From 7dd3ed26ca09df0e582be8cc2780bba588bdd11e Mon Sep 17 00:00:00 2001 From: P Dheeraj Srujan Kumar Date: Fri, 2 Dec 2022 23:23:31 +0530 Subject: [PATCH] Update to internal 1-0.92 Signed-off-by: P Dheeraj Srujan Kumar --- .../obmc-phosphor-full-fitimage.bbclass | 7 +- .../u-boot/files/CVE-2022-34835.patch | 118 ++++++ .../recipes-bsp/u-boot/u-boot-%.bbappend | 1 + .../CVE-2022-1292-Fix-openssl-c_rehash.patch | 76 ++++ ...2068-Fix-file-operations-in-c_rehash.patch | 257 +++++++++++++ ...ES-OCB-encryptdecrypt-for-x86-AES-NI.patch | 73 ++++ .../openssl/openssl_1.1.1l.bb | 3 + ..._s-compilation-issue-for-safec-3.5.1.patch | 4 +- .../busybox/busybox/CVE-2022-28391_1.patch | 40 +++ .../busybox/busybox/CVE-2022-28391_2.patch | 68 ++++ .../recipes-core/busybox/busybox_%.bbappend | 2 + .../expat/expat/CVE-2022-40674_1.patch | 49 +++ .../expat/expat/CVE-2022-40674_2.patch | 104 ++++++ .../recipes-core/expat/expat_2.4.5.bb | 2 + ...er-overflows-in-xmlBuf-and-xmlBuffer.patch | 340 ++++++++++++++++++ .../recipes-core/libxml/libxml2_%.bbappend | 1 + ...Fix-added-to-mitigate-CVE-2022-29458.patch | 65 ++++ .../recipes-core/ncurses/ncurses_%.bbappend | 4 +- .../recipes-core/systemd/systemd_%.bbappend | 4 + .../zlib/zlib/CVE-2022-37434_1.patch | 32 ++ .../zlib/zlib/CVE-2022-37434_2.patch | 29 ++ .../recipes-core/zlib/zlib_%.bbappend | 2 + ...e-update-fix-for-mis-aligned-sectors.patch | 82 +++++ ...ossible-freeing-of-mismatched-memory.patch | 39 ++ ...Key-Cancellation-Update-Capsule-Flow.patch | 224 ++++++++++++ .../recipes-devtools/mtd-util/mtd-util.bb | 5 + .../logrotate/logrotate_3.20.1.bb | 91 +++++ .../sdbusplus/sdbusplus_%.bbappend | 2 +- .../linux/linux-aspeed/CVE-2021-39685-1.patch | 45 +++ .../linux/linux-aspeed/CVE-2021-39685-2.patch | 93 +++++ .../linux/linux-aspeed/CVE-2021-39685.patch | 108 ++++++ .../linux/linux-aspeed/CVE-2021-39698-1.patch | 47 +++ .../linux/linux-aspeed/CVE-2021-39698.patch | 107 ++++++ .../linux/linux-aspeed/CVE-2021-4083.patch | 64 ++++ .../linux/linux-aspeed/CVE-2022-0168.patch | 335 +++++++++++++++++ .../linux/linux-aspeed/CVE-2022-1012.patch | 146 ++++++++ .../linux/linux-aspeed/CVE-2022-1184_1.patch | 81 +++++ .../linux/linux-aspeed/CVE-2022-1184_2.patch | 88 +++++ .../linux/linux-aspeed/CVE-2022-1729.patch | 71 ++++ .../linux/linux-aspeed/CVE-2022-1998.patch | 52 +++ .../linux/linux-aspeed/CVE-2022-20008.patch | 83 +++++ .../linux/linux-aspeed/CVE-2022-20368.patch | 114 ++++++ .../linux/linux-aspeed/CVE-2022-2503.patch | 35 ++ .../linux/linux-aspeed/CVE-2022-2938.patch | 249 +++++++++++++ .../linux/linux-aspeed/CVE-2022-2959.patch | 97 +++++ .../linux/linux-aspeed/CVE-2022-30594.patch | 103 ++++++ .../linux/linux-aspeed/CVE-2022-32296.patch | 61 ++++ .../linux/linux-aspeed/CVE-2022-40476.patch | 35 ++ .../linux/linux-aspeed_%.bbappend | 20 ++ ...PCIeFunctions-not-showing-in-Redfish.patch | 62 ++++ .../interfaces/bmcweb_%.bbappend | 1 + .../recipes-phosphor/pmci/nvmemi-daemon.bb | 2 +- .../recipes-phosphor/pmci/pldmd.bb | 2 +- ...x-for-PSU2-Power-lost-RedFish-events.patch | 124 +++++++ ...R-sensor-readings-if-content-is-0xFF.patch | 44 +++ .../sensors/dbus-sensors_%.bbappend | 2 + .../telemetry/telemetry_%.bbappend | 4 +- .../CVE-2022-32205-cookie-apply-limits.patch | 171 +++++++++ ...-error-on-too-many-compression-steps.patch | 48 +++ ...l_fopen-for-better-overwriting-of-fi.patch | 280 +++++++++++++++ ...turn-error-properly-on-decode-errors.patch | 64 ++++ .../curl/{curl_7.79.1.bb => curl_7.83.1.bb} | 8 +- 62 files changed, 4559 insertions(+), 11 deletions(-) create mode 100644 meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch rename meta-openbmc-mods/meta-common/recipes-support/curl/{curl_7.79.1.bb => curl_7.83.1.bb} (88%) diff --git a/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass b/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass index 6e0411a5c9..db2e61aa8f 100644 --- a/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass +++ b/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass @@ -340,8 +340,11 @@ fitimage_assemble() { DTBS="" ramdiskcount=${3} setupcount="" - #hash_type="sha256" - hash_type="" + if [ ! -z ${SPL_BINARY} ]; then + hash_type="sha256" + else + hash_type="" + fi rm -f ${1} ${2} # diff --git a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch new file mode 100644 index 0000000000..be6d80521c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch @@ -0,0 +1,118 @@ +From 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Fri, 10 Jun 2022 14:50:25 +0000 +Subject: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md + command + +When running "i2c md 0 0 80000100", the function do_i2c_md parses the +length into an unsigned int variable named length. The value is then +moved to a signed variable: + + int nbytes = length; + #define DISP_LINE_LEN 16 + int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes; + ret = dm_i2c_read(dev, addr, linebuf, linebytes); + +On systems where integers are 32 bits wide, 0x80000100 is a negative +value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned +0x80000100 instead of 16. + +The consequence is that the function which reads from the i2c device +(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill +but with a size parameter which is too large. In some cases, this could +trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c +(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to +a 16-bit integer. This is because function i2c_transfer expects an +unsigned short length. In such a case, an attacker who can control the +response of an i2c device can overwrite the return address of a function +and execute arbitrary code through Return-Oriented Programming. + +Fix this issue by using unsigned integers types in do_i2c_md. While at +it, make also alen unsigned, as signed sizes can cause vulnerabilities +when people forgot to check that they can be negative. + +Signed-off-by: Nicolas Iooss +Reviewed-by: Heiko Schocher +--- + cmd/i2c.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/cmd/i2c.c b/cmd/i2c.c +index 9050b2b8d27a..bd04b14024be 100644 +--- a/cmd/i2c.c ++++ b/cmd/i2c.c +@@ -200,10 +200,10 @@ void i2c_init_board(void) + * + * Returns the address length. + */ +-static uint get_alen(char *arg, int default_len) ++static uint get_alen(char *arg, uint default_len) + { +- int j; +- int alen; ++ uint j; ++ uint alen; + + alen = default_len; + for (j = 0; j < 8; j++) { +@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc, + { + uint chip; + uint devaddr, length; +- int alen; ++ uint alen; + u_char *memaddr; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) +@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc, + { + uint chip; + uint devaddr, length; +- int alen; ++ uint alen; + u_char *memaddr; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) +@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc, + { + uint chip; + uint addr, length; +- int alen; +- int j, nbytes, linebytes; ++ uint alen; ++ uint j, nbytes, linebytes; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) + struct udevice *dev; +@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc, + { + uint chip; + ulong addr; +- int alen; ++ uint alen; + uchar byte; +- int count; ++ uint count; + int ret; + #if CONFIG_IS_ENABLED(DM_I2C) + struct udevice *dev; +@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc, + { + uint chip; + ulong addr; +- int alen; +- int count; ++ uint alen; ++ uint count; + uchar byte; + ulong crc; + ulong err; +@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) + { + uint chip; +- int alen; ++ uint alen; + uint addr; + uint length; + u_char bytes[16]; diff --git a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend index e9093b4032..21612fe2e3 100644 --- a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend @@ -2,4 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:" SRC_URI += " \ file://fw_env.config \ + file://CVE-2022-34835.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch new file mode 100644 index 0000000000..ec4daf0152 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch @@ -0,0 +1,76 @@ +From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 26 Apr 2022 12:40:24 +0200 +Subject: [PATCH] c_rehash: Do not use shell to invoke openssl + +Except on VMS where it is safe. + +This fixes CVE-2022-1292. + +Reviewed-by: Matthias St. Pierre +Reviewed-by: Matt Caswell +--- + tools/c_rehash.in | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index fa7c6c9fef..83c1cc80e0 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -152,6 +152,23 @@ sub check_file { + return ($is_cert, $is_crl); + } + ++sub compute_hash { ++ my $fh; ++ if ( $^O eq "VMS" ) { ++ # VMS uses the open through shell ++ # The file names are safe there and list form is unsupported ++ if (!open($fh, "-|", join(' ', @_))) { ++ print STDERR "Cannot compute hash on '$fname'\n"; ++ return; ++ } ++ } else { ++ if (!open($fh, "-|", @_)) { ++ print STDERR "Cannot compute hash on '$fname'\n"; ++ return; ++ } ++ } ++ return (<$fh>, <$fh>); ++} + + # Link a certificate to its subject name hash value, each hash is of + # the form . where n is an integer. If the hash value already exists +@@ -161,10 +178,12 @@ sub check_file { + + sub link_hash_cert { + my $fname = $_[0]; +- $fname =~ s/\"/\\\"/g; +- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`; ++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, ++ "-fingerprint", "-noout", ++ "-in", $fname); + chomp $hash; + chomp $fprint; ++ return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; +@@ -202,10 +221,12 @@ sub link_hash_cert { + + sub link_hash_crl { + my $fname = $_[0]; +- $fname =~ s/'/'\\''/g; +- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`; ++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, ++ "-fingerprint", "-noout", ++ "-in", $fname); + chomp $hash; + chomp $fprint; ++ return if !$hash; + $fprint =~ s/^.*=//; + $fprint =~ tr/://d; + my $suffix = 0; +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch new file mode 100644 index 0000000000..04e75877ab --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch @@ -0,0 +1,257 @@ +From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001 +From: Daniel Fiala +Date: Sun, 29 May 2022 20:11:24 +0200 +Subject: [PATCH] Fix file operations in c_rehash. + +CVE-2022-2068 + +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +--- + tools/c_rehash.in | 216 +++++++++++++++++++++++----------------------- + 1 file changed, 107 insertions(+), 109 deletions(-) + +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index cfd18f5da1..9d2a6f6db7 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -104,52 +104,78 @@ foreach (@dirlist) { + } + exit($errorcount); + ++sub copy_file { ++ my ($src_fname, $dst_fname) = @_; ++ ++ if (open(my $in, "<", $src_fname)) { ++ if (open(my $out, ">", $dst_fname)) { ++ print $out $_ while (<$in>); ++ close $out; ++ } else { ++ warn "Cannot open $dst_fname for write, $!"; ++ } ++ close $in; ++ } else { ++ warn "Cannot open $src_fname for read, $!"; ++ } ++} ++ + sub hash_dir { +- my %hashlist; +- print "Doing $_[0]\n"; +- chdir $_[0]; +- opendir(DIR, "."); +- my @flist = sort readdir(DIR); +- closedir DIR; +- if ( $removelinks ) { +- # Delete any existing symbolic links +- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { +- if (-l $_) { +- print "unlink $_" if $verbose; +- unlink $_ || warn "Can't unlink $_, $!\n"; +- } +- } +- } +- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { +- # Check to see if certificates and/or CRLs present. +- my ($cert, $crl) = check_file($fname); +- if (!$cert && !$crl) { +- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; +- next; +- } +- link_hash_cert($fname) if ($cert); +- link_hash_crl($fname) if ($crl); +- } ++ my $dir = shift; ++ my %hashlist; ++ ++ print "Doing $dir\n"; ++ ++ if (!chdir $dir) { ++ print STDERR "WARNING: Cannot chdir to '$dir', $!\n"; ++ return; ++ } ++ ++ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n"; ++ my @flist = sort readdir(DIR); ++ closedir DIR; ++ if ( $removelinks ) { ++ # Delete any existing symbolic links ++ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { ++ if (-l $_) { ++ print "unlink $_\n" if $verbose; ++ unlink $_ || warn "Can't unlink $_, $!\n"; ++ } ++ } ++ } ++ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { ++ # Check to see if certificates and/or CRLs present. ++ my ($cert, $crl) = check_file($fname); ++ if (!$cert && !$crl) { ++ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; ++ next; ++ } ++ link_hash_cert($fname) if ($cert); ++ link_hash_crl($fname) if ($crl); ++ } ++ ++ chdir $pwd; + } + + sub check_file { +- my ($is_cert, $is_crl) = (0,0); +- my $fname = $_[0]; +- open IN, $fname; +- while() { +- if (/^-----BEGIN (.*)-----/) { +- my $hdr = $1; +- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { +- $is_cert = 1; +- last if ($is_crl); +- } elsif ($hdr eq "X509 CRL") { +- $is_crl = 1; +- last if ($is_cert); +- } +- } +- } +- close IN; +- return ($is_cert, $is_crl); ++ my ($is_cert, $is_crl) = (0,0); ++ my $fname = $_[0]; ++ ++ open(my $in, "<", $fname); ++ while(<$in>) { ++ if (/^-----BEGIN (.*)-----/) { ++ my $hdr = $1; ++ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { ++ $is_cert = 1; ++ last if ($is_crl); ++ } elsif ($hdr eq "X509 CRL") { ++ $is_crl = 1; ++ last if ($is_cert); ++ } ++ } ++ } ++ close $in; ++ return ($is_cert, $is_crl); + } + + sub compute_hash { +@@ -177,76 +203,48 @@ sub compute_hash { + # certificate fingerprints + + sub link_hash_cert { +- my $fname = $_[0]; +- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash, +- "-fingerprint", "-noout", +- "-in", $fname); +- chomp $hash; +- chomp $fprint; +- return if !$hash; +- $fprint =~ s/^.*=//; +- $fprint =~ tr/://d; +- my $suffix = 0; +- # Search for an unused hash filename +- while(exists $hashlist{"$hash.$suffix"}) { +- # Hash matches: if fingerprint matches its a duplicate cert +- if ($hashlist{"$hash.$suffix"} eq $fprint) { +- print STDERR "WARNING: Skipping duplicate certificate $fname\n"; +- return; +- } +- $suffix++; +- } +- $hash .= ".$suffix"; +- if ($symlink_exists) { +- print "link $fname -> $hash\n" if $verbose; +- symlink $fname, $hash || warn "Can't symlink, $!"; +- } else { +- print "copy $fname -> $hash\n" if $verbose; +- if (open($in, "<", $fname)) { +- if (open($out,">", $hash)) { +- print $out $_ while (<$in>); +- close $out; +- } else { +- warn "can't open $hash for write, $!"; +- } +- close $in; +- } else { +- warn "can't open $fname for read, $!"; +- } +- } +- $hashlist{$hash} = $fprint; ++ link_hash($_[0], 'cert'); + } + + # Same as above except for a CRL. CRL links are of the form .r + + sub link_hash_crl { +- my $fname = $_[0]; +- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash, +- "-fingerprint", "-noout", +- "-in", $fname); +- chomp $hash; +- chomp $fprint; +- return if !$hash; +- $fprint =~ s/^.*=//; +- $fprint =~ tr/://d; +- my $suffix = 0; +- # Search for an unused hash filename +- while(exists $hashlist{"$hash.r$suffix"}) { +- # Hash matches: if fingerprint matches its a duplicate cert +- if ($hashlist{"$hash.r$suffix"} eq $fprint) { +- print STDERR "WARNING: Skipping duplicate CRL $fname\n"; +- return; +- } +- $suffix++; +- } +- $hash .= ".r$suffix"; +- if ($symlink_exists) { +- print "link $fname -> $hash\n" if $verbose; +- symlink $fname, $hash || warn "Can't symlink, $!"; +- } else { +- print "cp $fname -> $hash\n" if $verbose; +- system ("cp", $fname, $hash); +- warn "Can't copy, $!" if ($? >> 8) != 0; +- } +- $hashlist{$hash} = $fprint; ++ link_hash($_[0], 'crl'); ++} ++ ++sub link_hash { ++ my ($fname, $type) = @_; ++ my $is_cert = $type eq 'cert'; ++ ++ my ($hash, $fprint) = compute_hash($openssl, ++ $is_cert ? "x509" : "crl", ++ $is_cert ? $x509hash : $crlhash, ++ "-fingerprint", "-noout", ++ "-in", $fname); ++ chomp $hash; ++ chomp $fprint; ++ return if !$hash; ++ $fprint =~ s/^.*=//; ++ $fprint =~ tr/://d; ++ my $suffix = 0; ++ # Search for an unused hash filename ++ my $crlmark = $is_cert ? "" : "r"; ++ while(exists $hashlist{"$hash.$crlmark$suffix"}) { ++ # Hash matches: if fingerprint matches its a duplicate cert ++ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) { ++ my $what = $is_cert ? 'certificate' : 'CRL'; ++ print STDERR "WARNING: Skipping duplicate $what $fname\n"; ++ return; ++ } ++ $suffix++; ++ } ++ $hash .= ".$crlmark$suffix"; ++ if ($symlink_exists) { ++ print "link $fname -> $hash\n" if $verbose; ++ symlink $fname, $hash || warn "Can't symlink, $!"; ++ } else { ++ print "copy $fname -> $hash\n" if $verbose; ++ copy_file($fname, $hash); ++ } ++ $hashlist{$hash} = $fprint; + } +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch new file mode 100644 index 0000000000..aa5bbb6043 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch @@ -0,0 +1,73 @@ +From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001 +From: Alex Chernyakhovsky +Date: Thu, 16 Jun 2022 12:00:22 +1000 +Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path +that performs operations on 6 16-byte blocks concurrently (the +"grandloop") and then proceeds to handle the "short" tail (which can +be anywhere from 0 to 5 blocks) that remain. + +As part of initialization, the assembly initializes $len to the true +length, less 96 bytes and converts it to a pointer so that the $inp +can be compared to it. Each iteration of "grandloop" checks to see if +there's a full 96-byte chunk to process, and if so, continues. Once +this has been exhausted, it falls through to "short", which handles +the remaining zero to five blocks. + +Unfortunately, the jump at the end of "grandloop" had a fencepost +error, doing a `jb` ("jump below") rather than `jbe` (jump below or +equal). This should be `jbe`, as $inp is pointing to the *end* of the +chunk currently being handled. If $inp == $len, that means that +there's a whole 96-byte chunk waiting to be handled. If $inp > $len, +then there's 5 or fewer 16-byte blocks left to be handled, and the +fall-through is intended. + +The net effect of `jb` instead of `jbe` is that the last 16-byte block +of the last 96-byte chunk was completely omitted. The contents of +`out` in this position were never written to. Additionally, since +those bytes were never processed, the authentication tag generated is +also incorrect. + +The same fencepost error, and identical logic, exists in both +aesni_ocb_encrypt and aesni_ocb_decrypt. + +This addresses CVE-2022-2097. + +Co-authored-by: Alejandro Sedeño +Co-authored-by: David Benjamin + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +--- + crypto/aes/asm/aesni-x86.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl +index fe2b26542a..812758e02e 100644 +--- a/crypto/aes/asm/aesni-x86.pl ++++ b/crypto/aes/asm/aesni-x86.pl +@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); + &movdqu (&QWP(-16*2,$out,$inp),$inout4); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out); + &pxor ($rndkey1,$inout5); + &movdqu (&QWP(-16*1,$out,$inp),$inout5); + &cmp ($inp,$len); # done yet? +- &jb (&label("grandloop")); ++ &jbe (&label("grandloop")); + + &set_label("short"); + &add ($len,16*6); +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb index ac5c819987..dc2a8ccff6 100644 --- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb @@ -18,6 +18,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://afalg.patch \ file://reproducible.patch \ file://CVE-2022-0778.patch \ + file://CVE-2022-1292-Fix-openssl-c_rehash.patch \ + file://CVE-2022-2068-Fix-file-operations-in-c_rehash.patch \ + file://CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch \ " SRC_URI:append:class-nativesdk = " \ diff --git a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch index 943ffb4a84..f1e7971eb1 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch +++ b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch @@ -7,9 +7,9 @@ A missing macro was defined to ensure sprintf_s macro defintion is set when safe_str_lib.h is included. Test: -Remove openbmc-meta-intel/meta-common/recipes-core/safec/safec_3.4.bb +Remove meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb Compile at-scale-debug using devtool -ASD Sanity finished successfully(SPR). +ASD Sanity finished successfully. Signed-off-by: Ernesto Corona Change-Id: Idd94b4ba9ff8b4194317a045b140ce90db2ee860 diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch new file mode 100644 index 0000000000..1d1716e3b0 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch @@ -0,0 +1,40 @@ +From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Sun, 3 Apr 2022 12:14:33 +0000 +Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are + returned for the hostname part + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill +--- + libbb/xconnect.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/libbb/xconnect.c b/libbb/xconnect.c +index 0e0b247b8..02c061e67 100644 +--- a/libbb/xconnect.c ++++ b/libbb/xconnect.c +@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + ); + if (rc) + return NULL; ++ /* ensure host contains only printable characters */ + if (flags & IGNORE_PORT) +- return xstrdup(host); ++ return xstrdup(printable_string(host)); + #if ENABLE_FEATURE_IPV6 + if (sa->sa_family == AF_INET6) { + if (strchr(host, ':')) /* heh, it's not a resolved hostname */ +@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags) + #endif + /* For now we don't support anything else, so it has to be INET */ + /*if (sa->sa_family == AF_INET)*/ +- return xasprintf("%s:%s", host, serv); ++ return xasprintf("%s:%s", printable_string(host), serv); + /*return xstrdup(host);*/ + } + +-- +2.35.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch new file mode 100644 index 0000000000..01c45c9ba6 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch @@ -0,0 +1,68 @@ +From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001 +From: Ariadne Conill +Date: Sun, 3 Apr 2022 12:16:45 +0000 +Subject: [PATCH 2/2] nslookup: sanitize all printed strings with + printable_string + +Otherwise, terminal sequences can be injected, which enables various terminal injection +attacks from DNS results. + +CVE: Pending +Upstream-Status: Pending +Signed-off-by: Ariadne Conill +--- + networking/nslookup.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/networking/nslookup.c b/networking/nslookup.c +index 6da97baf4..4bdcde1b8 100644 +--- a/networking/nslookup.c ++++ b/networking/nslookup.c +@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Unable to uncompress domain: %s\n", strerror(errno)); + return -1; + } +- printf(format, ns_rr_name(rr), dname); ++ printf(format, ns_rr_name(rr), printable_string(dname)); + break; + + case ns_t_mx: +@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + //printf("Cannot uncompress MX domain: %s\n", strerror(errno)); + return -1; + } +- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname); ++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname)); + break; + + case ns_t_txt: +@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + if (n > 0) { + memset(dname, 0, sizeof(dname)); + memcpy(dname, ns_rr_rdata(rr) + 1, n); +- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname); ++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname)); + } + break; + +@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + } + + printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr), +- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname); ++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname)); + break; + + case ns_t_soa: +@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len) + return -1; + } + +- printf("\tmail addr = %s\n", dname); ++ printf("\tmail addr = %s\n", printable_string(dname)); + cp += n; + + printf("\tserial = %lu\n", ns_get32(cp)); +-- +2.35.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend index ee6330b69b..42a52e0d7c 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend @@ -2,6 +2,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += " \ file://disable.cfg \ file://enable.cfg \ + file://CVE-2022-28391_1.patch \ + file://CVE-2022-28391_2.patch \ " SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch new file mode 100644 index 0000000000..80ddcb4f22 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch @@ -0,0 +1,49 @@ +From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001 +From: Rhodri James +Date: Wed, 17 Aug 2022 18:26:18 +0100 +Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser + +It is possible to concoct a situation in which parsing is +suspended while substituting in an internal entity, so that +XML_ResumeParser directly uses internalEntityProcessor as +its processor. If the subsequent parse includes some unclosed +tags, this will return without calling storeRawNames to ensure +that the raw versions of the tag names are stored in memory other +than the parse buffer itself. If the parse buffer is then changed +or reallocated (for example if processing a file line by line), +badness will ensue. + +This patch ensures storeRawNames is always called when needed +after calling doContent. The earlier call do doContent does +not need the same protection; it only deals with entity +substitution, which cannot leave unbalanced tags, and in any +case the raw names will be pointing into the stored entity +value not the parse buffer. +--- + lib/xmlparse.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 7bcabf7f4..d73f419cf 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + { + parser->m_processor = contentProcessor; + /* see externalEntityContentProcessor vs contentProcessor */ +- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, +- s, end, nextPtr, +- (XML_Bool)! parser->m_parsingStatus.finalBuffer, +- XML_ACCOUNT_DIRECT); ++ result = doContent(parser, parser->m_parentParser ? 1 : 0, ++ parser->m_encoding, s, end, nextPtr, ++ (XML_Bool)! parser->m_parsingStatus.finalBuffer, ++ XML_ACCOUNT_DIRECT); ++ if (result == XML_ERROR_NONE) { ++ if (! storeRawNames(parser)) ++ return XML_ERROR_NO_MEMORY; ++ } ++ return result; + } + } + diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch new file mode 100644 index 0000000000..affd97faf4 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch @@ -0,0 +1,104 @@ +From a7ce80a013f2a08cb1ac4aac368f2250eea03ebf Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Sun, 11 Sep 2022 19:34:33 +0200 +Subject: [PATCH 1/2] tests: Cover heap use-after-free issue in doContent + +--- + tests/runtests.c | 74 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) + +diff --git a/tests/runtests.c b/tests/runtests.c +index ea371b42f..ab3aff65b 100644 +--- a/tests/runtests.c ++++ b/tests/runtests.c +@@ -4990,6 +4990,78 @@ START_TEST(test_suspend_resume_internal_entity) { + } + END_TEST + ++void ++suspending_comment_handler(void *userData, const XML_Char *data) { ++ UNUSED_P(data); ++ XML_Parser parser = (XML_Parser)userData; ++ XML_StopParser(parser, XML_TRUE); ++} ++ ++START_TEST(test_suspend_resume_internal_entity_issue_629) { ++ const char *const text ++ = "a'>]>&e;\n" ++ "<" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ "/>" ++ ""; ++ const size_t firstChunkSizeBytes = 54; ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_SetUserData(parser, parser); ++ XML_SetCommentHandler(parser, suspending_comment_handler); ++ ++ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE) ++ != XML_STATUS_SUSPENDED) ++ xml_failure(parser); ++ if (XML_ResumeParser(parser) != XML_STATUS_OK) ++ xml_failure(parser); ++ if (XML_Parse(parser, text + firstChunkSizeBytes, ++ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE) ++ != XML_STATUS_OK) ++ xml_failure(parser); ++ XML_ParserFree(parser); ++} ++END_TEST ++ + /* Test syntax error is caught at parse resumption */ + START_TEST(test_resume_entity_with_syntax_error) { + const char *text = " +Date: Tue, 8 Mar 2022 20:10:02 +0100 +Subject: [PATCH] [CVE-2022-29824] Fix integer overflows + +In several places, the code handling string buffers didn't check for +integer overflow or used wrong types for buffer sizes. This could +result in out-of-bounds writes or other memory errors when working on +large, multi-gigabyte buffers. + +Thanks to Felix Wilhelm for the report. +--- + buf.c | 86 +++++++++++++++++++++++----------------------------------- + tree.c | 72 ++++++++++++++++++------------------------------ + 2 files changed, 61 insertions(+), 97 deletions(-) + +diff --git a/buf.c b/buf.c +index 24368d37..40a5ee06 100644 +--- a/buf.c ++++ b/buf.c +@@ -30,6 +30,10 @@ + #include /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + ++#ifndef SIZE_MAX ++#define SIZE_MAX ((size_t) -1) ++#endif ++ + #define WITH_BUFFER_COMPAT + + /** +@@ -156,6 +160,8 @@ xmlBufPtr + xmlBufCreateSize(size_t size) { + xmlBufPtr ret; + ++ if (size == SIZE_MAX) ++ return(NULL); + ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf)); + if (ret == NULL) { + xmlBufMemoryError(NULL, "creating buffer"); +@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) { + ret->error = 0; + ret->buffer = NULL; + ret->alloc = xmlBufferAllocScheme; +- ret->size = (size ? size+2 : 0); /* +1 for ending null */ +- ret->compat_size = (int) ret->size; ++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */ ++ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size); + if (ret->size){ + ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); + if (ret->content == NULL) { +@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); +- if (buf->use + len < buf->size) ++ if (len < buf->size - buf->use) + return(buf->size - buf->use); ++ if (len > SIZE_MAX - buf->use) ++ return(0); + +- /* +- * Windows has a BIG problem on realloc timing, so we try to double +- * the buffer size (if that's enough) (bug 146697) +- * Apparently BSD too, and it's probably best for linux too +- * On an embedded system this may be something to change +- */ +-#if 1 +- if (buf->size > (size_t) len) +- size = buf->size * 2; +- else +- size = buf->use + len + 100; +-#else +- size = buf->use + len + 100; +-#endif ++ if (buf->size > (size_t) len) { ++ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2; ++ } else { ++ size = buf->use + len; ++ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100; ++ } + + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* +@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf) + int + xmlBufResize(xmlBufPtr buf, size_t size) + { +- unsigned int newSize; ++ size_t newSize; + xmlChar* rebuf = NULL; + size_t start_buf; + +@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size) + case XML_BUFFER_ALLOC_IO: + case XML_BUFFER_ALLOC_DOUBLEIT: + /*take care of empty case*/ +- newSize = (buf->size ? buf->size*2 : size + 10); ++ if (buf->size == 0) { ++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); ++ } else { ++ newSize = buf->size; ++ } + while (size > newSize) { +- if (newSize > UINT_MAX / 2) { ++ if (newSize > SIZE_MAX / 2) { + xmlBufMemoryError(buf, "growing buffer"); + return 0; + } +@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + } + break; + case XML_BUFFER_ALLOC_EXACT: +- newSize = size+10; ++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); + break; + case XML_BUFFER_ALLOC_HYBRID: + if (buf->use < BASE_BUFFER_SIZE) + newSize = size; + else { +- newSize = buf->size * 2; ++ newSize = buf->size; + while (size > newSize) { +- if (newSize > UINT_MAX / 2) { ++ if (newSize > SIZE_MAX / 2) { + xmlBufMemoryError(buf, "growing buffer"); + return 0; + } +@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size) + break; + + default: +- newSize = size+10; ++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10); + break; + } + +@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size) + */ + int + xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { +- unsigned int needSize; ++ size_t needSize; + + if ((str == NULL) || (buf == NULL) || (buf->error)) + return -1; +@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + if (len < 0) return -1; + if (len == 0) return 0; + +- needSize = buf->use + len + 2; +- if (needSize > buf->size){ ++ if ((size_t) len >= buf->size - buf->use) { ++ if ((size_t) len >= SIZE_MAX - buf->use) ++ return(-1); ++ needSize = buf->use + len + 1; + if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { + /* + * Used to provide parsing limits +@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) { + */ + int + xmlBufCCat(xmlBufPtr buf, const char *str) { +- const char *cur; +- +- if ((buf == NULL) || (buf->error)) +- return(-1); +- CHECK_COMPAT(buf) +- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1; +- if (str == NULL) { +-#ifdef DEBUG_BUFFER +- xmlGenericError(xmlGenericErrorContext, +- "xmlBufCCat: str == NULL\n"); +-#endif +- return -1; +- } +- for (cur = str;*cur != 0;cur++) { +- if (buf->use + 10 >= buf->size) { +- if (!xmlBufResize(buf, buf->use+10)){ +- xmlBufMemoryError(buf, "growing buffer"); +- return XML_ERR_NO_MEMORY; +- } +- } +- buf->content[buf->use++] = *cur; +- } +- buf->content[buf->use] = 0; +- UPDATE_COMPAT(buf) +- return 0; ++ return xmlBufCat(buf, (const xmlChar *) str); + } + + /** +diff --git a/tree.c b/tree.c +index 9d94aa42..86afb7d6 100644 +--- a/tree.c ++++ b/tree.c +@@ -7104,6 +7104,8 @@ xmlBufferPtr + xmlBufferCreateSize(size_t size) { + xmlBufferPtr ret; + ++ if (size >= UINT_MAX) ++ return(NULL); + ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer)); + if (ret == NULL) { + xmlTreeErrMemory("creating buffer"); +@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) { + } + ret->use = 0; + ret->alloc = xmlBufferAllocScheme; +- ret->size = (size ? size+2 : 0); /* +1 for ending null */ ++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */ + if (ret->size){ + ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar)); + if (ret->content == NULL) { +@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) { + + if ((mem == NULL) || (size == 0)) + return(NULL); ++ if (size > UINT_MAX) ++ return(NULL); + + ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer)); + if (ret == NULL) { +@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) { + */ + int + xmlBufferGrow(xmlBufferPtr buf, unsigned int len) { +- int size; ++ unsigned int size; + xmlChar *newbuf; + + if (buf == NULL) return(-1); + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); +- if (len + buf->use < buf->size) return(0); ++ if (len < buf->size - buf->use) ++ return(0); ++ if (len > UINT_MAX - buf->use) ++ return(-1); + +- /* +- * Windows has a BIG problem on realloc timing, so we try to double +- * the buffer size (if that's enough) (bug 146697) +- * Apparently BSD too, and it's probably best for linux too +- * On an embedded system this may be something to change +- */ +-#if 1 +- if (buf->size > len) +- size = buf->size * 2; +- else +- size = buf->use + len + 100; +-#else +- size = buf->use + len + 100; +-#endif ++ if (buf->size > (size_t) len) { ++ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2; ++ } else { ++ size = buf->use + len; ++ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100; ++ } + + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; +@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + case XML_BUFFER_ALLOC_IO: + case XML_BUFFER_ALLOC_DOUBLEIT: + /*take care of empty case*/ +- newSize = (buf->size ? buf->size : size + 10); ++ if (buf->size == 0) ++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10); ++ else ++ newSize = buf->size; + while (size > newSize) { + if (newSize > UINT_MAX / 2) { + xmlTreeErrMemory("growing buffer"); +@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + } + break; + case XML_BUFFER_ALLOC_EXACT: +- newSize = size+10; ++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);; + break; + case XML_BUFFER_ALLOC_HYBRID: + if (buf->use < BASE_BUFFER_SIZE) +@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size) + break; + + default: +- newSize = size+10; ++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);; + break; + } + +@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) { + if (len < 0) return -1; + if (len == 0) return 0; + +- needSize = buf->use + len + 2; +- if (needSize > buf->size){ ++ if ((unsigned) len >= buf->size - buf->use) { ++ if ((unsigned) len >= UINT_MAX - buf->use) ++ return XML_ERR_NO_MEMORY; ++ needSize = buf->use + len + 1; + if (!xmlBufferResize(buf, needSize)){ + xmlTreeErrMemory("growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) { + */ + int + xmlBufferCCat(xmlBufferPtr buf, const char *str) { +- const char *cur; +- +- if (buf == NULL) +- return(-1); +- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1; +- if (str == NULL) { +-#ifdef DEBUG_BUFFER +- xmlGenericError(xmlGenericErrorContext, +- "xmlBufferCCat: str == NULL\n"); +-#endif +- return -1; +- } +- for (cur = str;*cur != 0;cur++) { +- if (buf->use + 10 >= buf->size) { +- if (!xmlBufferResize(buf, buf->use+10)){ +- xmlTreeErrMemory("growing buffer"); +- return XML_ERR_NO_MEMORY; +- } +- } +- buf->content[buf->use++] = *cur; +- } +- buf->content[buf->use] = 0; +- return 0; ++ return xmlBufferCat(buf, (const xmlChar *) str); + } + + /** +-- +GitLab + diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend index d26a47f4cf..4011c87594 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend @@ -1,4 +1,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += "file://CVE-2022-23308-Use-after-free-of-ID-and-IDREF.patch \ + file://CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch new file mode 100644 index 0000000000..1cef2e8109 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch @@ -0,0 +1,65 @@ +From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001 +From: ankita prasad +Date: Tue, 12 Jul 2022 17:51:01 +0000 +Subject: [PATCH] Fix added to mitigate CVE-2022-29458 + +ncurses 6.3 before patch 20220416 has an out-of-bounds read +and segmentation violation in convert_strings in tinfo/read_entry.c +in the terminfo library. +The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605 +for the file tinfo/read_entry.c. + +Signed-off-by: Ankita Prasad +--- + ncurses/tinfo/read_entry.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c +index 5b570b0f..06c0c437 100644 +--- a/ncurses/tinfo/read_entry.c ++++ b/ncurses/tinfo/read_entry.c +@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + { + int i; + char *p; ++ bool corrupt = FALSE; + + for (i = 0; i < count; i++) { + if (IS_NEG1(buf + 2 * i)) { +@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table) + } else if (MyNumber(buf + 2 * i) > size) { + Strings[i] = ABSENT_STRING; + } else { +- Strings[i] = (MyNumber(buf + 2 * i) + table); +- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i]))); ++ int nn = MyNumber(buf + 2 * i); ++ if (nn >= 0 && nn < size) { ++ Strings[i] = (nn + table); ++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i, ++ _nc_visbuf(Strings[i]))); ++ } else { ++ if (!corrupt) { ++ corrupt = TRUE; ++ TR(TRACE_DATABASE, ++ ("ignore out-of-range index %d to Strings[]", nn)); ++ _nc_warning("corrupt data found in convert_strings"); ++ } ++ Strings[i] = ABSENT_STRING; ++ } + } + + /* make sure all strings are NUL terminated */ + if (VALID_STRING(Strings[i])) { +- for (p = Strings[i]; p <= table + size; p++) ++ for (p = Strings[i]; p < table + size; p++) + if (*p == '\0') + break; + /* if there is no NUL, ignore the string */ +- if (p > table + size) ++ if (p >= table + size) + Strings[i] = ABSENT_STRING; + } + } +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend index e60bd9a6b9..7f1ce36c2d 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend @@ -1,2 +1,4 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" -SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch" +SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch \ + file://0002-Fix-added-to-mitigate-CVE-2022-29458.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend index 6b7cc8a0de..262f557e0f 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend @@ -10,3 +10,7 @@ SRC_URI += "file://0002-Add-event-log-for-system-time-synchronization.patch \ PACKAGECONFIG:remove = "kmod" # Add systemd-logind service to get shutdown inhibition support PACKAGECONFIG:append = " logind" + +do_install:append() { + sed -i -e"s/Also=systemd-networkd-wait-online.service//g" ${D}${systemd_system_unitdir}/systemd-networkd.service +} diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch new file mode 100644 index 0000000000..dc84d3a1d3 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch @@ -0,0 +1,32 @@ +From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sat, 30 Jul 2022 15:51:11 -0700 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7be8c6366..7a7289749 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,9 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch new file mode 100644 index 0000000000..c5c95a92b2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch @@ -0,0 +1,29 @@ +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- + inflate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7a7289749..2a3c4fe98 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend index 09dea7c00b..482197c4f3 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend @@ -2,4 +2,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:" SRC_URI += " \ file://CVE-2018-25032.patch \ + file://CVE-2022-37434_1.patch \ + file://CVE-2022-37434_2.patch \ " diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch new file mode 100644 index 0000000000..aebd776d4c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch @@ -0,0 +1,82 @@ +From d58245421fec0ac212382164bd5cc0e881bc389f Mon Sep 17 00:00:00 2001 +From: Snehalatha Venkatesh +Date: Fri, 27 May 2022 04:23:21 +0000 +Subject: [PATCH] Firmware update fix for mis-aligned sectors + +Firmware update breaks due to mis-aligned calculations bug in +erase and write sector boundaries, which was corrupting the +next sectors though it wasn't part of erase bit-map (in case of +increased u-boot image size, its region update is corrupting the +neighbouring other fw region). This fix validates the erase and +write boundaries properly now and allows the erase of needed sectors. + +Tested: Tested firmware update on platform. + +Signed-off-by: Vikram Bodireddy +Signed-off-by: Snehalatha Venkatesh +Signed-off-by: Jayaprakash Mutyala +--- + pfr.hpp | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/pfr.hpp b/pfr.hpp +index 23a73b3..efe737a 100644 +--- a/pfr.hpp ++++ b/pfr.hpp +@@ -412,6 +412,7 @@ bool pfr_write(mtd& dev, const std::string& filename, + uint32_t wr_count = 1; + uint32_t er_count = 1; + uint32_t erase_end_addr = 0; ++ uint32_t write_end_addr = 0; + for (uint32_t blk = 0; blk < pbc_hdr->bitmap_size; blk += wr_count) + { + if ((blk % 8) == 0) +@@ -504,28 +505,37 @@ bool pfr_write(mtd& dev, const std::string& filename, + FWDEBUG("erase(" << std::hex << pfr_blk_size * blk << ", " + << pfr_blk_size * er_count + dev_offset << ")"); + dev.erase(pfr_blk_size * blk + dev_offset, pfr_blk_size * er_count); +- erase_end_addr = (pfr_blk_size * (blk + er_count)); ++ erase_end_addr = (pfr_blk_size * (blk + er_count)) - 1; ++ FWDEBUG("erase_end_addr: " << std::hex << erase_end_addr); + } + + if (copy) + { + cbspan data(offset, offset + pfr_blk_size * wr_count); +- // DUMP(PRINT_ERROR, data); +- FWDEBUG("write(" << std::hex << pfr_blk_size * blk << ", " +- << pfr_blk_size * wr_count << "), offset = 0x" +- << (offset - map_base) + dev_offset); ++ write_end_addr = (pfr_blk_size * (blk + wr_count)) - 1; ++ FWDEBUG("write_end_addr: " << std::hex << write_end_addr); ++ + // Check if current write address wasn't part of previous 64K sector + // erase. and erase it here. +- if (((pfr_blk_size * (blk + wr_count)) >= erase_end_addr) || +- ((pfr_blk_size * blk) >= erase_end_addr)) ++ if ((write_end_addr > erase_end_addr) || ++ ((pfr_blk_size * blk) > erase_end_addr)) + { + // Currently 4K erases are not working hence making it always + // 64K erase. + // TODO: Fix 4K erase issue and fix the below logic to do + // incremental 4K erases. +- dev.erase(erase_end_addr + dev_offset, pfr_blk_size * 16); ++ FWDEBUG("erase(" << std::hex ++ << (erase_end_addr + 1) + dev_offset << ", " ++ << pfr_blk_size * 16 << ")"); ++ ++ dev.erase((erase_end_addr + 1) + dev_offset, pfr_blk_size * 16); + erase_end_addr += pfr_blk_size * 16; ++ FWDEBUG("erase_end_addr: " << std::hex << erase_end_addr); + } ++ // DUMP(PRINT_ERROR, data); ++ FWDEBUG("write(" << std::hex << pfr_blk_size * blk << ", " ++ << pfr_blk_size * wr_count << "), offset = 0x" ++ << (offset - map_base) + dev_offset); + dev.write_raw(pfr_blk_size * blk + dev_offset, data); + + offset += pfr_blk_size * wr_count; +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch new file mode 100644 index 0000000000..1c5bc5843e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch @@ -0,0 +1,39 @@ +From 5606cfc0857dc6fe1071c14f6906d866048f6c18 Mon Sep 17 00:00:00 2001 +From: AkshayRav +Date: Thu, 28 Apr 2022 13:57:32 +0530 +Subject: [PATCH] Add fix for possible freeing of mismatched memory (#8) + +* Add fix for possible freeing of mismatched memory + +Memory referenced by "buf" was allocated through function +"new[]" and released through function "delete". The fix changes the +release function to "delete[]" to remove the possible freeing of +mismatched memory. + +Signed-off-by: AKSHAY RAVEENDRAN K +--- + mtd-util.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/mtd-util.cpp b/mtd-util.cpp +index 7f2f98d..d6136f0 100644 +--- a/mtd-util.cpp ++++ b/mtd-util.cpp +@@ -391,7 +391,7 @@ int main(int argc, char* argv[]) + { + std::cerr << "failed to parse '" << argv[optind] + << "' as integer" << std::endl; +- delete buf; ++ delete[] buf; + return 1; + } + optind++; +@@ -473,7 +473,7 @@ int main(int argc, char* argv[]) + break; + case ACTION_WRITE_TO_FLASH: + ret = buf_to_flash(dev, buf, start, len); +- delete buf; ++ delete[] buf; + break; + #endif /* DEVELOPER_OPTIONS */ + case ACTION_CP_TO_FILE: diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch new file mode 100644 index 0000000000..ca6402ed2d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch @@ -0,0 +1,224 @@ +From a3eba12b5c85add20a248bb95d1b9e884a1f6262 Mon Sep 17 00:00:00 2001 +From: Ankita Vilas Gawade +Date: Tue, 26 Jul 2022 20:22:10 +0000 +Subject: [PATCH] Fix Key Cancellation Update Capsule Flow + +In the current code flow, the block 1 component of key cancellation +capsule is not being mapped to the correct structure which results +in failure of key cancellation update as improper value would be picked up. + +This commit fixes the above issue by introducing an union, using which +the correct block 1 strcuture can be picked up depending on the type of +capsule. + +This commit also fixes the check on contents of cancellation payload and +corrects the payload length. + +Tested +1.Posted a key cancellation capsule to cancel CSK ID 2(For BMC and PFM) +2.Performed BMC Firmware update with the image signed with CSK ID 2. +3.Firmware Update failed succesfully implying CSK key being cancelled. + +Signed-off-by: Ankita Vilas Gawade +--- + pfr.cpp | 33 ++++++++++++++++----------------- + pfr.hpp | 27 +++++++++++++++++---------- + 2 files changed, 33 insertions(+), 27 deletions(-) + +diff --git a/pfr.cpp b/pfr.cpp +index 4ec9638..b74c166 100644 +--- a/pfr.cpp ++++ b/pfr.cpp +@@ -599,18 +599,18 @@ static bool is_block0_sig_entry_valid(uint32_t curve, const uint8_t* root_key_x, + * + * @return bool true if this Block 1 is valid; false, otherwise + */ +-static bool is_block1_valid(const blk0* b0, const blk1* b1, ++static bool is_block1_valid(const blk0* b0, const sig_blk1* sig, + bool is_key_cancellation_cert, bool check_root_key) + { + // Verify magic number +- if (b1->magic != blk1_magic) ++ if (sig->b1.magic != blk1_magic) + { + FWERROR("b1 magic invalid"); + return false; + } + + // Validate Block1 Root Entry +- const key_entry* root_entry = &b1->root_key; ++ const key_entry* root_entry = &sig->b1.root_key; + if (!is_root_entry_valid(root_entry, check_root_key)) + { + FWERROR("root_entry invalid"); +@@ -621,7 +621,7 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1, + { + // In the signature of the Key Cancellation Certificate, there's no CSK + // entry +- const block0_sig_entry* b0_entry = &b1->block0_sig; ++ const block0_sig_entry* b0_entry = &sig->cncl_b1.block0_sig; + + // Validate Block 0 Entry in Block 1 + return is_block0_sig_entry_valid(root_entry->curve, root_entry->key_x, +@@ -629,7 +629,7 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1, + } + + // Validate Block1 CSK Entry +- const csk_entry* csk = &b1->csk; ++ const csk_entry* csk = &sig->b1.csk; + if (!is_csk_entry_valid(root_entry, csk, b0->pc_type)) + { + FWERROR("csk_entry invalid"); +@@ -637,7 +637,7 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1, + } + + // Validate Block 0 Entry in Block 1 +- const block0_sig_entry* block0_sig = &b1->block0_sig; ++ const block0_sig_entry* block0_sig = &sig->b1.block0_sig; + if (is_block0_sig_entry_valid(root_entry->curve, csk->key.key_x, + csk->key.key_y, block0_sig, b0)) + { +@@ -657,23 +657,21 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1, + * @return uint32_t 1 if this key cancellation certificate is valid; 0, + * otherwise + */ +-static uint32_t is_key_can_cert_valid(const cancel_cert* cert) ++static uint32_t is_key_can_cert_valid(const cancel_payload* cert) + { + // Check for the 0s in the reserved field + // This reduces the degree of freedom for attackers +- const uint32_t* key_can_cert_reserved = cert->rsvd; +- for (uint32_t word_i = 0; word_i < cancel_pad_size / 4; word_i++) ++ const uint32_t* key_can_cert_reserved = cert->padding; ++ for (uint32_t word_i = 0; word_i < cancel_payload_pad_size; word_i++) + { + if (key_can_cert_reserved[word_i] != 0) + { + return 0; + } + } +- const cancel_payload* cancel = +- reinterpret_cast(cert + 1); + + // If the key ID is within 0-127 (inclusive), return 1 +- return cancel->csk_id <= pfr_max_key_id; ++ return cert->csk_id <= pfr_max_key_id; + } + + /** +@@ -692,11 +690,11 @@ static uint32_t is_key_can_cert_valid(const cancel_cert* cert) + static bool is_signature_valid(const b0b1_signature* sig, bool check_root_key) + { + const blk0* b0 = &sig->b0; +- const blk1* b1 = &sig->b1; + bool is_key_cancellation_cert = b0->pc_type & pfr_pc_type_cancel_cert; + + // Get pointer to protected content + const uint8_t* pc = reinterpret_cast(sig + 1); ++ + if (is_key_cancellation_cert) + { + // Check the size of the cancellation certificate +@@ -706,7 +704,7 @@ static bool is_signature_valid(const b0b1_signature* sig, bool check_root_key) + } + + // Validate the cancellation certificate content +- if (!is_key_can_cert_valid(reinterpret_cast(pc))) ++ if (!is_key_can_cert_valid(reinterpret_cast(pc))) + { + FWERROR("cancel cert invalid"); + return false; +@@ -717,7 +715,8 @@ static bool is_signature_valid(const b0b1_signature* sig, bool check_root_key) + if (is_block0_valid(b0, pc)) + { + // Validate block1 (contains the signature chain used to sign block0) +- if (is_block1_valid(b0, b1, is_key_cancellation_cert, check_root_key)) ++ if (is_block1_valid(b0, &sig->b1_sig, is_key_cancellation_cert, ++ check_root_key)) + { + return true; + } +@@ -753,7 +752,7 @@ static bool fvm_authenticate(const b0b1_signature* img_sig) + // but it is authenticated as follows: + const b0b1_signature* sig = img_sig + 1; + const blk0* b0 = &sig->b0; +- const blk1* b1 = &sig->b1; ++ const blk1* b1 = &sig->b1_sig.b1; + const uint8_t* pc = reinterpret_cast(sig + 1); + + if (!is_block0_valid(b0, pc)) +@@ -762,7 +761,7 @@ static bool fvm_authenticate(const b0b1_signature* img_sig) + return false; + } + // Validate block1 (contains the signature chain used to sign block0) +- if (!is_block1_valid(b0, b1, false, false)) ++ if (!is_block1_valid(b0, &sig->b1_sig, false, false)) + { + FWERROR("block1 failed authentication"); + return false; +diff --git a/pfr.hpp b/pfr.hpp +index efe737a..94b7e45 100644 +--- a/pfr.hpp ++++ b/pfr.hpp +@@ -62,7 +62,7 @@ constexpr size_t pfr_cpld_update_size = 1 * 1024 * 1024; // 1 MB + constexpr size_t pfr_pch_max_size = 24 * 1024 * 1024; // 24 MB + constexpr size_t pfr_bmc_max_size = 32 * 1024 * 1024; // 32 MB + constexpr size_t pfr_afm_max_size = 128 * 1024; // 128KB +-constexpr size_t pfr_cancel_cert_size = 8; ++constexpr size_t pfr_cancel_cert_size = 128; + constexpr uint32_t pfr_max_key_id = 127; + + constexpr uint32_t curve_secp256r1 = 0xc7b88c74; +@@ -179,14 +179,6 @@ struct blk1 + uint32_t rsvd[blk1_pad_size]; + } __attribute__((packed)); + +-struct b0b1_signature +-{ +- blk0 b0; +- blk1 b1; +-} __attribute__((packed)); +-static_assert(sizeof(b0b1_signature) == 1024, +- "block0 + block1 size is not 1024 bytes"); +- + constexpr size_t cancel_pad_size = 9; + struct cancel_cert + { +@@ -200,11 +192,12 @@ struct cancel_cert + + constexpr size_t cancel_sig_pad_size = + (blk0blk1_size - sizeof(cancel_cert) - sizeof(uint32_t) - +- sizeof(key_entry) - sizeof(block0_sig_entry)) / ++ (3 * sizeof(uint32_t)) - sizeof(key_entry) - sizeof(block0_sig_entry)) / + sizeof(uint32_t); + struct cancel_sig + { + uint32_t magic; ++ uint32_t pad[3]; + key_entry root_key; + block0_sig_entry block0_sig; + uint32_t rsvd[cancel_sig_pad_size]; +@@ -219,6 +212,20 @@ struct cancel_payload + uint32_t padding[cancel_payload_pad_size]; + } __attribute__((packed)); + ++union sig_blk1 ++{ ++ blk1 b1; ++ cancel_sig cncl_b1; ++}; ++ ++struct b0b1_signature ++{ ++ blk0 b0; ++ sig_blk1 b1_sig; ++} __attribute__((packed)); ++static_assert(sizeof(b0b1_signature) == 1024, ++ "block0 + block1 size is not 1024 bytes"); ++ + constexpr uint32_t pfm_magic = 0x02b3ce1d; + constexpr uint32_t afm_magic = 0x8883ce1d; + constexpr size_t pfm_block_size = 128; +-- +2.25.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb index c925c522d5..b3472d7658 100644 --- a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb +++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb @@ -8,6 +8,11 @@ SRC_URI = "git://git@github.com/Intel-BMC/mtd-util.git;protocol=ssh" PV = "1.0+git${SRCPV}" SRCREV = "708072b62a3cecb520eeaacac88b4f2c2e101fe4" +SRC_URI += " \ + file://0001-Firmware-update-fix-for-mis-aligned-sectors.patch \ + file://0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch \ + file://0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch \ + " S = "${WORKDIR}/git" diff --git a/meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb b/meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb new file mode 100644 index 0000000000..35977535aa --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb @@ -0,0 +1,91 @@ +SUMMARY = "Rotates, compresses, removes and mails system log files" +SECTION = "console/utils" +HOMEPAGE = "https://github.com/logrotate/logrotate/" +DESCRIPTION = "The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files." +LICENSE = "GPL-2.0-only" + +# TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox? + +DEPENDS="coreutils popt" + +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" + +UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases" +UPSTREAM_CHECK_REGEX = "logrotate-(?P\d+(\.\d+)+).tar" + +SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz" + +SRC_URI[sha256sum] = "742f6d6e18eceffa49a4bacd933686d3e42931cfccfb694d7f6369b704e5d094" + +# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used +CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" + +PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}" + +PACKAGECONFIG[acl] = ",,acl" +PACKAGECONFIG[selinux] = ",,libselinux" + +CONFFILES:${PN} += "${localstatedir}/lib/logrotate.status \ + ${sysconfdir}/logrotate.conf \ + ${sysconfdir}/logrotate.d/btmp \ + ${sysconfdir}/logrotate.d/wtmp" + +# If RPM_OPT_FLAGS is unset, it adds -g itself rather than obeying our +# optimization variables, so use it rather than EXTRA_CFLAGS. +EXTRA_OEMAKE = "\ + LFS= \ + OS_NAME='${OS_NAME}' \ + 'CC=${CC}' \ + 'RPM_OPT_FLAGS=${CFLAGS}' \ + 'EXTRA_LDFLAGS=${LDFLAGS}' \ + ${@bb.utils.contains('PACKAGECONFIG', 'acl', 'WITH_ACL=yes', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'selinux', 'WITH_SELINUX=yes', '', d)} \ +" + +# OS_NAME in the makefile defaults to `uname -s`. The behavior for +# freebsd/netbsd is questionable, so leave it as Linux, which only sets +# INSTALL=install and BASEDIR=/usr. +OS_NAME = "Linux" + +inherit autotools systemd + +SYSTEMD_SERVICE:${PN} = "\ + ${BPN}.service \ + ${BPN}.timer \ +" + +LOGROTATE_OPTIONS ?= "" + +LOGROTATE_SYSTEMD_TIMER_BASIS ?= "daily" +LOGROTATE_SYSTEMD_TIMER_ACCURACY ?= "12h" +LOGROTATE_SYSTEMD_TIMER_PERSISTENT ?= "true" + +do_install(){ + oe_runmake install DESTDIR=${D} PREFIX=${D} MANDIR=${mandir} + mkdir -p ${D}${sysconfdir}/logrotate.d + mkdir -p ${D}${localstatedir}/lib + install -p -m 644 ${S}/examples/logrotate.conf ${D}${sysconfdir}/logrotate.conf + install -p -m 644 ${S}/examples/btmp ${D}${sysconfdir}/logrotate.d/btmp + install -p -m 644 ${S}/examples/wtmp ${D}${sysconfdir}/logrotate.d/wtmp + touch ${D}${localstatedir}/lib/logrotate.status + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${S}/examples/logrotate.service ${D}${systemd_system_unitdir}/logrotate.service + install -m 0644 ${S}/examples/logrotate.timer ${D}${systemd_system_unitdir}/logrotate.timer + [ -z "${LOGROTATE_OPTIONS}" ] || + sed -ri \ + -e 's|(ExecStart=.*/logrotate.*)$|\1 ${LOGROTATE_OPTIONS}|g' \ + ${D}${systemd_system_unitdir}/logrotate.service + sed -ri \ + -e 's|(OnCalendar=).*$|\1${LOGROTATE_SYSTEMD_TIMER_BASIS}|g' \ + -e 's|(AccuracySec=).*$|\1${LOGROTATE_SYSTEMD_TIMER_ACCURACY}|g' \ + -e 's|(Persistent=).*$|\1${LOGROTATE_SYSTEMD_TIMER_PERSISTENT}|g' \ + ${D}${systemd_system_unitdir}/logrotate.timer + fi + + if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + mkdir -p ${D}${sysconfdir}/cron.daily + install -p -m 0755 ${S}/examples/logrotate.cron ${D}${sysconfdir}/cron.daily/logrotate + fi +} diff --git a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend index 36539fbdac..e795efe25c 100644 --- a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend @@ -6,4 +6,4 @@ SRC_URI += " \ " # Temporary pin to resolve build breaks -SRCREV="6adfe948ee55ffde8457047042d0d55aa3d8b4a7" +SRCREV="90fab6bb667460053cfc4587b58c987f74b1bf58" diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch new file mode 100644 index 0000000000..5e963a9894 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch @@ -0,0 +1,45 @@ +From 6eea4ace62fa6414432692ee44f0c0a3d541d97a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Dec 2021 19:02:15 +0100 +Subject: [PATCH] USB: gadget: zero allocate endpoint 0 buffers + +commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream. + +Under some conditions, USB gadget devices can show allocated buffer +contents to a host. Fix this up by zero-allocating them so that any +extra data will all just be zeros. + +Reported-by: Szymon Heidrich +Tested-by: Szymon Heidrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 2 +- + drivers/usb/gadget/legacy/dbgp.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 1ef7922b57b62e..284eea9f6e4d8d 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite, + if (!cdev->req) + return -ENOMEM; + +- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); ++ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL); + if (!cdev->req->buf) + goto fail; + +diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c +index e567afcb2794c0..355bc7dab9d5f6 100644 +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep) + goto fail_1; + } + +- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL); ++ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL); + if (!req->buf) { + err = -ENOMEM; + stp = 2; diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch new file mode 100644 index 0000000000..44337588ae --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch @@ -0,0 +1,93 @@ +From abd3a33b3f2bff26fa531da668b041bef980f238 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 14 Dec 2021 19:46:21 +0100 +Subject: [PATCH] USB: gadget: bRequestType is a bitfield, not a enum + +[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ] + +Szymon rightly pointed out that the previous check for the endpoint +direction in bRequestType was not looking at only the bit involved, but +rather the whole value. Normally this is ok, but for some request +types, bits other than bit 8 could be set and the check for the endpoint +length could not stall correctly. + +Fix that up by only checking the single bit. + +Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests") +Cc: Felipe Balbi +Reported-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/composite.c | 6 +++--- + drivers/usb/gadget/legacy/dbgp.c | 6 +++--- + drivers/usb/gadget/legacy/inode.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 284eea9f6e4d8d..3789c329183ca6 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u8 endp; + + if (w_length > USB_COMP_EP0_BUFSIZ) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- goto done; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); + w_length = USB_COMP_EP0_BUFSIZ; ++ } else { ++ goto done; + } + } + +diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c +index 355bc7dab9d5f6..6bcbad38258020 100644 +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget, + u16 len = 0; + + if (length > DBGP_REQ_LEN) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- return err; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(DBGP_REQ_LEN); + length = DBGP_REQ_LEN; ++ } else { ++ return err; + } + } + +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index 0a4041552ed193..1b223cba4c2c92 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -1337,14 +1337,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u16 w_length = le16_to_cpu(ctrl->wLength); + + if (w_length > RBUF_SIZE) { +- if (ctrl->bRequestType == USB_DIR_OUT) { +- return value; +- } else { ++ if (ctrl->bRequestType & USB_DIR_IN) { + /* Cast away the const, we are going to overwrite on purpose. */ + __le16 *temp = (__le16 *)&ctrl->wLength; + + *temp = cpu_to_le16(RBUF_SIZE); + w_length = RBUF_SIZE; ++ } else { ++ return value; + } + } + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch new file mode 100644 index 0000000000..f94ac946bf --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch @@ -0,0 +1,108 @@ +From 36dfdf11af49d3c009c711fb16f5c6e7a274505d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Dec 2021 18:59:27 +0100 +Subject: [PATCH] USB: gadget: detect too-big endpoint 0 requests + +commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream. + +Sometimes USB hosts can ask for buffers that are too large from endpoint +0, which should not be allowed. If this happens for OUT requests, stall +the endpoint, but for IN requests, trim the request size to the endpoint +buffer size. + +Co-developed-by: Szymon Heidrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 12 ++++++++++++ + drivers/usb/gadget/legacy/dbgp.c | 13 +++++++++++++ + drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++- + 3 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c +index 504c1cbc255d14..1ef7922b57b62e 100644 +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1679,6 +1679,18 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + struct usb_function *f = NULL; + u8 endp; + ++ if (w_length > USB_COMP_EP0_BUFSIZ) { ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ goto done; ++ } else { ++ /* Cast away the const, we are going to overwrite on purpose. */ ++ __le16 *temp = (__le16 *)&ctrl->wLength; ++ ++ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ); ++ w_length = USB_COMP_EP0_BUFSIZ; ++ } ++ } ++ + /* partial re-init of the response message; the function or the + * gadget might need to intercept e.g. a control-OUT completion + * when we delegate to it. +diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c +index e1d566c9918ae5..e567afcb2794c0 100644 +--- a/drivers/usb/gadget/legacy/dbgp.c ++++ b/drivers/usb/gadget/legacy/dbgp.c +@@ -345,6 +345,19 @@ static int dbgp_setup(struct usb_gadget *gadget, + void *data = NULL; + u16 len = 0; + ++ if (length > DBGP_REQ_LEN) { ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ return err; ++ } else { ++ /* Cast away the const, we are going to overwrite on purpose. */ ++ __le16 *temp = (__le16 *)&ctrl->wLength; ++ ++ *temp = cpu_to_le16(DBGP_REQ_LEN); ++ length = DBGP_REQ_LEN; ++ } ++ } ++ ++ + if (request == USB_REQ_GET_DESCRIPTOR) { + switch (value>>8) { + case USB_DT_DEVICE: +diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c +index 539220d7f5b620..0a4041552ed193 100644 +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -110,6 +110,8 @@ enum ep0_state { + /* enough for the whole queue: most events invalidate others */ + #define N_EVENT 5 + ++#define RBUF_SIZE 256 ++ + struct dev_data { + spinlock_t lock; + refcount_t count; +@@ -144,7 +146,7 @@ struct dev_data { + struct dentry *dentry; + + /* except this scratch i/o buffer for ep0 */ +- u8 rbuf [256]; ++ u8 rbuf[RBUF_SIZE]; + }; + + static inline void get_dev (struct dev_data *data) +@@ -1334,6 +1336,18 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl) + u16 w_value = le16_to_cpu(ctrl->wValue); + u16 w_length = le16_to_cpu(ctrl->wLength); + ++ if (w_length > RBUF_SIZE) { ++ if (ctrl->bRequestType == USB_DIR_OUT) { ++ return value; ++ } else { ++ /* Cast away the const, we are going to overwrite on purpose. */ ++ __le16 *temp = (__le16 *)&ctrl->wLength; ++ ++ *temp = cpu_to_le16(RBUF_SIZE); ++ w_length = RBUF_SIZE; ++ } ++ } ++ + spin_lock (&dev->lock); + dev->setup_abort = 0; + if (dev->state == STATE_DEV_UNCONNECTED) { diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch new file mode 100644 index 0000000000..444fb10354 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch @@ -0,0 +1,47 @@ +From 8d6760fd5d1604df29dd7651033167ef99a7698d Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 8 Dec 2021 17:04:53 -0800 +Subject: [PATCH] signalfd: use wake_up_pollfree() + +commit 9537bae0da1f8d1e2361ab6d0479e8af7824e160 upstream. + +wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up +all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll +and aio poll are fortunately not affected by this, but it's very +fragile. Thus, the new function wake_up_pollfree() has been introduced. + +Convert signalfd to use wake_up_pollfree(). + +Reported-by: Linus Torvalds +Fixes: d80e731ecab4 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211209010455.42744-4-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + fs/signalfd.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/fs/signalfd.c b/fs/signalfd.c +index 040e1cf9052826..65ce0e72e7b958 100644 +--- a/fs/signalfd.c ++++ b/fs/signalfd.c +@@ -35,17 +35,7 @@ + + void signalfd_cleanup(struct sighand_struct *sighand) + { +- wait_queue_head_t *wqh = &sighand->signalfd_wqh; +- /* +- * The lockless check can race with remove_wait_queue() in progress, +- * but in this case its caller should run under rcu_read_lock() and +- * sighand_cachep is SLAB_TYPESAFE_BY_RCU, we can safely return. +- */ +- if (likely(!waitqueue_active(wqh))) +- return; +- +- /* wait_queue_entry_t->func(POLLFREE) should do remove_wait_queue() */ +- wake_up_poll(wqh, EPOLLHUP | POLLFREE); ++ wake_up_pollfree(&sighand->signalfd_wqh); + } + + struct signalfd_ctx { diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch new file mode 100644 index 0000000000..9a72505667 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch @@ -0,0 +1,107 @@ +From 1ebb6cd8c754bfe1a5f9539027980756bce7cb08 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 8 Dec 2021 17:04:51 -0800 +Subject: [PATCH] wait: add wake_up_pollfree() + +commit 42288cb44c4b5fff7653bc392b583a2b8bd6a8c0 upstream. + +Several ->poll() implementations are special in that they use a +waitqueue whose lifetime is the current task, rather than the struct +file as is normally the case. This is okay for blocking polls, since a +blocking poll occurs within one task; however, non-blocking polls +require another solution. This solution is for the queue to be cleared +before it is freed, using 'wake_up_poll(wq, EPOLLHUP | POLLFREE);'. + +However, that has a bug: wake_up_poll() calls __wake_up() with +nr_exclusive=1. Therefore, if there are multiple "exclusive" waiters, +and the wakeup function for the first one returns a positive value, only +that one will be called. That's *not* what's needed for POLLFREE; +POLLFREE is special in that it really needs to wake up everyone. + +Considering the three non-blocking poll systems: + +- io_uring poll doesn't handle POLLFREE at all, so it is broken anyway. + +- aio poll is unaffected, since it doesn't support exclusive waits. + However, that's fragile, as someone could add this feature later. + +- epoll doesn't appear to be broken by this, since its wakeup function + returns 0 when it sees POLLFREE. But this is fragile. + +Although there is a workaround (see epoll), it's better to define a +function which always sends POLLFREE to all waiters. Add such a +function. Also make it verify that the queue really becomes empty after +all waiters have been woken up. + +Reported-by: Linus Torvalds +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211209010455.42744-2-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/wait.h | 26 ++++++++++++++++++++++++++ + kernel/sched/wait.c | 7 +++++++ + 2 files changed, 33 insertions(+) + +diff --git a/include/linux/wait.h b/include/linux/wait.h +index 93dab0e9580f8d..d22cf2985b8fd6 100644 +--- a/include/linux/wait.h ++++ b/include/linux/wait.h +@@ -217,6 +217,7 @@ void __wake_up_sync_key(struct wait_queue_head *wq_head, unsigned int mode, void + void __wake_up_locked_sync_key(struct wait_queue_head *wq_head, unsigned int mode, void *key); + void __wake_up_locked(struct wait_queue_head *wq_head, unsigned int mode, int nr); + void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode); ++void __wake_up_pollfree(struct wait_queue_head *wq_head); + + #define wake_up(x) __wake_up(x, TASK_NORMAL, 1, NULL) + #define wake_up_nr(x, nr) __wake_up(x, TASK_NORMAL, nr, NULL) +@@ -245,6 +246,31 @@ void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode); + #define wake_up_interruptible_sync_poll_locked(x, m) \ + __wake_up_locked_sync_key((x), TASK_INTERRUPTIBLE, poll_to_key(m)) + ++/** ++ * wake_up_pollfree - signal that a polled waitqueue is going away ++ * @wq_head: the wait queue head ++ * ++ * In the very rare cases where a ->poll() implementation uses a waitqueue whose ++ * lifetime is tied to a task rather than to the 'struct file' being polled, ++ * this function must be called before the waitqueue is freed so that ++ * non-blocking polls (e.g. epoll) are notified that the queue is going away. ++ * ++ * The caller must also RCU-delay the freeing of the wait_queue_head, e.g. via ++ * an explicit synchronize_rcu() or call_rcu(), or via SLAB_TYPESAFE_BY_RCU. ++ */ ++static inline void wake_up_pollfree(struct wait_queue_head *wq_head) ++{ ++ /* ++ * For performance reasons, we don't always take the queue lock here. ++ * Therefore, we might race with someone removing the last entry from ++ * the queue, and proceed while they still hold the queue lock. ++ * However, rcu_read_lock() is required to be held in such cases, so we ++ * can safely proceed with an RCU-delayed free. ++ */ ++ if (waitqueue_active(wq_head)) ++ __wake_up_pollfree(wq_head); ++} ++ + #define ___wait_cond_timeout(condition) \ + ({ \ + bool __cond = (condition); \ +diff --git a/kernel/sched/wait.c b/kernel/sched/wait.c +index 76577d1642a5dc..eca38107b32f16 100644 +--- a/kernel/sched/wait.c ++++ b/kernel/sched/wait.c +@@ -238,6 +238,13 @@ void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode) + } + EXPORT_SYMBOL_GPL(__wake_up_sync); /* For internal use only */ + ++void __wake_up_pollfree(struct wait_queue_head *wq_head) ++{ ++ __wake_up(wq_head, TASK_NORMAL, 0, poll_to_key(EPOLLHUP | POLLFREE)); ++ /* POLLFREE must have cleared the queue. */ ++ WARN_ON_ONCE(waitqueue_active(wq_head)); ++} ++ + /* + * Note: we use "set_current_state()" _after_ the wait-queue add, + * because we need a memory barrier there on SMP, so that any diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch new file mode 100644 index 0000000000..233085359c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch @@ -0,0 +1,64 @@ +From 6fe4eadd54da3040cf6f6579ae157ae1395dc0f8 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Wed, 1 Dec 2021 10:06:14 -0800 +Subject: [PATCH] fget: check that the fd still exists after getting a ref to + it + +commit 054aa8d439b9185d4f5eb9a90282d1ce74772969 upstream. + +Jann Horn points out that there is another possible race wrt Unix domain +socket garbage collection, somewhat reminiscent of the one fixed in +commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK"). + +See the extended comment about the garbage collection requirements added +to unix_peek_fds() by that commit for details. + +The race comes from how we can locklessly look up a file descriptor just +as it is in the process of being closed, and with the right artificial +timing (Jann added a few strategic 'mdelay(500)' calls to do that), the +Unix domain socket garbage collector could see the reference count +decrement of the close() happen before fget() took its reference to the +file and the file was attached onto a new file descriptor. + +This is all (intentionally) correct on the 'struct file *' side, with +RCU lookups and lockless reference counting very much part of the +design. Getting that reference count out of order isn't a problem per +se. + +But the garbage collector can get confused by seeing this situation of +having seen a file not having any remaining external references and then +seeing it being attached to an fd. + +In commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK") the +fix was to serialize the file descriptor install with the garbage +collector by taking and releasing the unix_gc_lock. + +That's not really an option here, but since this all happens when we are +in the process of looking up a file descriptor, we can instead simply +just re-check that the file hasn't been closed in the meantime, and just +re-do the lookup if we raced with a concurrent close() of the same file +descriptor. + +Reported-and-tested-by: Jann Horn +Acked-by: Miklos Szeredi +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/file.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/file.c b/fs/file.c +index 8627dacfc4246f..ad4a8bf3cf109f 100644 +--- a/fs/file.c ++++ b/fs/file.c +@@ -858,6 +858,10 @@ static struct file *__fget_files(struct files_struct *files, unsigned int fd, + file = NULL; + else if (!get_file_rcu_many(file, refs)) + goto loop; ++ else if (files_lookup_fd_raw(files, fd) != file) { ++ fput_many(file, refs); ++ goto loop; ++ } + } + rcu_read_unlock(); + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch new file mode 100644 index 0000000000..68e56b224c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch @@ -0,0 +1,335 @@ +From eee9254fe110ed2cb4593abb6eceb3a72cb92fe9 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Tue, 29 Mar 2022 16:20:06 -0300 +Subject: [PATCH] cifs: fix NULL ptr dereference in smb2_ioctl_query_info() + +commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream. + +When calling smb2_ioctl_query_info() with invalid +smb_query_info::flags, a NULL ptr dereference is triggered when trying +to kfree() uninitialised rqst[n].rq_iov array. + +This also fixes leaked paths that are created in SMB2_open_init() +which required SMB2_open_free() to properly free them. + +Here is a small C reproducer that triggers it + + #include + #include + #include + #include + #include + #include + + #define die(s) perror(s), exit(1) + #define QUERY_INFO 0xc018cf07 + + int main(int argc, char *argv[]) + { + int fd; + + if (argc < 2) + exit(1); + fd = open(argv[1], O_RDONLY); + if (fd == -1) + die("open"); + if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1) + die("ioctl"); + close(fd); + return 0; + } + + mount.cifs //srv/share /mnt -o ... + gcc repro.c && ./a.out /mnt/f0 + + [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4 + [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI + [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2 + [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014 + [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs] + [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48 + [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256 + [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d + [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0 + [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003 + [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800 + [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8 + [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000 + [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0 + [ 1832.132801] Call Trace: + [ 1832.132962] + [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs] + [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs] + [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs] + [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0 + [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs] + [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs] + [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs] + [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0 + [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs] + [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70 + [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0 + [ 1832.137096] ? __up_read+0x192/0x710 + [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0 + [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0 + [ 1832.137850] __x64_sys_ioctl+0x127/0x190 + [ 1832.138103] do_syscall_64+0x3b/0x90 + [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae + [ 1832.138702] RIP: 0033:0x7fcee9a253df + [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 + [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df + [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003 + [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e + [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48 + [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000 + [ 1832.142851] + [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs] + +Cc: stable@vger.kernel.org +Signed-off-by: Paulo Alcantara (SUSE) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 130 +++++++++++++++++++++++++--------------------- + 1 file changed, 70 insertions(+), 60 deletions(-) + +diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c +index bda606dc72b1..db3ead52ec7c 100644 +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1631,6 +1631,7 @@ smb2_ioctl_query_info(const unsigned int xid, + unsigned int size[2]; + void *data[2]; + int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR; ++ void (*free_req1_func)(struct smb_rqst *r); + + vars = kzalloc(sizeof(*vars), GFP_ATOMIC); + if (vars == NULL) +@@ -1640,27 +1641,29 @@ smb2_ioctl_query_info(const unsigned int xid, + + resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER; + +- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) +- goto e_fault; +- ++ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) { ++ rc = -EFAULT; ++ goto free_vars; ++ } + if (qi.output_buffer_length > 1024) { +- kfree(vars); +- return -EINVAL; ++ rc = -EINVAL; ++ goto free_vars; + } + + if (!ses || !server) { +- kfree(vars); +- return -EIO; ++ rc = -EIO; ++ goto free_vars; + } + + if (smb3_encryption_required(tcon)) + flags |= CIFS_TRANSFORM_REQ; + +- buffer = memdup_user(arg + sizeof(struct smb_query_info), +- qi.output_buffer_length); +- if (IS_ERR(buffer)) { +- kfree(vars); +- return PTR_ERR(buffer); ++ if (qi.output_buffer_length) { ++ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length); ++ if (IS_ERR(buffer)) { ++ rc = PTR_ERR(buffer); ++ goto free_vars; ++ } + } + + /* Open */ +@@ -1698,45 +1701,45 @@ smb2_ioctl_query_info(const unsigned int xid, + rc = SMB2_open_init(tcon, server, + &rqst[0], &oplock, &oparms, path); + if (rc) +- goto iqinf_exit; ++ goto free_output_buffer; + smb2_set_next_command(tcon, &rqst[0]); + + /* Query */ + if (qi.flags & PASSTHRU_FSCTL) { + /* Can eventually relax perm check since server enforces too */ +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) { + rc = -EPERM; +- else { +- rqst[1].rq_iov = &vars->io_iov[0]; +- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE; +- +- rc = SMB2_ioctl_init(tcon, server, +- &rqst[1], +- COMPOUND_FID, COMPOUND_FID, +- qi.info_type, true, buffer, +- qi.output_buffer_length, +- CIFSMaxBufSize - +- MAX_SMB2_CREATE_RESPONSE_SIZE - +- MAX_SMB2_CLOSE_RESPONSE_SIZE); ++ goto free_open_req; + } ++ rqst[1].rq_iov = &vars->io_iov[0]; ++ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE; ++ ++ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID, ++ qi.info_type, true, buffer, qi.output_buffer_length, ++ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE - ++ MAX_SMB2_CLOSE_RESPONSE_SIZE); ++ free_req1_func = SMB2_ioctl_free; + } else if (qi.flags == PASSTHRU_SET_INFO) { + /* Can eventually relax perm check since server enforces too */ +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN)) { + rc = -EPERM; +- else { +- rqst[1].rq_iov = &vars->si_iov[0]; +- rqst[1].rq_nvec = 1; +- +- size[0] = 8; +- data[0] = buffer; +- +- rc = SMB2_set_info_init(tcon, server, +- &rqst[1], +- COMPOUND_FID, COMPOUND_FID, +- current->tgid, +- FILE_END_OF_FILE_INFORMATION, +- SMB2_O_INFO_FILE, 0, data, size); ++ goto free_open_req; + } ++ if (qi.output_buffer_length < 8) { ++ rc = -EINVAL; ++ goto free_open_req; ++ } ++ rqst[1].rq_iov = &vars->si_iov[0]; ++ rqst[1].rq_nvec = 1; ++ ++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */ ++ size[0] = 8; ++ data[0] = buffer; ++ ++ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID, ++ current->tgid, FILE_END_OF_FILE_INFORMATION, ++ SMB2_O_INFO_FILE, 0, data, size); ++ free_req1_func = SMB2_set_info_free; + } else if (qi.flags == PASSTHRU_QUERY_INFO) { + rqst[1].rq_iov = &vars->qi_iov[0]; + rqst[1].rq_nvec = 1; +@@ -1747,6 +1750,7 @@ smb2_ioctl_query_info(const unsigned int xid, + qi.info_type, qi.additional_information, + qi.input_buffer_length, + qi.output_buffer_length, buffer); ++ free_req1_func = SMB2_query_info_free; + } else { /* unknown flags */ + cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n", + qi.flags); +@@ -1754,7 +1758,7 @@ smb2_ioctl_query_info(const unsigned int xid, + } + + if (rc) +- goto iqinf_exit; ++ goto free_open_req; + smb2_set_next_command(tcon, &rqst[1]); + smb2_set_related(&rqst[1]); + +@@ -1765,14 +1769,14 @@ smb2_ioctl_query_info(const unsigned int xid, + rc = SMB2_close_init(tcon, server, + &rqst[2], COMPOUND_FID, COMPOUND_FID, false); + if (rc) +- goto iqinf_exit; ++ goto free_req_1; + smb2_set_related(&rqst[2]); + + rc = compound_send_recv(xid, ses, server, + flags, 3, rqst, + resp_buftype, rsp_iov); + if (rc) +- goto iqinf_exit; ++ goto out; + + /* No need to bump num_remote_opens since handle immediately closed */ + if (qi.flags & PASSTHRU_FSCTL) { +@@ -1782,18 +1786,22 @@ smb2_ioctl_query_info(const unsigned int xid, + qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount); + if (qi.input_buffer_length > 0 && + le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length +- > rsp_iov[1].iov_len) +- goto e_fault; ++ > rsp_iov[1].iov_len) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) +- goto e_fault; ++ sizeof(qi.input_buffer_length))) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info), + (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset), + qi.input_buffer_length)) +- goto e_fault; ++ rc = -EFAULT; + } else { + pqi = (struct smb_query_info __user *)arg; + qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base; +@@ -1801,28 +1809,30 @@ smb2_ioctl_query_info(const unsigned int xid, + qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength); + if (copy_to_user(&pqi->input_buffer_length, + &qi.input_buffer_length, +- sizeof(qi.input_buffer_length))) +- goto e_fault; ++ sizeof(qi.input_buffer_length))) { ++ rc = -EFAULT; ++ goto out; ++ } + + if (copy_to_user(pqi + 1, qi_rsp->Buffer, + qi.input_buffer_length)) +- goto e_fault; ++ rc = -EFAULT; + } + +- iqinf_exit: +- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base); +- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base); +- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base); ++out: + free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base); + free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base); + free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base); +- kfree(vars); ++ SMB2_close_free(&rqst[2]); ++free_req_1: ++ free_req1_func(&rqst[1]); ++free_open_req: ++ SMB2_open_free(&rqst[0]); ++free_output_buffer: + kfree(buffer); ++free_vars: ++ kfree(vars); + return rc; +- +-e_fault: +- rc = -EFAULT; +- goto iqinf_exit; + } + + static ssize_t +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch new file mode 100644 index 0000000000..3a8831e60d --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch @@ -0,0 +1,146 @@ +From 1a8ee547da2b64d6a2aedbd38a691578eff14718 Mon Sep 17 00:00:00 2001 +From: Willy Tarreau +Date: Mon, 2 May 2022 10:46:08 +0200 +Subject: [PATCH] secure_seq: use the 64 bits of the siphash for port offset + calculation + +[ Upstream commit b2d057560b8107c633b39aabe517ff9d93f285e3 ] + +SipHash replaced MD5 in secure_ipv{4,6}_port_ephemeral() via commit +7cd23e5300c1 ("secure_seq: use SipHash in place of MD5"), but the output +remained truncated to 32-bit only. In order to exploit more bits from the +hash, let's make the functions return the full 64-bit of siphash_3u32(). +We also make sure the port offset calculation in __inet_hash_connect() +remains done on 32-bit to avoid the need for div_u64_rem() and an extra +cost on 32-bit systems. + +Cc: Jason A. Donenfeld +Cc: Moshe Kol +Cc: Yossi Gilad +Cc: Amit Klein +Reviewed-by: Eric Dumazet +Signed-off-by: Willy Tarreau +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/inet_hashtables.h | 2 +- + include/net/secure_seq.h | 4 ++-- + net/core/secure_seq.c | 4 ++-- + net/ipv4/inet_hashtables.c | 10 ++++++---- + net/ipv6/inet6_hashtables.c | 4 ++-- + 5 files changed, 13 insertions(+), 11 deletions(-) + +diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h +index f72ec113ae568a..98e1ec1a14f038 100644 +--- a/include/net/inet_hashtables.h ++++ b/include/net/inet_hashtables.h +@@ -425,7 +425,7 @@ static inline void sk_rcv_saddr_set(struct sock *sk, __be32 addr) + } + + int __inet_hash_connect(struct inet_timewait_death_row *death_row, +- struct sock *sk, u32 port_offset, ++ struct sock *sk, u64 port_offset, + int (*check_established)(struct inet_timewait_death_row *, + struct sock *, __u16, + struct inet_timewait_sock **)); +diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h +index d7d2495f83c27c..dac91aa38c5af3 100644 +--- a/include/net/secure_seq.h ++++ b/include/net/secure_seq.h +@@ -4,8 +4,8 @@ + + #include + +-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport); +-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, ++u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport); ++u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, + __be16 dport); + u32 secure_tcp_seq(__be32 saddr, __be32 daddr, + __be16 sport, __be16 dport); +diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c +index b5bc680d475536..444cce0184c372 100644 +--- a/net/core/secure_seq.c ++++ b/net/core/secure_seq.c +@@ -94,7 +94,7 @@ u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr, + } + EXPORT_SYMBOL(secure_tcpv6_seq); + +-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, ++u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, + __be16 dport) + { + const struct { +@@ -142,7 +142,7 @@ u32 secure_tcp_seq(__be32 saddr, __be32 daddr, + } + EXPORT_SYMBOL_GPL(secure_tcp_seq); + +-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) ++u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport) + { + net_secret_init(); + return siphash_3u32((__force u32)saddr, (__force u32)daddr, +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 7bd1e10086f0a4..606a4220ebb9d4 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -504,7 +504,7 @@ static int __inet_check_established(struct inet_timewait_death_row *death_row, + return -EADDRNOTAVAIL; + } + +-static u32 inet_sk_port_offset(const struct sock *sk) ++static u64 inet_sk_port_offset(const struct sock *sk) + { + const struct inet_sock *inet = inet_sk(sk); + +@@ -734,7 +734,7 @@ EXPORT_SYMBOL_GPL(inet_unhash); + static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT]; + + int __inet_hash_connect(struct inet_timewait_death_row *death_row, +- struct sock *sk, u32 port_offset, ++ struct sock *sk, u64 port_offset, + int (*check_established)(struct inet_timewait_death_row *, + struct sock *, __u16, struct inet_timewait_sock **)) + { +@@ -777,7 +777,9 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + net_get_random_once(table_perturb, sizeof(table_perturb)); + index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT); + +- offset = (READ_ONCE(table_perturb[index]) + port_offset) % remaining; ++ offset = READ_ONCE(table_perturb[index]) + port_offset; ++ offset %= remaining; ++ + /* In first pass we try ports of @low parity. + * inet_csk_get_port() does the opposite choice. + */ +@@ -859,7 +861,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + int inet_hash_connect(struct inet_timewait_death_row *death_row, + struct sock *sk) + { +- u32 port_offset = 0; ++ u64 port_offset = 0; + + if (!inet_sk(sk)->inet_num) + port_offset = inet_sk_port_offset(sk); +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c +index 0a2e7f22839110..40203255ed88b9 100644 +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -308,7 +308,7 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row, + return -EADDRNOTAVAIL; + } + +-static u32 inet6_sk_port_offset(const struct sock *sk) ++static u64 inet6_sk_port_offset(const struct sock *sk) + { + const struct inet_sock *inet = inet_sk(sk); + +@@ -320,7 +320,7 @@ static u32 inet6_sk_port_offset(const struct sock *sk) + int inet6_hash_connect(struct inet_timewait_death_row *death_row, + struct sock *sk) + { +- u32 port_offset = 0; ++ u64 port_offset = 0; + + if (!inet_sk(sk)->inet_num) + port_offset = inet6_sk_port_offset(sk); diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch new file mode 100644 index 0000000000..b08f7e043a --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch @@ -0,0 +1,81 @@ +From 3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 18 May 2022 11:33:29 +0200 +Subject: [PATCH] ext4: avoid cycles in directory h-tree + +commit 3ba733f879c2a88910744647e41edeefbc0d92b2 upstream. + +A maliciously corrupted filesystem can contain cycles in the h-tree +stored inside a directory. That can easily lead to the kernel corrupting +tree nodes that were already verified under its hands while doing a node +split and consequently accessing unallocated memory. Fix the problem by +verifying traversed block numbers are unique. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220518093332.13986-2-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 22 +++++++++++++++++++--- + 1 file changed, 19 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 1deeaf56645130..7c286cd9fe0304 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -777,12 +777,14 @@ static struct dx_frame * + dx_probe(struct ext4_filename *fname, struct inode *dir, + struct dx_hash_info *hinfo, struct dx_frame *frame_in) + { +- unsigned count, indirect; ++ unsigned count, indirect, level, i; + struct dx_entry *at, *entries, *p, *q, *m; + struct dx_root *root; + struct dx_frame *frame = frame_in; + struct dx_frame *ret_err = ERR_PTR(ERR_BAD_DX_DIR); + u32 hash; ++ ext4_lblk_t block; ++ ext4_lblk_t blocks[EXT4_HTREE_LEVEL]; + + memset(frame_in, 0, EXT4_HTREE_LEVEL * sizeof(frame_in[0])); + frame->bh = ext4_read_dirblock(dir, 0, INDEX); +@@ -854,6 +856,8 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, + } + + dxtrace(printk("Look up %x", hash)); ++ level = 0; ++ blocks[0] = 0; + while (1) { + count = dx_get_count(entries); + if (!count || count > dx_get_limit(entries)) { +@@ -882,15 +886,27 @@ dx_probe(struct ext4_filename *fname, struct inode *dir, + dx_get_block(at))); + frame->entries = entries; + frame->at = at; +- if (!indirect--) ++ ++ block = dx_get_block(at); ++ for (i = 0; i <= level; i++) { ++ if (blocks[i] == block) { ++ ext4_warning_inode(dir, ++ "dx entry: tree cycle block %u points back to block %u", ++ blocks[level], block); ++ goto fail; ++ } ++ } ++ if (++level > indirect) + return frame; ++ blocks[level] = block; + frame++; +- frame->bh = ext4_read_dirblock(dir, dx_get_block(at), INDEX); ++ frame->bh = ext4_read_dirblock(dir, block, INDEX); + if (IS_ERR(frame->bh)) { + ret_err = (struct dx_frame *) frame->bh; + frame->bh = NULL; + goto fail; + } ++ + entries = ((struct dx_node *) frame->bh->b_data)->entries; + + if (dx_get_limit(entries) != dx_node_limit(dir)) { diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch new file mode 100644 index 0000000000..753272b2a3 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch @@ -0,0 +1,88 @@ +From ca17db384762be0ec38373a12460081d22a8b42d Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 18 May 2022 11:33:28 +0200 +Subject: [PATCH] ext4: verify dir block before splitting it + +commit 46c116b920ebec58031f0a78c5ea9599b0d2a371 upstream. + +Before splitting a directory block verify its directory entries are sane +so that the splitting code does not access memory it should not. + +Cc: stable@vger.kernel.org +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220518093332.13986-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/namei.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c +index 7f8abd77bc0f79..1deeaf56645130 100644 +--- a/fs/ext4/namei.c ++++ b/fs/ext4/namei.c +@@ -277,9 +277,9 @@ static struct dx_frame *dx_probe(struct ext4_filename *fname, + struct dx_hash_info *hinfo, + struct dx_frame *frame); + static void dx_release(struct dx_frame *frames); +-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, +- unsigned blocksize, struct dx_hash_info *hinfo, +- struct dx_map_entry map[]); ++static int dx_make_map(struct inode *dir, struct buffer_head *bh, ++ struct dx_hash_info *hinfo, ++ struct dx_map_entry *map_tail); + static void dx_sort_map(struct dx_map_entry *map, unsigned count); + static struct ext4_dir_entry_2 *dx_move_dirents(struct inode *dir, char *from, + char *to, struct dx_map_entry *offsets, +@@ -1249,15 +1249,23 @@ static inline int search_dirblock(struct buffer_head *bh, + * Create map of hash values, offsets, and sizes, stored at end of block. + * Returns number of entries mapped. + */ +-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, +- unsigned blocksize, struct dx_hash_info *hinfo, ++static int dx_make_map(struct inode *dir, struct buffer_head *bh, ++ struct dx_hash_info *hinfo, + struct dx_map_entry *map_tail) + { + int count = 0; +- char *base = (char *) de; ++ struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)bh->b_data; ++ unsigned int buflen = bh->b_size; ++ char *base = bh->b_data; + struct dx_hash_info h = *hinfo; + +- while ((char *) de < base + blocksize) { ++ if (ext4_has_metadata_csum(dir->i_sb)) ++ buflen -= sizeof(struct ext4_dir_entry_tail); ++ ++ while ((char *) de < base + buflen) { ++ if (ext4_check_dir_entry(dir, NULL, de, bh, base, buflen, ++ ((char *)de) - base)) ++ return -EFSCORRUPTED; + if (de->name_len && de->inode) { + if (ext4_hash_in_dirent(dir)) + h.hash = EXT4_DIRENT_HASH(de); +@@ -1270,8 +1278,7 @@ static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de, + count++; + cond_resched(); + } +- /* XXX: do we need to check rec_len == 0 case? -Chris */ +- de = ext4_next_entry(de, blocksize); ++ de = ext4_next_entry(de, dir->i_sb->s_blocksize); + } + return count; + } +@@ -1943,8 +1950,11 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir, + + /* create map in the end of data2 block */ + map = (struct dx_map_entry *) (data2 + blocksize); +- count = dx_make_map(dir, (struct ext4_dir_entry_2 *) data1, +- blocksize, hinfo, map); ++ count = dx_make_map(dir, *bh, hinfo, map); ++ if (count < 0) { ++ err = count; ++ goto journal_error; ++ } + map -= count; + dx_sort_map(map, count); + /* Ensure that neither split block is over half full */ diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch new file mode 100644 index 0000000000..074be5ec4c --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch @@ -0,0 +1,71 @@ +From e085354dde254bc6c83ee604ea66c2b36f9f9067 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 20 May 2022 20:38:06 +0200 +Subject: [PATCH] perf: Fix sys_perf_event_open() race against self + +commit 3ac6487e584a1eb54071dbe1212e05b884136704 upstream. + +Norbert reported that it's possible to race sys_perf_event_open() such +that the looser ends up in another context from the group leader, +triggering many WARNs. + +The move_group case checks for races against itself, but the +!move_group case doesn't, seemingly relying on the previous +group_leader->ctx == ctx check. However, that check is racy due to not +holding any locks at that time. + +Therefore, re-check the result after acquiring locks and bailing +if they no longer match. + +Additionally, clarify the not_move_group case from the +move_group-vs-move_group race. + +Fixes: f63a8daa5812 ("perf: Fix event->ctx locking") +Reported-by: Norbert Slusarek +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 7c891a8eb32341..565910de92e9b6 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -12283,6 +12283,9 @@ SYSCALL_DEFINE5(perf_event_open, + * Do not allow to attach to a group in a different task + * or CPU context. If we're moving SW events, we'll fix + * this up later, so allow that. ++ * ++ * Racy, not holding group_leader->ctx->mutex, see comment with ++ * perf_event_ctx_lock(). + */ + if (!move_group && group_leader->ctx != ctx) + goto err_context; +@@ -12348,6 +12351,7 @@ SYSCALL_DEFINE5(perf_event_open, + } else { + perf_event_ctx_unlock(group_leader, gctx); + move_group = 0; ++ goto not_move_group; + } + } + +@@ -12364,7 +12368,17 @@ SYSCALL_DEFINE5(perf_event_open, + } + } else { + mutex_lock(&ctx->mutex); ++ ++ /* ++ * Now that we hold ctx->lock, (re)validate group_leader->ctx == ctx, ++ * see the group_leader && !move_group test earlier. ++ */ ++ if (group_leader && group_leader->ctx != ctx) { ++ err = -EINVAL; ++ goto err_locked; ++ } + } ++not_move_group: + + if (ctx->task == TASK_TOMBSTONE) { + err = -ESRCH; diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch new file mode 100644 index 0000000000..3af84d90db --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch @@ -0,0 +1,52 @@ +From 60765e43e40fbf7a1df828116172440510fcc3e4 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 28 Jan 2022 22:57:01 +0300 +Subject: [PATCH] fanotify: Fix stale file descriptor in copy_event_to_user() + +commit ee12595147ac1fbfb5bcb23837e26dd58d94b15d upstream. + +This code calls fd_install() which gives the userspace access to the fd. +Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but +that will not release it and leads to a stale entry in the file +descriptor table. + +Generally you can't trust the fd after a call to fd_install(). The fix +is to delay the fd_install() until everything else has succeeded. + +Fortunately it requires CAP_SYS_ADMIN to reach this code so the security +impact is less. + +Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up") +Link: https://lore.kernel.org/r/20220128195656.GA26981@kili +Signed-off-by: Dan Carpenter +Reviewed-by: Mathias Krause +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fanotify/fanotify_user.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c +index 6facdf476255d1..84ec851211d91c 100644 +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -611,9 +611,6 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, + if (fanotify_is_perm_event(event->mask)) + FANOTIFY_PERM(event)->fd = fd; + +- if (f) +- fd_install(fd, f); +- + if (info_mode) { + ret = copy_info_records_to_user(event, info, info_mode, pidfd, + buf, count); +@@ -621,6 +618,9 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group, + goto out_close_fd; + } + ++ if (f) ++ fd_install(fd, f); ++ + return metadata.event_len; + + out_close_fd: diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch new file mode 100644 index 0000000000..1ac478c679 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch @@ -0,0 +1,83 @@ +From f3ff5f75d8f6367eac7556c9db1227bb43e5c615 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20L=C3=B6hle?= +Date: Fri, 4 Feb 2022 15:11:37 +0000 +Subject: [PATCH] mmc: block: fix read single on recovery logic + +commit 54309fde1a352ad2674ebba004a79f7d20b9f037 upstream. + +On reads with MMC_READ_MULTIPLE_BLOCK that fail, +the recovery handler will use MMC_READ_SINGLE_BLOCK for +each of the blocks, up to MMC_READ_SINGLE_RETRIES times each. +The logic for this is fixed to never report unsuccessful reads +as success to the block layer. + +On command error with retries remaining, blk_update_request was +called with whatever value error was set last to. +In case it was last set to BLK_STS_OK (default), the read will be +reported as success, even though there was no data read from the device. +This could happen on a CRC mismatch for the response, +a card rejecting the command (e.g. again due to a CRC mismatch). +In case it was last set to BLK_STS_IOERR, the error is reported correctly, +but no retries will be attempted. + +Fixes: 81196976ed946c ("mmc: block: Add blk-mq support") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Loehle +Reviewed-by: Adrian Hunter +Link: https://lore.kernel.org/r/bc706a6ab08c4fe2834ba0c05a804672@hyperstone.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/block.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c +index 431af5e8be2f89..b575d0bfd0d68c 100644 +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -1682,31 +1682,31 @@ static void mmc_blk_read_single(struct mmc_queue *mq, struct request *req) + struct mmc_card *card = mq->card; + struct mmc_host *host = card->host; + blk_status_t error = BLK_STS_OK; +- int retries = 0; + + do { + u32 status; + int err; ++ int retries = 0; + +- mmc_blk_rw_rq_prep(mqrq, card, 1, mq); ++ while (retries++ <= MMC_READ_SINGLE_RETRIES) { ++ mmc_blk_rw_rq_prep(mqrq, card, 1, mq); + +- mmc_wait_for_req(host, mrq); ++ mmc_wait_for_req(host, mrq); + +- err = mmc_send_status(card, &status); +- if (err) +- goto error_exit; +- +- if (!mmc_host_is_spi(host) && +- !mmc_ready_for_data(status)) { +- err = mmc_blk_fix_state(card, req); ++ err = mmc_send_status(card, &status); + if (err) + goto error_exit; +- } + +- if (mrq->cmd->error && retries++ < MMC_READ_SINGLE_RETRIES) +- continue; ++ if (!mmc_host_is_spi(host) && ++ !mmc_ready_for_data(status)) { ++ err = mmc_blk_fix_state(card, req); ++ if (err) ++ goto error_exit; ++ } + +- retries = 0; ++ if (!mrq->cmd->error) ++ break; ++ } + + if (mrq->cmd->error || + mrq->data->error || diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch new file mode 100644 index 0000000000..99a7655bd7 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch @@ -0,0 +1,114 @@ +From a055f5f2841f7522b44a2b1eccb1951b4b03d51a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 12 Mar 2022 15:29:58 -0800 +Subject: [PATCH] net/packet: fix slab-out-of-bounds access in packet_recvmsg() + +[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ] + +syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH +and mmap operations, tpacket_rcv() is queueing skbs with +garbage in skb->cb[], triggering a too big copy [1] + +Presumably, users of af_packet using mmap() already gets correct +metadata from the mapped buffer, we can simply make sure +to clear 12 bytes that might be copied to user space later. + +BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] +BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 +Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 + +CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 + __kasan_report mm/kasan/report.c:442 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 + memcpy+0x39/0x60 mm/kasan/shadow.c:66 + memcpy include/linux/fortify-string.h:225 [inline] + packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_recvmsg net/socket.c:962 [inline] + ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 + ___sys_recvmsg+0x127/0x200 net/socket.c:2674 + __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fdfd5954c29 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 +RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 +R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 + + +addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame: + ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 + +this frame has 1 object: + [32, 160) 'addr' + +Memory state around the buggy address: + ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 + ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 +>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 + ^ + ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 + ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 +================================================================== + +Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index e00c38f242c320..c0d4a65931de56 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2281,8 +2281,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + copy_skb = skb_get(skb); + skb_head = skb->data; + } +- if (copy_skb) ++ if (copy_skb) { ++ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0, ++ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll)); + skb_set_owner_r(copy_skb, sk); ++ } + } + snaplen = po->rx_ring.frame_size - macoff; + if ((int)snaplen < 0) { +@@ -3434,6 +3437,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + sock_recv_ts_and_drops(msg, sk, skb); + + if (msg->msg_name) { ++ const size_t max_len = min(sizeof(skb->cb), ++ sizeof(struct sockaddr_storage)); + int copy_len; + + /* If the address length field is there to be filled +@@ -3456,6 +3461,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + msg->msg_namelen = sizeof(struct sockaddr_ll); + } + } ++ if (WARN_ON_ONCE(copy_len > max_len)) { ++ copy_len = max_len; ++ msg->msg_namelen = copy_len; ++ } + memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); + } + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch new file mode 100644 index 0000000000..189b6ce194 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch @@ -0,0 +1,35 @@ +From 69712b170237ec5979f168149cd31e851a465853 Mon Sep 17 00:00:00 2001 +From: Sarthak Kukreti +Date: Tue, 31 May 2022 15:56:40 -0400 +Subject: [PATCH] dm verity: set DM_TARGET_IMMUTABLE feature flag + +commit 4caae58406f8ceb741603eee460d79bacca9b1b5 upstream. + +The device-mapper framework provides a mechanism to mark targets as +immutable (and hence fail table reloads that try to change the target +type). Add the DM_TARGET_IMMUTABLE flag to the dm-verity target's +feature flags to prevent switching the verity target with a different +target type. + +Fixes: a4ffc152198e ("dm: add verity target") +Cc: stable@vger.kernel.org +Signed-off-by: Sarthak Kukreti +Reviewed-by: Kees Cook +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-target.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c +index 88288c8d6bc8c0..426299ceb33d7d 100644 +--- a/drivers/md/dm-verity-target.c ++++ b/drivers/md/dm-verity-target.c +@@ -1312,6 +1312,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv) + + static struct target_type verity_target = { + .name = "verity", ++ .features = DM_TARGET_IMMUTABLE, + .version = {1, 8, 0}, + .module = THIS_MODULE, + .ctr = verity_ctr, diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch new file mode 100644 index 0000000000..5f231cfe47 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch @@ -0,0 +1,249 @@ +From d3e4c61e143e69671803ef3f52140cf7a7258ee7 Mon Sep 17 00:00:00 2001 +From: Suren Baghdasaryan +Date: Tue, 11 Jan 2022 15:23:09 -0800 +Subject: [PATCH] psi: Fix uaf issue when psi trigger is destroyed while being + polled + +commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream. + +With write operation on psi files replacing old trigger with a new one, +the lifetime of its waitqueue is totally arbitrary. Overwriting an +existing trigger causes its waitqueue to be freed and pending poll() +will stumble on trigger->event_wait which was destroyed. +Fix this by disallowing to redefine an existing psi trigger. If a write +operation is used on a file descriptor with an already existing psi +trigger, the operation will fail with EBUSY error. +Also bypass a check for psi_disabled in the psi_trigger_destroy as the +flag can be flipped after the trigger is created, leading to a memory +leak. + +Fixes: 0e94682b73bf ("psi: introduce psi monitor") +Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com +Suggested-by: Linus Torvalds +Analyzed-by: Eric Biggers +Signed-off-by: Suren Baghdasaryan +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Eric Biggers +Acked-by: Johannes Weiner +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/accounting/psi.rst | 3 +- + include/linux/psi.h | 2 +- + include/linux/psi_types.h | 3 -- + kernel/cgroup/cgroup.c | 11 ++++-- + kernel/sched/psi.c | 66 ++++++++++++++------------------ + 5 files changed, 40 insertions(+), 45 deletions(-) + +diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst +index f2b3439edcc2cc..860fe651d6453e 100644 +--- a/Documentation/accounting/psi.rst ++++ b/Documentation/accounting/psi.rst +@@ -92,7 +92,8 @@ Triggers can be set on more than one psi metric and more than one trigger + for the same psi metric can be specified. However for each trigger a separate + file descriptor is required to be able to poll it separately from others, + therefore for each trigger a separate open() syscall should be made even +-when opening the same psi interface file. ++when opening the same psi interface file. Write operations to a file descriptor ++with an already existing psi trigger will fail with EBUSY. + + Monitors activate only when system enters stall state for the monitored + psi metric and deactivates upon exit from the stall state. While system is +diff --git a/include/linux/psi.h b/include/linux/psi.h +index 65eb1476ac7056..74f7148dfb9f4c 100644 +--- a/include/linux/psi.h ++++ b/include/linux/psi.h +@@ -32,7 +32,7 @@ void cgroup_move_task(struct task_struct *p, struct css_set *to); + + struct psi_trigger *psi_trigger_create(struct psi_group *group, + char *buf, size_t nbytes, enum psi_res res); +-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t); ++void psi_trigger_destroy(struct psi_trigger *t); + + __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file, + poll_table *wait); +diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h +index 0819c82dba920a..6f190002a20224 100644 +--- a/include/linux/psi_types.h ++++ b/include/linux/psi_types.h +@@ -140,9 +140,6 @@ struct psi_trigger { + * events to one per window + */ + u64 last_event_time; +- +- /* Refcounting to prevent premature destruction */ +- struct kref refcount; + }; + + struct psi_group { +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index bb1a78ff14374e..de8b4fa1e1fd68 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3642,6 +3642,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, + cgroup_get(cgrp); + cgroup_kn_unlock(of->kn); + ++ /* Allow only one trigger per file descriptor */ ++ if (ctx->psi.trigger) { ++ cgroup_put(cgrp); ++ return -EBUSY; ++ } ++ + psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi; + new = psi_trigger_create(psi, buf, nbytes, res); + if (IS_ERR(new)) { +@@ -3649,8 +3655,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf, + return PTR_ERR(new); + } + +- psi_trigger_replace(&ctx->psi.trigger, new); +- ++ smp_store_release(&ctx->psi.trigger, new); + cgroup_put(cgrp); + + return nbytes; +@@ -3689,7 +3694,7 @@ static void cgroup_pressure_release(struct kernfs_open_file *of) + { + struct cgroup_file_ctx *ctx = of->priv; + +- psi_trigger_replace(&ctx->psi.trigger, NULL); ++ psi_trigger_destroy(ctx->psi.trigger); + } + + bool cgroup_psi_enabled(void) +diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c +index 69b19d3af690ff..ab460f8b77d13a 100644 +--- a/kernel/sched/psi.c ++++ b/kernel/sched/psi.c +@@ -1162,7 +1162,6 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + t->event = 0; + t->last_event_time = 0; + init_waitqueue_head(&t->event_wait); +- kref_init(&t->refcount); + + mutex_lock(&group->trigger_lock); + +@@ -1191,15 +1190,19 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group, + return t; + } + +-static void psi_trigger_destroy(struct kref *ref) ++void psi_trigger_destroy(struct psi_trigger *t) + { +- struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount); +- struct psi_group *group = t->group; ++ struct psi_group *group; + struct task_struct *task_to_destroy = NULL; + +- if (static_branch_likely(&psi_disabled)) ++ /* ++ * We do not check psi_disabled since it might have been disabled after ++ * the trigger got created. ++ */ ++ if (!t) + return; + ++ group = t->group; + /* + * Wakeup waiters to stop polling. Can happen if cgroup is deleted + * from under a polling process. +@@ -1235,9 +1238,9 @@ static void psi_trigger_destroy(struct kref *ref) + mutex_unlock(&group->trigger_lock); + + /* +- * Wait for both *trigger_ptr from psi_trigger_replace and +- * poll_task RCUs to complete their read-side critical sections +- * before destroying the trigger and optionally the poll_task ++ * Wait for psi_schedule_poll_work RCU to complete its read-side ++ * critical section before destroying the trigger and optionally the ++ * poll_task. + */ + synchronize_rcu(); + /* +@@ -1254,18 +1257,6 @@ static void psi_trigger_destroy(struct kref *ref) + kfree(t); + } + +-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new) +-{ +- struct psi_trigger *old = *trigger_ptr; +- +- if (static_branch_likely(&psi_disabled)) +- return; +- +- rcu_assign_pointer(*trigger_ptr, new); +- if (old) +- kref_put(&old->refcount, psi_trigger_destroy); +-} +- + __poll_t psi_trigger_poll(void **trigger_ptr, + struct file *file, poll_table *wait) + { +@@ -1275,24 +1266,15 @@ __poll_t psi_trigger_poll(void **trigger_ptr, + if (static_branch_likely(&psi_disabled)) + return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; + +- rcu_read_lock(); +- +- t = rcu_dereference(*(void __rcu __force **)trigger_ptr); +- if (!t) { +- rcu_read_unlock(); ++ t = smp_load_acquire(trigger_ptr); ++ if (!t) + return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI; +- } +- kref_get(&t->refcount); +- +- rcu_read_unlock(); + + poll_wait(file, &t->event_wait, wait); + + if (cmpxchg(&t->event, 1, 0) == 1) + ret |= EPOLLPRI; + +- kref_put(&t->refcount, psi_trigger_destroy); +- + return ret; + } + +@@ -1316,14 +1298,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf, + + buf[buf_size - 1] = '\0'; + +- new = psi_trigger_create(&psi_system, buf, nbytes, res); +- if (IS_ERR(new)) +- return PTR_ERR(new); +- + seq = file->private_data; ++ + /* Take seq->lock to protect seq->private from concurrent writes */ + mutex_lock(&seq->lock); +- psi_trigger_replace(&seq->private, new); ++ ++ /* Allow only one trigger per file descriptor */ ++ if (seq->private) { ++ mutex_unlock(&seq->lock); ++ return -EBUSY; ++ } ++ ++ new = psi_trigger_create(&psi_system, buf, nbytes, res); ++ if (IS_ERR(new)) { ++ mutex_unlock(&seq->lock); ++ return PTR_ERR(new); ++ } ++ ++ smp_store_release(&seq->private, new); + mutex_unlock(&seq->lock); + + return nbytes; +@@ -1358,7 +1350,7 @@ static int psi_fop_release(struct inode *inode, struct file *file) + { + struct seq_file *seq = file->private_data; + +- psi_trigger_replace(&seq->private, NULL); ++ psi_trigger_destroy(seq->private); + return single_release(inode, file); + } + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch new file mode 100644 index 0000000000..f8117d0a71 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch @@ -0,0 +1,97 @@ +From 189b0ddc245139af81198d1a3637cac74f96e13a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 26 May 2022 07:34:52 +0100 +Subject: [PATCH] pipe: Fix missing lock in pipe_resize_ring() + +pipe_resize_ring() needs to take the pipe->rd_wait.lock spinlock to +prevent post_one_notification() from trying to insert into the ring +whilst the ring is being replaced. + +The occupancy check must be done after the lock is taken, and the lock +must be taken after the new ring is allocated. + +The bug can lead to an oops looking something like: + + BUG: KASAN: use-after-free in post_one_notification.isra.0+0x62e/0x840 + Read of size 4 at addr ffff88801cc72a70 by task poc/27196 + ... + Call Trace: + post_one_notification.isra.0+0x62e/0x840 + __post_watch_notification+0x3b7/0x650 + key_create_or_update+0xb8b/0xd20 + __do_sys_add_key+0x175/0x340 + __x64_sys_add_key+0xbe/0x140 + do_syscall_64+0x5c/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Reported by Selim Enes Karaduman @Enesdex working with Trend Micro Zero +Day Initiative. + +Fixes: c73be61cede5 ("pipe: Add general notification queue support") +Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17291 +Signed-off-by: David Howells +Signed-off-by: Linus Torvalds +--- + fs/pipe.c | 31 ++++++++++++++++++------------- + 1 file changed, 18 insertions(+), 13 deletions(-) + +diff --git a/fs/pipe.c b/fs/pipe.c +index e140ea150bbb14..11358569a7779a 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -1245,30 +1245,33 @@ unsigned int round_pipe_size(unsigned long size) + + /* + * Resize the pipe ring to a number of slots. ++ * ++ * Note the pipe can be reduced in capacity, but only if the current ++ * occupancy doesn't exceed nr_slots; if it does, EBUSY will be ++ * returned instead. + */ + int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) + { + struct pipe_buffer *bufs; + unsigned int head, tail, mask, n; + +- /* +- * We can shrink the pipe, if arg is greater than the ring occupancy. +- * Since we don't expect a lot of shrink+grow operations, just free and +- * allocate again like we would do for growing. If the pipe currently +- * contains more buffers than arg, then return busy. +- */ +- mask = pipe->ring_size - 1; +- head = pipe->head; +- tail = pipe->tail; +- n = pipe_occupancy(pipe->head, pipe->tail); +- if (nr_slots < n) +- return -EBUSY; +- + bufs = kcalloc(nr_slots, sizeof(*bufs), + GFP_KERNEL_ACCOUNT | __GFP_NOWARN); + if (unlikely(!bufs)) + return -ENOMEM; + ++ spin_lock_irq(&pipe->rd_wait.lock); ++ mask = pipe->ring_size - 1; ++ head = pipe->head; ++ tail = pipe->tail; ++ ++ n = pipe_occupancy(head, tail); ++ if (nr_slots < n) { ++ spin_unlock_irq(&pipe->rd_wait.lock); ++ kfree(bufs); ++ return -EBUSY; ++ } ++ + /* + * The pipe array wraps around, so just start the new one at zero + * and adjust the indices. +@@ -1300,6 +1303,8 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots) + pipe->tail = tail; + pipe->head = head; + ++ spin_unlock_irq(&pipe->rd_wait.lock); ++ + /* This might have made more room for writers */ + wake_up_interruptible(&pipe->wr_wait); + return 0; diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch new file mode 100644 index 0000000000..9e9da26d02 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch @@ -0,0 +1,103 @@ +From ee1fee900537b5d9560e9f937402de5ddc8412f3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 19 Mar 2022 02:08:37 +0100 +Subject: [PATCH] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on + PTRACE_SEIZE + +Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged +operation because it allows the tracee to completely bypass all seccomp +filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to +be settable by a process with global CAP_SYS_ADMIN, and only if that +process is not subject to any seccomp filters at all. + +However, while these permission checks were done on the PTRACE_SETOPTIONS +path, they were missing on the PTRACE_SEIZE path, which also sets +user-specified ptrace flags. + +Move the permissions checks out into a helper function and let both +ptrace_attach() and ptrace_setoptions() call it. + +Cc: stable@kernel.org +Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") +Signed-off-by: Jann Horn +Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com +Signed-off-by: Eric W. Biederman +--- + kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index eea265082e9752..ccc4b465775b82 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode) + return !err; + } + ++static int check_ptrace_options(unsigned long data) ++{ ++ if (data & ~(unsigned long)PTRACE_O_MASK) ++ return -EINVAL; ++ ++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { ++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || ++ !IS_ENABLED(CONFIG_SECCOMP)) ++ return -EINVAL; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || ++ current->ptrace & PT_SUSPEND_SECCOMP) ++ return -EPERM; ++ } ++ return 0; ++} ++ + static int ptrace_attach(struct task_struct *task, long request, + unsigned long addr, + unsigned long flags) +@@ -382,8 +402,16 @@ static int ptrace_attach(struct task_struct *task, long request, + if (seize) { + if (addr != 0) + goto out; ++ /* ++ * This duplicates the check in check_ptrace_options() because ++ * ptrace_attach() and ptrace_setoptions() have historically ++ * used different error codes for unknown ptrace options. ++ */ + if (flags & ~(unsigned long)PTRACE_O_MASK) + goto out; ++ retval = check_ptrace_options(flags); ++ if (retval) ++ return retval; + flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); + } else { + flags = PT_PTRACED; +@@ -654,22 +682,11 @@ int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long ds + static int ptrace_setoptions(struct task_struct *child, unsigned long data) + { + unsigned flags; ++ int ret; + +- if (data & ~(unsigned long)PTRACE_O_MASK) +- return -EINVAL; +- +- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { +- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || +- !IS_ENABLED(CONFIG_SECCOMP)) +- return -EINVAL; +- +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || +- current->ptrace & PT_SUSPEND_SECCOMP) +- return -EPERM; +- } ++ ret = check_ptrace_options(data); ++ if (ret) ++ return ret; + + /* Avoid intermediate state when all opts are cleared */ + flags = child->ptrace; diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch new file mode 100644 index 0000000000..5772f7e130 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch @@ -0,0 +1,61 @@ +From dff5a6126ede802f8df7485b122bf265ad7c69aa Mon Sep 17 00:00:00 2001 +From: Manish Baing +Date: Tue, 21 Jun 2022 05:44:53 +0000 +Subject: [PATCH] tcp: increase source port perturb table to 2^16 + +Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately +identify a client by forcing it to emit only 40 times more connections +than there are entries in the table_perturb[] table. The previous two +improvements consisting in resalting the secret every 10s and adding +randomness to each port selection only slightly improved the situation, +and the current value of 2^8 was too small as it's not very difficult +to make a client emit 10k connections in less than 10 seconds. + +Thus we're increasing the perturb table from 2^8 to 2^16 so that the +same precision now requires 2.6M connections, which is more difficult in +this time frame and harder to hide as a background activity. The impact +is that the table now uses 256 kB instead of 1 kB, which could mostly +affect devices making frequent outgoing connections. However such +components usually target a small set of destinations (load balancers, +database clients, perf assessment tools), and in practice only a few +entries will be visited, like before. + +A live test at 1 million connections per second showed no performance +difference from the previous value. + +Reported-by: Moshe Kol +Reported-by: Yossi Gilad +Reported-by: Amit Klein +Reviewed-by: Eric Dumazet +Signed-off-by: Willy Tarreau +Signed-off-by: Jakub Kicinski + +Source: https://github.com/openbmc/linux/commit/4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5 +--- + net/ipv4/inet_hashtables.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index bfb522e51346..86efce0cf4eb 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -715,11 +715,12 @@ EXPORT_SYMBOL_GPL(inet_unhash); + * Note that we use 32bit integers (vs RFC 'short integers') + * because 2^16 is not a multiple of num_ephemeral and this + * property might be used by clever attacker. +- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, +- * we use 256 instead to really give more isolation and +- * privacy, this only consumes 1 KB of kernel memory. ++ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though ++ * attacks were since demonstrated, thus we use 65536 instead to really ++ * give more isolation and privacy, at the expense of 256kB of kernel ++ * memory. + */ +-#define INET_TABLE_PERTURB_SHIFT 8 ++#define INET_TABLE_PERTURB_SHIFT 16 + static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT]; + + int __inet_hash_connect(struct inet_timewait_death_row *death_row, +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch new file mode 100644 index 0000000000..66f34dcb1e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch @@ -0,0 +1,35 @@ +From 3746d62ecf1c872a520c4866118edccb121c44fd Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 23 Jun 2022 11:06:43 -0600 +Subject: [PATCH] io_uring: use original request task for inflight tracking + +commit 386e4fb6962b9f248a80f8870aea0870ca603e89 upstream. + +In prior kernels, we did file assignment always at prep time. This meant +that req->task == current. But after deferring that assignment and then +pushing the inflight tracking back in, we've got the inflight tracking +using current when it should in fact now be using req->task. + +Fixup that error introduced by adding the inflight tracking back after +file assignments got modifed. + +Fixes: 9cae36a094e7 ("io_uring: reinstate the inflight tracking") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 0ce1587df43221..89f24b54fe5e8d 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -1405,7 +1405,7 @@ static void io_req_track_inflight(struct io_kiocb *req) + { + if (!(req->flags & REQ_F_INFLIGHT)) { + req->flags |= REQ_F_INFLIGHT; +- atomic_inc(¤t->io_uring->inflight_tracked); ++ atomic_inc(&req->task->io_uring->inflight_tracked); + } + } + diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend index 1ddfbd7261..a8d09586ba 100644 --- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend @@ -29,6 +29,26 @@ SRC_URI += " \ file://CVE-2021-4197-003.patch\ file://CVE-2021-44733.patch\ file://CVE-2022-29582.patch\ + file://CVE-2022-30594.patch\ + file://CVE-2022-20008.patch\ + file://CVE-2022-1998.patch\ + file://CVE-2022-32296.patch\ + file://CVE-2021-39685.patch\ + file://CVE-2021-39685-1.patch\ + file://CVE-2021-39685-2.patch\ + file://CVE-2021-39698.patch\ + file://CVE-2021-39698-1.patch\ + file://CVE-2021-4083.patch\ + file://CVE-2022-1729.patch\ + file://CVE-2022-1184_1.patch\ + file://CVE-2022-1184_2.patch\ + file://CVE-2022-2938.patch\ + file://CVE-2022-2959.patch\ + file://CVE-2022-1012.patch\ + file://CVE-2022-2503.patch\ + file://CVE-2022-20368.patch\ + file://CVE-2022-0168.patch\ + file://CVE-2022-40476.patch\ " SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://1000-128MB-flashmap-for-PFR.patch', '', d)}" diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch new file mode 100644 index 0000000000..d88d45ff50 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch @@ -0,0 +1,62 @@ +From 2939f827a10f0104d06d74d9744dffeae6b1af7a Mon Sep 17 00:00:00 2001 +From: "D M, Karthik" +Date: Tue, 14 Jun 2022 09:46:20 +0530 +Subject: [PATCH] PCIeFunctions not showing in Redfish + +For PCIe devices which do not have PCIeType, will not get +PCIeFunctions populated due to a "return" statement while parsing +for PCIeType. + +Missing Data: +"PCIeFunctions": { +"@odata.id": "/redfish/v1/Systems/system/PCIeDevices//PCIeFunctions" +} + +Tested for all 3 PCIe devices, PCIeFunction details after fixing +{ +"@odata.id": "/redfish/v1/Systems/system/PCIeDevices/S0B3D0", +"@odata.type": "#PCIeDevice.v1_4_0.PCIeDevice", +"DeviceType": "SingleFunction", +"Id": "S0B3D0", +"Manufacturer": "ASPEED Technology Inc.", +"Name": "PCIe Device", +"PCIeFunctions": { +"@odata.id": "/redfish/v1/Systems/system/PCIeDevices/S0B3D0/PCIeFunctions" +} +} + +Signed-off-by: D M, Karthik +--- + redfish-core/lib/pcie.hpp | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/redfish-core/lib/pcie.hpp b/redfish-core/lib/pcie.hpp +index 1b9e28e..95c2b2c 100644 +--- a/redfish-core/lib/pcie.hpp ++++ b/redfish-core/lib/pcie.hpp +@@ -176,6 +176,11 @@ inline void requestRoutesSystemPCIeDevice(App& app) + {"Name", "PCIe Device"}, + {"Id", device}}; + ++ asyncResp->res.jsonValue["PCIeFunctions"] = { ++ {"@odata.id", ++ "/redfish/v1/Systems/system/PCIeDevices/" + ++ device + "/PCIeFunctions"}}; ++ + if (std::string* property = std::get_if( + &pcieDevProperties["Manufacturer"]); + property) +@@ -226,10 +231,6 @@ inline void requestRoutesSystemPCIeDevice(App& app) + .jsonValue["PCIeInterface"]["PCIeType"] = + *generationInUse; + } +- asyncResp->res.jsonValue["PCIeFunctions"] = { +- {"@odata.id", +- "/redfish/v1/Systems/system/PCIeDevices/" + +- device + "/PCIeFunctions"}}; + }; + std::string escapedPath = std::string(pciePath) + "/" + device; + dbus::utility::escapePathForDbus(escapedPath); +-- +2.20.0.windows.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend index 45622be308..d5e7a6dd29 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend @@ -31,6 +31,7 @@ SRC_URI += "file://0001-Firmware-update-configuration-changes.patch \ file://0033-Add-message-registry-entry-for-Memhot-event.patch \ file://0034-Update-odata.type-version-of-redfish-v1-AccountService.patch \ file://0035-Add-MemoryMetrics-schema-file.patch \ + file://0036-PCIeFunctions-not-showing-in-Redfish.patch \ " # OOB Bios Config: diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb index 1573b53470..5ea48b2348 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb @@ -5,7 +5,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" SRC_URI = "git://git@github.com/Intel-BMC/nvme-mi.git;protocol=ssh;branch=master" -SRCREV = "8bcc5ef307ac4445d9589d0c866d13455c46b811" +SRCREV = "b6f50e04516962a4e94fe9340251999f154197c4" S = "${WORKDIR}/git" PV = "1.0+git${SRCPV}" diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb index fccf18cb93..2ef0b4e95b 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb @@ -5,7 +5,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327" SRC_URI += "git://git@github.com/Intel-BMC/pldmd.git;protocol=ssh;branch=1-release" -SRCREV = "dd493b97dd7b243738e2d00c983a82a8a6d05db0" +SRCREV = "2c3522ec89828d5abed265b4f460e77b4c580ae4" S = "${WORKDIR}/git" diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch new file mode 100644 index 0000000000..f4282a767b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch @@ -0,0 +1,124 @@ +From bb67f9718411fc9e485d945b8ec13a61f5fec2be Mon Sep 17 00:00:00 2001 +From: Jitendra Tripathy +Date: Fri, 24 Jun 2022 09:13:30 +0000 +Subject: [PATCH] Fix for PSU2 Power-lost RedFish events + +In a dual power supply system, after Removing the PSU2 power +cable/module, power-lost RedFish events are not getting logged in the +RedFish logs. Only SEL entries are getting logged for PSU2. But all the +events are getting logged for PSU1 in the redfish logs. + +To get PSU2 events also, replace async_wait instead of async_read_until +while reading the hwmon files. + +Tested: +1. The system should have connected with dual PSU's which are drawing +same power. +2. Verified both PSU are connected by executing below ipmitool command. +"ipmitool fru" +3. Removed one of 1600W PSU, which server holding 2 PSU's drawing 1600W. +4. Above step try for both PSU1 and PSU2 by removing and connecting. +5. Verified for both PSU1 and PSU2, eventlogs generated on Redfish +respectively. +Get: https:///redfish/v1/Systems/system/LogServices/ + EventLog/Entries + +Signed-off-by: Jitendra Tripathy +--- + include/PSUEvent.hpp | 1 - + src/PSUEvent.cpp | 42 +++++++++++++++++++++--------------------- + 2 files changed, 21 insertions(+), 22 deletions(-) + +diff --git a/include/PSUEvent.hpp b/include/PSUEvent.hpp +index 3a39164..72abbae 100644 +--- a/include/PSUEvent.hpp ++++ b/include/PSUEvent.hpp +@@ -57,7 +57,6 @@ class PSUSubEvent : public std::enable_shared_from_this + + PowerState readState; + boost::asio::deadline_timer waitTimer; +- std::shared_ptr readBuf; + void restartRead(); + void handleResponse(const boost::system::error_code& err); + void updateValue(const int& newValue); +diff --git a/src/PSUEvent.cpp b/src/PSUEvent.cpp +index 44275a3..446f14f 100644 +--- a/src/PSUEvent.cpp ++++ b/src/PSUEvent.cpp +@@ -157,7 +157,7 @@ PSUSubEvent::PSUSubEvent( + { + eventPollMs = static_cast(pollRate * 1000); + } +- fd = open(path.c_str(), O_RDONLY); ++ fd = open(path.c_str(), O_RDONLY | O_NONBLOCK); + if (fd < 0) + { + std::cerr << "PSU sub event failed to open file\n"; +@@ -205,20 +205,15 @@ void PSUSubEvent::setupRead(void) + return; + } + +- std::shared_ptr buffer = +- std::make_shared(); + std::weak_ptr weakRef = weak_from_this(); +- boost::asio::async_read_until( +- inputDev, *buffer, '\n', +- [weakRef, buffer](const boost::system::error_code& ec, +- std::size_t /*bytes_transfered*/) { +- std::shared_ptr self = weakRef.lock(); +- if (self) +- { +- self->readBuf = buffer; +- self->handleResponse(ec); +- } +- }); ++ inputDev.async_wait(boost::asio::posix::descriptor_base::wait_read, ++ [weakRef](const boost::system::error_code& ec) { ++ std::shared_ptr self = weakRef.lock(); ++ if (self) ++ { ++ self->handleResponse(ec); ++ } ++ }); + } + + void PSUSubEvent::restartRead() +@@ -238,23 +233,28 @@ void PSUSubEvent::restartRead() + }); + } + ++// Create a buffer expected to be able to hold more characters than will be ++// present in the input file. ++static constexpr uint32_t psuBufLen = 128; + void PSUSubEvent::handleResponse(const boost::system::error_code& err) + { + if ((err == boost::system::errc::bad_file_descriptor) || + (err == boost::asio::error::misc_errors::not_found)) + { ++ std::cerr << "Bad file descriptor for " << path << "\n"; + return; + } +- std::istream responseStream(readBuf.get()); +- if (!err) ++ ++ std::string buffer; ++ buffer.resize(psuBufLen); ++ lseek(fd, 0, SEEK_SET); ++ int rdLen = read(fd, buffer.data(), psuBufLen); ++ ++ if (rdLen > 0) + { +- std::string response; + try + { +- std::getline(responseStream, response); +- int nvalue = std::stoi(response); +- responseStream.clear(); +- ++ int nvalue = std::stoi(buffer); + updateValue(nvalue); + errCount = 0; + } +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch new file mode 100644 index 0000000000..b7141513b4 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch @@ -0,0 +1,44 @@ +From d8583d8b347b2f4c3d6e84f333df4cd137085189 Mon Sep 17 00:00:00 2001 +From: Jayaprakash Mutyala +Date: Mon, 4 Jul 2022 16:03:35 +0000 +Subject: [PATCH] Ignore VR sensor readings if content is 0xFF + +As per NM 6.0 specification SPS FW will return 0xFF in certain +erroneous condition with error code stating transaction successful. +BMC need to ignore such readings. + +Tested: +Verified by monitoring more than 1 hour, ignored VR sensor readings when +content is 0xFF. + +Signed-off-by: Vikash Chandola vikash.chandola@intel.com +Signed-off-by: Jayaprakash Mutyala +--- + src/IpmbSensor.cpp | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/IpmbSensor.cpp b/src/IpmbSensor.cpp +index 2cb2495..a41209d 100644 +--- a/src/IpmbSensor.cpp ++++ b/src/IpmbSensor.cpp +@@ -321,7 +321,16 @@ void IpmbSensor::checkThresholds(void) + + bool IpmbSensor::processReading(const std::vector& data, double& resp) + { +- ++ if (isReadMe && data.size() >= 5) ++ { ++ // This is VR sensor. Mark failure if byte at index 3 and 4 are 0xFF ++ if (data[3] == 0xFF && data[4] == 0xFF) ++ { ++ std::cerr << name << " value is 0xFFFF. Marking error\n"; ++ markFunctional(false); ++ return false; ++ } ++ } + switch (readingFormat) + { + case (ReadingFormat::byte0): +-- +2.17.1 + diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend index 8f7440120e..a9d4a7627e 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend @@ -20,6 +20,8 @@ SRC_URI += "\ file://0012-Serialize-cpusensor-polling.patch \ file://0013-Add-dummy-cpu-sensor-flag.patch \ file://0014-Treat-zero-temperatures-readings-as-errors-in-IpmbSe.patch \ + file://0015-Fix-for-PSU2-Power-lost-RedFish-events.patch \ + file://0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch \ " DEPENDS:append = " libgpiod libmctp" diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend index 0f2db3f1a4..5e2ba584ce 100644 --- a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend @@ -1,6 +1,8 @@ SRC_URI = "git://github.com/openbmc/telemetry.git" -SRCREV = "51f0fd501f4b772533271d15cb27d396186a7192" +SRCREV = "aa4a9dc5ccae9f210d0d63f99b22154c97e53c19" EXTRA_OEMESON += " -Dmax-reports=10" +EXTRA_OEMESON += " -Dmax-triggers=0" +EXTRA_OEMESON += " -Dmax-append-limit=0" EXTRA_OEMESON += " -Dmax-reading-parameters=200" EXTRA_OEMESON += " -Dmin-interval=1000" diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch new file mode 100644 index 0000000000..dc7b59f7f2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch @@ -0,0 +1,171 @@ +From 48d7064a49148f03942380967da739dcde1cdc24 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 26 Jun 2022 11:00:48 +0200 +Subject: [PATCH] cookie: apply limits + +- Send no more than 150 cookies per request +- Cap the max length used for a cookie: header to 8K +- Cap the max number of received Set-Cookie: headers to 50 + +Bug: https://curl.se/docs/CVE-2022-32205.html +CVE-2022-32205 +Reported-by: Harry Sintonen +Closes #9048 +--- + lib/cookie.c | 14 ++++++++++++-- + lib/cookie.h | 21 +++++++++++++++++++-- + lib/http.c | 13 +++++++++++-- + lib/urldata.h | 1 + + 4 files changed, 43 insertions(+), 6 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index a308346a777bc..a1ab89532033b 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -482,6 +482,10 @@ Curl_cookie_add(struct Curl_easy *data, + (void)data; + #endif + ++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */ ++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT) ++ return NULL; ++ + /* First, alloc and init a new struct for it */ + co = calloc(1, sizeof(struct Cookie)); + if(!co) +@@ -821,7 +825,7 @@ Curl_cookie_add(struct Curl_easy *data, + freecookie(co); + return NULL; + } +- ++ data->req.setcookies++; + } + else { + /* +@@ -1375,7 +1379,8 @@ static struct Cookie *dup_cookie(struct Cookie *src) + * + * It shall only return cookies that haven't expired. + */ +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, + const char *host, const char *path, + bool secure) + { +@@ -1430,6 +1435,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, + mainco = newco; + + matches++; ++ if(matches >= MAX_COOKIE_SEND_AMOUNT) { ++ infof(data, "Included max number of cookies (%u) in request!", ++ matches); ++ break; ++ } + } + else + goto fail; +diff --git a/lib/cookie.h b/lib/cookie.h +index 453dfced8a342..abc0a2e8a01ad 100644 +--- a/lib/cookie.h ++++ b/lib/cookie.h +@@ -83,10 +83,26 @@ struct CookieInfo { + */ + #define MAX_COOKIE_LINE 5000 + +-/* This is the maximum length of a cookie name or content we deal with: */ ++/* Maximum length of an incoming cookie name or content we deal with. Longer ++ cookies are ignored. */ + #define MAX_NAME 4096 + #define MAX_NAME_TXT "4095" + ++/* Maximum size for an outgoing cookie line libcurl will use in an http ++ request. This is the default maximum length used in some versions of Apache ++ httpd. */ ++#define MAX_COOKIE_HEADER_LEN 8190 ++ ++/* Maximum number of cookies libcurl will send in a single request, even if ++ there might be more cookies that match. One reason to cap the number is to ++ keep the maximum HTTP request within the maximum allowed size. */ ++#define MAX_COOKIE_SEND_AMOUNT 150 ++ ++/* Maximum number of Set-Cookie: lines accepted in a single response. If more ++ such header lines are received, they are ignored. This value must be less ++ than 256 since an unsigned char is used to count. */ ++#define MAX_SET_COOKIE_AMOUNT 50 ++ + struct Curl_easy; + /* + * Add a cookie to the internal list of cookies. The domain and path arguments +@@ -99,7 +115,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data, + const char *domain, const char *path, + bool secure); + +-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host, ++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data, ++ struct CookieInfo *c, const char *host, + const char *path, bool secure); + void Curl_cookie_freelist(struct Cookie *cookies); + void Curl_cookie_clearall(struct CookieInfo *cookies); +diff --git a/lib/http.c b/lib/http.c +index 5284475ba92c4..258722a602e40 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -2711,12 +2711,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn, + } + + #if !defined(CURL_DISABLE_COOKIES) ++ + CURLcode Curl_http_cookies(struct Curl_easy *data, + struct connectdata *conn, + struct dynbuf *r) + { + CURLcode result = CURLE_OK; + char *addcookies = NULL; ++ bool linecap = FALSE; + if(data->set.str[STRING_COOKIE] && + !Curl_checkheaders(data, STRCONST("Cookie"))) + addcookies = data->set.str[STRING_COOKIE]; +@@ -2734,7 +2736,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + !strcmp(host, "127.0.0.1") || + !strcmp(host, "[::1]") ? TRUE : FALSE; + Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); +- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path, ++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, + secure_context); + Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE); + } +@@ -2748,6 +2750,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + if(result) + break; + } ++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >= ++ MAX_COOKIE_HEADER_LEN) { ++ infof(data, "Restricted outgoing cookies due to header size, " ++ "'%s' not sent", co->name); ++ linecap = TRUE; ++ break; ++ } + result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"", + co->name, co->value); + if(result) +@@ -2758,7 +2767,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, + } + Curl_cookie_freelist(store); + } +- if(addcookies && !result) { ++ if(addcookies && !result && !linecap) { + if(!count) + result = Curl_dyn_addn(r, STRCONST("Cookie: ")); + if(!result) { +diff --git a/lib/urldata.h b/lib/urldata.h +index 17fe25720be33..bcb4d460c2fe6 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -698,6 +698,7 @@ struct SingleRequest { + #ifndef CURL_DISABLE_DOH + struct dohdata *doh; /* DoH specific data for this request */ + #endif ++ unsigned char setcookies; + BIT(header); /* incoming data has HTTP header */ + BIT(content_range); /* set TRUE if Content-Range: was found */ + BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch new file mode 100644 index 0000000000..bdf3ba35e3 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch @@ -0,0 +1,48 @@ +From 3a09fbb7f264c67c438d01a30669ce325aa508e2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 16 May 2022 16:28:13 +0200 +Subject: [PATCH] content_encoding: return error on too many compression steps + +The max allowed steps is arbitrarily set to 5. + +Bug: https://curl.se/docs/CVE-2022-32206.html +CVE-2022-32206 +Reported-by: Harry Sintonen +Closes #9049 +--- + lib/content_encoding.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/content_encoding.c b/lib/content_encoding.c +index c5591ca48ac78..95ba48a2dd563 100644 +--- a/lib/content_encoding.c ++++ b/lib/content_encoding.c +@@ -1028,12 +1028,16 @@ static const struct content_encoding *find_encoding(const char *name, + return NULL; + } + ++/* allow no more than 5 "chained" compression steps */ ++#define MAX_ENCODE_STACK 5 ++ + /* Set-up the unencoding stack from the Content-Encoding header value. + * See RFC 7231 section 3.1.2.2. */ + CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + const char *enclist, int maybechunked) + { + struct SingleRequest *k = &data->req; ++ int counter = 0; + + do { + const char *name; +@@ -1068,6 +1072,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, + if(!encoding) + encoding = &error_encoding; /* Defer error at stack use. */ + ++ if(++counter >= MAX_ENCODE_STACK) { ++ failf(data, "Reject response due to %u content encodings", ++ counter); ++ return CURLE_BAD_CONTENT_ENCODING; ++ } + /* Stack the unencoding stage. */ + writer = new_unencoding_writer(data, encoding, k->writer_stack); + if(!writer) diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch new file mode 100644 index 0000000000..9b4c128d9e --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch @@ -0,0 +1,280 @@ +From 20f9dd6bae50b7223171b17ba7798946e74f877f Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 25 May 2022 10:09:53 +0200 +Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files + +Bug: https://curl.se/docs/CVE-2022-32207.html +CVE-2022-32207 +Reported-by: Harry Sintonen +Closes #9050 +--- + CMakeLists.txt | 1 + + configure.ac | 1 + + lib/Makefile.inc | 2 + + lib/cookie.c | 19 ++----- + lib/curl_config.h.cmake | 3 ++ + lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++ + lib/fopen.h | 30 +++++++++++ + 7 files changed, 154 insertions(+), 15 deletions(-) + create mode 100644 lib/fopen.c + create mode 100644 lib/fopen.h + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 45d763d5a9c1d..ad20777f3d688 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1067,6 +1067,7 @@ elseif(HAVE_LIBSOCKET) + set(CMAKE_REQUIRED_LIBRARIES socket) + endif() + ++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD) + check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME) + check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET) + check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT) +diff --git a/configure.ac b/configure.ac +index b0245b99a669f..de2dee5a484ed 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3438,6 +3438,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se + + + AC_CHECK_FUNCS([fnmatch \ ++ fchmod \ + geteuid \ + getpass_r \ + getppid \ +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index 533e16df97020..9bd8e324bd1c1 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -137,6 +137,7 @@ LIB_CFILES = \ + escape.c \ + file.c \ + fileinfo.c \ ++ fopen.c \ + formdata.c \ + ftp.c \ + ftplistparser.c \ +@@ -270,6 +271,7 @@ LIB_HFILES = \ + escape.h \ + file.h \ + fileinfo.h \ ++ fopen.h \ + formdata.h \ + ftp.h \ + ftplistparser.h \ +diff --git a/lib/cookie.c b/lib/cookie.c +index a1ab89532033b..cb57b86387191 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -99,8 +99,8 @@ Example set of cookies: + #include "curl_get_line.h" + #include "curl_memrchr.h" + #include "parsedate.h" +-#include "rand.h" + #include "rename.h" ++#include "fopen.h" + + /* The last 3 #include files should be in this order */ + #include "curl_printf.h" +@@ -1641,20 +1641,9 @@ static CURLcode cookie_output(struct Curl_easy *data, + use_stdout = TRUE; + } + else { +- unsigned char randsuffix[9]; +- +- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix))) +- return 2; +- +- tempstore = aprintf("%s.%s.tmp", filename, randsuffix); +- if(!tempstore) +- return CURLE_OUT_OF_MEMORY; +- +- out = fopen(tempstore, FOPEN_WRITETEXT); +- if(!out) { +- error = CURLE_WRITE_ERROR; ++ error = Curl_fopen(data, filename, &out, &tempstore); ++ if(error) + goto error; +- } + } + + fputs("# Netscape HTTP Cookie File\n" +@@ -1701,7 +1690,7 @@ static CURLcode cookie_output(struct Curl_easy *data, + if(!use_stdout) { + fclose(out); + out = NULL; +- if(Curl_rename(tempstore, filename)) { ++ if(tempstore && Curl_rename(tempstore, filename)) { + unlink(tempstore); + error = CURLE_WRITE_ERROR; + goto error; +diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake +index cd4b568d89948..eb2c62b971453 100644 +--- a/lib/curl_config.h.cmake ++++ b/lib/curl_config.h.cmake +@@ -159,6 +159,9 @@ + /* Define to 1 if you have the header file. */ + #cmakedefine HAVE_ASSERT_H 1 + ++/* Define to 1 if you have the `fchmod' function. */ ++#cmakedefine HAVE_FCHMOD 1 ++ + /* Define to 1 if you have the `basename' function. */ + #cmakedefine HAVE_BASENAME 1 + +diff --git a/lib/fopen.c b/lib/fopen.c +new file mode 100644 +index 0000000000000..ad3691ba9d158 +--- /dev/null ++++ b/lib/fopen.c +@@ -0,0 +1,113 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++#include "curl_setup.h" ++ ++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \ ++ !defined(CURL_DISABLE_HSTS) ++ ++#ifdef HAVE_FCNTL_H ++#include ++#endif ++ ++#include "urldata.h" ++#include "rand.h" ++#include "fopen.h" ++/* The last 3 #include files should be in this order */ ++#include "curl_printf.h" ++#include "curl_memory.h" ++#include "memdebug.h" ++ ++/* ++ * Curl_fopen() opens a file for writing with a temp name, to be renamed ++ * to the final name when completed. If there is an existing file using this ++ * name at the time of the open, this function will clone the mode from that ++ * file. if 'tempname' is non-NULL, it needs a rename after the file is ++ * written. ++ */ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname) ++{ ++ CURLcode result = CURLE_WRITE_ERROR; ++ unsigned char randsuffix[9]; ++ char *tempstore = NULL; ++ struct_stat sb; ++ int fd = -1; ++ *tempname = NULL; ++ ++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) { ++ /* a non-regular file, fallback to direct fopen() */ ++ *fh = fopen(filename, FOPEN_WRITETEXT); ++ if(*fh) ++ return CURLE_OK; ++ goto fail; ++ } ++ ++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix)); ++ if(result) ++ goto fail; ++ ++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix); ++ if(!tempstore) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto fail; ++ } ++ ++ result = CURLE_WRITE_ERROR; ++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600); ++ if(fd == -1) ++ goto fail; ++ ++#ifdef HAVE_FCHMOD ++ { ++ struct_stat nsb; ++ if((fstat(fd, &nsb) != -1) && ++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) { ++ /* if the user and group are the same, clone the original mode */ ++ if(fchmod(fd, sb.st_mode) == -1) ++ goto fail; ++ } ++ } ++#endif ++ ++ *fh = fdopen(fd, FOPEN_WRITETEXT); ++ if(!*fh) ++ goto fail; ++ ++ *tempname = tempstore; ++ return CURLE_OK; ++ ++fail: ++ if(fd != -1) { ++ close(fd); ++ unlink(tempstore); ++ } ++ ++ free(tempstore); ++ ++ *tempname = NULL; ++ return result; ++} ++ ++#endif /* ! disabled */ +diff --git a/lib/fopen.h b/lib/fopen.h +new file mode 100644 +index 0000000000000..289e55f2afd24 +--- /dev/null ++++ b/lib/fopen.h +@@ -0,0 +1,30 @@ ++#ifndef HEADER_CURL_FOPEN_H ++#define HEADER_CURL_FOPEN_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ * SPDX-License-Identifier: curl ++ * ++ ***************************************************************************/ ++ ++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename, ++ FILE **fh, char **tempname); ++ ++#endif diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch new file mode 100644 index 0000000000..be9f52d861 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch @@ -0,0 +1,64 @@ +From 6ecdf5136b52af747e7bda08db9a748256b1cd09 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 9 Jun 2022 09:27:24 +0200 +Subject: [PATCH] krb5: return error properly on decode errors + +Bug: https://curl.se/docs/CVE-2022-32208.html +CVE-2022-32208 +Reported-by: Harry Sintonen +Closes #9051 +--- + lib/krb5.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5.c b/lib/krb5.c +index e289595c9e1dd..517491c4658bf 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -142,11 +142,8 @@ krb5_decode(void *app_data, void *buf, int len, + enc.value = buf; + enc.length = len; + maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); +- if(maj != GSS_S_COMPLETE) { +- if(len >= 4) +- strcpy(buf, "599 "); ++ if(maj != GSS_S_COMPLETE) + return -1; +- } + + memcpy(buf, dec.value, dec.length); + len = curlx_uztosi(dec.length); +@@ -508,6 +505,7 @@ static CURLcode read_data(struct connectdata *conn, + { + int len; + CURLcode result; ++ int nread; + + result = socket_read(fd, &len, sizeof(len)); + if(result) +@@ -516,7 +514,10 @@ static CURLcode read_data(struct connectdata *conn, + if(len) { + /* only realloc if there was a length */ + len = ntohl(len); +- buf->data = Curl_saferealloc(buf->data, len); ++ if(len > CURL_MAX_INPUT_LENGTH) ++ len = 0; ++ else ++ buf->data = Curl_saferealloc(buf->data, len); + } + if(!len || !buf->data) + return CURLE_OUT_OF_MEMORY; +@@ -524,8 +525,11 @@ static CURLcode read_data(struct connectdata *conn, + result = socket_read(fd, buf->data, len); + if(result) + return result; +- buf->size = conn->mech->decode(conn->app_data, buf->data, len, +- conn->data_prot, conn); ++ nread = conn->mech->decode(conn->app_data, buf->data, len, ++ conn->data_prot, conn); ++ if(nread < 0) ++ return CURLE_RECV_ERROR; ++ buf->size = (size_t)nread; + buf->index = 0; + return CURLE_OK; + } diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.79.1.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb similarity index 88% rename from meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.79.1.bb rename to meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb index 365873e15b..d20b3194c7 100644 --- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.79.1.bb +++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb @@ -7,13 +7,17 @@ HOMEPAGE = "http://curl.haxx.se/" BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker" SECTION = "console/network" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b" +LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238" SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ + file://CVE-2022-32205-cookie-apply-limits.patch \ + file://CVE-2022-32206-return-error-on-too-many-compression-steps.patch \ + file://CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch \ + file://CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch \ " -SRC_URI[sha256sum] = "de62c4ab9a9316393962e8b94777a570bb9f71feb580fb4475e412f2f9387851" +SRC_URI[sha256sum] = "f539a36fb44a8260ec5d977e4e0dbdd2eee29ed90fcedaa9bc3c9f78a113bff0" # Curl has used many names over the years... CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"