From patchwork Wed Sep 21 02:37:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13068 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74696C6FA92 for ; Wed, 21 Sep 2022 02:37:49 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.web09.2081.1663727863522724612 for ; Tue, 20 Sep 2022 19:37:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=xz4aiuU9; spf=softfail (domain: sakoman.com, ip: 209.85.210.175, mailfrom: steve@sakoman.com) Received: by mail-pf1-f175.google.com with SMTP id e68so4555626pfe.1 for ; Tue, 20 Sep 2022 19:37:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date; bh=7upKRVMhfjwcAtmIm6l8YKr9S9XEkl04z8gvIdOCg2U=; b=xz4aiuU95lqS8xIUMf/8m0ScUFy4PE4Ze5GcQ6f7+eGmQD7iokuVE6jVFuNHv40VI2 BFXbp1CVyd9WAPx+wVdgS1aBkVyA6xTzPsIA9Qgrh9ZPPPCs0cle5XZCU6A+AnUGmSKC QUFrs/YZfsHj9X0J+RSxTm7tZairTRqsDL9Hzjqdz76aEcxWCTZf2FBaQoAu2UJsfUB9 +d30ER6lu4FiHafPUg/YQHBj9bD8nNEt7iLgfimvpXIGK4FAxBCHkTaIt1cR3alHdGov hUV4bdFdF2Gr7q7QLvjPe2Pfbh6GuPWGT0ypPp9R0lYODyvpRLO+68d7AIcXLTDrjk6O sb4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date; bh=7upKRVMhfjwcAtmIm6l8YKr9S9XEkl04z8gvIdOCg2U=; b=XxN3BKkaldwc9AzXTEiq/2erQinM4Q+XzjNxKZR4u1y+dAPoKbCR3OwQfYlRCQ8qTW 69B+5F6YDvUl+36WlnpPvj7LK1+TP0v551Ewri/FtxZxC6HyeX1xvw5TdyY3zs+AU4TR Y+A7dmPmN8UXYn48hbax9kkvqIollIZGJrH5Cy4z74wZ0l9y/yLUgGL1kGY/Tk4txUVS Cgqei5YfdlCNOU0vhrZQqUT3f/ENjK7cB5AGOrYsUC292hdrN7H0366tSPcSANhJMVuC Lp6vC2Vxnllm7zicVm6dKVPVjlCCMyh3nGAj8UKHkZ3wEO0FZX4rRQIIg9dJtOfXeDEC U/FA== X-Gm-Message-State: ACrzQf152l6VVVL6/eCE7LkKVDtDhJkLlelZwYLhoAb3dYkTQ4knseNE DZ5jOwAgG4bwsYrnJH9Vw5cez175wwEc9NmI X-Google-Smtp-Source: AMsMyM7HG1uNZ2NN24y/MjggqgK5+8cVgcy/Ox8GLNYNYtuo21VjkVwAn3W8d7mKphu5MGCVuztwyA== X-Received: by 2002:a05:6a00:1ad0:b0:545:b61b:fe7 with SMTP id f16-20020a056a001ad000b00545b61b0fe7mr26234242pfv.25.1663727862427; Tue, 20 Sep 2022 19:37:42 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id 207-20020a6215d8000000b00537a6b81bb7sm670154pfv.148.2022.09.20.19.37.41 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Sep 2022 19:37:41 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 1/6] sqlite3: Fix CVE-2020-35525 Date: Tue, 20 Sep 2022 16:37:12 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Sep 2022 02:37:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170921 From: Virendra Thakur Add patch to fix CVE-2020-35525 Reference: http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz Signed-off-by: Virendra Thakur Signed-off-by: Steve Sakoman --- .../sqlite/files/CVE-2020-35525.patch | 21 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 22 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35525.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35525.patch b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch new file mode 100644 index 0000000000..27d81d42d9 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-35525.patch @@ -0,0 +1,21 @@ +From: drh +Date: Thu, 20 Feb 2020 14:08:51 +0000 +Subject: [PATCH] Early-out on the INTERSECT query processing following an + error. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz] +CVE: CVE-2020-35525 +Signed-off-by: Virendra Thakur +--- +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -130767,6 +130767,7 @@ static int multiSelect( + /* Generate code to take the intersection of the two temporary + ** tables. + */ ++ if( rc ) break; + assert( p->pEList ); + iBreak = sqlite3VdbeMakeLabel(pParse); + iCont = sqlite3VdbeMakeLabel(pParse); diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 3440bf4913..48051593e4 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -14,6 +14,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-13631.patch \ file://CVE-2020-13632.patch \ file://CVE-2022-35737.patch \ + file://CVE-2020-35525.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" From patchwork Wed Sep 21 02:37:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13067 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64971C6FA90 for ; Wed, 21 Sep 2022 02:37:49 +0000 (UTC) Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) by mx.groups.io with SMTP id smtpd.web10.2088.1663727865797885523 for ; Tue, 20 Sep 2022 19:37:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=IWHIalhC; spf=softfail (domain: sakoman.com, ip: 209.85.215.173, mailfrom: steve@sakoman.com) Received: by mail-pg1-f173.google.com with SMTP id bh13so4578031pgb.4 for ; Tue, 20 Sep 2022 19:37:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date; bh=JdJj5YbV9kB0VgR5CJ2UZAZ6OfxtbIYZTSEgRseBtTo=; b=IWHIalhCFrJk9MDGb1CgNpsqmji4mKRcfEL/sqED8MdD0hLU901CeMOSHnFDXBz4q8 rzKFXTp9+lKYnWOpTh+AX9hV0+LCV+iGl2ZbPRQRdw0rwZeaxU9fT41yVgu+6X97VzqK Nsjw8lfvSot4+gbv7+gKXrCIiHSPld350RXX4A0Q7b2jrYdtEMmci3UzwgV0C2vZoRmL MNXLDSK61CHpS6u/HUn12GFDs622u4/hCe4hbk7qyEVpnDZfCUvLRo0PaNiEBfTLEh/K SMem2UAGWOTPVL1CRNkCJ3SVv9b+ulnTsfPydUwCC7dAb4yACka+j1aWKeEdu99oQiEy FywA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date; bh=JdJj5YbV9kB0VgR5CJ2UZAZ6OfxtbIYZTSEgRseBtTo=; b=gOfyzPJi0R27fqiZyca5Yuc7fpqZx9lWfs96FjbDXicn4KT7wuOgtsWnz7Wtp5n5DA 1P/qa/BIsMmnoAiUZtMdEClvXiTtWHyH09DfMM9XK9YyRIUR0EfB0d7kscQ/mBxtdPHu tOEnWn+ZjxOI65kaemykkJ9j1LLPJOTluUazYse0MEHvMZmQzM3D/0OYahCTGKZrO74G 7SFXiqEuxitYwbFKgM4oiuI2C9cZG5lhXYKbUZ5e3NnHHXhOCfp/2Nb/IAhaTyYKIP1T h5R1Bq0b/UPAN8UHpxIl48wBkjKm2gUAkfojhQoc0etFedAJsZV+hXUzvLAD6eeCy9VS aUlw== X-Gm-Message-State: ACrzQf1jAiVqJXfTQb1JoeeKhjfjZWksVoOMhXbIytueNwsFl1935a3f 1sA/BhCafxMSbrbPg9N8Qmmv7ZgWDGMAcpLh X-Google-Smtp-Source: AMsMyM470C6xbQYD21TxnQOKuwKrGtKTnGJWv1+nNlfxatrgzme9f0ARwIqd/KNbC71pjSl9ASP9ZQ== X-Received: by 2002:a63:ff4f:0:b0:439:61d6:197 with SMTP id s15-20020a63ff4f000000b0043961d60197mr22199654pgk.67.1663727864647; Tue, 20 Sep 2022 19:37:44 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id 207-20020a6215d8000000b00537a6b81bb7sm670154pfv.148.2022.09.20.19.37.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Sep 2022 19:37:44 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 2/6] sqlite3: Fix CVE-2020-35527 Date: Tue, 20 Sep 2022 16:37:13 -1000 Message-Id: <2541fd0d0e2c0919d80d6b0f6262cf2c50fe309b.1663727733.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Sep 2022 02:37:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170922 From: Virendra Thakur Add patch file to fix CVE-2020-35527 Reference: http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz Signed-off-by: Virendra Thakur Signed-off-by: Steve Sakoman --- .../sqlite/files/CVE-2020-35527.patch | 22 +++++++++++++++++++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + 2 files changed, 23 insertions(+) create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-35527.patch diff --git a/meta/recipes-support/sqlite/files/CVE-2020-35527.patch b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch new file mode 100644 index 0000000000..d1dae389b0 --- /dev/null +++ b/meta/recipes-support/sqlite/files/CVE-2020-35527.patch @@ -0,0 +1,22 @@ +From: dan +Date: Mon, 26 Oct 2020 13:24:36 +0000 +Subject: [PATCH] Fix a problem with ALTER TABLE for views that have a nested + FROM clause. Ticket [f50af3e8a565776b]. + +Upstream-Status: Backport [http://security.debian.org/debian-security/pool/updates/main/s/sqlite3/sqlite3_3.27.2-3+deb10u2.debian.tar.xz] +CVE: CVE-2020-35527 +Signed-off-by: Virendra Thakur +--- +Index: sqlite-autoconf-3310100/sqlite3.c +=================================================================== +--- sqlite-autoconf-3310100.orig/sqlite3.c ++++ sqlite-autoconf-3310100/sqlite3.c +@@ -133110,7 +133110,7 @@ static int selectExpander(Walker *pWalke + pNew = sqlite3ExprListAppend(pParse, pNew, pExpr); + sqlite3TokenInit(&sColname, zColname); + sqlite3ExprListSetName(pParse, pNew, &sColname, 0); +- if( pNew && (p->selFlags & SF_NestedFrom)!=0 ){ ++ if( pNew && (p->selFlags & SF_NestedFrom)!=0 && !IN_RENAME_OBJECT ){ + struct ExprList_item *pX = &pNew->a[pNew->nExpr-1]; + sqlite3DbFree(db, pX->zEName); + if( pSub ){ diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb index 48051593e4..d9e98c9120 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb @@ -15,6 +15,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \ file://CVE-2020-13632.patch \ file://CVE-2022-35737.patch \ file://CVE-2020-35525.patch \ + file://CVE-2020-35527.patch \ " SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125" SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae" From patchwork Wed Sep 21 02:37:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13066 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60F5DC54EE9 for ; Wed, 21 Sep 2022 02:37:49 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web10.2089.1663727867871156490 for ; Tue, 20 Sep 2022 19:37:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=5/8NJ+O2; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id iw17so4321689plb.0 for ; Tue, 20 Sep 2022 19:37:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date; bh=JWbFVIN0bR6f1k25zNmdGNm+bS+q6EmQLFXH/QpgEVo=; b=5/8NJ+O2kOOmVB0JScsLwJNt+pmPh/RytZxN1quBv/JmwghCPBuieDDJxx76+eJcey zpGMkEK0HR9H3iG6SzG8BAyf8y3d36Y2QD/pl+lt5/sfMcfiCdDlv3bm9AhhbRTrq66Q 74sGbTkWEMnl4SW5wyz3GdzC04fD3Tga5okhjpt0dNFrDUOUp7UzIp8q/Olb8jl4QaJd KlJ/BaVo1CGKtvAors6xIUcfBAbQ04Nwq2/5+n4qOxP86BBO0Mj3Nvrfearx+Jn2bd4I uXHQgpWYorTR51NzJVlGPj8GFcRLcIrLMQN20g4Fj8syVb9u/17PMJa4o2A9WIW4WHmk NN1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date; bh=JWbFVIN0bR6f1k25zNmdGNm+bS+q6EmQLFXH/QpgEVo=; b=MzDB7lg4CaH6gA7ALwDFcT+LXOcVag8JfPVfhZcY7mCyr2e+e4wFktEWGrbiPSvjEn f3i0nDORpunpN3Ks4Vv4xZSeyUYuZkYkywULLqAUS7+oJBGt0KGWKXoVMRk07O+OsWe4 duCksV/3CHsKdRrwYXfa7w2G93oD6fmDmFbhX4ciIn61uKUC3DYVeyFPQWODmI6QUIiw myby7FWd8C/0MOr9cHllti3SBaAW8M+DJ6ySF98AIzuavz0NDe8Bcj2/eeoqgzRak+Vq 8Drc/Xlr3trPDkGxwbapDKd3WQR3kSb21SuxRJf2fLzVU+RNBI5wU6A6lGpQqv1RkRkF q44w== X-Gm-Message-State: ACrzQf2bjUFAyieNnQhsz6Bi2UOVqopXLYS8OxQXJ3MXAjRERYUo8U6P xXjLom7lnWNTVmSkkVoKT7pjouUNDQJoATeK X-Google-Smtp-Source: AMsMyM7GKE1GdQAeILIPW6p48JmcBa1hl6GzHGAlUK+AR7wY2Gs1kTw1+I49bKEFXl3POIpLxa9VYQ== X-Received: by 2002:a17:90b:3ec7:b0:202:b984:8436 with SMTP id rm7-20020a17090b3ec700b00202b9848436mr7143297pjb.4.1663727866865; Tue, 20 Sep 2022 19:37:46 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id 207-20020a6215d8000000b00537a6b81bb7sm670154pfv.148.2022.09.20.19.37.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Sep 2022 19:37:46 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 3/6] connman: CVE-2022-32293 man-in-the-middle attack against a WISPR HTTP Date: Tue, 20 Sep 2022 16:37:14 -1000 Message-Id: <86334559e3dcf30e07e2a10a58bbe40a2e8cc887.1663727733.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Sep 2022 02:37:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170923 From: Hitendra Prajapati Source: https://git.kernel.org/pub/scm/network/connman/connman.git/ MR: 120508 Type: Security Fix Disposition: Backport from https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a ChangeID: 1583badc6de6bb8a7f63c06749b90b97caab5cdf Description: CVE-2022-32293 connman: man-in-the-middle attack against a WISPR HTTP. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../connman/connman/CVE-2022-32293.patch | 266 ++++++++++++++++++ .../connman/connman_1.37.bb | 1 + 2 files changed, 267 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch new file mode 100644 index 0000000000..83a013981c --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch @@ -0,0 +1,266 @@ +From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Tue, 20 Sep 2022 17:58:19 +0530 +Subject: [PATCH] CVE-2022-32293 + +CVE: CVE-2022-32293 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] +Signed-off-by: Hitendra Prajapati +--- + src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 63 insertions(+), 20 deletions(-) + +diff --git a/src/wispr.c b/src/wispr.c +index 473c0e0..97e0242 100644 +--- a/src/wispr.c ++++ b/src/wispr.c +@@ -59,6 +59,7 @@ struct wispr_route { + }; + + struct connman_wispr_portal_context { ++ int refcount; + struct connman_service *service; + enum connman_ipconfig_type type; + struct connman_wispr_portal *wispr_portal; +@@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data); + + static GHashTable *wispr_portal_list = NULL; + ++#define wispr_portal_context_ref(wp_context) \ ++ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) ++#define wispr_portal_context_unref(wp_context) \ ++ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) ++ + static void connman_wispr_message_init(struct connman_wispr_message *msg) + { +- DBG(""); +- + msg->has_error = false; + msg->current_element = NULL; + +@@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) + static void free_connman_wispr_portal_context( + struct connman_wispr_portal_context *wp_context) + { +- DBG("context %p", wp_context); +- +- if (!wp_context) +- return; +- + if (wp_context->wispr_portal) { + if (wp_context->wispr_portal->ipv4_context == wp_context) + wp_context->wispr_portal->ipv4_context = NULL; +@@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context( + g_free(wp_context); + } + ++static struct connman_wispr_portal_context * ++wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount + 1, file, line, caller); ++ ++ __sync_fetch_and_add(&wp_context->refcount, 1); ++ ++ return wp_context; ++} ++ ++static void wispr_portal_context_unref_debug( ++ struct connman_wispr_portal_context *wp_context, ++ const char *file, int line, const char *caller) ++{ ++ if (!wp_context) ++ return; ++ ++ DBG("%p ref %d by %s:%d:%s()", wp_context, ++ wp_context->refcount - 1, file, line, caller); ++ ++ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) ++ return; ++ ++ free_connman_wispr_portal_context(wp_context); ++} ++ + static struct connman_wispr_portal_context *create_wispr_portal_context(void) + { +- return g_try_new0(struct connman_wispr_portal_context, 1); ++ return wispr_portal_context_ref( ++ g_new0(struct connman_wispr_portal_context, 1)); + } + + static void free_connman_wispr_portal(gpointer data) +@@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data) + if (!wispr_portal) + return; + +- free_connman_wispr_portal_context(wispr_portal->ipv4_context); +- free_connman_wispr_portal_context(wispr_portal->ipv6_context); ++ wispr_portal_context_unref(wispr_portal->ipv4_context); ++ wispr_portal_context_unref(wispr_portal->ipv6_context); + + g_free(wispr_portal); + } +@@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result, + &str)) + connman_info("Client-Timezone: %s", str); + +- free_connman_wispr_portal_context(wp_context); +- + __connman_service_ipconfig_indicate_state(service, + CONNMAN_SERVICE_STATE_ONLINE, type); + } +@@ -509,14 +535,17 @@ static void wispr_portal_request_portal( + { + DBG(""); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + wp_context->status_url, + wispr_portal_web_result, + wispr_route_request, + wp_context); + +- if (wp_context->request_id == 0) ++ if (wp_context->request_id == 0) { + wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); ++ } + } + + static bool wispr_input(const guint8 **data, gsize *length, +@@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, + return; + + if (!authentication_done) { +- wispr_portal_error(wp_context); + free_wispr_routes(wp_context); ++ wispr_portal_error(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + + /* Restarting the test */ + __connman_service_wispr_start(service, wp_context->type); ++ wispr_portal_context_unref(wp_context); + } + + static void wispr_portal_request_wispr_login(struct connman_service *service, +@@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, + return; + } + +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + return; + } + +@@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result, + + wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; + ++ wispr_portal_context_ref(wp_context); + if (__connman_agent_request_login_input(wp_context->service, + wispr_portal_request_wispr_login, +- wp_context) != -EINPROGRESS) ++ wp_context) != -EINPROGRESS) { + wispr_portal_error(wp_context); +- else ++ wispr_portal_context_unref(wp_context); ++ } else + return true; + + break; +@@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (length > 0) { + g_web_parser_feed_data(wp_context->wispr_parser, + chunk, length); ++ wispr_portal_context_unref(wp_context); + return true; + } + +@@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + switch (status) { + case 000: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + if (g_web_result_get_header(result, "X-ConnMan-Status", + &str)) { + portal_manage_status(result, wp_context); ++ wispr_portal_context_unref(wp_context); + return false; +- } else ++ } else { ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->redirect_url, wp_context); ++ } + + break; + case 302: +@@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + !g_web_result_get_header(result, "Location", + &redirect)) { + ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + wp_context->redirect_url = g_strdup(redirect); + ++ wispr_portal_context_ref(wp_context); + wp_context->request_id = g_web_request_get(wp_context->web, + redirect, wispr_portal_web_result, + wispr_route_request, wp_context); +@@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + + break; + case 505: ++ wispr_portal_context_ref(wp_context); + __connman_agent_request_browser(wp_context->service, + wispr_portal_browser_reply_cb, + wp_context->status_url, wp_context); +@@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) + wp_context->request_id = 0; + done: + wp_context->wispr_msg.message_type = -1; ++ wispr_portal_context_unref(wp_context); + return false; + } + +@@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data) + xml_wispr_parser_callback, wp_context); + + wispr_portal_request_portal(wp_context); ++ wispr_portal_context_unref(wp_context); + } + + static gboolean no_proxy_callback(gpointer user_data) +@@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) + + if (wp_context->token == 0) { + err = -EINVAL; +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + } + } else if (wp_context->timeout == 0) { + wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); +@@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service, + + /* If there is already an existing context, we wipe it */ + if (wp_context) +- free_connman_wispr_portal_context(wp_context); ++ wispr_portal_context_unref(wp_context); + + wp_context = create_wispr_portal_context(); + if (!wp_context) +-- +2.25.1 + diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index 4f22c7ad49..73d7f7527e 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb @@ -13,6 +13,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ file://CVE-2022-32292.patch \ + file://CVE-2022-32293.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" From patchwork Wed Sep 21 02:37:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 14298 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Steve Sakoman" Subject: [OE-core][dunfell 4/6] qemu: fix and ignore several CVEs Date: Tue, 20 Sep 2022 16:37:15 -1000 Message-Id: <16a6e8530c4820f070973a1b4d64764c20706087.1663727733.git.steve@sakoman.com> In-Reply-To: References: MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org From: Chee Yang Lee backport fixes: CVE-2020-13754, backport patches as debian security tracker notes https://security-tracker.debian.org/tracker/CVE-2020-13754 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930 CVE-2021-4206 CVE-2021-4207 CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2. Ignore: CVE-2020-27661, issue introduced in v5.1.0-rc0 https://security-tracker.debian.org/tracker/CVE-2020-27661 Signed-off-by: Chee Yang Lee Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 14 ++ .../qemu/qemu/CVE-2020-13754-1.patch | 91 +++++++++++++ .../qemu/qemu/CVE-2020-13754-2.patch | 69 ++++++++++ .../qemu/qemu/CVE-2020-13754-3.patch | 65 +++++++++ .../qemu/qemu/CVE-2020-13754-4.patch | 39 ++++++ .../qemu/qemu/CVE-2021-3713.patch | 67 ++++++++++ .../qemu/qemu/CVE-2021-3748.patch | 124 ++++++++++++++++++ .../qemu/qemu/CVE-2021-3930.patch | 53 ++++++++ .../qemu/qemu/CVE-2021-4206.patch | 89 +++++++++++++ .../qemu/qemu/CVE-2021-4207.patch | 43 ++++++ .../qemu/qemu/CVE-2022-0216-1.patch | 42 ++++++ .../qemu/qemu/CVE-2022-0216-2.patch | 52 ++++++++ 12 files changed, 748 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index a773068499..c1db723e90 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -100,6 +100,17 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2020-13791.patch \ file://CVE-2022-35414.patch \ file://CVE-2020-27821.patch \ + file://CVE-2020-13754-1.patch \ + file://CVE-2020-13754-2.patch \ + file://CVE-2020-13754-3.patch \ + file://CVE-2020-13754-4.patch \ + file://CVE-2021-3713.patch \ + file://CVE-2021-3748.patch \ + file://CVE-2021-3930.patch \ + file://CVE-2021-4206.patch \ + file://CVE-2021-4207.patch \ + file://CVE-2022-0216-1.patch \ + file://CVE-2022-0216-2.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" @@ -117,6 +128,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_WHITELIST += "CVE-2018-18438" +# the issue introduced in v5.1.0-rc0 +CVE_CHECK_WHITELIST += "CVE-2020-27661" + COMPATIBLE_HOST_mipsarchn32 = "null" COMPATIBLE_HOST_mipsarchn64 = "null" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch new file mode 100644 index 0000000000..fdfff9d81d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-1.patch @@ -0,0 +1,91 @@ +From 5d971f9e672507210e77d020d89e0e89165c8fc9 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 10 Jun 2020 09:47:49 -0400 +Subject: [PATCH] memory: Revert "memory: accept mismatching sizes in + memory_region_access_valid" + +Memory API documentation documents valid .min_access_size and .max_access_size +fields and explains that any access outside these boundaries is blocked. + +This is what devices seem to assume. + +However this is not what the implementation does: it simply +ignores the boundaries unless there's an "accepts" callback. + +Naturally, this breaks a bunch of devices. + +Revert to the documented behaviour. + +Devices that want to allow any access can just drop the valid field, +or add the impl field to have accesses converted to appropriate +length. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson +Fixes: CVE-2020-13754 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") +Signed-off-by: Michael S. Tsirkin +Message-Id: <20200610134731.1514409-1-mst@redhat.com> +Signed-off-by: Paolo Bonzini + +https://git.qemu.org/?p=qemu.git;a=patch;h=5d971f9e672507210e77d020d89e0e89165c8fc9 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + memory.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/memory.c b/memory.c +index 2f15a4b..9200b20 100644 +--- a/memory.c ++++ b/memory.c +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, + bool is_write, + MemTxAttrs attrs) + { +- int access_size_min, access_size_max; +- int access_size, i; +- +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ if (mr->ops->valid.accepts ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { + return false; + } + +- if (!mr->ops->valid.accepts) { +- return true; +- } +- +- access_size_min = mr->ops->valid.min_access_size; +- if (!mr->ops->valid.min_access_size) { +- access_size_min = 1; ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ return false; + } + +- access_size_max = mr->ops->valid.max_access_size; ++ /* Treat zero as compatibility all valid */ + if (!mr->ops->valid.max_access_size) { +- access_size_max = 4; ++ return true; + } + +- access_size = MAX(MIN(size, access_size_max), access_size_min); +- for (i = 0; i < size; i += access_size) { +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, +- is_write, attrs)) { +- return false; +- } ++ if (size > mr->ops->valid.max_access_size ++ || size < mr->ops->valid.min_access_size) { ++ return false; + } +- + return true; + } + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch new file mode 100644 index 0000000000..7354edc54d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-2.patch @@ -0,0 +1,69 @@ +From dba04c3488c4699f5afe96f66e448b1d447cf3fb Mon Sep 17 00:00:00 2001 +From: Michael Tokarev +Date: Mon, 20 Jul 2020 19:06:27 +0300 +Subject: [PATCH] acpi: accept byte and word access to core ACPI registers + +All ISA registers should be accessible as bytes, words or dwords +(if wide enough). Fix the access constraints for acpi-pm-evt, +acpi-pm-tmr & acpi-cnt registers. + +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") +Fixes: afafe4bbe0 (apci: switch cnt to memory api) +Fixes: 77d58b1e47 (apci: switch timer to memory api) +Fixes: b5a7c024d2 (apci: switch evt to memory api) +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ +Buglink: https://bugs.debian.org/964793 +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 +BugLink: https://bugs.launchpad.net/bugs/1886318 +Reported-By: Simon John +Signed-off-by: Michael Tokarev +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +https://git.qemu.org/?p=qemu.git;a=patch;h=dba04c3488c4699f5afe96f66e448b1d447cf3fb +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/acpi/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index f6d9ec4..ac06db3 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -458,7 +458,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_evt_ops = { + .read = acpi_pm_evt_read, + .write = acpi_pm_evt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -527,7 +528,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_tmr_ops = { + .read = acpi_pm_tmr_read, + .write = acpi_pm_tmr_write, +- .valid.min_access_size = 4, ++ .impl.min_access_size = 4, ++ .valid.min_access_size = 1, + .valid.max_access_size = 4, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -599,7 +601,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_cnt_ops = { + .read = acpi_pm_cnt_read, + .write = acpi_pm_cnt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch new file mode 100644 index 0000000000..2a8781050f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-3.patch @@ -0,0 +1,65 @@ +From 8e67fda2dd6202ccec093fda561107ba14830a17 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Tue, 21 Jul 2020 10:33:22 +0200 +Subject: [PATCH] xhci: fix valid.max_access_size to access address registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow +64-bit mode access in "runtime" and "operational" MemoryRegionOps. + +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. + +XHCI specs: +"If the xHC supports 64-bit addressing (AC64 = â1â), then software +should write 64-bit registers using only Qword accesses. If a +system is incapable of issuing Qword accesses, then writes to the +64-bit address fields shall be performed using 2 Dword accesses; +low Dword-first, high-Dword second. If the xHC supports 32-bit +addressing (AC64 = â0â), then the high Dword of registers containing +64-bit address fields are unused and software should write addresses +using only Dword accesses" + +The problem has been detected with SLOF, as linux kernel always accesses +registers using 32-bit access even if AC64 is set and revealed by +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") + +Suggested-by: Alexey Kardashevskiy +Signed-off-by: Laurent Vivier +Message-id: 20200721083322.90651-1-lvivier@redhat.com +Signed-off-by: Gerd Hoffmann + +https://git.qemu.org/?p=qemu.git;a=patch;h=8e67fda2dd6202ccec093fda561107ba14830a17 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/usb/hcd-xhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index b330e36..67a18fe 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3184,7 +3184,7 @@ static const MemoryRegionOps xhci_oper_ops = { + .read = xhci_oper_read, + .write = xhci_oper_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +@@ -3200,7 +3200,7 @@ static const MemoryRegionOps xhci_runtime_ops = { + .read = xhci_runtime_read, + .write = xhci_runtime_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch new file mode 100644 index 0000000000..6bad07d03f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-13754-4.patch @@ -0,0 +1,39 @@ +From 70b78d4e71494c90d2ccb40381336bc9b9a22f79 Mon Sep 17 00:00:00 2001 +From: Alistair Francis +Date: Tue, 30 Jun 2020 13:12:11 -0700 +Subject: [PATCH] hw/riscv: Allow 64 bit access to SiFive CLINT + +Commit 5d971f9e672507210e77d020d89e0e89165c8fc9 +"memory: Revert "memory: accept mismatching sizes in +memory_region_access_valid"" broke most RISC-V boards as they do 64 bit +accesses to the CLINT and QEMU would trigger a fault. Fix this failure +by allowing 8 byte accesses. + +Signed-off-by: Alistair Francis +Reviewed-by: LIU Zhiwei +Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c.1593547870.git.alistair.francis@wdc.com> + +https://git.qemu.org/?p=qemu.git;a=patch;h=70b78d4e71494c90d2ccb40381336bc9b9a22f79 +CVE: CVE-2020-13754 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/riscv/sifive_clint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/riscv/sifive_clint.c b/hw/riscv/sifive_clint.c +index b11ffa0..669c21a 100644 +--- a/hw/riscv/sifive_clint.c ++++ b/hw/riscv/sifive_clint.c +@@ -181,7 +181,7 @@ static const MemoryRegionOps sifive_clint_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { + .min_access_size = 4, +- .max_access_size = 4 ++ .max_access_size = 8 + } + }; + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch new file mode 100644 index 0000000000..cdd9c38db9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3713.patch @@ -0,0 +1,67 @@ +From a114d6baedf2cccb454a46d36e399fec1bc3e1c0 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 18 Aug 2021 14:05:05 +0200 +Subject: [PATCH] uas: add stream number sanity checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device uses the guest-supplied stream number unchecked, which can +lead to guest-triggered out-of-band access to the UASDevice->data3 and +UASDevice->status3 fields. Add the missing checks. + +Fixes: CVE-2021-3713 +Signed-off-by: Gerd Hoffmann +Reported-by: Chen Zhe +Reported-by: Tan Jingguo +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> + +https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a +CVE: CVE-2021-3713 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/usb/dev-uas.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index 6d6d1073..0b8cd4dd 100644 +--- a/hw/usb/dev-uas.c ++++ b/hw/usb/dev-uas.c +@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + } + break; + case UAS_PIPE_ID_STATUS: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + QTAILQ_FOREACH(st, &uas->results, next) { + if (st->stream == p->stream) { +@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + break; + case UAS_PIPE_ID_DATA_IN: + case UAS_PIPE_ID_DATA_OUT: ++ if (p->stream > UAS_MAX_STREAMS) { ++ goto err_stream; ++ } + if (p->stream) { + req = usb_uas_find_request(uas, p->stream); + } else { +@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ ++err_stream: ++ error_report("%s: invalid stream %d", __func__, p->stream); ++ p->status = USB_RET_STALL; ++ return; + } + + static void usb_uas_unrealize(USBDevice *dev, Error **errp) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch new file mode 100644 index 0000000000..b291ade4e3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3748.patch @@ -0,0 +1,124 @@ +From bedd7e93d01961fcb16a97ae45d93acf357e11f6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 2 Sep 2021 13:44:12 +0800 +Subject: [PATCH] virtio-net: fix use after unmap/free for sg + +When mergeable buffer is enabled, we try to set the num_buffers after +the virtqueue elem has been unmapped. This will lead several issues, +E.g a use after free when the descriptor has an address which belongs +to the non direct access region. In this case we use bounce buffer +that is allocated during address_space_map() and freed during +address_space_unmap(). + +Fixing this by storing the elems temporarily in an array and delay the +unmap after we set the the num_buffers. + +This addresses CVE-2021-3748. + +Reported-by: Alexander Bulekov +Fixes: fbe78f4f55c6 ("virtio-net support") +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang + +https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 +CVE: CVE-2021-3748 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- + 1 file changed, 32 insertions(+), 7 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 16d20cdee52a..f205331dcf8c 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1746,10 +1746,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + VirtIONet *n = qemu_get_nic_opaque(nc); + VirtIONetQueue *q = virtio_net_get_subqueue(nc); + VirtIODevice *vdev = VIRTIO_DEVICE(n); ++ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; ++ size_t lens[VIRTQUEUE_MAX_SIZE]; + struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; + struct virtio_net_hdr_mrg_rxbuf mhdr; + unsigned mhdr_cnt = 0; +- size_t offset, i, guest_offset; ++ size_t offset, i, guest_offset, j; ++ ssize_t err; + + if (!virtio_net_can_receive(nc)) { + return -1; +@@ -1780,6 +1783,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + total = 0; + ++ if (i == VIRTQUEUE_MAX_SIZE) { ++ virtio_error(vdev, "virtio-net unexpected long buffer chain"); ++ err = size; ++ goto err; ++ } ++ + elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); + if (!elem) { + if (i) { +@@ -1791,7 +1800,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + n->guest_hdr_len, n->host_hdr_len, + vdev->guest_features); + } +- return -1; ++ err = -1; ++ goto err; + } + + if (elem->in_num < 1) { +@@ -1799,7 +1809,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + "virtio-net receive queue contains no in buffers"); + virtqueue_detach_element(q->rx_vq, elem, 0); + g_free(elem); +- return -1; ++ err = -1; ++ goto err; + } + + sg = elem->in_sg; +@@ -1836,12 +1847,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!n->mergeable_rx_bufs && offset < size) { + virtqueue_unpop(q->rx_vq, elem, total); + g_free(elem); +- return size; ++ err = size; ++ goto err; + } + +- /* signal other side */ +- virtqueue_fill(q->rx_vq, elem, total, i++); +- g_free(elem); ++ elems[i] = elem; ++ lens[i] = total; ++ i++; + } + + if (mhdr_cnt) { +@@ -1851,10 +1863,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + &mhdr.num_buffers, sizeof mhdr.num_buffers); + } + ++ for (j = 0; j < i; j++) { ++ /* signal other side */ ++ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); ++ g_free(elems[j]); ++ } ++ + virtqueue_flush(q->rx_vq, i); + virtio_notify(vdev, q->rx_vq); + + return size; ++ ++err: ++ for (j = 0; j < i; j++) { ++ g_free(elems[j]); ++ } ++ ++ return err; + } + + static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch new file mode 100644 index 0000000000..b1b5558647 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3930.patch @@ -0,0 +1,53 @@ +From b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 4 Nov 2021 17:31:38 +0100 +Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT + commands + +This avoids an off-by-one read of 'mode_sense_valid' buffer in +hw/scsi/scsi-disk.c:mode_sense_page(). + +Fixes: CVE-2021-3930 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov +Fixes: a8f4bbe2900 ("scsi-disk: store valid mode pages in a table") +Fixes: #546 +Reported-by: Qiuhao Li +Signed-off-by: Mauro Matteo Cascella +Signed-off-by: Paolo Bonzini + +https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 +CVE: CVE-2021-3930 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/scsi/scsi-disk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e8a547dbb7..d4914178ea 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1087,6 +1087,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, + uint8_t *p = *p_outbuf + 2; + int length; + ++ assert(page < ARRAY_SIZE(mode_sense_valid)); + if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { + return -1; + } +@@ -1428,6 +1429,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, + return -1; + } + ++ /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ ++ if (page == MODE_PAGE_ALLS) { ++ return -1; ++ } ++ + p = mode_current; + memset(mode_current, 0, inlen + 2); + len = mode_sense_page(s, page, &p, 0); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch new file mode 100644 index 0000000000..80ad49e4ed --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4206.patch @@ -0,0 +1,89 @@ +From fa892e9abb728e76afcf27323ab29c57fb0fe7aa Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann + +https://gitlab.com/qemu-project/qemu/-/commit/fa892e9a +CVE: CVE-2021-4206 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293ba..ca217004bf 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index 98c83474ad..45d06cbe25 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -515,6 +515,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch new file mode 100644 index 0000000000..8418246247 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4207.patch @@ -0,0 +1,43 @@ +From 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:11:06 +0200 +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor + (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid fetching 'width' and 'height' a second time to prevent possible +race condition. Refer to security advisory +https://starlabs.sg/advisories/22-4207/ for more information. + +Fixes: CVE-2021-4207 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann + +https://gitlab.com/qemu-project/qemu/-/commit/9569f5cb +CVE: CVE-2021-4207 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d28849b121..237ed293ba 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch new file mode 100644 index 0000000000..6a7ce0e26c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-1.patch @@ -0,0 +1,42 @@ +From 6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Thomas Huth +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini + +https://gitlab.com/qemu-project/qemu/-/commit/6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8 +CVE: CVE-2022-0216 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index c8773f73f7..99ea42d49b 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch new file mode 100644 index 0000000000..137906cd30 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216-2.patch @@ -0,0 +1,52 @@ +From 4367a20cc442c56b05611b4224de9a61908f9eac Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH] scsi/lsi53c895a: really fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella +Tested-by: Alexander Bulekov +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini + +https://gitlab.com/qemu-project/qemu/-/commit/4367a20cc4 +CVE: CVE-2022-0216 +Upstream-Status: Backport +Signed-off-by: Chee Yang Lee +--- + hw/scsi/lsi53c895a.c | 3 +- + 1 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 99ea42d49b..ad5f5e5f39 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +- current_req->req = NULL; ++ current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++ current_req = NULL; + } + + /* As the current implemented devices scsi_disk and scsi_generic +-- +GitLab + From patchwork Wed Sep 21 02:37:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13070 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D158C6FA90 for ; Wed, 21 Sep 2022 02:37:59 +0000 (UTC) Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) by mx.groups.io with SMTP id smtpd.web12.2077.1663727872216919118 for ; Tue, 20 Sep 2022 19:37:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=GE+L3UDY; spf=softfail (domain: sakoman.com, ip: 209.85.215.176, mailfrom: steve@sakoman.com) Received: by mail-pg1-f176.google.com with SMTP id c7so4545102pgt.11 for ; Tue, 20 Sep 2022 19:37:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date; bh=TUedF0tnbzha/u2NqWWR97z1Im2BYdIhE9xLJm1v9GQ=; b=GE+L3UDYXhXMV0BV9Da7TmhTAv7l16jy7MMzErGFsBmZHEdwmQwjO9MgkI+UNP0YuY zex9k6DPZMXGS6016AjoVP9t436nOxeEcwo1qtZGZq3RbjzSYBRGLawIPgv13Vn+Ki34 /LnNps85bgEwmszvBbOui5tBxm4GEQOCOsIFSKgEUDPlYtPUDD5kpPDAcxdZdKAbhm/g mnZrpUwHNi6YidIi8/oyCpsykEP4AIixy1jlajqudmgGKMXO/7FSYEIhZIqvtAXQJyXh AGCFVsDsaX7Nod2qziFRpjLXvm+uuCjUHg94Sa8Kxq2n+VbESGyBcJvQOII3bqmXhD2K NNAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date; bh=TUedF0tnbzha/u2NqWWR97z1Im2BYdIhE9xLJm1v9GQ=; b=PuXChRVH4Md0icSuz8jKsyr0l0sPMku9OFj/huXqa1Cc48t1EMP9nUmJQUV4LwJTAY UepkLdmiEYqmd6gaiu6RwWy8xochJY/Dzj93F0TeSe7MxxFl73wzXcwtu1GZC1ol4Hs2 Lq/k4lo+JXmB9DwfrTo3qb6QkwKenmZyBP8DlxZb6j7ADMavFIHOGdFUDxryrr13Xi16 NJP6o8Mjq4bnWNJ/h5KqmaRjuzsx3R2qpAtJvOfVaWlTt8jay89goRGzaVw8GFGjlDLY 2wpHOQD9JiWaif9rW5I+nKP8zl/ORreQRxwIIBo6sUxGsmxTCD3J7YQ0tSrdD/y/S5nn lNvQ== X-Gm-Message-State: ACrzQf3JxxgfjhmNxAFO6F2ZuPq6cDcJV5EGbjv5M9zqiekN131RNBtD 0fXEq/xCwRSg41GdjCWQ/MCLDvTqaRCR9VyG X-Google-Smtp-Source: AMsMyM6K90uaW864Tjrt5k8c8FGw6jqO+iQ+mrsFsCSwnBtmR7Yb5cHtDK1PIx7uv9+ExuMEH7VFaw== X-Received: by 2002:aa7:91da:0:b0:552:8d8b:d275 with SMTP id z26-20020aa791da000000b005528d8bd275mr2561124pfa.30.1663727871239; Tue, 20 Sep 2022 19:37:51 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id 207-20020a6215d8000000b00537a6b81bb7sm670154pfv.148.2022.09.20.19.37.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Sep 2022 19:37:50 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/6] qemu: Define libnfs PACKAGECONFIG Date: Tue, 20 Sep 2022 16:37:16 -1000 Message-Id: <9badcf0261f6b735d65a5498bb8fbb9979d7a07f.1663727733.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Sep 2022 02:37:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170925 From: Andrei Gherzan The upstream qemu recipe uses host's pkg-config files as a solution to detecting host's SDL. This has a side effect of using other host libraries that are later queried by the configure script. This can get into a situation when the host provides libnfs (for example) and because later this dependency is not in place anymore, qemu will fail at runtime. This change adds a PACKAGECONFIG definition for libnfs that is disabled by default, in turn disabling the pkgconfig autodetection in configure. Signed-off-by: Andrei Gherzan Signed-off-by: Richard Purdie (cherry picked from commit 42b364a25fdbc987c85dd46b8427045033924d99) Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c1db723e90..b432b01224 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -271,6 +271,8 @@ PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev" PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2" PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp" PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone" +# libnfs is currently provided by meta-kodi +PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs" INSANE_SKIP_${PN} = "arch" From patchwork Wed Sep 21 02:37:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 13069 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 419FAC54EE9 for ; Wed, 21 Sep 2022 02:37:59 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.web09.2082.1663727874220068169 for ; Tue, 20 Sep 2022 19:37:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=GYShTLcY; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d82so4510137pfd.10 for ; Tue, 20 Sep 2022 19:37:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date; bh=TPEVYYBJMjhQVHnJyuQpZIjSvpyEAr/ic6IrM2qQ3xk=; b=GYShTLcY0YWel46RvYO+wPAT9FHtGfC6ELBxRaLhbtS5MaNP9U/u4RfoX7jIDvyx8r CT3xd9uiIXoGejTfNKq4cjvTYBaLrofpiXpxbB4kbppmFiq1KWcAufXUVSbDuC5+n2U+ Nlx3Qv4qyNS7vT661YKt9Xx2929HgHz+xCZYaIUxZWbuyyPIK9HJrJpEdmLo3f2TaUo+ 3sBSZjtiJcwL2+0/r/k/LzLNCkdL/gzyine/KfphNqzpzCtwfeVBPEAn6Hj5sY1110GN 2noCaQauN8xy2aNqTdvQS7x8skjWSJJaUr55tddiAZPtymk59HZnjCyivCfXK8eKaTFU oX9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date; bh=TPEVYYBJMjhQVHnJyuQpZIjSvpyEAr/ic6IrM2qQ3xk=; b=CrHVbFucaAw3YEnV36VKk4NMBhdI769dgr2FWU+1nYx4xh9EDpKGEfgxSCtEezGtAY OWeCCGthrfUlJJeVjrQWqeUHEUyMAEuCS01UDlt0rOvyAb5Q81sxI3ziVLXAlQAe5F/q lkxH3/HnXXSKOn40F7Cv2K5jIPfVyTYx8mPN48hW+72bVJ3TLO1tnRb+AA9nvUQF3Rb4 CeWvpPn0Rxdcc/vOTVZZc5+Ef1+HHYBrFxMKesfEIxKxjRZvc8r7paFbzZ4PVLZ2bi4v F63oeT9C2aldJegpxTVJHP7woNrEKQZWQvO1pGXi65Dp9J5zjOVEC05UBQpt9QDqheul Zc7A== X-Gm-Message-State: ACrzQf3NVi4pphTdtUJ93ZxSTdoW1PGjmh2g5ErCB/wVD9/KkHjCZMft COB/sX2631M154ze8BLicItD+ykFNLKqwo0F X-Google-Smtp-Source: AMsMyM5EocYMijEhcziA/4JQrfoBHv0cwm98CDPkdHILDEAM/jedCGx8APVchEjsz7uRARdYUDMslQ== X-Received: by 2002:a62:3602:0:b0:551:b15c:1235 with SMTP id d2-20020a623602000000b00551b15c1235mr5158856pfa.14.1663727873243; Tue, 20 Sep 2022 19:37:53 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id 207-20020a6215d8000000b00537a6b81bb7sm670154pfv.148.2022.09.20.19.37.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Sep 2022 19:37:52 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 6/6] qemu: Add PACKAGECONFIG for brlapi Date: Tue, 20 Sep 2022 16:37:17 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 21 Sep 2022 02:37:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/170926 From: Richard Purdie Signed-off-by: Richard Purdie (cherry picked from commit 482471a617e5f682416b7ec1a920dfaeac65f1a3) Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index b432b01224..368be9979a 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -273,6 +273,7 @@ PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp" PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone" # libnfs is currently provided by meta-kodi PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs" +PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi" INSANE_SKIP_${PN} = "arch"