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk, -+ unsigned int flags) -+{ -+ disk_part_iter_init(piter, disk, flags); -+} -+ -+/* -+ * Canary function to check for 'disk_part_iter_next()' at compile time. -+ * -+ * From 'include/linux/genhd.h': -+ * -+ * struct block_device *disk_part_iter_next(struct disk_part_iter *piter); -+ * -+ */ -+static inline -+LTTNG_DISK_PART_TYPE *__canary__disk_part_iter_next(struct disk_part_iter *piter) -+{ -+ return disk_part_iter_next(piter); -+} -+ -+/* -+ * Canary function to check for 'disk_part_iter_exit()' at compile time. -+ * -+ * From 'include/linux/genhd.h': -+ * -+ * extern void disk_part_iter_exit(struct disk_part_iter *piter); -+ * -+ */ -+static inline -+void __canary__disk_part_iter_exit(struct disk_part_iter *piter) -+{ -+ return disk_part_iter_exit(piter); -+} -+ - #endif /* _LTTNG_WRAPPER_GENHD_H */ --- -2.25.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch b/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch deleted file mode 100644 index e32b3e7a2e..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 127135b6a45d5fca828815c62308f72de97e5739 Mon Sep 17 00:00:00 2001 -From: Michael Jeanson -Date: Thu, 15 Apr 2021 13:56:24 -0400 -Subject: [PATCH 3/4] fix backport: block: add a disk_uevent helper (v5.12) - -Upstream-Status: Backport [2.12.6] - -Signed-off-by: Michael Jeanson -Signed-off-by: Mathieu Desnoyers -Change-Id: I717162069990577abe78e5e7fed28816f32b2c84 ---- - {src/wrapper => wrapper}/genhd.c | 2 +- - wrapper/genhd.h | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - rename {src/wrapper => wrapper}/genhd.c (98%) - -diff --git a/src/wrapper/genhd.c b/wrapper/genhd.c -similarity index 98% -rename from src/wrapper/genhd.c -rename to wrapper/genhd.c -index a5a6c410..cbec06f7 100644 ---- a/src/wrapper/genhd.c -+++ b/wrapper/genhd.c -@@ -9,7 +9,7 @@ - * Copyright (C) 2021 Michael Jeanson - */ - --#include -+#include - #include - #include - -diff --git a/wrapper/genhd.h b/wrapper/genhd.h -index 6bae239d..1b4a4201 100644 ---- a/wrapper/genhd.h -+++ b/wrapper/genhd.h -@@ -13,7 +13,7 @@ - #define _LTTNG_WRAPPER_GENHD_H - - #include --#include -+#include - - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0)) - #define LTTNG_DISK_PART_TYPE struct block_device --- -2.25.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch b/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch deleted file mode 100644 index dfc9427dca..0000000000 --- a/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 853d5903a200d8a15b3f38780ddaea5c92fa1a03 Mon Sep 17 00:00:00 2001 -From: He Zhe -Date: Mon, 19 Apr 2021 09:09:28 +0000 -Subject: [PATCH 4/4] fix: mm, tracing: kfree event name mismatching with - provider kmem (v5.12) - -a8bc8ae5c932 ("fix: mm, tracing: record slab name for kmem_cache_free() (v5.12)") -introduces the following call trace for kfree. This is caused by mismatch -between kfree event and its provider kmem. - -This patch maps kfree to kmem_kfree. - -WARNING: CPU: 2 PID: 42294 at src/lttng-probes.c:81 fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer] -CPU: 2 PID: 42294 Comm: modprobe Tainted: G O 5.12.0-rc6-yoctodev-standard #1 -Hardware name: Intel Corporation JACOBSVILLE/JACOBSVILLE, BIOS JBVLCRB2.86B.0014.P20.2004020248 04/02/2020 -RIP: 0010:fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer] -Code: 75 28 83 c3 01 3b 5d c4 74 22 48 8b 4d d0 48 63 - c3 4c 89 e2 4c 89 f6 48 8b 04 c1 4c 8b 38 4c 89 - ff e8 64 9f 4b de 85 c0 74 c3 <0f> 0b 48 8b 05 bf - f2 1e 00 48 8d 50 e8 48 3d f0 a0 98 c0 75 18 eb -RSP: 0018:ffffb976807bfbe0 EFLAGS: 00010286 -RAX: 00000000ffffffff RBX: 0000000000000004 RCX: 0000000000000004 -RDX: 0000000000000066 RSI: ffffffffc03c10a7 RDI: ffffffffc03c11a1 -RBP: ffffb976807bfc28 R08: 0000000000000000 R09: 0000000000000001 -R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000004 -R13: ffffffffc03c2000 R14: ffffffffc03c10a7 R15: ffffffffc03c11a1 -FS: 00007f0ef9533740(0000) GS:ffffa100faa00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000561e8f0aa000 CR3: 000000015b318000 CR4: 0000000000350ee0 -Call Trace: - lttng_probe_register+0x38/0xe0 [lttng_tracer] - ? __event_probe__module_load+0x520/0x520 [lttng_probe_module] - __lttng_events_init__module+0x15/0x20 [lttng_probe_module] - do_one_initcall+0x68/0x310 - ? kmem_cache_alloc_trace+0x2ad/0x4c0 - ? do_init_module+0x28/0x280 - do_init_module+0x62/0x280 - load_module+0x26e4/0x2920 - ? kernel_read_file+0x22e/0x290 - __do_sys_finit_module+0xb1/0xf0 - __x64_sys_finit_module+0x1a/0x20 - do_syscall_64+0x38/0x50 - entry_SYSCALL_64_after_hwframe+0x44/0xae - -Upstream-Status: Backport [2.12.6] - -Signed-off-by: He Zhe -Signed-off-by: Mathieu Desnoyers -Change-Id: I00e8ee2b8c35f6f8602c88295f5113fbbd139709 ---- - instrumentation/events/lttng-module/kmem.h | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/instrumentation/events/lttng-module/kmem.h b/instrumentation/events/lttng-module/kmem.h -index d787ea54..c9edee61 100644 ---- a/instrumentation/events/lttng-module/kmem.h -+++ b/instrumentation/events/lttng-module/kmem.h -@@ -88,7 +88,9 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_alloc_node, kmem_cache_alloc_node, - ) - - #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0)) --LTTNG_TRACEPOINT_EVENT(kfree, -+LTTNG_TRACEPOINT_EVENT_MAP(kfree, -+ -+ kmem_kfree, - - TP_PROTO(unsigned long call_site, const void *ptr), - --- -2.25.1 - diff --git a/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb b/meta/recipes-kernel/lttng/lttng-modules_2.12.6.bb similarity index 71% rename from meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb rename to meta/recipes-kernel/lttng/lttng-modules_2.12.6.bb index c5efbb061a..94e849de59 100644 --- a/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb +++ b/meta/recipes-kernel/lttng/lttng-modules_2.12.6.bb @@ -11,16 +11,9 @@ include lttng-platforms.inc SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \ file://Makefile-Do-not-fail-if-CONFIG_TRACEPOINTS-is-not-en.patch \ - file://0001-Fix-memory-leaks-on-event-destroy.patch \ - file://0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch \ - file://0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch \ - file://0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch \ - file://0005-fix-block-add-a-disk_uevent-helper-v5.12.patch \ - file://0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch \ - file://0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch \ " -SRC_URI[sha256sum] = "c4d1a1b42c728e37b6b7947ae16563a011c4b297311aa04d56f9a1791fb5a30a" +SRC_URI[sha256sum] = "95ac2a2cf92d85d23ffbdaca6a1ec0d7c167211d1e0fb850ab90004a3f475eaa" export INSTALL_MOD_DIR="kernel/lttng-modules" From d17cc59be03107d1a15151e52513f88c8976560a Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Wed, 21 Apr 2021 22:34:31 +0100 Subject: [PATCH 28/29] test-manual: WIP (From yocto-docs rev: c78e03e8b02cc475ea8ca819917861610d7d8ee5) Signed-off-by: Richard Purdie --- documentation/test-manual/index.rst | 2 + .../test-manual/reproducible-builds.rst | 56 +++++++++++++++++++ .../test-manual/yocto-project-compatible.rst | 52 +++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 documentation/test-manual/reproducible-builds.rst create mode 100644 documentation/test-manual/yocto-project-compatible.rst diff --git a/documentation/test-manual/index.rst b/documentation/test-manual/index.rst index e2198c4c39..4c590a6aa9 100644 --- a/documentation/test-manual/index.rst +++ b/documentation/test-manual/index.rst @@ -13,6 +13,8 @@ Yocto Project Test Environment Manual intro test-process understand-autobuilder + reproducible-builds + yocto-project-compatible history .. include:: /boilerplate.rst diff --git a/documentation/test-manual/reproducible-builds.rst b/documentation/test-manual/reproducible-builds.rst new file mode 100644 index 0000000000..4215afb9e1 --- /dev/null +++ b/documentation/test-manual/reproducible-builds.rst @@ -0,0 +1,56 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +******************* +Reproducible Builds +******************* + +================ +How we define it +================ + +The Yocto Project defines reproducibility as being where a given input build configuration will give the same binary output regardless of when it is built (now or in 5 years time), regardless of the path on the filesystem the build is run in and regardless of the distro and tools on the underlying host system the build is running on. + +============== +Why it matters +============== + +The project aligns with the Reproducibile Builds project (https://reproducible-builds.org/) and they have information about why it matters. In addition to being able to validate for security issues being introduced which they talk about at length, from a Yocto Project perspective, it is hugely important that our builds are deterministic. We expect that when you build a given input set of metadata, you get consistent output. This has always been a key focus but is now true down to the binary level including timestamps. + +For example, if you find at some point in the future life of a product that you need to rebuild to add a security fix, only the components that have changed should change at the binary level leading to much easier and clearer bounds on where validation is needed. + +This also gives an additional benefit to the project builds themselves, our hash equivalence for sstate object reuse works much more effecitvely when the binary outputis unchanging. + +=================== +How we implement it +=================== + +We add mappings to the compiler options to ensure debug filepaths are mapped to consistent target compatible paths + +We are explict about recipe dependencies and their configuration (no floating configure options or host dependencies creeping in) + +We have recipe specific sysroots to isolate recipes so they only see their dependencies. + +We filter the tools availble from the host's PATH through HOSTTOOLS. + +========================================= +Can we prove the project is reproducible? +========================================= + +Yes, we can prove it and we now regularlly test this on the autobuilder. At the time of writing, OE-Core is 100% reproducible for all it's recipes (i.e. world builds) apart from go-lang and ruby's docs package. go-lang has some fundamental problems with reproducibility as it currently always depends upon the paths it is build in unfortunately. + +[Info about what we run] + +[Add info about diffoscope] + +You can see the current status at: https://www.yoctoproject.org/reproducible-build-results/ + +==================== +Can I test my layer? +==================== + +[Yes, add instructions] + + + + + diff --git a/documentation/test-manual/yocto-project-compatible.rst b/documentation/test-manual/yocto-project-compatible.rst new file mode 100644 index 0000000000..372b701bcf --- /dev/null +++ b/documentation/test-manual/yocto-project-compatible.rst @@ -0,0 +1,52 @@ +.. SPDX-License-Identifier: CC-BY-SA-2.0-UK + +************************ +Yocto Project Compatible +************************ + +============ +Introduction +============ + +After the introduction of layers to OpenEmbedded, it quickly became clear that some layers were popular and worked well, others developed a reputation for being 'problematic'. Those were layers which didn't inter-operate well with other layers and tended to assume they controlled all the aspects of the end resulting output. This isn't usually intentional but because they're often developed by developers with a particular focus (e.g. a company's BSP) whilst the end users have a different focus (e.g. integrating that BSP into a product). + +As a result of noticing patterns like this and friction between layers, the project developed the "Yocto Project Compatible" badge programme where layers modelling the best known practises could be marked as being widely compatible with other layers. This takes the form of a set of yes/no binary answer questions where layers can declare if they have met the appropriate criteria. In the second version of the programme, a script was added to make validation easier and clearer, the script is called 'yocto-check-layer' and is available in OpenEmbedded-Core. + +======== +Benefits +======== + +The OpenEmbedded Layer model is powerful and flexible, it gives users the ultimate power to change pretty much any aspect of the system but as with most things, power comes with responsibility. The Yocto Project would like to see people able to mix and match BSPs with distro configs or software stacks and be able to merge these together such that the result inter-operates well together. Over time, the project has realised that there were things that work well in layers to allow them to operate together. There were also 'anti-patterns' which stopped layers working well together. + +The intent of the compatibility programme is simple, if the layer passes the compatibility tests, it is considered “well behaved” and should operate and cooperate well with other compatible layers. + +The benefits of compatibility apply from multiple different user and member perspectives. From a hardware perspective (a BSP layer), compatibility means the hardware can be used in many different products and use cases without impacting the software stacks being run with it. For a company developing a product, compatibility gives you a specification/standard you can require in a contract and then know it will have certain desired characteristics for interoperability. It also puts constraints on how invasive these code bases are into the rest of the system, meaning that multiple different separate hardware support layers can coexist (e.g. for multiple product lines from different manufacturers). This can also influence how easily those system components might be upgraded or maintained for security purposes by one or more parties during the lifecycle of a product through development and widespread use. + +================== +Validating a layer +================== + +The badges are available to members of the project or open source projects run on a non-commercial basis and are tried to the project member level as a member benefit but anyone can answer the questions and run the script. + +The project encourages all layer maintainers to consider the questions and the output from the script against their layer as there are often unintentional consequences of the way some layers are constructed and the questions and script are designed to highlight commonly known issues which can often easily be solved leading to easier and wider layer use. + +It is intended that over time, the tests will evolve as best known practices are identified and as new interoperability issues are identified which unnecessarily restrict layer interoperability. If anyone becomes aware of either issue, please do mention it to the project (in our tech calls, on the mailing list or to the TSC). The TSC is holds overall responsibility for the technical criteria used by the programme. + +Layers are divided into three types: + +* "BSP" or "hardware support" layers contain support for particular pieces of hardware. This would include kernel and boot loader configuration, any recipes needed for firmware/modules needed for the hardware. They would usually correspond to a MACHINE setting. + +* "distro" layers defined as layers providing configuration options and settings such as a choice of init system, compiler/optimisation options or configuration and choices of software components. This would usually correspond to a DSITRO setting. + +* "software" layers are usually recipes. A layer might target a particular graphical UI or software stack component. + +Key best practises the programme tries to encourage: + +* A layer should clearly show who maintains it, where change submissions and bug reports should be sent +* Where multiple types of functionality are present, the layer be internally subdivided into layers to separate these components as users would likely want to use only one of them and separability is a key best practise. +* Adding a layer to a build should not change that build without the user taking some additional step of configuration to active the layer (such as selecting a MACHINE, a DISTRO or a DISTRO_FEATURE) + +The project does test the compatibility status of the core project layers on the project autobuilder. + +The official form to submit compatibility requests with is at https://www.yoctoproject.org/ecosystem/branding/compatible-registration/. Successful applicants can display the appropraiate badge which would be provided to them on success of the application. + From af7eb9b9101f7385d708bfc74e322aea03b06d03 Mon Sep 17 00:00:00 2001 From: Marius Kriegerowski Date: Sat, 15 May 2021 22:58:24 +0200 Subject: [PATCH 29/29] fetch pseudo with https protocol Avoids additional configuration effort when working behind a company proxy. Signed-off-by: Marius Kriegerowski --- meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index 4eab133128..d54936473b 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -1,6 +1,6 @@ require pseudo.inc -SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \ +SRC_URI = "git://git.yoctoproject.org/git/pseudo;branch=oe-core;protocol=https \ file://0001-configure-Prune-PIE-flags.patch \ file://fallback-passwd \ file://fallback-group \