Bruce Ashfield [Fri, 24 Aug 2018 14:59:53 +0000 (10:59 -0400)]
linux-yocto/4.12: update to v4.12.28
Integrating Paul Gortmaker's -stable updates to 4.12 that comprise the
following changes:
f4fd7580487d Linux 4.12.28 d15dfc7d192f net: mvneta: eliminate wrong call to handle rx descriptor error c7a79cbd2b44 net: mvneta: use proper rxq_number in loop on rx queues f65f1aed2ef2 net: mvneta: clear interface link status on port disable 402f4ea26693 tcp: add tcp_ooo_try_coalesce() helper 035eddf502ef tcp: call tcp_drop() from tcp_data_queue_ofo() c224a5920d55 tcp: detect malicious patterns in tcp_collapse_ofo_queue() 7c5d21c36cec tcp: avoid collapses in tcp_prune_queue() if possible f999a5cfc3eb tcp: free batches of packets in tcp_prune_ofo_queue() 3471d76b1128 net: add rb_to_skb() and other rb tree helpers fcd212157f50 libnvdimm, pfn: fix start_pad handling for aligned namespaces d90d61722843 libnvdimm, dax: fix 1GB-aligned namespaces vs physical misalignment df6a2110169e drm/sun4i: Fix error path handling d2d90272068d drm/i915: Flush pending GTT writes before unbinding 55e3ba836aee powerpc/perf: Dereference BHRB entries safely 32c5b092ac7e clk: sunxi: sun9i-mmc: Implement reset callback for reset controls a472f9b5c546 pinctrl: cherryview: Mask all interrupts on Intel_Strago based systems 32f9f01a1b49 spi: a3700: Fix clk prescaling for coefficient over 15 39e2376e2774 spi: xilinx: Detect stall with Unknown commands 104bf43e4653 Revert "parisc: Re-enable interrupts early" 2c6a864363b5 parisc: Hide Diva-built-in serial aux and graphics card 4e92abc4d371 parisc: Align os_hpmc_size on word boundary 8df2ad333664 ALSA: usb-audio: Add native DSD support for Esoteric D-05X 2d7184d7f8b1 ALSA: rawmidi: Avoid racy info ioctl via ctl device 425708ccc413 mfd: twl6040: Fix child-node lookup d99aacab316b mfd: twl4030-audio: Fix sibling-node lookup cd2ca561cdd7 mfd: cros ec: spi: Don't send first message too soon f5d153b69e6a crypto: mcryptd - protect the per-CPU queue with a lock 01b2634b17f4 acpi, nfit: fix health event notification 1170a37d5339 ACPI: APEI / ERST: Fix missing error handling in erst_reader() 0cf5d1f5ce10 bpf: fix incorrect sign extension in check_alu_op() 39cc58874bfc bpf, sparc: fix usage of wrong reg for load_skb_regs after call 8c570303798e bpf, ppc64: do not reload skb pointers in non-skb context 05bd23b36b88 bpf, s390x: do not reload skb pointers in non-skb context da92e092ffa7 platform/x86: asus-wireless: send an EV_SYN/SYN_REPORT between state changes ab3980511fa0 thermal/drivers/hisi: Fix multiple alarm interrupts firing ed7ec377cb05 thermal/drivers/hisi: Simplify the temperature/step computation b4322338048d thermal/drivers/hisi: Fix kernel panic on alarm interrupt e9b4b6019cc2 thermal/drivers/hisi: Fix missing interrupt enablement 01f1870f5aa8 IB/opa_vnic: Properly return the total MACs in UC MAC list 59522364dab2 IB/opa_vnic: Properly clear Mac Table Digest 84cf0ea1cb2a cpuidle: fix broadcast control when broadcast can not be entered fdb28a72dafa rtc: set the alarm to the next expiring timer 245a952509f6 tcp: fix under-evaluated ssthresh in TCP Vegas ebe28298b759 clk: sunxi-ng: sun6i: Rename HDMI DDC clock to avoid name collision c31c122f7744 staging: greybus: light: Release memory obtained by kasprintf 7900ee86e495 net: ipv6: send NS for DAD when link operationally up 0c8d7ea9c7db ibmvnic: Set state UP eb3237c59a98 fm10k: ensure we process SM mbx when processing VF mbx a076534d71b3 vfio/pci: Virtualize Maximum Payload Size 0e8c3cf3f83e i40e: fix client notify of VF reset 2e3bad157461 scsi: lpfc: PLOGI failures during NPIV testing 022e3fe9ac98 scsi: lpfc: Fix secure firmware updates 9e7341570bf9 fm10k: fix mis-ordered parameters in declaration for .ndo_set_vf_bw af88451b2676 ASoC: codecs: msm8916-wcd-analog: fix module autoload 2fc38deb5bed ASoC: img-parallel-out: Add pm_runtime_get/put to set_fmt callback 4529e660bc83 tracing: Exclude 'generic fields' from histograms 3485fd44f243 PCI/AER: Report non-fatal errors only to the affected endpoint 64e367610786 Bluetooth: BT_HCIUART now depends on SERIAL_DEV_BUS 47663fe61367 Bluetooth: hci_uart_set_flow_control: Fix NULL deref when using serdev 58adf4fe65f8 md: always set THREAD_WAKEUP and wake up wqueue if thread existed e9f7be0e550e block,bfq: Disable writeback throttling c09fcc304541 IB/rxe: put the pool on allocation failure 392f4c00adca IB/rxe: check for allocation failure on elem 179099ba0d69 ixgbe: fix use of uninitialized padding e2e131da3b6b i40e: use the safe hash table iterator when deleting mac filters 757ad831c703 igb: check memory allocation failure e156a3afb676 PM / OPP: Move error message to debug level 9bd17b3b4bb6 PCI: Create SR-IOV virtfn/physfn links before attaching driver 54da833e63b0 scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive 929cc7c94e3b scsi: cxgb4i: fix Tx skb leak 84aa72a81de3 PCI: Avoid bus reset if bridge itself is broken 3932edaebc65 net: phy: at803x: Change error to EINVAL for invalid MAC e9bd07539e3f rtc: pl031: make interrupt optional 9f77ab2f562c crypto: lrw - Fix an error handling path in 'create()' 59e5a2e7eec9 crypto: crypto4xx - increase context and scatter ring buffer elements 13c0df6a379d clk: sunxi-ng: sun5i: Fix bit offset of audio PLL post-divider 68e13e506d6e clk: sunxi-ng: nm: Check if requested rate is supported by fractional clock 3996734fc715 drm: Add retries for lspcon mode detection 77190a6d2d57 backlight: pwm_bl: Fix overflow condition d3b4b8043ff7 optee: fix invalid of_node_put() in optee_driver_init() 752218b19686 posix-timer: Properly check sigevent->sigev_notify 16c39a33a5c6 ACPI / APEI: adjust a local variable type in ghes_ioremap_pfn_irq() ba0b2e6cbb82 Linux 4.12.27 feea4d492d73 usb: musb: da8xx: fix babble condition handling 6d8d83c4ec67 ath10k: fix build errors with !CONFIG_PM 00e875f83a3c ath9k: fix tx99 potential info leak 01cf18e17476 lightnvm: pblk: fix min size for page mempool 4413575d48be lightnvm: pblk: initialize debug stat counter 87135620a06a lightnvm: pblk: fix changing GC group list for a line 3b1abf7d20f6 icmp: don't fail on fragment reassembly time exceeded 4be8ae2da97b IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush 7d284754ed54 IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop 634b3e0fefd7 RDMA/cma: Avoid triggering undefined behavior f9f24086ba42 macvlan: Only deliver one copy of the frame to the macvlan interface aba3745fc9b0 udf: Avoid overflow when session starts at large offset 4a9bf3983ef9 md-cluster: fix wrong condition check in raid1_write_request e08da1a3d9d5 raid5-ppl: check recovery_offset when performing ppl recovery a6b9b60622b0 scsi: bfa: integer overflow in debugfs a6adc19ff5a4 scsi: sd: change allow_restart to bool in sysfs interface d23a6641b217 scsi: sd: change manage_start_stop to bool in sysfs interface be59ef05ed52 rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_disassoc_cmd 9257df5ece69 vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend 5d0d0b750520 IB/core: Fix calculation of maximum RoCE MTU 950215a22a7a scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry 40dd3da9911d raid5: Set R5_Expanded on parity devices as well as data. d63147f7712f pinctrl: adi2: Fix Kconfig build problem b25a34c20291 dev/dax: fix uninitialized variable build warning 3b928d69ed7c tty fix oops when rmmod 8250 6fd73bd5acc5 ipv4: ipv4_default_advmss() should use route mtu e8552a24db2a soc: mediatek: pwrap: fix compiler errors 023499e5fff8 powerpc/xmon: Check before calling xive functions 7092b9c569ee powerpc/perf/hv-24x7: Fix incorrect comparison in memord d85bb8676f60 serdev: ttyport: enforce tty-driver open() requirement dcc2d9b7db19 mfd: mxs-lradc: Fix error handling in mxs_lradc_probe() d7630ac47698 scsi: hpsa: destroy sas transport properties before scsi_host a2133c918746 scsi: hpsa: cleanup sas_phy structures in sysfs when unloading 37686080a0c8 PCI: Detach driver before procfs & sysfs teardown on device remove 585eb66776b7 RDMA/cxgb4: Declare stag as __be32 06a21042a540 xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real 98da748f2c95 xfs: fix log block underflow during recovery cycle verification 9aaebfb38490 l2tp: cleanup l2tp_tunnel_delete calls 4fd806e81bcb nvme: use kref_get_unless_zero in nvme_find_get_ns 377d9449f868 platform/x86: hp_accel: Add quirk for HP ProBook 440 G4 89e9f0fce2a4 liquidio: fix kernel panic in VF driver 85aad298ecc2 samples/bpf: adjust rlimit RLIMIT_MEMLOCK for xdp1 767f9da42096 ARM64: dts: meson-gxbb-odroidc2: fix usb1 power supply 65743dd02181 mtd: spi-nor: stm32-quadspi: Fix uninitialized error return code 0501313aa697 btrfs: tests: Fix a memory leak in error handling path in 'run_test()' 563e097ec448 btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit 3faadbbe68b1 btrfs: undo writable superblocke when sprouting fails 7028f26c6034 btrfs: Explicitly handle btrfs_update_root failure 3f0a4dfc8eb9 Bluetooth: hci_ldisc: Fix another race when closing the tty. abb921b20fa0 Ib/hfi1: Return actual operational VLs in port info query 879b18ebb8f4 bcache: fix wrong cache_misses statistics 744eb7bd3386 bcache: explicitly destroy mutex while exiting 653aad5c1702 media: usbtv: fix brightness and contrast controls c4d5c7940953 GFS2: Take inode off order_write list when setting jdata flag 2e510357e1a6 scsi: scsi_debug: write_same: fix error report 56c755841ee6 misc: pci_endpoint_test: Avoid triggering a BUG() b55d52393e28 misc: pci_endpoint_test: Fix failure path return values in probe aeac8e4c0c15 thermal/drivers/step_wise: Fix temperature regulation misbehavior aaca414203c4 ASoC: rsnd: rsnd_ssi_run_mods() needs to care ssi_parent_mod 0587e5a36d00 ppp: Destroy the mutex when cleanup 4a7735ca4455 clk: tegra: Fix cclk_lp divisor register 0006385aadd0 clk: tegra: Use readl_relaxed_poll_timeout_atomic() in tegra210_clock_init() 6ae2754d991b blk-mq-sched: dispatch from scheduler IFF progress is made in ->dispatch ec4585cdc959 clk: hi6220: mark clock cs_atb_syspll as critical f203d6193f5c clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU c9ce9a4d1734 clk: imx: imx7d: Fix parent clock for OCRAM_CLK 5f200f317929 clk: mediatek: add the option for determining PLL source clock 6f7955a0aa2a crypto: tcrypt - fix buffer lengths in test_aead_speed() 40734099baaa xfs: truncate pagecache before writeback in xfs_setattr_size() 165b974bd72a iommu/amd: Limit the IOVA page range to the specified addresses a2e1fcc04fb6 badblocks: fix wrong return value in badblocks_set if badblocks are disabled 75920b77b802 target/file: Do not return error for UNMAP if length is zero ca73c042292d target:fix condition return in core_pr_dump_initiator_port() 8e2ee3f5ff33 iscsi-target: fix memory leak in lio_target_tiqn_addtpg() f1ae60da96df target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd() d5adfbee09dc target/iscsi: Detect conn_cmd_list corruption early edd7fdf83184 platform/x86: intel_punit_ipc: Fix resource ioremap warning da2aa58cb07b powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister 2ae1d60028ab powerpc/ipic: Fix status get and status clear 1d0cfd6df447 powerpc/opal: Fix EBUSY bug in acquiring tokens 88189efa7ee7 netfilter: ipvs: Fix inappropriate output of procfs 39254860365c iommu/mediatek: Fix driver name c82f9ea385ab PCI: dwc: Fix enumeration end when reaching root subordinate 5dad0dfd17df PCI: Do not allocate more buses than available in parent 4a917030981d powerpc: Don't preempt_disable() in show_cpuinfo() 0bc0d339ff6c powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo 7842177fdc43 PCI/PME: Handle invalid data when reading Root Status 301c44edb5a1 dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type 2761bc37b1c2 ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case c42830902147 PM / s2idle: Clear the events_check_enabled flag 9c70ec2c413d scsi: aacraid: address UBSAN warning regression 3819c3c756b0 scsi: aacraid: use timespec64 instead of timeval e262d43729be rtc: pcf8563: fix output clock rate 3ecf1bdeb61e video: fbdev: au1200fb: Return an error code if a memory allocation fails d56242baba22 video: fbdev: au1200fb: Release some resources if a memory allocation fails 3b53b4e4c0ab video: udlfb: Fix read EDID timeout f50c8ab6dc0d fbdev: controlfb: Add missing modes to fix out of bounds access bfbfacb318cd sfc: don't warn on successful change of MAC ae058bf77e63 HID: cp2112: fix broken gpio_direction_input callback 91590951dec1 ext4: fix crash when a directory's i_size is too small 4fae0491c35c ext4: fix fdatasync(2) after fallocate(2) operation df19eb58d7be dmaengine: dmatest: fix container_of member in dmatest_callback 100cb4506fb4 dmaengine: dmatest: move callback wait queue to thread context 4d873e954ac0 eeprom: at24: change nvmem stride to 1 b90737b239b0 iw_cxgb4: only insert drain cqes if wq is flushed 6b1f48a27656 dm: fix various targets to dm_register_target after module __init resources created 26c2e6fc10f1 scsi: core: Fix a scsi_show_rq() NULL pointer dereference 04039227baf7 nfsd: auth: Fix gid sorting when rootsquash enabled 143fdc512ac6 NFS: Fix unstable write completion 7482c56f758c NFS: Use an atomic_long_t to count the number of commits 3ef4a32040bf nfs: don't wait on commit in nfs_commit_inode() if there were no commit requests 4a70dd38f444 xhci: Don't add a virt_dev to the devs array before it's fully allocated fa7944fd5601 usb: xhci: fix TDS for MTK xHCI1.1 80aa2eb9b51b ceph: drop negative child dentries before try pruning inode's alias b9db0ab47687 mmc: core: apply NO_CMD23 quirk to some specific cards ff1b82c5314c usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer cea2ad71f37b usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input 1e5edda8ccd3 usbip: fix stub_rx: get_pipe() to validate endpoint number 3ac1e4089c48 USB: core: prevent malicious bNumInterfaces overflow 2479ee21bf60 USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID b3fd05a19818 tracing: Allocate mask_str buffer dynamically 5eb37713e296 kernel: make groups_sort calling a responsibility group_info allocators d87a616735d8 cifs: fix NULL deref in SMB2_read d22121ce1210 crypto: rsa - fix buffer overread when stripping leading zeroes 0ad02bd37731 mfd: fsl-imx25: Clean up irq settings during removal
binutils: Change the ARM assembler's ADR and ADRl pseudo-ops so that they will only set the bottom bit of imported thumb function symbols if the -mthumb-interwork option is active.
Andrej Valek [Tue, 4 Sep 2018 15:48:06 +0000 (17:48 +0200)]
wpa-supplicant: fix CVE-2018-14526
Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.
Yi Zhao [Fri, 7 Sep 2018 00:22:05 +0000 (08:22 +0800)]
taglib: Security fix CVE-2018-11439
CVE-2018-11439: The TagLib::Ogg::FLAC::File::scan function in
oggflacfile.cpp in TagLib 1.11.1 allows remote attackers to cause
information disclosure (heap-based buffer over-read) via a crafted audio
file.
Mike Looijmans [Fri, 24 Aug 2018 07:21:44 +0000 (09:21 +0200)]
busybox/mdev-mount.sh: Fix partition detect and cleanup mountpoint on fail
This fixes issues mainly seen when mounting eMMC devices:
The wildcard /sys/block/${DEVBASE}/${DEVBASE}*1 matches both "mmcblk0p1"
and "mmcblk0boot1" for example, and this results in syntax errors. Fix this
by searching for a "partition" file instead, which only exists for real
partitions and not 'fakes' like the eMMC extra's.
When mount fails, the mountpoint file is left behind, causing later attempts
at auto-mounting it to fail. If mount fails, remove the mountpoint, leaving
the system in the state as it was before the mount attempt.
Yi Zhao [Fri, 24 Aug 2018 07:21:27 +0000 (15:21 +0800)]
blktrace: Security fix CVE-2018-10689
CVE-2018-10689: blktrace (aka Block IO Tracing) 1.2.0, as used with the
Linux kernel and Android, has a buffer overflow in the dev_map_read
function in btt/devmap.c because the device and devno arrays are too
small, as demonstrated by an invalid free when using the btt program
with a crafted file.
(perl #131844) fix various space calculation issues in
pp_pack.c
- for the originally reported case, if the start/cur pointer is in the
top 75% of the address space the add (cur) + glen addition would
overflow, resulting in the condition failing incorrectly.
- the addition of the existing space used to the space needed could
overflow, resulting in too small an allocation and a buffer overflow.
- the scaling for UTF8 could overflow.
- the multiply to calculate the space needed for many items could
overflow.
For the first case, do a space calculation without making new pointers.
For the other cases, detect the overflow and croak if there's an
overflow.
Originally this used Size_t_MAX as the maximum size of a memory
allocation, but for -DDEBUGGING builds realloc() throws a panic for
allocations over half the address space in size, changing the error
reported for the allocation.
For non-DEBUGGING builds the Size_t_MAX limit has the small chance
of finding a system that has 3GB of contiguous space available, and
allocating that space, which could be a denial of servce in some cases.
Unfortunately changing the limit to half the address space means that
the exact case with the original issue can no longer occur, so the
test is no longer testing against the address + length issue that
caused the original problem, since the allocation is failing earlier.
One option would be to change the test so the size request by pack is
just under 2GB, but this has a higher (but still low) probability that
the system has the address space available, and will actually try to
allocate the memory, so let's not do that.
Note: changed
plan tests => 14713;
to
plan tests => 14712;
in a/t/op/pack.t
to apply this patch on perl 5.24.1.
* CVE-2018-6798-1
The proximal cause is several instances in regexec.c of the code
assuming that the input was valid UTF-8, whereas the input was too short
for what the start byte claimed it would be.
I grepped through the core for any other similar uses, and did not find
any.
While reading file content via 'guest-file-read' command,
'qmp_guest_file_read' routine allocates buffer of count+1
bytes. It could overflow for large values of 'count'.
Add check to avoid it.
* CVE-2018-1000030-1
[2.7] bpo-31530: Stop crashes when iterating over a file on multiple threads
* CVE-2018-1000030-2
Multiple threads iterating over a file can corrupt the file's internal readahead
buffer resulting in crashes. To fix this, cache buffer state thread-locally for
the duration of a file_iternext call and only update the file's internal state
after reading completes.
No attempt is made to define or provide "reasonable" semantics for iterating
over a file on multiple threads. (Non-crashing) races are still
present. Duplicated, corrupt, and missing data will happen.
This was originally fixed by 6401e56, which
raised an exception from seek() and next() when concurrent operations were
detected. Alas, this simpler solution breaks legitimate use cases such as
capturing the standard streams when multiple threads are logging.
proc/readproc.c: Fix bugs and overflows in file2strvec().
Note: this is by far the most important and complex patch of the whole
series, please review it carefully; thank you very much!
For this patch, we decided to keep the original function's design and
skeleton, to avoid regressions and behavior changes, while fixing the
various bugs and overflows. And like the "Harden file2str()" patch, this
patch does not fail when about to overflow, but truncates instead: there
is information available about this process, so return it to the caller;
also, we used INT_MAX as a limit, but a lower limit could be used.
The easy changes:
- Replace sprintf() with snprintf() (and check for truncation).
- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
do break instead of return: it simplifies the code (only one place to
handle errors), and also guarantees that in the while loop either n or
tot is > 0 (or both), even if n is reset to 0 when about to overflow.
- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
code, since we enter the while loop only if n >= 0.
- Rewrite the missing-null-terminator detection: in the original
function, if the size of the file is a multiple of 2047, a null-
terminator is appended even if the file is already null-terminated.
- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
to handle the first break of the while loop, and to guarantee that in
the rest of the function tot is > 0.
- Double-force ("belt and suspenders") the null-termination of rbuf:
this is (and was) essential to the correctness of the function.
- Replace the final "while" loop with a "for" loop that behaves just
like the preceding "for" loop: in the original function, this would
lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
would return the array {"",NULL} but should return {"","A",NULL}; and
if rbuf is |A|\0|B| (should never happen because rbuf should be null-
terminated), this would make room for two pointers in ret, but would
write three pointers to ret).
The hard changes:
- Prevent the integer overflow of tot in the while loop, but unlike
file2str(), file2strvec() cannot let tot grow until it almost reaches
INT_MAX, because it needs more space for the pointers: this is why we
introduced ARG_LEN, which also guarantees that we can add "align" and
a few sizeof(char*)s to tot without overflowing.
- Prevent the integer overflow of "tot + c + align": when INT_MAX is
(almost) reached, we write the maximal safe amount of pointers to ret
(ARG_LEN guarantees that there is always space for *ret = rbuf and the
NULL terminator).
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.
This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).
We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).
Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:
1. What should the allowed syntax be?
It's tempting to reuse verify_path(), since submodule
names typically come from in-repo paths. But there are
two reasons not to:
a. It's technically more strict than what we need, as
we really care only about breaking out of the
$GIT_DIR/modules/ hierarchy. E.g., having a
submodule named "foo/.git" isn't actually
dangerous, and it's possible that somebody has
manually given such a funny name.
b. Since we'll eventually use this checking logic in
fsck to prevent downstream repositories, it should
be consistent across platforms. Because
verify_path() relies on is_dir_sep(), it wouldn't
block "foo\..\bar" on a non-Windows machine.
2. Where should we enforce it? These days most of the
.gitmodules reads go through submodule-config.c, so
I've put it there in the reading step. That should
cover all of the C code.
We also construct the name for "git submodule add"
inside the git-submodule.sh script. This is probably
not a big deal for security since the name is coming
from the user anyway, but it would be polite to remind
them if the name they pick is invalid (and we need to
expose the name-checker to the shell anyway for our
test scripts).
This patch issues a warning when reading .gitmodules
and just ignores the related config entry completely.
This will generally end up producing a sensible error,
as it works the same as a .gitmodules file which is
missing a submodule entry (so "submodule update" will
barf, but "git clone --recurse-submodules" will print
an error but not abort the clone.
There is one minor oddity, which is that we print the
warning once per malformed config key (since that's how
the config subsystem gives us the entries). So in the
new test, for example, the user would see three
warnings. That's OK, since the intent is that this case
should never come up outside of malicious repositories
(and then it might even benefit the user to see the
message multiple times).
Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.
Affects: git < 2.13.7 and git < 2.14.4 and git < 2.15.2 and git < 2.16.4 and
git < 2.17.1
CVE-2017-18018-1:
doc: clarify chown/chgrp --dereference defaults
* doc/coreutils.texi: the documentation for the --dereference
flag of chown/chgrp states that it is the default mode of
operation. Document that this is only the case when operating
non-recursively.
CVE-2017-18018-2:
doc: warn about following symlinks recursively in chown/chgrp
In both chown and chgrp (which shares its code with chown), operating
on symlinks recursively has a window of vulnerability where the
destination user or group can change the target of the operation.
Warn about combining the --dereference, --recursive, and -L flags.
* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
(node chown invocation): Add it to --dereference and -L.
(node chgrp invocation): Likewise.
double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code.
While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
Andrej Valek [Tue, 17 Jul 2018 09:10:33 +0000 (11:10 +0200)]
openssl-1.1: fix c_rehash perl errors
Patch original c_rehash script with Debian patch instead
of overriding it with own version.
Error output from c_reshah without patching:
Unknown regexp modifier "/b" at ./c_rehash line 15, at end of line
Unknown regexp modifier "/W" at ./c_rehash line 28, at end of line
Unknown regexp modifier "/3" at ./c_rehash line 28, at end of line
Unknown regexp modifier "/2" at ./c_rehash line 28, at end of line
No such class installdir at ./c_rehash line 63, near "Prefix our
installdir"
(Might be a runaway multi-line // string starting on line 28)
syntax error at ./c_rehash line 63, near "Prefix our installdir"
Can't redeclare "my" in "my" at ./c_rehash line 68, near ""
Execution of ./c_rehash aborted due to compilation errors.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Marko Peter <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Andre McCurdy [Wed, 8 Aug 2018 18:15:12 +0000 (11:15 -0700)]
openssl_1.0: drop unnecessary call to perlpath.pl from do_configure()
The perlpath.pl script is used to patch the #! lines in all perl
scripts in the utils directory. However, as these scripts are run via
e.g. "perl foo.pl", they don't actually rely on the #! path to be
correct (which can be confirmed by the observation that the path is
currently being set to ${STAGING_BINDIR_NATIVE}/perl, which doesn't
exist).
Andre McCurdy [Tue, 31 Jul 2018 01:28:07 +0000 (18:28 -0700)]
openssl_1.0: drop unnecessary dependency on makedepend-native
The openssl Configure script will only select standalone makedepend
(vs running "$CC -M") when building with gcc < 3.x or with an Apple
Xcode version which predates the switch to clang (in approx 2010?).
Neither of these cases are possible when building under OE, therefore
the dependency on makedepend-native can be dropped (ie align the
openssl 1.0 recipe with the 1.1 recipe, which has dropped the
makedepend-native dependency already).
Andre McCurdy [Tue, 31 Jul 2018 13:57:56 +0000 (06:57 -0700)]
openssl: fix missing dependency on hostperl-runtime-native
Openssl 1.1 requires perl in order to build (just as openssl 1.0
does). The missing dependency has gone unnoticed up to now since
hostperl-runtime-native is included in ASSUME_PROVIDED.
Andre McCurdy [Sat, 28 Jul 2018 20:39:23 +0000 (13:39 -0700)]
openssl_1.0: squash whitespace in CC_INFO
Squash whitespace in CC_INFO to avoid recipe whitespace changes to
CFLAG affecting the final openssl binaries (the value of CC_INFO gets
embedded in libcrypto, via buildinf.h).
Andre McCurdy [Sat, 28 Jul 2018 20:39:22 +0000 (13:39 -0700)]
openssl_1.0: add PACKAGECONFIG option to control manpages
Creating the openssl manpages, which happens as part of do_install(),
can take a significant amount of time (e.g. ~50 seconds on a quad
core laptop). Provide a PACKAGECONFIG option to allow creation of the
manpages to be skipped completely if not required and inherit the
manpages class to automatically control the PACKAGECONFIG option
(based on the "api-documentation" distro feature).
Andre McCurdy [Sat, 28 Jul 2018 20:39:21 +0000 (13:39 -0700)]
openssl_1.0: drop unmaintained darwin support
The fact that the darwin support only appears to consider x86 (and
not x86_64) suggests that it's not maintained or tested. In general
oe-core doesn't support building on darwin.
Andre McCurdy [Sat, 28 Jul 2018 20:39:20 +0000 (13:39 -0700)]
openssl_1.0: drop obsolete exporting of AS, EX_LIBS and DIRS
Previously (when EXTRA_OEMAKE contained -e) exporting these variables
over-rode default values in the top-level openssl Makefile. However,
since -e was removed from EXTRA_OEMAKE as part of:
exporting these variables does nothing. The comment from that commit
that only AR is affected by removing -e wasn't correct, but the
effects of letting the openssl Makefile also control AS, EX_LIBS and
DIRS seem to be either benign or beneficial.
Since without -e make ignores DIRS from the environment and always
runs for all subdirs (including "test"), adding "test" to DIRS and
calling "make depend" again from do_compile_ptest() can be dropped.
Andre McCurdy [Sat, 28 Jul 2018 20:39:19 +0000 (13:39 -0700)]
openssl_1.0: drop obsolete ca.patch
This patch adds a second line to the -help output of the CA.pl script
(which lists almost the same command line options as the line above
it but in a slightly different order). Although it's tagged as a
Debian backport, there's no patch like it in recent Debian patch sets
for openssl 1.0.2.
Andre McCurdy [Tue, 24 Jul 2018 02:38:52 +0000 (19:38 -0700)]
openssl_1.0: avoid running make twice for target do_compile()
Currently target builds call make twice as part of do_compile(). It
appears to be an accidental side effect of needing to only pass
CC_INFO on the make command line for target builds, since CC_INFO is
only referenced by the reproducible build patches.
Andre McCurdy [Tue, 24 Jul 2018 02:38:50 +0000 (19:38 -0700)]
openssl_1.0: fix cryptodev-linux PACKAGECONFIG support
Since openssl isn't an autotools recipe, defining cryptodev-linux
related config options via PACKAGECONFIG hasn't worked correctly
since PACKAGECONFIG_CONFARGS stopped being automatically appended to
EXTRA_OECONF in 2016:
The issue appears to have been hidden as the flags are also hardcoded
in CFLAG - and therefore always enabled, regardless of the state of
the PACKAGECONFIG option. Fix by passing both EXTRA_OECONF and
PACKAGECONFIG_CONFARGS when running the openssl Configure script.
Although the openssl 1.1 recipe doesn't contain any PACKAGECONFIG
options yet, pre-emptively make the same fix there too.
Also only enable cryptodev-linux by default for target builds (based
on the historical comments in the recipe, that seems to have been the
original intention).
Joshua Watt [Tue, 7 Aug 2018 13:40:04 +0000 (08:40 -0500)]
alsa-lib: Cleanup packaging
Cleans up the packaging by moving libasound.so.2 back into the alsa-lib
package which was previously empty.
Previously, it was difficult to create an image that had libasound.so.2,
then create an SDK from that image that had the proper development
files, because the only way to get libasound.so.2 was to do:
IMAGE_INSTALL += "libasound"
This however caused a problem because all of the development files that
would be desired in the SDK were located in alsa-lib-dev, which wouldn't
be included because alsa-lib wasn't included, and it was impossible to
include alsa-lib because it was an empty package that was culled.
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30352f3d84344bff8c06625f9674947417f6e8e1)
Ross Burton [Mon, 13 Aug 2018 17:20:54 +0000 (18:20 +0100)]
classes: sanity-check LIC_FILES_CHKSUM
We assume that LIC_FILES_CHKSUM is a file: URI but don't actually verify this,
which can lead to problems if you have a URI that resolves to a path of / as
Bitbake will then dutifully checksum / recursively.
Ross Burton [Mon, 13 Aug 2018 23:59:39 +0000 (00:59 +0100)]
bzip2: use Yocto Project mirror for SRC_URI
The bzip.org domain expired and is now a holding site for adverts, so we can't
trust a tarball that appears on that site (luckily we have source checksums to
detect this).
For now, point SRC_URI at the tarball in the Yocto Project source mirror, but
set HOMEPAGE and UPSTREAM_CHECK_URI to the sourceware.org/bzip2/ page which
apparently will be resurrected as the new canonical home page.
Daniel Díaz [Tue, 14 Aug 2018 16:14:36 +0000 (11:14 -0500)]
multilib_header: recognize BPF as a target
When building with `clang -target bpf` using the
multilib_header, a recursion was unavoidable because
bits/wordsize.h would #include itself, still lacking
a definition for __MHWORDSIZE or __WORDSIZE.
Daniel Díaz [Tue, 14 Aug 2018 16:14:35 +0000 (11:14 -0500)]
glibc: Make bits/wordsize.h multilibbed again
As reported by ChenQi, leaving bits/wordsize.h out of being
multilibbed introduced a problem in building the SDK for
arm64:
Error: Transaction check error:
file /usr/include/bits/wordsize.h conflicts between attempted installs of lib32-libc6-dev-2.27-r0.armv7vet2hf_vfp and libc6-dev-2.27-r0.aarch64
oe-pkgdata-util: Make parse_pkgdatafile() support package suffixed vars
Support for variables suffixed with package names, e.g., PKGV_foo, was
removed in commit 3d2c87c4, which broke support for recipes that set
other versions on their packages than what is in ${PV}.
If a package name exists in runtime-rprovides, lookup-recipe and
package-info would finish after printing information about that
package even if more packages were specified.
Chen Qi [Mon, 14 May 2018 08:35:22 +0000 (16:35 +0800)]
devtool/sdk.py: error out in case of downloading file failure
It's possible that downloading file from updateserver fails. In
this case, we should error out instead of continue.
We have users reporting unexpected behavior of 'devtool sdk-update'.
When an invalid url is supplied, e.g., `devtool sdk-update http://invalid',
the program reports 'Note: Already up-to-date'.
This is obviously not expected. We should error out in such case.
Martin Jansa [Mon, 30 Jul 2018 09:17:25 +0000 (09:17 +0000)]
linux-firmware: add separate packages for all brcm files
* no changes in the content of previously existing packages
* include some silly commands I've used to "parse" WHENCE file to
generate these, some manual changes are still needed, like separating
cypress licensed files, removing duplicates when 2 files are included
in the same package (bcm4356-pcie is exception because sdio and pcie
files have different license).
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Martin Jansa [Mon, 30 Jul 2018 09:17:23 +0000 (09:17 +0000)]
linux-firmware: add ${PN}-cypress-license handling from meta-raspberrypi
* this will break meta-raspberrypi once more, by including
${PN}-cypress-license package twice in PACKAGES
I've sent fix here:
https://github.com/agherzan/meta-raspberrypi/pull/295
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
u-boot attempts to build a Python library called pylibfdt. By default,
u-boot would attempt to use the build host's Python interpreter, which
causes numerous problems, not least of which is that it fails if the
host doesn't have the Python development package installed (complaining
about not being able to find Python.h)
Rectify this situation by including the proper build time dependencies
for pylibfdt and passing the proper arguments to make.
Yongxin Liu [Mon, 30 Jul 2018 09:16:32 +0000 (17:16 +0800)]
kdump: start kdump.service after basic.target
If kdump.service is set to run on boot and dump-capture kernel isn't
placed in /dev/root, kdump.service will fail to load the kernel,
since other partitions are not mounted yet. Starting kdump.service
after basic.target guarantees dump-capture kernel can be loaded in
this situation.
Signed-off-by: Joel Stanley <joel@jms.id.au> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
