From patchwork Tue Feb 25 20:56:24 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57876
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 01749C021B2
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:56:50 +0000 (UTC)
Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com
 [209.85.216.51])
 by mx.groups.io with SMTP id smtpd.web11.19969.1740517001399922107
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:41 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=hK/PhRRM;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.51,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f51.google.com with SMTP id
 98e67ed59e1d1-2fc4418c0e1so305226a91.1
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517001;
 x=1741121801; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=1sNhz6B7SNuFptpSxXYMmVb+23dBr9vW3b1Z9Hi/6+M=;
        b=hK/PhRRMSIsus5vXN6ogM+fChSTwWaQaTzGTMhd6RqEYO9FmOk9kPD+p8wJPy+JXep
         j4ts9mZZnMSsZgvM/AZN7Lvokebr/XmjVtcwbyz3ucsUY+UnoZifO/Yv8Ui6ae+DBD99
         6mihZ7/Et3o1gEovohx5Ag9MLR7fcps4jXp2x2DGNiHEOom4e3d+awgdgTLnN2kqA6Y0
         5uAEqIfLKIHDt9tx+yQcVm1TVncDyjE0HSeo6231ywMlpwjG7b0EJmEOWGE0sdxZt2Nh
         I7b2xBBlsravM6LC+doVawRin00iNW2iXvGr2dhb67mUKeDbHkz1Ci/9v8aw+XtBHEWw
         brCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517001; x=1741121801;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=1sNhz6B7SNuFptpSxXYMmVb+23dBr9vW3b1Z9Hi/6+M=;
        b=Lnt1zM9Dg0iFrCkywm1WVelLeRKTgqQiYzR8vSqiQfHV9b/kWGnr3qtyBlVnOVUO/R
         V0K6/FTC5TrVnD6N74slTG7ksVtOufMrE8CbXChGVoiAZxENDxkQEDEAA740nZ50aroc
         LHqyOHFU2ieeLzNb13zRkqH8m4bB7DRaCb5tuFSv6uxrxWqBRu1Sg/BAcRxSH7XbQt/B
         dJ+d493Vw99VDs7+vE5liA6gTMBgq4XOH0vdAhqZtYf2UBhG5WdLXlPjqVGn5e7u0gLp
         DHvdwz0UVYS21N7pHhlaq7qnEeUBijtK78jDq0TzwmNS3dFEop64RWiKrZZbZwZsMBJz
         GsdA==
X-Gm-Message-State: AOJu0YxnuK3nB3I5fVlHY0+9SrUfsjk29BotOGH6TGWIQw85JhLpe1gc
	sNFmo8o/hIAAX8WnGx47q2KSZ8T9GVhzGqJgkS1J0bX8TBBcVPIsB0clN3/QkZFI1fFgYAybfU1
	4
X-Gm-Gg: ASbGnctZRy/rAm1VwOqgSGQ0ZnmmfTyhXTKoA5hLcAfhbT1MiOZrnDj0iLNZA+9nZ5O
	wJJ6+kCp4T40kIn6LUnTBRJMOmAabaN3oGwN7fjKZEXBzrCSmpAk6GgR+A8h/fTTT5EI/86+c2d
	UCiu4UHaXa80KhW9EP3Wl07kCHYxiAy/KFuhIWLElYxe6nCvY0za+GTNlhZ13UCSUApNf1FvIEI
	D0Hd4cFax7X7UfJdIu9JC8Cs5+NgPvDstHnlaFtcVyOihaqY5k88EcOWLhdGvCIq+9Z5DA+3dly
	5Sskv+xfq9uO2gNQfA==
X-Google-Smtp-Source: 
 AGHT+IGUMlAswoBUm50mzaTglo1flmK6NgM66G593WaFxSyaSZk4nlLxSYK9dRGzTaekj/jrl4rHWA==
X-Received: by 2002:a17:90b:2792:b0:2fa:1e56:5d82 with SMTP id
 98e67ed59e1d1-2fce7b74fbbmr30990471a91.17.1740517000666;
        Tue, 25 Feb 2025 12:56:40 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.40
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:40 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/10] u-boot: fix CVE-2024-57254
Date: Tue, 25 Feb 2025 12:56:24 -0800
Message-ID: 
 <eea9fee59bc7576bef94f0da466887e4daff0356.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:56:50 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211925

From: Hongxu Jia <hongxu.jia@windriver.com>

An integer overflow in sqfs_inode_size in Das U-Boot before
2025.01-rc1 occurs in the symlink size calculation via a
crafted squashfs filesystem.

https://nvd.nist.gov/vuln/detail/CVE-2024-57254

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57254.patch         | 47 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  4 +-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
new file mode 100644
index 0000000000..be00121224
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57254.patch
@@ -0,0 +1,47 @@
+From 3f9deb424ecd6ecd50f165b42f0b0290d83853f5 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:45 +0200
+Subject: [PATCH 1/8] squashfs: Fix integer overflow in sqfs_inode_size()
+
+A carefully crafted squashfs filesystem can exhibit an extremly large
+inode size and overflow the calculation in sqfs_inode_size().
+As a consequence, the squashfs driver will read from wrong locations.
+
+Fix by using __builtin_add_overflow() to detect the overflow.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57254
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c8e929e5758999933f9e905049ef2bf3fe6b140d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs_inode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs_inode.c b/fs/squashfs/sqfs_inode.c
+index d25cfb53..bb3ccd37 100644
+--- a/fs/squashfs/sqfs_inode.c
++++ b/fs/squashfs/sqfs_inode.c
+@@ -78,11 +78,16 @@ int sqfs_inode_size(struct squashfs_base_inode *inode, u32 blk_size)
+ 
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE: {
++		int size;
++
+ 		struct squashfs_symlink_inode *symlink =
+ 			(struct squashfs_symlink_inode *)inode;
+ 
+-		return sizeof(*symlink) +
+-			get_unaligned_le32(&symlink->symlink_size);
++		if (__builtin_add_overflow(sizeof(*symlink),
++		    get_unaligned_le32(&symlink->symlink_size), &size))
++			return -EINVAL;
++
++		return size;
+ 	}
+ 
+ 	case SQFS_BLKDEV_TYPE:
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 1f17bd7d0a..9ce42e829f 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
 # repo during parse
 SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
 
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+           file://CVE-2024-57254.patch \
+"
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"

From patchwork Tue Feb 25 20:56:25 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57877
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1590CC021BE
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:56:50 +0000 (UTC)
Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com
 [209.85.214.182])
 by mx.groups.io with SMTP id smtpd.web10.19951.1740517002791022137
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:42 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=MbsK7YTX;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.182,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f182.google.com with SMTP id
 d9443c01a7336-221050f3f00so138647515ad.2
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517002;
 x=1741121802; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=ufnRetGq+/k2JheWvltkVw7DJrLIOlqBA1PUuAgPrvY=;
        b=MbsK7YTXuFvkJcodq1KKzSm1RPlYBMGd/vGVy3/UnBMogk8FMXLHvGzE2/ElAmMjJD
         p+PsgrJIIkJ/aeKoj5T/qggR/zJ4TbwamPeLKfUEU/5pzZoK/j6aJLps2qpjvRt5bg68
         ucCyIgY8EOsrTdKH+Hdl/8wxy4Xh90xsbRkjKfCTLE6ip3x48Fb78tLt2e8iyH07WwEJ
         IyxYd18BXYv9EPK0c+h9ciB5RKEVm6Y9dfJd7PNk7lTqDqxTeYfOOrePIP1pFybRWua0
         Ad1tIdBiMyTatM530CKD9UMqmExyX4V0uvQacnqkhQmQw6gB8O5vYLyqiGbDc7EyL6Gz
         VLbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517002; x=1741121802;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ufnRetGq+/k2JheWvltkVw7DJrLIOlqBA1PUuAgPrvY=;
        b=pH4/r3HOGA77N2K4D6ei2PXwlegCfeDMqIQY8cPF7l+buYPb+ytvro2w6Rqs/uHqvl
         vsqt9cDHHxPn+NWZnup19QXBOFQZ4YC4tt6ssm3gnwdbytEuGy9i9aWwKLrNTEUgZkSa
         kDg0SP/HS1h5ZAkHq9AVBvjLLtSUoRW+ijHF2AqKkgGEQb5JkgqlpfnpWQ4Oj8yxT1xQ
         yMF5QhDc/tQVgGUcvMqGerZZkiqGs/B2sHrKbQmE8gXQsCc28MpS+VwxlW/e5zGG0cex
         g9Uuj9EWpH/C3Tnp5XH8FVOEKYr7Jjq3E71WzXSkBJqidcGalcrQx+/xxO1C/+UA6Ig8
         XXHw==
X-Gm-Message-State: AOJu0YwDfuQicvD4/jBqmhduNwN++TAiXziovsGfVR4Qv70M5xLIPBJf
	G3TIj6LITJUcmeNsgRFgEafkx0IpalNVVyZ5x7mLRcijRSnf0xZEGzLargjzLMPWku8yqYaKL7n
	T
X-Gm-Gg: ASbGncvx5CSoZ94Y0+a3AYZz+xVX1AZTrjdRnbGOkrRb8stdDzSs4KAyKcmHq25Jk+9
	KsNpoZkyVGRM58Jaw9tkRR2M1JgTfUSgfZjrVuWpAx+Jjv3gL7dt/IbbcORXAY3KTIc9q0yIZkc
	x1jJgDWE/mtk4tRduW68oZJT0ULJVqRn8BQEmZ4PGLK3vRQNni7GEUFmpXBjMz9fiEZgV9uAI96
	sjLS4SjqgnuWQsUIWGH/rxFo7GVgTk+kK3UHZCqp86V99Q3Yl/agoXA4AFqUV8QTtb0GDOaEtqC
	U42A5iThfkGe9DMajg==
X-Google-Smtp-Source: 
 AGHT+IF/zUS8qqXeLOasXJ0MeBu5/ga9jsI7oUTJ5BoNG1jyS0AbTXEDVd7uUUFbKbyNxdS8QBhjCg==
X-Received: by 2002:a17:90b:2dc6:b0:2fa:1e3e:9be5 with SMTP id
 98e67ed59e1d1-2fe68a2df32mr8908374a91.0.1740517002057;
        Tue, 25 Feb 2025 12:56:42 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.41
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:41 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/10] u-boot: fix CVE-2024-57255
Date: Tue, 25 Feb 2025 12:56:25 -0800
Message-ID: 
 <c3784c108f003c6663ca969585414e4a90f06606.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:56:50 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211926

From: Hongxu Jia <hongxu.jia@windriver.com>

An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with an inode size of 0xffffffff,
resulting in a malloc of zero and resultant memory overwrite.

https://nvd.nist.gov/vuln/detail/CVE-2024-57255

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57255.patch         | 53 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
new file mode 100644
index 0000000000..4ca72da554
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57255.patch
@@ -0,0 +1,53 @@
+From 5d7ca74388544bf8c95e104517a9120e94bfe40d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:44 +0200
+Subject: [PATCH 2/8] squashfs: Fix integer overflow in sqfs_resolve_symlink()
+
+A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
+as a consequence malloc() will do a zero allocation.
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57255
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/233945eba63e24061dffeeaeb7cd6fe985278356]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 1430e671..16a07c06 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -422,8 +422,10 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ 	char *resolved, *target;
+ 	u32 sz;
+ 
+-	sz = get_unaligned_le32(&sym->symlink_size);
+-	target = malloc(sz + 1);
++	if (__builtin_add_overflow(get_unaligned_le32(&sym->symlink_size), 1, &sz))
++		return NULL;
++
++	target = malloc(sz);
+ 	if (!target)
+ 		return NULL;
+ 
+@@ -431,9 +433,9 @@ static char *sqfs_resolve_symlink(struct squashfs_symlink_inode *sym,
+ 	 * There is no trailling null byte in the symlink's target path, so a
+ 	 * copy is made and a '\0' is added at its end.
+ 	 */
+-	target[sz] = '\0';
++	target[sz - 1] = '\0';
+ 	/* Get target name (relative path) */
+-	strncpy(target, sym->symlink, sz);
++	strncpy(target, sym->symlink, sz - 1);
+ 
+ 	/* Relative -> absolute path conversion */
+ 	resolved = sqfs_get_abs_path(base_path, target);
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 9ce42e829f..e907edd2eb 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -16,6 +16,7 @@ SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
 
 SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
            file://CVE-2024-57254.patch \
+           file://CVE-2024-57255.patch \
 "
 
 S = "${WORKDIR}/git"

From patchwork Tue Feb 25 20:56:26 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57878
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1CD6FC18E7C
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:56:50 +0000 (UTC)
Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com
 [209.85.216.48])
 by mx.groups.io with SMTP id smtpd.web11.19970.1740517004270261391
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:44 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=edDiqOIB;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.48,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f48.google.com with SMTP id
 98e67ed59e1d1-2fbfa8c73a6so11982858a91.2
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517003;
 x=1741121803; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=dbEkiJQRvVGvexlWumXNWkO0oNUQo/IXFpe18YTFd+0=;
        b=edDiqOIB6+G0Xt1ODhD0Zv8jAbP47cM/Dt8TTf2w3+MMiqNVs5ZOt4EcGLGQdcYE4l
         X5/cvTd3ptkmNuNYhWmTbShAg1UNBJ+UkpTAgoL99qiEy2TnnweErodquhhfg3DZTsua
         9qiGux6bVf10TZoEDOvkW3B5SZmj3e8OCNEV0wO+BYjlXf3bQuLY5fg97XfPWpIoOSlt
         YJqmm/KNE8YTH0pjP8NVSdoJ9ohL4KPbmN9om6AdW7Vb2QvClUOKrNrJV7cKlEXLUhcH
         0+ZlxK9pS3irzZzIUXehYWMhnuQWOiY/3+/bcPWTW0Td758mGYvM2q+dvWgeCVG7OxwK
         4/vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517003; x=1741121803;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=dbEkiJQRvVGvexlWumXNWkO0oNUQo/IXFpe18YTFd+0=;
        b=aLwNHqgSEpzxF/9hhPUN8TDSWPeNTRGF4P+kGpPGrRkF4fD5r2InsXBZngQZYGjd1N
         5Aatis6MH/nG32BpxV9IVBRPR6GOA+st5fn8u8UmFUBB0WWxyF5wWkYkZIcr/wrwgZCc
         X5cC4B+EiN7SD6wpYabYzz6AJt5LHsN/gVG+wXZbsE6nPRHahW7H5JYtCoijD05hNOaO
         1t17k3Rpu9l/k3UyXyMe7KPCh+K8bem6oGkBwmdsn1uPfi2fBQuTRr0DxRZ9/FmWS2G4
         9kvWIJ2Y/C7OH1qd2hfg9QSjR2wACLxKFeo7+fqi4K6WnpNG3GNLyekPGoQX2y8mkUBf
         5USg==
X-Gm-Message-State: AOJu0Yxxvovg1rC/hDiwPxR8xW3GmQwK143NwHv/Hzc7YcNxBuLCP9s6
	CozGdLh3KLiAUtXmdCZBO57gWiLUWi/D5IfL3JYKhPSDZmR6nIoxQlqGpgmk88xGT+k6mkd+lIA
	i
X-Gm-Gg: ASbGncvL2PzMFMaxfcAC6IwP7RSkj3Pyxc5Oajmm4XLelmXfNckfwUNV3+pBFOp0YN5
	NJc4AbHDXIyOwxnWVhoCkV2xDZb+rjM96lLBezZMJ2B2/JRuuV523lF1mGuy89xszlqKY6GgNC5
	lj4vm7IvREzUc7Pq23uW9SC//Q7OCMfYZzT0ewcjhzWcm1BpWvhEvz1TPzywYWGEeXrNhsMG/VP
	0DUqBDt2Z0twm4sEXczLezeBEZckHnCHWwFy6YDRuJ2JwgDm1jlbJQ4jmoSZsWqWMJ0MWBJfDEH
	xQdg/E4FhblXe2ryZA==
X-Google-Smtp-Source: 
 AGHT+IHssDdzJbIv9szohzcFmQBM/6cCXBQzj9BV/RcMTva7n6Xiz97woe6XUr30g8pIZaDC6/1f0g==
X-Received: by 2002:a17:90b:2242:b0:2ee:ee77:2263 with SMTP id
 98e67ed59e1d1-2fce868c4f9mr32649158a91.7.1740517003396;
        Tue, 25 Feb 2025 12:56:43 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.42
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:43 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/10] u-boot: fix CVE-2024-57256
Date: Tue, 25 Feb 2025 12:56:26 -0800
Message-ID: 
 <21e6ac6e53112b9dddc5a84f27be5851469b9c46.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:56:50 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211927

From: Hongxu Jia <hongxu.jia@windriver.com>

An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1
occurs for zalloc (adding one to an le32 variable) via a crafted ext4
filesystem with an inode size of 0xffffffff, resulting in a malloc of
zero and resultant memory overwrite.

https://nvd.nist.gov/vuln/detail/CVE-2024-57256

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57256.patch         | 51 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
new file mode 100644
index 0000000000..78cf4ac225
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57256.patch
@@ -0,0 +1,51 @@
+From 49cab731abe7a98db4ac16666e3b5ab3bc799282 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 9 Aug 2024 11:54:28 +0200
+Subject: [PATCH 3/8] ext4: Fix integer overflow in ext4fs_read_symlink()
+
+While zalloc() takes a size_t type, adding 1 to the le32 variable
+will overflow.
+A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
+and as consequence zalloc() will do a zero allocation.
+
+Later in the function the inode size is again used for copying data.
+So an attacker can overwrite memory.
+
+Avoid the overflow by using the __builtin_add_overflow() helper.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+
+CVE: CVE-2024-57256
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/35f75d2a46e5859138c83a75cd2f4141c5479ab9]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/ext4/ext4_common.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ext4_common.c b/fs/ext4/ext4_common.c
+index f50de7c0..a7798296 100644
+--- a/fs/ext4/ext4_common.c
++++ b/fs/ext4/ext4_common.c
+@@ -2188,13 +2188,18 @@ static char *ext4fs_read_symlink(struct ext2fs_node *node)
+ 	struct ext2fs_node *diro = node;
+ 	int status;
+ 	loff_t actread;
++	size_t alloc_size;
+ 
+ 	if (!diro->inode_read) {
+ 		status = ext4fs_read_inode(diro->data, diro->ino, &diro->inode);
+ 		if (status == 0)
+ 			return NULL;
+ 	}
+-	symlink = zalloc(le32_to_cpu(diro->inode.size) + 1);
++
++	if (__builtin_add_overflow(le32_to_cpu(diro->inode.size), 1, &alloc_size))
++		return NULL;
++
++	symlink = zalloc(alloc_size);
+ 	if (!symlink)
+ 		return NULL;
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index e907edd2eb..097ef685e9 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -17,6 +17,7 @@ SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
 SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
            file://CVE-2024-57254.patch \
            file://CVE-2024-57255.patch \
+           file://CVE-2024-57256.patch \
 "
 
 S = "${WORKDIR}/git"

From patchwork Tue Feb 25 20:56:27 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57880
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2C339C197BF
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:56:50 +0000 (UTC)
Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com
 [209.85.216.53])
 by mx.groups.io with SMTP id smtpd.web11.19972.1740517005849937733
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:45 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=cATU0XvB;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.53,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f53.google.com with SMTP id
 98e67ed59e1d1-2fa5af6d743so9445751a91.3
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517005;
 x=1741121805; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=28/MvCg5g/jB5W5n0HlcxUJecJ7HTloTNa2Us2d2C+M=;
        b=cATU0XvB2fvX/CE5cyGWUJAHR7hFkYvVwVBi5XK1r6zKIxKB2PTGOYRDoV7hGMyjOQ
         01eNiLwJoL7UEqvb/KPvlloqwr5PdLK94IK9iLY/Ik8TX+WOyf15HWBo1hIApcaC8uYE
         go9Jj2Wgd/EKzbMTnPqxbVpgOtI/DyG5GSks2xvyoFhbr6mYcZuK10OfY1vATlgtrcCw
         VrYibL1RNAfWXXvIRaZTjp97cq91aPMAndXeJpCLyp61rg7lXRrvi2uynqHHuOTJQlCT
         StThqwbQAcfL0qqNx/v1q/6mZFMCoiVmq9KMBbrEIhEvOeuVxPOoSo//MQ1P4ANr4Cg/
         kjFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517005; x=1741121805;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=28/MvCg5g/jB5W5n0HlcxUJecJ7HTloTNa2Us2d2C+M=;
        b=KNtZZ00rDf6Tp+UCFHiKEof9Tog9s9Wv6wtN7sYMNZkY0RbXduwTKfWCV3za3I1b8y
         +kscWbimTgtk3j3fAy13LAtuPH+vBYl37ZWcL5Asf0M1cr37S2mLnqBHIcRrPzwaA3+C
         DYzacmGdN4zuwemB8T68257jdlNs7Eted9+RQDqbYAQ3x/YccJo/aMGd++4BaLEE4Gnt
         ch5kiwfx2T6X1clKHpzxA//uhR2Vt6MCX/8F8Is+vxkzoUlxKZGdgFRu2S80WOEcJqAS
         6//DYVEgKFXm5L6isOYvk6cdtLGi7+0GPAnb3VKqJkQWqSKjnwBY9I2qWKAidAH2ieop
         wZGA==
X-Gm-Message-State: AOJu0Yzgmc+LoIbkGHoqHHBgb30M0GAmcpCF0gcPbl7z99KyF+f54xJ0
	i+BraPb1XgJTHdKrZER3c2TCfN8lGsx31UXF+ZbBOyE0Hmi4Z4/MDOkk8AVYazr6jUIpAprQVIN
	U
X-Gm-Gg: ASbGncstJCtrosyIWwzHd9NB5E894q/RQ4HafNAdvhemmYOhEL/DdNW3Rt9eDIjZ2Rm
	RD2uuAA2Uxel5LMJo9qiNCHkZ1RffNQBxpUB6vw6/20p2acmrV4gUDQRAPIx+WsrezGXmZvfSnZ
	rB62vLp5yc3T9M8fSHVk2uzK9v8cXXutZjjQ0+0uUO00kr25aq7SYeq7N5+hf9AjYFw6Po03fCv
	mrEB7JeHMFQtYEYpCM2oP0beslot+3Ddl1DHgxgBPa5uvZlhSZkwLq7aPPemHVbfVlxi5zwsP2V
	KWvBmOddD+RQVnNWkA==
X-Google-Smtp-Source: 
 AGHT+IHg1sh/POAMaQMJDIOh04ButF0WlvXDkCWoi+h4DTEW4PY9hE3Mud9HJIem4F9WlPvoJ1fssA==
X-Received: by 2002:a17:90b:4ecf:b0:2ee:f19b:86e5 with SMTP id
 98e67ed59e1d1-2fe68ada443mr8695066a91.14.1740517005018;
        Tue, 25 Feb 2025 12:56:45 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.44
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:44 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 04/10] u-boot: fix CVE-2024-57257
Date: Tue, 25 Feb 2025 12:56:27 -0800
Message-ID: 
 <890597539246c0f2b427d60965d5665cf7f4731c.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:56:50 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211928

From: Hongxu Jia <hongxu.jia@windriver.com>

A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with deep symlink nesting.

https://nvd.nist.gov/vuln/detail/CVE-2024-57257

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57257.patch         | 227 ++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |   1 +
 2 files changed, 228 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
new file mode 100644
index 0000000000..bfffcafa43
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57257.patch
@@ -0,0 +1,227 @@
+From 4eb527c473068953f90ea65b33046a25140e0a89 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 18:36:47 +0200
+Subject: [PATCH 4/8] squashfs: Fix stack overflow while symlink resolving
+
+The squashfs driver blindly follows symlinks, and calls sqfs_size()
+recursively. So an attacker can create a crafted filesystem and with
+a deep enough nesting level a stack overflow can be achieved.
+
+Fix by limiting the nesting level to 8.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57257
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/4f5cc096bfd0a591f8a11e86999e3d90a9484c34]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 76 +++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 61 insertions(+), 15 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index 16a07c06..a5b7890e 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -24,7 +24,12 @@
+ #include "sqfs_filesystem.h"
+ #include "sqfs_utils.h"
+ 
++#define MAX_SYMLINK_NEST 8
++
+ static struct squashfs_ctxt ctxt;
++static int symlinknest;
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp);
+ 
+ static int sqfs_disk_read(__u32 block, __u32 nr_blocks, void *buf)
+ {
+@@ -508,7 +513,7 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 			goto out;
+ 		}
+ 
+-		while (!sqfs_readdir(dirsp, &dent)) {
++		while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 			ret = strcmp(dent->name, token_list[j]);
+ 			if (!ret)
+ 				break;
+@@ -533,6 +538,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 
+ 		/* Check for symbolic link and inode type sanity */
+ 		if (get_unaligned_le16(&dir->inode_type) == SQFS_SYMLINK_TYPE) {
++			if (++symlinknest == MAX_SYMLINK_NEST) {
++				ret = -ELOOP;
++				goto out;
++			}
++
+ 			sym = (struct squashfs_symlink_inode *)table;
+ 			/* Get first j + 1 tokens */
+ 			path = sqfs_concat_tokens(token_list, j + 1);
+@@ -880,7 +890,7 @@ out:
+ 	return metablks_count;
+ }
+ 
+-int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++static int sqfs_opendir_nest(const char *filename, struct fs_dir_stream **dirsp)
+ {
+ 	unsigned char *inode_table = NULL, *dir_table = NULL;
+ 	int j, token_count = 0, ret = 0, metablks_count;
+@@ -975,7 +985,19 @@ out:
+ 	return ret;
+ }
+ 
++int sqfs_opendir(const char *filename, struct fs_dir_stream **dirsp)
++{
++	symlinknest = 0;
++	return sqfs_opendir_nest(filename, dirsp);
++}
++
+ int sqfs_readdir(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
++{
++	symlinknest = 0;
++	return sqfs_readdir_nest(fs_dirs, dentp);
++}
++
++static int sqfs_readdir_nest(struct fs_dir_stream *fs_dirs, struct fs_dirent **dentp)
+ {
+ 	struct squashfs_super_block *sblk = ctxt.sblk;
+ 	struct squashfs_dir_stream *dirs;
+@@ -1319,8 +1341,8 @@ static int sqfs_get_lregfile_info(struct squashfs_lreg_inode *lreg,
+ 	return datablk_count;
+ }
+ 
+-int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+-	      loff_t *actread)
++static int sqfs_read_nest(const char *filename, void *buf, loff_t offset,
++			  loff_t len, loff_t *actread)
+ {
+ 	char *dir = NULL, *fragment_block, *datablock = NULL;
+ 	char *fragment = NULL, *file = NULL, *resolved, *data;
+@@ -1350,11 +1372,11 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 	}
+ 
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+ 	sqfs_split_path(&file, &dir, filename);
+-	ret = sqfs_opendir(dir, &dirsp);
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		goto out;
+ 	}
+@@ -1362,7 +1384,7 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+ 	/* For now, only regular files are able to be loaded */
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1411,9 +1433,14 @@ int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
+ 		break;
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE:
++		if (++symlinknest == MAX_SYMLINK_NEST) {
++			ret = -ELOOP;
++			goto out;
++		}
++
+ 		symlink = (struct squashfs_symlink_inode *)ipos;
+ 		resolved = sqfs_resolve_symlink(symlink, filename);
+-		ret = sqfs_read(resolved, buf, offset, len, actread);
++		ret = sqfs_read_nest(resolved, buf, offset, len, actread);
+ 		free(resolved);
+ 		goto out;
+ 	case SQFS_BLKDEV_TYPE:
+@@ -1584,7 +1611,14 @@ out:
+ 	return ret;
+ }
+ 
+-int sqfs_size(const char *filename, loff_t *size)
++int sqfs_read(const char *filename, void *buf, loff_t offset, loff_t len,
++	      loff_t *actread)
++{
++	symlinknest = 0;
++	return sqfs_read_nest(filename, buf, offset, len, actread);
++}
++
++static int sqfs_size_nest(const char *filename, loff_t *size)
+ {
+ 	struct squashfs_super_block *sblk = ctxt.sblk;
+ 	struct squashfs_symlink_inode *symlink;
+@@ -1600,10 +1634,10 @@ int sqfs_size(const char *filename, loff_t *size)
+ 
+ 	sqfs_split_path(&file, &dir, filename);
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+-	ret = sqfs_opendir(dir, &dirsp);
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		ret = -EINVAL;
+ 		goto free_strings;
+@@ -1611,7 +1645,7 @@ int sqfs_size(const char *filename, loff_t *size)
+ 
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1644,6 +1678,11 @@ int sqfs_size(const char *filename, loff_t *size)
+ 		break;
+ 	case SQFS_SYMLINK_TYPE:
+ 	case SQFS_LSYMLINK_TYPE:
++		if (++symlinknest == MAX_SYMLINK_NEST) {
++			*size = 0;
++			return -ELOOP;
++		}
++
+ 		symlink = (struct squashfs_symlink_inode *)ipos;
+ 		resolved = sqfs_resolve_symlink(symlink, filename);
+ 		ret = sqfs_size(resolved, size);
+@@ -1683,10 +1722,11 @@ int sqfs_exists(const char *filename)
+ 
+ 	sqfs_split_path(&file, &dir, filename);
+ 	/*
+-	 * sqfs_opendir will uncompress inode and directory tables, and will
++	 * sqfs_opendir_nest will uncompress inode and directory tables, and will
+ 	 * return a pointer to the directory that contains the requested file.
+ 	 */
+-	ret = sqfs_opendir(dir, &dirsp);
++	symlinknest = 0;
++	ret = sqfs_opendir_nest(dir, &dirsp);
+ 	if (ret) {
+ 		ret = -EINVAL;
+ 		goto free_strings;
+@@ -1694,7 +1734,7 @@ int sqfs_exists(const char *filename)
+ 
+ 	dirs = (struct squashfs_dir_stream *)dirsp;
+ 
+-	while (!sqfs_readdir(dirsp, &dent)) {
++	while (!sqfs_readdir_nest(dirsp, &dent)) {
+ 		ret = strcmp(dent->name, file);
+ 		if (!ret)
+ 			break;
+@@ -1711,6 +1751,12 @@ free_strings:
+ 	return ret == 0;
+ }
+ 
++int sqfs_size(const char *filename, loff_t *size)
++{
++	symlinknest = 0;
++	return sqfs_size_nest(filename, size);
++}
++
+ void sqfs_close(void)
+ {
+ 	sqfs_decompressor_cleanup(&ctxt);
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 097ef685e9..ec3b4d8fdf 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -18,6 +18,7 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
            file://CVE-2024-57254.patch \
            file://CVE-2024-57255.patch \
            file://CVE-2024-57256.patch \
+           file://CVE-2024-57257.patch \
 "
 
 S = "${WORKDIR}/git"

From patchwork Tue Feb 25 20:56:28 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57881
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2BA1CC19777
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:56:50 +0000 (UTC)
Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com
 [209.85.216.54])
 by mx.groups.io with SMTP id smtpd.web11.19973.1740517007289286655
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:47 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=1TI3xIMG;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.54,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f54.google.com with SMTP id
 98e67ed59e1d1-2fc6272259cso9838804a91.0
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517006;
 x=1741121806; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=46AbDG+UpKYhhIw384h+uELviFq3CNie02sbTZgtwjU=;
        b=1TI3xIMGoBi1lcUJzbj+2hpTWT9G7OZq708+SbD3SkJQbWI1AaZG9bMSv/RG5Fpy8E
         YbqfBCvjPuwzpq49vEDlMqQkgx5cdWVl1QbE6xbOvrmoIucGV+u6UjClpHXJ+/Iayj2M
         wnHfwjxy7X17394J4qzwqTMAstVuiF1fbG77Clkjoe/ntziRil+0TW1V6/TNmuUogvzR
         0f4E1GvgrbEcET5wAyTkKr1fCsAn3IiOd7ZKT/qHwsWztqth6APqvNF8tjfIkOfh2TQT
         vcBgiz8w85CscCCLFHG73bV1FalEKSGfHg7v859ALHO66XLK735iVkG/Fz5JpfkKHPWf
         qIwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517006; x=1741121806;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=46AbDG+UpKYhhIw384h+uELviFq3CNie02sbTZgtwjU=;
        b=go3cuwNGfjzJgwoM9tg203ouco790WlAEEV7a+uQLI8P6gPTRciaeV5M2J1MGZ6MVY
         qMfUluENgIxUpvMLnAi1GpSjOCwqbwtmvBzNFp1fPjKeifPgEblSzcD2SZia9tqZNYq1
         ZByNZVkO/2P8Sdo5CcXNmovbZr/cz/JoR1k3Aq1jD+62zapgBwfpiUMrdcLSR5ddPYHh
         ZZTtGqokoGml0ZOKkECUuko8Xjewj1YAQdqtabHca9yKydqb80GOAKywpLQbEU5THab1
         n8/0GqmNtDS4XP37jPHuahdSgjLTARkt/wfH2Nd+gQtnMj7X57jYEyxeaSe1sMstdNSY
         ks3Q==
X-Gm-Message-State: AOJu0YyTsqaUD4UYTi6Ep+Hxr2cLbK8SkA7ENDQskJiplOK1rqsFdXqR
	trXiwOfXL7ghgE2k8h96Hjph8fC+llUECLqh3fD42tYDXsOGatKvbkedrTpSJLqeCTr6EGfCLTX
	f
X-Gm-Gg: ASbGncuHaArkGXNOBD9INU9di/YyGesdBBiYXL/QAOvjvuEwuI67Y+2wikL4MYG4ao7
	Sp4F8I+EG8YrEobpw93UO59r9S9PtlUjYhUY+w3aZOdJgXgIgvWU9DNR0drPYqRzRmdLrhJ4COv
	I0aSmoY8HZmIHkfA2orSkFzNAJ/ERaVP2/thOIl6OnuoM9oosGTII/vjbeTk5udL1Bi+KoXSDVw
	XMPziLlvcNUlU7LDCD6mtXUgYE0F5i0B4nlS1d7CnkALFm/aVwvA5nYH/XD18Lsz5aG5LGBhapq
	fReYLXyQgvm5pz8t+w==
X-Google-Smtp-Source: 
 AGHT+IGYs2/qnLGA7fDjdFqzRo8d7yUlty742nNO/18UYGw+wL+4Xz7QNhXYu8CmEFIIcwYUmjhuWA==
X-Received: by 2002:a17:90a:c88d:b0:2f4:f7f8:fc8b with SMTP id
 98e67ed59e1d1-2fe68bff7b9mr7177219a91.27.1740517006544;
        Tue, 25 Feb 2025 12:56:46 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.45
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:46 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 05/10] u-boot: fix CVE-2024-57258
Date: Tue, 25 Feb 2025 12:56:28 -0800
Message-ID: 
 <12e1d55ae2427b6aaca6a1f7d8f947f0d6bbd28d.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:56:50 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211929

From: Hongxu Jia <hongxu.jia@windriver.com>

Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1
occur for a crafted squashfs filesystem via sbrk, via request2size,
or because ptrdiff_t is mishandled on x86_64.

https://nvd.nist.gov/vuln/detail/CVE-2024-57258

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57258-1.patch       | 47 +++++++++++++++++++
 .../u-boot/files/CVE-2024-57258-2.patch       | 43 +++++++++++++++++
 .../u-boot/files/CVE-2024-57258-3.patch       | 40 ++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  3 ++
 4 files changed, 133 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
new file mode 100644
index 0000000000..d33a4260ba
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-1.patch
@@ -0,0 +1,47 @@
+From 50ab41c3628dedeca1a331dd86dd203b73faea74 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:45 +0200
+Subject: [PATCH 5/8] dlmalloc: Fix integer overflow in sbrk()
+
+Make sure that the new break is within mem_malloc_start
+and mem_malloc_end before making progress.
+ulong new = old + increment; can overflow for extremely large
+increment values and memset() can get wrongly called.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/0a10b49206a29b4aa2f80233a3e53ca0466bb0b3]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index de3f0422..bae2a27c 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -591,6 +591,9 @@ void *sbrk(ptrdiff_t increment)
+ 	ulong old = mem_malloc_brk;
+ 	ulong new = old + increment;
+ 
++	if ((new < mem_malloc_start) || (new > mem_malloc_end))
++		return (void *)MORECORE_FAILURE;
++
+ 	/*
+ 	 * if we are giving memory back make sure we clear it out since
+ 	 * we set MORECORE_CLEARS to 1
+@@ -598,9 +601,6 @@ void *sbrk(ptrdiff_t increment)
+ 	if (increment < 0)
+ 		memset((void *)new, 0, -increment);
+ 
+-	if ((new < mem_malloc_start) || (new > mem_malloc_end))
+-		return (void *)MORECORE_FAILURE;
+-
+ 	mem_malloc_brk = new;
+ 
+ 	return (void *)old;
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
new file mode 100644
index 0000000000..688e2c64d8
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-2.patch
@@ -0,0 +1,43 @@
+From db7c626204f488a802a2e58b7a788b11fde6be7d Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:44 +0200
+Subject: [PATCH 6/8] dlmalloc: Fix integer overflow in request2size()
+
+req is of type size_t, casting it to long opens the door
+for an integer overflow.
+Values between LONG_MAX - (SIZE_SZ + MALLOC_ALIGN_MASK) - 1 and LONG_MAX
+cause and overflow such that request2size() returns MINSIZE.
+
+Fix by removing the cast.
+The origin of the cast is unclear, it's in u-boot and ppcboot since ever
+and predates the CVS history.
+Doug Lea's original dlmalloc implementation also doesn't have it.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/8642b2178d2c4002c99a0b69a845a48f2ae2706f]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ common/dlmalloc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/common/dlmalloc.c b/common/dlmalloc.c
+index bae2a27c..1ac4ee9f 100644
+--- a/common/dlmalloc.c
++++ b/common/dlmalloc.c
+@@ -379,8 +379,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ /* pad request bytes into a usable size */
+ 
+ #define request2size(req) \
+- (((long)((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
+-  (long)(MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
++ ((((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) < \
++  (MINSIZE + MALLOC_ALIGN_MASK)) ? MINSIZE : \
+    (((req) + (SIZE_SZ + MALLOC_ALIGN_MASK)) & ~(MALLOC_ALIGN_MASK)))
+ 
+ /* Check if m has acceptable alignment */
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
new file mode 100644
index 0000000000..2c8a7c9d91
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57258-3.patch
@@ -0,0 +1,40 @@
+From 37095a204127b60b5e00c4c5d435d6e48a6a1c51 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 12:08:43 +0200
+Subject: [PATCH 7/8] x86: Fix ptrdiff_t for x86_64
+
+sbrk() assumes ptrdiff_t is large enough to enlarge/shrink the heap
+by LONG_MIN/LONG_MAX.
+So, use the long type, also to match the rest of the Linux ecosystem.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Simon Glass <sjg@chromium.org>
+
+CVE: CVE-2024-57258
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/c17b2a05dd50a3ba437e6373093a0d6a359cdee0]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ arch/x86/include/asm/posix_types.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/posix_types.h b/arch/x86/include/asm/posix_types.h
+index dbcea7f4..e1ed9bca 100644
+--- a/arch/x86/include/asm/posix_types.h
++++ b/arch/x86/include/asm/posix_types.h
+@@ -20,11 +20,12 @@ typedef unsigned short	__kernel_gid_t;
+ #if defined(__x86_64__)
+ typedef unsigned long	__kernel_size_t;
+ typedef long		__kernel_ssize_t;
++typedef long		__kernel_ptrdiff_t;
+ #else
+ typedef unsigned int	__kernel_size_t;
+ typedef int		__kernel_ssize_t;
+-#endif
+ typedef int		__kernel_ptrdiff_t;
++#endif
+ typedef long		__kernel_time_t;
+ typedef long		__kernel_suseconds_t;
+ typedef long		__kernel_clock_t;
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index ec3b4d8fdf..d3af17f82b 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -19,6 +19,9 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
            file://CVE-2024-57255.patch \
            file://CVE-2024-57256.patch \
            file://CVE-2024-57257.patch \
+           file://CVE-2024-57258-1.patch \
+           file://CVE-2024-57258-2.patch \
+           file://CVE-2024-57258-3.patch \
 "
 
 S = "${WORKDIR}/git"

From patchwork Tue Feb 25 20:56:29 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57875
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0460BC021BB
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:56:50 +0000 (UTC)
Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com
 [209.85.216.51])
 by mx.groups.io with SMTP id smtpd.web10.19952.1740517008792675277
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:48 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=GQsNzY9A;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.51,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f51.google.com with SMTP id
 98e67ed59e1d1-2fa8ada6662so12001833a91.1
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517008;
 x=1741121808; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=k35+yDCoj/NO1SJ5B7NyXM5nsiayhurrbygb4jHOzF4=;
        b=GQsNzY9AX+eqfzVvvX1mPK5fm1kbyFYg1TKMWrMWvsqBJpCZTOwfFH5en8bip6aQXm
         hjWcrfXsCCYUjFwqNat5kB/o4lE7QJa91DBGEyjfpTw4dA7jOOPhrQsSgaIIpjMCEQP/
         rV6XdGvwFcIbyjU8c+oteibZdKEWV35NMNJoax4nFnB2TjltgM6HJYT4sUiZHCCQr7Rl
         AjSVIrfId2ZIm9gqaMwNBzstpqUZI7e4wPQu0ACWGzg14zLpPCjFLfGLyxJWWK8b2W9d
         8GkhafB2j/S5ai4o/NG3O/rveJqMlsJfBJZdvhLrU9tEohkH32cWOUi0a4PsRxaicgKs
         7WMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517008; x=1741121808;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=k35+yDCoj/NO1SJ5B7NyXM5nsiayhurrbygb4jHOzF4=;
        b=O+G2whcaB0YDzfqYUenjAsGfoBXM3jYJU8L5SsaM7/AZKS6GQ+rWWtLnJV8qKyqCYx
         GasQUeNsjunZs1SooToRVjO3h0JcXuMkZiZ0IfjJA29LgY6JHXjZ6+mvwuc0nP+1Ltci
         SN22lNsoiWhUCivt6ctwMZoIqLJdLwtwflUFgXiN6yYtKdOcucxgD9xb7atxjB65m6dx
         pEgZKbUA0CjKiDFdMCYfhQRRFQdgOeA9GFRkB0qKT/yzoerIiArUbEsWvRhQwysHlR79
         1fk3g6azErVo7gTdkJrz0lw4gY0y4/L+HJ51Jb4+HwOTdzX8Tq/44NszEPMGQTjLcTYz
         Yc3w==
X-Gm-Message-State: AOJu0YyzpPiqR0/fge94ELd1YpH/DuZCJigtg4QQa5kD30htVPmPVwcO
	k+h73vlq1Wz3vE7UUiDoyjMVM2nX9UvOZhkPW6l73i4O53KTZBuv4V/PFLsAYrO6ld3sTk/ahr8
	R
X-Gm-Gg: ASbGncth8ghIj+ODQPKYP3IRjFHatYV2krkXODlcXcx/gyjKB4kRrpGTIRHR84wh9FB
	4hQY7AHTRjqQXMvImml/jLydQMvOKQRfUwQh85E2xyjqvryvUmbR48TGgUMnHYitoeMPysIb26r
	uHslqh79zJdaPnipJVUNhEftZfHO78JxGLaxI8fZCgQ7g7vrh7jIqt0J1LR4/9WXPnkVuXqHUvo
	uqyJywWW+1oO3YKDlRv/Ht1ffkH2GU49AspD1CMYjYukaHZcsB2sIpIhkLcp/5mlYXmL/1xem+g
	n0iroGfBsU9UeRiD2g==
X-Google-Smtp-Source: 
 AGHT+IHaKMzqNJlfUGsgbvLjySAa9mbuBLTXF6LDunv5QKRGhetKY0rVC88OsbB4uYX73qVwKHocQg==
X-Received: by 2002:a17:90b:548f:b0:2ee:5958:828 with SMTP id
 98e67ed59e1d1-2fce86adf6cmr33130477a91.9.1740517008039;
        Tue, 25 Feb 2025 12:56:48 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.47
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:47 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 06/10] u-boot: fix CVE-2024-57259
Date: Tue, 25 Feb 2025 12:56:29 -0800
Message-ID: 
 <8fad176e6258a44d1ba1eed224cd27745b6a57cf.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:56:50 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211930

From: Hongxu Jia <hongxu.jia@windriver.com>

sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error
and resultant heap memory corruption for squashfs directory listing because the
path separator is not considered in a size calculation.

https://nvd.nist.gov/vuln/detail/CVE-2024-57259

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../u-boot/files/CVE-2024-57259.patch         | 41 +++++++++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
new file mode 100644
index 0000000000..fdf5fdfce4
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2024-57259.patch
@@ -0,0 +1,41 @@
+From 2c08fe306c6cbc60ec4beb434c71e56bb7abb678 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger <richard@nod.at>
+Date: Fri, 2 Aug 2024 22:05:09 +0200
+Subject: [PATCH 8/8] squashfs: Fix heap corruption in sqfs_search_dir()
+
+res needs to be large enough to store both strings rem and target,
+plus the path separator and the terminator.
+Currently the space for the path separator is not accounted, so
+the heap is corrupted by one byte.
+
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+
+CVE: CVE-2024-57259
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/squashfs/sqfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
+index a5b7890e..1bd9b2a4 100644
+--- a/fs/squashfs/sqfs.c
++++ b/fs/squashfs/sqfs.c
+@@ -563,8 +563,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
+ 				ret = -ENOMEM;
+ 				goto out;
+ 			}
+-			/* Concatenate remaining tokens and symlink's target */
+-			res = malloc(strlen(rem) + strlen(target) + 1);
++			/*
++			 * Concatenate remaining tokens and symlink's target.
++			 * Allocate enough space for rem, target, '/' and '\0'.
++			 */
++			res = malloc(strlen(rem) + strlen(target) + 2);
+ 			if (!res) {
+ 				ret = -ENOMEM;
+ 				goto out;
+-- 
+2.34.1
+
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index d3af17f82b..3a48b63c42 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -22,6 +22,7 @@ SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
            file://CVE-2024-57258-1.patch \
            file://CVE-2024-57258-2.patch \
            file://CVE-2024-57258-3.patch \
+           file://CVE-2024-57259.patch \
 "
 
 S = "${WORKDIR}/git"

From patchwork Tue Feb 25 20:56:30 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57885
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 21983C021B8
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:57:00 +0000 (UTC)
Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com
 [209.85.216.49])
 by mx.groups.io with SMTP id smtpd.web11.19975.1740517009998524841
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:50 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=lGTAx1IF;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.49,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f49.google.com with SMTP id
 98e67ed59e1d1-2fcf3a69c3cso6467646a91.1
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517009;
 x=1741121809; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=88Io/O0nFBkp6yvy6xlyU8BYx991rnq5h2lqj7Vlk0Q=;
        b=lGTAx1IFv/mwSwNmM5+x8xnEdOAd2QS6XMwjRfT1vrKxqAB8ny75OAoKmX5OiC74P+
         3K2TLy/M1/FZPh/w+5F0LekL+1ha6aLCeaTb9VthXaQRKPlCfiyXo/iAU6UVIvireVM2
         SfJrPtmYmcRyvWaalG9rbEBm1pQKBY1BjQoYZtFGqro+fC8Hpqxfw2BR68BvOfHRbofu
         qIH5UqB89DU6F0/dYP8fdXC7dxqZvTYov/yf/JZrKAjR1qTkASfoPvkrf6g75fWggJ7/
         3MWW1lRe1lQXq5m8edRyDAiTERlI60fUb+dgOI4DqXJFXX1zfcClMYgk0zvh2n42Bb2A
         J3/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517009; x=1741121809;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=88Io/O0nFBkp6yvy6xlyU8BYx991rnq5h2lqj7Vlk0Q=;
        b=aFJySZ32VHE0IHVeZElSP14PSjMC5KO/+ncM0YcNksYWLFuYTMiFw+9DdfV0OjwmyC
         mO5Q8QDgnm3LA+uRjgXRwGSpAMllFALVJOVPnRab8EMEn0r8088gFQys6phj1AQK8V8U
         gsU5/O8SdWpCZsQlxl2FQ3ElbFjJ45FD4aR/vCy3GbZociwAewL0++/+HSQcK3zlpdVA
         MvSwYOaI/E2CtiV56m8J4GCnLuNeW93X7Kp6CB/JoekUO0G8aulW8AhwhmIEsJ5M/cy4
         mT7AUXx1XZDE3NgB2y6LN93m7cqm2Z8G6H0SJtKjtdEKPsRjipZohGVokGhEiCR7DVxJ
         1/6Q==
X-Gm-Message-State: AOJu0YwruF5XbgDSb03B5AG8JklaEesnDiCyzdluAKcksfex5JoyLmrj
	TNURmFLJRlJ6DqVHMSivhSU68yMPp7rqVY3Z2pprENkZa0lGQpOl6TO0AzSjgsMEBk/sLTNmgdG
	l
X-Gm-Gg: ASbGnctMwxw3hrwhRy8nhfKmKu5ZX7OhpXzhIeryJI+GC5l41jVRaEaBXL971v9T6aH
	hj6PM58q116Jww8HAOiQ3WJgv+x9wxcbOl31OorLfObHagtVSNqPXvZ8Hlw4avb+Diw/9ykzuVE
	+OD22fxKlsTcK4iUCkHfNZI5CCYpAWwDDSb8QeYahXhQWuWEYZMRRSwOxtmPPTVkHMs5Gd+ixXk
	dXB/KvYvlS/fb/QEU6o3YkuIGcP1D1KkWxzcZlweNzpcyARQzCWXiW3xpkcln4C1EB5XB/SEC0k
	A3OCa/f7t7ifSgt4Zg==
X-Google-Smtp-Source: 
 AGHT+IEZ6/utb/owy1wUr52m5jwt/UdOYYKQv2ChuZ+0zr3RhNgFKZZgjGZo+TtO8e7UR97dTIPiRQ==
X-Received: by 2002:a17:90a:d00f:b0:2fa:f8d:65e7 with SMTP id
 98e67ed59e1d1-2fe7e2e105emr1357298a91.2.1740517009285;
        Tue, 25 Feb 2025 12:56:49 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.48
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:49 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 07/10] libcap: fix CVE-2025-1390
Date: Tue, 25 Feb 2025 12:56:30 -0800
Message-ID: 
 <b975db55f6e0d551e69c870620292b58425f9aab.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:57:00 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211931

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libcap/files/CVE-2025-1390.patch          | 36 +++++++++++++++++++
 meta/recipes-support/libcap/libcap_2.69.bb    |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-support/libcap/files/CVE-2025-1390.patch

diff --git a/meta/recipes-support/libcap/files/CVE-2025-1390.patch b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
new file mode 100644
index 0000000000..a0f7dda503
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2025-1390.patch
@@ -0,0 +1,36 @@
+From 1ad42b66c3567481cc5fa22fc1ba1556a316d878 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Mon, 17 Feb 2025 10:31:55 +0800
+Subject: pam_cap: Fix potential configuration parsing error
+
+The current configuration parsing does not actually skip user names
+that do not start with @, but instead treats the name as a group
+name for further parsing, which can result in matching unexpected
+capability sets and may trigger potential security issues.  Only
+names starting with @ should be parsed as group names.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878]
+CVE: CVE-2025-1390
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ pam_cap/pam_cap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
+index b9419cb..18647a1 100644
+--- a/pam_cap/pam_cap.c
++++ b/pam_cap/pam_cap.c
+@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
+ 
+ 	    if (line[0] != '@') {
+ 		D(("user [%s] is not [%s] - skipping", user, line));
++		continue;
+ 	    }
+ 
+ 	    int i;
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/libcap/libcap_2.69.bb b/meta/recipes-support/libcap/libcap_2.69.bb
index 92fa766d37..03975b44a0 100644
--- a/meta/recipes-support/libcap/libcap_2.69.bb
+++ b/meta/recipes-support/libcap/libcap_2.69.bb
@@ -15,6 +15,7 @@ DEPENDS = "hostperl-runtime-native gperf-native"
 SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${PV}.tar.xz \
            file://0001-ensure-the-XATTR_NAME_CAPS-is-defined-when-it-is-use.patch \
            file://0002-tests-do-not-run-target-executables.patch \
+           file://CVE-2025-1390.patch \
            "
 SRC_URI:append:class-nativesdk = " \
            file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \

From patchwork Tue Feb 25 20:56:31 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57882
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2194DC021B2
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:57:00 +0000 (UTC)
Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com
 [209.85.214.174])
 by mx.groups.io with SMTP id smtpd.web11.19976.1740517011419487078
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:51 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=s3uiLqUU;
 spf=softfail (domain: sakoman.com, ip: 209.85.214.174,
 mailfrom: steve@sakoman.com)
Received: by mail-pl1-f174.google.com with SMTP id
 d9443c01a7336-2211cd4463cso124243295ad.2
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517011;
 x=1741121811; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=V7OtbAan6CU3bGmax9rTVUqj8lUbYed774a7bZEdri0=;
        b=s3uiLqUUXa5mCvouuwVUanK3knFTkTZVypgmoUfnIONHQn5Aasn0HdKYx7dPf2sTC5
         M+VzdRjyhfb3/QN9tzIK2Ylk2aHlIh6GWgfaueLWjkjpxq8RVNEteqB15kum2/hi2Ykk
         D56jRn/2d8kyzfMwUOCpZcSOmSZfMiqbSAlkJ0cShv/dsavMQW5io6SBN2S8OdV9LpPQ
         fe9ke3HWlJMqawRLhS8o78RfqgPODTFjGkEXVA8/X/vkP7IHESjC8Wwqzi3krrtou8hh
         uP0oSIygTpVL6yMlWMpuOBef9LO2mk9CmYwHZCxgxxkfxOc00ddWBtCNyyssIyB5gN7p
         8rag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517011; x=1741121811;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=V7OtbAan6CU3bGmax9rTVUqj8lUbYed774a7bZEdri0=;
        b=QzjP3HxCj2UIdyippcjmMY7KcS/SBEj1REUqdLie4J/j/Oi95mMfwtcY2zqyrfy+8U
         9SzLov1NxFsZ+Mzqxu5CiG25bRFowN6jkyv3xG73sLfy3L/Np8MOC9t3BdZynmAuD8yE
         Obky8wUQqkol1YVfnIJgAaB7jCf27B6Um7WLELPiVIHULt0/1tyKK7PZzrEG9T7GgalR
         E3/lmgossFQszwtTPUKgmfEg9Q8ZyH2MRstNkxoW3HJIBmbiRNBOg0o2spXsksd0lNtU
         SrvV1Ia3+dFKA2H+pbxOzSLmrfRoObXlWH9Jyzqw93C3OV9StDgN+haZ3DLEygh7+Td8
         sRfw==
X-Gm-Message-State: AOJu0Yy5XDWXMWAcCkYp87b26jvKLGvsutgerp5sogExfMwJyHb9qAPp
	jGUWh8fotk/2khBbNUUfGkHSHNC5NYH0S8gn09izfQXN87KV/24tcVqpOlcRYYS1VdZ7vzq0vwn
	1
X-Gm-Gg: ASbGnctiDAw4Ii+cn7zHRQvLejzwp819B1y3xHwcEqWEVJlaub9OKBLgz6gukIKyCGE
	6IMQstYsV6AXUzx0GOi+fmtkn+LLUu4NRdycGA/DWLtdcY91zxOuO1pLSlHCLZMLooP4Fd8gxOU
	pxAs4HgTLFqlnw5kdW6L0brE2isF7M1sQ0+ElV6SFBHHKP+tmmOeNvdoIDByA9p8Q3NT9Zs833X
	l5V6S9vXeH9pTtWrSgLIRU9n4jGXZel6izKdjPYU2hCx4w+sBERlpLdm0gzCDltdGJa4Fhp7m6A
	k5RktQxTAnJhdtYe/Q==
X-Google-Smtp-Source: 
 AGHT+IGuH+V66M0eHnuceG1xf5Mi+Q3B6Db6XHtpIqqXswWESw8DJ/OAbZmHyriUzfHHn0dHCeOWzg==
X-Received: by 2002:a17:902:d48c:b0:216:7ee9:220b with SMTP id
 d9443c01a7336-22307b4cc17mr62019645ad.22.1740517010678;
        Tue, 25 Feb 2025 12:56:50 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.50
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:50 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/10] libxml2: upgrade 2.12.9 -> 2.12.10
Date: Tue, 25 Feb 2025 12:56:31 -0800
Message-ID: 
 <4540dd4bb71e00b7f8c1a3f5a9e10d482e0b2abd.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:57:00 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211932

From: Peter Marko <peter.marko@siemens.com>

https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.10

Security
* [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
* [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
* pattern: Fix compilation of explicit child axis
Regressions
* parser: Fix detection of duplicate attributes
Bug fixes
* xpath: Fix parsing of non-ASCII names
Portability
* python: Declare init func with PyMODINIT_FUNC
* tests: Fix sanitizer version check on old Apple clang
Build
* autotools: Set AC_CONFIG_AUX_DIR
* cmake: Always build Python module as shared library
* cmake: Fix compatibility in package version file

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libxml/{libxml2_2.12.9.bb => libxml2_2.12.10.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/libxml/{libxml2_2.12.9.bb => libxml2_2.12.10.bb} (97%)

diff --git a/meta/recipes-core/libxml/libxml2_2.12.9.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
similarity index 97%
rename from meta/recipes-core/libxml/libxml2_2.12.9.bb
rename to meta/recipes-core/libxml/libxml2_2.12.10.bb
index 7777c9f181..c4f76c281d 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.9.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -20,7 +20,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://install-tests.patch \
            "
 
-SRC_URI[archive.sha256sum] = "59912db536ab56a3996489ea0299768c7bcffe57169f0235e7f962a91f483590"
+SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
 # Disputed as a security issue, but fixed in d39f780

From patchwork Tue Feb 25 20:56:32 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57884
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 28020C021BE
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:57:00 +0000 (UTC)
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com
 [209.85.216.47])
 by mx.groups.io with SMTP id smtpd.web10.19954.1740517012798483214
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:52 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=tmx6h/5u;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.47,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f47.google.com with SMTP id
 98e67ed59e1d1-2f441791e40so9424860a91.3
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517012;
 x=1741121812; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Ye2oqwf/XFDGyA5vxlXGMdHMhj/8Q4efILkPJhFWhXA=;
        b=tmx6h/5uayq7FTPOjnA9eCzxQOeA/W6kOjO7egFlscLTsc/LwPVaXizAprTwx3mi0G
         eDT+RfLHAMjptBgdleIuJxTmavr3sAhpmj6IJ7GrPpL5DA7Y8ZRrePitldAHfYm8MfQd
         AL0gfn+ovpf7mL+4RWQwpDgSFtUc7bIOlSFJJe+CiBDQatalB5oZUw4BSES7Ek3FHRMP
         PoMCg1TM8VKZv81GGNMRZX5zt3r7qA8PcvakpjG/bhZBrz5xcOkmsyvR8yK4bdJxIpxE
         OuIB50GA2hMDZk9p4GxQ7jSQWCSszCIrBMruzqy/5GTZsXWw62znmHWlYiZFWJ0pR4ZD
         8s6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517012; x=1741121812;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Ye2oqwf/XFDGyA5vxlXGMdHMhj/8Q4efILkPJhFWhXA=;
        b=Uro9fzvKX70mtAvfpJZQDjvby4jyzO4xC65ttGINIefdBS+fORZeTfy1u1+3X9J1z9
         fov4q76/NG2f1lJZyYTarBx0VOK1arEQwF328ReO5MSZ/tbNTjPt3V5//aTa4hSKfK9e
         VrNYm5ay9wtkx1R/uCRFxXOfycexmF8El1EKoj3qketgETdIK5gRi/DBEz9bkV8YM5qq
         BosD0q2sSOuWTzgox73nPgY+RXnTJ7WKNL/KvKwrpBZ56KZGlDLr52a30Uui8BZtPvcK
         9PeqxvzU1C6WYWZe5n8fsMakurQANE6qvu1+1isZ0+Xbs9L7+sxAczHuFOfONtk+40DN
         tbjg==
X-Gm-Message-State: AOJu0YzHxI/2CJivuzhyhBrfEQunDJf94+sb9sCbUsF7p/mTf8LOLVBs
	C9sVJcNoy6NtuBcASFd5dlQ3YOWdTFrUFbjH8uf/wGadzNWrbijvIVh9c0jpNpMDVAEmoJ7ao3+
	p
X-Gm-Gg: ASbGncsYJoTGiLF/in93m/9qfmSuIEmLCccfjOI7fG2/REBZFuLabH2EDgjK8iF2tA4
	35XQ0+uJH1quzofVwIZLMoaiN3wJcXWXXVsoOQNet1PW474GgVw/sT0X9uWvcOIUzshDFmDwbf/
	ePAl19fmERdHUD73OC2jwaxr0i8QbIt2udDUyhBJa5iY5+W8f6K8eFAgB6iZUQ8iZhfXCEkPcKR
	klk1qpHxjZvmQaO1qqLS4Cf8bkJBIy6JZlw1UPTXmSeE6eGIeU6yPieAaCLed090sTsiAZtAUMl
	2YHhwoKAhc/iwXaJZQ==
X-Google-Smtp-Source: 
 AGHT+IF2OTrM09qlCUaXfslWFrULzikV4NZP3Wx3jVdAoYvPHyiyD9GaiWeOXbUZtFgFTVZKMbjvjA==
X-Received: by 2002:a17:90b:1643:b0:2ea:a9ac:eee1 with SMTP id
 98e67ed59e1d1-2fce86ae28amr31391646a91.10.1740517012089;
        Tue, 25 Feb 2025 12:56:52 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.51
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:51 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 09/10] bind: Upgrade 9.18.28 -> 9.18.33
Date: Tue, 25 Feb 2025 12:56:32 -0800
Message-ID: 
 <37f07393c6977e7765ebfd948a017dab9be6a367.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:57:00 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211933

From: Vijay Anusuri <vanusuri@mvista.com>

Includes security fixes for CVE-2024-12705 CVE-2024-11187 and other bug
fixes

Release Notes:
https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-33
https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-32
https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-31
https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-30
https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-29

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/{bind_9.18.28.bb => bind_9.18.33.bb}                   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/bind/{bind_9.18.28.bb => bind_9.18.33.bb} (97%)

diff --git a/meta/recipes-connectivity/bind/bind_9.18.28.bb b/meta/recipes-connectivity/bind/bind_9.18.33.bb
similarity index 97%
rename from meta/recipes-connectivity/bind/bind_9.18.28.bb
rename to meta/recipes-connectivity/bind/bind_9.18.33.bb
index 4b0948298e..2554a7bb5f 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.28.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.33.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "e7cce9a165f7b619eefc4832f0a8dc16b005d29e3890aed6008c506ea286a5e7"
+SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2

From patchwork Tue Feb 25 20:56:33 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman <steve@sakoman.com>
X-Patchwork-Id: 57883
X-Patchwork-Delegate: steve@sakoman.com
Return-Path: <steve@sakoman.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2E881C021BB
	for <webhook@archiver.kernel.org>; Tue, 25 Feb 2025 20:57:00 +0000 (UTC)
Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com
 [209.85.216.50])
 by mx.groups.io with SMTP id smtpd.web10.19955.1740517014510856102
 for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:54 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
 header.b=T+VvEGmg;
 spf=softfail (domain: sakoman.com, ip: 209.85.216.50,
 mailfrom: steve@sakoman.com)
Received: by mail-pj1-f50.google.com with SMTP id
 98e67ed59e1d1-2fc0d44a876so9803721a91.3
        for <openembedded-core@lists.openembedded.org>;
 Tue, 25 Feb 2025 12:56:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1740517014;
 x=1741121814; darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:from:to:cc:subject:date:message-id
         :reply-to;
        bh=wvbSCe2L5kUPTC0lizulI7BdQzfxN2N1R6ruUolD1uk=;
        b=T+VvEGmgz2yVydjFtUzRQF2uz+GSqDoxIQ4Gu650WEOFot+31tpT/EReS2uP1+HiZU
         cso2E8ev6GEX5uEJtD0dCbqdZKtkSC1pSrZSdUk7CDvZ/gSTqVjf5qEC5uqGgA4BXpZB
         4A70JhT7hKbNGGenQkPZiEASdPOrmhDPfetjx8V5VJdfYw+lIdslLhdYSO3O2YeNITQV
         XlI2MHscOc8f5D1KZd5ayT1enCL4Imz1DKwNK00NugV+ckwbSTIHHGtq0SL3U6mB178v
         wIELMnAEDgDDUqC/i3PXB95+NHtMlT4aVKVSEZ/mZprehRGqLCcuAI6Pvlc7RpC5ZXy4
         1C1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1740517014; x=1741121814;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=wvbSCe2L5kUPTC0lizulI7BdQzfxN2N1R6ruUolD1uk=;
        b=HiB/EAHPLj3oXIAGmj6HErDLLtTXQ+2gRCn6HWi93zNPtN2GTzGaorkAIqvfcK2m5g
         TxneuibNpULlwUJu0+FP7fnjrY3Lr03OZIWouIxURWx3l4rh3ss56YqT2fW9oa0gnYEg
         060Ob/L6ht+7zVgpavCkOzDrSukjLbIL3tykM7aBO6NhhLBfhpJMoNEFtWuOCCnZJ0Do
         pufk3vQK7PMyxmuN6f0ggaHgB1wEtblcWwPA4Id1EdYCYo7YlybnhZQaUIf4+nwlp3yz
         3EEr/VinAS4sJlNt/cF4/UK7KK1RaMEI3HVwlKGENRmD3c2om1uNt/TVNpea1cfLydde
         l8/Q==
X-Gm-Message-State: AOJu0YyAT9p2wFiWbAc5J7wcjEKuCZS0wevhas7xsXjb65mi5ZDPhhTC
	JeabkjFO+q/GAzEwytDwzrgTQysotnuaV1yCftTT89F6fORls5JQEd3Z8XmCSlp0UaJQkNsGHDX
	e
X-Gm-Gg: ASbGncvJz3jJRmohsCfvTAIQldlZcdkYEz7824qRLQjLgy+vfB4NZgaKSTDWEvRsoe0
	2XwJE0i6KZLSJGfI2BNJUrS3NPJmJRv4AAMTef/9dSKHLErNBXAaDZtK8wfcBDAyYJHTFUArSGE
	c+6R4qv4cdV691t0n8+XQVy1rhUp2Jho8USjjaC9MUYPWOqGvS10AG3IK305FfUeI3uobxrwPjf
	odhAPEyFDRbuPDewV1+YmBAGbJD+pSNqKUh+rUb/ELTYF5CapKhSiciqw4iw1GEi/k8Feyr/jzS
	9IeON2UfkHavhrOkfA==
X-Google-Smtp-Source: 
 AGHT+IG9sxv0WMOnCUfxeeUvCp4YMd18LJqoLOYqVX/t/B+dQPf7XmT14Tz6Bp4WCJYkb4kzdgKGrA==
X-Received: by 2002:a17:90b:2e10:b0:2fa:1f1b:3db2 with SMTP id
 98e67ed59e1d1-2fe68bff7c6mr7488200a91.25.1740517013554;
        Tue, 25 Feb 2025 12:56:53 -0800 (PST)
Received: from hexa.. ([2602:feb4:3b:2100:c473:2777:3793:104c])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-2fceb02d9b4sm10083810a91.6.2025.02.25.12.56.52
        for <openembedded-core@lists.openembedded.org>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 25 Feb 2025 12:56:53 -0800 (PST)
From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 10/10] python3-setuptools-scm: respect
 GIT_CEILING_DIRECTORIES
Date: Tue, 25 Feb 2025 12:56:33 -0800
Message-ID: 
 <369eebad4f38c3641be73dbc0490c87636e0912d.1740516861.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <cover.1740516861.git.steve@sakoman.com>
References: <cover.1740516861.git.steve@sakoman.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Tue, 25 Feb 2025 20:57:00 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211934

From: Etienne Cordonnier <ecordonnier@snap.com>

Fixes https://bugzilla.yoctoproject.org/show_bug.cgi?id=15740

python3-setuptools-scm was ignoring GIT_CEILING_DIRECTORIES which is set by poky,
and it was thus finding a wrong value of "toplevel" in ./src/setuptools_scm/_file_finders/git.py
The code is supposed to generate the list of files contained in python3-setuptools-scm, but it was
instead running "git archive" on whatever git repository was above the build directory, because the
tarball containing the sources of python3-setuptools-scm does not contain a .git directory.

This is barely noticeable when building as a subdirectory of poky which is only 48MB, but this was
causing serious slowdowns of python3-setuptools-scm:do_compile when building
inside a big git repository with files tracked using git-lfs (50 minutes in my use-case).

Reported upstream as https://github.com/pypa/setuptools-scm/issues/1103

(From OE-Core rev: 4ebe72477484cf68165b6f736ce10373e97d0e6d)

Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...0001-respect-GIT_CEILING_DIRECTORIES.patch | 36 +++++++++++++++++++
 .../python/python3-setuptools-scm_8.0.4.bb    |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-setuptools-scm/0001-respect-GIT_CEILING_DIRECTORIES.patch

diff --git a/meta/recipes-devtools/python/python3-setuptools-scm/0001-respect-GIT_CEILING_DIRECTORIES.patch b/meta/recipes-devtools/python/python3-setuptools-scm/0001-respect-GIT_CEILING_DIRECTORIES.patch
new file mode 100644
index 0000000000..7d2808cc0c
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-setuptools-scm/0001-respect-GIT_CEILING_DIRECTORIES.patch
@@ -0,0 +1,36 @@
+From a1cc419a118560d63e1ab8838c256a3622185750 Mon Sep 17 00:00:00 2001
+From: Etienne Cordonnier <ecordonnier@snap.com>
+Date: Thu, 13 Feb 2025 15:44:40 +0100
+Subject: [PATCH] respect GIT_CEILING_DIRECTORIES
+
+Fix for https://github.com/pypa/setuptools-scm/issues/1103
+
+When searching for the root-directory of the git repository e.g. with git rev-parse --show-toplevel,
+git stops the search when reaching $GIT_CEILING_DIRECTORIES. By ignoring this variable, the function
+_git_toplevel can go above the real git repository (e.g. when packaging a tarball without .git repository),
+and then runs "git archive" on an unrelated git repository.
+
+Upstream-Status: Pending
+
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
+---
+ src/setuptools_scm/_run_cmd.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/setuptools_scm/_run_cmd.py b/src/setuptools_scm/_run_cmd.py
+index f2a8285..7e13d9f 100644
+--- a/src/setuptools_scm/_run_cmd.py
++++ b/src/setuptools_scm/_run_cmd.py
+@@ -98,7 +98,7 @@ def no_git_env(env: Mapping[str, str]) -> dict[str, str]:
+         k: v
+         for k, v in env.items()
+         if not k.startswith("GIT_")
+-        or k in ("GIT_EXEC_PATH", "GIT_SSH", "GIT_SSH_COMMAND")
++        or k in ("GIT_CEILING_DIRECTORIES", "GIT_EXEC_PATH", "GIT_SSH", "GIT_SSH_COMMAND")
+     }
+ 
+ 
+-- 
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-setuptools-scm_8.0.4.bb b/meta/recipes-devtools/python/python3-setuptools-scm_8.0.4.bb
index 64b5050c3b..d5f8358a61 100644
--- a/meta/recipes-devtools/python/python3-setuptools-scm_8.0.4.bb
+++ b/meta/recipes-devtools/python/python3-setuptools-scm_8.0.4.bb
@@ -6,6 +6,7 @@ argument or in a SCM managed file."
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=838c366f69b72c5df05c96dff79b35f2"
 
+SRC_URI += "file://0001-respect-GIT_CEILING_DIRECTORIES.patch"
 SRC_URI[sha256sum] = "b5f43ff6800669595193fd09891564ee9d1d7dcb196cab4b2506d53a2e1c95c7"
 
 inherit pypi python_setuptools_build_meta