diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core')
5 files changed, 291 insertions, 2 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0031-iconv-Fix-incorrect-UCS4-inner-loop-bounds-BZ-26923.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0031-iconv-Fix-incorrect-UCS4-inner-loop-bounds-BZ-26923.patch new file mode 100644 index 000000000..bb297d50b --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0031-iconv-Fix-incorrect-UCS4-inner-loop-bounds-BZ-26923.patch @@ -0,0 +1,151 @@ +From 228edd356f03bf62dcf2b1335f25d43c602ee68d Mon Sep 17 00:00:00 2001 +From: Michael Colavita <mcolavita@fb.com> +Date: Thu, 19 Nov 2020 11:44:40 -0500 +Subject: [PATCH] iconv: Fix incorrect UCS4 inner loop bounds (BZ#26923) + +Previously, in UCS4 conversion routines we limit the number of +characters we examine to the minimum of the number of characters in the +input and the number of characters in the output. This is not the +correct behavior when __GCONV_IGNORE_ERRORS is set, as we do not consume +an output character when we skip a code unit. Instead, track the input +and output pointers and terminate the loop when either reaches its +limit. + +This resolves assertion failures when resetting the input buffer in a step of +iconv, which assumes that the input will be fully consumed given sufficient +output space. +--- + iconv/Makefile | 2 +- + iconv/gconv_simple.c | 16 ++++---------- + iconv/tst-iconv8.c | 50 ++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 55 insertions(+), 13 deletions(-) + create mode 100644 iconv/tst-iconv8.c + +diff --git a/iconv/Makefile b/iconv/Makefile +index 30bf996d3a..f9b51e23ec 100644 +--- a/iconv/Makefile ++++ b/iconv/Makefile +@@ -44,7 +44,7 @@ CFLAGS-linereader.c += -DNO_TRANSLITERATION + CFLAGS-simple-hash.c += -I../locale + + tests = tst-iconv1 tst-iconv2 tst-iconv3 tst-iconv4 tst-iconv5 tst-iconv6 \ +- tst-iconv7 tst-iconv-mt tst-iconv-opt ++ tst-iconv7 tst-iconv8 tst-iconv-mt + + others = iconv_prog iconvconfig + install-others-programs = $(inst_bindir)/iconv +diff --git a/iconv/gconv_simple.c b/iconv/gconv_simple.c +index d4797fba17..963b29f246 100644 +--- a/iconv/gconv_simple.c ++++ b/iconv/gconv_simple.c +@@ -239,11 +239,9 @@ ucs4_internal_loop (struct __gconv_step *step, + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + uint32_t inval; + +@@ -307,11 +305,9 @@ ucs4_internal_loop_unaligned (struct __gconv_step *step, + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + if (__glibc_unlikely (inptr[0] > 0x80)) + { +@@ -613,11 +609,9 @@ ucs4le_internal_loop (struct __gconv_step *step, + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + uint32_t inval; + +@@ -684,11 +678,9 @@ ucs4le_internal_loop_unaligned (struct __gconv_step *step, + int flags = step_data->__flags; + const unsigned char *inptr = *inptrp; + unsigned char *outptr = *outptrp; +- size_t n_convert = MIN (inend - inptr, outend - outptr) / 4; + int result; +- size_t cnt; + +- for (cnt = 0; cnt < n_convert; ++cnt, inptr += 4) ++ for (; inptr + 4 <= inend && outptr + 4 <= outend; inptr += 4) + { + if (__glibc_unlikely (inptr[3] > 0x80)) + { +diff --git a/iconv/tst-iconv8.c b/iconv/tst-iconv8.c +new file mode 100644 +index 0000000000..0b92b19f66 +--- /dev/null ++++ b/iconv/tst-iconv8.c +@@ -0,0 +1,50 @@ ++/* Test iconv behavior on UCS4 conversions with //IGNORE. ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++/* Derived from BZ #26923 */ ++#include <errno.h> ++#include <iconv.h> ++#include <stdio.h> ++#include <support/check.h> ++ ++static int ++do_test (void) ++{ ++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "ISO-10646/UCS4/"); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ /* ++ * Convert sequence beginning with an irreversible character into buffer that ++ * is too small. ++ */ ++ char input[12] = "\xe1\x80\xa1" "AAAAAAAAA"; ++ char *inptr = input; ++ size_t insize = sizeof (input); ++ char output[6]; ++ char *outptr = output; ++ size_t outsize = sizeof (output); ++ ++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == -1); ++ TEST_VERIFY (errno == E2BIG); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) != -1); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +-- +2.27.0 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0032-Fix-buffer-overrun-in-EUC-KR-conversion-module-BZ-24973.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0032-Fix-buffer-overrun-in-EUC-KR-conversion-module-BZ-24973.patch new file mode 100644 index 000000000..82ae284d2 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0032-Fix-buffer-overrun-in-EUC-KR-conversion-module-BZ-24973.patch @@ -0,0 +1,133 @@ +From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Mon, 21 Dec 2020 08:56:43 +0530 +Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973) + +The byte 0xfe as input to the EUC-KR conversion denotes a user-defined +area and is not allowed. The from_euc_kr function used to skip two bytes +when told to skip over the unknown designation, potentially running over +the buffer end. +--- + iconvdata/Makefile | 3 ++- + iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++ + iconvdata/euc-kr.c | 6 +---- + iconvdata/ksc5601.h | 6 ++--- + 4 files changed, 59 insertions(+), 9 deletions(-) + create mode 100644 iconvdata/bug-iconv13.c + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 4ec2741cdc..85009f3390 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules)) + ifeq (yes,$(build-shared)) + tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ +- bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 ++ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ ++ bug-iconv13 + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c +new file mode 100644 +index 0000000000..87aaff398e +--- /dev/null ++++ b/iconvdata/bug-iconv13.c +@@ -0,0 +1,53 @@ ++/* bug 24973: Test EUC-KR module ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <iconv.h> ++#include <stdio.h> ++#include <support/check.h> ++ ++static int ++do_test (void) ++{ ++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR"); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined ++ areas, which are not allowed and should be skipped over due to ++ //IGNORE. The trailing 0xfe also is an incomplete sequence, which ++ should be checked first. */ ++ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' }; ++ char *inptr = input; ++ size_t insize = sizeof (input); ++ char output[4]; ++ char *outptr = output; ++ size_t outsize = sizeof (output); ++ ++ /* This used to crash due to buffer overrun. */ ++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1); ++ TEST_VERIFY (errno == EINVAL); ++ /* The conversion should produce one character, the converted null ++ character. */ ++ TEST_VERIFY (sizeof (output) - outsize == 1); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) != -1); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c +index b0d56cf3ee..1045bae926 100644 +--- a/iconvdata/euc-kr.c ++++ b/iconvdata/euc-kr.c +@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp) + \ + if (ch <= 0x9f) \ + ++inptr; \ +- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \ +- user-defined areas. */ \ +- else if (__builtin_expect (ch == 0xa0, 0) \ +- || __builtin_expect (ch > 0xfe, 0) \ +- || __builtin_expect (ch == 0xc9, 0)) \ ++ else if (__glibc_unlikely (ch == 0xa0)) \ + { \ + /* This is illegal. */ \ + STANDARD_FROM_LOOP_ERR_HANDLER (1); \ +diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h +index d3eb3a4ff8..f5cdc72797 100644 +--- a/iconvdata/ksc5601.h ++++ b/iconvdata/ksc5601.h +@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset) + unsigned char ch2; + int idx; + ++ if (avail < 2) ++ return 0; ++ + /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */ + + if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e + || (ch - offset) == 0x49) + return __UNKNOWN_10646_CHAR; + +- if (avail < 2) +- return 0; +- + ch2 = (*s)[1]; + if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f) + return __UNKNOWN_10646_CHAR; +-- +2.27.0 + diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend new file mode 100644 index 000000000..d458a6d94 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend @@ -0,0 +1,5 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://0031-iconv-Fix-incorrect-UCS4-inner-loop-bounds-BZ-26923.patch \ + file://0032-Fix-buffer-overrun-in-EUC-KR-conversion-module-BZ-24973.patch \ + " diff --git a/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb b/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb index c7503ef35..f88f9957f 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb +++ b/meta-openbmc-mods/meta-common/recipes-core/interfaces/libmctp_git.bb @@ -2,7 +2,7 @@ SUMMARY = "libmctp" DESCRIPTION = "Implementation of MCTP (DTMF DSP0236)" SRC_URI = "git://github.com/openbmc/libmctp.git" -SRCREV = "b9fd597ca42b290a97a259d2d5a089981c25e72c" +SRCREV = "192752301b9d98b8699e88ede61d75e96eaed4bb" PV = "0.1+git${SRCPV}" diff --git a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend index f268ad691..995146b35 100644 --- a/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend +++ b/meta-openbmc-mods/meta-common/recipes-core/ipmi/intel-ipmi-oem_%.bbappend @@ -2,4 +2,4 @@ EXTRA_OECMAKE += "${@bb.utils.contains('IMAGE_FSTYPES', 'intel-pfr', '-DINTEL_PF EXTRA_OECMAKE += "${@bb.utils.contains('EXTRA_IMAGE_FEATURES', 'validation-unsecure', '-DBMC_VALIDATION_UNSECURE_FEATURE=ON', '', d)}" EXTRA_OECMAKE += "-DUSING_ENTITY_MANAGER_DECORATORS=OFF" SRC_URI = "git://github.com/openbmc/intel-ipmi-oem.git" -SRCREV = "6d6dc7ad721268a66adecca423716ce9fcf3838b" +SRCREV = "b910987a7d832e38e9342f0946aeb555a48f9cb0" |