From patchwork Sat Apr 15 15:33:36 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 22654
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 1/4] ffmpeg: fix for CVE-2022-3341
Date: Sat, 15 Apr 2023 05:33:36 -1000
Message-Id: <0c68435a7c0ff1c417119dbd408e75443c09afcb.1681572706.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180019
From: Bhabu Bindu

avformat/nutdec: Add check for avformat_new_stream

Check for failure of avformat_new_stream() and propagate the error code.

Upstream-Status: Backport [https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=bba70ce34115151362bfdc49a545ee708eb297ca]

(From OE-Core rev: e17ddd0fafb562ed7ebe7708dac9bcef2d6cecc1)

Signed-off-by: Narpat Mali
Signed-off-by: Steve Sakoman
Signed-off-by: Richard Purdie
(cherry picked from commit bba70ce34115151362bfdc49a545ee708eb297ca)
Signed-off-by: Bhabu Bindu
Signed-off-by: Steve Sakoman
---
 .../ffmpeg/ffmpeg/CVE-2022-3341.patch         | 67 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
new file mode 100644
index 0000000000..fcbd9b3e1b
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-3341.patch
@@ -0,0 +1,67 @@ +From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Wed, 23 Feb 2022 10:31:59 +0800 +Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream + +Check for failure of avformat_new_stream() and propagate +the error code. + +Signed-off-by: Michael Niedermayer + +CVE: CVE-2022-3341 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] + +Comments: Refreshed Hunk +Signed-off-by: Narpat Mali +Signed-off-by: Bhabu Bindu +--- + libavformat/nutdec.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c +index 0a8a700acf..f9ad2c0af1 100644 +--- a/libavformat/nutdec.c ++++ b/libavformat/nutdec.c +@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut) + ret = AVERROR(ENOMEM); + goto fail; + } +- for (i = 0; i < stream_count; i++) +- avformat_new_stream(s, NULL); ++ for (i = 0; i < stream_count; i++) { ++ if (!avformat_new_stream(s, NULL)) { ++ ret = AVERROR(ENOMEM); ++ goto fail; ++ } ++ } + + return 0; + fail: +@@ -793,19 +793,23 @@ + NUTContext *nut = s->priv_data; + AVIOContext *bc = s->pb; + int64_t pos; +- int initialized_stream_count; ++ int initialized_stream_count, ret; + + nut->avf = s; + + /* main header */ + pos = 0; ++ ret = 0; + do { ++ if (ret == AVERROR(ENOMEM)) ++ return ret; ++ + pos = find_startcode(bc, MAIN_STARTCODE, pos) + 1; + if (pos < 0 + 1) { + av_log(s, AV_LOG_ERROR, "No main startcode found.\n"); + goto fail; + } +- } while (decode_main_header(nut) < 0); ++ } while ((ret = decode_main_header(nut)) < 0); + + /* stream headers */ + pos = 0; + diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index ffeec92e0e..1e000dddfa 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb 
@@ -31,6 +31,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2021-38291.patch \ file://CVE-2022-1475.patch \ file://CVE-2022-3109.patch \ + file://CVE-2022-3341.patch \ " SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3" SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
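Review bot: in the `@@ -351,8 +351,12 @@ static int decode_main_header(NUTContext *nut)` hunk, the new `if (!avformat_new_stream(s, NULL))` check maps the failure to `ret = AVERROR(ENOMEM); goto fail;`, the same pattern the two context lines above it already use, so the error path is consistent; the streams created by earlier loop iterations stay attached to `s` and are not torn down here, which is correct only because libavformat frees the whole AVFormatContext when avformat_open_input() fails, and a one-line comment saying so would save the next reader the question.

Review bot: the second hunk header `@@ -793,19 +793,23 @@` has lost its function-context string, and since the `Comments: Refreshed Hunk` line refers to this hunk, the refresh should be recorded against it explicitly. The `if (ret == AVERROR(ENOMEM)) return ret;` at the top of the do/while aborts only on ENOMEM; every other negative return from `decode_main_header()` still resyncs to the next `MAIN_STARTCODE`, preserving the existing behaviour. That early `return ret` also bypasses the `goto fail` path used by the "No main startcode found." branch, so confirm that nothing reachable from that function's `fail:` label needs to run on the ENOMEM exit.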
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 2/4] qemu: fix build error introduced by CVE-2021-3929 fix
Date: Sat, 15 Apr 2023 05:33:37 -1000
Message-Id: <4ad98f0b27615ad59ae61110657cf69004c61ef4.1681572706.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180020

From: Gaurav Gupta

The patch for CVE-2021-3929 applied on dunfell returns a value for a void function. This results in the following compiler warning/error:

hw/block/nvme.c:77:6: error: void function 'nvme_addr_read' should not return a value [-Wreturn-type]
        return NVME_DATA_TRAS_ERROR;
        ^      ~~~~~~~~~~~~~~~~~~~~

In newer versions of qemu, the function is changed to have a return value, but that is not present in the version of qemu used in “dunfell”. Backport some of the patches to correct this.

Signed-off-by: Gaurav Gupta
Signed-off-by: Gaurav Gupta
Signed-off-by: Steve Sakoman
---
 meta/recipes-devtools/qemu/qemu.inc                |   2 +
 .../qemu/qemu/CVE-2021-3929.patch                  |  33 ++--
 .../hw-block-nvme-handle-dma-errors.patch          | 146 ++++++++++++++++++
 ...w-block-nvme-refactor-nvme_addr_read.patch      |  55 +++++++
 4 files changed, 221 insertions(+), 15 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5466303c94..3b1bd3b656 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -115,6 +115,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3638.patch \ file://CVE-2021-20196.patch \ file://CVE-2021-3507.patch \ + file://hw-block-nvme-refactor-nvme_addr_read.patch \ + file://hw-block-nvme-handle-dma-errors.patch \ file://CVE-2021-3929.patch \ file://CVE-2022-4144.patch \ file://CVE-2020-15859.patch \ diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch index 3df2f8886a..a1862f1226 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch @@ -1,7 +1,8 @@ -From 736b01642d85be832385063f278fe7cd4ffb5221 Mon Sep 17 00:00:00 2001 -From: Klaus Jensen -Date: Fri, 17 Dec 2021 10:44:01 +0100 -Subject: [PATCH] hw/nvme: fix CVE-2021-3929 +From 2c682b5975b41495f98cc34b8243042c446eec44 Mon Sep 17 00:00:00 2001 +From: Gaurav Gupta +Date: Wed, 29 Mar 2023 14:36:16 -0700 +Subject: [PATCH] hw/nvme: fix CVE-2021-3929 MIME-Version: 1.0 Content-Type: + text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -17,21 +18,23 @@ Reviewed-by: Keith Busch Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Klaus Jensen -Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385] +Upstream-Status: Backport +[https://gitlab.com/qemu-project/qemu/-/commit/736b01642d85be832385] CVE: CVE-2021-3929 Signed-off-by: Vivek Kumbhar +Signed-off-by: Gaurav Gupta --- hw/block/nvme.c | 23 +++++++++++++++++++++++ hw/block/nvme.h | 1 + 2 files changed, 24 insertions(+) diff --git a/hw/block/nvme.c b/hw/block/nvme.c -index 12d82542..e7d0750c 100644 +index bda446d..ae9b19f 100644 --- a/hw/block/nvme.c 
+++ b/hw/block/nvme.c -@@ -52,8 +52,31 @@ - - static void nvme_process_sq(void *opaque); +@@ -60,8 +60,31 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) + return addr >= low && addr < hi; + } +static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) +{ @@ -51,18 +54,18 @@ index 12d82542..e7d0750c 100644 + return addr >= lo && addr < hi; +} + - static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) { + + if (nvme_addr_is_iomem(n, addr)) { -+ return NVME_DATA_TRAS_ERROR; ++ return NVME_DATA_TRAS_ERROR; + } + - if (n->cmbsz && addr >= n->ctrl_mem.addr && - addr < (n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size))) { + if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); + return 0; diff --git a/hw/block/nvme.h b/hw/block/nvme.h -index 557194ee..5a2b119c 100644 +index 557194e..5a2b119 100644 --- a/hw/block/nvme.h +++ b/hw/block/nvme.h @@ -59,6 +59,7 @@ typedef struct NvmeNamespace { @@ -74,5 +77,5 @@ index 557194ee..5a2b119c 100644 MemoryRegion ctrl_mem; NvmeBar bar; -- -2.30.2 +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch new file mode 100644 index 0000000000..0fdae8351a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-handle-dma-errors.patch 
@@ -0,0 +1,146 @@ +From ea2a7c7676d8eb9d1458eaa4b717df46782dcb3a Mon Sep 17 00:00:00 2001 +From: Gaurav Gupta +Date: Wed, 29 Mar 2023 14:07:17 -0700 +Subject: [PATCH 2/2] hw/block/nvme: handle dma errors + +Handling DMA errors gracefully is required for the device to pass the +block/011 test ("disable PCI device while doing I/O") in the blktests +suite. + +With this patch the device sets the Controller Fatal Status bit in the +CSTS register when failing to read from a submission queue or writing to +a completion queue; expecting the host to reset the controller. + +If DMA errors occur at any other point in the execution of the command +(say, while mapping the PRPs), the command is aborted with a Data +Transfer Error status code. + +Signed-off-by: Klaus Jensen +Signed-off-by: Gaurav Gupta +--- + hw/block/nvme.c | 41 +++++++++++++++++++++++++++++++---------- + hw/block/trace-events | 3 +++ + 2 files changed, 34 insertions(+), 10 deletions(-) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index e6f24a6..bda446d 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -60,14 +60,14 @@ static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) + return addr >= low && addr < hi; + } + +-static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) ++static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { + memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); +- return; ++ return 0; + } + +- pci_dma_read(&n->parent_obj, addr, buf, size); ++ return pci_dma_read(&n->parent_obj, addr, buf, size); + } + + static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid) +@@ -152,6 +152,7 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + hwaddr trans_len = n->page_size - (prp1 % n->page_size); + trans_len = MIN(len, trans_len); + int num_prps = (len >> n->page_bits) + 1; ++ int ret; + + if (unlikely(!prp1)) { + trace_nvme_err_invalid_prp(); +@@ -178,7 +179,11 @@ 
static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + + nents = (len + n->page_size - 1) >> n->page_bits; + prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t); +- nvme_addr_read(n, prp2, (void *)prp_list, prp_trans); ++ ret = nvme_addr_read(n, prp2, (void *)prp_list, prp_trans); ++ if (ret) { ++ trace_pci_nvme_err_addr_read(prp2); ++ return NVME_DATA_TRAS_ERROR; ++ } + while (len != 0) { + uint64_t prp_ent = le64_to_cpu(prp_list[i]); + +@@ -191,8 +196,12 @@ static uint16_t nvme_map_prp(QEMUSGList *qsg, QEMUIOVector *iov, uint64_t prp1, + i = 0; + nents = (len + n->page_size - 1) >> n->page_bits; + prp_trans = MIN(n->max_prp_ents, nents) * sizeof(uint64_t); +- nvme_addr_read(n, prp_ent, (void *)prp_list, +- prp_trans); ++ ret = nvme_addr_read(n, prp_ent, (void *)prp_list, ++ prp_trans); ++ if (ret) { ++ trace_pci_nvme_err_addr_read(prp_ent); ++ return NVME_DATA_TRAS_ERROR; ++ } + prp_ent = le64_to_cpu(prp_list[i]); + } + +@@ -286,6 +295,7 @@ static void nvme_post_cqes(void *opaque) + NvmeCQueue *cq = opaque; + NvmeCtrl *n = cq->ctrl; + NvmeRequest *req, *next; ++ int ret; + + QTAILQ_FOREACH_SAFE(req, &cq->req_list, entry, next) { + NvmeSQueue *sq; +@@ -295,15 +305,21 @@ static void nvme_post_cqes(void *opaque) + break; + } + +- QTAILQ_REMOVE(&cq->req_list, req, entry); + sq = req->sq; + req->cqe.status = cpu_to_le16((req->status << 1) | cq->phase); + req->cqe.sq_id = cpu_to_le16(sq->sqid); + req->cqe.sq_head = cpu_to_le16(sq->head); + addr = cq->dma_addr + cq->tail * n->cqe_size; ++ ret = pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe, ++ sizeof(req->cqe)); ++ if (ret) { ++ trace_pci_nvme_err_addr_write(addr); ++ trace_pci_nvme_err_cfs(); ++ n->bar.csts = NVME_CSTS_FAILED; ++ break; ++ } ++ QTAILQ_REMOVE(&cq->req_list, req, entry); + nvme_inc_cq_tail(cq); +- pci_dma_write(&n->parent_obj, addr, (void *)&req->cqe, +- sizeof(req->cqe)); + QTAILQ_INSERT_TAIL(&sq->req_list, req, entry); + } + if (cq->tail != cq->head) { +@@ 
-888,7 +904,12 @@ static void nvme_process_sq(void *opaque) + + while (!(nvme_sq_empty(sq) || QTAILQ_EMPTY(&sq->req_list))) { + addr = sq->dma_addr + sq->head * n->sqe_size; +- nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd)); ++ if (nvme_addr_read(n, addr, (void *)&cmd, sizeof(cmd))) { ++ trace_pci_nvme_err_addr_read(addr); ++ trace_pci_nvme_err_cfs(); ++ n->bar.csts = NVME_CSTS_FAILED; ++ break; ++ } + nvme_inc_sq_head(sq); + + req = QTAILQ_FIRST(&sq->req_list); +diff --git a/hw/block/trace-events b/hw/block/trace-events +index c03e80c..4e4ad4e 100644 +--- a/hw/block/trace-events ++++ b/hw/block/trace-events +@@ -60,6 +60,9 @@ nvme_mmio_shutdown_set(void) "shutdown bit set" + nvme_mmio_shutdown_cleared(void) "shutdown bit cleared" + + # nvme traces for error conditions ++pci_nvme_err_addr_read(uint64_t addr) "addr 0x%"PRIx64"" ++pci_nvme_err_addr_write(uint64_t addr) "addr 0x%"PRIx64"" ++pci_nvme_err_cfs(void) "controller fatal status" + nvme_err_invalid_dma(void) "PRP/SGL is too small for transfer size" + nvme_err_invalid_prplist_ent(uint64_t prplist) "PRP list entry is null or not page aligned: 0x%"PRIx64"" + nvme_err_invalid_prp2_align(uint64_t prp2) "PRP2 is not page aligned: 0x%"PRIx64"" +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch new file mode 100644 index 0000000000..66ada52efb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/hw-block-nvme-refactor-nvme_addr_read.patch 
@@ -0,0 +1,55 @@ +From 55428706d5b0b8889b8e009eac77137bb556a4f0 Mon Sep 17 00:00:00 2001 +From: Klaus Jensen +Date: Tue, 9 Jun 2020 21:03:17 +0200 +Subject: [PATCH 1/2] hw/block/nvme: refactor nvme_addr_read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Pull the controller memory buffer check to its own function. The check +will be used on its own in later patches. + +Signed-off-by: Klaus Jensen +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Maxim Levitsky +Reviewed-by: Keith Busch +Message-Id: <20200609190333.59390-7-its@irrelevant.dk> +Signed-off-by: Kevin Wolf +--- + hw/block/nvme.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/hw/block/nvme.c b/hw/block/nvme.c +index 12d8254..e6f24a6 100644 +--- a/hw/block/nvme.c ++++ b/hw/block/nvme.c +@@ -52,14 +52,22 @@ + + static void nvme_process_sq(void *opaque); + ++static bool nvme_addr_is_cmb(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr low = n->ctrl_mem.addr; ++ hwaddr hi = n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size); ++ ++ return addr >= low && addr < hi; ++} ++ + static void nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { +- if (n->cmbsz && addr >= n->ctrl_mem.addr && +- addr < (n->ctrl_mem.addr + int128_get64(n->ctrl_mem.size))) { ++ if (n->cmbsz && nvme_addr_is_cmb(n, addr)) { + memcpy(buf, (void *)&n->cmbuf[addr - n->ctrl_mem.addr], size); +- } else { +- pci_dma_read(&n->parent_obj, addr, buf, size); ++ return; + } ++ ++ pci_dma_read(&n->parent_obj, addr, buf, size); + } + + static int nvme_check_sqid(NvmeCtrl *n, uint16_t sqid) +-- +1.8.3.1 +
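Review bot: in the qemu.inc hunk the two new patches are inserted ahead of `CVE-2021-3929.patch`, which is the required order: the refreshed CVE patch now carries `index bda446d..ae9b19f`, matching the blob that `hw-block-nvme-handle-dma-errors.patch` produces (`index e6f24a6..bda446d`), which in turn follows `hw-block-nvme-refactor-nvme_addr_read.patch` (`index 12d8254..e6f24a6`). Both new patch files are missing the `Upstream-Status:` line that OE-Core requires in every patch header; add `Upstream-Status: Backport [<upstream QEMU commit URL>]` to each, since both are verbatim upstream commits by Klaus Jensen.

Review bot: the refreshed header of CVE-2021-3929.patch is broken in the `@@ -1,7 +1,8 @@` hunk: the new `+Subject:` line runs on into `MIME-Version: 1.0 Content-Type:` with a `+ text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit` continuation, while the original MIME headers remain unchanged on the following lines, so the subject now carries a duplicate copy of them and `git am` will record that as the title. The `From:` and `Date:` lines are also rewritten from Klaus Jensen, 17 Dec 2021 to Gaurav Gupta, 29 Mar 2023; keep the original author and date and record the refresh below the `---`, as the added `Signed-off-by: Gaurav Gupta` already does.

Review bot: in hw-block-nvme-handle-dma-errors.patch, the three new trace points are named `pci_nvme_err_addr_read`, `pci_nvme_err_addr_write` and `pci_nvme_err_cfs`, while every other event in this section of hw/block/trace-events uses the `nvme_` prefix (`nvme_err_invalid_dma`, `nvme_err_invalid_prp2_align`); the mismatch is inherited from the newer QEMU the patch comes from, so either keep it as-is with a note or rename consistently, but not half-way. In the `nvme_post_cqes` hunk the `QTAILQ_REMOVE(&cq->req_list, req, entry)` is deliberately moved after the `pci_dma_write`, so a failed completion write leaves the request on `cq->req_list` and raises `NVME_CSTS_FAILED`; that is the behaviour the commit text describes, and a one-line comment at the moved line would stop the reordering from looking accidental.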
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 3/4] ruby: CVE-2023-28756 ReDoS vulnerability in Time
Date: Sat, 15 Apr 2023 05:33:38 -1000
Message-Id: <52d26edffdd0444588ecad56b40a65e225889a01.1681572706.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180021

From: Hitendra Prajapati

Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e

Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
---
 .../ruby/ruby/CVE-2023-28756.patch       | 61 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_2.7.6.bb |  1 +
 2 files changed, 62 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
new file mode 100644
index 0000000000..c25a147d36
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,61 @@ +From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Wed, 29 Mar 2023 13:28:25 +0900 +Subject: [PATCH] CVE-2023-28756 + +CVE: CVE-2023-28756 +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e] + +Signed-off-by: Hitendra Prajapati +--- + lib/time.rb | 6 +++--- + test/test_time.rb | 9 +++++++++ + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/lib/time.rb b/lib/time.rb +index f27bacd..4a86e8e 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -501,8 +501,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +@@ -717,7 +717,7 @@ class Time + # + # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise. + # +- # +fractional_digits+ specifies a number of digits to use for fractional ++ # +fraction_digits+ specifies a number of digits to use for fractional + # seconds. Its default value is 0. + # + # require 'time' +diff --git a/test/test_time.rb b/test/test_time.rb +index ca20788..4f11048 100644 +--- a/test/test_time.rb ++++ b/test/test_time.rb +@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: + assert_equal(true, t.utc?) + end + ++ def test_rfc2822_nonlinear ++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n} ++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| ++ assert_raise(ArgumentError) do ++ Time.rfc2822(s) ++ end ++ end ++ end ++ + def test_encode_rfc2822 + t = Time.utc(1) + assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822) +-- +2.25.1 + diff --git a/meta/recipes-devtools/ruby/ruby_2.7.6.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb index 3af321a83e..91ffde5fa3 100644 
--- a/meta/recipes-devtools/ruby/ruby_2.7.6.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += " \ file://run-ptest \ file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ + file://CVE-2023-28756.patch \ " SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
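Review bot: the lib/time.rb hunk (`@@ -501,8 +501,8 @@ class Time`) fixes the ReDoS by removing the ambiguity around the optional seconds group: before, the `\s*` at the end of the minutes line, the `\s*` inside `(?::\s*(\d{2}))?` and the `\s+` that follows could all claim the same run of blanks when no `:ss` is present, which is exactly what the test hunk's input `"0 Feb 00 00 :00" + " " * n` provokes. After the change the whitespace before the optional `:` is consumed only inside `(?:\s*:\s*(\d\d))?`, so a run of blanks has a single parse. `(\d\d)` and `(\d{2})` are equivalent; keeping `(\d\d)` matches upstream byte for byte, which is preferable for a backport.

Review bot: the test/test_time.rb hunk adds `test_rfc2822_nonlinear`, which calls `assert_linear_performance`; the patch does not add that helper, and it is newer than the ruby 2.7.6 release this recipe builds, so confirm that this tree's test/lib/core_assertions.rb provides it (or backport it alongside), otherwise the new ptest case fails with NoMethodError instead of demonstrating that the regexp is linear.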
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 4/4] curl: CVE-2023-27534 SFTP path ~ resolving discrepancy
Date: Sat, 15 Apr 2023 05:33:39 -1000
Message-Id: <9aefb4e46cf4fbf14b46f9adaf3771854553e7f3.1681572706.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/180022

From: Hitendra Prajapati

Upstream-Status: Backport from https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6

Signed-off-by: Hitendra Prajapati
Signed-off-by: Steve Sakoman
---
 .../curl/curl/CVE-2023-27534.patch            | 123 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   1 +
 2 files changed, 124 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
new file mode 100644
index 0000000000..aeeffd5fea
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27534.patch
@@ -0,0 +1,123 @@ +From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Mar 2023 16:22:11 +0100 +Subject: [PATCH] curl_path: create the new path with dynbuf + +CVE: CVE-2023-27534 +Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] + +Signed-off-by: Hitendra Prajapati +--- + lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- + 1 file changed, 35 insertions(+), 36 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f429634..e17db4b 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -30,6 +30,8 @@ + #include "escape.h" + #include "memdebug.h" + ++#define MAX_SSHPATH_LEN 100000 /* arbitrary */ ++ + /* figure out the path to work with in this particular request */ + CURLcode Curl_getworkingpath(struct connectdata *conn, + char *homedir, /* when SFTP is used */ +@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + real path to work with */ + { + struct Curl_easy *data = conn->data; +- char *real_path = NULL; + char *working_path; + size_t working_path_len; ++ struct dynbuf npath; + CURLcode result = + Curl_urldecode(data, data->state.up.path, 0, &working_path, + &working_path_len, FALSE); + if(result) + return result; + ++ /* new path to switch to in case we need to */ ++ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); ++ + /* Check for /~/, indicating relative to the user's home directory */ +- if(conn->handler->protocol & CURLPROTO_SCP) { +- real_path = malloc(working_path_len + 1); +- if(real_path == NULL) { ++ if((data->conn->handler->protocol & CURLPROTO_SCP) && ++ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { ++ /* It is referenced to the home directory, so strip the leading '/~/' */ ++ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { + free(working_path); + return CURLE_OUT_OF_MEMORY; + } +- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) +- /* 
It is referenced to the home directory, so strip the leading '/~/' */ +- memcpy(real_path, working_path + 3, working_path_len - 2); +- else +- memcpy(real_path, working_path, 1 + working_path_len); + } +- else if(conn->handler->protocol & CURLPROTO_SFTP) { +- if((working_path_len > 1) && (working_path[1] == '~')) { +- size_t homelen = strlen(homedir); +- real_path = malloc(homelen + working_path_len + 1); +- if(real_path == NULL) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- /* It is referenced to the home directory, so strip the +- leading '/' */ +- memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; +- if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, +- 1 + working_path_len -3); +- } ++ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && ++ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { ++ size_t len; ++ const char *p; ++ int copyfrom = 3; ++ if(Curl_dyn_add(&npath, homedir)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } +- else { +- real_path = malloc(working_path_len + 1); +- if(real_path == NULL) { +- free(working_path); +- return CURLE_OUT_OF_MEMORY; +- } +- memcpy(real_path, working_path, 1 + working_path_len); ++ /* Copy a separating '/' if homedir does not end with one */ ++ len = Curl_dyn_len(&npath); ++ p = Curl_dyn_ptr(&npath); ++ if(len && (p[len-1] != '/')) ++ copyfrom = 2; ++ ++ if(Curl_dyn_addn(&npath, ++ &working_path[copyfrom], working_path_len - copyfrom)) { ++ free(working_path); ++ return CURLE_OUT_OF_MEMORY; + } + } + +- free(working_path); ++ if(Curl_dyn_len(&npath)) { ++ free(working_path); + +- /* store the pointer for the caller to receive */ +- *path = real_path; ++ /* store the pointer for the caller to receive */ ++ *path = Curl_dyn_ptr(&npath); ++ } ++ else ++ *path = working_path; + + return CURLE_OK; + } +-- +2.25.1 + 
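Review bot: the @@ -30,6 +30,8 @@ hunk brings `struct dynbuf` and the Curl_dyn_* calls into lib/curl_path.c without adding an include for dynbuf.h, so the backport relies on dynbuf.h already being reachable indirectly in the dunfell curl 7.69.1 tree (upstream gets it through urldata.h); dynbuf only landed upstream in 7.71.0, so please confirm this tree already carries the dynbuf backport, or add `#include "dynbuf.h"` ahead of `#include "memdebug.h"` (memdebug.h has to stay the last include). The new `MAX_SSHPATH_LEN` also deserves more than `/* arbitrary */`: a path longer than 100000 bytes is not rejected with a path-specific error but comes back as CURLE_OUT_OF_MEMORY, because that is what Curl_dyn_add/Curl_dyn_addn return when the dynbuf limit is exceeded, and a reader of the define should be told that this is a deliberate hard cap rather than a sizing hint.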
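Review bot: in the SFTP branch of the @@ -37,60 +39,57 @@ hunk an empty homedir changes the result: `len` is 0, so `copyfrom` stays 3 and the new path is `working_path + 3` with no leading '/', a relative path, where the removed code produced "/" followed by the remainder. If the ssh.c callers always pass the absolute directory they obtained from the realpath lookup this cannot happen, but a one-line comment or an explicit guard on `*homedir` would record that assumption in the function instead of leaving it to the caller. Two smaller points: the new conditions read `data->conn->handler->protocol` while the function receives `conn` and already sets `data = conn->data`, so `conn->handler->protocol`, as in the removed lines, is shorter and avoids the detour through data; and the SCP branch keeps `working_path_len > 3` while the SFTP branch uses `> 2`, so a path of exactly "/~/" is left untouched for SCP but mapped onto the home directory for SFTP, which matches the old behaviour but merits a comment so the next reader does not have to work out whether the mismatch is intended. Ownership is worth a comment too: `*path` is now either the dynbuf's buffer handed out through Curl_dyn_ptr without a Curl_dyn_free, or the urldecoded working_path, and the caller frees both with free(); please confirm the Curl_dyn_add/Curl_dyn_addn failure paths release the dynbuf before the `return CURLE_OUT_OF_MEMORY`, since the hunk does not free it itself. For the record, the actual fix is in the match: the removed SFTP code accepted any `working_path[1] == '~'` and then copied from offset 3, so "/~foo" came out as homedir + "/" + "oo", whereas the new `!memcmp(working_path, "/~/", 3)` rewrites only paths that really begin with "/~/" and passes "/~foo" through unchanged.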
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 64e4fb5809..a7f4f5748f 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-35260.patch \ file://CVE-2022-43552.patch \ file://CVE-2023-23916.patch \ + file://CVE-2023-27534.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
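Review bot: nothing to change in the SRC_URI hunk itself; the new entry follows CVE-2023-23916.patch in the same one-patch-per-line layout, and because the patch header carries a `CVE: CVE-2023-27534` tag the cve-check class will record the CVE as patched for curl 7.69.1 without any CVE_CHECK_WHITELIST change. The one thing to verify before merge is that the patch applies cleanly on top of the other backports listed above it, since it was rebased onto 7.69.1 rather than the tree the upstream commit was written against.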