From 7dd3ed26ca09df0e582be8cc2780bba588bdd11e Mon Sep 17 00:00:00 2001
From: P Dheeraj Srujan Kumar
Date: Fri, 2 Dec 2022 23:23:31 +0530
Subject: [PATCH] Update to internal 1-0.92
Signed-off-by: P Dheeraj Srujan Kumar
---
.../obmc-phosphor-full-fitimage.bbclass | 7 +-
.../u-boot/files/CVE-2022-34835.patch | 118 ++++++
.../recipes-bsp/u-boot/u-boot-%.bbappend | 1 +
.../CVE-2022-1292-Fix-openssl-c_rehash.patch | 76 ++++
...2068-Fix-file-operations-in-c_rehash.patch | 257 +++++++++++++
...ES-OCB-encryptdecrypt-for-x86-AES-NI.patch | 73 ++++
.../openssl/openssl_1.1.1l.bb | 3 +
..._s-compilation-issue-for-safec-3.5.1.patch | 4 +-
.../busybox/busybox/CVE-2022-28391_1.patch | 40 +++
.../busybox/busybox/CVE-2022-28391_2.patch | 68 ++++
.../recipes-core/busybox/busybox_%.bbappend | 2 +
.../expat/expat/CVE-2022-40674_1.patch | 49 +++
.../expat/expat/CVE-2022-40674_2.patch | 104 ++++++
.../recipes-core/expat/expat_2.4.5.bb | 2 +
...er-overflows-in-xmlBuf-and-xmlBuffer.patch | 340 ++++++++++++++++++
.../recipes-core/libxml/libxml2_%.bbappend | 1 +
...Fix-added-to-mitigate-CVE-2022-29458.patch | 65 ++++
.../recipes-core/ncurses/ncurses_%.bbappend | 4 +-
.../recipes-core/systemd/systemd_%.bbappend | 4 +
.../zlib/zlib/CVE-2022-37434_1.patch | 32 ++
.../zlib/zlib/CVE-2022-37434_2.patch | 29 ++
.../recipes-core/zlib/zlib_%.bbappend | 2 +
...e-update-fix-for-mis-aligned-sectors.patch | 82 +++++
...ossible-freeing-of-mismatched-memory.patch | 39 ++
...Key-Cancellation-Update-Capsule-Flow.patch | 224 ++++++++++++
.../recipes-devtools/mtd-util/mtd-util.bb | 5 +
.../logrotate/logrotate_3.20.1.bb | 91 +++++
.../sdbusplus/sdbusplus_%.bbappend | 2 +-
.../linux/linux-aspeed/CVE-2021-39685-1.patch | 45 +++
.../linux/linux-aspeed/CVE-2021-39685-2.patch | 93 +++++
.../linux/linux-aspeed/CVE-2021-39685.patch | 108 ++++++
.../linux/linux-aspeed/CVE-2021-39698-1.patch | 47 +++
.../linux/linux-aspeed/CVE-2021-39698.patch | 107 ++++++
.../linux/linux-aspeed/CVE-2021-4083.patch | 64 ++++
.../linux/linux-aspeed/CVE-2022-0168.patch | 335 +++++++++++++++++
.../linux/linux-aspeed/CVE-2022-1012.patch | 146 ++++++++
.../linux/linux-aspeed/CVE-2022-1184_1.patch | 81 +++++
.../linux/linux-aspeed/CVE-2022-1184_2.patch | 88 +++++
.../linux/linux-aspeed/CVE-2022-1729.patch | 71 ++++
.../linux/linux-aspeed/CVE-2022-1998.patch | 52 +++
.../linux/linux-aspeed/CVE-2022-20008.patch | 83 +++++
.../linux/linux-aspeed/CVE-2022-20368.patch | 114 ++++++
.../linux/linux-aspeed/CVE-2022-2503.patch | 35 ++
.../linux/linux-aspeed/CVE-2022-2938.patch | 249 +++++++++++++
.../linux/linux-aspeed/CVE-2022-2959.patch | 97 +++++
.../linux/linux-aspeed/CVE-2022-30594.patch | 103 ++++++
.../linux/linux-aspeed/CVE-2022-32296.patch | 61 ++++
.../linux/linux-aspeed/CVE-2022-40476.patch | 35 ++
.../linux/linux-aspeed_%.bbappend | 20 ++
...PCIeFunctions-not-showing-in-Redfish.patch | 62 ++++
.../interfaces/bmcweb_%.bbappend | 1 +
.../recipes-phosphor/pmci/nvmemi-daemon.bb | 2 +-
.../recipes-phosphor/pmci/pldmd.bb | 2 +-
...x-for-PSU2-Power-lost-RedFish-events.patch | 124 +++++++
...R-sensor-readings-if-content-is-0xFF.patch | 44 +++
.../sensors/dbus-sensors_%.bbappend | 2 +
.../telemetry/telemetry_%.bbappend | 4 +-
.../CVE-2022-32205-cookie-apply-limits.patch | 171 +++++++++
...-error-on-too-many-compression-steps.patch | 48 +++
...l_fopen-for-better-overwriting-of-fi.patch | 280 +++++++++++++++
...turn-error-properly-on-decode-errors.patch | 64 ++++
.../curl/{curl_7.79.1.bb => curl_7.83.1.bb} | 8 +-
62 files changed, 4559 insertions(+), 11 deletions(-)
create mode 100644 meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2/CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch
create mode 100644 meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch
rename meta-openbmc-mods/meta-common/recipes-support/curl/{curl_7.79.1.bb => curl_7.83.1.bb} (88%)
diff --git a/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass b/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass
index 6e0411a5c9..db2e61aa8f 100644
--- a/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass
+++ b/meta-openbmc-mods/meta-common/classes/obmc-phosphor-full-fitimage.bbclass
@@ -340,8 +340,11 @@ fitimage_assemble() {
DTBS=""
ramdiskcount=${3}
setupcount=""
- #hash_type="sha256"
- hash_type=""
+ if [ ! -z ${SPL_BINARY} ]; then
+ hash_type="sha256"
+ else
+ hash_type=""
+ fi
rm -f ${1} ${2}
#
diff --git a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch
new file mode 100644
index 0000000000..be6d80521c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/files/CVE-2022-34835.patch
@@ -0,0 +1,118 @@
+From 8f8c04bf1ebbd2f72f1643e7ad9617dafa6e5409 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Fri, 10 Jun 2022 14:50:25 +0000
+Subject: [PATCH] i2c: fix stack buffer overflow vulnerability in i2c md
+ command
+
+When running "i2c md 0 0 80000100", the function do_i2c_md parses the
+length into an unsigned int variable named length. The value is then
+moved to a signed variable:
+
+ int nbytes = length;
+ #define DISP_LINE_LEN 16
+ int linebytes = (nbytes > DISP_LINE_LEN) ? DISP_LINE_LEN : nbytes;
+ ret = dm_i2c_read(dev, addr, linebuf, linebytes);
+
+On systems where integers are 32 bits wide, 0x80000100 is a negative
+value to "nbytes > DISP_LINE_LEN" is false and linebytes gets assigned
+0x80000100 instead of 16.
+
+The consequence is that the function which reads from the i2c device
+(dm_i2c_read or i2c_read) is called with a 16-byte stack buffer to fill
+but with a size parameter which is too large. In some cases, this could
+trigger a crash. But with some i2c drivers, such as drivers/i2c/nx_i2c.c
+(used with "nexell,s5pxx18-i2c" bus), the size is actually truncated to
+a 16-bit integer. This is because function i2c_transfer expects an
+unsigned short length. In such a case, an attacker who can control the
+response of an i2c device can overwrite the return address of a function
+and execute arbitrary code through Return-Oriented Programming.
+
+Fix this issue by using unsigned integers types in do_i2c_md. While at
+it, make also alen unsigned, as signed sizes can cause vulnerabilities
+when people forgot to check that they can be negative.
+
+Signed-off-by: Nicolas Iooss
+Reviewed-by: Heiko Schocher
+---
+ cmd/i2c.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/cmd/i2c.c b/cmd/i2c.c
+index 9050b2b8d27a..bd04b14024be 100644
+--- a/cmd/i2c.c
++++ b/cmd/i2c.c
+@@ -200,10 +200,10 @@ void i2c_init_board(void)
+ *
+ * Returns the address length.
+ */
+-static uint get_alen(char *arg, int default_len)
++static uint get_alen(char *arg, uint default_len)
+ {
+- int j;
+- int alen;
++ uint j;
++ uint alen;
+
+ alen = default_len;
+ for (j = 0; j < 8; j++) {
+@@ -247,7 +247,7 @@ static int do_i2c_read(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ uint chip;
+ uint devaddr, length;
+- int alen;
++ uint alen;
+ u_char *memaddr;
+ int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+@@ -301,7 +301,7 @@ static int do_i2c_write(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ uint chip;
+ uint devaddr, length;
+- int alen;
++ uint alen;
+ u_char *memaddr;
+ int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+@@ -469,8 +469,8 @@ static int do_i2c_md(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ uint chip;
+ uint addr, length;
+- int alen;
+- int j, nbytes, linebytes;
++ uint alen;
++ uint j, nbytes, linebytes;
+ int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+ struct udevice *dev;
+@@ -589,9 +589,9 @@ static int do_i2c_mw(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ uint chip;
+ ulong addr;
+- int alen;
++ uint alen;
+ uchar byte;
+- int count;
++ uint count;
+ int ret;
+ #if CONFIG_IS_ENABLED(DM_I2C)
+ struct udevice *dev;
+@@ -676,8 +676,8 @@ static int do_i2c_crc(struct cmd_tbl *cmdtp, int flag, int argc,
+ {
+ uint chip;
+ ulong addr;
+- int alen;
+- int count;
++ uint alen;
++ uint count;
+ uchar byte;
+ ulong crc;
+ ulong err;
+@@ -985,7 +985,7 @@ static int do_i2c_loop(struct cmd_tbl *cmdtp, int flag, int argc,
+ char *const argv[])
+ {
+ uint chip;
+- int alen;
++ uint alen;
+ uint addr;
+ uint length;
+ u_char bytes[16];
diff --git a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend
index e9093b4032..21612fe2e3 100644
--- a/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-bsp/u-boot/u-boot-%.bbappend
@@ -2,4 +2,5 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " \
file://fw_env.config \
+ file://CVE-2022-34835.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
new file mode 100644
index 0000000000..ec4daf0152
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-1292-Fix-openssl-c_rehash.patch
@@ -0,0 +1,76 @@
+From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Tue, 26 Apr 2022 12:40:24 +0200
+Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
+
+Except on VMS where it is safe.
+
+This fixes CVE-2022-1292.
+
+Reviewed-by: Matthias St. Pierre
+Reviewed-by: Matt Caswell
+---
+ tools/c_rehash.in | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index fa7c6c9fef..83c1cc80e0 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -152,6 +152,23 @@ sub check_file {
+ return ($is_cert, $is_crl);
+ }
+
++sub compute_hash {
++ my $fh;
++ if ( $^O eq "VMS" ) {
++ # VMS uses the open through shell
++ # The file names are safe there and list form is unsupported
++ if (!open($fh, "-|", join(' ', @_))) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ } else {
++ if (!open($fh, "-|", @_)) {
++ print STDERR "Cannot compute hash on '$fname'\n";
++ return;
++ }
++ }
++ return (<$fh>, <$fh>);
++}
+
+ # Link a certificate to its subject name hash value, each hash is of
+ # the form . where n is an integer. If the hash value already exists
+@@ -161,10 +178,12 @@ sub check_file {
+
+ sub link_hash_cert {
+ my $fname = $_[0];
+- $fname =~ s/\"/\\\"/g;
+- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+@@ -202,10 +221,12 @@ sub link_hash_cert {
+
+ sub link_hash_crl {
+ my $fname = $_[0];
+- $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
+ chomp $hash;
+ chomp $fprint;
++ return if !$hash;
+ $fprint =~ s/^.*=//;
+ $fprint =~ tr/://d;
+ my $suffix = 0;
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
new file mode 100644
index 0000000000..04e75877ab
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
@@ -0,0 +1,257 @@
+From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
+From: Daniel Fiala
+Date: Sun, 29 May 2022 20:11:24 +0200
+Subject: [PATCH] Fix file operations in c_rehash.
+
+CVE-2022-2068
+
+Reviewed-by: Matt Caswell
+Reviewed-by: Richard Levitte
+---
+ tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
+ 1 file changed, 107 insertions(+), 109 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index cfd18f5da1..9d2a6f6db7 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -104,52 +104,78 @@ foreach (@dirlist) {
+ }
+ exit($errorcount);
+
++sub copy_file {
++ my ($src_fname, $dst_fname) = @_;
++
++ if (open(my $in, "<", $src_fname)) {
++ if (open(my $out, ">", $dst_fname)) {
++ print $out $_ while (<$in>);
++ close $out;
++ } else {
++ warn "Cannot open $dst_fname for write, $!";
++ }
++ close $in;
++ } else {
++ warn "Cannot open $src_fname for read, $!";
++ }
++}
++
+ sub hash_dir {
+- my %hashlist;
+- print "Doing $_[0]\n";
+- chdir $_[0];
+- opendir(DIR, ".");
+- my @flist = sort readdir(DIR);
+- closedir DIR;
+- if ( $removelinks ) {
+- # Delete any existing symbolic links
+- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+- if (-l $_) {
+- print "unlink $_" if $verbose;
+- unlink $_ || warn "Can't unlink $_, $!\n";
+- }
+- }
+- }
+- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+- # Check to see if certificates and/or CRLs present.
+- my ($cert, $crl) = check_file($fname);
+- if (!$cert && !$crl) {
+- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+- next;
+- }
+- link_hash_cert($fname) if ($cert);
+- link_hash_crl($fname) if ($crl);
+- }
++ my $dir = shift;
++ my %hashlist;
++
++ print "Doing $dir\n";
++
++ if (!chdir $dir) {
++ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
++ return;
++ }
++
++ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
++ my @flist = sort readdir(DIR);
++ closedir DIR;
++ if ( $removelinks ) {
++ # Delete any existing symbolic links
++ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
++ if (-l $_) {
++ print "unlink $_\n" if $verbose;
++ unlink $_ || warn "Can't unlink $_, $!\n";
++ }
++ }
++ }
++ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
++ # Check to see if certificates and/or CRLs present.
++ my ($cert, $crl) = check_file($fname);
++ if (!$cert && !$crl) {
++ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
++ next;
++ }
++ link_hash_cert($fname) if ($cert);
++ link_hash_crl($fname) if ($crl);
++ }
++
++ chdir $pwd;
+ }
+
+ sub check_file {
+- my ($is_cert, $is_crl) = (0,0);
+- my $fname = $_[0];
+- open IN, $fname;
+- while() {
+- if (/^-----BEGIN (.*)-----/) {
+- my $hdr = $1;
+- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+- $is_cert = 1;
+- last if ($is_crl);
+- } elsif ($hdr eq "X509 CRL") {
+- $is_crl = 1;
+- last if ($is_cert);
+- }
+- }
+- }
+- close IN;
+- return ($is_cert, $is_crl);
++ my ($is_cert, $is_crl) = (0,0);
++ my $fname = $_[0];
++
++ open(my $in, "<", $fname);
++ while(<$in>) {
++ if (/^-----BEGIN (.*)-----/) {
++ my $hdr = $1;
++ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
++ $is_cert = 1;
++ last if ($is_crl);
++ } elsif ($hdr eq "X509 CRL") {
++ $is_crl = 1;
++ last if ($is_cert);
++ }
++ }
++ }
++ close $in;
++ return ($is_cert, $is_crl);
+ }
+
+ sub compute_hash {
+@@ -177,76 +203,48 @@ sub compute_hash {
+ # certificate fingerprints
+
+ sub link_hash_cert {
+- my $fname = $_[0];
+- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+- "-fingerprint", "-noout",
+- "-in", $fname);
+- chomp $hash;
+- chomp $fprint;
+- return if !$hash;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if ($hashlist{"$hash.$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".$suffix";
+- if ($symlink_exists) {
+- print "link $fname -> $hash\n" if $verbose;
+- symlink $fname, $hash || warn "Can't symlink, $!";
+- } else {
+- print "copy $fname -> $hash\n" if $verbose;
+- if (open($in, "<", $fname)) {
+- if (open($out,">", $hash)) {
+- print $out $_ while (<$in>);
+- close $out;
+- } else {
+- warn "can't open $hash for write, $!";
+- }
+- close $in;
+- } else {
+- warn "can't open $fname for read, $!";
+- }
+- }
+- $hashlist{$hash} = $fprint;
++ link_hash($_[0], 'cert');
+ }
+
+ # Same as above except for a CRL. CRL links are of the form .r
+
+ sub link_hash_crl {
+- my $fname = $_[0];
+- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+- "-fingerprint", "-noout",
+- "-in", $fname);
+- chomp $hash;
+- chomp $fprint;
+- return if !$hash;
+- $fprint =~ s/^.*=//;
+- $fprint =~ tr/://d;
+- my $suffix = 0;
+- # Search for an unused hash filename
+- while(exists $hashlist{"$hash.r$suffix"}) {
+- # Hash matches: if fingerprint matches its a duplicate cert
+- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
+- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
+- return;
+- }
+- $suffix++;
+- }
+- $hash .= ".r$suffix";
+- if ($symlink_exists) {
+- print "link $fname -> $hash\n" if $verbose;
+- symlink $fname, $hash || warn "Can't symlink, $!";
+- } else {
+- print "cp $fname -> $hash\n" if $verbose;
+- system ("cp", $fname, $hash);
+- warn "Can't copy, $!" if ($? >> 8) != 0;
+- }
+- $hashlist{$hash} = $fprint;
++ link_hash($_[0], 'crl');
++}
++
++sub link_hash {
++ my ($fname, $type) = @_;
++ my $is_cert = $type eq 'cert';
++
++ my ($hash, $fprint) = compute_hash($openssl,
++ $is_cert ? "x509" : "crl",
++ $is_cert ? $x509hash : $crlhash,
++ "-fingerprint", "-noout",
++ "-in", $fname);
++ chomp $hash;
++ chomp $fprint;
++ return if !$hash;
++ $fprint =~ s/^.*=//;
++ $fprint =~ tr/://d;
++ my $suffix = 0;
++ # Search for an unused hash filename
++ my $crlmark = $is_cert ? "" : "r";
++ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
++ # Hash matches: if fingerprint matches its a duplicate cert
++ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
++ my $what = $is_cert ? 'certificate' : 'CRL';
++ print STDERR "WARNING: Skipping duplicate $what $fname\n";
++ return;
++ }
++ $suffix++;
++ }
++ $hash .= ".$crlmark$suffix";
++ if ($symlink_exists) {
++ print "link $fname -> $hash\n" if $verbose;
++ symlink $fname, $hash || warn "Can't symlink, $!";
++ } else {
++ print "copy $fname -> $hash\n" if $verbose;
++ copy_file($fname, $hash);
++ }
++ $hashlist{$hash} = $fprint;
+ }
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
new file mode 100644
index 0000000000..aa5bbb6043
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl/CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch
@@ -0,0 +1,73 @@
+From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
+From: Alex Chernyakhovsky
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño
+Co-authored-by: David Benjamin
+
+Reviewed-by: Paul Dale
+Reviewed-by: Tomas Mraz
+---
+ crypto/aes/asm/aesni-x86.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index fe2b26542a..812758e02e 100644
+--- a/crypto/aes/asm/aesni-x86.pl
++++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ &movdqu (&QWP(-16*2,$out,$inp),$inout4);
+ &movdqu (&QWP(-16*1,$out,$inp),$inout5);
+ &cmp ($inp,$len); # done yet?
+- &jb (&label("grandloop"));
++ &jbe (&label("grandloop"));
+
+ &set_label("short");
+ &add ($len,16*6);
+@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ &pxor ($rndkey1,$inout5);
+ &movdqu (&QWP(-16*1,$out,$inp),$inout5);
+ &cmp ($inp,$len); # done yet?
+- &jb (&label("grandloop"));
++ &jbe (&label("grandloop"));
+
+ &set_label("short");
+ &add ($len,16*6);
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb
index ac5c819987..dc2a8ccff6 100644
--- a/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta-openbmc-mods/meta-common/recipes-connectivity/openssl/openssl_1.1.1l.bb
@@ -18,6 +18,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://afalg.patch \
file://reproducible.patch \
file://CVE-2022-0778.patch \
+ file://CVE-2022-1292-Fix-openssl-c_rehash.patch \
+ file://CVE-2022-2068-Fix-file-operations-in-c_rehash.patch \
+ file://CVE-2022-2097-openssl-Fix-AES-OCB-encryptdecrypt-for-x86-AES-NI.patch \
"
SRC_URI:append:class-nativesdk = " \
diff --git a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch
index 943ffb4a84..f1e7971eb1 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch
+++ b/meta-openbmc-mods/meta-common/recipes-core/at-scale-debug/files/0001-ASD-Fix-sprintf_s-compilation-issue-for-safec-3.5.1.patch
@@ -7,9 +7,9 @@ A missing macro was defined to ensure sprintf_s macro defintion is
set when safe_str_lib.h is included.
Test:
-Remove openbmc-meta-intel/meta-common/recipes-core/safec/safec_3.4.bb
+Remove meta-openbmc-mods/meta-common/recipes-core/safec/safec_3.4.bb
Compile at-scale-debug using devtool
-ASD Sanity finished successfully(SPR).
+ASD Sanity finished successfully.
Signed-off-by: Ernesto Corona
Change-Id: Idd94b4ba9ff8b4194317a045b140ce90db2ee860
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch
new file mode 100644
index 0000000000..1d1716e3b0
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_1.patch
@@ -0,0 +1,40 @@
+From 0c8da1bead8ffaf270b4b723ead2c517371405d7 Mon Sep 17 00:00:00 2001
+From: Ariadne Conill
+Date: Sun, 3 Apr 2022 12:14:33 +0000
+Subject: [PATCH 1/2] libbb: sockaddr2str: ensure only printable characters are
+ returned for the hostname part
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill
+---
+ libbb/xconnect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libbb/xconnect.c b/libbb/xconnect.c
+index 0e0b247b8..02c061e67 100644
+--- a/libbb/xconnect.c
++++ b/libbb/xconnect.c
+@@ -497,8 +497,9 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ );
+ if (rc)
+ return NULL;
++ /* ensure host contains only printable characters */
+ if (flags & IGNORE_PORT)
+- return xstrdup(host);
++ return xstrdup(printable_string(host));
+ #if ENABLE_FEATURE_IPV6
+ if (sa->sa_family == AF_INET6) {
+ if (strchr(host, ':')) /* heh, it's not a resolved hostname */
+@@ -509,7 +510,7 @@ static char* FAST_FUNC sockaddr2str(const struct sockaddr *sa, int flags)
+ #endif
+ /* For now we don't support anything else, so it has to be INET */
+ /*if (sa->sa_family == AF_INET)*/
+- return xasprintf("%s:%s", host, serv);
++ return xasprintf("%s:%s", printable_string(host), serv);
+ /*return xstrdup(host);*/
+ }
+
+--
+2.35.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch
new file mode 100644
index 0000000000..01c45c9ba6
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox/CVE-2022-28391_2.patch
@@ -0,0 +1,68 @@
+From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill
+Date: Sun, 3 Apr 2022 12:16:45 +0000
+Subject: [PATCH 2/2] nslookup: sanitize all printed strings with
+ printable_string
+
+Otherwise, terminal sequences can be injected, which enables various terminal injection
+attacks from DNS results.
+
+CVE: Pending
+Upstream-Status: Pending
+Signed-off-by: Ariadne Conill
+---
+ networking/nslookup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/networking/nslookup.c b/networking/nslookup.c
+index 6da97baf4..4bdcde1b8 100644
+--- a/networking/nslookup.c
++++ b/networking/nslookup.c
+@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Unable to uncompress domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf(format, ns_rr_name(rr), dname);
++ printf(format, ns_rr_name(rr), printable_string(dname));
+ break;
+
+ case ns_t_mx:
+@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
+ return -1;
+ }
+- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
++ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
+ break;
+
+ case ns_t_txt:
+@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ if (n > 0) {
+ memset(dname, 0, sizeof(dname));
+ memcpy(dname, ns_rr_rdata(rr) + 1, n);
+- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
++ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
+ }
+ break;
+
+@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ }
+
+ printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
+- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
++ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
+ break;
+
+ case ns_t_soa:
+@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
+ return -1;
+ }
+
+- printf("\tmail addr = %s\n", dname);
++ printf("\tmail addr = %s\n", printable_string(dname));
+ cp += n;
+
+ printf("\tserial = %lu\n", ns_get32(cp));
+--
+2.35.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
index ee6330b69b..42a52e0d7c 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/busybox/busybox_%.bbappend
@@ -2,6 +2,8 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://disable.cfg \
file://enable.cfg \
+ file://CVE-2022-28391_1.patch \
+ file://CVE-2022-28391_2.patch \
"
SRC_URI += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'debug-tweaks','file://dev-only.cfg','',d)}"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
new file mode 100644
index 0000000000..80ddcb4f22
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_1.patch
@@ -0,0 +1,49 @@
+From 4a32da87e931ba54393d465bb77c40b5c33d343b Mon Sep 17 00:00:00 2001
+From: Rhodri James
+Date: Wed, 17 Aug 2022 18:26:18 +0100
+Subject: [PATCH] Ensure raw tagnames are safe exiting internalEntityParser
+
+It is possible to concoct a situation in which parsing is
+suspended while substituting in an internal entity, so that
+XML_ResumeParser directly uses internalEntityProcessor as
+its processor. If the subsequent parse includes some unclosed
+tags, this will return without calling storeRawNames to ensure
+that the raw versions of the tag names are stored in memory other
+than the parse buffer itself. If the parse buffer is then changed
+or reallocated (for example if processing a file line by line),
+badness will ensue.
+
+This patch ensures storeRawNames is always called when needed
+after calling doContent. The earlier call do doContent does
+not need the same protection; it only deals with entity
+substitution, which cannot leave unbalanced tags, and in any
+case the raw names will be pointing into the stored entity
+value not the parse buffer.
+---
+ lib/xmlparse.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 7bcabf7f4..d73f419cf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5826,10 +5826,15 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ {
+ parser->m_processor = contentProcessor;
+ /* see externalEntityContentProcessor vs contentProcessor */
+- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
+- s, end, nextPtr,
+- (XML_Bool)! parser->m_parsingStatus.finalBuffer,
+- XML_ACCOUNT_DIRECT);
++ result = doContent(parser, parser->m_parentParser ? 1 : 0,
++ parser->m_encoding, s, end, nextPtr,
++ (XML_Bool)! parser->m_parsingStatus.finalBuffer,
++ XML_ACCOUNT_DIRECT);
++ if (result == XML_ERROR_NONE) {
++ if (! storeRawNames(parser))
++ return XML_ERROR_NO_MEMORY;
++ }
++ return result;
+ }
+ }
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
new file mode 100644
index 0000000000..affd97faf4
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/expat/expat/CVE-2022-40674_2.patch
@@ -0,0 +1,104 @@
+From a7ce80a013f2a08cb1ac4aac368f2250eea03ebf Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Sun, 11 Sep 2022 19:34:33 +0200
+Subject: [PATCH 1/2] tests: Cover heap use-after-free issue in doContent
+
+---
+ tests/runtests.c | 74 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 74 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index ea371b42f..ab3aff65b 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -4990,6 +4990,78 @@ START_TEST(test_suspend_resume_internal_entity) {
+ }
+ END_TEST
+
++void
++suspending_comment_handler(void *userData, const XML_Char *data) {
++ UNUSED_P(data);
++ XML_Parser parser = (XML_Parser)userData;
++ XML_StopParser(parser, XML_TRUE);
++}
++
++START_TEST(test_suspend_resume_internal_entity_issue_629) {
++ const char *const text
++ = "a'>]>&e;\n"
++ "<"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++ "/>"
++ "";
++ const size_t firstChunkSizeBytes = 54;
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ XML_SetUserData(parser, parser);
++ XML_SetCommentHandler(parser, suspending_comment_handler);
++
++ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
++ != XML_STATUS_SUSPENDED)
++ xml_failure(parser);
++ if (XML_ResumeParser(parser) != XML_STATUS_OK)
++ xml_failure(parser);
++ if (XML_Parse(parser, text + firstChunkSizeBytes,
++ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ /* Test syntax error is caught at parse resumption */
+ START_TEST(test_resume_entity_with_syntax_error) {
+ const char *text = "
+Date: Tue, 8 Mar 2022 20:10:02 +0100
+Subject: [PATCH] [CVE-2022-29824] Fix integer overflows
+
+In several places, the code handling string buffers didn't check for
+integer overflow or used wrong types for buffer sizes. This could
+result in out-of-bounds writes or other memory errors when working on
+large, multi-gigabyte buffers.
+
+Thanks to Felix Wilhelm for the report.
+---
+ buf.c | 86 +++++++++++++++++++++++-----------------------------------
+ tree.c | 72 ++++++++++++++++++------------------------------
+ 2 files changed, 61 insertions(+), 97 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 24368d37..40a5ee06 100644
+--- a/buf.c
++++ b/buf.c
+@@ -30,6 +30,10 @@
+ #include /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ #define WITH_BUFFER_COMPAT
+
+ /**
+@@ -156,6 +160,8 @@ xmlBufPtr
+ xmlBufCreateSize(size_t size) {
+ xmlBufPtr ret;
+
++ if (size == SIZE_MAX)
++ return(NULL);
+ ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
+ if (ret == NULL) {
+ xmlBufMemoryError(NULL, "creating buffer");
+@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
+ ret->error = 0;
+ ret->buffer = NULL;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
+- ret->compat_size = (int) ret->size;
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
++ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (buf->use + len < buf->size)
++ if (len < buf->size - buf->use)
+ return(buf->size - buf->use);
++ if (len > SIZE_MAX - buf->use)
++ return(0);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > (size_t) len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
++ }
+
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
+ int
+ xmlBufResize(xmlBufPtr buf, size_t size)
+ {
+- unsigned int newSize;
++ size_t newSize;
+ xmlChar* rebuf = NULL;
+ size_t start_buf;
+
+@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ if (buf->size == 0) {
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
++ } else {
++ newSize = buf->size;
++ }
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ }
+
+@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ */
+ int
+ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+- unsigned int needSize;
++ size_t needSize;
+
+ if ((str == NULL) || (buf == NULL) || (buf->error))
+ return -1;
+@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((size_t) len >= buf->size - buf->use) {
++ if ((size_t) len >= SIZE_MAX - buf->use)
++ return(-1);
++ needSize = buf->use + len + 1;
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufCCat(xmlBufPtr buf, const char *str) {
+- const char *cur;
+-
+- if ((buf == NULL) || (buf->error))
+- return(-1);
+- CHECK_COMPAT(buf)
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufResize(buf, buf->use+10)){
+- xmlBufMemoryError(buf, "growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- UPDATE_COMPAT(buf)
+- return 0;
++ return xmlBufCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+diff --git a/tree.c b/tree.c
+index 9d94aa42..86afb7d6 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7104,6 +7104,8 @@ xmlBufferPtr
+ xmlBufferCreateSize(size_t size) {
+ xmlBufferPtr ret;
+
++ if (size >= UINT_MAX)
++ return(NULL);
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+ xmlTreeErrMemory("creating buffer");
+@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
+ }
+ ret->use = 0;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
+
+ if ((mem == NULL) || (size == 0))
+ return(NULL);
++ if (size > UINT_MAX)
++ return(NULL);
+
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
+ */
+ int
+ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
+- int size;
++ unsigned int size;
+ xmlChar *newbuf;
+
+ if (buf == NULL) return(-1);
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (len + buf->use < buf->size) return(0);
++ if (len < buf->size - buf->use)
++ return(0);
++ if (len > UINT_MAX - buf->use)
++ return(-1);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
++ }
+
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size : size + 10);
++ if (buf->size == 0)
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
++ else
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ }
+
+@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((unsigned) len >= buf->size - buf->use) {
++ if ((unsigned) len >= UINT_MAX - buf->use)
++ return XML_ERR_NO_MEMORY;
++ needSize = buf->use + len + 1;
+ if (!xmlBufferResize(buf, needSize)){
+ xmlTreeErrMemory("growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufferCCat(xmlBufferPtr buf, const char *str) {
+- const char *cur;
+-
+- if (buf == NULL)
+- return(-1);
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufferCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufferResize(buf, buf->use+10)){
+- xmlTreeErrMemory("growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- return 0;
++ return xmlBufferCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+--
+GitLab
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend
index d26a47f4cf..4011c87594 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/libxml/libxml2_%.bbappend
@@ -1,4 +1,5 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://CVE-2022-23308-Use-after-free-of-ID-and-IDREF.patch \
+ file://CVE-2022-29824-Fix-integer-overflows-in-xmlBuf-and-xmlBuffer.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch
new file mode 100644
index 0000000000..1cef2e8109
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses/0002-Fix-added-to-mitigate-CVE-2022-29458.patch
@@ -0,0 +1,65 @@
+From 0ed8a4953f9179d0f077f24779f1cb51c8e9a126 Mon Sep 17 00:00:00 2001
+From: ankita prasad
+Date: Tue, 12 Jul 2022 17:51:01 +0000
+Subject: [PATCH] Fix added to mitigate CVE-2022-29458
+
+ncurses 6.3 before patch 20220416 has an out-of-bounds read
+and segmentation violation in convert_strings in tinfo/read_entry.c
+in the terminfo library.
+The fix is picked from - https://github.com/mirror/ncurses/commit/4c9f63c460cb7134f142aa65f6866c175ed77605
+for the file tinfo/read_entry.c.
+
+Signed-off-by: Ankita Prasad
+---
+ ncurses/tinfo/read_entry.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..06c0c437 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+ int i;
+ char *p;
++ bool corrupt = FALSE;
+
+ for (i = 0; i < count; i++) {
+ if (IS_NEG1(buf + 2 * i)) {
+@@ -154,17 +155,29 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ } else if (MyNumber(buf + 2 * i) > size) {
+ Strings[i] = ABSENT_STRING;
+ } else {
+- Strings[i] = (MyNumber(buf + 2 * i) + table);
+- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++ int nn = MyNumber(buf + 2 * i);
++ if (nn >= 0 && nn < size) {
++ Strings[i] = (nn + table);
++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++ _nc_visbuf(Strings[i])));
++ } else {
++ if (!corrupt) {
++ corrupt = TRUE;
++ TR(TRACE_DATABASE,
++ ("ignore out-of-range index %d to Strings[]", nn));
++ _nc_warning("corrupt data found in convert_strings");
++ }
++ Strings[i] = ABSENT_STRING;
++ }
+ }
+
+ /* make sure all strings are NUL terminated */
+ if (VALID_STRING(Strings[i])) {
+- for (p = Strings[i]; p <= table + size; p++)
++ for (p = Strings[i]; p < table + size; p++)
+ if (*p == '\0')
+ break;
+ /* if there is no NUL, ignore the string */
+- if (p > table + size)
++ if (p >= table + size)
+ Strings[i] = ABSENT_STRING;
+ }
+ }
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend
index e60bd9a6b9..7f1ce36c2d 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/ncurses/ncurses_%.bbappend
@@ -1,2 +1,4 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch"
+SRC_URI += "file://0001-Fix-heap-buffer-overflow-in-captoinfo.patch \
+ file://0002-Fix-added-to-mitigate-CVE-2022-29458.patch \
+ "
diff --git a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend
index 6b7cc8a0de..262f557e0f 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/systemd/systemd_%.bbappend
@@ -10,3 +10,7 @@ SRC_URI += "file://0002-Add-event-log-for-system-time-synchronization.patch \
PACKAGECONFIG:remove = "kmod"
# Add systemd-logind service to get shutdown inhibition support
PACKAGECONFIG:append = " logind"
+
+do_install:append() {
+ sed -i -e"s/Also=systemd-networkd-wait-online.service//g" ${D}${systemd_system_unitdir}/systemd-networkd.service
+}
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch
new file mode 100644
index 0000000000..dc84d3a1d3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_1.patch
@@ -0,0 +1,32 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c6366..7a7289749 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
++ len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ len < state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch
new file mode 100644
index 0000000000..c5c95a92b2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib/CVE-2022-37434_2.patch
@@ -0,0 +1,29 @@
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
+- len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+ state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
diff --git a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend
index 09dea7c00b..482197c4f3 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/zlib/zlib_%.bbappend
@@ -2,4 +2,6 @@ FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://CVE-2018-25032.patch \
+ file://CVE-2022-37434_1.patch \
+ file://CVE-2022-37434_2.patch \
"
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch
new file mode 100644
index 0000000000..aebd776d4c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0001-Firmware-update-fix-for-mis-aligned-sectors.patch
@@ -0,0 +1,82 @@
+From d58245421fec0ac212382164bd5cc0e881bc389f Mon Sep 17 00:00:00 2001
+From: Snehalatha Venkatesh
+Date: Fri, 27 May 2022 04:23:21 +0000
+Subject: [PATCH] Firmware update fix for mis-aligned sectors
+
+Firmware update breaks due to mis-aligned calculations bug in
+erase and write sector boundaries, which was corrupting the
+next sectors though it wasn't part of erase bit-map (in case of
+increased u-boot image size, its region update is corrupting the
+neighbouring other fw region). This fix validates the erase and
+write boundaries properly now and allows the erase of needed sectors.
+
+Tested: Tested firmware update on platform.
+
+Signed-off-by: Vikram Bodireddy
+Signed-off-by: Snehalatha Venkatesh
+Signed-off-by: Jayaprakash Mutyala
+---
+ pfr.hpp | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/pfr.hpp b/pfr.hpp
+index 23a73b3..efe737a 100644
+--- a/pfr.hpp
++++ b/pfr.hpp
+@@ -412,6 +412,7 @@ bool pfr_write(mtd& dev, const std::string& filename,
+ uint32_t wr_count = 1;
+ uint32_t er_count = 1;
+ uint32_t erase_end_addr = 0;
++ uint32_t write_end_addr = 0;
+ for (uint32_t blk = 0; blk < pbc_hdr->bitmap_size; blk += wr_count)
+ {
+ if ((blk % 8) == 0)
+@@ -504,28 +505,37 @@ bool pfr_write(mtd& dev, const std::string& filename,
+ FWDEBUG("erase(" << std::hex << pfr_blk_size * blk << ", "
+ << pfr_blk_size * er_count + dev_offset << ")");
+ dev.erase(pfr_blk_size * blk + dev_offset, pfr_blk_size * er_count);
+- erase_end_addr = (pfr_blk_size * (blk + er_count));
++ erase_end_addr = (pfr_blk_size * (blk + er_count)) - 1;
++ FWDEBUG("erase_end_addr: " << std::hex << erase_end_addr);
+ }
+
+ if (copy)
+ {
+ cbspan data(offset, offset + pfr_blk_size * wr_count);
+- // DUMP(PRINT_ERROR, data);
+- FWDEBUG("write(" << std::hex << pfr_blk_size * blk << ", "
+- << pfr_blk_size * wr_count << "), offset = 0x"
+- << (offset - map_base) + dev_offset);
++ write_end_addr = (pfr_blk_size * (blk + wr_count)) - 1;
++ FWDEBUG("write_end_addr: " << std::hex << write_end_addr);
++
+ // Check if current write address wasn't part of previous 64K sector
+ // erase. and erase it here.
+- if (((pfr_blk_size * (blk + wr_count)) >= erase_end_addr) ||
+- ((pfr_blk_size * blk) >= erase_end_addr))
++ if ((write_end_addr > erase_end_addr) ||
++ ((pfr_blk_size * blk) > erase_end_addr))
+ {
+ // Currently 4K erases are not working hence making it always
+ // 64K erase.
+ // TODO: Fix 4K erase issue and fix the below logic to do
+ // incremental 4K erases.
+- dev.erase(erase_end_addr + dev_offset, pfr_blk_size * 16);
++ FWDEBUG("erase(" << std::hex
++ << (erase_end_addr + 1) + dev_offset << ", "
++ << pfr_blk_size * 16 << ")");
++
++ dev.erase((erase_end_addr + 1) + dev_offset, pfr_blk_size * 16);
+ erase_end_addr += pfr_blk_size * 16;
++ FWDEBUG("erase_end_addr: " << std::hex << erase_end_addr);
+ }
++ // DUMP(PRINT_ERROR, data);
++ FWDEBUG("write(" << std::hex << pfr_blk_size * blk << ", "
++ << pfr_blk_size * wr_count << "), offset = 0x"
++ << (offset - map_base) + dev_offset);
+ dev.write_raw(pfr_blk_size * blk + dev_offset, data);
+
+ offset += pfr_blk_size * wr_count;
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch
new file mode 100644
index 0000000000..1c5bc5843e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch
@@ -0,0 +1,39 @@
+From 5606cfc0857dc6fe1071c14f6906d866048f6c18 Mon Sep 17 00:00:00 2001
+From: AkshayRav
+Date: Thu, 28 Apr 2022 13:57:32 +0530
+Subject: [PATCH] Add fix for possible freeing of mismatched memory (#8)
+
+* Add fix for possible freeing of mismatched memory
+
+Memory referenced by "buf" was allocated through function
+"new[]" and released through function "delete". The fix changes the
+release function to "delete[]" to remove the possible freeing of
+mismatched memory.
+
+Signed-off-by: AKSHAY RAVEENDRAN K
+---
+ mtd-util.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mtd-util.cpp b/mtd-util.cpp
+index 7f2f98d..d6136f0 100644
+--- a/mtd-util.cpp
++++ b/mtd-util.cpp
+@@ -391,7 +391,7 @@ int main(int argc, char* argv[])
+ {
+ std::cerr << "failed to parse '" << argv[optind]
+ << "' as integer" << std::endl;
+- delete buf;
++ delete[] buf;
+ return 1;
+ }
+ optind++;
+@@ -473,7 +473,7 @@ int main(int argc, char* argv[])
+ break;
+ case ACTION_WRITE_TO_FLASH:
+ ret = buf_to_flash(dev, buf, start, len);
+- delete buf;
++ delete[] buf;
+ break;
+ #endif /* DEVELOPER_OPTIONS */
+ case ACTION_CP_TO_FILE:
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch
new file mode 100644
index 0000000000..ca6402ed2d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/files/0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch
@@ -0,0 +1,224 @@
+From a3eba12b5c85add20a248bb95d1b9e884a1f6262 Mon Sep 17 00:00:00 2001
+From: Ankita Vilas Gawade
+Date: Tue, 26 Jul 2022 20:22:10 +0000
+Subject: [PATCH] Fix Key Cancellation Update Capsule Flow
+
+In the current code flow, the block 1 component of key cancellation
+capsule is not being mapped to the correct structure which results
+in failure of key cancellation update as improper value would be picked up.
+
+This commit fixes the above issue by introducing an union, using which
+the correct block 1 strcuture can be picked up depending on the type of
+capsule.
+
+This commit also fixes the check on contents of cancellation payload and
+corrects the payload length.
+
+Tested
+1.Posted a key cancellation capsule to cancel CSK ID 2(For BMC and PFM)
+2.Performed BMC Firmware update with the image signed with CSK ID 2.
+3.Firmware Update failed succesfully implying CSK key being cancelled.
+
+Signed-off-by: Ankita Vilas Gawade
+---
+ pfr.cpp | 33 ++++++++++++++++-----------------
+ pfr.hpp | 27 +++++++++++++++++----------
+ 2 files changed, 33 insertions(+), 27 deletions(-)
+
+diff --git a/pfr.cpp b/pfr.cpp
+index 4ec9638..b74c166 100644
+--- a/pfr.cpp
++++ b/pfr.cpp
+@@ -599,18 +599,18 @@ static bool is_block0_sig_entry_valid(uint32_t curve, const uint8_t* root_key_x,
+ *
+ * @return bool true if this Block 1 is valid; false, otherwise
+ */
+-static bool is_block1_valid(const blk0* b0, const blk1* b1,
++static bool is_block1_valid(const blk0* b0, const sig_blk1* sig,
+ bool is_key_cancellation_cert, bool check_root_key)
+ {
+ // Verify magic number
+- if (b1->magic != blk1_magic)
++ if (sig->b1.magic != blk1_magic)
+ {
+ FWERROR("b1 magic invalid");
+ return false;
+ }
+
+ // Validate Block1 Root Entry
+- const key_entry* root_entry = &b1->root_key;
++ const key_entry* root_entry = &sig->b1.root_key;
+ if (!is_root_entry_valid(root_entry, check_root_key))
+ {
+ FWERROR("root_entry invalid");
+@@ -621,7 +621,7 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1,
+ {
+ // In the signature of the Key Cancellation Certificate, there's no CSK
+ // entry
+- const block0_sig_entry* b0_entry = &b1->block0_sig;
++ const block0_sig_entry* b0_entry = &sig->cncl_b1.block0_sig;
+
+ // Validate Block 0 Entry in Block 1
+ return is_block0_sig_entry_valid(root_entry->curve, root_entry->key_x,
+@@ -629,7 +629,7 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1,
+ }
+
+ // Validate Block1 CSK Entry
+- const csk_entry* csk = &b1->csk;
++ const csk_entry* csk = &sig->b1.csk;
+ if (!is_csk_entry_valid(root_entry, csk, b0->pc_type))
+ {
+ FWERROR("csk_entry invalid");
+@@ -637,7 +637,7 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1,
+ }
+
+ // Validate Block 0 Entry in Block 1
+- const block0_sig_entry* block0_sig = &b1->block0_sig;
++ const block0_sig_entry* block0_sig = &sig->b1.block0_sig;
+ if (is_block0_sig_entry_valid(root_entry->curve, csk->key.key_x,
+ csk->key.key_y, block0_sig, b0))
+ {
+@@ -657,23 +657,21 @@ static bool is_block1_valid(const blk0* b0, const blk1* b1,
+ * @return uint32_t 1 if this key cancellation certificate is valid; 0,
+ * otherwise
+ */
+-static uint32_t is_key_can_cert_valid(const cancel_cert* cert)
++static uint32_t is_key_can_cert_valid(const cancel_payload* cert)
+ {
+ // Check for the 0s in the reserved field
+ // This reduces the degree of freedom for attackers
+- const uint32_t* key_can_cert_reserved = cert->rsvd;
+- for (uint32_t word_i = 0; word_i < cancel_pad_size / 4; word_i++)
++ const uint32_t* key_can_cert_reserved = cert->padding;
++ for (uint32_t word_i = 0; word_i < cancel_payload_pad_size; word_i++)
+ {
+ if (key_can_cert_reserved[word_i] != 0)
+ {
+ return 0;
+ }
+ }
+- const cancel_payload* cancel =
+- reinterpret_cast(cert + 1);
+
+ // If the key ID is within 0-127 (inclusive), return 1
+- return cancel->csk_id <= pfr_max_key_id;
++ return cert->csk_id <= pfr_max_key_id;
+ }
+
+ /**
+@@ -692,11 +690,11 @@ static uint32_t is_key_can_cert_valid(const cancel_cert* cert)
+ static bool is_signature_valid(const b0b1_signature* sig, bool check_root_key)
+ {
+ const blk0* b0 = &sig->b0;
+- const blk1* b1 = &sig->b1;
+ bool is_key_cancellation_cert = b0->pc_type & pfr_pc_type_cancel_cert;
+
+ // Get pointer to protected content
+ const uint8_t* pc = reinterpret_cast(sig + 1);
++
+ if (is_key_cancellation_cert)
+ {
+ // Check the size of the cancellation certificate
+@@ -706,7 +704,7 @@ static bool is_signature_valid(const b0b1_signature* sig, bool check_root_key)
+ }
+
+ // Validate the cancellation certificate content
+- if (!is_key_can_cert_valid(reinterpret_cast(pc)))
++ if (!is_key_can_cert_valid(reinterpret_cast(pc)))
+ {
+ FWERROR("cancel cert invalid");
+ return false;
+@@ -717,7 +715,8 @@ static bool is_signature_valid(const b0b1_signature* sig, bool check_root_key)
+ if (is_block0_valid(b0, pc))
+ {
+ // Validate block1 (contains the signature chain used to sign block0)
+- if (is_block1_valid(b0, b1, is_key_cancellation_cert, check_root_key))
++ if (is_block1_valid(b0, &sig->b1_sig, is_key_cancellation_cert,
++ check_root_key))
+ {
+ return true;
+ }
+@@ -753,7 +752,7 @@ static bool fvm_authenticate(const b0b1_signature* img_sig)
+ // but it is authenticated as follows:
+ const b0b1_signature* sig = img_sig + 1;
+ const blk0* b0 = &sig->b0;
+- const blk1* b1 = &sig->b1;
++ const blk1* b1 = &sig->b1_sig.b1;
+ const uint8_t* pc = reinterpret_cast(sig + 1);
+
+ if (!is_block0_valid(b0, pc))
+@@ -762,7 +761,7 @@ static bool fvm_authenticate(const b0b1_signature* img_sig)
+ return false;
+ }
+ // Validate block1 (contains the signature chain used to sign block0)
+- if (!is_block1_valid(b0, b1, false, false))
++ if (!is_block1_valid(b0, &sig->b1_sig, false, false))
+ {
+ FWERROR("block1 failed authentication");
+ return false;
+diff --git a/pfr.hpp b/pfr.hpp
+index efe737a..94b7e45 100644
+--- a/pfr.hpp
++++ b/pfr.hpp
+@@ -62,7 +62,7 @@ constexpr size_t pfr_cpld_update_size = 1 * 1024 * 1024; // 1 MB
+ constexpr size_t pfr_pch_max_size = 24 * 1024 * 1024; // 24 MB
+ constexpr size_t pfr_bmc_max_size = 32 * 1024 * 1024; // 32 MB
+ constexpr size_t pfr_afm_max_size = 128 * 1024; // 128KB
+-constexpr size_t pfr_cancel_cert_size = 8;
++constexpr size_t pfr_cancel_cert_size = 128;
+ constexpr uint32_t pfr_max_key_id = 127;
+
+ constexpr uint32_t curve_secp256r1 = 0xc7b88c74;
+@@ -179,14 +179,6 @@ struct blk1
+ uint32_t rsvd[blk1_pad_size];
+ } __attribute__((packed));
+
+-struct b0b1_signature
+-{
+- blk0 b0;
+- blk1 b1;
+-} __attribute__((packed));
+-static_assert(sizeof(b0b1_signature) == 1024,
+- "block0 + block1 size is not 1024 bytes");
+-
+ constexpr size_t cancel_pad_size = 9;
+ struct cancel_cert
+ {
+@@ -200,11 +192,12 @@ struct cancel_cert
+
+ constexpr size_t cancel_sig_pad_size =
+ (blk0blk1_size - sizeof(cancel_cert) - sizeof(uint32_t) -
+- sizeof(key_entry) - sizeof(block0_sig_entry)) /
++ (3 * sizeof(uint32_t)) - sizeof(key_entry) - sizeof(block0_sig_entry)) /
+ sizeof(uint32_t);
+ struct cancel_sig
+ {
+ uint32_t magic;
++ uint32_t pad[3];
+ key_entry root_key;
+ block0_sig_entry block0_sig;
+ uint32_t rsvd[cancel_sig_pad_size];
+@@ -219,6 +212,20 @@ struct cancel_payload
+ uint32_t padding[cancel_payload_pad_size];
+ } __attribute__((packed));
+
++union sig_blk1
++{
++ blk1 b1;
++ cancel_sig cncl_b1;
++};
++
++struct b0b1_signature
++{
++ blk0 b0;
++ sig_blk1 b1_sig;
++} __attribute__((packed));
++static_assert(sizeof(b0b1_signature) == 1024,
++ "block0 + block1 size is not 1024 bytes");
++
+ constexpr uint32_t pfm_magic = 0x02b3ce1d;
+ constexpr uint32_t afm_magic = 0x8883ce1d;
+ constexpr size_t pfm_block_size = 128;
+--
+2.25.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb
index c925c522d5..b3472d7658 100644
--- a/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb
+++ b/meta-openbmc-mods/meta-common/recipes-devtools/mtd-util/mtd-util.bb
@@ -8,6 +8,11 @@ SRC_URI = "git://git@github.com/Intel-BMC/mtd-util.git;protocol=ssh"
PV = "1.0+git${SRCPV}"
SRCREV = "708072b62a3cecb520eeaacac88b4f2c2e101fe4"
+SRC_URI += " \
+ file://0001-Firmware-update-fix-for-mis-aligned-sectors.patch \
+ file://0002-Add-fix-for-possible-freeing-of-mismatched-memory.patch \
+ file://0003-Fix-Key-Cancellation-Update-Capsule-Flow.patch \
+ "
S = "${WORKDIR}/git"
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb b/meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb
new file mode 100644
index 0000000000..35977535aa
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-extended/logrotate/logrotate_3.20.1.bb
@@ -0,0 +1,91 @@
+SUMMARY = "Rotates, compresses, removes and mails system log files"
+SECTION = "console/utils"
+HOMEPAGE = "https://github.com/logrotate/logrotate/"
+DESCRIPTION = "The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files."
+LICENSE = "GPL-2.0-only"
+
+# TODO: Document coreutils dependency. Why not RDEPENDS? Why not busybox?
+
+DEPENDS="coreutils popt"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
+UPSTREAM_CHECK_REGEX = "logrotate-(?P\d+(\.\d+)+).tar"
+
+SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz"
+
+SRC_URI[sha256sum] = "742f6d6e18eceffa49a4bacd933686d3e42931cfccfb694d7f6369b704e5d094"
+
+# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
+CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
+
+PACKAGECONFIG[acl] = ",,acl"
+PACKAGECONFIG[selinux] = ",,libselinux"
+
+CONFFILES:${PN} += "${localstatedir}/lib/logrotate.status \
+ ${sysconfdir}/logrotate.conf \
+ ${sysconfdir}/logrotate.d/btmp \
+ ${sysconfdir}/logrotate.d/wtmp"
+
+# If RPM_OPT_FLAGS is unset, it adds -g itself rather than obeying our
+# optimization variables, so use it rather than EXTRA_CFLAGS.
+EXTRA_OEMAKE = "\
+ LFS= \
+ OS_NAME='${OS_NAME}' \
+ 'CC=${CC}' \
+ 'RPM_OPT_FLAGS=${CFLAGS}' \
+ 'EXTRA_LDFLAGS=${LDFLAGS}' \
+ ${@bb.utils.contains('PACKAGECONFIG', 'acl', 'WITH_ACL=yes', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'selinux', 'WITH_SELINUX=yes', '', d)} \
+"
+
+# OS_NAME in the makefile defaults to `uname -s`. The behavior for
+# freebsd/netbsd is questionable, so leave it as Linux, which only sets
+# INSTALL=install and BASEDIR=/usr.
+OS_NAME = "Linux"
+
+inherit autotools systemd
+
+SYSTEMD_SERVICE:${PN} = "\
+ ${BPN}.service \
+ ${BPN}.timer \
+"
+
+LOGROTATE_OPTIONS ?= ""
+
+LOGROTATE_SYSTEMD_TIMER_BASIS ?= "daily"
+LOGROTATE_SYSTEMD_TIMER_ACCURACY ?= "12h"
+LOGROTATE_SYSTEMD_TIMER_PERSISTENT ?= "true"
+
+do_install(){
+ oe_runmake install DESTDIR=${D} PREFIX=${D} MANDIR=${mandir}
+ mkdir -p ${D}${sysconfdir}/logrotate.d
+ mkdir -p ${D}${localstatedir}/lib
+ install -p -m 644 ${S}/examples/logrotate.conf ${D}${sysconfdir}/logrotate.conf
+ install -p -m 644 ${S}/examples/btmp ${D}${sysconfdir}/logrotate.d/btmp
+ install -p -m 644 ${S}/examples/wtmp ${D}${sysconfdir}/logrotate.d/wtmp
+ touch ${D}${localstatedir}/lib/logrotate.status
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m 0644 ${S}/examples/logrotate.service ${D}${systemd_system_unitdir}/logrotate.service
+ install -m 0644 ${S}/examples/logrotate.timer ${D}${systemd_system_unitdir}/logrotate.timer
+ [ -z "${LOGROTATE_OPTIONS}" ] ||
+ sed -ri \
+ -e 's|(ExecStart=.*/logrotate.*)$|\1 ${LOGROTATE_OPTIONS}|g' \
+ ${D}${systemd_system_unitdir}/logrotate.service
+ sed -ri \
+ -e 's|(OnCalendar=).*$|\1${LOGROTATE_SYSTEMD_TIMER_BASIS}|g' \
+ -e 's|(AccuracySec=).*$|\1${LOGROTATE_SYSTEMD_TIMER_ACCURACY}|g' \
+ -e 's|(Persistent=).*$|\1${LOGROTATE_SYSTEMD_TIMER_PERSISTENT}|g' \
+ ${D}${systemd_system_unitdir}/logrotate.timer
+ fi
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+ mkdir -p ${D}${sysconfdir}/cron.daily
+ install -p -m 0755 ${S}/examples/logrotate.cron ${D}${sysconfdir}/cron.daily/logrotate
+ fi
+}
diff --git a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend
index 36539fbdac..e795efe25c 100644
--- a/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-extended/sdbusplus/sdbusplus_%.bbappend
@@ -6,4 +6,4 @@ SRC_URI += " \
"
# Temporary pin to resolve build breaks
-SRCREV="6adfe948ee55ffde8457047042d0d55aa3d8b4a7"
+SRCREV="90fab6bb667460053cfc4587b58c987f74b1bf58"
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch
new file mode 100644
index 0000000000..5e963a9894
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-1.patch
@@ -0,0 +1,45 @@
+From 6eea4ace62fa6414432692ee44f0c0a3d541d97a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Dec 2021 19:02:15 +0100
+Subject: [PATCH] USB: gadget: zero allocate endpoint 0 buffers
+
+commit 86ebbc11bb3f60908a51f3e41a17e3f477c2eaa3 upstream.
+
+Under some conditions, USB gadget devices can show allocated buffer
+contents to a host. Fix this up by zero-allocating them so that any
+extra data will all just be zeros.
+
+Reported-by: Szymon Heidrich
+Tested-by: Szymon Heidrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 2 +-
+ drivers/usb/gadget/legacy/dbgp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 1ef7922b57b62e..284eea9f6e4d8d 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2221,7 +2221,7 @@ int composite_dev_prepare(struct usb_composite_driver *composite,
+ if (!cdev->req)
+ return -ENOMEM;
+
+- cdev->req->buf = kmalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
++ cdev->req->buf = kzalloc(USB_COMP_EP0_BUFSIZ, GFP_KERNEL);
+ if (!cdev->req->buf)
+ goto fail;
+
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index e567afcb2794c0..355bc7dab9d5f6 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -137,7 +137,7 @@ static int dbgp_enable_ep_req(struct usb_ep *ep)
+ goto fail_1;
+ }
+
+- req->buf = kmalloc(DBGP_REQ_LEN, GFP_KERNEL);
++ req->buf = kzalloc(DBGP_REQ_LEN, GFP_KERNEL);
+ if (!req->buf) {
+ err = -ENOMEM;
+ stp = 2;
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch
new file mode 100644
index 0000000000..44337588ae
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685-2.patch
@@ -0,0 +1,93 @@
+From abd3a33b3f2bff26fa531da668b041bef980f238 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Tue, 14 Dec 2021 19:46:21 +0100
+Subject: [PATCH] USB: gadget: bRequestType is a bitfield, not a enum
+
+[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]
+
+Szymon rightly pointed out that the previous check for the endpoint
+direction in bRequestType was not looking at only the bit involved, but
+rather the whole value. Normally this is ok, but for some request
+types, bits other than bit 8 could be set and the check for the endpoint
+length could not stall correctly.
+
+Fix that up by only checking the single bit.
+
+Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
+Cc: Felipe Balbi
+Reported-by: Szymon Heidrich
+Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/composite.c | 6 +++---
+ drivers/usb/gadget/legacy/dbgp.c | 6 +++---
+ drivers/usb/gadget/legacy/inode.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 284eea9f6e4d8d..3789c329183ca6 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ u8 endp;
+
+ if (w_length > USB_COMP_EP0_BUFSIZ) {
+- if (ctrl->bRequestType == USB_DIR_OUT) {
+- goto done;
+- } else {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
+ w_length = USB_COMP_EP0_BUFSIZ;
++ } else {
++ goto done;
+ }
+ }
+
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index 355bc7dab9d5f6..6bcbad38258020 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
+ u16 len = 0;
+
+ if (length > DBGP_REQ_LEN) {
+- if (ctrl->bRequestType == USB_DIR_OUT) {
+- return err;
+- } else {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(DBGP_REQ_LEN);
+ length = DBGP_REQ_LEN;
++ } else {
++ return err;
+ }
+ }
+
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 0a4041552ed193..1b223cba4c2c92 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1337,14 +1337,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ u16 w_length = le16_to_cpu(ctrl->wLength);
+
+ if (w_length > RBUF_SIZE) {
+- if (ctrl->bRequestType == USB_DIR_OUT) {
+- return value;
+- } else {
++ if (ctrl->bRequestType & USB_DIR_IN) {
+ /* Cast away the const, we are going to overwrite on purpose. */
+ __le16 *temp = (__le16 *)&ctrl->wLength;
+
+ *temp = cpu_to_le16(RBUF_SIZE);
+ w_length = RBUF_SIZE;
++ } else {
++ return value;
+ }
+ }
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch
new file mode 100644
index 0000000000..f94ac946bf
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39685.patch
@@ -0,0 +1,108 @@
+From 36dfdf11af49d3c009c711fb16f5c6e7a274505d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Thu, 9 Dec 2021 18:59:27 +0100
+Subject: [PATCH] USB: gadget: detect too-big endpoint 0 requests
+
+commit 153a2d7e3350cc89d406ba2d35be8793a64c2038 upstream.
+
+Sometimes USB hosts can ask for buffers that are too large from endpoint
+0, which should not be allowed. If this happens for OUT requests, stall
+the endpoint, but for IN requests, trim the request size to the endpoint
+buffer size.
+
+Co-developed-by: Szymon Heidrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 12 ++++++++++++
+ drivers/usb/gadget/legacy/dbgp.c | 13 +++++++++++++
+ drivers/usb/gadget/legacy/inode.c | 16 +++++++++++++++-
+ 3 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
+index 504c1cbc255d14..1ef7922b57b62e 100644
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1679,6 +1679,18 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ struct usb_function *f = NULL;
+ u8 endp;
+
++ if (w_length > USB_COMP_EP0_BUFSIZ) {
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ goto done;
++ } else {
++ /* Cast away the const, we are going to overwrite on purpose. */
++ __le16 *temp = (__le16 *)&ctrl->wLength;
++
++ *temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
++ w_length = USB_COMP_EP0_BUFSIZ;
++ }
++ }
++
+ /* partial re-init of the response message; the function or the
+ * gadget might need to intercept e.g. a control-OUT completion
+ * when we delegate to it.
+diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
+index e1d566c9918ae5..e567afcb2794c0 100644
+--- a/drivers/usb/gadget/legacy/dbgp.c
++++ b/drivers/usb/gadget/legacy/dbgp.c
+@@ -345,6 +345,19 @@ static int dbgp_setup(struct usb_gadget *gadget,
+ void *data = NULL;
+ u16 len = 0;
+
++ if (length > DBGP_REQ_LEN) {
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ return err;
++ } else {
++ /* Cast away the const, we are going to overwrite on purpose. */
++ __le16 *temp = (__le16 *)&ctrl->wLength;
++
++ *temp = cpu_to_le16(DBGP_REQ_LEN);
++ length = DBGP_REQ_LEN;
++ }
++ }
++
++
+ if (request == USB_REQ_GET_DESCRIPTOR) {
+ switch (value>>8) {
+ case USB_DT_DEVICE:
+diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
+index 539220d7f5b620..0a4041552ed193 100644
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -110,6 +110,8 @@ enum ep0_state {
+ /* enough for the whole queue: most events invalidate others */
+ #define N_EVENT 5
+
++#define RBUF_SIZE 256
++
+ struct dev_data {
+ spinlock_t lock;
+ refcount_t count;
+@@ -144,7 +146,7 @@ struct dev_data {
+ struct dentry *dentry;
+
+ /* except this scratch i/o buffer for ep0 */
+- u8 rbuf [256];
++ u8 rbuf[RBUF_SIZE];
+ };
+
+ static inline void get_dev (struct dev_data *data)
+@@ -1334,6 +1336,18 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
+ u16 w_value = le16_to_cpu(ctrl->wValue);
+ u16 w_length = le16_to_cpu(ctrl->wLength);
+
++ if (w_length > RBUF_SIZE) {
++ if (ctrl->bRequestType == USB_DIR_OUT) {
++ return value;
++ } else {
++ /* Cast away the const, we are going to overwrite on purpose. */
++ __le16 *temp = (__le16 *)&ctrl->wLength;
++
++ *temp = cpu_to_le16(RBUF_SIZE);
++ w_length = RBUF_SIZE;
++ }
++ }
++
+ spin_lock (&dev->lock);
+ dev->setup_abort = 0;
+ if (dev->state == STATE_DEV_UNCONNECTED) {
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch
new file mode 100644
index 0000000000..444fb10354
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698-1.patch
@@ -0,0 +1,47 @@
+From 8d6760fd5d1604df29dd7651033167ef99a7698d Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 8 Dec 2021 17:04:53 -0800
+Subject: [PATCH] signalfd: use wake_up_pollfree()
+
+commit 9537bae0da1f8d1e2361ab6d0479e8af7824e160 upstream.
+
+wake_up_poll() uses nr_exclusive=1, so it's not guaranteed to wake up
+all exclusive waiters. Yet, POLLFREE *must* wake up all waiters. epoll
+and aio poll are fortunately not affected by this, but it's very
+fragile. Thus, the new function wake_up_pollfree() has been introduced.
+
+Convert signalfd to use wake_up_pollfree().
+
+Reported-by: Linus Torvalds
+Fixes: d80e731ecab4 ("epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211209010455.42744-4-ebiggers@kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/signalfd.c | 12 +-----------
+ 1 file changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/fs/signalfd.c b/fs/signalfd.c
+index 040e1cf9052826..65ce0e72e7b958 100644
+--- a/fs/signalfd.c
++++ b/fs/signalfd.c
+@@ -35,17 +35,7 @@
+
+ void signalfd_cleanup(struct sighand_struct *sighand)
+ {
+- wait_queue_head_t *wqh = &sighand->signalfd_wqh;
+- /*
+- * The lockless check can race with remove_wait_queue() in progress,
+- * but in this case its caller should run under rcu_read_lock() and
+- * sighand_cachep is SLAB_TYPESAFE_BY_RCU, we can safely return.
+- */
+- if (likely(!waitqueue_active(wqh)))
+- return;
+-
+- /* wait_queue_entry_t->func(POLLFREE) should do remove_wait_queue() */
+- wake_up_poll(wqh, EPOLLHUP | POLLFREE);
++ wake_up_pollfree(&sighand->signalfd_wqh);
+ }
+
+ struct signalfd_ctx {
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch
new file mode 100644
index 0000000000..9a72505667
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-39698.patch
@@ -0,0 +1,107 @@
+From 1ebb6cd8c754bfe1a5f9539027980756bce7cb08 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Wed, 8 Dec 2021 17:04:51 -0800
+Subject: [PATCH] wait: add wake_up_pollfree()
+
+commit 42288cb44c4b5fff7653bc392b583a2b8bd6a8c0 upstream.
+
+Several ->poll() implementations are special in that they use a
+waitqueue whose lifetime is the current task, rather than the struct
+file as is normally the case. This is okay for blocking polls, since a
+blocking poll occurs within one task; however, non-blocking polls
+require another solution. This solution is for the queue to be cleared
+before it is freed, using 'wake_up_poll(wq, EPOLLHUP | POLLFREE);'.
+
+However, that has a bug: wake_up_poll() calls __wake_up() with
+nr_exclusive=1. Therefore, if there are multiple "exclusive" waiters,
+and the wakeup function for the first one returns a positive value, only
+that one will be called. That's *not* what's needed for POLLFREE;
+POLLFREE is special in that it really needs to wake up everyone.
+
+Considering the three non-blocking poll systems:
+
+- io_uring poll doesn't handle POLLFREE at all, so it is broken anyway.
+
+- aio poll is unaffected, since it doesn't support exclusive waits.
+ However, that's fragile, as someone could add this feature later.
+
+- epoll doesn't appear to be broken by this, since its wakeup function
+ returns 0 when it sees POLLFREE. But this is fragile.
+
+Although there is a workaround (see epoll), it's better to define a
+function which always sends POLLFREE to all waiters. Add such a
+function. Also make it verify that the queue really becomes empty after
+all waiters have been woken up.
+
+Reported-by: Linus Torvalds
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20211209010455.42744-2-ebiggers@kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/wait.h | 26 ++++++++++++++++++++++++++
+ kernel/sched/wait.c | 7 +++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/include/linux/wait.h b/include/linux/wait.h
+index 93dab0e9580f8d..d22cf2985b8fd6 100644
+--- a/include/linux/wait.h
++++ b/include/linux/wait.h
+@@ -217,6 +217,7 @@ void __wake_up_sync_key(struct wait_queue_head *wq_head, unsigned int mode, void
+ void __wake_up_locked_sync_key(struct wait_queue_head *wq_head, unsigned int mode, void *key);
+ void __wake_up_locked(struct wait_queue_head *wq_head, unsigned int mode, int nr);
+ void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode);
++void __wake_up_pollfree(struct wait_queue_head *wq_head);
+
+ #define wake_up(x) __wake_up(x, TASK_NORMAL, 1, NULL)
+ #define wake_up_nr(x, nr) __wake_up(x, TASK_NORMAL, nr, NULL)
+@@ -245,6 +246,31 @@ void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode);
+ #define wake_up_interruptible_sync_poll_locked(x, m) \
+ __wake_up_locked_sync_key((x), TASK_INTERRUPTIBLE, poll_to_key(m))
+
++/**
++ * wake_up_pollfree - signal that a polled waitqueue is going away
++ * @wq_head: the wait queue head
++ *
++ * In the very rare cases where a ->poll() implementation uses a waitqueue whose
++ * lifetime is tied to a task rather than to the 'struct file' being polled,
++ * this function must be called before the waitqueue is freed so that
++ * non-blocking polls (e.g. epoll) are notified that the queue is going away.
++ *
++ * The caller must also RCU-delay the freeing of the wait_queue_head, e.g. via
++ * an explicit synchronize_rcu() or call_rcu(), or via SLAB_TYPESAFE_BY_RCU.
++ */
++static inline void wake_up_pollfree(struct wait_queue_head *wq_head)
++{
++ /*
++ * For performance reasons, we don't always take the queue lock here.
++ * Therefore, we might race with someone removing the last entry from
++ * the queue, and proceed while they still hold the queue lock.
++ * However, rcu_read_lock() is required to be held in such cases, so we
++ * can safely proceed with an RCU-delayed free.
++ */
++ if (waitqueue_active(wq_head))
++ __wake_up_pollfree(wq_head);
++}
++
+ #define ___wait_cond_timeout(condition) \
+ ({ \
+ bool __cond = (condition); \
+diff --git a/kernel/sched/wait.c b/kernel/sched/wait.c
+index 76577d1642a5dc..eca38107b32f16 100644
+--- a/kernel/sched/wait.c
++++ b/kernel/sched/wait.c
+@@ -238,6 +238,13 @@ void __wake_up_sync(struct wait_queue_head *wq_head, unsigned int mode)
+ }
+ EXPORT_SYMBOL_GPL(__wake_up_sync); /* For internal use only */
+
++void __wake_up_pollfree(struct wait_queue_head *wq_head)
++{
++ __wake_up(wq_head, TASK_NORMAL, 0, poll_to_key(EPOLLHUP | POLLFREE));
++ /* POLLFREE must have cleared the queue. */
++ WARN_ON_ONCE(waitqueue_active(wq_head));
++}
++
+ /*
+ * Note: we use "set_current_state()" _after_ the wait-queue add,
+ * because we need a memory barrier there on SMP, so that any
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch
new file mode 100644
index 0000000000..233085359c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-4083.patch
@@ -0,0 +1,64 @@
+From 6fe4eadd54da3040cf6f6579ae157ae1395dc0f8 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Wed, 1 Dec 2021 10:06:14 -0800
+Subject: [PATCH] fget: check that the fd still exists after getting a ref to
+ it
+
+commit 054aa8d439b9185d4f5eb9a90282d1ce74772969 upstream.
+
+Jann Horn points out that there is another possible race wrt Unix domain
+socket garbage collection, somewhat reminiscent of the one fixed in
+commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK").
+
+See the extended comment about the garbage collection requirements added
+to unix_peek_fds() by that commit for details.
+
+The race comes from how we can locklessly look up a file descriptor just
+as it is in the process of being closed, and with the right artificial
+timing (Jann added a few strategic 'mdelay(500)' calls to do that), the
+Unix domain socket garbage collector could see the reference count
+decrement of the close() happen before fget() took its reference to the
+file and the file was attached onto a new file descriptor.
+
+This is all (intentionally) correct on the 'struct file *' side, with
+RCU lookups and lockless reference counting very much part of the
+design. Getting that reference count out of order isn't a problem per
+se.
+
+But the garbage collector can get confused by seeing this situation of
+having seen a file not having any remaining external references and then
+seeing it being attached to an fd.
+
+In commit cbcf01128d0a ("af_unix: fix garbage collect vs MSG_PEEK") the
+fix was to serialize the file descriptor install with the garbage
+collector by taking and releasing the unix_gc_lock.
+
+That's not really an option here, but since this all happens when we are
+in the process of looking up a file descriptor, we can instead simply
+just re-check that the file hasn't been closed in the meantime, and just
+re-do the lookup if we raced with a concurrent close() of the same file
+descriptor.
+
+Reported-and-tested-by: Jann Horn
+Acked-by: Miklos Szeredi
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/file.c b/fs/file.c
+index 8627dacfc4246f..ad4a8bf3cf109f 100644
+--- a/fs/file.c
++++ b/fs/file.c
+@@ -858,6 +858,10 @@ static struct file *__fget_files(struct files_struct *files, unsigned int fd,
+ file = NULL;
+ else if (!get_file_rcu_many(file, refs))
+ goto loop;
++ else if (files_lookup_fd_raw(files, fd) != file) {
++ fput_many(file, refs);
++ goto loop;
++ }
+ }
+ rcu_read_unlock();
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch
new file mode 100644
index 0000000000..68e56b224c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-0168.patch
@@ -0,0 +1,335 @@
+From eee9254fe110ed2cb4593abb6eceb3a72cb92fe9 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Tue, 29 Mar 2022 16:20:06 -0300
+Subject: [PATCH] cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
+
+commit d6f5e358452479fa8a773b5c6ccc9e4ec5a20880 upstream.
+
+When calling smb2_ioctl_query_info() with invalid
+smb_query_info::flags, a NULL ptr dereference is triggered when trying
+to kfree() uninitialised rqst[n].rq_iov array.
+
+This also fixes leaked paths that are created in SMB2_open_init()
+which required SMB2_open_free() to properly free them.
+
+Here is a small C reproducer that triggers it
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ #define die(s) perror(s), exit(1)
+ #define QUERY_INFO 0xc018cf07
+
+ int main(int argc, char *argv[])
+ {
+ int fd;
+
+ if (argc < 2)
+ exit(1);
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1)
+ die("open");
+ if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
+ die("ioctl");
+ close(fd);
+ return 0;
+ }
+
+ mount.cifs //srv/share /mnt -o ...
+ gcc repro.c && ./a.out /mnt/f0
+
+ [ 1832.124468] CIFS: VFS: \\w22-dc.zelda.test\test Invalid passthru query flags: 0x4
+ [ 1832.125043] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
+ [ 1832.125764] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+ [ 1832.126241] CPU: 3 PID: 1133 Comm: a.out Not tainted 5.17.0-rc8 #2
+ [ 1832.126630] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
+ [ 1832.127322] RIP: 0010:smb2_ioctl_query_info+0x7a3/0xe30 [cifs]
+ [ 1832.127749] Code: 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 6c 05 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 74 24 28 4c 89 f2 48 c1 ea 03 <80> 3c 02 00 0f 85 cb 04 00 00 49 8b 3e e8 bb fc fa ff 48 89 da 48
+ [ 1832.128911] RSP: 0018:ffffc90000957b08 EFLAGS: 00010256
+ [ 1832.129243] RAX: dffffc0000000000 RBX: ffff888117e9b850 RCX: ffffffffa020580d
+ [ 1832.129691] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a2c0
+ [ 1832.130137] RBP: ffff888117e9b878 R08: 0000000000000001 R09: 0000000000000003
+ [ 1832.130585] R10: fffffbfff4087458 R11: 0000000000000001 R12: ffff888117e9b800
+ [ 1832.131037] R13: 00000000ffffffea R14: 0000000000000000 R15: ffff888117e9b8a8
+ [ 1832.131485] FS: 00007fcee9900740(0000) GS:ffff888151a00000(0000) knlGS:0000000000000000
+ [ 1832.131993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 1832.132354] CR2: 00007fcee9a1ef5e CR3: 0000000114cd2000 CR4: 0000000000350ee0
+ [ 1832.132801] Call Trace:
+ [ 1832.132962]
+ [ 1832.133104] ? smb2_query_reparse_tag+0x890/0x890 [cifs]
+ [ 1832.133489] ? cifs_mapchar+0x460/0x460 [cifs]
+ [ 1832.133822] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 1832.134125] ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
+ [ 1832.134502] ? lock_downgrade+0x6f0/0x6f0
+ [ 1832.134760] ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
+ [ 1832.135170] ? smb2_check_message+0x1080/0x1080 [cifs]
+ [ 1832.135545] cifs_ioctl+0x1577/0x3320 [cifs]
+ [ 1832.135864] ? lock_downgrade+0x6f0/0x6f0
+ [ 1832.136125] ? cifs_readdir+0x2e60/0x2e60 [cifs]
+ [ 1832.136468] ? rcu_read_lock_sched_held+0x3f/0x70
+ [ 1832.136769] ? __rseq_handle_notify_resume+0x80b/0xbe0
+ [ 1832.137096] ? __up_read+0x192/0x710
+ [ 1832.137327] ? __ia32_sys_rseq+0xf0/0xf0
+ [ 1832.137578] ? __x64_sys_openat+0x11f/0x1d0
+ [ 1832.137850] __x64_sys_ioctl+0x127/0x190
+ [ 1832.138103] do_syscall_64+0x3b/0x90
+ [ 1832.138378] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ [ 1832.138702] RIP: 0033:0x7fcee9a253df
+ [ 1832.138937] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
+ [ 1832.140107] RSP: 002b:00007ffeba94a8a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ [ 1832.140606] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcee9a253df
+ [ 1832.141058] RDX: 00007ffeba94a910 RSI: 00000000c018cf07 RDI: 0000000000000003
+ [ 1832.141503] RBP: 00007ffeba94a930 R08: 00007fcee9b24db0 R09: 00007fcee9b45c4e
+ [ 1832.141948] R10: 00007fcee9918d40 R11: 0000000000000246 R12: 00007ffeba94aa48
+ [ 1832.142396] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007fcee9b78000
+ [ 1832.142851]
+ [ 1832.142994] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload [last unloaded: cifs]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2ops.c | 130 +++++++++++++++++++++++++---------------------
+ 1 file changed, 70 insertions(+), 60 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index bda606dc72b1..db3ead52ec7c 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1631,6 +1631,7 @@ smb2_ioctl_query_info(const unsigned int xid,
+ unsigned int size[2];
+ void *data[2];
+ int create_options = is_dir ? CREATE_NOT_FILE : CREATE_NOT_DIR;
++ void (*free_req1_func)(struct smb_rqst *r);
+
+ vars = kzalloc(sizeof(*vars), GFP_ATOMIC);
+ if (vars == NULL)
+@@ -1640,27 +1641,29 @@ smb2_ioctl_query_info(const unsigned int xid,
+
+ resp_buftype[0] = resp_buftype[1] = resp_buftype[2] = CIFS_NO_BUFFER;
+
+- if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
+- goto e_fault;
+-
++ if (copy_from_user(&qi, arg, sizeof(struct smb_query_info))) {
++ rc = -EFAULT;
++ goto free_vars;
++ }
+ if (qi.output_buffer_length > 1024) {
+- kfree(vars);
+- return -EINVAL;
++ rc = -EINVAL;
++ goto free_vars;
+ }
+
+ if (!ses || !server) {
+- kfree(vars);
+- return -EIO;
++ rc = -EIO;
++ goto free_vars;
+ }
+
+ if (smb3_encryption_required(tcon))
+ flags |= CIFS_TRANSFORM_REQ;
+
+- buffer = memdup_user(arg + sizeof(struct smb_query_info),
+- qi.output_buffer_length);
+- if (IS_ERR(buffer)) {
+- kfree(vars);
+- return PTR_ERR(buffer);
++ if (qi.output_buffer_length) {
++ buffer = memdup_user(arg + sizeof(struct smb_query_info), qi.output_buffer_length);
++ if (IS_ERR(buffer)) {
++ rc = PTR_ERR(buffer);
++ goto free_vars;
++ }
+ }
+
+ /* Open */
+@@ -1698,45 +1701,45 @@ smb2_ioctl_query_info(const unsigned int xid,
+ rc = SMB2_open_init(tcon, server,
+ &rqst[0], &oplock, &oparms, path);
+ if (rc)
+- goto iqinf_exit;
++ goto free_output_buffer;
+ smb2_set_next_command(tcon, &rqst[0]);
+
+ /* Query */
+ if (qi.flags & PASSTHRU_FSCTL) {
+ /* Can eventually relax perm check since server enforces too */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN)) {
+ rc = -EPERM;
+- else {
+- rqst[1].rq_iov = &vars->io_iov[0];
+- rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
+-
+- rc = SMB2_ioctl_init(tcon, server,
+- &rqst[1],
+- COMPOUND_FID, COMPOUND_FID,
+- qi.info_type, true, buffer,
+- qi.output_buffer_length,
+- CIFSMaxBufSize -
+- MAX_SMB2_CREATE_RESPONSE_SIZE -
+- MAX_SMB2_CLOSE_RESPONSE_SIZE);
++ goto free_open_req;
+ }
++ rqst[1].rq_iov = &vars->io_iov[0];
++ rqst[1].rq_nvec = SMB2_IOCTL_IOV_SIZE;
++
++ rc = SMB2_ioctl_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
++ qi.info_type, true, buffer, qi.output_buffer_length,
++ CIFSMaxBufSize - MAX_SMB2_CREATE_RESPONSE_SIZE -
++ MAX_SMB2_CLOSE_RESPONSE_SIZE);
++ free_req1_func = SMB2_ioctl_free;
+ } else if (qi.flags == PASSTHRU_SET_INFO) {
+ /* Can eventually relax perm check since server enforces too */
+- if (!capable(CAP_SYS_ADMIN))
++ if (!capable(CAP_SYS_ADMIN)) {
+ rc = -EPERM;
+- else {
+- rqst[1].rq_iov = &vars->si_iov[0];
+- rqst[1].rq_nvec = 1;
+-
+- size[0] = 8;
+- data[0] = buffer;
+-
+- rc = SMB2_set_info_init(tcon, server,
+- &rqst[1],
+- COMPOUND_FID, COMPOUND_FID,
+- current->tgid,
+- FILE_END_OF_FILE_INFORMATION,
+- SMB2_O_INFO_FILE, 0, data, size);
++ goto free_open_req;
+ }
++ if (qi.output_buffer_length < 8) {
++ rc = -EINVAL;
++ goto free_open_req;
++ }
++ rqst[1].rq_iov = &vars->si_iov[0];
++ rqst[1].rq_nvec = 1;
++
++ /* MS-FSCC 2.4.13 FileEndOfFileInformation */
++ size[0] = 8;
++ data[0] = buffer;
++
++ rc = SMB2_set_info_init(tcon, server, &rqst[1], COMPOUND_FID, COMPOUND_FID,
++ current->tgid, FILE_END_OF_FILE_INFORMATION,
++ SMB2_O_INFO_FILE, 0, data, size);
++ free_req1_func = SMB2_set_info_free;
+ } else if (qi.flags == PASSTHRU_QUERY_INFO) {
+ rqst[1].rq_iov = &vars->qi_iov[0];
+ rqst[1].rq_nvec = 1;
+@@ -1747,6 +1750,7 @@ smb2_ioctl_query_info(const unsigned int xid,
+ qi.info_type, qi.additional_information,
+ qi.input_buffer_length,
+ qi.output_buffer_length, buffer);
++ free_req1_func = SMB2_query_info_free;
+ } else { /* unknown flags */
+ cifs_tcon_dbg(VFS, "Invalid passthru query flags: 0x%x\n",
+ qi.flags);
+@@ -1754,7 +1758,7 @@ smb2_ioctl_query_info(const unsigned int xid,
+ }
+
+ if (rc)
+- goto iqinf_exit;
++ goto free_open_req;
+ smb2_set_next_command(tcon, &rqst[1]);
+ smb2_set_related(&rqst[1]);
+
+@@ -1765,14 +1769,14 @@ smb2_ioctl_query_info(const unsigned int xid,
+ rc = SMB2_close_init(tcon, server,
+ &rqst[2], COMPOUND_FID, COMPOUND_FID, false);
+ if (rc)
+- goto iqinf_exit;
++ goto free_req_1;
+ smb2_set_related(&rqst[2]);
+
+ rc = compound_send_recv(xid, ses, server,
+ flags, 3, rqst,
+ resp_buftype, rsp_iov);
+ if (rc)
+- goto iqinf_exit;
++ goto out;
+
+ /* No need to bump num_remote_opens since handle immediately closed */
+ if (qi.flags & PASSTHRU_FSCTL) {
+@@ -1782,18 +1786,22 @@ smb2_ioctl_query_info(const unsigned int xid,
+ qi.input_buffer_length = le32_to_cpu(io_rsp->OutputCount);
+ if (qi.input_buffer_length > 0 &&
+ le32_to_cpu(io_rsp->OutputOffset) + qi.input_buffer_length
+- > rsp_iov[1].iov_len)
+- goto e_fault;
++ > rsp_iov[1].iov_len) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user(&pqi->input_buffer_length,
+ &qi.input_buffer_length,
+- sizeof(qi.input_buffer_length)))
+- goto e_fault;
++ sizeof(qi.input_buffer_length))) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user((void __user *)pqi + sizeof(struct smb_query_info),
+ (const void *)io_rsp + le32_to_cpu(io_rsp->OutputOffset),
+ qi.input_buffer_length))
+- goto e_fault;
++ rc = -EFAULT;
+ } else {
+ pqi = (struct smb_query_info __user *)arg;
+ qi_rsp = (struct smb2_query_info_rsp *)rsp_iov[1].iov_base;
+@@ -1801,28 +1809,30 @@ smb2_ioctl_query_info(const unsigned int xid,
+ qi.input_buffer_length = le32_to_cpu(qi_rsp->OutputBufferLength);
+ if (copy_to_user(&pqi->input_buffer_length,
+ &qi.input_buffer_length,
+- sizeof(qi.input_buffer_length)))
+- goto e_fault;
++ sizeof(qi.input_buffer_length))) {
++ rc = -EFAULT;
++ goto out;
++ }
+
+ if (copy_to_user(pqi + 1, qi_rsp->Buffer,
+ qi.input_buffer_length))
+- goto e_fault;
++ rc = -EFAULT;
+ }
+
+- iqinf_exit:
+- cifs_small_buf_release(rqst[0].rq_iov[0].iov_base);
+- cifs_small_buf_release(rqst[1].rq_iov[0].iov_base);
+- cifs_small_buf_release(rqst[2].rq_iov[0].iov_base);
++out:
+ free_rsp_buf(resp_buftype[0], rsp_iov[0].iov_base);
+ free_rsp_buf(resp_buftype[1], rsp_iov[1].iov_base);
+ free_rsp_buf(resp_buftype[2], rsp_iov[2].iov_base);
+- kfree(vars);
++ SMB2_close_free(&rqst[2]);
++free_req_1:
++ free_req1_func(&rqst[1]);
++free_open_req:
++ SMB2_open_free(&rqst[0]);
++free_output_buffer:
+ kfree(buffer);
++free_vars:
++ kfree(vars);
+ return rc;
+-
+-e_fault:
+- rc = -EFAULT;
+- goto iqinf_exit;
+ }
+
+ static ssize_t
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch
new file mode 100644
index 0000000000..3a8831e60d
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1012.patch
@@ -0,0 +1,146 @@
+From 1a8ee547da2b64d6a2aedbd38a691578eff14718 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau
+Date: Mon, 2 May 2022 10:46:08 +0200
+Subject: [PATCH] secure_seq: use the 64 bits of the siphash for port offset
+ calculation
+
+[ Upstream commit b2d057560b8107c633b39aabe517ff9d93f285e3 ]
+
+SipHash replaced MD5 in secure_ipv{4,6}_port_ephemeral() via commit
+7cd23e5300c1 ("secure_seq: use SipHash in place of MD5"), but the output
+remained truncated to 32-bit only. In order to exploit more bits from the
+hash, let's make the functions return the full 64-bit of siphash_3u32().
+We also make sure the port offset calculation in __inet_hash_connect()
+remains done on 32-bit to avoid the need for div_u64_rem() and an extra
+cost on 32-bit systems.
+
+Cc: Jason A. Donenfeld
+Cc: Moshe Kol
+Cc: Yossi Gilad
+Cc: Amit Klein
+Reviewed-by: Eric Dumazet
+Signed-off-by: Willy Tarreau
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ include/net/inet_hashtables.h | 2 +-
+ include/net/secure_seq.h | 4 ++--
+ net/core/secure_seq.c | 4 ++--
+ net/ipv4/inet_hashtables.c | 10 ++++++----
+ net/ipv6/inet6_hashtables.c | 4 ++--
+ 5 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
+index f72ec113ae568a..98e1ec1a14f038 100644
+--- a/include/net/inet_hashtables.h
++++ b/include/net/inet_hashtables.h
+@@ -425,7 +425,7 @@ static inline void sk_rcv_saddr_set(struct sock *sk, __be32 addr)
+ }
+
+ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+- struct sock *sk, u32 port_offset,
++ struct sock *sk, u64 port_offset,
+ int (*check_established)(struct inet_timewait_death_row *,
+ struct sock *, __u16,
+ struct inet_timewait_sock **));
+diff --git a/include/net/secure_seq.h b/include/net/secure_seq.h
+index d7d2495f83c27c..dac91aa38c5af3 100644
+--- a/include/net/secure_seq.h
++++ b/include/net/secure_seq.h
+@@ -4,8 +4,8 @@
+
+ #include
+
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
++u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport);
+ u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
+ __be16 sport, __be16 dport);
+diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
+index b5bc680d475536..444cce0184c372 100644
+--- a/net/core/secure_seq.c
++++ b/net/core/secure_seq.c
+@@ -94,7 +94,7 @@ u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
+ }
+ EXPORT_SYMBOL(secure_tcpv6_seq);
+
+-u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
++u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+ __be16 dport)
+ {
+ const struct {
+@@ -142,7 +142,7 @@ u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
+ }
+ EXPORT_SYMBOL_GPL(secure_tcp_seq);
+
+-u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
++u64 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
+ {
+ net_secret_init();
+ return siphash_3u32((__force u32)saddr, (__force u32)daddr,
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index 7bd1e10086f0a4..606a4220ebb9d4 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -504,7 +504,7 @@ static int __inet_check_established(struct inet_timewait_death_row *death_row,
+ return -EADDRNOTAVAIL;
+ }
+
+-static u32 inet_sk_port_offset(const struct sock *sk)
++static u64 inet_sk_port_offset(const struct sock *sk)
+ {
+ const struct inet_sock *inet = inet_sk(sk);
+
+@@ -734,7 +734,7 @@ EXPORT_SYMBOL_GPL(inet_unhash);
+ static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT];
+
+ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+- struct sock *sk, u32 port_offset,
++ struct sock *sk, u64 port_offset,
+ int (*check_established)(struct inet_timewait_death_row *,
+ struct sock *, __u16, struct inet_timewait_sock **))
+ {
+@@ -777,7 +777,9 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+ net_get_random_once(table_perturb, sizeof(table_perturb));
+ index = hash_32(port_offset, INET_TABLE_PERTURB_SHIFT);
+
+- offset = (READ_ONCE(table_perturb[index]) + port_offset) % remaining;
++ offset = READ_ONCE(table_perturb[index]) + port_offset;
++ offset %= remaining;
++
+ /* In first pass we try ports of @low parity.
+ * inet_csk_get_port() does the opposite choice.
+ */
+@@ -859,7 +861,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+ int inet_hash_connect(struct inet_timewait_death_row *death_row,
+ struct sock *sk)
+ {
+- u32 port_offset = 0;
++ u64 port_offset = 0;
+
+ if (!inet_sk(sk)->inet_num)
+ port_offset = inet_sk_port_offset(sk);
+diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
+index 0a2e7f22839110..40203255ed88b9 100644
+--- a/net/ipv6/inet6_hashtables.c
++++ b/net/ipv6/inet6_hashtables.c
+@@ -308,7 +308,7 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row,
+ return -EADDRNOTAVAIL;
+ }
+
+-static u32 inet6_sk_port_offset(const struct sock *sk)
++static u64 inet6_sk_port_offset(const struct sock *sk)
+ {
+ const struct inet_sock *inet = inet_sk(sk);
+
+@@ -320,7 +320,7 @@ static u32 inet6_sk_port_offset(const struct sock *sk)
+ int inet6_hash_connect(struct inet_timewait_death_row *death_row,
+ struct sock *sk)
+ {
+- u32 port_offset = 0;
++ u64 port_offset = 0;
+
+ if (!inet_sk(sk)->inet_num)
+ port_offset = inet6_sk_port_offset(sk);
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch
new file mode 100644
index 0000000000..b08f7e043a
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_1.patch
@@ -0,0 +1,81 @@
+From 3a3ce941645407cd0b0b7f01ad9e2ea3770f46cc Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 18 May 2022 11:33:29 +0200
+Subject: [PATCH] ext4: avoid cycles in directory h-tree
+
+commit 3ba733f879c2a88910744647e41edeefbc0d92b2 upstream.
+
+A maliciously corrupted filesystem can contain cycles in the h-tree
+stored inside a directory. That can easily lead to the kernel corrupting
+tree nodes that were already verified under its hands while doing a node
+split and consequently accessing unallocated memory. Fix the problem by
+verifying traversed block numbers are unique.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/r/20220518093332.13986-2-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/namei.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 1deeaf56645130..7c286cd9fe0304 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -777,12 +777,14 @@ static struct dx_frame *
+ dx_probe(struct ext4_filename *fname, struct inode *dir,
+ struct dx_hash_info *hinfo, struct dx_frame *frame_in)
+ {
+- unsigned count, indirect;
++ unsigned count, indirect, level, i;
+ struct dx_entry *at, *entries, *p, *q, *m;
+ struct dx_root *root;
+ struct dx_frame *frame = frame_in;
+ struct dx_frame *ret_err = ERR_PTR(ERR_BAD_DX_DIR);
+ u32 hash;
++ ext4_lblk_t block;
++ ext4_lblk_t blocks[EXT4_HTREE_LEVEL];
+
+ memset(frame_in, 0, EXT4_HTREE_LEVEL * sizeof(frame_in[0]));
+ frame->bh = ext4_read_dirblock(dir, 0, INDEX);
+@@ -854,6 +856,8 @@ dx_probe(struct ext4_filename *fname, struct inode *dir,
+ }
+
+ dxtrace(printk("Look up %x", hash));
++ level = 0;
++ blocks[0] = 0;
+ while (1) {
+ count = dx_get_count(entries);
+ if (!count || count > dx_get_limit(entries)) {
+@@ -882,15 +886,27 @@ dx_probe(struct ext4_filename *fname, struct inode *dir,
+ dx_get_block(at)));
+ frame->entries = entries;
+ frame->at = at;
+- if (!indirect--)
++
++ block = dx_get_block(at);
++ for (i = 0; i <= level; i++) {
++ if (blocks[i] == block) {
++ ext4_warning_inode(dir,
++ "dx entry: tree cycle block %u points back to block %u",
++ blocks[level], block);
++ goto fail;
++ }
++ }
++ if (++level > indirect)
+ return frame;
++ blocks[level] = block;
+ frame++;
+- frame->bh = ext4_read_dirblock(dir, dx_get_block(at), INDEX);
++ frame->bh = ext4_read_dirblock(dir, block, INDEX);
+ if (IS_ERR(frame->bh)) {
+ ret_err = (struct dx_frame *) frame->bh;
+ frame->bh = NULL;
+ goto fail;
+ }
++
+ entries = ((struct dx_node *) frame->bh->b_data)->entries;
+
+ if (dx_get_limit(entries) != dx_node_limit(dir)) {
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch
new file mode 100644
index 0000000000..753272b2a3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1184_2.patch
@@ -0,0 +1,88 @@
+From ca17db384762be0ec38373a12460081d22a8b42d Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 18 May 2022 11:33:28 +0200
+Subject: [PATCH] ext4: verify dir block before splitting it
+
+commit 46c116b920ebec58031f0a78c5ea9599b0d2a371 upstream.
+
+Before splitting a directory block verify its directory entries are sane
+so that the splitting code does not access memory it should not.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Kara
+Link: https://lore.kernel.org/r/20220518093332.13986-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/namei.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 7f8abd77bc0f79..1deeaf56645130 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -277,9 +277,9 @@ static struct dx_frame *dx_probe(struct ext4_filename *fname,
+ struct dx_hash_info *hinfo,
+ struct dx_frame *frame);
+ static void dx_release(struct dx_frame *frames);
+-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de,
+- unsigned blocksize, struct dx_hash_info *hinfo,
+- struct dx_map_entry map[]);
++static int dx_make_map(struct inode *dir, struct buffer_head *bh,
++ struct dx_hash_info *hinfo,
++ struct dx_map_entry *map_tail);
+ static void dx_sort_map(struct dx_map_entry *map, unsigned count);
+ static struct ext4_dir_entry_2 *dx_move_dirents(struct inode *dir, char *from,
+ char *to, struct dx_map_entry *offsets,
+@@ -1249,15 +1249,23 @@ static inline int search_dirblock(struct buffer_head *bh,
+ * Create map of hash values, offsets, and sizes, stored at end of block.
+ * Returns number of entries mapped.
+ */
+-static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de,
+- unsigned blocksize, struct dx_hash_info *hinfo,
++static int dx_make_map(struct inode *dir, struct buffer_head *bh,
++ struct dx_hash_info *hinfo,
+ struct dx_map_entry *map_tail)
+ {
+ int count = 0;
+- char *base = (char *) de;
++ struct ext4_dir_entry_2 *de = (struct ext4_dir_entry_2 *)bh->b_data;
++ unsigned int buflen = bh->b_size;
++ char *base = bh->b_data;
+ struct dx_hash_info h = *hinfo;
+
+- while ((char *) de < base + blocksize) {
++ if (ext4_has_metadata_csum(dir->i_sb))
++ buflen -= sizeof(struct ext4_dir_entry_tail);
++
++ while ((char *) de < base + buflen) {
++ if (ext4_check_dir_entry(dir, NULL, de, bh, base, buflen,
++ ((char *)de) - base))
++ return -EFSCORRUPTED;
+ if (de->name_len && de->inode) {
+ if (ext4_hash_in_dirent(dir))
+ h.hash = EXT4_DIRENT_HASH(de);
+@@ -1270,8 +1278,7 @@ static int dx_make_map(struct inode *dir, struct ext4_dir_entry_2 *de,
+ count++;
+ cond_resched();
+ }
+- /* XXX: do we need to check rec_len == 0 case? -Chris */
+- de = ext4_next_entry(de, blocksize);
++ de = ext4_next_entry(de, dir->i_sb->s_blocksize);
+ }
+ return count;
+ }
+@@ -1943,8 +1950,11 @@ static struct ext4_dir_entry_2 *do_split(handle_t *handle, struct inode *dir,
+
+ /* create map in the end of data2 block */
+ map = (struct dx_map_entry *) (data2 + blocksize);
+- count = dx_make_map(dir, (struct ext4_dir_entry_2 *) data1,
+- blocksize, hinfo, map);
++ count = dx_make_map(dir, *bh, hinfo, map);
++ if (count < 0) {
++ err = count;
++ goto journal_error;
++ }
+ map -= count;
+ dx_sort_map(map, count);
+ /* Ensure that neither split block is over half full */
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch
new file mode 100644
index 0000000000..074be5ec4c
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1729.patch
@@ -0,0 +1,71 @@
+From e085354dde254bc6c83ee604ea66c2b36f9f9067 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Fri, 20 May 2022 20:38:06 +0200
+Subject: [PATCH] perf: Fix sys_perf_event_open() race against self
+
+commit 3ac6487e584a1eb54071dbe1212e05b884136704 upstream.
+
+Norbert reported that it's possible to race sys_perf_event_open() such
+that the looser ends up in another context from the group leader,
+triggering many WARNs.
+
+The move_group case checks for races against itself, but the
+!move_group case doesn't, seemingly relying on the previous
+group_leader->ctx == ctx check. However, that check is racy due to not
+holding any locks at that time.
+
+Therefore, re-check the result after acquiring locks and bailing
+if they no longer match.
+
+Additionally, clarify the not_move_group case from the
+move_group-vs-move_group race.
+
+Fixes: f63a8daa5812 ("perf: Fix event->ctx locking")
+Reported-by: Norbert Slusarek
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/events/core.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 7c891a8eb32341..565910de92e9b6 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -12283,6 +12283,9 @@ SYSCALL_DEFINE5(perf_event_open,
+ * Do not allow to attach to a group in a different task
+ * or CPU context. If we're moving SW events, we'll fix
+ * this up later, so allow that.
++ *
++ * Racy, not holding group_leader->ctx->mutex, see comment with
++ * perf_event_ctx_lock().
+ */
+ if (!move_group && group_leader->ctx != ctx)
+ goto err_context;
+@@ -12348,6 +12351,7 @@ SYSCALL_DEFINE5(perf_event_open,
+ } else {
+ perf_event_ctx_unlock(group_leader, gctx);
+ move_group = 0;
++ goto not_move_group;
+ }
+ }
+
+@@ -12364,7 +12368,17 @@ SYSCALL_DEFINE5(perf_event_open,
+ }
+ } else {
+ mutex_lock(&ctx->mutex);
++
++ /*
++ * Now that we hold ctx->lock, (re)validate group_leader->ctx == ctx,
++ * see the group_leader && !move_group test earlier.
++ */
++ if (group_leader && group_leader->ctx != ctx) {
++ err = -EINVAL;
++ goto err_locked;
++ }
+ }
++not_move_group:
+
+ if (ctx->task == TASK_TOMBSTONE) {
+ err = -ESRCH;
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch
new file mode 100644
index 0000000000..3af84d90db
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-1998.patch
@@ -0,0 +1,52 @@
+From 60765e43e40fbf7a1df828116172440510fcc3e4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 28 Jan 2022 22:57:01 +0300
+Subject: [PATCH] fanotify: Fix stale file descriptor in copy_event_to_user()
+
+commit ee12595147ac1fbfb5bcb23837e26dd58d94b15d upstream.
+
+This code calls fd_install() which gives the userspace access to the fd.
+Then if copy_info_records_to_user() fails it calls put_unused_fd(fd) but
+that will not release it and leads to a stale entry in the file
+descriptor table.
+
+Generally you can't trust the fd after a call to fd_install(). The fix
+is to delay the fd_install() until everything else has succeeded.
+
+Fortunately it requires CAP_SYS_ADMIN to reach this code so the security
+impact is less.
+
+Fixes: f644bc449b37 ("fanotify: fix copy_event_to_user() fid error clean up")
+Link: https://lore.kernel.org/r/20220128195656.GA26981@kili
+Signed-off-by: Dan Carpenter
+Reviewed-by: Mathias Krause
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/notify/fanotify/fanotify_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
+index 6facdf476255d1..84ec851211d91c 100644
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -611,9 +611,6 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+ if (fanotify_is_perm_event(event->mask))
+ FANOTIFY_PERM(event)->fd = fd;
+
+- if (f)
+- fd_install(fd, f);
+-
+ if (info_mode) {
+ ret = copy_info_records_to_user(event, info, info_mode, pidfd,
+ buf, count);
+@@ -621,6 +618,9 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
+ goto out_close_fd;
+ }
+
++ if (f)
++ fd_install(fd, f);
++
+ return metadata.event_len;
+
+ out_close_fd:
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch
new file mode 100644
index 0000000000..1ac478c679
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20008.patch
@@ -0,0 +1,83 @@
+From f3ff5f75d8f6367eac7556c9db1227bb43e5c615 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20L=C3=B6hle?=
+Date: Fri, 4 Feb 2022 15:11:37 +0000
+Subject: [PATCH] mmc: block: fix read single on recovery logic
+
+commit 54309fde1a352ad2674ebba004a79f7d20b9f037 upstream.
+
+On reads with MMC_READ_MULTIPLE_BLOCK that fail,
+the recovery handler will use MMC_READ_SINGLE_BLOCK for
+each of the blocks, up to MMC_READ_SINGLE_RETRIES times each.
+The logic for this is fixed to never report unsuccessful reads
+as success to the block layer.
+
+On command error with retries remaining, blk_update_request was
+called with whatever value error was set last to.
+In case it was last set to BLK_STS_OK (default), the read will be
+reported as success, even though there was no data read from the device.
+This could happen on a CRC mismatch for the response,
+a card rejecting the command (e.g. again due to a CRC mismatch).
+In case it was last set to BLK_STS_IOERR, the error is reported correctly,
+but no retries will be attempted.
+
+Fixes: 81196976ed946c ("mmc: block: Add blk-mq support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Loehle
+Reviewed-by: Adrian Hunter
+Link: https://lore.kernel.org/r/bc706a6ab08c4fe2834ba0c05a804672@hyperstone.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/block.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
+index 431af5e8be2f89..b575d0bfd0d68c 100644
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -1682,31 +1682,31 @@ static void mmc_blk_read_single(struct mmc_queue *mq, struct request *req)
+ struct mmc_card *card = mq->card;
+ struct mmc_host *host = card->host;
+ blk_status_t error = BLK_STS_OK;
+- int retries = 0;
+
+ do {
+ u32 status;
+ int err;
++ int retries = 0;
+
+- mmc_blk_rw_rq_prep(mqrq, card, 1, mq);
++ while (retries++ <= MMC_READ_SINGLE_RETRIES) {
++ mmc_blk_rw_rq_prep(mqrq, card, 1, mq);
+
+- mmc_wait_for_req(host, mrq);
++ mmc_wait_for_req(host, mrq);
+
+- err = mmc_send_status(card, &status);
+- if (err)
+- goto error_exit;
+-
+- if (!mmc_host_is_spi(host) &&
+- !mmc_ready_for_data(status)) {
+- err = mmc_blk_fix_state(card, req);
++ err = mmc_send_status(card, &status);
+ if (err)
+ goto error_exit;
+- }
+
+- if (mrq->cmd->error && retries++ < MMC_READ_SINGLE_RETRIES)
+- continue;
++ if (!mmc_host_is_spi(host) &&
++ !mmc_ready_for_data(status)) {
++ err = mmc_blk_fix_state(card, req);
++ if (err)
++ goto error_exit;
++ }
+
+- retries = 0;
++ if (!mrq->cmd->error)
++ break;
++ }
+
+ if (mrq->cmd->error ||
+ mrq->data->error ||
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch
new file mode 100644
index 0000000000..99a7655bd7
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-20368.patch
@@ -0,0 +1,114 @@
+From a055f5f2841f7522b44a2b1eccb1951b4b03d51a Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sat, 12 Mar 2022 15:29:58 -0800
+Subject: [PATCH] net/packet: fix slab-out-of-bounds access in packet_recvmsg()
+
+[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ]
+
+syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
+and mmap operations, tpacket_rcv() is queueing skbs with
+garbage in skb->cb[], triggering a too big copy [1]
+
+Presumably, users of af_packet using mmap() already gets correct
+metadata from the mapped buffer, we can simply make sure
+to clear 12 bytes that might be copied to user space later.
+
+BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
+BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
+Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631
+
+CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+ print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
+ __kasan_report mm/kasan/report.c:442 [inline]
+ kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
+ memcpy+0x39/0x60 mm/kasan/shadow.c:66
+ memcpy include/linux/fortify-string.h:225 [inline]
+ packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
+ sock_recvmsg_nosec net/socket.c:948 [inline]
+ sock_recvmsg net/socket.c:966 [inline]
+ sock_recvmsg net/socket.c:962 [inline]
+ ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
+ ___sys_recvmsg+0x127/0x200 net/socket.c:2674
+ __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
+ do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+ do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7fdfd5954c29
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
+RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
+RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
+R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
+
+
+addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
+ ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246
+
+this frame has 1 object:
+ [32, 160) 'addr'
+
+Memory state around the buggy address:
+ ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
+ ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
+>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
+ ^
+ ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
+ ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
+==================================================================
+
+Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/packet/af_packet.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index e00c38f242c320..c0d4a65931de56 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2281,8 +2281,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
+ copy_skb = skb_get(skb);
+ skb_head = skb->data;
+ }
+- if (copy_skb)
++ if (copy_skb) {
++ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
++ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll));
+ skb_set_owner_r(copy_skb, sk);
++ }
+ }
+ snaplen = po->rx_ring.frame_size - macoff;
+ if ((int)snaplen < 0) {
+@@ -3434,6 +3437,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ sock_recv_ts_and_drops(msg, sk, skb);
+
+ if (msg->msg_name) {
++ const size_t max_len = min(sizeof(skb->cb),
++ sizeof(struct sockaddr_storage));
+ int copy_len;
+
+ /* If the address length field is there to be filled
+@@ -3456,6 +3461,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ msg->msg_namelen = sizeof(struct sockaddr_ll);
+ }
+ }
++ if (WARN_ON_ONCE(copy_len > max_len)) {
++ copy_len = max_len;
++ msg->msg_namelen = copy_len;
++ }
+ memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
+ }
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch
new file mode 100644
index 0000000000..189b6ce194
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2503.patch
@@ -0,0 +1,35 @@
+From 69712b170237ec5979f168149cd31e851a465853 Mon Sep 17 00:00:00 2001
+From: Sarthak Kukreti
+Date: Tue, 31 May 2022 15:56:40 -0400
+Subject: [PATCH] dm verity: set DM_TARGET_IMMUTABLE feature flag
+
+commit 4caae58406f8ceb741603eee460d79bacca9b1b5 upstream.
+
+The device-mapper framework provides a mechanism to mark targets as
+immutable (and hence fail table reloads that try to change the target
+type). Add the DM_TARGET_IMMUTABLE flag to the dm-verity target's
+feature flags to prevent switching the verity target with a different
+target type.
+
+Fixes: a4ffc152198e ("dm: add verity target")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sarthak Kukreti
+Reviewed-by: Kees Cook
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-verity-target.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
+index 88288c8d6bc8c0..426299ceb33d7d 100644
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -1312,6 +1312,7 @@ static int verity_ctr(struct dm_target *ti, unsigned argc, char **argv)
+
+ static struct target_type verity_target = {
+ .name = "verity",
++ .features = DM_TARGET_IMMUTABLE,
+ .version = {1, 8, 0},
+ .module = THIS_MODULE,
+ .ctr = verity_ctr,
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch
new file mode 100644
index 0000000000..5f231cfe47
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2938.patch
@@ -0,0 +1,249 @@
+From d3e4c61e143e69671803ef3f52140cf7a7258ee7 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan
+Date: Tue, 11 Jan 2022 15:23:09 -0800
+Subject: [PATCH] psi: Fix uaf issue when psi trigger is destroyed while being
+ polled
+
+commit a06247c6804f1a7c86a2e5398a4c1f1db1471848 upstream.
+
+With write operation on psi files replacing old trigger with a new one,
+the lifetime of its waitqueue is totally arbitrary. Overwriting an
+existing trigger causes its waitqueue to be freed and pending poll()
+will stumble on trigger->event_wait which was destroyed.
+Fix this by disallowing to redefine an existing psi trigger. If a write
+operation is used on a file descriptor with an already existing psi
+trigger, the operation will fail with EBUSY error.
+Also bypass a check for psi_disabled in the psi_trigger_destroy as the
+flag can be flipped after the trigger is created, leading to a memory
+leak.
+
+Fixes: 0e94682b73bf ("psi: introduce psi monitor")
+Reported-by: syzbot+cdb5dd11c97cc532efad@syzkaller.appspotmail.com
+Suggested-by: Linus Torvalds
+Analyzed-by: Eric Biggers
+Signed-off-by: Suren Baghdasaryan
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Eric Biggers
+Acked-by: Johannes Weiner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20220111232309.1786347-1-surenb@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/accounting/psi.rst | 3 +-
+ include/linux/psi.h | 2 +-
+ include/linux/psi_types.h | 3 --
+ kernel/cgroup/cgroup.c | 11 ++++--
+ kernel/sched/psi.c | 66 ++++++++++++++------------------
+ 5 files changed, 40 insertions(+), 45 deletions(-)
+
+diff --git a/Documentation/accounting/psi.rst b/Documentation/accounting/psi.rst
+index f2b3439edcc2cc..860fe651d6453e 100644
+--- a/Documentation/accounting/psi.rst
++++ b/Documentation/accounting/psi.rst
+@@ -92,7 +92,8 @@ Triggers can be set on more than one psi metric and more than one trigger
+ for the same psi metric can be specified. However for each trigger a separate
+ file descriptor is required to be able to poll it separately from others,
+ therefore for each trigger a separate open() syscall should be made even
+-when opening the same psi interface file.
++when opening the same psi interface file. Write operations to a file descriptor
++with an already existing psi trigger will fail with EBUSY.
+
+ Monitors activate only when system enters stall state for the monitored
+ psi metric and deactivates upon exit from the stall state. While system is
+diff --git a/include/linux/psi.h b/include/linux/psi.h
+index 65eb1476ac7056..74f7148dfb9f4c 100644
+--- a/include/linux/psi.h
++++ b/include/linux/psi.h
+@@ -32,7 +32,7 @@ void cgroup_move_task(struct task_struct *p, struct css_set *to);
+
+ struct psi_trigger *psi_trigger_create(struct psi_group *group,
+ char *buf, size_t nbytes, enum psi_res res);
+-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *t);
++void psi_trigger_destroy(struct psi_trigger *t);
+
+ __poll_t psi_trigger_poll(void **trigger_ptr, struct file *file,
+ poll_table *wait);
+diff --git a/include/linux/psi_types.h b/include/linux/psi_types.h
+index 0819c82dba920a..6f190002a20224 100644
+--- a/include/linux/psi_types.h
++++ b/include/linux/psi_types.h
+@@ -140,9 +140,6 @@ struct psi_trigger {
+ * events to one per window
+ */
+ u64 last_event_time;
+-
+- /* Refcounting to prevent premature destruction */
+- struct kref refcount;
+ };
+
+ struct psi_group {
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index bb1a78ff14374e..de8b4fa1e1fd68 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -3642,6 +3642,12 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
+ cgroup_get(cgrp);
+ cgroup_kn_unlock(of->kn);
+
++ /* Allow only one trigger per file descriptor */
++ if (ctx->psi.trigger) {
++ cgroup_put(cgrp);
++ return -EBUSY;
++ }
++
+ psi = cgroup_ino(cgrp) == 1 ? &psi_system : &cgrp->psi;
+ new = psi_trigger_create(psi, buf, nbytes, res);
+ if (IS_ERR(new)) {
+@@ -3649,8 +3655,7 @@ static ssize_t cgroup_pressure_write(struct kernfs_open_file *of, char *buf,
+ return PTR_ERR(new);
+ }
+
+- psi_trigger_replace(&ctx->psi.trigger, new);
+-
++ smp_store_release(&ctx->psi.trigger, new);
+ cgroup_put(cgrp);
+
+ return nbytes;
+@@ -3689,7 +3694,7 @@ static void cgroup_pressure_release(struct kernfs_open_file *of)
+ {
+ struct cgroup_file_ctx *ctx = of->priv;
+
+- psi_trigger_replace(&ctx->psi.trigger, NULL);
++ psi_trigger_destroy(ctx->psi.trigger);
+ }
+
+ bool cgroup_psi_enabled(void)
+diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
+index 69b19d3af690ff..ab460f8b77d13a 100644
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -1162,7 +1162,6 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
+ t->event = 0;
+ t->last_event_time = 0;
+ init_waitqueue_head(&t->event_wait);
+- kref_init(&t->refcount);
+
+ mutex_lock(&group->trigger_lock);
+
+@@ -1191,15 +1190,19 @@ struct psi_trigger *psi_trigger_create(struct psi_group *group,
+ return t;
+ }
+
+-static void psi_trigger_destroy(struct kref *ref)
++void psi_trigger_destroy(struct psi_trigger *t)
+ {
+- struct psi_trigger *t = container_of(ref, struct psi_trigger, refcount);
+- struct psi_group *group = t->group;
++ struct psi_group *group;
+ struct task_struct *task_to_destroy = NULL;
+
+- if (static_branch_likely(&psi_disabled))
++ /*
++ * We do not check psi_disabled since it might have been disabled after
++ * the trigger got created.
++ */
++ if (!t)
+ return;
+
++ group = t->group;
+ /*
+ * Wakeup waiters to stop polling. Can happen if cgroup is deleted
+ * from under a polling process.
+@@ -1235,9 +1238,9 @@ static void psi_trigger_destroy(struct kref *ref)
+ mutex_unlock(&group->trigger_lock);
+
+ /*
+- * Wait for both *trigger_ptr from psi_trigger_replace and
+- * poll_task RCUs to complete their read-side critical sections
+- * before destroying the trigger and optionally the poll_task
++ * Wait for psi_schedule_poll_work RCU to complete its read-side
++ * critical section before destroying the trigger and optionally the
++ * poll_task.
+ */
+ synchronize_rcu();
+ /*
+@@ -1254,18 +1257,6 @@ static void psi_trigger_destroy(struct kref *ref)
+ kfree(t);
+ }
+
+-void psi_trigger_replace(void **trigger_ptr, struct psi_trigger *new)
+-{
+- struct psi_trigger *old = *trigger_ptr;
+-
+- if (static_branch_likely(&psi_disabled))
+- return;
+-
+- rcu_assign_pointer(*trigger_ptr, new);
+- if (old)
+- kref_put(&old->refcount, psi_trigger_destroy);
+-}
+-
+ __poll_t psi_trigger_poll(void **trigger_ptr,
+ struct file *file, poll_table *wait)
+ {
+@@ -1275,24 +1266,15 @@ __poll_t psi_trigger_poll(void **trigger_ptr,
+ if (static_branch_likely(&psi_disabled))
+ return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
+
+- rcu_read_lock();
+-
+- t = rcu_dereference(*(void __rcu __force **)trigger_ptr);
+- if (!t) {
+- rcu_read_unlock();
++ t = smp_load_acquire(trigger_ptr);
++ if (!t)
+ return DEFAULT_POLLMASK | EPOLLERR | EPOLLPRI;
+- }
+- kref_get(&t->refcount);
+-
+- rcu_read_unlock();
+
+ poll_wait(file, &t->event_wait, wait);
+
+ if (cmpxchg(&t->event, 1, 0) == 1)
+ ret |= EPOLLPRI;
+
+- kref_put(&t->refcount, psi_trigger_destroy);
+-
+ return ret;
+ }
+
+@@ -1316,14 +1298,24 @@ static ssize_t psi_write(struct file *file, const char __user *user_buf,
+
+ buf[buf_size - 1] = '\0';
+
+- new = psi_trigger_create(&psi_system, buf, nbytes, res);
+- if (IS_ERR(new))
+- return PTR_ERR(new);
+-
+ seq = file->private_data;
++
+ /* Take seq->lock to protect seq->private from concurrent writes */
+ mutex_lock(&seq->lock);
+- psi_trigger_replace(&seq->private, new);
++
++ /* Allow only one trigger per file descriptor */
++ if (seq->private) {
++ mutex_unlock(&seq->lock);
++ return -EBUSY;
++ }
++
++ new = psi_trigger_create(&psi_system, buf, nbytes, res);
++ if (IS_ERR(new)) {
++ mutex_unlock(&seq->lock);
++ return PTR_ERR(new);
++ }
++
++ smp_store_release(&seq->private, new);
+ mutex_unlock(&seq->lock);
+
+ return nbytes;
+@@ -1358,7 +1350,7 @@ static int psi_fop_release(struct inode *inode, struct file *file)
+ {
+ struct seq_file *seq = file->private_data;
+
+- psi_trigger_replace(&seq->private, NULL);
++ psi_trigger_destroy(seq->private);
+ return single_release(inode, file);
+ }
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch
new file mode 100644
index 0000000000..f8117d0a71
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-2959.patch
@@ -0,0 +1,97 @@
+From 189b0ddc245139af81198d1a3637cac74f96e13a Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Thu, 26 May 2022 07:34:52 +0100
+Subject: [PATCH] pipe: Fix missing lock in pipe_resize_ring()
+
+pipe_resize_ring() needs to take the pipe->rd_wait.lock spinlock to
+prevent post_one_notification() from trying to insert into the ring
+whilst the ring is being replaced.
+
+The occupancy check must be done after the lock is taken, and the lock
+must be taken after the new ring is allocated.
+
+The bug can lead to an oops looking something like:
+
+ BUG: KASAN: use-after-free in post_one_notification.isra.0+0x62e/0x840
+ Read of size 4 at addr ffff88801cc72a70 by task poc/27196
+ ...
+ Call Trace:
+ post_one_notification.isra.0+0x62e/0x840
+ __post_watch_notification+0x3b7/0x650
+ key_create_or_update+0xb8b/0xd20
+ __do_sys_add_key+0x175/0x340
+ __x64_sys_add_key+0xbe/0x140
+ do_syscall_64+0x5c/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Reported by Selim Enes Karaduman @Enesdex working with Trend Micro Zero
+Day Initiative.
+
+Fixes: c73be61cede5 ("pipe: Add general notification queue support")
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-17291
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+---
+ fs/pipe.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index e140ea150bbb14..11358569a7779a 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -1245,30 +1245,33 @@ unsigned int round_pipe_size(unsigned long size)
+
+ /*
+ * Resize the pipe ring to a number of slots.
++ *
++ * Note the pipe can be reduced in capacity, but only if the current
++ * occupancy doesn't exceed nr_slots; if it does, EBUSY will be
++ * returned instead.
+ */
+ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
+ {
+ struct pipe_buffer *bufs;
+ unsigned int head, tail, mask, n;
+
+- /*
+- * We can shrink the pipe, if arg is greater than the ring occupancy.
+- * Since we don't expect a lot of shrink+grow operations, just free and
+- * allocate again like we would do for growing. If the pipe currently
+- * contains more buffers than arg, then return busy.
+- */
+- mask = pipe->ring_size - 1;
+- head = pipe->head;
+- tail = pipe->tail;
+- n = pipe_occupancy(pipe->head, pipe->tail);
+- if (nr_slots < n)
+- return -EBUSY;
+-
+ bufs = kcalloc(nr_slots, sizeof(*bufs),
+ GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
+ if (unlikely(!bufs))
+ return -ENOMEM;
+
++ spin_lock_irq(&pipe->rd_wait.lock);
++ mask = pipe->ring_size - 1;
++ head = pipe->head;
++ tail = pipe->tail;
++
++ n = pipe_occupancy(head, tail);
++ if (nr_slots < n) {
++ spin_unlock_irq(&pipe->rd_wait.lock);
++ kfree(bufs);
++ return -EBUSY;
++ }
++
+ /*
+ * The pipe array wraps around, so just start the new one at zero
+ * and adjust the indices.
+@@ -1300,6 +1303,8 @@ int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
+ pipe->tail = tail;
+ pipe->head = head;
+
++ spin_unlock_irq(&pipe->rd_wait.lock);
++
+ /* This might have made more room for writers */
+ wake_up_interruptible(&pipe->wr_wait);
+ return 0;
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch
new file mode 100644
index 0000000000..9e9da26d02
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-30594.patch
@@ -0,0 +1,103 @@
+From ee1fee900537b5d9560e9f937402de5ddc8412f3 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Sat, 19 Mar 2022 02:08:37 +0100
+Subject: [PATCH] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
+ PTRACE_SEIZE
+
+Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged
+operation because it allows the tracee to completely bypass all seccomp
+filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to
+be settable by a process with global CAP_SYS_ADMIN, and only if that
+process is not subject to any seccomp filters at all.
+
+However, while these permission checks were done on the PTRACE_SETOPTIONS
+path, they were missing on the PTRACE_SEIZE path, which also sets
+user-specified ptrace flags.
+
+Move the permissions checks out into a helper function and let both
+ptrace_attach() and ptrace_setoptions() call it.
+
+Cc: stable@kernel.org
+Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume")
+Signed-off-by: Jann Horn
+Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com
+Signed-off-by: Eric W. Biederman
+---
+ kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 15 deletions(-)
+
+diff --git a/kernel/ptrace.c b/kernel/ptrace.c
+index eea265082e9752..ccc4b465775b82 100644
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struct *task, unsigned int mode)
+ return !err;
+ }
+
++static int check_ptrace_options(unsigned long data)
++{
++ if (data & ~(unsigned long)PTRACE_O_MASK)
++ return -EINVAL;
++
++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) ||
++ !IS_ENABLED(CONFIG_SECCOMP))
++ return -EINVAL;
++
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED ||
++ current->ptrace & PT_SUSPEND_SECCOMP)
++ return -EPERM;
++ }
++ return 0;
++}
++
+ static int ptrace_attach(struct task_struct *task, long request,
+ unsigned long addr,
+ unsigned long flags)
+@@ -382,8 +402,16 @@ static int ptrace_attach(struct task_struct *task, long request,
+ if (seize) {
+ if (addr != 0)
+ goto out;
++ /*
++ * This duplicates the check in check_ptrace_options() because
++ * ptrace_attach() and ptrace_setoptions() have historically
++ * used different error codes for unknown ptrace options.
++ */
+ if (flags & ~(unsigned long)PTRACE_O_MASK)
+ goto out;
++ retval = check_ptrace_options(flags);
++ if (retval)
++ return retval;
+ flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT);
+ } else {
+ flags = PT_PTRACED;
+@@ -654,22 +682,11 @@ int ptrace_writedata(struct task_struct *tsk, char __user *src, unsigned long ds
+ static int ptrace_setoptions(struct task_struct *child, unsigned long data)
+ {
+ unsigned flags;
++ int ret;
+
+- if (data & ~(unsigned long)PTRACE_O_MASK)
+- return -EINVAL;
+-
+- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) {
+- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) ||
+- !IS_ENABLED(CONFIG_SECCOMP))
+- return -EINVAL;
+-
+- if (!capable(CAP_SYS_ADMIN))
+- return -EPERM;
+-
+- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED ||
+- current->ptrace & PT_SUSPEND_SECCOMP)
+- return -EPERM;
+- }
++ ret = check_ptrace_options(data);
++ if (ret)
++ return ret;
+
+ /* Avoid intermediate state when all opts are cleared */
+ flags = child->ptrace;
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch
new file mode 100644
index 0000000000..5772f7e130
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-32296.patch
@@ -0,0 +1,61 @@
+From dff5a6126ede802f8df7485b122bf265ad7c69aa Mon Sep 17 00:00:00 2001
+From: Manish Baing
+Date: Tue, 21 Jun 2022 05:44:53 +0000
+Subject: [PATCH] tcp: increase source port perturb table to 2^16
+
+Moshe Kol, Amit Klein, and Yossi Gilad reported being able to accurately
+identify a client by forcing it to emit only 40 times more connections
+than there are entries in the table_perturb[] table. The previous two
+improvements consisting in resalting the secret every 10s and adding
+randomness to each port selection only slightly improved the situation,
+and the current value of 2^8 was too small as it's not very difficult
+to make a client emit 10k connections in less than 10 seconds.
+
+Thus we're increasing the perturb table from 2^8 to 2^16 so that the
+same precision now requires 2.6M connections, which is more difficult in
+this time frame and harder to hide as a background activity. The impact
+is that the table now uses 256 kB instead of 1 kB, which could mostly
+affect devices making frequent outgoing connections. However such
+components usually target a small set of destinations (load balancers,
+database clients, perf assessment tools), and in practice only a few
+entries will be visited, like before.
+
+A live test at 1 million connections per second showed no performance
+difference from the previous value.
+
+Reported-by: Moshe Kol
+Reported-by: Yossi Gilad
+Reported-by: Amit Klein
+Reviewed-by: Eric Dumazet
+Signed-off-by: Willy Tarreau
+Signed-off-by: Jakub Kicinski
+
+Source: https://github.com/openbmc/linux/commit/4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5
+---
+ net/ipv4/inet_hashtables.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
+index bfb522e51346..86efce0cf4eb 100644
+--- a/net/ipv4/inet_hashtables.c
++++ b/net/ipv4/inet_hashtables.c
+@@ -715,11 +715,12 @@ EXPORT_SYMBOL_GPL(inet_unhash);
+ * Note that we use 32bit integers (vs RFC 'short integers')
+ * because 2^16 is not a multiple of num_ephemeral and this
+ * property might be used by clever attacker.
+- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
+- * we use 256 instead to really give more isolation and
+- * privacy, this only consumes 1 KB of kernel memory.
++ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
++ * attacks were since demonstrated, thus we use 65536 instead to really
++ * give more isolation and privacy, at the expense of 256kB of kernel
++ * memory.
+ */
+-#define INET_TABLE_PERTURB_SHIFT 8
++#define INET_TABLE_PERTURB_SHIFT 16
+ static u32 table_perturb[1 << INET_TABLE_PERTURB_SHIFT];
+
+ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch
new file mode 100644
index 0000000000..66f34dcb1e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2022-40476.patch
@@ -0,0 +1,35 @@
+From 3746d62ecf1c872a520c4866118edccb121c44fd Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Thu, 23 Jun 2022 11:06:43 -0600
+Subject: [PATCH] io_uring: use original request task for inflight tracking
+
+commit 386e4fb6962b9f248a80f8870aea0870ca603e89 upstream.
+
+In prior kernels, we did file assignment always at prep time. This meant
+that req->task == current. But after deferring that assignment and then
+pushing the inflight tracking back in, we've got the inflight tracking
+using current when it should in fact now be using req->task.
+
+Fixup that error introduced by adding the inflight tracking back after
+file assignments got modifed.
+
+Fixes: 9cae36a094e7 ("io_uring: reinstate the inflight tracking")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 0ce1587df43221..89f24b54fe5e8d 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1405,7 +1405,7 @@ static void io_req_track_inflight(struct io_kiocb *req)
+ {
+ if (!(req->flags & REQ_F_INFLIGHT)) {
+ req->flags |= REQ_F_INFLIGHT;
+- atomic_inc(¤t->io_uring->inflight_tracked);
++ atomic_inc(&req->task->io_uring->inflight_tracked);
+ }
+ }
+
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
index 1ddfbd7261..a8d09586ba 100644
--- a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed_%.bbappend
@@ -29,6 +29,26 @@ SRC_URI += " \
file://CVE-2021-4197-003.patch\
file://CVE-2021-44733.patch\
file://CVE-2022-29582.patch\
+ file://CVE-2022-30594.patch\
+ file://CVE-2022-20008.patch\
+ file://CVE-2022-1998.patch\
+ file://CVE-2022-32296.patch\
+ file://CVE-2021-39685.patch\
+ file://CVE-2021-39685-1.patch\
+ file://CVE-2021-39685-2.patch\
+ file://CVE-2021-39698.patch\
+ file://CVE-2021-39698-1.patch\
+ file://CVE-2021-4083.patch\
+ file://CVE-2022-1729.patch\
+ file://CVE-2022-1184_1.patch\
+ file://CVE-2022-1184_2.patch\
+ file://CVE-2022-2938.patch\
+ file://CVE-2022-2959.patch\
+ file://CVE-2022-1012.patch\
+ file://CVE-2022-2503.patch\
+ file://CVE-2022-20368.patch\
+ file://CVE-2022-0168.patch\
+ file://CVE-2022-40476.patch\
"
SRC_URI += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', 'file://1000-128MB-flashmap-for-PFR.patch', '', d)}"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch
new file mode 100644
index 0000000000..d88d45ff50
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb/0036-PCIeFunctions-not-showing-in-Redfish.patch
@@ -0,0 +1,62 @@
+From 2939f827a10f0104d06d74d9744dffeae6b1af7a Mon Sep 17 00:00:00 2001
+From: "D M, Karthik"
+Date: Tue, 14 Jun 2022 09:46:20 +0530
+Subject: [PATCH] PCIeFunctions not showing in Redfish
+
+For PCIe devices which do not have PCIeType, will not get
+PCIeFunctions populated due to a "return" statement while parsing
+for PCIeType.
+
+Missing Data:
+"PCIeFunctions": {
+"@odata.id": "/redfish/v1/Systems/system/PCIeDevices//PCIeFunctions"
+}
+
+Tested for all 3 PCIe devices, PCIeFunction details after fixing
+{
+"@odata.id": "/redfish/v1/Systems/system/PCIeDevices/S0B3D0",
+"@odata.type": "#PCIeDevice.v1_4_0.PCIeDevice",
+"DeviceType": "SingleFunction",
+"Id": "S0B3D0",
+"Manufacturer": "ASPEED Technology Inc.",
+"Name": "PCIe Device",
+"PCIeFunctions": {
+"@odata.id": "/redfish/v1/Systems/system/PCIeDevices/S0B3D0/PCIeFunctions"
+}
+}
+
+Signed-off-by: D M, Karthik
+---
+ redfish-core/lib/pcie.hpp | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/redfish-core/lib/pcie.hpp b/redfish-core/lib/pcie.hpp
+index 1b9e28e..95c2b2c 100644
+--- a/redfish-core/lib/pcie.hpp
++++ b/redfish-core/lib/pcie.hpp
+@@ -176,6 +176,11 @@ inline void requestRoutesSystemPCIeDevice(App& app)
+ {"Name", "PCIe Device"},
+ {"Id", device}};
+
++ asyncResp->res.jsonValue["PCIeFunctions"] = {
++ {"@odata.id",
++ "/redfish/v1/Systems/system/PCIeDevices/" +
++ device + "/PCIeFunctions"}};
++
+ if (std::string* property = std::get_if(
+ &pcieDevProperties["Manufacturer"]);
+ property)
+@@ -226,10 +231,6 @@ inline void requestRoutesSystemPCIeDevice(App& app)
+ .jsonValue["PCIeInterface"]["PCIeType"] =
+ *generationInUse;
+ }
+- asyncResp->res.jsonValue["PCIeFunctions"] = {
+- {"@odata.id",
+- "/redfish/v1/Systems/system/PCIeDevices/" +
+- device + "/PCIeFunctions"}};
+ };
+ std::string escapedPath = std::string(pciePath) + "/" + device;
+ dbus::utility::escapePathForDbus(escapedPath);
+--
+2.20.0.windows.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend
index 45622be308..d5e7a6dd29 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/interfaces/bmcweb_%.bbappend
@@ -31,6 +31,7 @@ SRC_URI += "file://0001-Firmware-update-configuration-changes.patch \
file://0033-Add-message-registry-entry-for-Memhot-event.patch \
file://0034-Update-odata.type-version-of-redfish-v1-AccountService.patch \
file://0035-Add-MemoryMetrics-schema-file.patch \
+ file://0036-PCIeFunctions-not-showing-in-Redfish.patch \
"
# OOB Bios Config:
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb
index 1573b53470..5ea48b2348 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/nvmemi-daemon.bb
@@ -5,7 +5,7 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
SRC_URI = "git://git@github.com/Intel-BMC/nvme-mi.git;protocol=ssh;branch=master"
-SRCREV = "8bcc5ef307ac4445d9589d0c866d13455c46b811"
+SRCREV = "b6f50e04516962a4e94fe9340251999f154197c4"
S = "${WORKDIR}/git"
PV = "1.0+git${SRCPV}"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb
index fccf18cb93..2ef0b4e95b 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/pmci/pldmd.bb
@@ -5,7 +5,7 @@ LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
SRC_URI += "git://git@github.com/Intel-BMC/pldmd.git;protocol=ssh;branch=1-release"
-SRCREV = "dd493b97dd7b243738e2d00c983a82a8a6d05db0"
+SRCREV = "2c3522ec89828d5abed265b4f460e77b4c580ae4"
S = "${WORKDIR}/git"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch
new file mode 100644
index 0000000000..f4282a767b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0015-Fix-for-PSU2-Power-lost-RedFish-events.patch
@@ -0,0 +1,124 @@
+From bb67f9718411fc9e485d945b8ec13a61f5fec2be Mon Sep 17 00:00:00 2001
+From: Jitendra Tripathy
+Date: Fri, 24 Jun 2022 09:13:30 +0000
+Subject: [PATCH] Fix for PSU2 Power-lost RedFish events
+
+In a dual power supply system, after Removing the PSU2 power
+cable/module, power-lost RedFish events are not getting logged in the
+RedFish logs. Only SEL entries are getting logged for PSU2. But all the
+events are getting logged for PSU1 in the redfish logs.
+
+To get PSU2 events also, replace async_wait instead of async_read_until
+while reading the hwmon files.
+
+Tested:
+1. The system should have connected with dual PSU's which are drawing
+same power.
+2. Verified both PSU are connected by executing below ipmitool command.
+"ipmitool fru"
+3. Removed one of 1600W PSU, which server holding 2 PSU's drawing 1600W.
+4. Above step try for both PSU1 and PSU2 by removing and connecting.
+5. Verified for both PSU1 and PSU2, eventlogs generated on Redfish
+respectively.
+Get: https:///redfish/v1/Systems/system/LogServices/
+ EventLog/Entries
+
+Signed-off-by: Jitendra Tripathy
+---
+ include/PSUEvent.hpp | 1 -
+ src/PSUEvent.cpp | 42 +++++++++++++++++++++---------------------
+ 2 files changed, 21 insertions(+), 22 deletions(-)
+
+diff --git a/include/PSUEvent.hpp b/include/PSUEvent.hpp
+index 3a39164..72abbae 100644
+--- a/include/PSUEvent.hpp
++++ b/include/PSUEvent.hpp
+@@ -57,7 +57,6 @@ class PSUSubEvent : public std::enable_shared_from_this
+
+ PowerState readState;
+ boost::asio::deadline_timer waitTimer;
+- std::shared_ptr readBuf;
+ void restartRead();
+ void handleResponse(const boost::system::error_code& err);
+ void updateValue(const int& newValue);
+diff --git a/src/PSUEvent.cpp b/src/PSUEvent.cpp
+index 44275a3..446f14f 100644
+--- a/src/PSUEvent.cpp
++++ b/src/PSUEvent.cpp
+@@ -157,7 +157,7 @@ PSUSubEvent::PSUSubEvent(
+ {
+ eventPollMs = static_cast(pollRate * 1000);
+ }
+- fd = open(path.c_str(), O_RDONLY);
++ fd = open(path.c_str(), O_RDONLY | O_NONBLOCK);
+ if (fd < 0)
+ {
+ std::cerr << "PSU sub event failed to open file\n";
+@@ -205,20 +205,15 @@ void PSUSubEvent::setupRead(void)
+ return;
+ }
+
+- std::shared_ptr buffer =
+- std::make_shared();
+ std::weak_ptr weakRef = weak_from_this();
+- boost::asio::async_read_until(
+- inputDev, *buffer, '\n',
+- [weakRef, buffer](const boost::system::error_code& ec,
+- std::size_t /*bytes_transfered*/) {
+- std::shared_ptr self = weakRef.lock();
+- if (self)
+- {
+- self->readBuf = buffer;
+- self->handleResponse(ec);
+- }
+- });
++ inputDev.async_wait(boost::asio::posix::descriptor_base::wait_read,
++ [weakRef](const boost::system::error_code& ec) {
++ std::shared_ptr self = weakRef.lock();
++ if (self)
++ {
++ self->handleResponse(ec);
++ }
++ });
+ }
+
+ void PSUSubEvent::restartRead()
+@@ -238,23 +233,28 @@ void PSUSubEvent::restartRead()
+ });
+ }
+
++// Create a buffer expected to be able to hold more characters than will be
++// present in the input file.
++static constexpr uint32_t psuBufLen = 128;
+ void PSUSubEvent::handleResponse(const boost::system::error_code& err)
+ {
+ if ((err == boost::system::errc::bad_file_descriptor) ||
+ (err == boost::asio::error::misc_errors::not_found))
+ {
++ std::cerr << "Bad file descriptor for " << path << "\n";
+ return;
+ }
+- std::istream responseStream(readBuf.get());
+- if (!err)
++
++ std::string buffer;
++ buffer.resize(psuBufLen);
++ lseek(fd, 0, SEEK_SET);
++ int rdLen = read(fd, buffer.data(), psuBufLen);
++
++ if (rdLen > 0)
+ {
+- std::string response;
+ try
+ {
+- std::getline(responseStream, response);
+- int nvalue = std::stoi(response);
+- responseStream.clear();
+-
++ int nvalue = std::stoi(buffer);
+ updateValue(nvalue);
+ errCount = 0;
+ }
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch
new file mode 100644
index 0000000000..b7141513b4
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors/0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch
@@ -0,0 +1,44 @@
+From d8583d8b347b2f4c3d6e84f333df4cd137085189 Mon Sep 17 00:00:00 2001
+From: Jayaprakash Mutyala
+Date: Mon, 4 Jul 2022 16:03:35 +0000
+Subject: [PATCH] Ignore VR sensor readings if content is 0xFF
+
+As per NM 6.0 specification SPS FW will return 0xFF in certain
+erroneous condition with error code stating transaction successful.
+BMC need to ignore such readings.
+
+Tested:
+Verified by monitoring more than 1 hour, ignored VR sensor readings when
+content is 0xFF.
+
+Signed-off-by: Vikash Chandola vikash.chandola@intel.com
+Signed-off-by: Jayaprakash Mutyala
+---
+ src/IpmbSensor.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/IpmbSensor.cpp b/src/IpmbSensor.cpp
+index 2cb2495..a41209d 100644
+--- a/src/IpmbSensor.cpp
++++ b/src/IpmbSensor.cpp
+@@ -321,7 +321,16 @@ void IpmbSensor::checkThresholds(void)
+
+ bool IpmbSensor::processReading(const std::vector& data, double& resp)
+ {
+-
++ if (isReadMe && data.size() >= 5)
++ {
++ // This is VR sensor. Mark failure if byte at index 3 and 4 are 0xFF
++ if (data[3] == 0xFF && data[4] == 0xFF)
++ {
++ std::cerr << name << " value is 0xFFFF. Marking error\n";
++ markFunctional(false);
++ return false;
++ }
++ }
+ switch (readingFormat)
+ {
+ case (ReadingFormat::byte0):
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend
index 8f7440120e..a9d4a7627e 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/sensors/dbus-sensors_%.bbappend
@@ -20,6 +20,8 @@ SRC_URI += "\
file://0012-Serialize-cpusensor-polling.patch \
file://0013-Add-dummy-cpu-sensor-flag.patch \
file://0014-Treat-zero-temperatures-readings-as-errors-in-IpmbSe.patch \
+ file://0015-Fix-for-PSU2-Power-lost-RedFish-events.patch \
+ file://0016-Ignore-VR-sensor-readings-if-content-is-0xFF.patch \
"
DEPENDS:append = " libgpiod libmctp"
diff --git a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend
index 0f2db3f1a4..5e2ba584ce 100644
--- a/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-phosphor/telemetry/telemetry_%.bbappend
@@ -1,6 +1,8 @@
SRC_URI = "git://github.com/openbmc/telemetry.git"
-SRCREV = "51f0fd501f4b772533271d15cb27d396186a7192"
+SRCREV = "aa4a9dc5ccae9f210d0d63f99b22154c97e53c19"
EXTRA_OEMESON += " -Dmax-reports=10"
+EXTRA_OEMESON += " -Dmax-triggers=0"
+EXTRA_OEMESON += " -Dmax-append-limit=0"
EXTRA_OEMESON += " -Dmax-reading-parameters=200"
EXTRA_OEMESON += " -Dmin-interval=1000"
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch
new file mode 100644
index 0000000000..dc7b59f7f2
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch
@@ -0,0 +1,171 @@
+From 48d7064a49148f03942380967da739dcde1cdc24 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 26 Jun 2022 11:00:48 +0200
+Subject: [PATCH] cookie: apply limits
+
+- Send no more than 150 cookies per request
+- Cap the max length used for a cookie: header to 8K
+- Cap the max number of received Set-Cookie: headers to 50
+
+Bug: https://curl.se/docs/CVE-2022-32205.html
+CVE-2022-32205
+Reported-by: Harry Sintonen
+Closes #9048
+---
+ lib/cookie.c | 14 ++++++++++++--
+ lib/cookie.h | 21 +++++++++++++++++++--
+ lib/http.c | 13 +++++++++++--
+ lib/urldata.h | 1 +
+ 4 files changed, 43 insertions(+), 6 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index a308346a777bc..a1ab89532033b 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -482,6 +482,10 @@ Curl_cookie_add(struct Curl_easy *data,
+ (void)data;
+ #endif
+
++ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
++ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
++ return NULL;
++
+ /* First, alloc and init a new struct for it */
+ co = calloc(1, sizeof(struct Cookie));
+ if(!co)
+@@ -821,7 +825,7 @@ Curl_cookie_add(struct Curl_easy *data,
+ freecookie(co);
+ return NULL;
+ }
+-
++ data->req.setcookies++;
+ }
+ else {
+ /*
+@@ -1375,7 +1379,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ *
+ * It shall only return cookies that haven't expired.
+ */
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
++ struct CookieInfo *c,
+ const char *host, const char *path,
+ bool secure)
+ {
+@@ -1430,6 +1435,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
+ mainco = newco;
+
+ matches++;
++ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
++ infof(data, "Included max number of cookies (%u) in request!",
++ matches);
++ break;
++ }
+ }
+ else
+ goto fail;
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 453dfced8a342..abc0a2e8a01ad 100644
+--- a/lib/cookie.h
++++ b/lib/cookie.h
+@@ -83,10 +83,26 @@ struct CookieInfo {
+ */
+ #define MAX_COOKIE_LINE 5000
+
+-/* This is the maximum length of a cookie name or content we deal with: */
++/* Maximum length of an incoming cookie name or content we deal with. Longer
++ cookies are ignored. */
+ #define MAX_NAME 4096
+ #define MAX_NAME_TXT "4095"
+
++/* Maximum size for an outgoing cookie line libcurl will use in an http
++ request. This is the default maximum length used in some versions of Apache
++ httpd. */
++#define MAX_COOKIE_HEADER_LEN 8190
++
++/* Maximum number of cookies libcurl will send in a single request, even if
++ there might be more cookies that match. One reason to cap the number is to
++ keep the maximum HTTP request within the maximum allowed size. */
++#define MAX_COOKIE_SEND_AMOUNT 150
++
++/* Maximum number of Set-Cookie: lines accepted in a single response. If more
++ such header lines are received, they are ignored. This value must be less
++ than 256 since an unsigned char is used to count. */
++#define MAX_SET_COOKIE_AMOUNT 50
++
+ struct Curl_easy;
+ /*
+ * Add a cookie to the internal list of cookies. The domain and path arguments
+@@ -99,7 +115,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
+ const char *domain, const char *path,
+ bool secure);
+
+-struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
++struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
++ struct CookieInfo *c, const char *host,
+ const char *path, bool secure);
+ void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+diff --git a/lib/http.c b/lib/http.c
+index 5284475ba92c4..258722a602e40 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2711,12 +2711,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
+ }
+
+ #if !defined(CURL_DISABLE_COOKIES)
++
+ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ struct connectdata *conn,
+ struct dynbuf *r)
+ {
+ CURLcode result = CURLE_OK;
+ char *addcookies = NULL;
++ bool linecap = FALSE;
+ if(data->set.str[STRING_COOKIE] &&
+ !Curl_checkheaders(data, STRCONST("Cookie")))
+ addcookies = data->set.str[STRING_COOKIE];
+@@ -2734,7 +2736,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ !strcmp(host, "127.0.0.1") ||
+ !strcmp(host, "[::1]") ? TRUE : FALSE;
+ Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
+- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
++ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
+ secure_context);
+ Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
+ }
+@@ -2748,6 +2750,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ if(result)
+ break;
+ }
++ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
++ MAX_COOKIE_HEADER_LEN) {
++ infof(data, "Restricted outgoing cookies due to header size, "
++ "'%s' not sent", co->name);
++ linecap = TRUE;
++ break;
++ }
+ result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
+ co->name, co->value);
+ if(result)
+@@ -2758,7 +2767,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
+ }
+ Curl_cookie_freelist(store);
+ }
+- if(addcookies && !result) {
++ if(addcookies && !result && !linecap) {
+ if(!count)
+ result = Curl_dyn_addn(r, STRCONST("Cookie: "));
+ if(!result) {
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 17fe25720be33..bcb4d460c2fe6 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -698,6 +698,7 @@ struct SingleRequest {
+ #ifndef CURL_DISABLE_DOH
+ struct dohdata *doh; /* DoH specific data for this request */
+ #endif
++ unsigned char setcookies;
+ BIT(header); /* incoming data has HTTP header */
+ BIT(content_range); /* set TRUE if Content-Range: was found */
+ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch
new file mode 100644
index 0000000000..bdf3ba35e3
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32206-return-error-on-too-many-compression-steps.patch
@@ -0,0 +1,48 @@
+From 3a09fbb7f264c67c438d01a30669ce325aa508e2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 16 May 2022 16:28:13 +0200
+Subject: [PATCH] content_encoding: return error on too many compression steps
+
+The max allowed steps is arbitrarily set to 5.
+
+Bug: https://curl.se/docs/CVE-2022-32206.html
+CVE-2022-32206
+Reported-by: Harry Sintonen
+Closes #9049
+---
+ lib/content_encoding.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/content_encoding.c b/lib/content_encoding.c
+index c5591ca48ac78..95ba48a2dd563 100644
+--- a/lib/content_encoding.c
++++ b/lib/content_encoding.c
+@@ -1028,12 +1028,16 @@ static const struct content_encoding *find_encoding(const char *name,
+ return NULL;
+ }
+
++/* allow no more than 5 "chained" compression steps */
++#define MAX_ENCODE_STACK 5
++
+ /* Set-up the unencoding stack from the Content-Encoding header value.
+ * See RFC 7231 section 3.1.2.2. */
+ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+ const char *enclist, int maybechunked)
+ {
+ struct SingleRequest *k = &data->req;
++ int counter = 0;
+
+ do {
+ const char *name;
+@@ -1068,6 +1072,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
+ if(!encoding)
+ encoding = &error_encoding; /* Defer error at stack use. */
+
++ if(++counter >= MAX_ENCODE_STACK) {
++ failf(data, "Reject response due to %u content encodings",
++ counter);
++ return CURLE_BAD_CONTENT_ENCODING;
++ }
+ /* Stack the unencoding stage. */
+ writer = new_unencoding_writer(data, encoding, k->writer_stack);
+ if(!writer)
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch
new file mode 100644
index 0000000000..9b4c128d9e
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch
@@ -0,0 +1,280 @@
+From 20f9dd6bae50b7223171b17ba7798946e74f877f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Wed, 25 May 2022 10:09:53 +0200
+Subject: [PATCH] fopen: add Curl_fopen() for better overwriting of files
+
+Bug: https://curl.se/docs/CVE-2022-32207.html
+CVE-2022-32207
+Reported-by: Harry Sintonen
+Closes #9050
+---
+ CMakeLists.txt | 1 +
+ configure.ac | 1 +
+ lib/Makefile.inc | 2 +
+ lib/cookie.c | 19 ++-----
+ lib/curl_config.h.cmake | 3 ++
+ lib/fopen.c | 113 ++++++++++++++++++++++++++++++++++++++++
+ lib/fopen.h | 30 +++++++++++
+ 7 files changed, 154 insertions(+), 15 deletions(-)
+ create mode 100644 lib/fopen.c
+ create mode 100644 lib/fopen.h
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 45d763d5a9c1d..ad20777f3d688 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -1067,6 +1067,7 @@ elseif(HAVE_LIBSOCKET)
+ set(CMAKE_REQUIRED_LIBRARIES socket)
+ endif()
+
++check_symbol_exists(fchmod "${CURL_INCLUDES}" HAVE_FCHMOD)
+ check_symbol_exists(basename "${CURL_INCLUDES}" HAVE_BASENAME)
+ check_symbol_exists(socket "${CURL_INCLUDES}" HAVE_SOCKET)
+ check_symbol_exists(select "${CURL_INCLUDES}" HAVE_SELECT)
+diff --git a/configure.ac b/configure.ac
+index b0245b99a669f..de2dee5a484ed 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3438,6 +3438,7 @@ AC_CHECK_DECLS([getpwuid_r], [], [AC_DEFINE(HAVE_DECL_GETPWUID_R_MISSING, 1, "Se
+
+
+ AC_CHECK_FUNCS([fnmatch \
++ fchmod \
+ geteuid \
+ getpass_r \
+ getppid \
+diff --git a/lib/Makefile.inc b/lib/Makefile.inc
+index 533e16df97020..9bd8e324bd1c1 100644
+--- a/lib/Makefile.inc
++++ b/lib/Makefile.inc
+@@ -137,6 +137,7 @@ LIB_CFILES = \
+ escape.c \
+ file.c \
+ fileinfo.c \
++ fopen.c \
+ formdata.c \
+ ftp.c \
+ ftplistparser.c \
+@@ -270,6 +271,7 @@ LIB_HFILES = \
+ escape.h \
+ file.h \
+ fileinfo.h \
++ fopen.h \
+ formdata.h \
+ ftp.h \
+ ftplistparser.h \
+diff --git a/lib/cookie.c b/lib/cookie.c
+index a1ab89532033b..cb57b86387191 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -99,8 +99,8 @@ Example set of cookies:
+ #include "curl_get_line.h"
+ #include "curl_memrchr.h"
+ #include "parsedate.h"
+-#include "rand.h"
+ #include "rename.h"
++#include "fopen.h"
+
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+@@ -1641,20 +1641,9 @@ static CURLcode cookie_output(struct Curl_easy *data,
+ use_stdout = TRUE;
+ }
+ else {
+- unsigned char randsuffix[9];
+-
+- if(Curl_rand_hex(data, randsuffix, sizeof(randsuffix)))
+- return 2;
+-
+- tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
+- if(!tempstore)
+- return CURLE_OUT_OF_MEMORY;
+-
+- out = fopen(tempstore, FOPEN_WRITETEXT);
+- if(!out) {
+- error = CURLE_WRITE_ERROR;
++ error = Curl_fopen(data, filename, &out, &tempstore);
++ if(error)
+ goto error;
+- }
+ }
+
+ fputs("# Netscape HTTP Cookie File\n"
+@@ -1701,7 +1690,7 @@ static CURLcode cookie_output(struct Curl_easy *data,
+ if(!use_stdout) {
+ fclose(out);
+ out = NULL;
+- if(Curl_rename(tempstore, filename)) {
++ if(tempstore && Curl_rename(tempstore, filename)) {
+ unlink(tempstore);
+ error = CURLE_WRITE_ERROR;
+ goto error;
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index cd4b568d89948..eb2c62b971453 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -159,6 +159,9 @@
+ /* Define to 1 if you have the header file. */
+ #cmakedefine HAVE_ASSERT_H 1
+
++/* Define to 1 if you have the `fchmod' function. */
++#cmakedefine HAVE_FCHMOD 1
++
+ /* Define to 1 if you have the `basename' function. */
+ #cmakedefine HAVE_BASENAME 1
+
+diff --git a/lib/fopen.c b/lib/fopen.c
+new file mode 100644
+index 0000000000000..ad3691ba9d158
+--- /dev/null
++++ b/lib/fopen.c
+@@ -0,0 +1,113 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++#include "curl_setup.h"
++
++#if !defined(CURL_DISABLE_COOKIES) || !defined(CURL_DISABLE_ALTSVC) || \
++ !defined(CURL_DISABLE_HSTS)
++
++#ifdef HAVE_FCNTL_H
++#include
++#endif
++
++#include "urldata.h"
++#include "rand.h"
++#include "fopen.h"
++/* The last 3 #include files should be in this order */
++#include "curl_printf.h"
++#include "curl_memory.h"
++#include "memdebug.h"
++
++/*
++ * Curl_fopen() opens a file for writing with a temp name, to be renamed
++ * to the final name when completed. If there is an existing file using this
++ * name at the time of the open, this function will clone the mode from that
++ * file. if 'tempname' is non-NULL, it needs a rename after the file is
++ * written.
++ */
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++ FILE **fh, char **tempname)
++{
++ CURLcode result = CURLE_WRITE_ERROR;
++ unsigned char randsuffix[9];
++ char *tempstore = NULL;
++ struct_stat sb;
++ int fd = -1;
++ *tempname = NULL;
++
++ if(stat(filename, &sb) == -1 || !S_ISREG(sb.st_mode)) {
++ /* a non-regular file, fallback to direct fopen() */
++ *fh = fopen(filename, FOPEN_WRITETEXT);
++ if(*fh)
++ return CURLE_OK;
++ goto fail;
++ }
++
++ result = Curl_rand_hex(data, randsuffix, sizeof(randsuffix));
++ if(result)
++ goto fail;
++
++ tempstore = aprintf("%s.%s.tmp", filename, randsuffix);
++ if(!tempstore) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto fail;
++ }
++
++ result = CURLE_WRITE_ERROR;
++ fd = open(tempstore, O_WRONLY | O_CREAT | O_EXCL, 0600);
++ if(fd == -1)
++ goto fail;
++
++#ifdef HAVE_FCHMOD
++ {
++ struct_stat nsb;
++ if((fstat(fd, &nsb) != -1) &&
++ (nsb.st_uid == sb.st_uid) && (nsb.st_gid == sb.st_gid)) {
++ /* if the user and group are the same, clone the original mode */
++ if(fchmod(fd, sb.st_mode) == -1)
++ goto fail;
++ }
++ }
++#endif
++
++ *fh = fdopen(fd, FOPEN_WRITETEXT);
++ if(!*fh)
++ goto fail;
++
++ *tempname = tempstore;
++ return CURLE_OK;
++
++fail:
++ if(fd != -1) {
++ close(fd);
++ unlink(tempstore);
++ }
++
++ free(tempstore);
++
++ *tempname = NULL;
++ return result;
++}
++
++#endif /* ! disabled */
+diff --git a/lib/fopen.h b/lib/fopen.h
+new file mode 100644
+index 0000000000000..289e55f2afd24
+--- /dev/null
++++ b/lib/fopen.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_CURL_FOPEN_H
++#define HEADER_CURL_FOPEN_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***************************************************************************/
++
++CURLcode Curl_fopen(struct Curl_easy *data, const char *filename,
++ FILE **fh, char **tempname);
++
++#endif
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch
new file mode 100644
index 0000000000..be9f52d861
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch
@@ -0,0 +1,64 @@
+From 6ecdf5136b52af747e7bda08db9a748256b1cd09 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index e289595c9e1dd..517491c4658bf 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -142,11 +142,8 @@ krb5_decode(void *app_data, void *buf, int len,
+ enc.value = buf;
+ enc.length = len;
+ maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+ return -1;
+- }
+
+ memcpy(buf, dec.value, dec.length);
+ len = curlx_uztosi(dec.length);
+@@ -508,6 +505,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+ int len;
+ CURLcode result;
++ int nread;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+@@ -516,7 +514,10 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -524,8 +525,11 @@ static CURLcode read_data(struct connectdata *conn,
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+ buf->index = 0;
+ return CURLE_OK;
+ }
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.79.1.bb b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb
similarity index 88%
rename from meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.79.1.bb
rename to meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb
index 365873e15b..d20b3194c7 100644
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.79.1.bb
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl_7.83.1.bb
@@ -7,13 +7,17 @@ HOMEPAGE = "http://curl.haxx.se/"
BUGTRACKER = "http://curl.haxx.se/mail/list.cgi?list=curl-tracker"
SECTION = "console/network"
LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=425f6fdc767cc067518eef9bbdf4ab7b"
+LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238"
SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
+ file://CVE-2022-32205-cookie-apply-limits.patch \
+ file://CVE-2022-32206-return-error-on-too-many-compression-steps.patch \
+ file://CVE-2022-32207-fopen-add-Curl_fopen-for-better-overwriting-of-fi.patch \
+ file://CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch \
"
-SRC_URI[sha256sum] = "de62c4ab9a9316393962e8b94777a570bb9f71feb580fb4475e412f2f9387851"
+SRC_URI[sha256sum] = "f539a36fb44a8260ec5d977e4e0dbdd2eee29ed90fcedaa9bc3c9f78a113bff0"
# Curl has used many names over the years...
CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"