-rw-r--r--meta-openembedded/README2
-rw-r--r--meta-openembedded/meta-filesystems/README10
-rw-r--r--meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.3.bb (renamed from meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.2.bb)2
-rw-r--r--meta-openembedded/meta-gnome/README10
-rw-r--r--meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb3
-rw-r--r--meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb2
-rw-r--r--meta-openembedded/meta-initramfs/README8
-rw-r--r--meta-openembedded/meta-multimedia/README10
-rw-r--r--meta-openembedded/meta-networking/MAINTAINERS32
-rw-r--r--meta-openembedded/meta-networking/README6
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch38
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb1
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.4.bb (renamed from meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.2.bb)2
-rw-r--r--meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.1.bb (renamed from meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.0.bb)2
-rw-r--r--meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20210219.bb (renamed from meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20201112.bb)3
-rw-r--r--meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb (renamed from meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.12.bb)2
-rw-r--r--meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb8
-rw-r--r--meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb8
-rw-r--r--meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.6.bb (renamed from meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.5.bb)2
-rw-r--r--meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb2
-rw-r--r--meta-openembedded/meta-oe/README6
-rw-r--r--meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.3.bb (renamed from meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.2.bb)4
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch158
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch24
-rw-r--r--meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb (renamed from meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.9.bb)7
-rw-r--r--meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb2
-rw-r--r--meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb (renamed from meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.1.bb)2
-rwxr-xr-xmeta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init5
-rw-r--r--meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch21
-rw-r--r--meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch36
-rw-r--r--meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb (renamed from meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb)13
-rw-r--r--meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.2.bb (renamed from meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.1.bb)4
-rw-r--r--meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch47
-rw-r--r--meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch40
-rw-r--r--meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb11
-rw-r--r--meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.2.bb (renamed from meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.1.bb)2
-rw-r--r--meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb (renamed from meta-openembedded/meta-oe/recipes-support/nss/nss_3.63.bb)9
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch74
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch30
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch53
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch47
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch65
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch25
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch18
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd2
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit2
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc9
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb15
-rw-r--r--meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb16
-rw-r--r--meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb2
-rw-r--r--meta-openembedded/meta-perl/README10
-rw-r--r--meta-openembedded/meta-python/README14
-rw-r--r--meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.1.bb (renamed from meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.0.bb)3
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.5.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.4.bb)2
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.2.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.1.bb)2
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb9
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb9
-rw-r--r--meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.43.bb (renamed from meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.42.bb)2
-rw-r--r--meta-openembedded/meta-webserver/README8
-rw-r--r--meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb1
-rw-r--r--meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb3
-rw-r--r--meta-openembedded/meta-xfce/README10
-rw-r--r--meta-raspberrypi/conf/machine/include/rpi-base.inc2
-rw-r--r--meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb13
-rw-r--r--meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules8
-rw-r--r--meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend3
-rw-r--r--meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb22
-rw-r--r--meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb4
-rw-r--r--meta-security/.gitlab-ci.yml116
-rw-r--r--meta-security/README27
-rw-r--r--meta-security/conf/layer.conf4
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch32
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest3
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service20
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml1326
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata2
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata2
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb27
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc8
-rw-r--r--meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb193
-rw-r--r--meta-security/kas/kas-security-alt.yml2
-rw-r--r--meta-security/kas/kas-security-base.yml10
-rw-r--r--meta-security/kas/qemuarm64-tpm2.yml10
-rw-r--r--meta-security/kas/qemumips64-alt.yml6
-rw-r--r--meta-security/kas/qemux86-64-tpm.yml10
-rw-r--r--meta-security/kas/qemux86-64-tpm2.yml10
-rw-r--r--meta-security/kas/qemux86-test.yml5
-rw-r--r--meta-security/recipes-core/packagegroup/packagegroup-core-security.bb2
-rwxr-xr-xpoky/bitbake/bin/bitbake-server2
-rw-r--r--poky/bitbake/lib/bb/fetch2/git.py2
-rw-r--r--poky/bitbake/lib/bb/runqueue.py24
-rw-r--r--poky/bitbake/lib/bb/server/process.py2
-rw-r--r--poky/bitbake/lib/bb/tests/fetch.py20
-rw-r--r--poky/documentation/conf.py2
-rw-r--r--poky/documentation/poky.yaml18
-rw-r--r--poky/documentation/releases.rst9
-rw-r--r--poky/meta-poky/conf/distro/poky.conf2
-rw-r--r--poky/meta/classes/archiver.bbclass8
-rw-r--r--poky/meta/classes/cmake.bbclass8
-rw-r--r--poky/meta/classes/externalsrc.bbclass7
-rw-r--r--poky/meta/classes/image.bbclass2
-rw-r--r--poky/meta/classes/insane.bbclass12
-rw-r--r--poky/meta/classes/kernel-yocto.bbclass2
-rw-r--r--poky/meta/classes/license_image.bbclass20
-rw-r--r--poky/meta/classes/sanity.bbclass11
-rw-r--r--poky/meta/conf/distro/include/yocto-uninative.inc8
-rw-r--r--[-rwxr-xr-x]poky/meta/conf/machine/include/arm/arch-armv6m.inc0
-rw-r--r--poky/meta/lib/oe/package_manager/__init__.py2
-rw-r--r--poky/meta/lib/oe/package_manager/deb/sdk.py4
-rw-r--r--poky/meta/lib/oe/rootfs.py2
-rw-r--r--poky/meta/lib/oe/terminal.py16
-rw-r--r--poky/meta/lib/oeqa/core/case.py9
-rw-r--r--poky/meta/lib/oeqa/core/decorator/oetimeout.py5
-rw-r--r--poky/meta/lib/oeqa/core/tests/cases/timeout.py13
-rwxr-xr-xpoky/meta/lib/oeqa/core/tests/test_decorators.py6
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/date.py4
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/parselogs.py2
-rw-r--r--poky/meta/lib/oeqa/runtime/cases/rtc.py4
-rw-r--r--poky/meta/lib/oeqa/runtime/decorator/package.py4
-rw-r--r--poky/meta/lib/oeqa/selftest/cases/buildoptions.py6
-rw-r--r--poky/meta/lib/oeqa/selftest/cases/distrodata.py2
-rw-r--r--poky/meta/lib/oeqa/selftest/cases/runqemu.py9
-rw-r--r--poky/meta/lib/oeqa/utils/commands.py3
-rw-r--r--poky/meta/lib/oeqa/utils/qemurunner.py21
-rw-r--r--poky/meta/recipes-bsp/grub/grub2.inc2
-rw-r--r--poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch123
-rw-r--r--poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb1
-rw-r--r--poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb3
-rw-r--r--poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch58
-rw-r--r--poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch28
-rw-r--r--poky/meta/recipes-core/busybox/busybox_1.33.0.bb4
-rw-r--r--poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch32
-rw-r--r--poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch47
-rw-r--r--poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch60
-rw-r--r--poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch294
-rw-r--r--poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch60
-rw-r--r--poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb10
-rw-r--r--poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb4
-rw-r--r--poky/meta/recipes-core/meta/cve-update-db-native.bb7
-rw-r--r--poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb1
-rw-r--r--poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb1
-rw-r--r--poky/meta/recipes-core/systemd/systemd-boot_247.6.bb (renamed from poky/meta/recipes-core/systemd/systemd-boot_247.4.bb)0
-rw-r--r--poky/meta/recipes-core/systemd/systemd-conf_247.6.bb (renamed from poky/meta/recipes-core/systemd/systemd-conf_247.3.bb)0
-rw-r--r--poky/meta/recipes-core/systemd/systemd.inc2
-rw-r--r--poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch36
-rw-r--r--poky/meta/recipes-core/systemd/systemd_247.6.bb (renamed from poky/meta/recipes-core/systemd/systemd_247.4.bb)1
-rw-r--r--poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty44
-rw-r--r--poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb4
-rw-r--r--poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb1
-rw-r--r--poky/meta/recipes-devtools/go/go-1.16.3.inc (renamed from poky/meta/recipes-devtools/go/go-1.16.2.inc)4
-rw-r--r--poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb)4
-rw-r--r--poky/meta/recipes-devtools/go/go-common.inc2
-rw-r--r--poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb)0
-rw-r--r--poky/meta/recipes-devtools/go/go-cross_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go-cross_1.16.2.bb)0
-rw-r--r--poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb)0
-rw-r--r--poky/meta/recipes-devtools/go/go-native_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go-native_1.16.2.bb)0
-rw-r--r--poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb)0
-rw-r--r--poky/meta/recipes-devtools/go/go_1.16.3.bb (renamed from poky/meta/recipes-devtools/go/go_1.16.2.bb)0
-rw-r--r--poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc1
-rw-r--r--poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch35
-rw-r--r--poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch44
-rw-r--r--poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch44
-rw-r--r--poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb2
-rw-r--r--poky/meta/recipes-devtools/pseudo/pseudo_git.bb2
-rw-r--r--poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch22
-rw-r--r--poky/meta/recipes-devtools/python/python3/create_manifest3.py47
-rw-r--r--poky/meta/recipes-devtools/python/python3/get_module_deps3.py72
-rw-r--r--poky/meta/recipes-devtools/python/python3_3.9.4.bb (renamed from poky/meta/recipes-devtools/python/python3_3.9.2.bb)4
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu.inc26
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch143
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch107
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch153
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch117
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch303
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch81
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch70
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch55
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch214
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch89
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch56
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch92
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch109
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch75
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch56
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch99
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch177
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch44
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch42
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch43
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch43
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch45
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch43
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch45
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch44
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch46
-rw-r--r--poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch8
-rw-r--r--poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb (renamed from poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb)2
-rw-r--r--poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch31
-rw-r--r--poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb1
-rw-r--r--poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb (renamed from poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb)2
-rw-r--r--poky/meta/recipes-extended/groff/groff_1.22.4.bb4
-rw-r--r--poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch27
-rw-r--r--poky/meta/recipes-extended/lsb/lsb-release_1.4.bb1
-rw-r--r--poky/meta/recipes-extended/ltp/ltp_20210121.bb2
-rw-r--r--poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch40
-rw-r--r--poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb1
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch121
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.pngbin0 -> 185 bytes
-rw-r--r--poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb11
-rw-r--r--poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch22
-rw-r--r--poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb2
-rw-r--r--poky/meta/recipes-graphics/mesa/mesa-gl_21.0.3.bb (renamed from poky/meta/recipes-graphics/mesa/mesa-gl_21.0.1.bb)0
-rw-r--r--poky/meta/recipes-graphics/mesa/mesa.inc2
-rw-r--r--poky/meta/recipes-graphics/mesa/mesa_21.0.3.bb (renamed from poky/meta/recipes-graphics/mesa/mesa_21.0.1.bb)0
-rw-r--r--poky/meta/recipes-graphics/pango/pango_1.48.2.bb2
-rw-r--r--poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch32
-rw-r--r--poky/meta/recipes-graphics/wayland/weston_9.0.0.bb1
-rw-r--r--poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch39
-rw-r--r--poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb4
-rw-r--r--poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch43
-rw-r--r--poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb1
-rw-r--r--poky/meta/recipes-kernel/kmod/kmod.inc1
-rw-r--r--poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb (renamed from poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb)8
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-dev.bb2
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb6
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb8
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb8
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb24
-rw-r--r--poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb22
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch305
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch48
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch71
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb3
-rw-r--r--poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb4
-rwxr-xr-xpoky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh1
-rw-r--r--poky/meta/recipes-kernel/perf/perf.bb2
-rw-r--r--poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.04.21.bb (renamed from poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb)2
-rw-r--r--poky/meta/recipes-sato/puzzles/puzzles_git.bb2
-rw-r--r--poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch31
-rw-r--r--poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb1
-rw-r--r--poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb6
-rw-r--r--poky/meta/recipes-support/db/db_5.3.28.bb2
-rw-r--r--poky/meta/recipes-support/diffoscope/diffoscope_172.bb1
-rw-r--r--poky/meta/recipes-support/libcap/libcap_2.48.bb21
-rw-r--r--poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch33
-rw-r--r--poky/meta/recipes-support/libevent/libevent_2.1.12.bb1
-rw-r--r--poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch112
-rw-r--r--poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb1
-rw-r--r--poky/meta/recipes-support/nettle/nettle_3.7.2.bb (renamed from poky/meta/recipes-support/nettle/nettle_3.7.1.bb)2
-rw-r--r--poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb2
-rwxr-xr-xpoky/scripts/oe-buildenv-internal4
-rwxr-xr-xpoky/scripts/oe-debuginfod13
-rwxr-xr-x[-rw-r--r--]poky/scripts/oe-time-dd-test.sh9
-rw-r--r--poky/scripts/pybootchartgui/pybootchartgui/draw.py2
-rwxr-xr-xpoky/scripts/runqemu18
-rwxr-xr-xpoky/scripts/yocto-check-layer3
257 files changed, 5175 insertions, 2645 deletions
diff --git a/meta-openembedded/README b/meta-openembedded/README
index 7318f09cdb..0d86dcce87 100644
--- a/meta-openembedded/README
+++ b/meta-openembedded/README
@@ -1,6 +1,6 @@
Collection of layers for the OE-core universe
-Main layer maintainer: Khem Raj <raj.khem@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
This repository is a collection of layers to suppliment OE-Core
with additional packages, Each layer have designated maintainer
diff --git a/meta-openembedded/meta-filesystems/README b/meta-openembedded/meta-filesystems/README
index edcf8bfeef..14b223e432 100644
--- a/meta-openembedded/meta-filesystems/README
+++ b/meta-openembedded/meta-filesystems/README
@@ -11,26 +11,26 @@ This layer depends on:
URI: git://git.openembedded.org/openembedded-core
layers: meta
- branch: master
+ branch: hardknott
URI: git://git.openembedded.org/meta-openembedded
layers: meta-oe
- branch: master
+ branch: hardknott
Patches
=======
Please submit any patches against the filesystems layer to the
OpenEmbedded development mailing list (openembedded-devel@lists.openembedded.org)
-with '[meta-filesystems]' in the subject.
+with '[meta-filesystems][hardknott]' in the subject.
-Layer maintainer: Khem Raj <raj.khem@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
When sending single patches, please use something like:
git send-email -1 -M \
--to openembedded-devel@lists.openembedded.org \
- --subject-prefix=meta-filesystems][PATCH
+ --subject-prefix=meta-filesystems][hardknott][PATCH
Table of Contents
diff --git a/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.2.bb b/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.3.bb
index 91d0e373b6..72d0cd3e49 100644
--- a/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.2.bb
+++ b/meta-openembedded/meta-filesystems/recipes-support/fuse/fuse3_3.10.3.bb
@@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://GPL2.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "https://github.com/libfuse/libfuse/releases/download/fuse-${PV}/fuse-${PV}.tar.xz \
"
-SRC_URI[sha256sum] = "736e8d1ce65c09cb435fbbb500d53dc75f4d6e93bd325d22adc890951cf56337"
+SRC_URI[sha256sum] = "eb8373f208b05a39702f9f437f6e49caf4b1ace26a9acb68110b49912078560f"
S = "${WORKDIR}/fuse-${PV}"
diff --git a/meta-openembedded/meta-gnome/README b/meta-openembedded/meta-gnome/README
index a11815fb15..fda2a52fb8 100644
--- a/meta-openembedded/meta-gnome/README
+++ b/meta-openembedded/meta-gnome/README
@@ -3,16 +3,16 @@ Dependencies
This layer depends on:
URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
revision: HEAD
URI: git://github.com/openembedded/meta-oe.git
-branch: master
+branch: hardknott
revision: HEAD
-Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-gnome]' in the subject'
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-gnome][hardknott]' in the subject'
When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-gnome][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-gnome][hardknott][PATCH'
-Layer maintainer: Andreas Müller <schnitzeltony@gmail.com>
+maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb b/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb
index aa5112add6..717716e1f9 100644
--- a/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb
+++ b/meta-openembedded/meta-gnome/recipes-gimp/gimp/gimp_2.10.22.bb
@@ -53,8 +53,9 @@ EXTRA_OECONF = "--disable-python \
--disable-check-update \
--without-wmf"
-EXTRA_OECONF_append_libc-musl_mipsarch = " --disable-vector-icons"
+EXTRA_OECONF_append_mipsarch = " --disable-vector-icons"
EXTRA_OECONF_append_libc-musl_riscv32 = " --disable-vector-icons"
+EXTRA_OECONF_append_libc-musl_x86 = " --disable-vector-icons"
EXTRA_OECONF_append_arm = " --disable-vector-icons"
do_configure_append() {
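Review bot: The `--disable-vector-icons` appends in this hunk have no comment recording why vector icons are turned off for these targets. The mipsarch line now applies to every libc instead of musl only, and an x86/musl case is added, so a later reader cannot tell which overrides are still needed after a gimp upgrade. A comment above the group would cover it, for example `# --disable-vector-icons: <reason or bug link>; applies to mips, musl/riscv32, musl/x86 and arm`. The `do_configure_append()` body opens on the last line of the hunk and continues outside it.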
diff --git a/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb b/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb
index ad5dab5ecc..c8c16a3c52 100644
--- a/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb
+++ b/meta-openembedded/meta-gnome/recipes-gnome/gvfs/gvfs_1.44.1.bb
@@ -8,6 +8,8 @@ inherit gnomebase gsettings bash-completion gettext upstream-version-is-even fea
DEPENDS += "libsecret glib-2.0 glib-2.0-native libgudev shadow-native \
gsettings-desktop-schemas dbus"
+RDEPENDS_${PN} += "gsettings-desktop-schemas"
+
SRC_URI = "https://download.gnome.org/sources/${BPN}/${@gnome_verdir("${PV}")}/${BPN}-${PV}.tar.xz;name=archive"
SRC_URI[archive.md5sum] = "72383474f52d05c21ef2be96d0b91974"
SRC_URI[archive.sha256sum] = "50ef3245d1b03666a40455109169a2a1bd51419fd2d51f9fa6cfd4f89f04fb46"
diff --git a/meta-openembedded/meta-initramfs/README b/meta-openembedded/meta-initramfs/README
index 79244d43f0..baa15d23a6 100644
--- a/meta-openembedded/meta-initramfs/README
+++ b/meta-openembedded/meta-initramfs/README
@@ -12,7 +12,7 @@ Dependencies
This layer depends on:
URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
revision: HEAD
@@ -20,12 +20,12 @@ Maintenance
-----------
Send patches / pull requests to openembedded-devel@lists.openembedded.org
-with '[meta-initramfs]' in the subject.
+with '[meta-initramfs][hardknott]' in the subject.
When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-initramfs][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-initramfs][hardknott][PATCH'
-Interm layer maintainer: Khem Raj <raj.khem@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
License
diff --git a/meta-openembedded/meta-multimedia/README b/meta-openembedded/meta-multimedia/README
index b4c2455a11..c4d665f354 100644
--- a/meta-openembedded/meta-multimedia/README
+++ b/meta-openembedded/meta-multimedia/README
@@ -1,19 +1,19 @@
This layer depends on:
URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
revision: HEAD
URI: git://github.com/openembedded/meta-oe.git
layers: meta-oe
-branch: master
+branch: hardknott
revision: HEAD
-Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-multimedia]' in the subject'
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-multimedia][hardknott]' in the subject'
When sending single patches, please use something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-multimedia][PATCH
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-multimedia][hardknott][PATCH
You are encouraged to fork the mirror on github https://github.com/openembedded/meta-openembedded to share your patches, this is preferred for patch sets consisting of more than one patch. Other services like GitLab, repo.or.cz or self hosted setups are of course accepted as well, 'git fetch <remote>' works the same on all of them. We recommend github because it is free, easy to use, has been proven to be reliable and has a really good web GUI.
-Layer maintainer: Andreas Müller <schnitzeltony@gmail.com>
+hardknott maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-openembedded/meta-networking/MAINTAINERS b/meta-openembedded/meta-networking/MAINTAINERS
index 5c4c4ce052..64e920be5a 100644
--- a/meta-openembedded/meta-networking/MAINTAINERS
+++ b/meta-openembedded/meta-networking/MAINTAINERS
@@ -2,38 +2,12 @@ This file contains a list of maintainers for the meta-networking layer.
Please submit any patches against meta-networking to the OpenEmbedded
development mailing list (openembedded-devel@lists.openembedded.org) with
-'[meta-networking]' in the subject.
+'[meta-networking][hardknott]' in the subject.
When sending single patches, please use something like:
git send-email -1 -M \
--to openembedded-devel@lists.openembedded.org \
- --subject-prefix=meta-networking][PATCH
+ --subject-prefix=meta-networking][hardknott][PATCH
-You may also contact the maintainers directly.
-
-Descriptions of section entries:
-
- M: Mail patches to: FullName <address@domain>
- F: Files and directories with wildcard patterns.
- A trailing slash includes all files and subdirectory files.
- F: recipes-devtools/ all files in and below recipes-devtools
- F: recipes-selinux/* all files in recipes-selinux, but not below
- One pattern per line. Multiple F: lines acceptable.
-
-Please keep this list in alphabetical order.
-
-Maintainers List (try to look for most precise areas first)
-
-COMMON
-M: Khem Raj <raj.khem@gmail.com>
-M: "Joe MacDonald (backup)" <joe@deserted.net>
-L: openembedded-devel@lists.openembedded.org
-Q: https://patchwork.openembedded.org/project/oe/
-S: Maintained
-F: conf
-F: recipes-*
-
-NETKIT
-M: Armin Kuster <akuster808@gmail.com>
-F: recipes-netkit
+hardknott Maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-openembedded/meta-networking/README b/meta-openembedded/meta-networking/README
index e1ba27d83b..ab4d809073 100644
--- a/meta-openembedded/meta-networking/README
+++ b/meta-openembedded/meta-networking/README
@@ -18,19 +18,19 @@ Dependencies
This layer depends on:
URI: git://github.com/openembedded/openembedded-core.git
-branch: master
+branch: hardknott
revision: HEAD
For some recipes, the meta-oe layer is required:
URI: git://github.com/openembedded/meta-openembedded.git
subdirectory: meta-oe
-branch: master
+branch: hardknott
revision: HEAD
URI: git://github.com/openembedded/meta-openembedded.git
subdirectory: meta-python
-branch: master
+branch: hardknott
revision: HEAD
Maintenance
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch
new file mode 100644
index 0000000000..fcadae93a0
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/files/check-openssl-cmds-in-script-bootstrap.patch
@@ -0,0 +1,38 @@
+bootstrap: check commands of openssl exist
+
+It calls openssl commands dhparam and pkcs12 in script bootstrap. These
+commands are configurable based on configure options 'no-dh' and
+'no-des', and may not be provided by openssl. So check existence of
+these commands. If not, abort running of script bootstrap.
+
+1. https://github.com/openssl/openssl/blob/master/apps/build.info#L37
+2. https://github.com/openssl/openssl/blob/master/apps/build.info#L22
+
+Upstream-Status: Denied [https://github.com/FreeRADIUS/freeradius-server/pull/4059]
+ The maintainer commented in the pull that the script could
+ be run on a host which provides these openssl commands.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ raddb/certs/bootstrap | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
+index 0f719aafd4..17feddbeeb 100755
+--- a/raddb/certs/bootstrap
++++ b/raddb/certs/bootstrap
+@@ -13,6 +13,14 @@
+ umask 027
+ cd `dirname $0`
+
++# check commands of openssl exist
++for cmd in dhparam pkcs12; do
++ if ! openssl ${cmd} -help >/dev/null 2>&1; then
++ echo "Error: command ${cmd} is not supported by openssl."
++ exit 1
++ fi
++done
++
+ make -h > /dev/null 2>&1
+
+ #
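Review bot: The probe `openssl ${cmd} -help` in the added loop treats any non-zero exit as "command not built", which only holds where the installed openssl accepts `-help` on its subcommands. On a release that rejects the option, the script would abort even though dhparam and pkcs12 are present, so this is worth confirming against the openssl versions the layer supports. The error text goes to stdout, where a caller that captures output can miss it; `echo "Error: command ${cmd} is not supported by openssl." >&2` keeps it on stderr. The bootstrap script continues outside the hunk.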
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
index 864a4e9447..a6df2aeb03 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.21.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0
file://0001-workaround-error-with-autoconf-2.7.patch \
file://radiusd.service \
file://radiusd-volatiles.conf \
+ file://check-openssl-cmds-in-script-bootstrap.patch \
"
SRCREV = "af428abda249b2279ba0582180985a9f6f4a144a"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.2.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.4.bb
index ec3bdd22bd..7c07b0a34d 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.2.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.30.4.bb
@@ -31,7 +31,7 @@ SRC_URI_append_libc-musl = " \
file://musl/0001-Fix-build-with-musl-systemd-specific.patch \
file://musl/0002-Fix-build-with-musl-systemd-specific.patch \
"
-SRC_URI[sha256sum] = "0c8e80e77877860e4a4e6ab4a0f7cdc1186e356b65b042a751897188b88944d2"
+SRC_URI[sha256sum] = "6050b724212ea3ce7386113359bea9afa1f679a54f60d999a5999892e672c190"
S = "${WORKDIR}/NetworkManager-${PV}"
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.0.bb b/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.1.bb
index 83406f5077..76a5fd75cf 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.0.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.7.1.bb
@@ -14,7 +14,7 @@ RPROVIDES_${PN} = "cyassl"
SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https \
"
-SRCREV = "830de9a9fb99e30f9ac9caa0a7f7bba29c3b4863"
+SRCREV = "95b91d89133a712a3d0f389442924612c103da24"
S = "${WORKDIR}/git"
inherit autotools
diff --git a/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20201112.bb b/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20210219.bb
index 64958a75b2..0525b4135a 100644
--- a/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20201112.bb
+++ b/meta-openembedded/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20210219.bb
@@ -1,6 +1,6 @@
require wireguard.inc
-SRCREV = "fe402261666821514377d06c2c68ed9bc19e7634"
+SRCREV = "122f06bfd8fc7b06a0899fa9adc4ce8e06900d98"
SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat"
@@ -31,3 +31,4 @@ module_do_install() {
# OE-core post dunfell has moved to use kernel 5.8 which now means we cant build this module in world builds
# for reference machines e.g. qemu
EXCLUDE_FROM_WORLD = "1"
+
diff --git a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.12.bb b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
index c68b474cc6..41a9b8e76a 100644
--- a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.12.bb
+++ b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
@@ -4,7 +4,7 @@ SECTION = "otherosfs"
LICENSE = "GPLv3 & LGPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-SRCREV = "73008e3292e4d46fde3eab5d5f618886210ec4a1"
+SRCREV = "464a60344a324311a6f5bb326fdf5f422a3c9005"
SRC_URI = "git://git.samba.org/cifs-utils.git"
S = "${WORKDIR}/git"
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb
deleted file mode 100644
index 3dd9154f3d..0000000000
--- a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.84.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require dnsmasq.inc
-
-SRC_URI[dnsmasq-2.84.md5sum] = "6bf24b5bcf9293db2941fbdb545c1133"
-SRC_URI[dnsmasq-2.84.sha256sum] = "4caf385376f34fae5c55244a1f870dcf6f90e037bb7c4487210933dc497f9c36"
-SRC_URI += "\
- file://lua.patch \
-"
-
diff --git a/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb
new file mode 100644
index 0000000000..023dda3e53
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/dnsmasq/dnsmasq_2.85.bb
@@ -0,0 +1,8 @@
+require dnsmasq.inc
+
+SRC_URI[dnsmasq-2.85.md5sum] = "4079e1e6e1065e4bd14ded268cdd7bd7"
+SRC_URI[dnsmasq-2.85.sha256sum] = "f36b93ecac9397c15f461de9b1689ee5a2ed6b5135db0085916233053ff3f886"
+SRC_URI += "\
+ file://lua.patch \
+"
+
diff --git a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.5.bb b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.6.bb
index a6070ccf85..067911b4ea 100644
--- a/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.5.bb
+++ b/meta-openembedded/meta-networking/recipes-support/nbdkit/nbdkit_1.25.6.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9dcc2d8acdde215fa4bd6ac12bb14f0"
SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \
"
-SRCREV = "c828c6d48ff6b69454cad98054a1920d03c4b4c7"
+SRCREV = "023dac3e09a0e39d6f91dea4b7f8efb8f5faae36"
S = "${WORKDIR}/git"
diff --git a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb
index dd50fba3dd..c178b4cdac 100644
--- a/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb
+++ b/meta-openembedded/meta-networking/recipes-support/strongswan/strongswan_5.9.2.bb
@@ -24,7 +24,7 @@ EXTRA_OECONF = " \
EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemdsystemunitdir=${systemd_unitdir}/system/', '--without-systemdsystemunitdir', d)}"
-PACKAGECONFIG ??= "curl gmp openssl sqlite3 swanctl \
+PACKAGECONFIG ?= "curl gmp openssl sqlite3 swanctl \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-charon', 'charon', d)} \
"
PACKAGECONFIG[aesni] = "--enable-aesni,--disable-aesni,,${PN}-plugin-aesni"
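Review bot: The switch from `??=` to `?=` on PACKAGECONFIG changes which default wins when a bbappend also sets one, and nothing in the hunk says why. With `?=` the value is fixed as soon as this line is parsed, so a bbappend that relied on its own `?=` default no longer takes effect. For a VPN daemon that can silently change which crypto plugins (openssl, gmp and so on) are built. A one-line comment such as `# ?= rather than ??= because <reason>` above the assignment would record the intent.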
diff --git a/meta-openembedded/meta-oe/README b/meta-openembedded/meta-oe/README
index 98f671d7c2..e03146974b 100644
--- a/meta-openembedded/meta-oe/README
+++ b/meta-openembedded/meta-oe/README
@@ -4,7 +4,7 @@ meta-oe
This layer depends on:
URI: git://github.com/openembedded/openembedded-core.git
-branch: master
+branch: hardknott
revision: HEAD
luajit recipe requires host compiler to be able to generate 32bit code when target is 32bit
@@ -20,7 +20,7 @@ sudo apt-get install gcc-multilib
Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-oe]' in the subject'
When sending single patches, please use something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix="meta-oe][PATCH"'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix="meta-oe][hardknott][PATCH"'
You are encouraged to fork the mirror on GitHub https://github.com/openembedded/meta-openembedded
to share your patches, this is preferred for patch sets consisting of more than one patch.
@@ -29,4 +29,4 @@ Other services like GitLab, repo.or.cz or self-hosted setups are of course accep
'git fetch <remote>' works the same on all of them. We recommend GitHub because it is free, easy
to use, has been proven to be reliable and has a really good web GUI.
-layer maintainer: Khem Raj <raj.khem@gmail.com>
+Branch maintainer: Armin Kuster <akuster@gmail.com>
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.2.bb b/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.3.bb
index 1c5a912f27..c95741cd94 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.2.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/irssi/irssi_1.2.3.bb
@@ -6,8 +6,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55fdc1113306167d6ea2561404ce02f8"
DEPENDS = "glib-2.0 ncurses openssl"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz"
-SRC_URI[md5sum] = "8547f89e014e23e1bbbb665bcf7e2f70"
-SRC_URI[sha256sum] = "6727060c918568ba2ff4295ad736128dba0b995d7b20491bca11f593bd857578"
+SRC_URI[md5sum] = "381d3af259ad15d658be50c0a01f0c28"
+SRC_URI[sha256sum] = "a647bfefed14d2221fa77b6edac594934dc672c4a560417b1abcbbc6b88d769f"
UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch b/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
deleted file mode 100644
index 0cf4d5ed60..0000000000
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7069.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-Subject: Fix bug #79601 (Wrong ciphertext/tag in AES-CCM encryption
- for a 12 bytes IV)
-
----
- ext/openssl/openssl.c | 10 ++++-----
- ext/openssl/tests/cipher_tests.inc | 21 +++++++++++++++++
- ext/openssl/tests/openssl_decrypt_ccm.phpt | 22 +++++++++++-------
- ext/openssl/tests/openssl_encrypt_ccm.phpt | 26 ++++++++++++++--------
- 4 files changed, 57 insertions(+), 22 deletions(-)
-
-diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
-index 04cb9b0f..fdad2c3b 100644
---- a/ext/openssl/openssl.c
-+++ b/ext/openssl/openssl.c
-@@ -6521,11 +6521,6 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
- {
- char *iv_new;
-
-- /* Best case scenario, user behaved */
-- if (*piv_len == iv_required_len) {
-- return SUCCESS;
-- }
--
- if (mode->is_aead) {
- if (EVP_CIPHER_CTX_ctrl(cipher_ctx, mode->aead_ivlen_flag, *piv_len, NULL) != 1) {
- php_error_docref(NULL, E_WARNING, "Setting of IV length for AEAD mode failed");
-@@ -6534,6 +6529,11 @@ static int php_openssl_validate_iv(char **piv, size_t *piv_len, size_t iv_requir
- return SUCCESS;
- }
-
-+ /* Best case scenario, user behaved */
-+ if (*piv_len == iv_required_len) {
-+ return SUCCESS;
-+ }
-+
- iv_new = ecalloc(1, iv_required_len + 1);
-
- if (*piv_len == 0) {
-diff --git a/ext/openssl/tests/cipher_tests.inc b/ext/openssl/tests/cipher_tests.inc
-index b1e46b41..779bfa85 100644
---- a/ext/openssl/tests/cipher_tests.inc
-+++ b/ext/openssl/tests/cipher_tests.inc
-@@ -1,5 +1,26 @@
- <?php
- $php_openssl_cipher_tests = array(
-+ 'aes-128-ccm' => array(
-+ array(
-+ 'key' => '404142434445464748494a4b4c4d4e4f',
-+ 'iv' => '1011121314151617',
-+ 'aad' => '000102030405060708090a0b0c0d0e0f',
-+ 'tag' => '1fc64fbfaccd',
-+ 'pt' => '202122232425262728292a2b2c2d2e2f',
-+ 'ct' => 'd2a1f0e051ea5f62081a7792073d593d',
-+ ),
-+ array(
-+ 'key' => '404142434445464748494a4b4c4d4e4f',
-+ 'iv' => '101112131415161718191a1b',
-+ 'aad' => '000102030405060708090a0b0c0d0e0f' .
-+ '10111213',
-+ 'tag' => '484392fbc1b09951',
-+ 'pt' => '202122232425262728292a2b2c2d2e2f' .
-+ '3031323334353637',
-+ 'ct' => 'e3b201a9f5b71a7a9b1ceaeccd97e70b' .
-+ '6176aad9a4428aa5',
-+ ),
-+ ),
- 'aes-256-ccm' => array(
- array(
- 'key' => '1bde3251d41a8b5ea013c195ae128b21' .
-diff --git a/ext/openssl/tests/openssl_decrypt_ccm.phpt b/ext/openssl/tests/openssl_decrypt_ccm.phpt
-index a5f01b87..08ef5bb7 100644
---- a/ext/openssl/tests/openssl_decrypt_ccm.phpt
-+++ b/ext/openssl/tests/openssl_decrypt_ccm.phpt
-@@ -10,14 +10,16 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
- --FILE--
- <?php
- require_once __DIR__ . "/cipher_tests.inc";
--$method = 'aes-256-ccm';
--$tests = openssl_get_cipher_tests($method);
-+$methods = ['aes-128-ccm', 'aes-256-ccm'];
-
--foreach ($tests as $idx => $test) {
-- echo "TEST $idx\n";
-- $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
-- $test['iv'], $test['tag'], $test['aad']);
-- var_dump($test['pt'] === $pt);
-+foreach ($methods as $method) {
-+ $tests = openssl_get_cipher_tests($method);
-+ foreach ($tests as $idx => $test) {
-+ echo "$method - TEST $idx\n";
-+ $pt = openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
-+ $test['iv'], $test['tag'], $test['aad']);
-+ var_dump($test['pt'] === $pt);
-+ }
- }
-
- // no IV
-@@ -32,7 +34,11 @@ var_dump(openssl_decrypt($test['ct'], $method, $test['key'], OPENSSL_RAW_DATA,
-
- ?>
- --EXPECTF--
--TEST 0
-+aes-128-ccm - TEST 0
-+bool(true)
-+aes-128-ccm - TEST 1
-+bool(true)
-+aes-256-ccm - TEST 0
- bool(true)
-
- Warning: openssl_decrypt(): Setting of IV length for AEAD mode failed in %s on line %d
-diff --git a/ext/openssl/tests/openssl_encrypt_ccm.phpt b/ext/openssl/tests/openssl_encrypt_ccm.phpt
-index fb5dbbc8..8c4c41f8 100644
---- a/ext/openssl/tests/openssl_encrypt_ccm.phpt
-+++ b/ext/openssl/tests/openssl_encrypt_ccm.phpt
-@@ -10,15 +10,17 @@ if (!in_array('aes-256-ccm', openssl_get_cipher_methods()))
- --FILE--
- <?php
- require_once __DIR__ . "/cipher_tests.inc";
--$method = 'aes-256-ccm';
--$tests = openssl_get_cipher_tests($method);
-+$methods = ['aes-128-ccm', 'aes-256-ccm'];
-
--foreach ($tests as $idx => $test) {
-- echo "TEST $idx\n";
-- $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
-- $test['iv'], $tag, $test['aad'], strlen($test['tag']));
-- var_dump($test['ct'] === $ct);
-- var_dump($test['tag'] === $tag);
-+foreach ($methods as $method) {
-+ $tests = openssl_get_cipher_tests($method);
-+ foreach ($tests as $idx => $test) {
-+ echo "$method - TEST $idx\n";
-+ $ct = openssl_encrypt($test['pt'], $method, $test['key'], OPENSSL_RAW_DATA,
-+ $test['iv'], $tag, $test['aad'], strlen($test['tag']));
-+ var_dump($test['ct'] === $ct);
-+ var_dump($test['tag'] === $tag);
-+ }
- }
-
- // Empty IV error
-@@ -32,7 +34,13 @@ var_dump(strlen($tag));
- var_dump(openssl_encrypt('data', $method, 'password', 0, str_repeat('x', 16), $tag, '', 1024));
- ?>
- --EXPECTF--
--TEST 0
-+aes-128-ccm - TEST 0
-+bool(true)
-+bool(true)
-+aes-128-ccm - TEST 1
-+bool(true)
-+bool(true)
-+aes-256-ccm - TEST 0
- bool(true)
- bool(true)
-
---
-2.25.1
-
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch b/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
deleted file mode 100644
index e5b527f989..0000000000
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php/CVE-2020-7070.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Subject: Patch fix-urldecode for HTTP related Bug #79699
-
----
- main/php_variables.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/main/php_variables.c b/main/php_variables.c
-index 1a40c2a1..cbdc7cf1 100644
---- a/main/php_variables.c
-+++ b/main/php_variables.c
-@@ -514,7 +514,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
- }
-
- val = estrndup(val, val_len);
-- php_url_decode(var, strlen(var));
-+ if (arg != PARSE_COOKIE) {
-+ php_url_decode(var, strlen(var));
-+ }
- if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
- php_register_variable_safe(var, val, new_val_len, &array);
- }
---
-2.25.1
-
diff --git a/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.9.bb b/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb
index e19d5dd21c..821d9cd046 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.9.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/php/php_7.4.16.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.php.net"
SECTION = "console/network"
LICENSE = "PHP-3.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=7e571b888d585b31f9ef5edcc647fa30"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=99532e0f6620bc9bca34f12fadaee33c"
BBCLASSEXTEND = "native"
DEPENDS = "zlib bzip2 libxml2 virtual/libiconv php-native lemon-native"
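Review bot: The LICENSE md5 in LIC_FILES_CHKSUM changes here with no record of what changed in the licence text. The checksum exists so that a licence change is noticed and reviewed, so the commit message should say what differed between the old and new LICENSE file (for example, only the copyright years). Nothing in this hunk lets a reader confirm that `LICENSE = "PHP-3.0"` still describes the new tarball.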
@@ -30,13 +30,10 @@ SRC_URI_append_class-target = " \
file://phar-makefile.patch \
file://0001-opcache-config.m4-enable-opcache.patch \
file://xfail_two_bug_tests.patch \
- file://CVE-2020-7070.patch \
- file://CVE-2020-7069.patch \
"
S = "${WORKDIR}/php-${PV}"
-SRC_URI[md5sum] = "e68a66c54b080d108831f6dc2e1e403d"
-SRC_URI[sha256sum] = "2e270958a4216480da7886743438ccc92b6acf32ea96fefda88d07e0a5095deb"
+SRC_URI[sha256sum] = "85710f007cfd0fae94e13a02a3a036f4e81ef43693260cae8a2e1ca93659ce3e"
inherit autotools pkgconfig python3native gettext
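Review bot: Dropping `file://CVE-2020-7070.patch` and `file://CVE-2020-7069.patch` from SRC_URI is only safe if the 7.4.16 sources already contain both fixes, and the hunk gives no evidence of that. The commit message should state that the new tarball was checked for them. The deleted patch files show what to look for: the `arg != PARSE_COOKIE` guard around `php_url_decode` in `main/php_variables.c`, and the equal-length shortcut moved below the AEAD branch in `php_openssl_validate_iv`. Dropping the md5sum and keeping only `SRC_URI[sha256sum]` is fine.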
diff --git a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb
index c382ad87f2..32aa842ff3 100644
--- a/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/ostree/ostree_2021.1.bb
@@ -22,7 +22,7 @@ DEPENDS = " \
PREMIRRORS = ""
SRC_URI = " \
- gitsm://github.com/ostreedev/ostree \
+ gitsm://github.com/ostreedev/ostree;branch=main \
file://run-ptest \
"
SRCREV = "e9e4b9112083228b8c385ad26924b6c4623f4179"
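Review bot: The changed SRC_URI line still fetches over plain `git://`, which is neither encrypted nor authenticated; the same applies to the tigervnc SRC_URI line changed later in this commit. SRCREV pins the commit, so a tampered fetch should fail on the object id, but the transport adds no protection of its own. Other recipes touched here (wolfssl, nbdkit) already pass `protocol=https`, and this line could match them: `gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \`.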
diff --git a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.1.bb b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index 89990df3de..65b525709e 100644
--- a/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.1.bb
+++ b/meta-openembedded/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -17,7 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://GNU_SOURCE.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
"
-SRC_URI[sha256sum] = "cd222505012cce20b25682fca931ec93bd21ae92cb4abfe742cf7b76aa907520"
+SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
inherit autotools-brokensep update-rc.d systemd useradd
diff --git a/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init b/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init
index ccc3aafe3a..28082f7ff0 100755
--- a/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init
+++ b/meta-openembedded/meta-oe/recipes-extended/zram/zram/zram-swap-init
@@ -24,3 +24,8 @@ modprobe -q zram || true
zramctl -a ${ZRAM_ALGORITHM} -s ${memzram}KB $device
mkswap -L "zram-swap" $device
+
+devname="${device##*/}"
+if [ ! -z ${ZRAM_SIZE_LIMIT+x} ]; then
+ echo ${ZRAM_SIZE_LIMIT} > /sys/block/$devname/mem_limit
+fi
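Review bot: The new test `[ ! -z ${ZRAM_SIZE_LIMIT+x} ]` is true whenever the variable is set, including set to the empty string, so an empty ZRAM_SIZE_LIMIT is still written to mem_limit; the expansions are also unquoted. Testing the value itself and quoting fixes both: `if [ -n "${ZRAM_SIZE_LIMIT:-}" ]; then` and `echo "${ZRAM_SIZE_LIMIT}" > "/sys/block/${devname}/mem_limit"`. The write's exit status is not checked, so a rejected value or a missing sysfs node leaves the device without the intended cap and without any message. Where `$device` and ZRAM_SIZE_LIMIT are set is outside the hunk.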
diff --git a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch
index 4e875ba82b..5a42e67d06 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch
+++ b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0002-do-not-build-tests-sub-directory.patch
@@ -1,29 +1,30 @@
-From c3460d63f0b6cd50b9a64265f420f0439e12a1d5 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 25 Apr 2017 01:36:44 -0400
-Subject: [PATCH 2/4] do not build tests sub directory
+From 076d0e12a7be6cd2108e4ca0dcde1cb658918fa5 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Mon, 19 Apr 2021 23:02:45 -0700
+Subject: [PATCH] do not build tests sub directory
-Upstream-Status: Inappropriate [oe specific]
+Upstream-Status: Inappropriate [OE Specific]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Hongxu Jia <Hongxu.Jia@windriver.com>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
CMakeLists.txt | 3 ---
1 file changed, 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 94ec2ef..fb72a00 100644
+index 7bf99441..bda80598 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
-@@ -300,9 +300,6 @@ if(BUILD_VIEWER)
+@@ -304,9 +304,6 @@ if(BUILD_VIEWER)
add_subdirectory(media)
endif()
-add_subdirectory(tests)
-
-
- include(cmake/BuildPackages.cmake)
+ add_subdirectory(release)
# uninstall
--
-2.7.4
+2.30.2
diff --git a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch
index 97b0a388a2..5f14665b8d 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch
+++ b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/files/0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch
@@ -1,44 +1,34 @@
-From 9563b69640227da2220ee0c39077afb736cc96d1 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Thu, 20 Jul 2017 17:12:17 +0800
-Subject: [PATCH 4/4] tigervnc: add fPIC option to COMPILE_FLAGS
+From 7f8acd59bb2e54f9be25a98dd71534700a9e355a Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Mon, 19 Apr 2021 23:14:28 -0700
+Subject: [PATCH] tigervnc: add fPIC option to COMPILE_FLAGS
-The static libraries in Xregion/network/rdr/rfb were linked by shared
+The static libraries in network/rdr/rfb were linked by shared
library libvnc.so, so we should add fPIC option to COMPILE_FLAGS to fix
relocation issue.
Upstream-Status: Pending
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
- common/Xregion/CMakeLists.txt | 1 +
common/network/CMakeLists.txt | 1 +
common/rdr/CMakeLists.txt | 1 +
common/rfb/CMakeLists.txt | 1 +
- 4 files changed, 4 insertions(+)
+ 3 files changed, 3 insertions(+)
-diff --git a/common/Xregion/CMakeLists.txt b/common/Xregion/CMakeLists.txt
-index 40ca97e..9411328 100644
---- a/common/Xregion/CMakeLists.txt
-+++ b/common/Xregion/CMakeLists.txt
-@@ -3,4 +3,5 @@ add_library(Xregion STATIC
-
- if(UNIX)
- libtool_create_control_file(Xregion)
-+ set_target_properties(Xregion PROPERTIES COMPILE_FLAGS -fPIC)
- endif()
diff --git a/common/network/CMakeLists.txt b/common/network/CMakeLists.txt
-index b624c8e..6c06ec9 100644
+index d00ca452..e84e0290 100644
--- a/common/network/CMakeLists.txt
+++ b/common/network/CMakeLists.txt
-@@ -9,4 +9,5 @@ endif()
+@@ -16,4 +16,5 @@ endif()
if(UNIX)
libtool_create_control_file(network)
+ set_target_properties(network PROPERTIES COMPILE_FLAGS -fPIC)
endif()
diff --git a/common/rdr/CMakeLists.txt b/common/rdr/CMakeLists.txt
-index 989ba2f..20f6489 100644
+index 989ba2f4..20f6489d 100644
--- a/common/rdr/CMakeLists.txt
+++ b/common/rdr/CMakeLists.txt
@@ -27,4 +27,5 @@ target_link_libraries(rdr ${RDR_LIBRARIES})
@@ -48,15 +38,15 @@ index 989ba2f..20f6489 100644
+ set_target_properties(rdr PROPERTIES COMPILE_FLAGS -fPIC)
endif()
diff --git a/common/rfb/CMakeLists.txt b/common/rfb/CMakeLists.txt
-index 5047e5e..88838ab 100644
+index fc5a37bf..7f5ce131 100644
--- a/common/rfb/CMakeLists.txt
+++ b/common/rfb/CMakeLists.txt
-@@ -98,4 +98,5 @@ target_link_libraries(rfb ${RFB_LIBRARIES})
+@@ -99,4 +99,5 @@ target_link_libraries(rfb ${RFB_LIBRARIES})
if(UNIX)
libtool_create_control_file(rfb)
+ set_target_properties(rfb PROPERTIES COMPILE_FLAGS -fPIC)
endif()
--
-2.7.4
+2.30.2
diff --git a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
index f97c2b2d6c..ce6c59bc39 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.10.1.bb
+++ b/meta-openembedded/meta-oe/recipes-graphics/tigervnc/tigervnc_1.11.0.bb
@@ -2,22 +2,22 @@ DESCRIPTION = "TigerVNC remote display system"
HOMEPAGE = "http://www.tigervnc.com/"
LICENSE = "GPLv2+"
SECTION = "x11/utils"
-DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk"
-RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl"
+DEPENDS = "xserver-xorg gnutls jpeg libxtst gettext-native fltk libpam"
+RDEPENDS_${PN} = "coreutils hicolor-icon-theme perl bash"
LIC_FILES_CHKSUM = "file://LICENCE.TXT;md5=75b02c2872421380bbd47781d2bd75d3"
S = "${WORKDIR}/git"
inherit features_check
-REQUIRED_DISTRO_FEATURES = "x11"
+REQUIRED_DISTRO_FEATURES = "x11 pam"
inherit autotools cmake
B = "${S}"
-SRCREV = "4739493b635372bd40a34640a719f79fa90e4dba"
+SRCREV = "540bfc3278e396321124d4b18a798ac2bc18b6ca"
-SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.10-branch \
+SRC_URI = "git://github.com/TigerVNC/tigervnc.git;branch=1.11-branch \
file://0002-do-not-build-tests-sub-directory.patch \
file://0003-add-missing-dynamic-library-to-FLTK_LIBRARIES.patch \
file://0004-tigervnc-add-fPIC-option-to-COMPILE_FLAGS.patch \
@@ -83,6 +83,8 @@ EXTRA_OECONF = "--disable-xorg --disable-xnest --disable-xvfb --disable-dmx \
--disable-xwayland \
"
+EXTRA_OECMAKE += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '-DCMAKE_INSTALL_UNITDIR=/lib/systemd/system', '-DINSTALL_SYSTEMD_UNITS=OFF', d)}"
+
do_configure_append () {
olddir=`pwd`
cd ${XSERVER_SOURCE_DIR}
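Review bot: The added EXTRA_OECMAKE line hard-codes `/lib/systemd/system` for CMAKE_INSTALL_UNITDIR, while the FILES hunk that follows packages `${systemd_unitdir}`. The two agree only while that variable expands to `/lib/systemd`. Using the variable keeps the install path and the packaging in step: `-DCMAKE_INSTALL_UNITDIR=${systemd_system_unitdir}`. The `do_configure_append` body continues outside the hunk.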
@@ -125,6 +127,7 @@ do_install_append() {
FILES_${PN} += " \
${libdir}/xorg/modules/extensions \
${datadir}/icons \
+ ${systemd_unitdir} \
"
FILES_${PN}-dbg += "${libdir}/xorg/modules/extensions/.debug"
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.1.bb b/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.2.bb
index 65f5b6adf4..ed7443dfd4 100644
--- a/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.1.bb
+++ b/meta-openembedded/meta-oe/recipes-multimedia/libdvdread/libdvdread_6.1.2.bb
@@ -4,8 +4,8 @@ LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=64e753fa7d1ca31632bc383da3b57c27"
SRC_URI = "http://download.videolan.org/pub/videolan/libdvdread/${PV}/libdvdread-${PV}.tar.bz2"
-SRC_URI[md5sum] = "09c7423568fb679279fd2a2bc6b10b6e"
-SRC_URI[sha256sum] = "3e357309a17c5be3731385b9eabda6b7e3fa010f46022a06f104553bf8e21796"
+SRC_URI[md5sum] = "034581479968405ed415c34a50d00224"
+SRC_URI[sha256sum] = "cc190f553758ced7571859e301f802cb4821f164d02bfacfd320c14a4e0da763"
inherit autotools lib_package binconfig pkgconfig
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch
new file mode 100644
index 0000000000..5aec3c5747
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0008-configure.ac-autodetect-availability-of-systemd.patch
@@ -0,0 +1,47 @@
+From 3f61e353424fb9ea3dce742022b94dfd7ea1ed9f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
+Date: Thu, 4 Mar 2021 14:23:39 +0100
+Subject: [PATCH] configure.ac: autodetect availability of systemd
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Import systemd's official suggestion [1] how this should be handled in packages
+using autoconf. A side effect of this is the removal of the hardcoded fallback
+path "/lib/systemd/system" which leaks build host information when cross
+compiling v4l-utils and therefore defeats reproducible builds.
+
+[1] https://www.freedesktop.org/software/systemd/man/daemon.html#Installing%20systemd%20Service%20Files
+
+Upstream-Status: Backport [https://git.linuxtv.org/v4l-utils.git/commit/?id=3f61e353424fb9ea3dce742022b94dfd7ea1ed9f]
+
+Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
+Signed-off-by: Sean Young <sean@mess.org>
+---
+ configure.ac | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 727730c5ccf4..8470116df4b1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -388,7 +388,15 @@ AC_ARG_WITH(udevdir,
+ AC_ARG_WITH(systemdsystemunitdir,
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [set systemd system unit directory]),
+ [],
+- [with_systemdsystemunitdir=`$PKG_CONFIG --variable=systemdsystemunitdir systemd || echo /lib/systemd/system`])
++ [with_systemdsystemunitdir=auto])
++AS_IF([test "x$with_systemdsystemunitdir" = "xyes" -o "x$with_systemdsystemunitdir" = "xauto"],
++ [def_systemdsystemunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
++ AS_IF([test "x$def_systemdsystemunitdir" = "x"],
++ [AS_IF([test "x$with_systemdsystemunitdir" = "xyes"],
++ [AC_MSG_ERROR([systemd support requested but pkg-config unable to query systemd package])])
++ with_systemdsystemunitdir=no],
++ [with_systemdsystemunitdir="$def_systemdsystemunitdir"])])
++AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$with_systemdsystemunitdir" != "xno"])
+
+ # Generic check: works with most distributions
+ def_gconv_dir=`for i in /lib64 /usr/lib64 /usr/local/lib64 /lib /usr/lib /usr/local/lib; do if @<:@ -d \$i/gconv @:>@; then echo \$i/gconv; break; fi; done`
+--
+2.29.2
+
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch
new file mode 100644
index 0000000000..63a695f8f9
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch
@@ -0,0 +1,40 @@
+From 01f2c6c58e6f4441df7df8e27eb7919f1f01e310 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ulrich=20=C3=96lmann?= <u.oelmann@pengutronix.de>
+Date: Thu, 4 Mar 2021 14:23:40 +0100
+Subject: [PATCH] keytable: restrict installation of 50-rc_keymap.conf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is only needed if BPF is effectively used and the package is compiled for a
+systemd based target.
+
+Upstream-Status: Backport [https://git.linuxtv.org/v4l-utils.git/commit/?id=01f2c6c58e6f4441df7df8e27eb7919f1f01e310]
+
+Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
+Signed-off-by: Sean Young <sean@mess.org>
+---
+ utils/keytable/Makefile.am | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/utils/keytable/Makefile.am b/utils/keytable/Makefile.am
+index c5eb414acf2f..eee61f0e0551 100644
+--- a/utils/keytable/Makefile.am
++++ b/utils/keytable/Makefile.am
+@@ -3,9 +3,13 @@ man_MANS = ir-keytable.1 rc_keymap.5
+ sysconf_DATA = rc_maps.cfg
+ keytablesystem_DATA = $(srcdir)/rc_keymaps/*
+ udevrules_DATA = 70-infrared.rules
++if WITH_BPF
++if HAVE_SYSTEMD
+ if HAVE_UDEVDSYSCALLFILTER
+ systemdsystemunit_DATA = 50-rc_keymap.conf
+ endif
++endif
++endif
+
+ ir_keytable_SOURCES = keytable.c parse.h ir-encode.c ir-encode.h toml.c toml.h keymap.c keymap.h
+
+--
+2.29.2
+
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb
index 3e92d49b4f..2261feb56c 100644
--- a/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb
+++ b/meta-openembedded/meta-oe/recipes-multimedia/v4l2apps/v4l-utils_1.20.0.bb
@@ -5,7 +5,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=48da9957849056017dc568bbc43d8975 \
PROVIDES = "libv4l media-ctl"
DEPENDS = "jpeg \
- ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'virtual/libx11', '', d)}"
+ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'virtual/libx11', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
DEPENDS_append_libc-musl = " argp-standalone"
DEPENDS_append_class-target = " udev"
LDFLAGS_append = " -pthread"
@@ -21,13 +22,14 @@ SRC_URI = "http://linuxtv.org/downloads/v4l-utils/v4l-utils-${PV}.tar.bz2 \
file://export-mediactl-headers.patch \
file://0002-contrib-test-Link-mc_nextgen_test-with-libargp-if-ne.patch \
file://0007-Do-not-use-getsubopt.patch \
+ file://0008-configure.ac-autodetect-availability-of-systemd.patch \
+ file://0009-keytable-restrict-installation-of-50-rc_keymap.conf.patch \
"
SRC_URI[md5sum] = "46f9e2c0b2fdccd009da2f7e1aa87894"
SRC_URI[sha256sum] = "956118713f7ccb405c55c7088a6a2490c32d54300dd9a30d8d5008c28d3726f7"
EXTRA_OECONF = "--disable-qv4l2 --enable-shared --with-udevdir=${base_libdir}/udev \
- --disable-v4l2-compliance-32 --disable-v4l2-ctl-32 \
- --with-systemdsystemunitdir=${systemd_system_unitdir}"
+ --disable-v4l2-compliance-32 --disable-v4l2-ctl-32"
VIRTUAL-RUNTIME_ir-keytable-keymaps ?= "rc-keymaps"
@@ -37,8 +39,7 @@ RPROVIDES_${PN}-dbg += "libv4l-dbg"
FILES_media-ctl = "${bindir}/media-ctl ${libdir}/libmediactl.so.*"
-FILES_ir-keytable = "${bindir}/ir-keytable ${base_libdir}/udev/rules.d/*-infrared.rules \
- ${systemd_system_unitdir}/systemd-udevd.service.d/50-rc_keymap.conf"
+FILES_ir-keytable = "${bindir}/ir-keytable ${base_libdir}/udev/rules.d/*-infrared.rules"
RDEPENDS_ir-keytable += "${VIRTUAL-RUNTIME_ir-keytable-keymaps}"
FILES_rc-keymaps = "${sysconfdir}/rc* ${base_libdir}/udev/rc*"
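Review bot: Removing the `50-rc_keymap.conf` path from `FILES_ir-keytable` leaves no package explicitly claiming that drop-in in the one configuration where patch 0009 still installs it (BPF in use on a systemd target). Judging by the `HAVE_UDEVDSYSCALLFILTER` guard, the file adjusts systemd-udevd's syscall filter, so it should ship with the tool that needs it. Without the entry it either falls into whichever default FILES pattern matches or trips the installed-vs-shipped QA check; which of the two happens is not visible from this hunk. A FILES entry that matches nothing is harmless, so the old entry could stay: `${systemd_system_unitdir}/systemd-udevd.service.d/50-rc_keymap.conf`. Confirm the path against the unit directory that the autodetection in patch 0008 selects, now that `--with-systemdsystemunitdir` is gone from `EXTRA_OECONF`.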
diff --git a/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.1.bb b/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.2.bb
index 004c93d0f9..f1997136ac 100644
--- a/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.1.bb
+++ b/meta-openembedded/meta-oe/recipes-support/librsync/librsync_2.3.2.bb
@@ -5,7 +5,7 @@ LICENSE = "LGPLv2.1+"
LIC_FILES_CHKSUM = "file://COPYING;md5=d8045f3b8f929c1cb29a1e3fd737b499"
SRC_URI = "git://github.com/librsync/librsync.git"
-SRCREV = "27f738650c20fef1285f11d85a34e5094a71c06f"
+SRCREV = "42b636d2a65ab6914ea7cac50886da28192aaf9b"
S = "${WORKDIR}/git"
DEPENDS = "popt"
diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.63.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
index ab2c43d019..1863db131b 100644
--- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.63.bb
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -11,11 +11,12 @@ SECTION = "libs"
DEPENDS = "sqlite3 nspr zlib nss-native"
DEPENDS_class-native = "sqlite3-native nspr-native zlib-native"
-LICENSE = "MPL-2.0 | (MPL-2.0 & GPL-2.0+) | (MPL-2.0 & LGPL-2.1+)"
+LICENSE = "(MPL-2.0 & MIT) | (MPL-2.0 & GPL-2.0+ & MIT) | (MPL-2.0 & LGPL-2.1+ & MIT)"
LIC_FILES_CHKSUM = "file://nss/COPYING;md5=3b1e88e1b9c0b5a4b2881d46cce06a18 \
file://nss/lib/freebl/mpi/doc/LICENSE;md5=491f158d09d948466afce85d6f1fe18f \
- file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132"
+ file://nss/lib/freebl/mpi/doc/LICENSE-MPL;md5=5d425c8f3157dbf212db2ec53d9e5132 \
+ file://nss/lib/freebl/verified/Hacl_Poly1305_256.c;beginline=1;endline=22;md5=d4096c1e4421ee56e9e0f441a8161f78"
VERSION_DIR = "${@d.getVar('BP').upper().replace('-', '_').replace('.', '_') + '_RTM'}"
@@ -32,7 +33,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://nss-fix-nsinstall-build.patch \
file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
"
-SRC_URI[sha256sum] = "182d2fef629102ae9423aabf2c192242b565cf5098e82c5a26cf70c5e4ea2221"
+SRC_URI[sha256sum] = "d3175427172e9c3a6f1ebc74452cb791590f28191c6a1a443dbc0d87c9df1126"
UPSTREAM_CHECK_URI = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases"
UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>.+)_release_notes"
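Review bot: The NSS tarball is still fetched over plain `http://` (the `SRC_URI` shown in this hunk's header), so the updated `SRC_URI[sha256sum]` is the only integrity control for a crypto library. That pin is only as trustworthy as the download it was computed from. I would switch the scheme so the line starts `SRC_URI = "https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/`. I would also state in the commit message that the new hash was checked against the checksum upstream publishes for the release, if one is available. The `SRC_URI` assignment itself begins outside the hunk.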
@@ -121,8 +122,6 @@ do_compile() {
fi
export NSS_DISABLE_GTESTS=1
- # see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99420
- export NSS_ENABLE_WERROR=0
# We can modify CC in the environment, but if we set it via an
# argument to make, nsinstall, a host program, will also build with it!
#
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch
deleted file mode 100644
index b5bfcd025a..0000000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0001-syslog-ng-fix-segment-fault-during-service-start.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Subject: [PATCH] syslog-ng: fix segment fault during service start on arm64
-
-service start failed since segment fault on arch arm64,
-syslog-ng have a submodule ivykis, from ivykis V0.42,
-it use pthread_atfork, but for arm64, this symbol is
-not included by libpthread, so cause segment fault.
-
-refer systemd, replace pthread_atfork with __register_atfork
-to fix this problem.
-
-I have create an issue, and this proposal to upstream.
-https://github.com/buytenh/ivykis/issues/15
-
-Upstream-Status: Pending
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
-
-Update for 3.24.1.
-Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
----
- lib/ivykis/src/pthr.h | 23 ++++++++++++-----------
- 1 file changed, 12 insertions(+), 11 deletions(-)
-
-diff --git a/lib/ivykis/src/pthr.h b/lib/ivykis/src/pthr.h
-index 29e4be7..5d29096 100644
---- a/lib/ivykis/src/pthr.h
-+++ b/lib/ivykis/src/pthr.h
-@@ -24,6 +24,16 @@
- #include <pthread.h>
- #include <signal.h>
-
-+#ifdef __GLIBC__
-+/* We use glibc __register_atfork() + __dso_handle directly here, as they are not included in the glibc
-+ * headers. __register_atfork() is mostly equivalent to pthread_atfork(), but doesn't require us to link against
-+ * libpthread, as it is part of glibc anyway. */
-+extern int __register_atfork(void (*prepare) (void), void (*parent) (void), void (*child) (void), void * __dso_handle);
-+extern void* __dso_handle __attribute__ ((__weak__));
-+#else
-+#define __register_atfork(prepare,parent,child,dso) pthread_atfork(prepare,parent,child)
-+#endif
-+
- #ifdef HAVE_PRAGMA_WEAK
- #pragma weak pthread_create
- #endif
-@@ -36,16 +46,7 @@ static inline int pthreads_available(void)
-
- #ifdef HAVE_PRAGMA_WEAK
-
--/*
-- * On Linux, pthread_atfork() is defined in libc_nonshared.a (for
-- * glibc >= 2.28) or libpthread_nonshared.a (for glibc <= 2.27), and
-- * we want to avoid "#pragma weak" for that symbol because that causes
-- * it to be undefined even if you link lib*_nonshared.a in explicitly.
-- */
--#if !defined(HAVE_LIBC_NONSHARED) && !defined(HAVE_LIBPTHREAD_NONSHARED)
--#pragma weak pthread_atfork
--#endif
--
-+#pragma weak __register_atfork
- #pragma weak pthread_create
- #pragma weak pthread_detach
- #pragma weak pthread_getspecific
-@@ -73,7 +74,7 @@ static inline int
- pthr_atfork(void (*prepare)(void), void (*parent)(void), void (*child)(void))
- {
- if (pthreads_available())
-- return pthread_atfork(prepare, parent, child);
-+ return __register_atfork(prepare, parent, child, __dso_handle);
-
- return ENOSYS;
- }
---
-2.7.4
-
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch
new file mode 100644
index 0000000000..b2683350bb
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0002-scl-fix-wrong-ownership-during-installation.patch
@@ -0,0 +1,30 @@
+From 7a8c458b7acf4732af74317f8a535077eb451b1e Mon Sep 17 00:00:00 2001
+From: Ming Liu <ming.liu@windriver.com>
+Date: Thu, 17 Jul 2014 05:37:08 -0400
+Subject: [PATCH] scl: fix wrong ownership during installation
+
+The ownership of build user is preserved for some target files, fixed it by
+adding --no-same-owner option to tar when extracting files.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+
+Upstream-Status: Backport [9045908]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ scl/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scl/Makefile.am b/scl/Makefile.am
+index 940a467..3c19e50 100644
+--- a/scl/Makefile.am
++++ b/scl/Makefile.am
+@@ -51,7 +51,7 @@ scl-install-data-local:
+ fi; \
+ done
+ $(mkinstalldirs) $(DESTDIR)/$(scldir)
+- (cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf -)
++ (cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf - --no-same-owner)
+ chmod -R u+rwX $(DESTDIR)/$(scldir)
+
+ scl-uninstall-local:
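Review bot: The provenance line `Upstream-Status: Backport [9045908]` gives only an abbreviated commit id and no repository, so the backport cannot be checked against upstream without guessing where to look. The v4l-utils patch added in this same commit uses a full URL, and this one should follow the same form, for example `Upstream-Status: Backport [https://github.com/syslog-ng/syslog-ng/commit/<full-commit-id>]` with the real 40-character id filled in. Separately, the rewritten line keeps `cd $(srcdir)/scl; tar cf -`, where a failed `cd` would still run `tar` from the wrong directory. `&&` would be safer, but that line comes from upstream and is better fixed there.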
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch
new file mode 100644
index 0000000000..a8be7d81d6
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/0005-.py-s-python-python3-exclude-tests.patch
@@ -0,0 +1,53 @@
+From b64fcc414316592968f181c85447cfd01d1e461e Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Thu, 15 Apr 2021 13:48:19 -0400
+Subject: [PATCH] *.py: s/python/python3/ (exclude tests)
+
+As stated by https://github.com/syslog-ng/syslog-ng/pull/3603
+python2 is EOL.
+
+Fix all shebangs calling python instead of python3
+except the tests.
+
+(correcting lib/merge-grammar.py)
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+(adding the rest)
+Upstream-Status: Submitted [https://github.com/syslog-ng/syslog-ng/pull/3647]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ contrib/scripts/config-graph-json-to-dot.py | 2 +-
+ lib/merge-grammar.py | 2 +-
+ modules/python/pylib/setup.py | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/scripts/config-graph-json-to-dot.py b/contrib/scripts/config-graph-json-to-dot.py
+index 4955c81..0351a9a 100755
+--- a/contrib/scripts/config-graph-json-to-dot.py
++++ b/contrib/scripts/config-graph-json-to-dot.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ import json, sys
+
+ j = None
+diff --git a/lib/merge-grammar.py b/lib/merge-grammar.py
+index 7313ff5..459712d 100755
+--- a/lib/merge-grammar.py
++++ b/lib/merge-grammar.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ #############################################################################
+ # Copyright (c) 2010-2017 Balabit
+ #
+diff --git a/modules/python/pylib/setup.py b/modules/python/pylib/setup.py
+index 23bb5cc..a2fa05e 100755
+--- a/modules/python/pylib/setup.py
++++ b/modules/python/pylib/setup.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env python
++#!/usr/bin/env python3
+ #############################################################################
+ # Copyright (c) 2015-2016 Balabit
+ #
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch
deleted file mode 100644
index 4f8a3d0775..0000000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/configure.ac-add-option-enable-thread-tls-to-manage-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-configure.ac: add option --enable-thread-tls to manage thread ssl support
-
-Add option --enable-thread-tls to manage the including of thread
-local storage, so we could explicitly disable it.
-
-Upstream-Status: Pending
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- configure.ac | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-Index: syslog-ng-3.15.1/configure.ac
-===================================================================
---- syslog-ng-3.15.1.orig/configure.ac
-+++ syslog-ng-3.15.1/configure.ac
-@@ -190,6 +190,9 @@ AC_ARG_ENABLE(gprof,
- AC_ARG_ENABLE(memtrace,
- [ --enable-memtrace Enable alternative leak debugging code.])
-
-+AC_ARG_ENABLE(thread-tls,
-+ [ --enable-thread-tls Enable Thread Local Storage support.],,enable_thread_tls="no")
-+
- AC_ARG_ENABLE(dynamic-linking,
- [ --enable-dynamic-linking Link everything dynamically.],,enable_dynamic_linking="auto")
-
-@@ -591,12 +594,14 @@ dnl ***************************************************************************
- dnl Is the __thread keyword available?
- dnl ***************************************************************************
-
--AC_LINK_IFELSE([AC_LANG_PROGRAM(
--[[#include <pthread.h>
--__thread int a;
--]],
--[a=0;])],
--[ac_cv_have_tls=yes; AC_DEFINE_UNQUOTED(HAVE_THREAD_KEYWORD, 1, "Whether Thread Local Storage is supported by the system")])
-+if test "x$enable_thread_tls" != "xno"; then
-+ AC_LINK_IFELSE([AC_LANG_PROGRAM(
-+ [[#include <pthread.h>
-+ __thread int a;
-+ ]],
-+ [a=0;])],
-+ [ac_cv_have_tls=yes; AC_DEFINE_UNQUOTED(HAVE_THREAD_KEYWORD, 1, "Whether Thread Local Storage is supported by the system")])
-+fi
-
- dnl ***************************************************************************
- dnl How to do static linking?
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch
deleted file mode 100644
index 4ad0afa954..0000000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-config-libnet.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Subject: [PATCH] add libnet enable option
-
-Upstream-Status: Pending
-
-This would avoid a implicit auto-detecting result.
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
-Update for 3.24.1.
-Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
----
- configure.ac | 28 ++++++++++++++++------------
- 1 file changed, 16 insertions(+), 12 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 00eb566..e7d5ac1 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -143,6 +143,9 @@ AC_CONFIG_HEADERS(config.h)
- dnl ***************************************************************************
- dnl Arguments
-
-+AC_ARG_ENABLE(libnet,
-+ [ --enable-libnet Enable libnet support.],, enable_libnet="no")
-+
- AC_ARG_WITH(libnet,
- [ --with-libnet=path use path to libnet-config script],
- ,
-@@ -1047,19 +1050,20 @@ dnl ***************************************************************************
- dnl libnet headers/libraries
- dnl ***************************************************************************
- AC_MSG_CHECKING(for LIBNET)
--if test "x$with_libnet" = "x"; then
-- LIBNET_CONFIG="`which libnet-config`"
--else
-- LIBNET_CONFIG="$with_libnet/libnet-config"
--fi
-+if test "x$enable_libnet" = xyes; then
-+ if test "x$with_libnet" = "x"; then
-+ LIBNET_CONFIG="`which libnet-config`"
-+ else
-+ LIBNET_CONFIG="$with_libnet/libnet-config"
-+ fi
-
--if test -n "$LIBNET_CONFIG" -a -x "$LIBNET_CONFIG"; then
-- LIBNET_CFLAGS="`$LIBNET_CONFIG --defines`"
-- LIBNET_LIBS="`$LIBNET_CONFIG --libs`"
-- AC_MSG_RESULT(yes)
--dnl libnet-config does not provide the _DEFAULT_SOURCE define, that can cause warning during build
--dnl as upstream libnet-config does uses _DEFAULT_SOURCE this is just a fix till
-- LIBNET_CFLAGS="$LIBNET_CFLAGS -D_DEFAULT_SOURCE"
-+ if test -n "$LIBNET_CONFIG" -a -x "$LIBNET_CONFIG"; then
-+ LIBNET_CFLAGS="`$LIBNET_CONFIG --defines`"
-+ LIBNET_LIBS="`$LIBNET_CONFIG --libs`"
-+ AC_MSG_RESULT(yes)
-+ else
-+ AC_MSG_ERROR([Could not find libnet, and libnet support was explicitly enabled.])
-+ fi
-
- else
- LIBNET_LIBS=
---
-2.7.4
-
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch
deleted file mode 100644
index 54ecce57e3..0000000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/fix-invalid-ownership.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-syslog-ng: fix wrong ownership issue
-
-Upstream-Status: Pending
-
-The ownership of build user is preserved for some target files, fixed it by
-adding --no-same-owner option to tar when extracting files.
-
-Signed-off-by: Ming Liu <ming.liu@windriver.com>
----
- scl/Makefile.am | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-Index: syslog-ng-3.8.1/scl/Makefile.am
-===================================================================
---- syslog-ng-3.8.1.orig/scl/Makefile.am
-+++ syslog-ng-3.8.1/scl/Makefile.am
-@@ -27,7 +27,7 @@ scl-install-data-local:
- fi; \
- done
- $(mkinstalldirs) $(DESTDIR)/$(scldir)
-- (cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf -)
-+ (cd $(srcdir)/scl; tar cf - $(SCL_SUBDIRS)) | (cd $(DESTDIR)/$(scldir) && tar xf - --no-same-owner)
- chmod -R u+rwX $(DESTDIR)/$(scldir)
-
- scl-uninstall-local:
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch
deleted file mode 100644
index 35d967753e..0000000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/shebang.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-syslog-ng: change shebang to use python3
-
-Correct shebang for python3. This is far from the only python file with an out of date shebang,
-but it is the only one that winds up on a target.
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-
---- a/lib/merge-grammar.py
-+++ b/lib/merge-grammar.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
- #############################################################################
- # Copyright (c) 2010-2017 Balabit
- #
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
index 6a86276724..b63f46ddc3 100644
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.systemd
@@ -1,4 +1,4 @@
-@version: 3.24
+@version: 3.31
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation. Originally written by anonymous (I can't find his name)
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
index 32b98610dc..07cd3b0868 100644
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/files/syslog-ng.conf.sysvinit
@@ -1,4 +1,4 @@
-@version: 3.24
+@version: 3.31
#
# Syslog-ng configuration file, compatible with default Debian syslogd
# installation. Originally written by anonymous (I can't find his name)
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc
index 818cad5bcd..80c5099731 100644
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng.inc
@@ -10,7 +10,7 @@ ideal for firewalled environments. \
HOMEPAGE = "http://www.balabit.com/network-security/syslog-ng/opensource-logging-system"
LICENSE = "GPLv2 & LGPLv2.1"
-LIC_FILES_CHKSUM = "file://COPYING;md5=24c0c5cb2c83d9f2ab725481e4df5240"
+LIC_FILES_CHKSUM = "file://COPYING;md5=189c3826d32deaf83ad8d0d538a10023"
# util-linux added to get libuuid
DEPENDS = "libpcre flex glib-2.0 openssl util-linux bison-native"
@@ -22,7 +22,6 @@ SRC_URI = "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.ta
file://syslog-ng.conf.sysvinit \
file://initscript \
file://volatiles.03_syslog-ng \
- file://configure.ac-add-option-enable-thread-tls-to-manage-.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/balabit/syslog-ng/releases"
@@ -42,12 +41,8 @@ EXTRA_OECONF = " \
--disable-python \
--disable-java --disable-java-modules \
--with-pidfile-dir=${localstatedir}/run/${BPN} \
- ${CONFIG_TLS} \
"
-CONFIG_TLS = "--enable-thread-tls"
-CONFIG_TLS_arm = "${@oe.utils.conditional( "DEBUG_BUILD", "1", " --disable-thread-tls", " --enable-thread-tls", d )}"
-
PACKAGECONFIG ??= " \
${@bb.utils.filter('DISTRO_FEATURES', 'ipv6 systemd', d)} \
"
@@ -55,7 +50,7 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,,"
PACKAGECONFIG[systemd] = "--enable-systemd --with-systemdsystemunitdir=${systemd_unitdir}/system/,--disable-systemd --without-systemdsystemunitdir,systemd,"
PACKAGECONFIG[linux-caps] = "--enable-linux-caps,--disable-linux-caps,libcap,"
PACKAGECONFIG[dbi] = "--enable-sql,--disable-sql,libdbi,"
-PACKAGECONFIG[libnet] = "--enable-libnet --with-libnet=${STAGING_BINDIR_CROSS},--disable-libnet,libnet,"
+PACKAGECONFIG[spoof-source] = "--enable-spoof-source --with-libnet=${STAGING_BINDIR_CROSS},--disable-spoof-source,libnet,"
PACKAGECONFIG[http] = "--enable-http,--disable-http,curl,"
PACKAGECONFIG[smtp] = "--enable-smtp --with-libesmtp=${STAGING_LIBDIR},--disable-smtp,libesmtp,"
PACKAGECONFIG[json] = "--enable-json,--disable-json,json-c,"
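Review bot: Renaming the `PACKAGECONFIG[libnet]` key to `spoof-source` means any distro config or bbappend that still enables `libnet` now selects nothing. The build then passes neither `--enable-spoof-source` nor `--disable-spoof-source` for it, which matters on a stable branch. The new name also says little to someone who has not read the syslog-ng documentation. I would add a comment above the line such as `# spoof-source: forward UDP messages with the original sender's address as source (needs libnet); was PACKAGECONFIG[libnet] before 3.31` and mention the rename in the commit message. Keeping it out of the default `PACKAGECONFIG` (as the `??=` assignment in the previous hunk does) is the right default for a feature that forges source addresses.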
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb
deleted file mode 100644
index 10bf00fdce..0000000000
--- a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.24.1.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-require syslog-ng.inc
-
-# We only want to add stuff we need to the defaults provided in syslog-ng.inc.
-#
-SRC_URI += " \
- file://fix-config-libnet.patch \
- file://fix-invalid-ownership.patch \
- file://syslog-ng.service-the-syslog-ng-service.patch \
- file://0001-syslog-ng-fix-segment-fault-during-service-start.patch \
- file://shebang.patch \
- file://syslog-ng-tmp.conf \
- "
-
-SRC_URI[md5sum] = "ef9de066793f7358af7312b964ac0450"
-SRC_URI[sha256sum] = "d4d0a0357b452be96b69d6f741129275530d8f0451e35adc408ad5635059fa3d"
diff --git a/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb
new file mode 100644
index 0000000000..5d2b7f77ea
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-support/syslog-ng/syslog-ng_3.31.2.bb
@@ -0,0 +1,16 @@
+require syslog-ng.inc
+
+# We only want to add stuff we need to the defaults provided in syslog-ng.inc.
+#
+SRC_URI += "https://github.com/balabit/syslog-ng/releases/download/${BP}/${BP}.tar.gz \
+ file://syslog-ng.conf.systemd \
+ file://syslog-ng.conf.sysvinit \
+ file://initscript \
+ file://volatiles.03_syslog-ng \
+ file://syslog-ng-tmp.conf \
+ file://syslog-ng.service-the-syslog-ng-service.patch \
+ file://0002-scl-fix-wrong-ownership-during-installation.patch \
+ file://0005-.py-s-python-python3-exclude-tests.patch \
+ "
+SRC_URI[md5sum] = "69ef4dc5628d5e603e9e4a1b937592f8"
+SRC_URI[sha256sum] = "2eeb8e0dbbcb556fdd4e50bc9f29bc8c66c9b153026f87caa7567bd3139c186a"
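Review bot: This `SRC_URI +=` re-adds the release tarball and the `file://` entries that `syslog-ng.inc` already lists. The tarball URL, `syslog-ng.conf.sysvinit`, `initscript` and `volatiles.03_syslog-ng` are all visible in the `.inc` hunk of this same commit. That contradicts the comment directly above, which says only additions belong here, and it leaves two places to update on the next upgrade, with a stale tarball URL as the likely failure. I would drop the duplicated entries so the assignment starts `SRC_URI += " \` followed by `file://syslog-ng-tmp.conf \` and the three patch lines. `SRC_URI[md5sum]` can go as well, since the sha256 pin is the check that carries weight and other recipes in this commit already drop md5.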
diff --git a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb
index b05a59dc70..7e57ebf555 100644
--- a/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb
+++ b/meta-openembedded/meta-oe/recipes-support/tbb/tbb_2021.2.0.bb
@@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=86d3f3a95c324c9479bd8986968f4327"
DEPENDS_append_libc-musl = " libucontext"
+PE = "1"
+
BRANCH = "onetbb_2021"
SRCREV = "2dba2072869a189b9fdab3ffa431d3ea49059a19"
SRC_URI = "git://github.com/oneapi-src/oneTBB.git;protocol=https;branch=${BRANCH} \
diff --git a/meta-openembedded/meta-perl/README b/meta-openembedded/meta-perl/README
index 67f291079f..7b177bada8 100644
--- a/meta-openembedded/meta-perl/README
+++ b/meta-openembedded/meta-perl/README
@@ -52,7 +52,7 @@ Dependencies
This layer depends on:
URI: git://git.openembedded.org/openembedded-core
- branch: master
+ branch: hardknott
revision: HEAD
prio: default
@@ -75,14 +75,12 @@ Maintenance
-----------
Send patches / pull requests to openembedded-devel@lists.openembedded.org with
-'[meta-perl]' in the subject.
+'[meta-perl][hardknott]' in the subject.
When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-perl][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-perl][hardknott][PATCH'
-Layer maintainers:
- Hongxu Jia <hongxu.jia@windriver.com>
- Tim "moto-timo" Orling <ticotimo@gmail.com>
+hardknott maintainers: Armin kuster <akuster808@gmail.com>
License
-------
diff --git a/meta-openembedded/meta-python/README b/meta-openembedded/meta-python/README
index ca0a290d9f..904d2f9636 100644
--- a/meta-openembedded/meta-python/README
+++ b/meta-openembedded/meta-python/README
@@ -13,12 +13,12 @@ The meta-python layer depends on:
URI: git://git.openembedded.org/openembedded-core
layers: meta
- branch: master
+ branch: hardknott
revision: HEAD
URI: git://git.openembedded.org/meta-openembedded
layers: meta-oe
- branch: master
+ branch: hardknott
revision: HEAD
Please follow the recommended setup procedures of your OE distribution.
@@ -35,16 +35,12 @@ comments and patch review. It is subscriber only, so please register
before posting.
Send pull requests to openembedded-devel@lists.openembedded.org with
-'[meta-python]' in the subject.
+'[meta-python][hardknott]' in the subject.
When sending single patches, please use something like:
-'git send-email -M -1 --to=openembedded-devel@lists.openembedded.org --subject-prefix=meta-python][PATCH'
+'git send-email -M -1 --to=openembedded-devel@lists.openembedded.org --subject-prefix=meta-python][hardknott][PATCH'
Maintenance
-------------------------
-Layer Maintainers:
- Tim "moto-timo" Orling <TicoTimo@gmail.com>
- Derek Straka <derek@asterius.io>
- Trevor Gamblin <trevor.gamblin@windriver.com>
-
+hardknott Maintainers: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.0.bb b/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.1.bb
index 4a936b49af..2d46e96112 100644
--- a/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.0.bb
+++ b/meta-openembedded/meta-python/recipes-connectivity/python-hyperframe/python3-hyperframe_6.0.1.bb
@@ -4,7 +4,6 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5bf1c68e73fbaec2b1687b7e71514393"
-SRC_URI[md5sum] = "30136a712e092b1a45ae3cad3ae93131"
-SRC_URI[sha256sum] = "742d2a4bc3152a340a49d59f32e33ec420aa8e7054c1444ef5c7efff255842f1"
+SRC_URI[sha256sum] = "ae510046231dc8e9ecb1a6586f63d2347bf4c8905914aa84ba585ae85f28a914"
inherit pypi setuptools3
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.4.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.5.bb
index c2149336fd..429a56bae6 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.4.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-asttokens_2.0.5.bb
@@ -7,7 +7,7 @@ PYPI_PACKAGE = "asttokens"
inherit pypi setuptools3
-SRC_URI[sha256sum] = "a42e57e28f2ac1c85ed9b1f84109401427e5c63c04f61d15b8842b027eec5128"
+SRC_URI[sha256sum] = "9a54c114f02c7a9480d56550932546a3f1fe71d8a02f1bc7ccd0ee3ee35cf4d5"
DEPENDS += "\
python3-setuptools-scm-native \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.2.bb
index 79a7ac1bf9..0a36ffe1bd 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-cryptography_3.3.2.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=bf405a8056a6647e7d077b0e7bc36aba"
LDSHARED += "-pthread"
-SRC_URI[sha256sum] = "7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6"
+SRC_URI[sha256sum] = "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed"
SRC_URI += " \
file://run-ptest \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
deleted file mode 100644
index 0715abbd4c..0000000000
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.16.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-require python-django.inc
-inherit setuptools3
-
-SRC_URI[md5sum] = "93faf5bbd54a19ea49f4932a813b9758"
-SRC_URI[sha256sum] = "62cf45e5ee425c52e411c0742e641a6588b7e8af0d2c274a27940931b2786594"
-
-RDEPENDS_${PN} += "\
- ${PYTHON_PN}-sqlparse \
-"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
new file mode 100644
index 0000000000..905d022a4f
--- /dev/null
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-django_2.2.20.bb
@@ -0,0 +1,9 @@
+require python-django.inc
+inherit setuptools3
+
+SRC_URI[md5sum] = "947060d96ccc0a05e8049d839e541b25"
+SRC_URI[sha256sum] = "2569f9dc5f8e458a5e988b03d6b7a02bda59b006d6782f4ea0fd590ed7336a64"
+
+RDEPENDS_${PN} += "\
+ ${PYTHON_PN}-sqlparse \
+"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.42.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.43.bb
index 25defabc51..dbb6a8d8f6 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.42.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pysonos_0.0.43.bb
@@ -4,7 +4,7 @@ SECTION = "devel/python"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=07b0e2ca9ac77cd65cd4edf2e13367ea"
-SRC_URI[sha256sum] = "20b45fa1779a01325e67822d243e1a3f7657d8b515308d84c1eb3c805cc3bdb5"
+SRC_URI[sha256sum] = "47be2b37defc856f15d7e7a419cfb939e9822750efe968db192156ebeba31684"
inherit pypi setuptools3
diff --git a/meta-openembedded/meta-webserver/README b/meta-openembedded/meta-webserver/README
index 7b60630700..e525b0b5eb 100644
--- a/meta-openembedded/meta-webserver/README
+++ b/meta-openembedded/meta-webserver/README
@@ -13,14 +13,14 @@ This layer depends on:
URI: git://github.com/openembedded/oe-core.git
subdirectory: meta
-branch: master
+branch: hardknott
revision: HEAD
For some recipes, the meta-oe layer is required:
URI: git://github.com/openembedded/meta-oe.git
subdirectory: meta-oe
-branch: master
+branch: hardknott
revision: HEAD
@@ -52,9 +52,9 @@ Maintenance
-----------
Send patches / pull requests to openembedded-devel@lists.openembedded.org
-with '[meta-webserver]' in the subject.
+with '[meta-webserver][hardknott]' in the subject.
-Layer maintainer: Derek Straka <derek@asterius.io>
+hardknott Maintainer: Armin Kuster <akuster808@gmail.com>
License
diff --git a/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb b/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
index 2fa5bc4a93..ec3334d8f0 100644
--- a/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
+++ b/meta-openembedded/meta-webserver/recipes-core/packagesgroups/packagegroup-meta-webserver.bb
@@ -26,7 +26,6 @@ RDEPENDS_packagegroup-meta-webserver-http = "\
monkey \
nginx \
nginx \
- nostromo \
sthttpd \
"
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb b/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb
index e726c9ac66..f1cf59355d 100644
--- a/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nostromo/nostromo_1.9.9.bb
@@ -62,3 +62,6 @@ pkg_postinst_${PN} () {
fi
fi
}
+
+PNBLACKLIST[nostromo] ?= "Host site for URI is dead"
+EXCLUDE_FROM_WORLD = "1"
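Review bot: `PNBLACKLIST[nostromo]` is a weak `?=` assignment, so a distro or local.conf can clear it, and the reason string only says the host is dead without saying what that means for someone who re-enables the recipe. Since this recipe packages a network-facing HTTP server, a comment above the two added lines such as `# Upstream download host is gone: sources cannot be refetched and no upstream fixes can be tracked` would make the consequence explicit. pkg_postinst starts outside this hunk.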
diff --git a/meta-openembedded/meta-xfce/README b/meta-openembedded/meta-xfce/README
index 70ad47a2d1..2ae6f16975 100644
--- a/meta-openembedded/meta-xfce/README
+++ b/meta-openembedded/meta-xfce/README
@@ -1,11 +1,11 @@
This layer depends on:
URI: git://github.com/openembedded/oe-core.git
-branch: master
+branch: hardknott
revision: HEAD
URI: git://github.com/openembedded/meta-oe.git
-branch: master
+branch: hardknott
revision: HEAD
meta-xfce depends on meta-oe, meta-gnome and meta-multimedia in this repository.
@@ -14,9 +14,9 @@ this to local.conf:
BBMASK = "meta-xfce/recipes-multimedia"
-Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-xfce]' in the subject'
+Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-xfce][hardknott]' in the subject'
When sending single patches, please using something like:
-'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-xfce][PATCH'
+'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix=meta-xfce][hardknott][PATCH'
-Layer maintainer: Kai Kang <kai.kang@windriver.com>
+hardknott Maintainer: Armin Kuster <akuster808@gmail.com>
diff --git a/meta-raspberrypi/conf/machine/include/rpi-base.inc b/meta-raspberrypi/conf/machine/include/rpi-base.inc
index 572fe22411..77cada7436 100644
--- a/meta-raspberrypi/conf/machine/include/rpi-base.inc
+++ b/meta-raspberrypi/conf/machine/include/rpi-base.inc
@@ -102,7 +102,7 @@ SERIAL_CONSOLES_CHECK ??= "${SERIAL_CONSOLES}"
BOOTFILES_DIR_NAME ?= "bootfiles"
# Set Raspberrypi splash image
-SPLASH = "psplash-raspberrypi"
+SPLASH ?= "psplash-raspberrypi"
def make_dtb_boot_files(d):
# Generate IMAGE_BOOT_FILES entries for device tree files listed in
diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
index de43c4b367..c4b441182b 100644
--- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
+++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
@@ -118,10 +118,15 @@ do_deploy() {
# Video camera support
if [ "${VIDEO_CAMERA}" = "1" ]; then
- # TODO: It has been observed that Raspberry Pi 4B 4GB may fail to enable the camera if "start_x=1" is at the end
- # of the file. The underlying cause is unknown, but it can be related with a file size limitation affecting
- # this variable. Therefore, "start_x=1" has been set to replace the original occurrence in config.txt,
- # which is at the middle of the file.
+ # It has been observed that Raspberry Pi 4B 4GB may fail to enable the
+ # camera if "start_x=1" is at the end of the file. Therefore,
+ # "start_x=1" has been set to replace the original occurrence in
+ # config.txt, which is at the middle of the file.
+ # The exact underlying cause is unknown. There are similar issues
+ # reported in the raspberrypi/firware repo and the conclusion reached
+ # was that there could be a file size limitation affecting certain
+ # variables. It was commented that this limitation could be 4k but
+ # not proved.
sed -i '/#start_x=/ c\start_x=1' $CONFIG
fi
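Review bot: The rewritten comment misspells the repository it cites, `raspberrypi/firware`, and names no issue, so the "similar issues" it mentions cannot be looked up. It should read `raspberrypi/firmware` and carry the issue reference the author relied on. Separately, the `sed` line below only rewrites an existing `#start_x=` line, so it would presumably do nothing if config.txt ever ships without one; that is worth stating in the same comment. do_deploy begins and ends outside this hunk.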
diff --git a/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules b/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
index 6bf019bd15..ddd1e1743e 100644
--- a/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
+++ b/meta-raspberrypi/recipes-core/udev/udev-rules-rpi/99-com.rules
@@ -1,8 +1,8 @@
KERNEL=="ttyAMA[01]", PROGRAM="/bin/sh -c '\
ALIASES=/proc/device-tree/aliases; \
- if cmp -s $ALIASES/uart0 $ALIASES/serial0; then \
+ if cmp -s $$ALIASES/uart0 $$ALIASES/serial0; then \
echo 0;\
- elif cmp -s $ALIASES/uart0 $ALIASES/serial1; then \
+ elif cmp -s $$ALIASES/uart0 $$ALIASES/serial1; then \
echo 1; \
else \
exit 1; \
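Review bot: Nothing in the rules file records why the shell variable is now written `$$ALIASES`, so a later edit can easily reintroduce the single `$`. udev treats `$` as the start of its own substitution and `$$` as a literal dollar sign, which is what lets `/bin/sh` see `$ALIASES`. A comment above the first rule such as `# "$$" is udev's escape for a literal "$", so the shell receives $ALIASES` would capture that. The same applies to the ttyS0 rule in the next hunk; both rules continue past the end of their hunks.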
@@ -11,9 +11,9 @@ KERNEL=="ttyAMA[01]", PROGRAM="/bin/sh -c '\
KERNEL=="ttyS0", PROGRAM="/bin/sh -c '\
ALIASES=/proc/device-tree/aliases; \
- if cmp -s $ALIASES/uart1 $ALIASES/serial0; then \
+ if cmp -s $$ALIASES/uart1 $$ALIASES/serial0; then \
echo 0; \
- elif cmp -s $ALIASES/uart1 $ALIASES/serial1; then \
+ elif cmp -s $$ALIASES/uart1 $$ALIASES/serial1; then \
echo 1; \
else \
exit 1; \
diff --git a/meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend b/meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend
new file mode 100644
index 0000000000..56ff4213aa
--- /dev/null
+++ b/meta-raspberrypi/recipes-graphics/libva/libva_%.bbappend
@@ -0,0 +1,3 @@
+# when using userland graphic KHR/khrplatform.h is provided by userland but virtual/libgl is provided by mesa-gl where
+# we explicitly delete KHR/khrplatform.h since its already coming from userland package
+DEPENDS_append_rpi = " ${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '', 'userland', d)}"
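Review bot: The comment above the new `DEPENDS_append_rpi` line does not state the condition the expression encodes: `userland` is appended only when `vc4graphics` is absent from MACHINE_FEATURES. A one-line form such as `# Without vc4graphics, KHR/khrplatform.h comes from userland (mesa-gl deletes its copy), so libva must depend on userland` says the same thing and is easier to check against the code.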
diff --git a/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb b/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb
index 310d2f8446..d28e2c126c 100644
--- a/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb
+++ b/meta-raspberrypi/recipes-kernel/bluez-firmware-rpidistro/bluez-firmware-rpidistro_git.bb
@@ -16,7 +16,7 @@ SECTION = "kernel"
# [^1]: https://github.com/RPi-Distro/bluez-firmware/issues/1
LICENSE = "Firmware-cypress-rpidistro"
LIC_FILES_CHKSUM = "\
- file://LICENCE.cypress-rpidistro;md5=852f9d10cbedba1f6c439729bd0617b4 \
+ file://LICENCE.cypress-rpidistro;md5=c5d12ae0b24ef7177902a8e288751a4e \
"
# These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -24,8 +24,8 @@ LIC_FILES_CHKSUM = "\
NO_GENERIC_LICENSE[Firmware-cypress-rpidistro] = "LICENCE.cypress-rpidistro"
SRC_URI = "git://github.com/RPi-Distro/bluez-firmware"
-SRCREV = "96eefffcccc725425fd83be5e0704a5c32b79e54"
-PV = "0.0+git${SRCPV}"
+SRCREV = "e7fd166981ab4bb9a36c2d1500205a078a35714d"
+PV = "1.2-4+rpt8"
S = "${WORKDIR}/git"
@@ -55,11 +55,15 @@ do_install() {
PACKAGES = "\
${PN}-cypress-license \
${PN}-bcm43430a1-hcd \
+ ${PN}-bcm43430b0-hcd \
${PN}-bcm4345c0-hcd \
+ ${PN}-bcm4345c5-hcd \
"
LICENSE_${PN}-bcm43430a1-hcd = "Firmware-cypress-rpidistro"
+LICENSE_${PN}-bcm43430b0-hcd = "Firmware-cypress-rpidistro"
LICENSE_${PN}-bcm4345c0-hcd = "Firmware-cypress-rpidistro"
+LICENSE_${PN}-bcm4345c5-hcd = "Firmware-cypress-rpidistro"
LICENSE_${PN}-cypress-license = "Firmware-cypress-rpidistro"
FILES_${PN}-cypress-license = "\
@@ -68,16 +72,28 @@ FILES_${PN}-cypress-license = "\
FILES_${PN}-bcm43430a1-hcd = "\
${nonarch_base_libdir}/firmware/brcm/BCM43430A1.hcd \
"
+FILES_${PN}-bcm43430b0-hcd = "\
+ ${nonarch_base_libdir}/firmware/brcm/BCM43430B0.hcd \
+"
FILES_${PN}-bcm4345c0-hcd = "\
${nonarch_base_libdir}/firmware/brcm/BCM4345C0.hcd \
"
+FILES_${PN}-bcm4345c5-hcd = "\
+ ${nonarch_base_libdir}/firmware/brcm/BCM4345C5.hcd \
+"
RDEPENDS_${PN}-bcm43430a1-hcd += "${PN}-cypress-license"
+RDEPENDS_${PN}-bcm43430b0-hcd += "${PN}-cypress-license"
RDEPENDS_${PN}-bcm4345c0-hcd += "${PN}-cypress-license"
+RDEPENDS_${PN}-bcm4345c5-hcd += "${PN}-cypress-license"
RCONFLICTS_${PN}-bcm43430a1-hcd = "linux-firmware-bcm43430a1-hcd"
RREPLACES_${PN}-bcm43430a1-hcd = "linux-firmware-bcm43430a1-hcd"
+RCONFLICTS_${PN}-bcm43430b0-hcd = "linux-firmware-bcm43430b0-hcd"
+RREPLACES_${PN}-bcm43430b0-hcd = "linux-firmware-bcm43430b0-hcd"
RCONFLICTS_${PN}-bcm43435c0-hcd = "linux-firmware-bcm4345c0-hcd"
RREPLACES_${PN}-bcm43435c0-hcd = "linux-firmware-bcm4345c0-hcd"
+RCONFLICTS_${PN}-bcm43435c5-hcd = "linux-firmware-bcm4345c5-hcd"
+RREPLACES_${PN}-bcm43435c5-hcd = "linux-firmware-bcm4345c5-hcd"
# Firmware files are generally not run on the CPU, so they can be
# allarch despite being architecture specific
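Review bot: The two added relation lines for the C5 firmware are keyed on `${PN}-bcm43435c5-hcd`, which does not match the package declared in PACKAGES, `${PN}-bcm4345c5-hcd`. The conflict/replace relation with `linux-firmware-bcm4345c5-hcd` is therefore presumably never attached to the real package. They should read `RCONFLICTS_${PN}-bcm4345c5-hcd = "linux-firmware-bcm4345c5-hcd"` and `RREPLACES_${PN}-bcm4345c5-hcd = "linux-firmware-bcm4345c5-hcd"`. The existing `bcm43435c0` lines just above carry the same misspelling and look like the source of the copy.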
diff --git a/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb b/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
index 671dfa20bc..a091585a55 100644
--- a/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
+++ b/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
@@ -36,8 +36,8 @@ NO_GENERIC_LICENSE[WHENCE] = "WHENCE"
SRC_URI = "git://github.com/RPi-Distro/firmware-nonfree"
-SRCREV = "b66ab26cebff689d0d3257f56912b9bb03c20567"
-PV = "20190114-1+rpt10"
+SRCREV = "83938f78ca2d5a0ffe0c223bb96d72ccc7b71ca5"
+PV = "20190114-1+rpt11"
S = "${WORKDIR}/git"
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index f673ef6988..32110253c4 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -1,33 +1,76 @@
-stages:
- - build
-
-.build:
- stage: build
- image: crops/poky
- before_script:
+.before-my-script: &before-my-script
- echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
- echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
- export PATH=~/.local/bin:$PATH
- wget https://bootstrap.pypa.io/get-pip.py
- python3 get-pip.py
- python3 -m pip install kas
- after_script:
+
+.after-my-script: &after-my-script
- cd $CI_PROJECT_DIR/poky
- . ./oe-init-build-env $CI_PROJECT_DIR/build
- for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
- send-error-report -y tmp/log/error-report/$x
- done
- - cd $CI_PROJECT_DIR
- - rm -rf build
- cache:
- paths:
- - layers
+ - rm -fr $CI_PROJECT_DIR/build
+
+
+stages:
+ - build
+ - parsec
+ - multi
+ - alt
+ - musl
+ - test
+
+.build:
+ before_script:
+ - *before-my-script
+ stage: build
+ after_script:
+ - *after-my-script
+
+.parsec:
+ before_script:
+ - *before-my-script
+ stage: parsec
+ after_script:
+ - *after-my-script
+
+
+.multi:
+ before_script:
+ - *before-my-script
+ stage: multi
+ after_script:
+ - *after-my-script
+
+.alt:
+ before_script:
+ - *before-my-script
+ stage: alt
+ after_script:
+ - *after-my-script
+
+.musl:
+ before_script:
+ - *before-my-script
+ stage: musl
+ after_script:
+ - *after-my-script
+
+.test:
+ before_script:
+ - *before-my-script
+ stage: test
+ after_script:
+ - *after-my-script
+
qemux86:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
- kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
- kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
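Review bot: None of the new templates (`.build`, `.parsec`, `.multi`, `.alt`, `.musl`, `.test`) sets `image:`, so with `image: crops/poky` removed the jobs run in whatever environment the runner defaults to. Meanwhile `before-my-script` still downloads `get-pip.py` and installs an unpinned `kas` on every run. Unless the runners are shell executors with a fixed toolchain, keeping the image in a top-level `default:` block and pinning the tool, e.g. `python3 -m pip install kas==<pinned-version>`, would make the build inputs reviewable. The six templates also differ only in `stage:`, so one hidden template with `stage` set per job would remove the duplication.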
@@ -35,8 +78,7 @@ qemux86:
qemux86-64:
extends: .build
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image"
- kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
@@ -44,20 +86,17 @@ qemuarm:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
qemuarm64:
extends: .build
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image"
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
qemuppc:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
qemumips64:
extends: .build
@@ -69,61 +108,58 @@ qemuriscv64:
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemux86-64-tpm:
- extends: .build
- script:
- - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml
- - kas build --target security-tpm2-image kas/$CI_JOB_NAME2.yml
-
-qemuarm64-tpm2:
- extends: .build
- script:
- - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
-
qemuarm64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemuarm64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemumips64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemumips64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-musl:
- extends: .build
+ extends: .musl
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemuarm64-musl:
- extends: .build
+ extends: .musl
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-test:
- extends: .build
+ extends: .test
allow_failure: true
script:
- kas build --target security-test-image kas/$CI_JOB_NAME.yml
- kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+parsec:
+ extends: .parsec
+ script:
+ - kas build --target security-build-image kas/qemuarm-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemuarm64-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemux86-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemux86-64-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemuppc-$CI_JOB_NAME.yml
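Review bot: The new `parsec` job runs five `kas build` commands back to back, and a GitLab job stops at the first failing script line, so a failure on `qemuarm` leaves the other four machines unbuilt. The `bitbake -k` used for the combined image builds earlier in this commit suggests keep-going behaviour is wanted elsewhere. One job per machine through `parallel:matrix` would report each machine separately, assuming the serialisation is not deliberate to save runner time. The variable is named `PARSEC_MACHINE` here so that it cannot collide with the build's own `MACHINE`.

```yaml
parsec:
  extends: .parsec
  parallel:
    matrix:
      - PARSEC_MACHINE: [qemuarm, qemuarm64, qemux86, qemux86-64, qemuppc]
  script:
    - kas build --target security-build-image kas/$PARSEC_MACHINE-parsec.yml
```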
diff --git a/meta-security/README b/meta-security/README
index eb15366753..f223feef03 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -11,19 +11,28 @@ This layer depends on:
URI: git://git.openembedded.org/openembedded-core
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-perl
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-python
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-networking
branch: master
-
+ revision: HEAD
+ prio: default
Adding the security layer to your build
========================================
@@ -42,23 +51,11 @@ other layers needed. e.g.:
/path/to/meta-openembedded/meta-perl \
/path/to/meta-openembedded/meta-python \
/path/to/meta-openembedded/meta-networking \
- /path/to/layer/meta-security "
-
-Optional Rust dependancy
-======================================
-If you want to use the latest Suricata that needs rust, you will need to clone
-
- URI: https://github.com/meta-rust/meta-rust.git
- branch: master
-
- BBLAYERS += "/path/to/layer/meta-rust"
-
-This will activate the dynamic-layer mechanism and pull in the newer suricata
-
+ /path/to/layer/meta-security \
Maintenance
-======================================
+-----------
Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 906e024407..fd21da1eba 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -12,7 +12,3 @@ BBFILE_PRIORITY_security = "8"
LAYERSERIES_COMPAT_security = "hardknott"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
-
-BBFILES_DYNAMIC += " \
-rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
-"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
deleted file mode 100644
index fc44ce68f5..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Skip pkg Makefile from using its own rust steps
-
-Upstream-Status: OE Specific
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: suricata-6.0.2/Makefile.am
-===================================================================
---- suricata-6.0.2.orig/Makefile.am
-+++ suricata-6.0.2/Makefile.am
-@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- $(SURICATA_UPDATE_DIR) \
- lua \
- acsite.m4
--SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
-+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
- $(SURICATA_UPDATE_DIR)
-
- CLEANFILES = stamp-h[0-9]*
-Index: suricata-6.0.2/Makefile.in
-===================================================================
---- suricata-6.0.2.orig/Makefile.in
-+++ suricata-6.0.2/Makefile.in
-@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- lua \
- acsite.m4
-
--SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
-+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
- $(SURICATA_UPDATE_DIR)
-
- CLEANFILES = stamp-h[0-9]*
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
deleted file mode 100644
index 666ba9c954..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-suricata -u
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
deleted file mode 100644
index a99a76ef86..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Suricata IDS/IDP daemon
-After=network.target
-Requires=network.target
-Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-RestrictAddressFamilies=
-ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
-ExecReload=/bin/kill -HUP $MAINPID
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=yes
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
deleted file mode 100644
index 8d06a27449..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
+++ /dev/null
@@ -1,1326 +0,0 @@
-%YAML 1.1
----
-
-# Suricata configuration file. In addition to the comments describing all
-# options in this file, full documentation can be found at:
-# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
-
-
-# Number of packets allowed to be processed simultaneously. Default is a
-# conservative 1024. A higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but may negatively impact caching.
-#
-# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
-# apply. In that case try something like 60000 or more. This is because the CUDA
-# pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
-
-# Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
-# load balancing).
-#runmode: autofp
-
-# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
-#
-# Supported schedulers are:
-#
-# round-robin - Flows assigned to threads in a round robin fashion.
-# active-packets - Flows assigned to threads that have the lowest number of
-# unprocessed packets (default).
-# hash - Flow alloted usihng the address hash. More of a random
-# technique. Was the default in Suricata 1.2.1 and older.
-#
-#autofp-scheduler: active-packets
-
-# If suricata box is a router for the sniffed networks, set it to 'router'. If
-# it is a pure sniffing setup, set it to 'sniffer-only'.
-# If set to auto, the variable is internally switch to 'router' in IPS mode
-# and 'sniffer-only' in IDS mode.
-# This feature is currently only used by the reject* keywords.
-host-mode: auto
-
-# Run suricata as user and group.
-#run-as:
-# user: suri
-# group: suri
-
-# Default pid file.
-# Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
-
-# Daemon working directory
-# Suricata will change directory to this one if provided
-# Default: "/"
-#daemon-directory: "/"
-
-# Preallocated size for packet. Default is 1514 which is the classical
-# size for pcap on ethernet. You should adjust this value to the highest
-# packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
-
-# The default logging directory. Any log or output file will be
-# placed here if its not specified with a full path name. This can be
-# overridden with the -l command line parameter.
-default-log-dir: /var/log/suricata/
-
-# Unix command socket can be used to pass commands to suricata.
-# An external tool can then connect to get information from suricata
-# or trigger some modifications of the engine. Set enabled to yes
-# to activate the feature. You can use the filename variable to set
-# the file name of the socket.
-unix-command:
- enabled: no
- #filename: custom.socket
-
-# Configure the type of alert (and other) logging you would like.
-outputs:
-
- # a line based alerts log similar to Snort's fast.log
- - fast:
- enabled: yes
- filename: fast.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # Extensible Event Format (nicknamed EVE) event log in JSON format
- - eve-log:
- enabled: yes
- type: file #file|syslog|unix_dgram|unix_stream
- filename: eve.json
- # the following are valid when type: syslog above
- #identity: "suricata"
- #facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
- types:
- - alert
- - http:
- extended: yes # enable this for extended logging information
- # custom allows additional http fields to be included in eve-log
- # the example below adds three additional fields when uncommented
- #custom: [Accept-Encoding, Accept-Language, Authorization]
- - dns
- - tls:
- extended: yes # enable this for extended logging information
- - files:
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
- #- drop
- - ssh
-
- # alert output for use with Barnyard2
- - unified2-alert:
- enabled: yes
- filename: unified2.alert
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- #limit: 32mb
-
- # Sensor ID field of unified2 alerts.
- #sensor-id: 0
-
- # HTTP X-Forwarded-For support by adding the unified2 extra header that
- # will contain the actual client IP address or by overwriting the source
- # IP address (helpful when inspecting traffic that is being reversed
- # proxied).
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite". Note
- # that in the "overwrite" mode, if the reported IP address in the HTTP
- # X-Forwarded-For header is of a different version of the packet
- # received, it will fall-back to "extra-data" mode.
- mode: extra-data
- # Header name were the actual IP address will be reported, if more than
- # one IP address is present, the last IP address will be the one taken
- # into consideration.
- header: X-Forwarded-For
-
- # a line based log of HTTP requests (no alerts)
- - http-log:
- enabled: yes
- filename: http.log
- append: yes
- #extended: yes # enable this for extended logging information
- #custom: yes # enabled the custom logging format (defined by customformat)
- #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log of TLS handshake parameters (no alerts)
- - tls-log:
- enabled: no # Log TLS connections.
- filename: tls.log # File to store TLS logs.
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- #extended: yes # Log extended information like fingerprint
- certs-log-dir: certs # directory to store the certificates files
-
- # a line based log of DNS requests and/or replies (no alerts)
- - dns-log:
- enabled: no
- filename: dns.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log to used with pcap file study.
- # this module is dedicated to offline pcap parsing (empty output
- # if used with another kind of input). It can interoperate with
- # pcap parser like wireshark via the suriwire plugin.
- - pcap-info:
- enabled: no
-
- # Packet log... log packets in pcap format. 2 modes of operation: "normal"
- # and "sguil".
- #
- # In normal mode a pcap file "filename" is created in the default-log-dir,
- # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
- # In this base dir the pcaps are created in th directory structure Sguil expects:
- #
- # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
- #
- # By default all packets are logged except:
- # - TCP streams beyond stream.reassembly.depth
- # - encrypted streams after the key exchange
- #
- - pcap-log:
- enabled: no
- filename: log.pcap
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- limit: 1000mb
-
- # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
- max-files: 2000
-
- mode: normal # normal or sguil.
- #sguil-base-dir: /nsm_data/
- #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
-
- # a full alerts log containing much information for signature writers
- # or for investigating suspected false positives.
- - alert-debug:
- enabled: no
- filename: alert-debug.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # alert output to prelude (http://www.prelude-technologies.com/) only
- # available if Suricata has been compiled with --enable-prelude
- - alert-prelude:
- enabled: no
- profile: suricata
- log-packet-content: no
- log-packet-header: yes
-
- # Stats.log contains data from various counters of the suricata engine.
- # The interval field (in seconds) tells after how long output will be written
- # on the log file.
- - stats:
- enabled: yes
- filename: stats.log
- interval: 8
-
- # a line based alerts log similar to fast.log into syslog
- - syslog:
- enabled: no
- # reported identity to syslog. If ommited the program name (usually
- # suricata) will be used.
- #identity: "suricata"
- facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
-
- # a line based information for dropped packets in IPS mode
- - drop:
- enabled: no
- filename: drop.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # output module to store extracted files to disk
- #
- # The files are stored to the log-dir in a format "file.<id>" where <id> is
- # an incrementing number starting at 1. For each file "file.<id>" a meta
- # file "file.<id>.meta" is created.
- #
- # File extraction depends on a lot of things to be fully done:
- # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
- # - http request / response body sizes. Again set to 0 for optimal results.
- # - rules that contain the "filestore" keyword.
- - file-store:
- enabled: no # set to yes to enable
- log-dir: files # directory to store the files
- force-magic: no # force logging magic on all stored files
- force-md5: no # force logging of md5 checksums
- #waldo: file.waldo # waldo file to store the file_id across runs
-
- # output module to log files tracked in a easily parsable json format
- - file-log:
- enabled: no
- filename: files-json.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
-
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-magic-file: /usr/share/misc/magic.mgc
-
-# When running in NFQ inline mode, it is possible to use a simulated
-# non-terminal NFQUEUE verdict.
-# This permit to do send all needed packet to suricata via this a rule:
-# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
-# And below, you can have your standard filtering ruleset. To activate
-# this mode, you need to set mode to 'repeat'
-# If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next-queue value.
-# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
-# by processing several packets before sending a verdict (worker runmode only).
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
-# accept the packet if suricata is not able to keep pace.
-nfq:
-# mode: accept
-# repeat-mark: 1
-# repeat-mask: 1
-# route-queue: 2
-# batchcount: 20
-# fail-open: yes
-
-#nflog support
-nflog:
- # netlink multicast group
- # (the same as the iptables --nflog-group param)
- # Group 0 is used by the kernel, so you can't use it
- - group: 2
- # netlink buffer size
- buffer-size: 18432
- # put default value here
- - group: default
- # set number of packet to queue inside kernel
- qthreshold: 1
- # set the delay before flushing packet in the queue inside kernel
- qtimeout: 100
- # netlink max buffer size
- max-size: 20000
-
-# af-packet support
-# Set threads to > 1 to use PACKET_FANOUT support
-af-packet:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
- # Default clusterid. AF_PACKET will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
- # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
- # This is only supported for Linux kernel > 3.1
- # possible value are:
- # * cluster_round_robin: round robin load balancing
- # * cluster_flow: all packets of a given flow are send to the same socket
- # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
- cluster-type: cluster_flow
- # In some fragmentation case, the hash can not be computed. If "defrag" is set
- # to yes, the kernel will do the needed defragmentation before sending the packets.
- defrag: yes
- # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
- use-mmap: yes
- # Ring size will be computed with respect to max_pending_packets and number
- # of threads. You can set manually the ring size in number of packets by setting
- # the following value. If you are using flow cluster-type and have really network
- # intensive single-flow you could want to set the ring-size independantly of the number
- # of threads:
- #ring-size: 2048
- # On busy system, this could help to set it to yes to recover from a packet drop
- # phase. This will result in some packets (at max a ring flush) being non treated.
- #use-emergency-flush: yes
- # recv buffer size, increase value could improve performance
- # buffer-size: 32768
- # Set to yes to disable promiscuous mode
- # disable-promisc: no
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - kernel: use indication sent by kernel for each packet (default)
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used.
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: kernel
- # BPF filter to apply to this interface. The pcap filter syntax apply here.
- #bpf-filter: port 80 or udp
- # You can use the following variables to activate AF_PACKET tap od IPS mode.
- # If copy-mode is set to ips or tap, the traffic coming to the current
- # interface will be copied to the copy-iface interface. If 'tap' is set, the
- # copy is complete. If 'ips' is set, the packet matching a 'drop' action
- # will not be copied.
- #copy-mode: ips
- #copy-iface: eth1
- - interface: eth1
- threads: 1
- cluster-id: 98
- cluster-type: cluster_flow
- defrag: yes
- # buffer-size: 32768
- # disable-promisc: no
- # Put default values here
- - interface: default
- #threads: 2
- #use-mmap: yes
-
-legacy:
- uricontent: enabled
-
-# You can specify a threshold config file by setting "threshold-file"
-# to the path of the threshold config file:
-# threshold-file: /etc/suricata/threshold.config
-
-# The detection engine builds internal groups of signatures. The engine
-# allow us to specify the profile to use for them, to manage memory on an
-# efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
-# make sure to define the values at "- custom-values" as your convenience.
-# Usually you would prefer medium/high/low.
-#
-# "sgh mpm-context", indicates how the staging should allot mpm contexts for
-# the signature groups. "single" indicates the use of a single context for
-# all the signature group heads. "full" indicates a mpm-context for each
-# group head. "auto" lets the engine decide the distribution of contexts
-# based on the information the engine gathers on the patterns from each
-# group head.
-#
-# The option inspection-recursion-limit is used to limit the recursive calls
-# in the content inspection code. For certain payload-sig combinations, we
-# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. On not specifying a value, we use no limits on the recursion.
-detect-engine:
- - profile: medium
- - custom-values:
- toclient-src-groups: 2
- toclient-dst-groups: 2
- toclient-sp-groups: 2
- toclient-dp-groups: 3
- toserver-src-groups: 2
- toserver-dst-groups: 4
- toserver-sp-groups: 2
- toserver-dp-groups: 25
- - sgh-mpm-context: auto
- - inspection-recursion-limit: 3000
- # When rule-reload is enabled, sending a USR2 signal to the Suricata process
- # will trigger a live rule reload. Experimental feature, use with care.
- #- rule-reload: true
- # If set to yes, the loading of signatures will be made after the capture
- # is started. This will limit the downtime in IPS mode.
- #- delayed-detect: yes
-
-# Suricata is multi-threaded. Here the threading can be influenced.
-threading:
- # On some cpu's/architectures it is beneficial to tie individual threads
- # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
- # and each extra CPU/core has one "detect" thread.
- #
- # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
- #
- set-cpu-affinity: no
- # Tune cpu affinity of suricata threads. Each family of threads can be bound
- # on specific CPUs.
- cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - decode-cpu-set:
- cpu: [ 0, 1 ]
- mode: "balanced"
- - stream-cpu-set:
- cpu: [ "0-1" ]
- - detect-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive" # run detect threads in these cpus
- # Use explicitely 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- - verdict-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "high"
- - reject-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "low"
- - output-cpu-set:
- cpu: [ "all" ]
- prio:
- default: "medium"
- #
- # By default Suricata creates one "detect" thread per available CPU/CPU core.
- # This setting allows controlling this behaviour. A ratio setting of 2 will
- # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
- # will result in 4 detect threads. If values below 1 are used, less threads
- # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
- # thread being created. Regardless of the setting at a minimum 1 detect
- # thread will always be created.
- #
- detect-thread-ratio: 1.5
-
-# Cuda configuration.
-cuda:
- # The "mpm" profile. On not specifying any of these parameters, the engine's
- # internal default values are used, which are same as the ones specified in
- # in the default conf file.
- mpm:
- # The minimum length required to buffer data to the gpu.
- # Anything below this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- # A value of 0 indicates there's no limit.
- data-buffer-size-min-limit: 0
- # The maximum length for data that we would buffer to the gpu.
- # Anything over this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- data-buffer-size-max-limit: 1500
- # The ring buffer size used by the CudaBuffer API to buffer data.
- cudabuffer-buffer-size: 500mb
- # The max chunk size that can be sent to the gpu in a single go.
- gpu-transfer-size: 50mb
- # The timeout limit for batching of packets in microseconds.
- batching-timeout: 2000
- # The device to use for the mpm. Currently we don't support load balancing
- # on multiple gpus. In case you have multiple devices on your system, you
- # can specify the device to use, using this conf. By default we hold 0, to
- # specify the first device cuda sees. To find out device-id associated with
- # the card(s) on the system run "suricata --list-cuda-cards".
- device-id: 0
- # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
- # For this option you need a device with Compute Capability > 1.0.
- cuda-streams: 2
-
-# Select the multi pattern algorithm you want to run for scan/search the
-# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
-# ac and ac-gfbs.
-#
-# The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
-# to be set to "single", because of ac's memory requirements, unless the
-# ruleset is small enough to fit in one's memory, in which case one can
-# use "full" with "ac". Rest of the mpms can be run in "full" mode.
-#
-# There is also a CUDA pattern matcher (only available if Suricata was
-# compiled with --enable-cuda: b2g_cuda. Make sure to update your
-# max-pending-packets setting above as well if you use b2g_cuda.
-
-mpm-algo: ac
-
-# The memory settings for hash size of these algorithms can vary from lowest
-# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
-# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
-# medium (1024) - high (2048).
-#
-# For B2g/B3g algorithms, there is a support for two different scan/search
-# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
-# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
-# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
-# B3gSearchBNDMq.
-#
-# For B2g the different scan/search algorithms and, hash and bloom
-# filter size settings. For B3g the different scan/search algorithms and, hash
-# and bloom filter size settings. For wumanber the hash and bloom filter size
-# settings.
-
-pattern-matcher:
- - b2gc:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2gm:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2g:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b3g:
- search-algo: B3gSearchBNDMq
- hash-size: low
- bf-size: medium
- - wumanber:
- hash-size: low
- bf-size: medium
-
-# Defrag settings:
-
-defrag:
- memcap: 32mb
- hash-size: 65536
- trackers: 65535 # number of defragmented flows to follow
- max-frags: 65535 # number of fragments to keep (higher than trackers)
- prealloc: yes
- timeout: 60
-
-# Enable defrag per host settings
-# host-config:
-#
-# - dmz:
-# timeout: 30
-# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-# - lan:
-# timeout: 45
-# address:
-# - 192.168.0.0/24
-# - 192.168.10.0/24
-# - 172.16.14.0/24
-
-# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
-# for flow allocation inside the engine. You can change this value to allow
-# more memory usage for flows.
-# The hash-size determine the size of the hash used to identify flows inside
-# the engine, and by default the value is 65536.
-# At the startup, the engine can preallocate a number of flows, to get a better
-# performance. The number of flows preallocated is 10000 by default.
-# emergency-recovery is the percentage of flows that the engine need to
-# prune before unsetting the emergency state. The emergency state is activated
-# when the memcap limit is reached, allowing to create new flows, but
-# prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune flows
-# with the default timeouts. If it doens't find a flow to prune, it will set
-# the emergency bit and it will try again with more agressive timeouts.
-# If that doesn't work, then it will try to kill the last time seen flows
-# not in use.
-# The memcap can be specified in kb, mb, gb. Just a number indicates it's
-# in bytes.
-
-flow:
- memcap: 64mb
- hash-size: 65536
- prealloc: 10000
- emergency-recovery: 30
-
-# This option controls the use of vlan ids in the flow (and defrag)
-# hashing. Normally this should be enabled, but in some (broken)
-# setups where both sides of a flow are not tagged with the same vlan
-# tag, we can ignore the vlan id's in the flow hashing.
-vlan:
- use-for-tracking: true
-
-# Specific timeouts for flows. Here you can specify the timeouts that the
-# active flows will wait to transit from the current state to another, on each
-# protocol. The value of "new" determine the seconds to wait after a hanshake or
-# stream startup before the engine free the data of that flow it doesn't
-# change the state to established (usually if we don't receive more packets
-# of that flow). The value of "established" is the amount of
-# seconds that the engine will wait to free the flow if it spend that amount
-# without receiving new packets or closing the connection. "closed" is the
-# amount of time to wait after a flow is closed (usually zero).
-#
-# There's an emergency mode that will become active under attack circumstances,
-# making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency-" and work similar as the normal ones.
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
-# icmp.
-
-flow-timeouts:
-
- default:
- new: 30
- established: 300
- closed: 0
- emergency-new: 10
- emergency-established: 100
- emergency-closed: 0
- tcp:
- new: 60
- established: 3600
- closed: 120
- emergency-new: 10
- emergency-established: 300
- emergency-closed: 20
- udp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
- icmp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
-
-# Stream engine settings. Here the TCP stream tracking and reassembly
-# engine is configured.
-#
-# stream:
-# memcap: 32mb # Can be specified in kb, mb, gb. Just a
-# # number indicates it's in bytes.
-# checksum-validation: yes # To validate the checksum of received
-# # packet. If csum validation is specified as
-# # "yes", then packet with invalid csum will not
-# # be processed by the engine stream/app layer.
-# # Warning: locally generated trafic can be
-# # generated without checksum due to hardware offload
-# # of checksum. You can control the handling of checksum
-# # on a per-interface basis via the 'checksum-checks'
-# # option
-# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
-# midstream: false # don't allow midstream session pickups
-# async-oneside: false # don't enable async stream handling
-# inline: no # stream inline mode
-# max-synack-queued: 5 # Max different SYN/ACKs to queue
-#
-# reassembly:
-# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
-# # This lower the risk of some evasion technics but could lead
-# # detection change between runs. It is set to 'yes' by default.
-# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
-# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
-# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
-# # of randomize-chunk-range is 10.
-#
-# raw: yes # 'Raw' reassembly enabled or disabled.
-# # raw is for content inspection by detection
-# # engine.
-#
-# chunk-prealloc: 250 # Number of preallocated stream chunks. These
-# # are used during stream inspection (raw).
-# segments: # Settings for reassembly segment pool.
-# - size: 4 # Size of the (data)segment for a pool
-# prealloc: 256 # Number of segments to prealloc and keep
-# # in the pool.
-#
-stream:
- memcap: 32mb
- checksum-validation: yes # reject wrong csums
- inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- reassembly:
- memcap: 128mb
- depth: 1mb # reassemble 1mb into a stream
- toserver-chunk-size: 2560
- toclient-chunk-size: 2560
- randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #chunk-prealloc: 250
- #segments:
- # - size: 4
- # prealloc: 256
- # - size: 16
- # prealloc: 512
- # - size: 112
- # prealloc: 512
- # - size: 248
- # prealloc: 512
- # - size: 512
- # prealloc: 512
- # - size: 768
- # prealloc: 1024
- # - size: 1448
- # prealloc: 1024
- # - size: 65535
- # prealloc: 128
-
-# Host table:
-#
-# Host table is used by tagging and per host thresholding subsystems.
-#
-host:
- hash-size: 4096
- prealloc: 1000
- memcap: 16777216
-
-# Logging configuration. This is not about logging IDS alerts, but
-# IDS output about what its doing, errors, etc.
-logging:
-
- # The default log level, can be overridden in an output section.
- # Note that debug level logging will only be emitted if Suricata was
- # compiled with the --enable-debug configure option.
- #
- # This value is overriden by the SC_LOG_LEVEL env var.
- default-log-level: notice
-
- # The default output format. Optional parameter, should default to
- # something reasonable if not provided. Can be overriden in an
- # output section. You can leave this out to get the default.
- #
- # This value is overriden by the SC_LOG_FORMAT env var.
- #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
-
- # A regex to filter output. Can be overridden in an output section.
- # Defaults to empty (no filter).
- #
- # This value is overriden by the SC_LOG_OP_FILTER env var.
- default-output-filter:
-
- # Define your logging outputs. If none are defined, or they are all
- # disabled you will get the default - console output.
- outputs:
- - console:
- enabled: yes
- - file:
- enabled: no
- filename: /var/log/suricata.log
- - syslog:
- enabled: yes
- facility: local5
- format: "[%i] <%d> -- "
-
-# Tilera mpipe configuration. for use on Tilera TILE-Gx.
-mpipe:
-
- # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
- load-balance: dynamic
-
- # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
- iqueue-packets: 2048
-
- # List of interfaces we will listen on.
- inputs:
- - interface: xgbe2
- - interface: xgbe3
- - interface: xgbe4
-
-
- # Relative weight of memory for packets of each mPipe buffer size.
- stack:
- size128: 0
- size256: 9
- size512: 0
- size1024: 0
- size1664: 7
- size4096: 0
- size10386: 0
- size16384: 0
-
-# PF_RING configuration. for use with native PF_RING support
-# for more info see http://www.ntop.org/PF_RING.html
-pfring:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
-
- # Default clusterid. PF_RING will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
-
- # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
- # This is only supported in versions of PF_RING > 4.1.1.
- cluster-type: cluster_flow
- # bpf filter for this interface
- #bpf-filter: tcp
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - rxonly: only compute checksum for packets received by network card.
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # Second interface
- #- interface: eth1
- # threads: 3
- # cluster-id: 93
- # cluster-type: cluster_flow
- # Put default values here
- - interface: default
- #threads: 2
-
-pcap:
- - interface: eth0
- # On Linux, pcap will try to use mmaped capture and will use buffer-size
- # as total of memory used by the ring. So set this to something bigger
- # than 1% of your bandwidth.
- #buffer-size: 16777216
- #bpf-filter: "tcp and port 25"
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # With some accelerator cards using a modified libpcap (like myricom), you
- # may want to have the same number of capture threads as the number of capture
- # rings. In this case, set up the threads variable to N to start N threads
- # listening on the same interface.
- #threads: 16
- # set to no to disable promiscuous mode:
- #promisc: no
- # set snaplen, if not set it defaults to MTU if MTU can be known
- # via ioctl call and to full capture if not.
- #snaplen: 1518
- # Put default values here
- - interface: default
- #checksum-checks: auto
-
-pcap-file:
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have checksum tested
- checksum-checks: auto
-
-# For FreeBSD ipfw(8) divert(4) support.
-# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
-# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
-# Additionally, you need to have an ipfw rule for the engine to see
-# the packets from ipfw. For Example:
-#
-# ipfw add 100 divert 8000 ip from any to any
-#
-# The 8000 above should be the same number you passed on the command
-# line, i.e. -d 8000
-#
-ipfw:
-
- # Reinject packets at the specified ipfw rule number. This config
- # option is the ipfw rule number AT WHICH rule processing continues
- # in the ipfw processing system after the engine has finished
- # inspecting the packet for acceptance. If no rule number is specified,
- # accepted packets are reinjected at the divert rule which they entered
- # and IPFW rule processing continues. No check is done to verify
- # this will rule makes sense so care must be taken to avoid loops in ipfw.
- #
- ## The following example tells the engine to reinject packets
- # back into the ipfw firewall AT rule number 5500:
- #
- # ipfw-reinjection-rule-number: 5500
-
-# Set the default rule path here to search for the files.
-# if not set, it will look at the current working dir
-default-rule-path: /etc/suricata/rules
-rule-files:
- - botcc.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-icmp_info.rules
-# - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
- - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules # available in suricata sources under rules dir
- - http-events.rules # available in suricata sources under rules dir
- - smtp-events.rules # available in suricata sources under rules dir
- - dns-events.rules # available in suricata sources under rules dir
- - tls-events.rules # available in suricata sources under rules dir
-
-classification-file: /etc/suricata/classification.config
-reference-config-file: /etc/suricata/reference.config
-
-# Holds variables that would be used by the engine.
-vars:
-
- # Holds the address group vars that would be passed in a Signature.
- # These would be retrieved during the Signature address parsing stage.
- address-groups:
-
- HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
-
- EXTERNAL_NET: "!$HOME_NET"
-
- HTTP_SERVERS: "$HOME_NET"
-
- SMTP_SERVERS: "$HOME_NET"
-
- SQL_SERVERS: "$HOME_NET"
-
- DNS_SERVERS: "$HOME_NET"
-
- TELNET_SERVERS: "$HOME_NET"
-
- AIM_SERVERS: "$EXTERNAL_NET"
-
- DNP3_SERVER: "$HOME_NET"
-
- DNP3_CLIENT: "$HOME_NET"
-
- MODBUS_CLIENT: "$HOME_NET"
-
- MODBUS_SERVER: "$HOME_NET"
-
- ENIP_CLIENT: "$HOME_NET"
-
- ENIP_SERVER: "$HOME_NET"
-
- # Holds the port group vars that would be passed in a Signature.
- # These would be retrieved during the Signature port parsing stage.
- port-groups:
-
- HTTP_PORTS: "80"
-
- SHELLCODE_PORTS: "!80"
-
- ORACLE_PORTS: 1521
-
- SSH_PORTS: 22
-
- DNP3_PORTS: 20000
-
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
- - pass
- - drop
- - reject
- - alert
-
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
-# Host specific policies for defragmentation and TCP stream
-# reassembly. The host OS lookup is done using a radix tree, just
-# like a routing table so the most specific entry matches.
-host-os-policy:
- # Make the default policy windows.
- windows: [0.0.0.0/0]
- bsd: []
- bsd-right: []
- old-linux: []
- linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
- old-solaris: []
- solaris: ["::1"]
- hpux10: []
- hpux11: []
- irix: []
- macos: []
- vista: []
- windows2k3: []
-
-
-# Limit for the maximum number of asn1 frames to decode (default 256)
-asn1-max-frames: 256
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit. The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
- # enables printing reports for fast-pattern for every rule.
- rules-fast-pattern: yes
- # enables printing reports for each rule
- rules: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
- match-limit: 3500
- match-limit-recursion: 1500
-
-# Holds details on the app-layer. The protocols section details each protocol.
-# Under each protocol, the default value for detection-enabled and "
-# parsed-enabled is yes, unless specified otherwise.
-# Each protocol covers enabling/disabling parsers for all ipprotos
-# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
-# version of the protocol as well as the udp version of the protocol.
-# The option "enabled" takes 3 values - "yes", "no", "detection-only".
-# "yes" enables both detection and the parser, "no" disables both, and
-# "detection-only" enables detection only(parser disabled).
-app-layer:
- protocols:
- tls:
- enabled: yes
- detection-ports:
- dp: 443
-
- #no-reassemble: yes
- dcerpc:
- enabled: yes
- ftp:
- enabled: yes
- ssh:
- enabled: yes
- smtp:
- enabled: yes
- imap:
- enabled: detection-only
- msn:
- enabled: detection-only
- smb:
- enabled: yes
- detection-ports:
- dp: 139
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- dns:
- # memcaps. Globally and per flow/state.
- #global-memcap: 16mb
- #state-memcap: 512kb
-
- # How many unreplied DNS requests are considered a flood.
- # If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 500
-
- tcp:
- enabled: yes
- detection-ports:
- dp: 53
- udp:
- enabled: yes
- detection-ports:
- dp: 53
- http:
- enabled: yes
- # memcap: 64mb
-
- ###########################################################################
- # Configure libhtp.
- #
- #
- # default-config: Used when no server-config matches
- # personality: List of personalities used by default
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
- # Currently Available Personalities:
- # Minimal
- # Generic
- # IDS (default)
- # IIS_4_0
- # IIS_5_0
- # IIS_5_1
- # IIS_6_0
- # IIS_7_0
- # IIS_7_5
- # Apache_2
- ###########################################################################
- libhtp:
-
- default-config:
- personality: IDS
-
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 3072
- response-body-limit: 3072
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 32kb
- response-body-inspect-window: 4kb
- # Take a random value for inspection sizes around the specified value.
- # This lower the risk of some evasion technics but could lead
- # detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
- # If randomize-inspection-sizes is active, the value of various
- # inspection size will be choosen in the [1 - range%, 1 + range%]
- # range
- # Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
-
- # decoding
- double-decode-path: no
- double-decode-query: no
-
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
-# Profiling settings. Only effective if Suricata has been built with the
-# the --enable-profiling configure flag.
-#
-profiling:
- # Run profiling for every xth packet. The default is 1, which means we
- # profile every packet. If set to 1000, one packet is profiled for every
- # 1000 received.
- #sample-rate: 1000
-
- # rule profiling
- rules:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: rule_perf.log
- append: yes
-
- # Sort options: ticks, avgticks, checks, matches, maxticks
- sort: avgticks
-
- # Limit the number of items printed at exit.
- limit: 100
-
- # per keyword profiling
- keywords:
- enabled: yes
- filename: keyword_perf.log
- append: yes
-
- # packet profiling
- packets:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: packet_stats.log
- append: yes
-
- # per packet csv output
- csv:
-
- # Output can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: no
- filename: packet_stats.csv
-
- # profiling of locking. Only available when Suricata was built with
- # --enable-profiling-locks.
- locks:
- enabled: no
- filename: lock_stats.log
- append: yes
-
-# Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max-dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max-dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max-dump.
-# Setting max-dump to 0 disables core dumping.
-# Setting max-dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
-# to be 'unlimited'.
-
-coredump:
- max-dump: unlimited
-
-napatech:
- # The Host Buffer Allowance for all streams
- # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
- hba: -1
-
- # use_all_streams set to "yes" will query the Napatech service for all configured
- # streams and listen on all of them. When set to "no" the streams config array
- # will be used.
- use-all-streams: yes
-
- # The streams to listen on
- streams: [1, 2, 3]
-
-# Includes. Files included here will be handled as if they were
-# inlined in this configuration file.
-#include: include1.yaml
-#include: include2.yaml
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
deleted file mode 100644
index fbf37848ee..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /var/log/suricata 0755 root root
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
deleted file mode 100644
index 4627bd3b0f..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d root root 0755 /var/log/suricata none
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
deleted file mode 100644
index 34e72e9cb9..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
+++ /dev/null
@@ -1,27 +0,0 @@
-SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
-
-SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1"
-
-DEPENDS = "zlib"
-
-inherit autotools-brokensep pkgconfig
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-#S = "${WORKDIR}/suricata-${VER}/${BPN}"
-
-S = "${WORKDIR}/git"
-
-do_configure () {
- cd ${S}
- ./autogen.sh
- oe_runconf
-}
-
-RDEPENDS_${PN} += "zlib"
-
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
deleted file mode 100644
index 85f419e48a..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
deleted file mode 100644
index a4255d2476..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ /dev/null
@@ -1,193 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-DEPENDS = "lz4 libhtp"
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
- file://volatiles.03_suricata \
- file://tmpfiles.suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- file://fixup.patch \
- "
-
-SRC_URI += " \
- crate://crates.io/autocfg/1.0.1 \
- crate://crates.io/semver-parser/0.7.0 \
- crate://crates.io/arrayvec/0.4.12 \
- crate://crates.io/ryu/1.0.5 \
- crate://crates.io/libc/0.2.86 \
- crate://crates.io/bitflags/1.2.1 \
- crate://crates.io/version_check/0.9.2 \
- crate://crates.io/memchr/2.3.4 \
- crate://crates.io/nodrop/0.1.14 \
- crate://crates.io/cfg-if/0.1.9 \
- crate://crates.io/static_assertions/0.3.4 \
- crate://crates.io/getrandom/0.1.16 \
- crate://crates.io/cfg-if/1.0.0 \
- crate://crates.io/siphasher/0.3.3 \
- crate://crates.io/ppv-lite86/0.2.10 \
- crate://crates.io/proc-macro-hack/0.5.19 \
- crate://crates.io/proc-macro2/0.4.30 \
- crate://crates.io/unicode-xid/0.1.0 \
- crate://crates.io/syn/0.15.44 \
- crate://crates.io/build_const/0.2.1 \
- crate://crates.io/num-derive/0.2.5 \
- crate://crates.io/base64/0.11.0 \
- crate://crates.io/widestring/0.4.3 \
- crate://crates.io/md5/0.7.0 \
- crate://crates.io/uuid/0.8.2 \
- crate://crates.io/byteorder/1.4.2 \
- crate://crates.io/semver/0.9.0 \
- crate://crates.io/nom/5.1.1 \
- crate://crates.io/num-traits/0.2.14 \
- crate://crates.io/num-integer/0.1.44 \
- crate://crates.io/num-bigint/0.2.6 \
- crate://crates.io/num-bigint/0.3.1 \
- crate://crates.io/num-rational/0.2.4 \
- crate://crates.io/num-complex/0.2.4 \
- crate://crates.io/num-iter/0.1.42 \
- crate://crates.io/phf_shared/0.8.0 \
- crate://crates.io/crc/1.8.1 \
- crate://crates.io/rustc_version/0.2.3 \
- crate://crates.io/phf/0.8.0 \
- crate://crates.io/lexical-core/0.6.7 \
- crate://crates.io/time/0.1.44 \
- crate://crates.io/quote/0.6.13 \
- crate://crates.io/rand_core/0.5.1 \
- crate://crates.io/rand_chacha/0.2.2 \
- crate://crates.io/rand_pcg/0.2.1 \
- crate://crates.io/num-traits/0.1.43 \
- crate://crates.io/rand/0.7.3 \
- crate://crates.io/enum_primitive/0.1.1 \
- crate://crates.io/phf_generator/0.8.0 \
- crate://crates.io/phf_codegen/0.8.0 \
- crate://crates.io/tls-parser/0.9.4 \
- crate://crates.io/num/0.2.1 \
- crate://crates.io/rusticata-macros/2.1.0 \
- crate://crates.io/ntp-parser/0.4.0 \
- crate://crates.io/der-oid-macro/0.2.0 \
- crate://crates.io/der-parser/3.0.4 \
- crate://crates.io/ipsec-parser/0.5.0 \
- crate://crates.io/x509-parser/0.6.5 \
- crate://crates.io/der-parser/4.1.0 \
- crate://crates.io/snmp-parser/0.6.0 \
- crate://crates.io/kerberos-parser/0.5.0 \
- crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \
- crate://crates.io/winapi/0.3.9 \
- crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
- crate://crates.io/log/0.4.0 \
- crate://crates.io/rand_hc/0.2.0 \
- crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
- "
-
-# test case support
-SRC_URI += " \
- crate://crates.io/test-case/1.0.1 \
- crate://crates.io/proc-macro2/1.0.1 \
- crate://crates.io/quote/1.0.1 \
- crate://crates.io/syn/1.0.1 \
- crate://crates.io/unicode-xid/0.2.0 \
- "
-
-inherit autotools pkgconfig python3native systemd ptest cargo
-
-EXTRA_OECONF += " --disable-debug \
- --disable-gccmarch-native \
- --enable-non-bundled-htp \
- --disable-suricata-update \
- --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \
- "
-
-CARGO_SRC_DIR = "rust"
-
-B = "${S}"
-
-PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr "
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
-
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap"
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
-PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
-
-export logdir = "${localstatedir}/log"
-
-CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes"
-
-do_configure_prepend () {
- oe_runconf
-}
-
-do_compile () {
- # we do this to bypass the make provided by this pkg
- # patches Makefile to skip the subdir
- cargo_do_compile
-
- # Finish building
- cd ${S}
- make
-}
-
-do_install () {
- install -d ${D}${sysconfdir}/suricata
-
- oe_runmake install DESTDIR=${D}
-
- install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
-
- install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
- install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
-
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
- fi
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
-}
-
-pkg_postinst_ontarget_${PN} () {
-if command -v systemd-tmpfiles >/dev/null; then
- systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
-elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-}
-
-SYSTEMD_PACKAGES = "${PN}"
-
-PACKAGES =+ "${PN}-python"
-FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml
index 309acaa03f..1514524520 100644
--- a/meta-security/kas/kas-security-alt.yml
+++ b/meta-security/kas/kas-security-alt.yml
@@ -5,4 +5,4 @@ header:
local_conf_header:
alt: |
- DISTRO_FEATURES_append = " apparmor pam smack systemd"
+ DISTRO_FEATURES_append = " systemd"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index aa68336e18..7096d09eb1 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -14,7 +14,7 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
- refspec: master
+ refspec: hardknott
layers:
meta:
meta-poky:
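Review bot: `refspec: hardknott` names a moving branch, so two runs of the same kas file can build from different poky commits. The meta-openembedded entry in the next hunk has the same issue, and its `url:` context line is plain `http://`, so that fetch has no transport integrity either. For a reproducible and auditable build I would pin each repo to a commit, e.g. `refspec: <commit-sha-placeholder>`, and move the second URL to `https://` if the server offers it. The sha is a placeholder; the page does not give one.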
@@ -22,7 +22,7 @@ repos:
meta-openembedded:
url: http://git.openembedded.org/meta-openembedded
- refspec: master
+ refspec: hardknott
layers:
meta-oe:
meta-perl:
@@ -35,14 +35,14 @@ local_conf_header:
CONF_VERSION = "1"
SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
+ SSTATE_DIR = "/home/build/sstate-cache/hardknott"
+ DL_DIR = "/home/build/downloads/hardknott"
BB_HASHSERVE = "auto"
BB_SIGNATURE_HANDLER = "OEEquivHash"
INHERIT += "buildstats buildstats-summary buildhistory"
INHERIT += "report-error"
INHERIT += "testimage"
INHERIT += "rm_work"
- BB_NUMBER_THREADS="24"
- BB_NUMBER_PARSE_THREADS="12"
BB_TASK_NICE_LEVEL = '5'
BB_TASK_NICE_LEVEL_task-testimage = '0'
BB_TASK_IONICE_LEVEL = '2.7'
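Review bot: `SSTATE_DIR` and `DL_DIR` are hard-assigned to absolute paths under `/home/build`, which ties this shared base file to one build host's directory layout. A weak assignment would keep the same default while letting an earlier configuration file override it: `SSTATE_DIR ?= "/home/build/sstate-cache/hardknott"` and `DL_DIR ?= "/home/build/downloads/hardknott"`. A short comment saying these are the CI host's cache locations would also help anyone reusing the file elsewhere.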
@@ -51,6 +51,8 @@ local_conf_header:
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
PACKAGE_CLASSES = "package_ipk"
+ DISTRO_FEATURES_append = " pam apparmor smack"
+ MACHINE_FEATURES_append = " tpm tpm2"
diskmon: |
BB_DISKMON_DIRS = "\
diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml
deleted file mode 100644
index 3a8d8fc0de..0000000000
--- a/meta-security/kas/qemuarm64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm2"
-
-machine: qemuarm64
diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml
index 923c213700..c5d54d4d4f 100644
--- a/meta-security/kas/qemumips64-alt.yml
+++ b/meta-security/kas/qemumips64-alt.yml
@@ -1,10 +1,6 @@
header:
version: 8
includes:
- - kas-security-base.yml
-
-local_conf_header:
- alt: |
- DISTRO_FEATURES_append = " pam systmed"
+ - kas-security-alt.yml
machine: qemumips64
diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml
deleted file mode 100644
index 565b423274..0000000000
--- a/meta-security/kas/qemux86-64-tpm.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml
deleted file mode 100644
index a43693ee90..0000000000
--- a/meta-security/kas/qemux86-64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm2"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
index 7b5f45151c..83a5353e7f 100644
--- a/meta-security/kas/qemux86-test.yml
+++ b/meta-security/kas/qemux86-test.yml
@@ -3,9 +3,4 @@ header:
includes:
- kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " apparmor smack pam"
-
machine: qemux86
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 9ac0d2c25f..c723badee8 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -80,6 +80,8 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
+RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor"
+
RDEPENDS_packagegroup-meta-security-ptest-packages = "\
ptest-runner \
samhain-standalone-ptest \
diff --git a/poky/bitbake/bin/bitbake-server b/poky/bitbake/bin/bitbake-server
index ffbc7894ef..65796be747 100755
--- a/poky/bitbake/bin/bitbake-server
+++ b/poky/bitbake/bin/bitbake-server
@@ -26,7 +26,7 @@ readypipeinfd = int(sys.argv[3])
logfile = sys.argv[4]
lockname = sys.argv[5]
sockname = sys.argv[6]
-timeout = sys.argv[7]
+timeout = float(sys.argv[7])
xmlrpcinterface = (sys.argv[8], int(sys.argv[9]))
if xmlrpcinterface[0] == "None":
xmlrpcinterface = (None, xmlrpcinterface[1])
diff --git a/poky/bitbake/lib/bb/fetch2/git.py b/poky/bitbake/lib/bb/fetch2/git.py
index e3ba80a3f5..cf7424ebf4 100644
--- a/poky/bitbake/lib/bb/fetch2/git.py
+++ b/poky/bitbake/lib/bb/fetch2/git.py
@@ -394,7 +394,7 @@ class Git(FetchMethod):
tmpdir = tempfile.mkdtemp(dir=d.getVar('DL_DIR'))
try:
# Do the checkout. This implicitly involves a Git LFS fetch.
- self.unpack(ud, tmpdir, d)
+ Git.unpack(self, ud, tmpdir, d)
# Scoop up a copy of any stuff that Git LFS downloaded. Merge them into
# the bare clonedir.
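Review bot: The change from `self.unpack(...)` to `Git.unpack(self, ud, tmpdir, d)` carries no comment, and a later reader is likely to "simplify" it back. The explicit class call skips any `unpack()` override in a subclass of `Git`, which is presumably the intent for this temporary checkout, though the hunk does not show the subclass involved. I would add `# Call Git.unpack() explicitly so a subclass override of unpack() is not used for this temporary checkout` above the line. The enclosing method starts and ends outside the hunk.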
diff --git a/poky/bitbake/lib/bb/runqueue.py b/poky/bitbake/lib/bb/runqueue.py
index cd56a55472..6c41fe6d43 100644
--- a/poky/bitbake/lib/bb/runqueue.py
+++ b/poky/bitbake/lib/bb/runqueue.py
@@ -2030,8 +2030,6 @@ class RunQueueExecute:
logger.debug("%s didn't become valid, skipping setscene" % nexttask)
self.sq_task_failoutright(nexttask)
return True
- else:
- self.sqdata.outrightfail.remove(nexttask)
if nexttask in self.sqdata.outrightfail:
logger.debug2('No package found, so skipping setscene task %s', nexttask)
self.sq_task_failoutright(nexttask)
@@ -2296,10 +2294,16 @@ class RunQueueExecute:
self.updated_taskhash_queue.remove((tid, unihash))
if unihash != self.rqdata.runtaskentries[tid].unihash:
- hashequiv_logger.verbose("Task %s unihash changed to %s" % (tid, unihash))
- self.rqdata.runtaskentries[tid].unihash = unihash
- bb.parse.siggen.set_unihash(tid, unihash)
- toprocess.add(tid)
+ # Make sure we rehash any other tasks with the same task hash that we're deferred against.
+ torehash = [tid]
+ for deftid in self.sq_deferred:
+ if self.sq_deferred[deftid] == tid:
+ torehash.append(deftid)
+ for hashtid in torehash:
+ hashequiv_logger.verbose("Task %s unihash changed to %s" % (hashtid, unihash))
+ self.rqdata.runtaskentries[hashtid].unihash = unihash
+ bb.parse.siggen.set_unihash(hashtid, unihash)
+ toprocess.add(hashtid)
# Work out all tasks which depend upon these
total = set()
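Review bot: The loop that builds `torehash` looks each key up in `self.sq_deferred` again; iterating the items states the intent more directly: `torehash = [tid] + [deftid for deftid, target in self.sq_deferred.items() if target == tid]`. It is also a full scan of `sq_deferred` for every changed unihash, which is probably acceptable but worth a glance if that mapping can grow large. The enclosing method starts and ends outside the hunk.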
@@ -2827,6 +2831,8 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
sqdata.stamppresent.remove(tid)
if tid in sqdata.valid:
sqdata.valid.remove(tid)
+ if tid in sqdata.outrightfail:
+ sqdata.outrightfail.remove(tid)
noexec, stamppresent = check_setscene_stamps(tid, rqdata, rq, stampcache, noexecstamp=True)
@@ -2845,6 +2851,7 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
sqdata.valid |= rq.validate_hashes(tocheck, cooker.data, len(sqdata.stamppresent), False, summary=summary)
sqdata.hashes = {}
+ sqrq.sq_deferred = {}
for mc in sorted(sqdata.multiconfigs):
for tid in sorted(sqdata.sq_revdeps):
if mc_from_tid(tid) != mc:
@@ -2857,10 +2864,13 @@ def update_scenequeue_data(tids, sqdata, rqdata, rq, cooker, stampcache, sqrq, s
continue
if tid in sqrq.scenequeue_notcovered:
continue
- sqdata.outrightfail.add(tid)
+ if tid in sqrq.scenequeue_covered:
+ continue
h = pending_hash_index(tid, rqdata)
if h not in sqdata.hashes:
+ if tid in tids:
+ sqdata.outrightfail.add(tid)
sqdata.hashes[h] = tid
else:
sqrq.sq_deferred[tid] = sqdata.hashes[h]
diff --git a/poky/bitbake/lib/bb/server/process.py b/poky/bitbake/lib/bb/server/process.py
index b27b4aefe0..3e99bcef8f 100644
--- a/poky/bitbake/lib/bb/server/process.py
+++ b/poky/bitbake/lib/bb/server/process.py
@@ -509,7 +509,7 @@ class BitBakeServer(object):
os.set_inheritable(self.bitbake_lock.fileno(), True)
os.set_inheritable(self.readypipein, True)
serverscript = os.path.realpath(os.path.dirname(__file__) + "/../../../bin/bitbake-server")
- os.execl(sys.executable, "bitbake-server", serverscript, "decafbad", str(self.bitbake_lock.fileno()), str(self.readypipein), self.logfile, self.bitbake_lock.name, self.sockname, str(self.server_timeout), str(self.xmlrpcinterface[0]), str(self.xmlrpcinterface[1]))
+ os.execl(sys.executable, "bitbake-server", serverscript, "decafbad", str(self.bitbake_lock.fileno()), str(self.readypipein), self.logfile, self.bitbake_lock.name, self.sockname, str(self.server_timeout or 0), str(self.xmlrpcinterface[0]), str(self.xmlrpcinterface[1]))
def execServer(lockfd, readypipeinfd, lockname, sockname, server_timeout, xmlrpcinterface):
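Review bot: `str(self.server_timeout or 0)` needs a comment, because the reason for it is in another file. `bin/bitbake-server` in this same commit now parses `sys.argv[7]` with `float()`, so a `None` timeout passed as the string `"None"` would raise `ValueError` there. Suggested comment: `# bitbake-server parses this argument with float(); pass 0 instead of "None" when no timeout is set`. It would also help to say what a timeout of 0 means to the server, which neither hunk shows.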
diff --git a/poky/bitbake/lib/bb/tests/fetch.py b/poky/bitbake/lib/bb/tests/fetch.py
index ddf6e97439..b921a952e4 100644
--- a/poky/bitbake/lib/bb/tests/fetch.py
+++ b/poky/bitbake/lib/bb/tests/fetch.py
@@ -390,6 +390,7 @@ class FetcherTest(unittest.TestCase):
if os.environ.get("BB_TMPDIR_NOCLEAN") == "yes":
print("Not cleaning up %s. Please remove manually." % self.tempdir)
else:
+ bb.process.run('chmod u+rw -R %s' % self.tempdir)
bb.utils.prunedir(self.tempdir)
class MirrorUriTest(FetcherTest):
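Review bot: `'chmod u+rw -R %s' % self.tempdir` interpolates the path into a shell command string unquoted, so a temp directory containing a space or shell metacharacter breaks the cleanup. The `@@ -1818` hunk does the same with `self.srcdir`, while the `@@ -1594` hunk does quote its path. Passing an argument list avoids shell parsing altogether: `bb.process.run(['chmod', '-R', 'u+rw', self.tempdir])`. The enclosing method starts outside the hunk.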
@@ -679,6 +680,8 @@ class FetcherLocalTest(FetcherTest):
prefix='gitfetch_localusehead_')
src_dir = os.path.abspath(src_dir)
bb.process.run("git init", cwd=src_dir)
+ bb.process.run("git config user.email 'you@example.com'", cwd=src_dir)
+ bb.process.run("git config user.name 'Your Name'", cwd=src_dir)
bb.process.run("git commit --allow-empty -m'Dummy commit'",
cwd=src_dir)
# Use other branch than master
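Review bot: The two `git config user.email` / `git config user.name` calls are repeated after every `git init` in this file, here and in the `@@ -705`, `@@ -1390`, `@@ -1513`, `@@ -1746`, `@@ -1776` and `@@ -2094` hunks, with two different quoting styles. Any new test that runs `git init` has to remember to copy them. Keeping the identity in one place would be tidier, either in a small helper on `FetcherTest` that runs `git init` plus both config calls for a given `cwd`, or by exporting `GIT_AUTHOR_NAME`, `GIT_AUTHOR_EMAIL`, `GIT_COMMITTER_NAME` and `GIT_COMMITTER_EMAIL` once in the test setup.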
@@ -705,6 +708,8 @@ class FetcherLocalTest(FetcherTest):
prefix='gitfetch_localusehead_')
src_dir = os.path.abspath(src_dir)
bb.process.run("git init", cwd=src_dir)
+ bb.process.run("git config user.email 'you@example.com'", cwd=src_dir)
+ bb.process.run("git config user.name 'Your Name'", cwd=src_dir)
bb.process.run("git commit --allow-empty -m'Dummy commit'",
cwd=src_dir)
# Use other branch than master
@@ -1390,6 +1395,8 @@ class GitMakeShallowTest(FetcherTest):
self.gitdir = os.path.join(self.tempdir, 'gitshallow')
bb.utils.mkdirhier(self.gitdir)
bb.process.run('git init', cwd=self.gitdir)
+ bb.process.run('git config user.email "you@example.com"', cwd=self.gitdir)
+ bb.process.run('git config user.name "Your Name"', cwd=self.gitdir)
def assertRefs(self, expected_refs):
actual_refs = self.git(['for-each-ref', '--format=%(refname)']).splitlines()
@@ -1513,6 +1520,8 @@ class GitShallowTest(FetcherTest):
bb.utils.mkdirhier(self.srcdir)
self.git('init', cwd=self.srcdir)
+ self.git('config user.email "you@example.com"', cwd=self.srcdir)
+ self.git('config user.name "Your Name"', cwd=self.srcdir)
self.d.setVar('WORKDIR', self.tempdir)
self.d.setVar('S', self.gitdir)
self.d.delVar('PREMIRRORS')
@@ -1594,6 +1603,7 @@ class GitShallowTest(FetcherTest):
# fetch and unpack, from the shallow tarball
bb.utils.remove(self.gitdir, recurse=True)
+ bb.process.run('chmod u+w -R "%s"' % ud.clonedir)
bb.utils.remove(ud.clonedir, recurse=True)
bb.utils.remove(ud.clonedir.replace('gitsource', 'gitsubmodule'), recurse=True)
@@ -1746,6 +1756,8 @@ class GitShallowTest(FetcherTest):
smdir = os.path.join(self.tempdir, 'gitsubmodule')
bb.utils.mkdirhier(smdir)
self.git('init', cwd=smdir)
+ self.git('config user.email "you@example.com"', cwd=smdir)
+ self.git('config user.name "Your Name"', cwd=smdir)
# Make this look like it was cloned from a remote...
self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1776,6 +1788,8 @@ class GitShallowTest(FetcherTest):
smdir = os.path.join(self.tempdir, 'gitsubmodule')
bb.utils.mkdirhier(smdir)
self.git('init', cwd=smdir)
+ self.git('config user.email "you@example.com"', cwd=smdir)
+ self.git('config user.name "Your Name"', cwd=smdir)
# Make this look like it was cloned from a remote...
self.git('config --add remote.origin.url "%s"' % smdir, cwd=smdir)
self.git('config --add remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"', cwd=smdir)
@@ -1818,8 +1832,8 @@ class GitShallowTest(FetcherTest):
self.git('annex init', cwd=self.srcdir)
open(os.path.join(self.srcdir, 'c'), 'w').close()
self.git('annex add c', cwd=self.srcdir)
- self.git('commit -m annex-c -a', cwd=self.srcdir)
- bb.process.run('chmod u+w -R %s' % os.path.join(self.srcdir, '.git', 'annex'))
+ self.git('commit --author "Foo Bar <foo@bar>" -m annex-c -a', cwd=self.srcdir)
+ bb.process.run('chmod u+w -R %s' % self.srcdir)
uri = 'gitannex://%s;protocol=file;subdir=${S}' % self.srcdir
fetcher, ud = self.fetch_shallow(uri)
@@ -2094,6 +2108,8 @@ class GitLfsTest(FetcherTest):
bb.utils.mkdirhier(self.srcdir)
self.git('init', cwd=self.srcdir)
+ self.git('config user.email "you@example.com"', cwd=self.srcdir)
+ self.git('config user.name "Your Name"', cwd=self.srcdir)
with open(os.path.join(self.srcdir, '.gitattributes'), 'wt') as attrs:
attrs.write('*.mp3 filter=lfs -text')
self.git(['add', '.gitattributes'], cwd=self.srcdir)
diff --git a/poky/documentation/conf.py b/poky/documentation/conf.py
index 5a2e25f7b2..a764ea4dea 100644
--- a/poky/documentation/conf.py
+++ b/poky/documentation/conf.py
@@ -16,7 +16,7 @@ import os
import sys
import datetime
-current_version = "dev"
+current_version = "3.3.1"
# String used in sidebar
version = 'Version: ' + current_version
diff --git a/poky/documentation/poky.yaml b/poky/documentation/poky.yaml
index 8ccb359e0f..a273de3295 100644
--- a/poky/documentation/poky.yaml
+++ b/poky/documentation/poky.yaml
@@ -1,12 +1,12 @@
-DISTRO : "3.2.3"
-DISTRO_NAME_NO_CAP : "gatesgarth"
-DISTRO_NAME : "Gatesgarth"
-DISTRO_NAME_NO_CAP_MINUS_ONE : "dunfell"
-DISTRO_NAME_NO_CAP_LTS : "dunfell"
-YOCTO_DOC_VERSION : "3.2.3"
-YOCTO_DOC_VERSION_MINUS_ONE : "3.1.6"
-DISTRO_REL_TAG : "yocto-3.2.3"
-POKYVERSION : "24.0.3"
+DISTRO : "3.3.1"
+DISTRO_NAME_NO_CAP : "hardknott"
+DISTRO_NAME : "Hardknott"
+DISTRO_NAME_NO_CAP_MINUS_ONE : "gatesgarth"
+DISTRO_NAME_NO_CAP_LTS : "gatesgarth"
+YOCTO_DOC_VERSION : "3.3.1"
+YOCTO_DOC_VERSION_MINUS_ONE : "3.2.4"
+DISTRO_REL_TAG : "yocto-3.3.1"
+POKYVERSION : "25.0.1"
YOCTO_POKY : "poky-&DISTRO_NAME_NO_CAP;-&POKYVERSION;"
YOCTO_DL_URL : "https://downloads.yoctoproject.org"
YOCTO_AB_URL : "https://autobuilder.yoctoproject.org"
diff --git a/poky/documentation/releases.rst b/poky/documentation/releases.rst
index 6a65b9fb34..daf8912799 100644
--- a/poky/documentation/releases.rst
+++ b/poky/documentation/releases.rst
@@ -5,6 +5,14 @@
=========================
*******************************
+3.3 'hardknott' Release Series
+*******************************
+
+- :yocto_docs:`3.3 Documentation </3.3>`
+- :yocto_docs:`3.3.1 Documentation </3.3.1>`
+
+
+*******************************
3.2 'gatesgarth' Release Series
*******************************
@@ -12,6 +20,7 @@
- :yocto_docs:`3.2.1 Documentation </3.2.1>`
- :yocto_docs:`3.2.2 Documentation </3.2.2>`
- :yocto_docs:`3.2.3 Documentation </3.2.3>`
+- :yocto_docs:`3.2.4 Documentation </3.2.4>`
****************************
3.1 'dunfell' Release Series
diff --git a/poky/meta-poky/conf/distro/poky.conf b/poky/meta-poky/conf/distro/poky.conf
index c098b30261..dac8f4d155 100644
--- a/poky/meta-poky/conf/distro/poky.conf
+++ b/poky/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
DISTRO = "poky"
DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "3.3"
+DISTRO_VERSION = "3.3.1"
DISTRO_CODENAME = "hardknott"
SDK_VENDOR = "-pokysdk"
SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
diff --git a/poky/meta/classes/archiver.bbclass b/poky/meta/classes/archiver.bbclass
index 858507b343..a3962306b1 100644
--- a/poky/meta/classes/archiver.bbclass
+++ b/poky/meta/classes/archiver.bbclass
@@ -118,7 +118,7 @@ python () {
d.appendVarFlag('do_deploy_archives', 'depends', ' %s:do_ar_patched' % pn)
elif ar_src == "configured":
# We can't use "addtask do_ar_configured after do_configure" since it
- # will cause the deptask of do_populate_sysroot to run not matter what
+ # will cause the deptask of do_populate_sysroot to run no matter what
# archives we need, so we add the depends here.
# There is a corner case with "gcc-source-${PV}" recipes, they don't have
@@ -163,7 +163,7 @@ python () {
d.appendVarFlag('do_package_write_rpm', 'depends', ' %s:do_ar_configured' % pn)
}
-# Take all the sources for a recipe and puts them in WORKDIR/archiver-work/.
+# Take all the sources for a recipe and put them in WORKDIR/archiver-work/.
# Files in SRC_URI are copied directly, anything that's a directory
# (e.g. git repositories) is "unpacked" and then put into a tarball.
python do_ar_original() {
@@ -463,7 +463,7 @@ python do_unpack_and_patch() {
ar_sysroot_native = d.getVar('STAGING_DIR_NATIVE')
pn = d.getVar('PN')
- # The kernel class functions require it to be on work-shared, so we dont change WORKDIR
+ # The kernel class functions require it to be on work-shared, so we don't change WORKDIR
if not is_work_shared(d):
# Change the WORKDIR to make do_unpack do_patch run in another dir.
d.setVar('WORKDIR', ar_workdir)
@@ -505,7 +505,7 @@ python do_unpack_and_patch() {
# of the output file ensures that we create it each time the recipe
# gets rebuilt, at least as long as a PR server is used. We also rely
# on that mechanism to catch changes in the file content, because the
-# file content is not part of of the task signature either.
+# file content is not part of the task signature either.
do_ar_recipe[vardepsexclude] += "BBINCLUDED"
python do_ar_recipe () {
"""
diff --git a/poky/meta/classes/cmake.bbclass b/poky/meta/classes/cmake.bbclass
index 8876ce5aa5..f01db7480b 100644
--- a/poky/meta/classes/cmake.bbclass
+++ b/poky/meta/classes/cmake.bbclass
@@ -149,16 +149,14 @@ addtask generate_toolchain_file after do_patch before do_configure
CONFIGURE_FILES = "CMakeLists.txt"
+do_configure[cleandirs] = "${@d.getVar('B') if d.getVar('S') != d.getVar('B') else ''}"
+
cmake_do_configure() {
if [ "${OECMAKE_BUILDPATH}" ]; then
bbnote "cmake.bbclass no longer uses OECMAKE_BUILDPATH. The default behaviour is now out-of-tree builds with B=WORKDIR/build."
fi
- if [ "${S}" != "${B}" ]; then
- rm -rf ${B}
- mkdir -p ${B}
- cd ${B}
- else
+ if [ "${S}" = "${B}" ]; then
find ${B} -name CMakeFiles -or -name Makefile -or -name cmake_install.cmake -or -name CMakeCache.txt -delete
fi
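Review bot: In the branch kept for `S = B`, the `find` expression only ever deletes `CMakeCache.txt`. The implicit AND binds tighter than `-or`, so `-delete` attaches to the last `-name` test, and `CMakeFiles`, `Makefile` and `cmake_install.cmake` are matched but left in place. Grouping alone is not enough, since `-delete` cannot remove a non-empty `CMakeFiles` directory. Something like `find ${B} \( -name CMakeFiles -or -name Makefile -or -name cmake_install.cmake -or -name CMakeCache.txt \) -prune -exec rm -rf {} +` would do what the line appears to intend. `cmake_do_configure` continues outside the hunk.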
diff --git a/poky/meta/classes/externalsrc.bbclass b/poky/meta/classes/externalsrc.bbclass
index 54cc7edbae..3d6b80bee2 100644
--- a/poky/meta/classes/externalsrc.bbclass
+++ b/poky/meta/classes/externalsrc.bbclass
@@ -217,11 +217,10 @@ def srctree_hash_files(d, srcdir=None):
env['GIT_INDEX_FILE'] = tmp_index.name
subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env)
git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
- submodule_helper = subprocess.check_output(['git', 'submodule', 'status'], cwd=s_dir, env=env).decode("utf-8")
+ submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8")
for line in submodule_helper.splitlines():
- module_relpath = line.split()[1]
- if not module_relpath.split('/')[0] == '..':
- module_dir = os.path.join(s_dir, module_relpath)
+ module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
+ if os.path.isdir(module_dir):
proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
proc.communicate()
proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
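Review bot: `git submodule--helper list` is an internal helper behind `git submodule`, not a documented command, so its availability and output format can change between git versions, and `check_output` will raise if it is missing. `line.rsplit(maxsplit=1)[1]` also assumes the path has no whitespace. A submodule path containing a space is truncated, then silently skipped by the new `os.path.isdir()` test, so its contents drop out of the source-tree hash without any warning. I would at least log when a listed module is skipped, and consider reading the paths from a documented interface such as `.gitmodules`. The function starts and ends outside the hunk.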
diff --git a/poky/meta/classes/image.bbclass b/poky/meta/classes/image.bbclass
index 013455f492..353cc67175 100644
--- a/poky/meta/classes/image.bbclass
+++ b/poky/meta/classes/image.bbclass
@@ -657,7 +657,7 @@ reproducible_final_image_task () {
fi
# Set mtime of all files to a reproducible value
bbnote "reproducible_final_image_task: mtime set to $REPRODUCIBLE_TIMESTAMP_ROOTFS"
- find ${IMAGE_ROOTFS} -exec touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} \;
+ find ${IMAGE_ROOTFS} -print0 | xargs -0 touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS
fi
}
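Review bot: With the pipe, the status of this line is that of `xargs`, so a `find` failure (an unreadable directory, for example) no longer fails the task unless the shell runs with pipefail. `find` can batch the arguments itself and keep a single exit status with the same speed-up: `find ${IMAGE_ROOTFS} -exec touch -h --date=@$REPRODUCIBLE_TIMESTAMP_ROOTFS {} +`. The function starts outside the hunk.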
diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass
index fa05fc055b..763d5f1da2 100644
--- a/poky/meta/classes/insane.bbclass
+++ b/poky/meta/classes/insane.bbclass
@@ -176,7 +176,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages):
if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir):
# The dynamic linker searches both these places anyway. There is no point in
# looking there again.
- package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath))
+ package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath))
QAPATHTEST[dev-so] = "package_qa_check_dev"
def package_qa_check_dev(path, name, d, elf, messages):
@@ -185,8 +185,8 @@ def package_qa_check_dev(path, name, d, elf, messages):
"""
if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path):
- package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \
+ (name, package_qa_clean_path(path, d, name)))
QAPATHTEST[dev-elf] = "package_qa_check_dev_elf"
def package_qa_check_dev_elf(path, name, d, elf, messages):
@@ -196,8 +196,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages):
install link-time .so files that are linker scripts.
"""
if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf:
- package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \
+ (name, package_qa_clean_path(path, d, name)))
QAPATHTEST[staticdev] = "package_qa_check_staticdev"
def package_qa_check_staticdev(path, name, d, elf, messages):
@@ -210,7 +210,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages):
if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path:
package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \
- (name, package_qa_clean_path(path,d)))
+ (name, package_qa_clean_path(path,d, name)))
QAPATHTEST[mime] = "package_qa_check_mime"
def package_qa_check_mime(path, name, d, elf, messages):
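Review bot: The staticdev message in this hunk keeps the old `... library: %s path '%s'` wording and the call is spaced `package_qa_clean_path(path,d, name)`, while the dev-so and dev-elf hunks above were reworded to `package %s contains ...` and use `(path, d, name)`. For consistent QA output I would change the format string to `"non -staticdev package %s contains static .a library '%s'"` and the call to `package_qa_clean_path(path, d, name)`. package_qa_check_staticdev starts outside the hunk.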
diff --git a/poky/meta/classes/kernel-yocto.bbclass b/poky/meta/classes/kernel-yocto.bbclass
index 15c8dbb81f..30f07de4ca 100644
--- a/poky/meta/classes/kernel-yocto.bbclass
+++ b/poky/meta/classes/kernel-yocto.bbclass
@@ -378,7 +378,7 @@ do_kernel_checkout() {
# checkout and clobber any unimportant files
git checkout -f ${machine_branch}
}
-do_kernel_checkout[dirs] = "${S}"
+do_kernel_checkout[dirs] = "${S} ${WORKDIR}"
addtask kernel_checkout before do_kernel_metadata after do_symlink_kernsrc
addtask kernel_metadata after do_validate_branches do_unpack before do_patch
diff --git a/poky/meta/classes/license_image.bbclass b/poky/meta/classes/license_image.bbclass
index c96b032ebd..73cebb4d55 100644
--- a/poky/meta/classes/license_image.bbclass
+++ b/poky/meta/classes/license_image.bbclass
@@ -1,3 +1,5 @@
+ROOTFS_LICENSE_DIR = "${IMAGE_ROOTFS}/usr/share/common-licenses"
+
python write_package_manifest() {
# Get list of installed packages
license_image_dir = d.expand('${LICENSE_DIRECTORY}/${IMAGE_NAME}')
@@ -104,8 +106,7 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
copy_lic_manifest = d.getVar('COPY_LIC_MANIFEST')
copy_lic_dirs = d.getVar('COPY_LIC_DIRS')
if rootfs and copy_lic_manifest == "1":
- rootfs_license_dir = os.path.join(d.getVar('IMAGE_ROOTFS'),
- 'usr', 'share', 'common-licenses')
+ rootfs_license_dir = d.getVar('ROOTFS_LICENSE_DIR')
bb.utils.mkdirhier(rootfs_license_dir)
rootfs_license_manifest = os.path.join(rootfs_license_dir,
os.path.split(license_manifest)[1])
@@ -143,12 +144,13 @@ def write_license_files(d, license_manifest, pkg_dic, rootfs=True):
continue
# Make sure we use only canonical name for the license file
- rootfs_license = os.path.join(rootfs_license_dir, "generic_%s" % generic_lic)
+ generic_lic_file = "generic_%s" % generic_lic
+ rootfs_license = os.path.join(rootfs_license_dir, generic_lic_file)
if not os.path.exists(rootfs_license):
oe.path.copyhardlink(pkg_license, rootfs_license)
if not os.path.exists(pkg_rootfs_license):
- os.symlink(os.path.join('..', lic), pkg_rootfs_license)
+ os.symlink(os.path.join('..', generic_lic_file), pkg_rootfs_license)
else:
if (oe.license.license_ok(canonical_license(d,
lic), bad_licenses) == False or
@@ -267,3 +269,13 @@ python do_populate_lic_deploy() {
addtask populate_lic_deploy before do_build after do_image_complete
do_populate_lic_deploy[recrdeptask] += "do_populate_lic do_deploy"
+python license_qa_dead_symlink() {
+ import os
+
+ for root, dirs, files in os.walk(d.getVar('ROOTFS_LICENSE_DIR')):
+ for file in files:
+ full_path = root + "/" + file
+ if os.path.islink(full_path) and not os.path.exists(full_path):
+ bb.error("broken symlink: " + full_path)
+}
+IMAGE_QA_COMMANDS += "license_qa_dead_symlink"
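Review bot: license_qa_dead_symlink reports each dangling link with `bb.error()` and then returns normally, so the QA command itself never signals failure to whatever runs IMAGE_QA_COMMANDS. If that runner follows the usual image-QA convention of catching `oe.utils.ImageQAFailed` (not visible in this diff, please confirm), collecting the broken paths and raising once would give a single failure that names the check. The path is also better built with `os.path.join` than with `root + "/" + file`, and the function would benefit from a one-line comment saying it guards the license symlinks created by write_license_files.

```python
    broken = []
    for root, dirs, files in os.walk(d.getVar('ROOTFS_LICENSE_DIR')):
        for name in files:
            full_path = os.path.join(root, name)
            # islink() without exists() means the link target is missing
            if os.path.islink(full_path) and not os.path.exists(full_path):
                broken.append(full_path)
    if broken:
        raise oe.utils.ImageQAFailed("broken symlink(s): " + ", ".join(broken), "license_qa_dead_symlink")
```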
diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass
index 894f0e3107..a2ac4eeb80 100644
--- a/poky/meta/classes/sanity.bbclass
+++ b/poky/meta/classes/sanity.bbclass
@@ -392,9 +392,12 @@ def check_connectivity(d):
msg = data.getVar('CONNECTIVITY_CHECK_MSG') or ""
if len(msg) == 0:
msg = "%s.\n" % err
- msg += " Please ensure your host's network is configured correctly,\n"
- msg += " or set BB_NO_NETWORK = \"1\" to disable network access if\n"
- msg += " all required sources are on local disk.\n"
+ msg += " Please ensure your host's network is configured correctly.\n"
+ msg += " If your ISP or network is blocking the above URL,\n"
+ msg += " try with another domain name, for example by setting:\n"
+ msg += " CONNECTIVITY_CHECK_URIS = \"https://www.yoctoproject.org/\""
+ msg += " You could also set BB_NO_NETWORK = \"1\" to disable network\n"
+ msg += " access if all required sources are on local disk.\n"
retval = msg
return retval
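Review bot: The added `CONNECTIVITY_CHECK_URIS` line is the only one in this message without a trailing `\n`, so the following "You could also set BB_NO_NETWORK" sentence is printed on the same line, directly after the closing quote of the example setting. Change it to `msg += " CONNECTIVITY_CHECK_URIS = \"https://www.yoctoproject.org/\"\n"`. check_connectivity starts outside the hunk.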
@@ -887,6 +890,8 @@ def check_sanity_everybuild(status, d):
status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.")
if oeroot.find('@') != -1:
status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.")
+ if oeroot.find('%') != -1:
+ status.addresult("Error, you have an invalid character (%) in your COREBASE directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters.")
if oeroot.find(' ') != -1:
status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.")
diff --git a/poky/meta/conf/distro/include/yocto-uninative.inc b/poky/meta/conf/distro/include/yocto-uninative.inc
index a2a2dd18ec..05b79d14c3 100644
--- a/poky/meta/conf/distro/include/yocto-uninative.inc
+++ b/poky/meta/conf/distro/include/yocto-uninative.inc
@@ -8,7 +8,7 @@
UNINATIVE_MAXGLIBCVERSION = "2.33"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.0/"
-UNINATIVE_CHECKSUM[aarch64] ?= "1c668909098c5b56132067adc69a249cb771f4560428e5822de903a12d97bf33"
-UNINATIVE_CHECKSUM[i686] ?= "e6cc2fc056234cffa6a2ff084cce27d544ea3f487a62b5e253351cefd4421900"
-UNINATIVE_CHECKSUM[x86_64] ?= "5ec5a9276046e7eceeac749a18b175667384e1f445cd4526300a41404d985a5b"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.1/"
+UNINATIVE_CHECKSUM[aarch64] ?= "7fa12b9fe7a95934cc09beb0e8a25ff97179ef3105116015d32548eadd27b024"
+UNINATIVE_CHECKSUM[i686] ?= "bbfcdd48336800b5af97e294918c6586a0a8fa903f127f813b0bd5110de8c55c"
+UNINATIVE_CHECKSUM[x86_64] ?= "5d0611df544edff6428cef7d871257a91aa6ba1bd92f5365a2df8deb54b6b31e"
diff --git a/poky/meta/conf/machine/include/arm/arch-armv6m.inc b/poky/meta/conf/machine/include/arm/arch-armv6m.inc
index 739550d005..739550d005 100755..100644
--- a/poky/meta/conf/machine/include/arm/arch-armv6m.inc
+++ b/poky/meta/conf/machine/include/arm/arch-armv6m.inc
diff --git a/poky/meta/lib/oe/package_manager/__init__.py b/poky/meta/lib/oe/package_manager/__init__.py
index 8e7128b195..4d22bc0296 100644
--- a/poky/meta/lib/oe/package_manager/__init__.py
+++ b/poky/meta/lib/oe/package_manager/__init__.py
@@ -189,7 +189,7 @@ class PackageManager(object, metaclass=ABCMeta):
bb.utils.remove(self.intercepts_dir, True)
bb.utils.mkdirhier(self.intercepts_dir)
for intercept in postinst_intercepts:
- bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
+ shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept)))
@abstractmethod
def _handle_intercept_failure(self, failed_script):
diff --git a/poky/meta/lib/oe/package_manager/deb/sdk.py b/poky/meta/lib/oe/package_manager/deb/sdk.py
index 9859d8f32d..f4b0b6510a 100644
--- a/poky/meta/lib/oe/package_manager/deb/sdk.py
+++ b/poky/meta/lib/oe/package_manager/deb/sdk.py
@@ -65,6 +65,8 @@ class PkgSdk(Sdk):
self.target_pm.install_complementary(self.d.getVar('SDKIMAGE_INSTALL_COMPLEMENTARY'))
+ self.target_pm.run_pre_post_installs()
+
self.target_pm.run_intercepts(populate_sdk='target')
execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_TARGET_COMMAND"))
@@ -78,6 +80,8 @@ class PkgSdk(Sdk):
self._populate_sysroot(self.host_pm, self.host_manifest)
self.install_locales(self.host_pm)
+ self.host_pm.run_pre_post_installs()
+
self.host_pm.run_intercepts(populate_sdk='host')
execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND"))
diff --git a/poky/meta/lib/oe/rootfs.py b/poky/meta/lib/oe/rootfs.py
index 5f81023040..d634adda4e 100644
--- a/poky/meta/lib/oe/rootfs.py
+++ b/poky/meta/lib/oe/rootfs.py
@@ -305,7 +305,7 @@ class Rootfs(object, metaclass=ABCMeta):
def _check_for_kernel_modules(self, modules_dir):
for root, dirs, files in os.walk(modules_dir, topdown=True):
for name in files:
- found_ko = name.endswith(".ko")
+ found_ko = name.endswith((".ko", ".ko.gz", ".ko.xz"))
if found_ko:
return found_ko
return False
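Review bot: The suffix tuple in `_check_for_kernel_modules` covers gzip and xz but not `.ko.zst`, which newer kernels can produce when zstd module compression is selected. If any kernel built with this layer can enable that option, the check would again conclude that no modules are present. `name.endswith((".ko", ".ko.gz", ".ko.xz", ".ko.zst"))` would cover it, and the `found_ko` temporary can be dropped in favour of `return True` inside the `if`.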
diff --git a/poky/meta/lib/oe/terminal.py b/poky/meta/lib/oe/terminal.py
index 61c2687ef4..59aa80de66 100644
--- a/poky/meta/lib/oe/terminal.py
+++ b/poky/meta/lib/oe/terminal.py
@@ -163,7 +163,12 @@ class Tmux(Terminal):
# devshells, if it's already there, add a new window to it.
window_name = 'devshell-%i' % os.getpid()
- self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name)
+ self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'
+ if not check_tmux_version('1.9'):
+ # `tmux new-session -c` was added in 1.9;
+ # older versions fail with that flag
+ self.command = 'tmux new -d -s {0} -n {0} "{{command}}"'
+ self.command = self.command.format(window_name)
Terminal.__init__(self, sh_cmd, title, env, d)
attach_cmd = 'tmux att -t {0}'.format(window_name)
@@ -253,13 +258,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None):
except OSError:
return
+def check_tmux_version(desired):
+ vernum = check_terminal_version("tmux")
+ if vernum and LooseVersion(vernum) < desired:
+ return False
+ return vernum
+
def check_tmux_pane_size(tmux):
import subprocess as sub
# On older tmux versions (<1.9), return false. The reason
# is that there is no easy way to get the height of the active panel
# on current window without nested formats (available from version 1.9)
- vernum = check_terminal_version("tmux")
- if vernum and LooseVersion(vernum) < '1.9':
+ if not check_tmux_version('1.9'):
return False
try:
p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux,
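Review bot: `check_tmux_version()` ends with `return vernum`, so when `check_terminal_version("tmux")` yields no version (the `vernum and` guard suggests it can) the helper returns a falsy value, and both callers test it with `not`. An undetectable version is therefore now treated as older than 1.9. Before this change `check_tmux_pane_size` returned False only when a version was found and was below 1.9, so this is a behaviour change there, and the Tmux hunk above drops `-c "{cwd}"` in the same situation. Ending the helper with `return True` instead of `return vernum` keeps the old meaning and gives it a plain boolean result. check_tmux_pane_size continues outside the hunk.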
diff --git a/poky/meta/lib/oeqa/core/case.py b/poky/meta/lib/oeqa/core/case.py
index aae451fef2..bc4446a938 100644
--- a/poky/meta/lib/oeqa/core/case.py
+++ b/poky/meta/lib/oeqa/core/case.py
@@ -43,8 +43,13 @@ class OETestCase(unittest.TestCase):
clss.tearDownClassMethod()
def _oeSetUp(self):
- for d in self.decorators:
- d.setUpDecorator()
+ try:
+ for d in self.decorators:
+ d.setUpDecorator()
+ except:
+ for d in self.decorators:
+ d.tearDownDecorator()
+ raise
self.setUpMethod()
def _oeTearDown(self):
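Review bot: The new `except:` branch in `_oeSetUp` calls `tearDownDecorator()` on every decorator, including the one that raised and any whose `setUpDecorator()` never ran. Every decorator's teardown now has to tolerate being called without setup, and this commit adds that guard only to OETimeout (oetimeout.py). An exception raised by one of those teardowns would also propagate in place of the original setup error. Tracking which decorators completed setup and unwinding only those avoids both problems; whether the decorator that failed partway also needs unwinding is not visible from this hunk.

```python
    def _oeSetUp(self):
        ready = []
        try:
            for d in self.decorators:
                d.setUpDecorator()
                ready.append(d)
        except:
            # Unwind only the decorators whose setup completed, newest first
            for d in reversed(ready):
                d.tearDownDecorator()
            raise
        self.setUpMethod()
```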
diff --git a/poky/meta/lib/oeqa/core/decorator/oetimeout.py b/poky/meta/lib/oeqa/core/decorator/oetimeout.py
index df90d1c798..5e6873ad48 100644
--- a/poky/meta/lib/oeqa/core/decorator/oetimeout.py
+++ b/poky/meta/lib/oeqa/core/decorator/oetimeout.py
@@ -24,5 +24,6 @@ class OETimeout(OETestDecorator):
def tearDownDecorator(self):
signal.alarm(0)
- signal.signal(signal.SIGALRM, self.alarmSignal)
- self.logger.debug("Removed SIGALRM handler")
+ if hasattr(self, 'alarmSignal'):
+ signal.signal(signal.SIGALRM, self.alarmSignal)
+ self.logger.debug("Removed SIGALRM handler")
diff --git a/poky/meta/lib/oeqa/core/tests/cases/timeout.py b/poky/meta/lib/oeqa/core/tests/cases/timeout.py
index 5dfecc7b7c..69cf969a67 100644
--- a/poky/meta/lib/oeqa/core/tests/cases/timeout.py
+++ b/poky/meta/lib/oeqa/core/tests/cases/timeout.py
@@ -8,6 +8,7 @@ from time import sleep
from oeqa.core.case import OETestCase
from oeqa.core.decorator.oetimeout import OETimeout
+from oeqa.core.decorator.depends import OETestDepends
class TimeoutTest(OETestCase):
@@ -19,3 +20,15 @@ class TimeoutTest(OETestCase):
def testTimeoutFail(self):
sleep(2)
self.assertTrue(True, msg='How is this possible?')
+
+
+ def testTimeoutSkip(self):
+ self.skipTest("This test needs to be skipped, so that testTimeoutDepends()'s OETestDepends kicks in")
+
+ @OETestDepends(["timeout.TimeoutTest.testTimeoutSkip"])
+ @OETimeout(3)
+ def testTimeoutDepends(self):
+ self.assertTrue(False, msg='How is this possible?')
+
+ def testTimeoutUnrelated(self):
+ sleep(6)
diff --git a/poky/meta/lib/oeqa/core/tests/test_decorators.py b/poky/meta/lib/oeqa/core/tests/test_decorators.py
index b798bf7d33..5095f39948 100755
--- a/poky/meta/lib/oeqa/core/tests/test_decorators.py
+++ b/poky/meta/lib/oeqa/core/tests/test_decorators.py
@@ -133,5 +133,11 @@ class TestTimeoutDecorator(TestBase):
msg = "OETestTimeout didn't restore SIGALRM"
self.assertIs(alarm_signal, signal.getsignal(signal.SIGALRM), msg=msg)
+ def test_timeout_cancel(self):
+ tests = ['timeout.TimeoutTest.testTimeoutSkip', 'timeout.TimeoutTest.testTimeoutDepends', 'timeout.TimeoutTest.testTimeoutUnrelated']
+ msg = 'Unrelated test failed to complete'
+ tc = self._testLoader(modules=self.modules, tests=tests)
+ self.assertTrue(tc.runTests().wasSuccessful(), msg=msg)
+
if __name__ == '__main__':
unittest.main()
diff --git a/poky/meta/lib/oeqa/runtime/cases/date.py b/poky/meta/lib/oeqa/runtime/cases/date.py
index fdd2a6ae58..e14322911d 100644
--- a/poky/meta/lib/oeqa/runtime/cases/date.py
+++ b/poky/meta/lib/oeqa/runtime/cases/date.py
@@ -13,12 +13,12 @@ class DateTest(OERuntimeTestCase):
def setUp(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Stopping systemd-timesyncd daemon')
- self.target.run('systemctl disable --now systemd-timesyncd')
+ self.target.run('systemctl disable --now --runtime systemd-timesyncd')
def tearDown(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Starting systemd-timesyncd daemon')
- self.target.run('systemctl enable --now systemd-timesyncd')
+ self.target.run('systemctl enable --now --runtime systemd-timesyncd')
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['coreutils', 'busybox'])
diff --git a/poky/meta/lib/oeqa/runtime/cases/parselogs.py b/poky/meta/lib/oeqa/runtime/cases/parselogs.py
index 4714741aff..1bb0425521 100644
--- a/poky/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/poky/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -88,6 +88,8 @@ qemux86_common = [
'tsc: HPET/PMTIMER calibration failed',
"modeset(0): Failed to initialize the DRI2 extension",
"glamor initialization failed",
+ "blk_update_request: I/O error, dev fd0, sector 0 op 0x0:(READ)",
+ "floppy: error",
] + common_errors
ignore_errors = {
diff --git a/poky/meta/lib/oeqa/runtime/cases/rtc.py b/poky/meta/lib/oeqa/runtime/cases/rtc.py
index a34c101a9d..c4e6681324 100644
--- a/poky/meta/lib/oeqa/runtime/cases/rtc.py
+++ b/poky/meta/lib/oeqa/runtime/cases/rtc.py
@@ -9,12 +9,12 @@ class RTCTest(OERuntimeTestCase):
def setUp(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Stopping systemd-timesyncd daemon')
- self.target.run('systemctl disable --now systemd-timesyncd')
+ self.target.run('systemctl disable --now --runtime systemd-timesyncd')
def tearDown(self):
if self.tc.td.get('VIRTUAL-RUNTIME_init_manager') == 'systemd':
self.logger.debug('Starting systemd-timesyncd daemon')
- self.target.run('systemctl enable --now systemd-timesyncd')
+ self.target.run('systemctl enable --now --runtime systemd-timesyncd')
@OETestDepends(['ssh.SSHTest.test_ssh'])
@OEHasPackage(['coreutils', 'busybox'])
diff --git a/poky/meta/lib/oeqa/runtime/decorator/package.py b/poky/meta/lib/oeqa/runtime/decorator/package.py
index 57178655cc..2d7e174dbf 100644
--- a/poky/meta/lib/oeqa/runtime/decorator/package.py
+++ b/poky/meta/lib/oeqa/runtime/decorator/package.py
@@ -45,14 +45,14 @@ class OEHasPackage(OETestDecorator):
msg = 'Checking if %s is not installed' % ', '.join(unneed_pkgs)
self.logger.debug(msg)
if not self.case.tc.image_packages.isdisjoint(unneed_pkgs):
- msg = "Test can't run with %s installed" % ', or'.join(unneed_pkgs)
+ msg = "Test can't run with %s installed" % ', or '.join(unneed_pkgs)
self._decorator_fail(msg)
if need_pkgs:
msg = 'Checking if at least one of %s is installed' % ', '.join(need_pkgs)
self.logger.debug(msg)
if self.case.tc.image_packages.isdisjoint(need_pkgs):
- msg = "Test requires %s to be installed" % ', or'.join(need_pkgs)
+ msg = "Test requires %s to be installed" % ', or '.join(need_pkgs)
self._decorator_fail(msg)
def _decorator_fail(self, msg):
diff --git a/poky/meta/lib/oeqa/selftest/cases/buildoptions.py b/poky/meta/lib/oeqa/selftest/cases/buildoptions.py
index 20fe8ed8f6..1859d3222a 100644
--- a/poky/meta/lib/oeqa/selftest/cases/buildoptions.py
+++ b/poky/meta/lib/oeqa/selftest/cases/buildoptions.py
@@ -58,15 +58,15 @@ class ImageOptionsTests(OESelftestTestCase):
class DiskMonTest(OESelftestTestCase):
def test_stoptask_behavior(self):
- self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay", ignore_status = True)
self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output)
self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay", ignore_status = True)
self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output)
self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output))
- self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"')
+ self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"')
res = bitbake("delay -c delay")
self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output)
diff --git a/poky/meta/lib/oeqa/selftest/cases/distrodata.py b/poky/meta/lib/oeqa/selftest/cases/distrodata.py
index fbc0c2a98d..0ad6e1ef91 100644
--- a/poky/meta/lib/oeqa/selftest/cases/distrodata.py
+++ b/poky/meta/lib/oeqa/selftest/cases/distrodata.py
@@ -99,7 +99,7 @@ The following recipes do not have a DESCRIPTION. Please add an entry for DESCRIP
return True
return False
- feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\n'
+ feature = 'require conf/distro/include/maintainers.inc\nLICENSE_FLAGS_WHITELIST += " commercial"\nPARSE_ALL_RECIPES = "1"\nPACKAGE_CLASSES = "package_ipk package_deb package_rpm"\n'
self.write_config(feature)
with bb.tinfoil.Tinfoil() as tinfoil:
diff --git a/poky/meta/lib/oeqa/selftest/cases/runqemu.py b/poky/meta/lib/oeqa/selftest/cases/runqemu.py
index 7e676bcb41..da22f77b27 100644
--- a/poky/meta/lib/oeqa/selftest/cases/runqemu.py
+++ b/poky/meta/lib/oeqa/selftest/cases/runqemu.py
@@ -163,12 +163,11 @@ class QemuTest(OESelftestTestCase):
bitbake(cls.recipe)
def _start_qemu_shutdown_check_if_shutdown_succeeded(self, qemu, timeout):
+ # Allow the runner's LoggingThread instance to exit without errors
+ # (such as the exception "Console connection closed unexpectedly")
+ # as qemu will disappear when we shut it down
+ qemu.runner.allowexit()
qemu.run_serial("shutdown -h now")
- # Stop thread will stop the LoggingThread instance used for logging
- # qemu through serial console, stop thread will prevent this code
- # from facing exception (Console connection closed unexpectedly)
- # when qemu was shutdown by the above shutdown command
- qemu.runner.stop_thread()
time_track = 0
try:
while True:
diff --git a/poky/meta/lib/oeqa/utils/commands.py b/poky/meta/lib/oeqa/utils/commands.py
index a71c16ab14..024261410e 100644
--- a/poky/meta/lib/oeqa/utils/commands.py
+++ b/poky/meta/lib/oeqa/utils/commands.py
@@ -174,11 +174,8 @@ def runCmd(command, ignore_status=False, timeout=None, assert_error=True, sync=T
if native_sysroot:
extra_paths = "%s/sbin:%s/usr/sbin:%s/usr/bin" % \
(native_sysroot, native_sysroot, native_sysroot)
- extra_libpaths = "%s/lib:%s/usr/lib" % \
- (native_sysroot, native_sysroot)
nenv = dict(options.get('env', os.environ))
nenv['PATH'] = extra_paths + ':' + nenv.get('PATH', '')
- nenv['LD_LIBRARY_PATH'] = extra_libpaths + ':' + nenv.get('LD_LIBRARY_PATH', '')
options['env'] = nenv
cmd = Command(command, timeout=timeout, output_log=output_log, **options)
diff --git a/poky/meta/lib/oeqa/utils/qemurunner.py b/poky/meta/lib/oeqa/utils/qemurunner.py
index 278904ba0b..a0f17d557b 100644
--- a/poky/meta/lib/oeqa/utils/qemurunner.py
+++ b/poky/meta/lib/oeqa/utils/qemurunner.py
@@ -71,6 +71,8 @@ class QemuRunner:
self.monitorpipe = None
self.logger = logger
+ # Whether we're expecting an exit and should show related errors
+ self.canexit = False
# Enable testing other OS's
# Set commands for target communication, and default to Linux ALWAYS
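Review bot: The comment on `self.canexit` says related errors should be shown when an exit is expected, but the later hunks use the flag the other way round. When it is True, the serial-console read path returns `(1, "")` and LoggingThread returns `b''` instead of raising. I would reword it to `# True once the caller expects qemu to exit; connection-closed errors are then suppressed`. The constructor starts outside the hunk.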
@@ -471,6 +473,11 @@ class QemuRunner:
self.thread.stop()
self.thread.join()
+ def allowexit(self):
+ self.canexit = True
+ if self.thread:
+ self.thread.allowexit()
+
def restart(self, qemuparams = None):
self.logger.warning("Restarting qemu process")
if self.runqemu.poll() is None:
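Review bot: `allowexit()` sets the flag on the LoggingThread only if `self.thread` exists at that moment, and nothing visible in this diff ever clears `self.canexit` again. If a logging thread is created after the call, or the runner is reused through `restart()` just below, runner and thread can disagree, and a later genuine console drop would be reported as `(1, "")` rather than raised. Resetting `self.canexit = False` where qemu is (re)launched and handing the current value to a newly created LoggingThread would close that gap. Those code paths are outside this hunk, so please confirm.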
@@ -526,7 +533,9 @@ class QemuRunner:
if re.search(self.boot_patterns['search_cmd_finished'], data):
break
else:
- raise Exception("No data on serial console socket")
+ if self.canexit:
+ return (1, "")
+ raise Exception("No data on serial console socket, connection closed?")
if data:
if raw:
@@ -564,6 +573,7 @@ class LoggingThread(threading.Thread):
self.logger = logger
self.readsock = None
self.running = False
+ self.canexit = False
self.errorevents = select.POLLERR | select.POLLHUP | select.POLLNVAL
self.readevents = select.POLLIN | select.POLLPRI
@@ -597,6 +607,9 @@ class LoggingThread(threading.Thread):
self.close_ignore_error(self.writepipe)
self.running = False
+ def allowexit(self):
+ self.canexit = True
+
def eventloop(self):
poll = select.poll()
event_read_mask = self.errorevents | self.readevents
@@ -642,7 +655,7 @@ class LoggingThread(threading.Thread):
data = self.readsock.recv(count)
except socket.error as e:
if e.errno == errno.EAGAIN or e.errno == errno.EWOULDBLOCK:
- return ''
+ return b''
else:
raise
@@ -653,7 +666,9 @@ class LoggingThread(threading.Thread):
# happened. But for this code it counts as an
# error since the connection shouldn't go away
# until qemu exits.
- raise Exception("Console connection closed unexpectedly")
+ if not self.canexit:
+ raise Exception("Console connection closed unexpectedly")
+ return b''
return data
diff --git a/poky/meta/recipes-bsp/grub/grub2.inc b/poky/meta/recipes-bsp/grub/grub2.inc
index 590deb8d92..6de683ee1c 100644
--- a/poky/meta/recipes-bsp/grub/grub2.inc
+++ b/poky/meta/recipes-bsp/grub/grub2.inc
@@ -49,6 +49,8 @@ GRUBPLATFORM ??= "pc"
inherit autotools gettext texinfo pkgconfig
+CFLAGS_remove = "-O2"
+
EXTRA_OECONF = "--with-platform=${GRUBPLATFORM} \
--disable-grub-mkfont \
--program-prefix="" \
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@
+From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 13 Mar 2021 18:19:31 +0200
+Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters
+
+The supported hash algorithms do not use AlgorithmIdentifier parameters.
+However, there are implementations that include NULL parameters in
+addition to ones that omit the parameters. Previous implementation did
+not check the parameters value at all which supported both these cases,
+but did not reject any other unexpected information.
+
+Use strict validation of digest algorithm parameters and reject any
+unexpected value when validating a signature. This is needed to prevent
+potential forging attacks.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Upstream-Status: Backport
+CVE: CVE-2021-30004
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/tls/pkcs1.c | 21 +++++++++++++++++++++
+ src/tls/x509v3.c | 20 ++++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c
+index 141ac50..e09db07 100644
+--- a/src/tls/pkcs1.c
++++ b/src/tls/pkcs1.c
+@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo",
++ hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk,
+ os_free(decrypted);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "PKCS #1: Unexpected digest algorithm parameters");
++ os_free(decrypted);
++ return -1;
++ }
+
+ if (!asn1_oid_equal(&oid, hash_alg)) {
+ char txt[100], txt2[100];
+diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
+index 1bd5aa0..bf2289f 100644
+--- a/src/tls/x509v3.c
++++ b/src/tls/x509v3.c
+@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length);
+
+ pos = hdr.payload;
+ end = pos + hdr.length;
+@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier",
++ hdr.payload, hdr.length);
+ da_end = hdr.payload + hdr.length;
+
+ if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) {
+@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer,
+ os_free(data);
+ return -1;
+ }
++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters",
++ next, da_end - next);
++
++ /*
++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to
++ * omit the parameters, but there are implementation that encode these
++ * as a NULL element. Allow these two cases and reject anything else.
++ */
++ if (da_end > next &&
++ (asn1_get_next(next, da_end - next, &hdr) < 0 ||
++ !asn1_is_null(&hdr) ||
++ hdr.payload + hdr.length != da_end)) {
++ wpa_printf(MSG_DEBUG,
++ "X509: Unexpected digest algorithm parameters");
++ os_free(data);
++ return -1;
++ }
+
+ if (x509_sha1_oid(&oid)) {
+ if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) {
+--
+2.17.1
+
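Review bot: Both added checks call `asn1_is_null(&hdr)`, but this backport touches only src/tls/pkcs1.c and src/tls/x509v3.c and adds no such helper, so it relies on the 2.9 tarball's ASN.1 header already declaring it. Please confirm that: if the helper was introduced upstream after 2.9, a build that compiles the internal TLS code would fail at this call, or at link time where implicit declarations are tolerated. If it is missing, the equivalent open-coded test is `hdr.class != ASN1_CLASS_UNIVERSAL || hdr.tag != ASN1_TAG_NULL` in place of `!asn1_is_null(&hdr)` in both files. It is also worth building once with the internal TLS backend enabled so the patched signature-validation code is actually compiled and exercised.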
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
index 357c28634a..cddcfb6811 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \
file://CVE-2021-0326.patch \
file://CVE-2021-27803.patch \
+ file://CVE-2021-30004.patch \
"
SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190"
SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17"
diff --git a/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb b/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
index 0021e45511..3804f4f7b2 100644
--- a/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
+++ b/poky/meta/recipes-core/busybox/busybox-inittab_1.33.0.bb
@@ -44,9 +44,6 @@ EOF
fi
}
-do_install_append_qemuppc64 () {
- echo "9:12345:respawn:${base_sbindir}/getty 38400 hvc0" >> ${D}${sysconfdir}/inittab
-}
pkg_postinst_${PN} () {
# run this on host and on target
diff --git a/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
new file mode 100644
index 0000000000..67c9f189cc
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch
@@ -0,0 +1,58 @@
+From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001
+From: Samuel Sapalski <samuel.sapalski@nokia.com>
+Date: Wed, 3 Mar 2021 16:31:22 +0100
+Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt
+
+On certain corrupt gzip files, huft_build will set the error bit on
+the result pointer. If afterwards abort_unzip is called huft_free
+might run into a segmentation fault or an invalid pointer to
+free(p).
+
+In order to mitigate this, we check in huft_free if the error bit
+is set and clear it before the linked list is freed.
+
+Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
+Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-28831
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ archival/libarchive/decompress_gunzip.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
+index eb3b64930..e93cd5005 100644
+--- a/archival/libarchive/decompress_gunzip.c
++++ b/archival/libarchive/decompress_gunzip.c
+@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = {
+ * each table.
+ * t: table to free
+ */
++#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
++#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static void huft_free(huft_t *p)
+ {
+ huft_t *q;
+
++ /*
++ * If 'p' has the error bit set we have to clear it, otherwise we might run
++ * into a segmentation fault or an invalid pointer to free(p)
++ */
++ if (BAD_HUFT(p)) {
++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET));
++ }
++
+ /* Go through linked list, freeing from the malloced (t[-1]) address. */
+ while (p) {
+ q = (--p)->v.t;
+@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current
+ * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table
+ * is given: "fixed inflate" decoder feeds us such data.
+ */
+-#define BAD_HUFT(p) ((uintptr_t)(p) & 1)
+-#define ERR_RET ((huft_t*)(uintptr_t)1)
+ static huft_t* huft_build(const unsigned *b, const unsigned n,
+ const unsigned s, const struct cp_ext *cp_ext,
+ unsigned *m)
diff --git a/poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch b/poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch
new file mode 100644
index 0000000000..e0a22c5bb3
--- /dev/null
+++ b/poky/meta/recipes-core/busybox/busybox/0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch
@@ -0,0 +1,28 @@
+From bff7f16f7f41de8df67beb03722f235828ef2249 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 3 May 2021 15:48:19 -0700
+Subject: [PATCH] gen_build_files: Use C locale when calling sed on globbed files
+
+sort order is different based on chosen locale and also default shell
+being bash or dash
+
+This sets the environment variable LC_ALL to the value C, which will
+enforce bytewise sorting, irrespective of the shell
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ scripts/gen_build_files.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/gen_build_files.sh
++++ b/scripts/gen_build_files.sh
+@@ -4,6 +4,8 @@
+ # but users complain that many sed implementations
+ # are misinterpreting --.
+
++export LC_ALL=C
++
+ test $# -ge 2 || { echo "Syntax: $0 SRCTREE OBJTREE"; exit 1; }
+
+ # cd to objtree
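Review bot: The embedded patch header states `1 insertion(+), 1 deletion(-)` for scripts/gen_build_files.sh, but the hunk `@@ -4,6 +4,8 @@` adds two lines (`export LC_ALL=C` and a blank line) and removes none, so the diffstat looks stale or hand-edited. Regenerating the patch would keep the header trustworthy for whoever later refreshes or upstreams it, given `Upstream-Status: Pending`. A one-line comment above the export, such as `# Force bytewise sort/glob order so generated files do not depend on the build host locale`, would also record why the whole script runs under the C locale.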
diff --git a/poky/meta/recipes-core/busybox/busybox_1.33.0.bb b/poky/meta/recipes-core/busybox/busybox_1.33.0.bb
index 1a3f218bca..b2a30ba16f 100644
--- a/poky/meta/recipes-core/busybox/busybox_1.33.0.bb
+++ b/poky/meta/recipes-core/busybox/busybox_1.33.0.bb
@@ -46,7 +46,9 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://0001-sysctl-ignore-EIO-of-stable_secret-below-proc-sys-ne.patch \
file://rev.cfg \
file://pgrep.cfg \
-"
+ file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \
+ file://0001-gen_build_files-Use-C-locale-when-calling-sed-on-glo.patch \
+ "
SRC_URI_append_libc-musl = " file://musl.cfg "
SRC_URI[tarball.sha256sum] = "d568681c91a85edc6710770cebc1e80e042ad74d305b5c2e6d57a5f3de3b8fbd"
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch
new file mode 100644
index 0000000000..e3def1a980
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch
@@ -0,0 +1,32 @@
+From 48dd0d030a2b5240457472d40d8691b80bf5fa78 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:33:38 +0000
+Subject: [PATCH 1/5] glocalfileoutputstream: Fix a typo in a comment
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index f34c3e4..e3d31d6 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -854,7 +854,7 @@ handle_overwrite_open (const char *filename,
+ mode = mode_from_flags_or_info (flags, reference_info);
+
+ /* We only need read access to the original file if we are creating a backup.
+- * We also add O_CREATE to avoid a race if the file was just removed */
++ * We also add O_CREAT to avoid a race if the file was just removed */
+ if (create_backup || readable)
+ open_flags = O_RDWR | O_CREAT | O_BINARY;
+ else
+--
+2.17.1
+
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch
new file mode 100644
index 0000000000..d8d4d51751
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch
@@ -0,0 +1,47 @@
+From 3d7f54ae4cfdddaf1a807879d9263e16cd12ffd3 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:34:32 +0000
+Subject: [PATCH 2/5] tests: Stop using g_test_bug_base() in file tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since a following commit is going to add a new test which references
+Gitlab, so it’s best to move the URI bases inside the test cases.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/tests/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/gio/tests/file.c b/gio/tests/file.c
+index d876965..39d51da 100644
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -686,7 +686,7 @@ test_replace_cancel (void)
+ guint count;
+ GError *error = NULL;
+
+- g_test_bug ("629301");
++ g_test_bug ("https://bugzilla.gnome.org/629301");
+
+ path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error);
+ g_assert_no_error (error);
+@@ -1785,8 +1785,6 @@ main (int argc, char *argv[])
+ {
+ g_test_init (&argc, &argv, NULL);
+
+- g_test_bug_base ("http://bugzilla.gnome.org/");
+-
+ g_test_add_func ("/file/basic", test_basic);
+ g_test_add_func ("/file/build-filename", test_build_filename);
+ g_test_add_func ("/file/parent", test_parent);
+--
+2.17.1
+
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch
new file mode 100644
index 0000000000..425a1d402f
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0003-glocalfileoutputstream-Factor-out-a-flag-check.patch
@@ -0,0 +1,60 @@
+From 8cc84a2f8c668541aaba584cb9b73c98afeb8e2d Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 10 Mar 2021 16:05:55 +0000
+Subject: [PATCH 3/5] glocalfileoutputstream: Factor out a flag check
+
+This clarifies the code a little. It introduces no functional changes.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index e3d31d6..392d0b0 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -850,6 +850,7 @@ handle_overwrite_open (const char *filename,
+ int res;
+ int mode;
+ int errsv;
++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION);
+
+ mode = mode_from_flags_or_info (flags, reference_info);
+
+@@ -960,7 +961,7 @@ handle_overwrite_open (const char *filename,
+ * to a backup file and rewrite the contents of the file.
+ */
+
+- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) ||
++ if (replace_destination_set ||
+ (!(_g_stat_nlink (&original_stat) > 1) && !is_symlink))
+ {
+ char *dirname, *tmp_filename;
+@@ -979,7 +980,7 @@ handle_overwrite_open (const char *filename,
+
+ /* try to keep permissions (unless replacing) */
+
+- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) &&
++ if (!replace_destination_set &&
+ (
+ #ifdef HAVE_FCHOWN
+ fchown (tmpfd, _g_stat_uid (&original_stat), _g_stat_gid (&original_stat)) == -1 ||
+@@ -1120,7 +1121,7 @@ handle_overwrite_open (const char *filename,
+ }
+ }
+
+- if (flags & G_FILE_CREATE_REPLACE_DESTINATION)
++ if (replace_destination_set)
+ {
+ g_close (fd, NULL);
+
+--
+2.17.1
+
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch
new file mode 100644
index 0000000000..54a9f452d6
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch
@@ -0,0 +1,294 @@
+From ed8f2235da7d2a408bfa18c1003f4a07f90b05e8 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:36:07 +0000
+Subject: [PATCH 4/5] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION
+ with symlinks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking
+the destination file and re-creating it from scratch. That did
+previously work, but in the process the code would call `open(O_CREAT)`
+on the file. If the file was a dangling symlink, this would create the
+destination file (empty). That’s not an intended side-effect, and has
+security implications if the symlink is controlled by a lower-privileged
+process.
+
+Fix that by not opening the destination file if it’s a symlink, and
+adjusting the rest of the code to cope with
+ - the fact that `fd == -1` is not an error iff `is_symlink` is true,
+ - and that `original_stat` will contain the `lstat()` results for the
+ symlink now, rather than the `stat()` results for its target (again,
+ iff `is_symlink` is true).
+
+This means that the target of the dangling symlink is no longer created,
+which was the bug. The symlink itself continues to be replaced (as
+before) with the new file — this is the intended behaviour of
+`g_file_replace()`.
+
+The behaviour for non-symlink cases, or cases where the symlink was not
+dangling, should be unchanged.
+
+Includes a unit test.
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+Fixes: #2325
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 77 ++++++++++++++++++-------
+ gio/tests/file.c | 108 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 163 insertions(+), 22 deletions(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index 392d0b0..a2c7e3c 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -878,16 +878,22 @@ handle_overwrite_open (const char *filename,
+ /* Could be a symlink, or it could be a regular ELOOP error,
+ * but then the next open will fail too. */
+ is_symlink = TRUE;
+- fd = g_open (filename, open_flags, mode);
++ if (!replace_destination_set)
++ fd = g_open (filename, open_flags, mode);
+ }
+-#else
+- fd = g_open (filename, open_flags, mode);
+- errsv = errno;
++#else /* if !O_NOFOLLOW */
+ /* This is racy, but we do it as soon as possible to minimize the race */
+ is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK);
++
++ if (!is_symlink || !replace_destination_set)
++ {
++ fd = g_open (filename, open_flags, mode);
++ errsv = errno;
++ }
+ #endif
+
+- if (fd == -1)
++ if (fd == -1 &&
++ (!is_symlink || !replace_destination_set))
+ {
+ char *display_name = g_filename_display_name (filename);
+ g_set_error (error, G_IO_ERROR,
+@@ -898,15 +904,30 @@ handle_overwrite_open (const char *filename,
+ return -1;
+ }
+
+- res = g_local_file_fstat (fd,
+- G_LOCAL_FILE_STAT_FIELD_TYPE |
+- G_LOCAL_FILE_STAT_FIELD_MODE |
+- G_LOCAL_FILE_STAT_FIELD_UID |
+- G_LOCAL_FILE_STAT_FIELD_GID |
+- G_LOCAL_FILE_STAT_FIELD_MTIME |
+- G_LOCAL_FILE_STAT_FIELD_NLINK,
+- G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
+- errsv = errno;
++ if (!is_symlink)
++ {
++ res = g_local_file_fstat (fd,
++ G_LOCAL_FILE_STAT_FIELD_TYPE |
++ G_LOCAL_FILE_STAT_FIELD_MODE |
++ G_LOCAL_FILE_STAT_FIELD_UID |
++ G_LOCAL_FILE_STAT_FIELD_GID |
++ G_LOCAL_FILE_STAT_FIELD_MTIME |
++ G_LOCAL_FILE_STAT_FIELD_NLINK,
++ G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
++ errsv = errno;
++ }
++ else
++ {
++ res = g_local_file_lstat (filename,
++ G_LOCAL_FILE_STAT_FIELD_TYPE |
++ G_LOCAL_FILE_STAT_FIELD_MODE |
++ G_LOCAL_FILE_STAT_FIELD_UID |
++ G_LOCAL_FILE_STAT_FIELD_GID |
++ G_LOCAL_FILE_STAT_FIELD_MTIME |
++ G_LOCAL_FILE_STAT_FIELD_NLINK,
++ G_LOCAL_FILE_STAT_FIELD_ALL, &original_stat);
++ errsv = errno;
++ }
+
+ if (res != 0)
+ {
+@@ -923,16 +944,27 @@ handle_overwrite_open (const char *filename,
+ if (!S_ISREG (_g_stat_mode (&original_stat)))
+ {
+ if (S_ISDIR (_g_stat_mode (&original_stat)))
+- g_set_error_literal (error,
+- G_IO_ERROR,
+- G_IO_ERROR_IS_DIRECTORY,
+- _("Target file is a directory"));
+- else
+- g_set_error_literal (error,
++ {
++ g_set_error_literal (error,
++ G_IO_ERROR,
++ G_IO_ERROR_IS_DIRECTORY,
++ _("Target file is a directory"));
++ goto err_out;
++ }
++ else if (!is_symlink ||
++#ifdef S_ISLNK
++ !S_ISLNK (_g_stat_mode (&original_stat))
++#else
++ FALSE
++#endif
++ )
++ {
++ g_set_error_literal (error,
+ G_IO_ERROR,
+ G_IO_ERROR_NOT_REGULAR_FILE,
+ _("Target file is not a regular file"));
+- goto err_out;
++ goto err_out;
++ }
+ }
+
+ if (etag != NULL)
+@@ -1015,7 +1047,8 @@ handle_overwrite_open (const char *filename,
+ }
+ }
+
+- g_close (fd, NULL);
++ if (fd >= 0)
++ g_close (fd, NULL);
+ *temp_filename = tmp_filename;
+ return tmpfd;
+ }
+diff --git a/gio/tests/file.c b/gio/tests/file.c
+index 39d51da..ddd1ffc 100644
+--- a/gio/tests/file.c
++++ b/gio/tests/file.c
+@@ -805,6 +805,113 @@ test_replace_cancel (void)
+ g_object_unref (tmpdir);
+ }
+
++static void
++test_replace_symlink (void)
++{
++#ifdef G_OS_UNIX
++ gchar *tmpdir_path = NULL;
++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL;
++ GFileOutputStream *stream = NULL;
++ const gchar *new_contents = "this is a test message which should be written to source and not target";
++ gsize n_written;
++ GFileEnumerator *enumerator = NULL;
++ GFileInfo *info = NULL;
++ gchar *contents = NULL;
++ gsize length = 0;
++ GError *local_error = NULL;
++
++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325");
++ g_test_summary ("Test that G_FILE_CREATE_REPLACE_DESTINATION doesn’t follow symlinks");
++
++ /* Create a fresh, empty working directory. */
++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error);
++ g_assert_no_error (local_error);
++ tmpdir = g_file_new_for_path (tmpdir_path);
++
++ g_test_message ("Using temporary directory %s", tmpdir_path);
++ g_free (tmpdir_path);
++
++ /* Create symlink `source` which points to `target`. */
++ source_file = g_file_get_child (tmpdir, "source");
++ target_file = g_file_get_child (tmpdir, "target");
++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ /* Ensure that `target` doesn’t exist */
++ g_assert_false (g_file_query_exists (target_file, NULL));
++
++ /* Replace the `source` symlink with a regular file using
++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without*
++ * following the symlink */
++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */,
++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents),
++ &n_written, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_cmpint (n_written, ==, strlen (new_contents));
++
++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_clear_object (&stream);
++
++ /* At this point, there should still only be one file: `source`. It should
++ * now be a regular file. `target` should not exist. */
++ enumerator = g_file_enumerate_children (tmpdir,
++ G_FILE_ATTRIBUTE_STANDARD_NAME ","
++ G_FILE_ATTRIBUTE_STANDARD_TYPE,
++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_nonnull (info);
++
++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source");
++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR);
++
++ g_clear_object (&info);
++
++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_assert_null (info);
++
++ g_file_enumerator_close (enumerator, NULL, &local_error);
++ g_assert_no_error (local_error);
++ g_clear_object (&enumerator);
++
++ /* Double-check that `target` doesn’t exist */
++ g_assert_false (g_file_query_exists (target_file, NULL));
++
++ /* Check the content of `source`. */
++ g_file_load_contents (source_file,
++ NULL,
++ &contents,
++ &length,
++ NULL,
++ &local_error);
++ g_assert_no_error (local_error);
++ g_assert_cmpstr (contents, ==, new_contents);
++ g_assert_cmpuint (length, ==, strlen (new_contents));
++ g_free (contents);
++
++ /* Tidy up. */
++ g_file_delete (source_file, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_file_delete (tmpdir, NULL, &local_error);
++ g_assert_no_error (local_error);
++
++ g_clear_object (&target_file);
++ g_clear_object (&source_file);
++ g_clear_object (&tmpdir);
++#else /* if !G_OS_UNIX */
++ g_test_skip ("Symlink replacement tests can only be run on Unix")
++#endif
++}
++
+ static void
+ on_file_deleted (GObject *object,
+ GAsyncResult *result,
+@@ -1798,6 +1905,7 @@ main (int argc, char *argv[])
+ g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete);
+ g_test_add_func ("/file/replace-load", test_replace_load);
+ g_test_add_func ("/file/replace-cancel", test_replace_cancel);
++ g_test_add_func ("/file/replace-symlink", test_replace_symlink);
+ g_test_add_func ("/file/async-delete", test_async_delete);
+ g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode);
+ g_test_add_func ("/file/measure", test_measure);
+--
+2.17.1
+
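Review bot: In the `#else /* if !O_NOFOLLOW */` branch, `fd` is assigned only when `!is_symlink || !replace_destination_set`, yet it is read afterwards by `if (fd == -1 && ...)` and by the new `if (fd >= 0) g_close (fd, NULL);`. The declaration of `fd` lies outside the hunk, so if it is not initialised there, a stale value could lead to closing an unrelated descriptor. An explicit `fd = -1;` before the `g_file_test()` call (or at the declaration) would make that path well defined. That branch also keeps the check-then-open race its own comment mentions, so the symlink protection is weaker on platforms without O_NOFOLLOW. Separately, in the new test the `#else` arm `g_test_skip ("Symlink replacement tests can only be run on Unix")` lacks a terminating `;` and will not compile where G_OS_UNIX is undefined.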
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch
new file mode 100644
index 0000000000..0ab9a750ab
--- /dev/null
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch
@@ -0,0 +1,60 @@
+From ab4ee65fb5778964fa3cca9b3d6749711ef9ba19 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@endlessos.org>
+Date: Wed, 24 Feb 2021 17:42:24 +0000
+Subject: [PATCH 5/5] glocalfileoutputstream: Add a missing O_CLOEXEC flag to
+ replace()
+
+Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
+
+CVE: CVE-2021-28153
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/issues/2325]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ gio/glocalfileoutputstream.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c
+index a2c7e3c..4c512ea 100644
+--- a/gio/glocalfileoutputstream.c
++++ b/gio/glocalfileoutputstream.c
+@@ -63,6 +63,12 @@
+ #define O_BINARY 0
+ #endif
+
++#ifndef O_CLOEXEC
++#define O_CLOEXEC 0
++#else
++#define HAVE_O_CLOEXEC 1
++#endif
++
+ struct _GLocalFileOutputStreamPrivate {
+ char *tmp_filename;
+ char *original_filename;
+@@ -1239,7 +1245,7 @@ _g_local_file_output_stream_replace (const char *filename,
+ sync_on_close = FALSE;
+
+ /* If the file doesn't exist, create it */
+- open_flags = O_CREAT | O_EXCL | O_BINARY;
++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC;
+ if (readable)
+ open_flags |= O_RDWR;
+ else
+@@ -1269,8 +1275,11 @@ _g_local_file_output_stream_replace (const char *filename,
+ set_error_from_open_errno (filename, error);
+ return NULL;
+ }
+-
+-
++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)
++ else
++ fcntl (fd, F_SETFD, FD_CLOEXEC);
++#endif
++
+ stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL);
+ stream->priv->fd = fd;
+ stream->priv->sync_on_close = sync_on_close;
+--
+2.17.1
+
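Review bot: The fallback `fcntl (fd, F_SETFD, FD_CLOEXEC);` ignores its return value and runs after the open, so on platforms without O_CLOEXEC the descriptor can still be inherited by a child forked from another thread in between, or stay inheritable if the call fails. A comment on the `#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD)` arm would make the limitation explicit, e.g. `/* Best effort: not atomic with open(), a concurrent fork+exec can still inherit fd */`. Only the `O_CREAT | O_EXCL` open in `_g_local_file_output_stream_replace` gains the flag here. The `open_flags` built in `handle_overwrite_open` (shown as `O_RDWR | O_CREAT | O_BINARY` in patch 1/5's context) is not touched by this patch, so descriptors opened on the overwrite path may still lack close-on-exec unless that is handled outside the visible hunks.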
diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb
index 3909b76ddf..e5e65a4aad 100644
--- a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb
+++ b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.66.7.bb
@@ -50,6 +50,16 @@ SRC_URI += "\
file://0028-gresource-Fix-a-pointer-mismatch-with-an-atomic-load.patch \
file://0029-docs-Document-not-to-use-volatile-qualifiers.patch \
"
+
+# Fix CVE-2021-28153
+SRC_URI += "\
+ file://0001-glocalfileoutputstream-Fix-a-typo-in-a-comment.patch \
+ file://0002-tests-Stop-using-g_test_bug_base-in-file-tests.patch \
+ file://0003-glocalfileoutputstream-Factor-out-a-flag-check.patch \
+ file://0004-glocalfileoutputstream-Fix-CREATE_REPLACE_DESTINATIO.patch \
+ file://0005-glocalfileoutputstream-Add-a-missing-O_CLOEXEC-flag-.patch \
+"
+
SRC_URI_append_class-native = " file://relocate-modules.patch"
SRC_URI[sha256sum] = "09f158769f6f26b31074e15b1ac80ec39b13b53102dfae66cfe826fb2cc65502"
diff --git a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 1aeb952db2..fe1715f2e3 100644
--- a/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/poky/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -24,8 +24,8 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
inherit core-image setuptools3
-SRCREV ?= "42514ade8bdb9502f49a56752561f6c2e9f23348"
-SRC_URI = "git://git.yoctoproject.org/poky \
+SRCREV ?= "96e8fcd6a24fd732e010607be347cbb3348ef725"
+SRC_URI = "git://git.yoctoproject.org/poky;branch=hardknott \
file://Yocto_Build_Appliance.vmx \
file://Yocto_Build_Appliance.vmxf \
file://README_VirtualBox_Guest_Additions.txt \
diff --git a/poky/meta/recipes-core/meta/cve-update-db-native.bb b/poky/meta/recipes-core/meta/cve-update-db-native.bb
index 25ec6bac71..e5822cee58 100644
--- a/poky/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/poky/meta/recipes-core/meta/cve-update-db-native.bb
@@ -139,7 +139,12 @@ def parse_node_and_insert(c, node, cveId):
for cpe in node.get('cpe_match', ()):
if not cpe['vulnerable']:
return
- cpe23 = cpe['cpe23Uri'].split(':')
+ cpe23 = cpe.get('cpe23Uri')
+ if not cpe23:
+ return
+ cpe23 = cpe23.split(':')
+ if len(cpe23) < 6:
+ return
vendor = cpe23[3]
product = cpe23[4]
version = cpe23[5]
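Review bot: Both new guards use `return`, which, inside `for cpe in node.get('cpe_match', ())`, stops processing every remaining entry of the node as soon as one entry has a missing or short `cpe23Uri`; `continue` would skip only the malformed entry, though the existing non-vulnerable check also returns, so this may be intended. Because this feeds the CVE database used for checking, silently dropped entries can hide applicable CVEs, so a `bb.warn(...)` naming `cveId` on the skip path would help. The existing `cpe['vulnerable']` lookup just above still indexes directly and would raise KeyError on the same kind of incomplete record; `cpe.get('vulnerable')` would be consistent with the new handling. The enclosing function continues outside the hunk, so confirm that no later line indexes past `cpe23[5]` without a matching length check.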
diff --git a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
index b8e2c718e6..194dca76d0 100644
--- a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
+++ b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-profile.bb
@@ -57,6 +57,7 @@ VALGRIND_armv6 = ""
VALGRIND_armeb = ""
VALGRIND_aarch64 = ""
VALGRIND_riscv64 = ""
+VALGRIND_riscv32 = ""
VALGRIND_powerpc = "${@bb.utils.contains('TARGET_FPU', 'soft', '', 'valgrind', d)}"
VALGRIND_linux-gnux32 = ""
VALGRIND_linux-gnun32 = ""
diff --git a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
index a5fc152859..015810cb6b 100644
--- a/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
+++ b/poky/meta/recipes-core/packagegroups/packagegroup-core-tools-testapps.bb
@@ -16,6 +16,7 @@ KEXECTOOLS_e5500-64b ?= ""
KEXECTOOLS_microblaze ?= ""
KEXECTOOLS_nios2 ?= ""
KEXECTOOLS_riscv64 ?= ""
+KEXECTOOLS_riscv32 ?= ""
GSTEXAMPLES ?= "gst-examples"
GSTEXAMPLES_riscv64 = ""
diff --git a/poky/meta/recipes-core/systemd/systemd-boot_247.4.bb b/poky/meta/recipes-core/systemd/systemd-boot_247.6.bb
index 249e620f4e..249e620f4e 100644
--- a/poky/meta/recipes-core/systemd/systemd-boot_247.4.bb
+++ b/poky/meta/recipes-core/systemd/systemd-boot_247.6.bb
diff --git a/poky/meta/recipes-core/systemd/systemd-conf_247.3.bb b/poky/meta/recipes-core/systemd/systemd-conf_247.6.bb
index ea35e83f4f..ea35e83f4f 100644
--- a/poky/meta/recipes-core/systemd/systemd-conf_247.3.bb
+++ b/poky/meta/recipes-core/systemd/systemd-conf_247.6.bb
diff --git a/poky/meta/recipes-core/systemd/systemd.inc b/poky/meta/recipes-core/systemd/systemd.inc
index 098bca98f1..7d3b3064ba 100644
--- a/poky/meta/recipes-core/systemd/systemd.inc
+++ b/poky/meta/recipes-core/systemd/systemd.inc
@@ -14,7 +14,7 @@ LICENSE = "GPLv2 & LGPLv2.1"
LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
-SRCREV = "069525e84a67375e27429cb490e8d28af78e673a"
+SRCREV = "17472dca0160cbe7b807ca648475fd70d0d62fe5"
SRCBRANCH = "v247-stable"
SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}"
diff --git a/poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch b/poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
new file mode 100644
index 0000000000..bbee6e6b28
--- /dev/null
+++ b/poky/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
@@ -0,0 +1,36 @@
+From 7b32582c066549fea0f7180a6c575e7fa37a867f Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 12 Apr 2021 23:44:53 -0700
+Subject: [PATCH] missing_syscall.h: Define MIPS ABI defines for musl
+
+musl does not define _MIPS_SIM_ABI32, _MIPS_SIM_NABI32, _MIPS_SIM_ABI64
+unlike glibc where these are provided by libc headers, therefore define
+them here in case they are undefined
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/basic/missing_syscall.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/basic/missing_syscall.h b/src/basic/missing_syscall.h
+index 0594a1b930..495d161334 100644
+--- a/src/basic/missing_syscall.h
++++ b/src/basic/missing_syscall.h
+@@ -15,6 +15,12 @@
+ #include <asm/sgidefs.h>
+ #endif
+
++#ifndef _MIPS_SIM_ABI32
++#define _MIPS_SIM_ABI32 1
++#define _MIPS_SIM_NABI32 2
++#define _MIPS_SIM_ABI64 3
++#endif
++
+ #if defined(__x86_64__) && defined(__ILP32__)
+ # define systemd_SC_arch_bias(x) ((x) | /* __X32_SYSCALL_BIT */ 0x40000000)
+ #elif defined(__ia64__)
+--
+2.31.1
+
diff --git a/poky/meta/recipes-core/systemd/systemd_247.4.bb b/poky/meta/recipes-core/systemd/systemd_247.6.bb
index cd67e65abe..32afa159ec 100644
--- a/poky/meta/recipes-core/systemd/systemd_247.4.bb
+++ b/poky/meta/recipes-core/systemd/systemd_247.6.bb
@@ -55,6 +55,7 @@ SRC_URI_MUSL = "\
file://0022-do-not-disable-buffer-in-writing-files.patch \
file://0025-Handle-__cpu_mask-usage.patch \
file://0026-Handle-missing-gshadow.patch \
+ file://0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch \
"
PAM_PLUGINS = " \
diff --git a/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty b/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty
index dfa799adac..699a1ead1a 100644
--- a/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty
+++ b/poky/meta/recipes-core/sysvinit/sysvinit-inittab/start_getty
@@ -1,17 +1,4 @@
#!/bin/sh
-###############################################################################
-# This script is used to automatically set up the serial console(s) on startup.
-# The variable SERIAL_CONSOLES can be set in meta/conf/machine/*.conf.
-# Script enhancement has been done based on Bug YOCTO #10844.
-# Most of the information is retrieved from /proc virtual filesystem containing
-# all the runtime system information (eg. system memory, device mount, etc).
-###############################################################################
-
-# Get active serial filename.
-active_serial=$(grep "serial" /proc/tty/drivers | cut -d/ -f1 | sed "s/ *$//")
-
-# Rephrase input parameter from ttyS target index (ttyS1, ttyS2, ttyAMA0, etc).
-runtime_tty=$(echo $2 | grep -oh '[0-9]\+')
# busybox' getty does this itself, util-linux' agetty needs extra help
getty="/sbin/getty"
@@ -25,31 +12,6 @@ case $(readlink -f "${getty}") in
;;
esac
-# Backup $IFS.
-DEFAULT_IFS=$IFS
-# Customize Internal Field Separator.
-IFS="$(printf '\n\t')"
-
-for line in $active_serial; do
- # Check we have the file containing current active serial target index.
- if [ -e "/proc/tty/driver/$line" ]
- then
- # Remove all unknown entries and discard the first line (desc).
- activetty=$(grep -v "unknown" "/proc/tty/driver/$line" \
- | tail -n +2 | grep -oh "^\s*\S*[0-9]\+")
- for active in $activetty; do
- # If indexes do match then enable the serial console.
- if [ $active -eq $runtime_tty ]
- then
- if [ -c /dev/$2 ]
- then
- ${setsid:-} ${getty} -L $1 $2 $3
- fi
- break
- fi
- done
- fi
-done
-
-# Restore $IFS.
-IFS=$DEFAULT_IFS
+if [ -e /sys/class/tty/$2 -a -c /dev/$2 ]; then
+ ${setsid:-} ${getty} -L $1 $2 $3
+fi
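Review bot: The new test `[ -e /sys/class/tty/$2 -a -c /dev/$2 ]` leaves `$2` unquoted and relies on `-a`, which POSIX marks obsolescent and which can parse ambiguously when an operand is empty or looks like an operator. Writing it as `if [ -e "/sys/class/tty/$2" ] && [ -c "/dev/$2" ]; then` keeps the same behaviour and is robust to odd inittab arguments. Since the explanatory header was deleted in the first hunk, a one-line comment such as `# Start getty only if the kernel registered the tty and its device node exists` would preserve the intent.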
diff --git a/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb b/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
index 0af116f35c..d95d1a63f5 100644
--- a/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
+++ b/poky/meta/recipes-core/sysvinit/sysvinit-inittab_2.88dsf.bb
@@ -53,10 +53,6 @@ EOF
fi
}
-do_install_append_qemuppc64 () {
- echo "9:12345:respawn:${base_sbindir}/getty 38400 hvc0" >> ${D}${sysconfdir}/inittab
-}
-
pkg_postinst_${PN} () {
# run this on host and on target
if [ "${SERIAL_CONSOLES_CHECK}" = "" ]; then
diff --git a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
index 0a007bb2cd..ce242c3593 100644
--- a/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
+++ b/poky/meta/recipes-devtools/dejagnu/dejagnu_1.6.2.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SECTION = "devel"
DEPENDS += "expect-native"
+RDEPENDS_${PN} = "expect"
inherit autotools
diff --git a/poky/meta/recipes-devtools/go/go-1.16.2.inc b/poky/meta/recipes-devtools/go/go-1.16.3.inc
index e65caf8197..ebd25a5eaa 100644
--- a/poky/meta/recipes-devtools/go/go-1.16.2.inc
+++ b/poky/meta/recipes-devtools/go/go-1.16.3.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.16"
-PV = "1.16.2"
+PV = "1.16.3"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
@@ -17,4 +17,4 @@ SRC_URI += "\
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \
"
-SRC_URI[main.sha256sum] = "37ca14287a23cb8ba2ac3f5c3dd8adbc1f7a54b9701a57824bf19a0b271f83ea"
+SRC_URI[main.sha256sum] = "b298d29de9236ca47a023e382313bcc2d2eed31dfa706b60a04103ce83a71a25"
diff --git a/poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb b/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
index 4fb060173c..d01a2bd8f1 100644
--- a/poky/meta/recipes-devtools/go/go-binary-native_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-binary-native_1.16.3.bb
@@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
PROVIDES = "go-native"
SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}"
-SRC_URI[go_linux_amd64.sha256sum] = "542e936b19542e62679766194364f45141fde55169db2d8d01046555ca9eb4b8"
-SRC_URI[go_linux_arm64.sha256sum] = "6924601d998a0917694fd14261347e3798bd2ad6b13c4d7f2edd70c9d57f62ab"
+SRC_URI[go_linux_amd64.sha256sum] = "951a3c7c6ce4e56ad883f97d9db74d3d6d80d5fec77455c6ada6c1f7ac4776d2"
+SRC_URI[go_linux_arm64.sha256sum] = "566b1d6f17d2bc4ad5f81486f0df44f3088c3ed47a3bec4099d8ed9939e90d5d"
UPSTREAM_CHECK_URI = "https://golang.org/dl/"
UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux"
diff --git a/poky/meta/recipes-devtools/go/go-common.inc b/poky/meta/recipes-devtools/go/go-common.inc
index f18d928c70..c368b95b69 100644
--- a/poky/meta/recipes-devtools/go/go-common.inc
+++ b/poky/meta/recipes-devtools/go/go-common.inc
@@ -14,7 +14,7 @@ LICENSE = "BSD-3-Clause"
inherit goarch
-SRC_URI = "http://golang.org/dl/go${PV}.src.tar.gz;name=main"
+SRC_URI = "https://dl.google.com/go/go${PV}.src.tar.gz;name=main"
S = "${WORKDIR}/go"
B = "${S}"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.src\.tar"
diff --git a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb
index 7ac9449e47..7ac9449e47 100644
--- a/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-cross-canadian_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-cross_1.16.2.bb b/poky/meta/recipes-devtools/go/go-cross_1.16.3.bb
index 80b5a03f6c..80b5a03f6c 100644
--- a/poky/meta/recipes-devtools/go/go-cross_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-cross_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb
index 1857c8a577..1857c8a577 100644
--- a/poky/meta/recipes-devtools/go/go-crosssdk_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-crosssdk_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-native_1.16.2.bb b/poky/meta/recipes-devtools/go/go-native_1.16.3.bb
index f14892cdb0..f14892cdb0 100644
--- a/poky/meta/recipes-devtools/go/go-native_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-native_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb b/poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb
index 63464a1501..63464a1501 100644
--- a/poky/meta/recipes-devtools/go/go-runtime_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go-runtime_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/go/go_1.16.2.bb b/poky/meta/recipes-devtools/go/go_1.16.3.bb
index 4e9e0ebec8..4e9e0ebec8 100644
--- a/poky/meta/recipes-devtools/go/go_1.16.2.bb
+++ b/poky/meta/recipes-devtools/go/go_1.16.3.bb
diff --git a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index 19a03d4733..e9225e140c 100644
--- a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \
file://0001-libtool-Fix-support-for-NIOS2-processor.patch \
file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
+ file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \
"
SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
new file mode 100644
index 0000000000..87f8492346
--- /dev/null
+++ b/poky/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-automake.patch
@@ -0,0 +1,35 @@
+From e82c06584f02e3e4487aa73aa05981e2a35dc6d1 Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Tue, 13 Apr 2021 07:17:29 +0000
+Subject: [PATCH] Makefile.am: make sure autoheader run before automake
+
+When use automake to generate Makefile.in from Makefile.am, there
+comes below race:
+ | configure.ac:45: error: required file 'config-h.in' not found
+
+It is because the file config-h.in in updating process by autoheader,
+so make automake run after autoheader to avoid the above race.
+
+Upstream-Status: Submitted [libtool-patches@gnu.org maillist]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 2752ecc..29950db 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -328,7 +328,7 @@ EXTRA_DIST += $(lt_aclocal_m4) \
+ $(lt_obsolete_m4) \
+ $(stamp_mk)
+
+-$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4)
++$(lt_Makefile_in): $(lt_Makefile_am) $(lt_aclocal_m4) $(lt_config_h_in)
+ $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOMAKE) Makefile
+
+ # Don't let unused scripts leak into the libltdl Makefile
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch b/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch
new file mode 100644
index 0000000000..ba35ec6ffc
--- /dev/null
+++ b/poky/meta/recipes-devtools/patchelf/patchelf/6edec83653ce1b5fc201ff6db93b966394766814.patch
@@ -0,0 +1,44 @@
+From 6edec83653ce1b5fc201ff6db93b966394766814 Mon Sep 17 00:00:00 2001
+From: rmnull <rmnull@users.noreply.github.com>
+Date: Tue, 18 Aug 2020 20:22:52 +0530
+Subject: [PATCH] mark phdrs synced with sections, avoid rechecking it when
+ syncing note sections to segments.
+
+This also serves as a bug fix when a previously synced note segment
+overlaps with another section and creates a false alarm.
+
+Upstream-Status: Backport
+---
+ src/patchelf.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/patchelf.cc b/src/patchelf.cc
+index 05ec793..622f0b6 100644
+--- a/src/patchelf.cc
++++ b/src/patchelf.cc
+@@ -669,6 +669,7 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+ memset(contents + rdi(shdr.sh_offset), 'X', rdi(shdr.sh_size));
+ }
+
++ std::set<unsigned int> noted_phdrs = {};
+ for (auto & i : replacedSections) {
+ std::string sectionName = i.first;
+ auto & shdr = findSection(sectionName);
+@@ -721,7 +722,7 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+ shdr.sh_addralign = orig_shdr.sh_addralign;
+
+ for (unsigned int j = 0; j < phdrs.size(); ++j)
+- if (rdi(phdrs[j].p_type) == PT_NOTE) {
++ if (rdi(phdrs[j].p_type) == PT_NOTE && noted_phdrs.find(j) == noted_phdrs.end()) {
+ Elf_Off p_start = rdi(phdrs[j].p_offset);
+ Elf_Off p_end = p_start + rdi(phdrs[j].p_filesz);
+ Elf_Off s_start = rdi(orig_shdr.sh_offset);
+@@ -739,6 +740,8 @@ void ElfFile<ElfFileParamNames>::writeReplacedSections(Elf_Off & curOff,
+ phdrs[j].p_offset = shdr.sh_offset;
+ phdrs[j].p_vaddr = phdrs[j].p_paddr = shdr.sh_addr;
+ phdrs[j].p_filesz = phdrs[j].p_memsz = shdr.sh_size;
++
++ noted_phdrs.insert(j);
+ }
+ }
+
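Review bot: The header of this backport says only `Upstream-Status: Backport`, with no upstream reference and no Signed-off-by from whoever imported it into the layer. The commit hash in the file name is the only link back to NixOS/patchelf. I would put the reference in the tag itself, `Upstream-Status: Backport [https://github.com/NixOS/patchelf/commit/6edec83653ce1b5fc201ff6db93b966394766814]`, and add the importer's `Signed-off-by: <importer name and address>` so the carried change can be audited against upstream. The code change in writeReplacedSections is shown only in part, since the function starts and ends outside the inner hunks.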
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch b/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch
new file mode 100644
index 0000000000..a06876e50a
--- /dev/null
+++ b/poky/meta/recipes-devtools/patchelf/patchelf/alignmentfix.patch
@@ -0,0 +1,44 @@
+If a binary has multiple SHT_NOTE sections and corresponding PT_NOTE
+headers, we can see the error:
+
+patchelf: cannot normalize PT_NOTE segment: non-contiguous SHT_NOTE sections
+
+if the SHT_NOTE sections aren't sized to end on aligned boundaries. An example
+would be a binary with:
+
+ [ 2] .note.ABI-tag NOTE 00000000000002f4 000002f4
+ 0000000000000020 0000000000000000 A 0 0 4
+ [ 3] .note.gnu.propert NOTE 0000000000000318 00000318
+ 0000000000000030 0000000000000000 A 0 0 8
+ [ 4] .note.gnu.build-i NOTE 0000000000000348 00000348
+ 0000000000000024 0000000000000000 A 0 0 4
+
+ NOTE 0x0000000000000318 0x0000000000000318 0x0000000000000318
+ 0x0000000000000030 0x0000000000000030 R 0x8
+ NOTE 0x00000000000002f4 0x00000000000002f4 0x00000000000002f4
+ 0x0000000000000078 0x0000000000000074 R 0x4
+
+since the PT_NOTE section at 2f4 covers [2] and [3] but the code
+calclates curr_off should be 314, not the 318 in the binary. This
+is an alignment issue.
+
+To fix this, we need to round curr_off to the next section alignment.
+
+Upstream-Status: Submitted [https://github.com/NixOS/patchelf/pull/274]
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: git/src/patchelf.cc
+===================================================================
+--- git.orig/src/patchelf.cc
++++ git/src/patchelf.cc
+@@ -1010,8 +1010,9 @@ void ElfFile<ElfFileParamNames>::normali
+ size_t size = 0;
+ for (const auto & shdr : shdrs) {
+ if (rdi(shdr.sh_type) != SHT_NOTE) continue;
+- if (rdi(shdr.sh_offset) != curr_off) continue;
++ if (rdi(shdr.sh_offset) != roundUp(curr_off, rdi(shdr.sh_addralign))) continue;
+ size = rdi(shdr.sh_size);
++ curr_off = roundUp(curr_off, rdi(shdr.sh_addralign));
+ break;
+ }
+ if (size == 0)
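Review bot: Both added `roundUp(curr_off, rdi(shdr.sh_addralign))` calls take the alignment straight from the section header of the file being patched, and ELF allows `sh_addralign` to be 0 as well as 1 for "no alignment". roundUp is not visible here; if it divides by or takes a modulus of its second argument, a section with alignment 0 would fault instead of being skipped. I would normalise first, `auto align = rdi(shdr.sh_addralign); if (align == 0) align = 1;`, then compute `roundUp(curr_off, align)` once and reuse it for both the comparison and the assignment. The loop sits inside a function that starts and ends outside the hunk.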
diff --git a/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb b/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
index 95886c6d3a..7c97ea0789 100644
--- a/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
+++ b/poky/meta/recipes-devtools/patchelf/patchelf_0.12.bb
@@ -6,6 +6,8 @@ LICENSE = "GPLv3"
SRC_URI = "git://github.com/NixOS/patchelf;protocol=https \
file://handle-read-only-files.patch \
+ file://6edec83653ce1b5fc201ff6db93b966394766814.patch \
+ file://alignmentfix.patch \
"
SRCREV = "8d3a16e97294e3c5521c61b4c8835499c9918264"
diff --git a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
index 17bd02c27c..4eab133128 100644
--- a/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/poky/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
file://fallback-group \
"
-SRCREV = "60e25a36558f1f07dcce1a044fe976b475bec42b"
+SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20"
S = "${WORKDIR}/git"
PV = "1.9.0+git${SRCPV}"
diff --git a/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch b/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
index 35b7e0c480..c3d1e06d00 100644
--- a/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
+++ b/poky/meta/recipes-devtools/python/python3/0001-test_locale.py-correct-the-test-output-format.patch
@@ -23,24 +23,24 @@ Before this patch:
Upstream-Status: Submitted [https://github.com/python/cpython/pull/15132]
+
+Rebased for 3.9.4, still not accepted upstream Signed-off-by: Alejandro Hernandez <alejandro@enedino.org>
+
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
Lib/test/test_locale.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/Lib/test/test_locale.py b/Lib/test/test_locale.py
-index e2c2178..558d63c 100644
---- a/Lib/test/test_locale.py
-+++ b/Lib/test/test_locale.py
-@@ -527,7 +527,7 @@ class TestMiscellaneous(unittest.TestCase):
+Index: Python-3.9.4/Lib/test/test_locale.py
+===================================================================
+--- Python-3.9.4.orig/Lib/test/test_locale.py
++++ Python-3.9.4/Lib/test/test_locale.py
+@@ -562,7 +562,7 @@ class TestMiscellaneous(unittest.TestCas
self.skipTest('test needs Turkish locale')
loc = locale.getlocale(locale.LC_CTYPE)
if verbose:
- print('testing with %a' % (loc,), end=' ', flush=True)
+ print('testing with %a...' % (loc,), end=' ', flush=True)
- locale.setlocale(locale.LC_CTYPE, loc)
- self.assertEqual(loc, locale.getlocale(locale.LC_CTYPE))
-
---
-2.7.4
-
+ try:
+ locale.setlocale(locale.LC_CTYPE, loc)
+ except locale.Error as exc:
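Review bot: The added header line `Rebased for 3.9.4, still not accepted upstream Signed-off-by: Alejandro Hernandez <alejandro@enedino.org>` puts the trailer on the same line as the remark. If that is how the file is stored, tools that read trailers from the start of a line will not see this sign-off. Split it into the remark on one line and `Signed-off-by: Alejandro Hernandez <alejandro@enedino.org>` on its own line next to the existing sign-off.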
diff --git a/poky/meta/recipes-devtools/python/python3/create_manifest3.py b/poky/meta/recipes-devtools/python/python3/create_manifest3.py
index 4da02a2991..045240ea0b 100644
--- a/poky/meta/recipes-devtools/python/python3/create_manifest3.py
+++ b/poky/meta/recipes-devtools/python/python3/create_manifest3.py
@@ -36,7 +36,7 @@
# Tha method to handle cached files does not work when a module includes a folder which
# itself contains the pycache folder, gladly this is almost never the case.
#
-# Author: Alejandro Enedino Hernandez Samaniego "aehs29" <aehs29 at gmail dot com>
+# Author: Alejandro Enedino Hernandez Samaniego <alejandro at enedino dot org>
import sys
@@ -45,6 +45,11 @@ import json
import os
import collections
+if '-d' in sys.argv:
+ debugFlag = '-d'
+else:
+ debugFlag = ''
+
# Get python version from ${PYTHON_MAJMIN}
pyversion = str(sys.argv[1])
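Review bot: `'-d' in sys.argv` scans every argument position, while the next statement still reads `sys.argv[1]` as the Python version. If a caller puts `-d` first, `pyversion` silently becomes `'-d'` and the later `replace(pyversion, '${PYTHON_MAJMIN}')` calls rewrite the wrong text. The callers are not visible here, so at minimum document the expected order with a comment such as `# usage: create_manifest3.py <PYTHON_MAJMIN> [-d]`. Restricting the flag scan to `sys.argv[2:]` would enforce it. The four-line if/else also reduces to `debugFlag = '-d' if '-d' in sys.argv[2:] else ''`.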
@@ -84,6 +89,12 @@ def prepend_comments(comments, json_manifest):
manifest.seek(0, 0)
manifest.write(comments + json_contents)
+def print_indent(msg, offset):
+ for l in msg.splitlines():
+ msg = ' ' * offset + l
+ print(msg)
+
+
# Read existing JSON manifest
with open('python3-manifest.json') as manifest:
# The JSON format doesn't allow comments so we hack the call to keep the comments using a marker
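Review bot: print_indent rebinds its own `msg` parameter inside the loop that iterates over `msg.splitlines()`, and uses the single-letter name `l`. It works only because the split is evaluated once, and it reads like a bug. I would write the body as `for line in msg.splitlines(): print(' ' * offset + line)` and add a one-line docstring saying that each line of msg is printed with offset leading spaces. Note also that `splitlines()` drops a trailing newline and turns a leading one into an indented empty line, so callers that pass `'...:\n'` or `'\nGetting ...'` no longer produce the blank lines the old `print` calls did.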
@@ -99,7 +110,7 @@ with open('python3-manifest.json') as manifest:
# Not exactly the same so it should not be a function
#
-print ('Getting dependencies for package: core')
+print_indent('Getting dependencies for package: core', 0)
# This special call gets the core dependencies and
@@ -109,7 +120,7 @@ print ('Getting dependencies for package: core')
# on the new core package, they will still find them
# even when checking the old_manifest
-output = subprocess.check_output([sys.executable, 'get_module_deps3.py', 'python-core-package']).decode('utf8')
+output = subprocess.check_output([sys.executable, 'get_module_deps3.py', 'python-core-package', '%s' % debugFlag]).decode('utf8')
for coredep in output.split():
coredep = coredep.replace(pyversion,'${PYTHON_MAJMIN}')
if isCached(coredep):
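Review bot: When `-d` is not given, `'%s' % debugFlag` expands to an empty string, so the child script receives an extra empty argv element on every run. This is harmless today because get_module_deps3.py only tests `'-d' in sys.argv`, but it is an easy trap for any later positional parsing. Append the flag only when it is set, e.g. `cmd = [sys.executable, 'get_module_deps3.py', 'python-core-package'] + ([debugFlag] if debugFlag else [])`, then `subprocess.check_output(cmd)`. The same applies to the two other `check_output` calls changed in the hunks at old lines 149 and 279.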
@@ -149,17 +160,16 @@ for filedep in old_manifest['core']['files']:
# Get actual module name , shouldnt be affected by libdir/bindir, etc.
pymodule = os.path.splitext(os.path.basename(os.path.normpath(filedep)))[0]
-
# We now know that were dealing with a python module, so we can import it
# and check what its dependencies are.
# We launch a separate task for each module for deterministic behavior.
# Each module will only import what is necessary for it to work in specific.
# The output of each task will contain each module's dependencies
- print ('Getting dependencies for module: %s' % pymodule)
- output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule]).decode('utf8')
- print ('The following dependencies were found for module %s:\n' % pymodule)
- print (output)
+ print_indent('Getting dependencies for module: %s' % pymodule, 2)
+ output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule, '%s' % debugFlag]).decode('utf8')
+ print_indent('The following dependencies were found for module %s:\n' % pymodule, 4)
+ print_indent(output, 6)
for pymodule_dep in output.split():
@@ -178,12 +188,13 @@ for filedep in old_manifest['core']['files']:
# all others will use this a base.
+print('\n\nChecking for directories...\n')
# To improve the script speed, we check which packages contain directories
# since we will be looping through (only) those later.
for pypkg in old_manifest:
for filedep in old_manifest[pypkg]['files']:
if isFolder(filedep):
- print ('%s is a folder' % filedep)
+ print_indent('%s is a directory' % filedep, 2)
if pypkg not in hasfolders:
hasfolders.append(pypkg)
if filedep not in allfolders:
@@ -221,14 +232,14 @@ for pypkg in old_manifest:
print('\n')
print('--------------------------')
- print ('Handling package %s' % pypkg)
+ print('Handling package %s' % pypkg)
print('--------------------------')
# Handle special cases, we assume that when they were manually added
# to the manifest we knew what we were doing.
special_packages = ['misc', 'modules', 'dev', 'tests']
if pypkg in special_packages or 'staticdev' in pypkg:
- print('Passing %s package directly' % pypkg)
+ print_indent('Passing %s package directly' % pypkg, 2)
new_manifest[pypkg] = old_manifest[pypkg]
continue
@@ -259,7 +270,7 @@ for pypkg in old_manifest:
# Get actual module name , shouldnt be affected by libdir/bindir, etc.
# We need to check if the imported module comes from another (e.g. sqlite3.dump)
- path,pymodule = os.path.split(filedep)
+ path, pymodule = os.path.split(filedep)
path = os.path.basename(path)
pymodule = os.path.splitext(os.path.basename(pymodule))[0]
@@ -279,10 +290,10 @@ for pypkg in old_manifest:
# Each module will only import what is necessary for it to work in specific.
# The output of each task will contain each module's dependencies
- print ('\nGetting dependencies for module: %s' % pymodule)
- output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule]).decode('utf8')
- print ('The following dependencies were found for module %s:\n' % pymodule)
- print (output)
+ print_indent('\nGetting dependencies for module: %s' % pymodule, 2)
+ output = subprocess.check_output([sys.executable, 'get_module_deps3.py', '%s' % pymodule, '%s' % debugFlag]).decode('utf8')
+ print_indent('The following dependencies were found for module %s:\n' % pymodule, 4)
+ print_indent(output, 6)
reportFILES = []
reportRDEPS = []
@@ -325,7 +336,7 @@ for pypkg in old_manifest:
# print('Checking folder %s on package %s' % (pymodule_dep,pypkg_with_folder))
for folder_dep in old_manifest[pypkg_with_folder]['files'] or folder_dep in old_manifest[pypkg_with_folder]['cached']:
if folder_dep == folder:
- print ('%s folder found in %s' % (folder, pypkg_with_folder))
+ print ('%s directory found in %s' % (folder, pypkg_with_folder))
folderFound = True
if pypkg_with_folder not in new_manifest[pypkg]['rdepends'] and pypkg_with_folder != pypkg:
new_manifest[pypkg]['rdepends'].append(pypkg_with_folder)
@@ -424,7 +435,7 @@ prepend_comments(comments,'python3-manifest.json.new')
if (repeated):
error_msg = '\n\nERROR:\n'
- error_msg += 'The following files are repeated (contained in more than one package),\n'
+ error_msg += 'The following files were found in more than one package),\n'
error_msg += 'this is likely to happen when new files are introduced after an upgrade,\n'
error_msg += 'please check which package should get it,\n modify the manifest accordingly and re-run the create_manifest task:\n'
error_msg += '\n'.join(repeated)
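Review bot: The reworded message keeps the closing parenthesis of the old text but drops the opening one, so users see `more than one package),`. The line should read `error_msg += 'The following files were found in more than one package,\n'`. The enclosing `if (repeated):` block continues past the end of the hunk.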
diff --git a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
index 6806f23172..1f4c982aed 100644
--- a/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
+++ b/poky/meta/recipes-devtools/python/python3/get_module_deps3.py
@@ -3,14 +3,18 @@
# them out, the output of this execution will have all dependencies
# for a specific module, which will be parsed an dealt on create_manifest.py
#
-# Author: Alejandro Enedino Hernandez Samaniego "aehs29" <aehs29@gmail.com>
+# Author: Alejandro Enedino Hernandez Samaniego <alejandro at enedino dot org>
-# We can get a log per module, for all the dependencies that were found, but its messy.
-debug=False
import sys
import os
+# We can get a log per module, for all the dependencies that were found, but its messy.
+if '-d' in sys.argv:
+ debug = True
+else:
+ debug = False
+
# We can get a list of the modules which are currently required to run python
# so we run python-core and get its modules, we then import what we need
# and check what modules are currently running, if we substract them from the
@@ -19,13 +23,13 @@ import os
# We use importlib to achieve this, so we also need to know what modules importlib needs
import importlib
-core_deps=set(sys.modules)
+core_deps = set(sys.modules)
def fix_path(dep_path):
import os
# We DONT want the path on our HOST system
- pivot='recipe-sysroot-native'
- dep_path=dep_path[dep_path.find(pivot)+len(pivot):]
+ pivot = 'recipe-sysroot-native'
+ dep_path = dep_path[dep_path.find(pivot)+len(pivot):]
if '/usr/bin' in dep_path:
dep_path = dep_path.replace('/usr/bin''${bindir}')
@@ -46,8 +50,8 @@ def fix_path(dep_path):
# Module to import was passed as an argument
current_module = str(sys.argv[1]).rstrip()
-if(debug==True):
- log = open('log_%s' % current_module,'w')
+if debug == True:
+ log = open('temp/log_%s' % current_module.strip('.*'),'w')
log.write('Module %s generated the following dependencies:\n' % current_module)
try:
m = importlib.import_module(current_module)
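Review bot: The debug log now opens under a relative `temp/` directory that nothing in this hunk creates. If the script runs from a directory without it, `-d` makes `open()` raise FileNotFoundError before any module is examined. The file name is also built from `sys.argv[1]` after `strip('.*')`, which trims only leading and trailing `.` and `*` characters and leaves any path separator in place. I would add `os.makedirs('temp', exist_ok=True)` before the open and build the name with `os.path.basename(current_module)`. `if debug:` is the idiomatic test here and in the other `debug == True` checks. The `try:` that starts on the last line of the hunk continues outside it.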
@@ -63,13 +67,13 @@ try:
except:
pass # ignore all import or other exceptions raised during import
except ImportError as e:
- if (debug==True):
- log.write('Module was not found')
+ if debug == True:
+ log.write('Module was not found\n')
pass
# Get current module dependencies, dif will contain a list of specific deps for this module
-module_deps=set(sys.modules)
+module_deps = set(sys.modules)
# We handle the core package (1st pass on create_manifest.py) as a special case
if current_module == 'python-core-package':
@@ -81,14 +85,18 @@ else:
# Check where each dependency came from
for item in dif:
- dep_path=''
+ # Main module returns script filename, __main matches mp_main__ as well
+ if 'main__' in item:
+ continue
+
+ dep_path = ''
try:
- if (debug==True):
- log.write('Calling: sys.modules[' + '%s' % item + '].__file__\n')
+ if debug == True:
+ log.write('\nCalling: sys.modules[' + '%s' % item + '].__file__\n')
dep_path = sys.modules['%s' % item].__file__
except AttributeError as e:
# Deals with thread (builtin module) not having __file__ attribute
- if debug==True:
+ if debug == True:
log.write(item + ' ')
log.write(str(e))
log.write('\n')
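Review bot: `if 'main__' in item: continue` is a substring test, so it skips any module whose name merely contains `main__`, not just the two it is aimed at. The comment above it, `__main matches mp_main__ as well`, is garbled. An explicit membership test states the intent: `if item in ('__main__', '__mp_main__'): continue`. The comment could then read `# __main__ and __mp_main__ resolve to this script's own file, not a dependency`. The `for item in dif:` loop body continues beyond this hunk.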
@@ -96,11 +104,16 @@ for item in dif:
except NameError as e:
# Deals with NameError: name 'dep_path' is not defined
# because module is not found (wasn't compiled?), e.g. bddsm
- if (debug==True):
+ if debug == True:
log.write(item+' ')
log.write(str(e))
pass
+ if dep_path == '':
+ continue
+ if debug == True:
+ log.write('Dependency path found:\n%s\n' % dep_path)
+
# Site-customize is a special case since we (OpenEmbedded) put it there manually
if 'sitecustomize' in dep_path:
dep_path = '${libdir}/python${PYTHON_MAJMIN}/sitecustomize.py'
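Review bot: The new guard `if dep_path == '': continue` catches only the case where an exception left the default in place. `sys.modules[item].__file__` can also be `None` (namespace packages, for example) without raising AttributeError. In that case `'sitecustomize' in dep_path` a few lines later raises TypeError, and the debug write `'Dependency path found:\n%s\n' % dep_path` logs the text `None`. The `cached is not None` check further down in this file suggests None values are expected. Use `if not dep_path: continue` so both the empty string and None are skipped.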
@@ -111,52 +124,51 @@ for item in dif:
dep_path = fix_path(dep_path)
import sysconfig
- soabi=sysconfig.get_config_var('SOABI')
+ soabi = sysconfig.get_config_var('SOABI')
# Check if its a shared library and deconstruct it
if soabi in dep_path:
- if (debug==True):
- log.write('Shared library found in %s' % dep_path)
+ if debug == True:
+ log.write('Shared library found in %s\n' % dep_path)
dep_path = dep_path.replace(soabi,'*')
print (dep_path)
continue
if "_sysconfigdata" in dep_path:
dep_path = dep_path.replace(sysconfig._get_sysconfigdata_name(), "_sysconfigdata*")
- if (debug==True):
+ if debug == True:
log.write(dep_path+'\n')
# Prints out result, which is what will be used by create_manifest
print (dep_path)
- import imp
- cpython_tag = imp.get_tag()
- cached=''
+ cpython_tag = sys.implementation.cache_tag
+ cached = ''
# Theres no naive way to find *.pyc files on python3
try:
- if (debug==True):
- log.write('Calling: sys.modules[' + '%s' % item + '].__cached__\n')
+ if debug == True:
+ log.write('\nCalling: sys.modules[' + '%s' % item + '].__cached__\n')
cached = sys.modules['%s' % item].__cached__
except AttributeError as e:
# Deals with thread (builtin module) not having __cached__ attribute
- if debug==True:
+ if debug == True:
log.write(item + ' ')
log.write(str(e))
log.write('\n')
pass
except NameError as e:
# Deals with NameError: name 'cached' is not defined
- if (debug==True):
+ if debug == True:
log.write(item+' ')
log.write(str(e))
pass
if cached is not None:
- if (debug==True):
- log.write(cached)
+ if debug == True:
+ log.write(cached + '\n')
cached = fix_path(cached)
cached = cached.replace(cpython_tag,'*')
if "_sysconfigdata" in cached:
cached = cached.replace(sysconfig._get_sysconfigdata_name(), "_sysconfigdata*")
print (cached)
-if debug==True:
+if debug == True:
log.close()
diff --git a/poky/meta/recipes-devtools/python/python3_3.9.2.bb b/poky/meta/recipes-devtools/python/python3_3.9.4.bb
index fd1172335a..cb371ceed7 100644
--- a/poky/meta/recipes-devtools/python/python3_3.9.2.bb
+++ b/poky/meta/recipes-devtools/python/python3_3.9.4.bb
@@ -38,7 +38,7 @@ SRC_URI_append_class-native = " \
file://12-distutils-prefix-is-inside-staging-area.patch \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[sha256sum] = "3c2034c54f811448f516668dce09d24008a0716c3a794dd8639b5388cbde247d"
+SRC_URI[sha256sum] = "4b0e6644a76f8df864ae24ac500a51bbf68bd098f6a173e27d3b61cdca9aa134"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -69,7 +69,7 @@ ALTERNATIVE_LINK_NAME[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config
ALTERNATIVE_TARGET[python3-config] = "${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}"
-DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2"
+DEPENDS = "bzip2-replacement-native libffi bzip2 openssl sqlite3 zlib virtual/libintl xz virtual/crypt util-linux libtirpc libnsl2 autoconf-archive-native"
DEPENDS_append_class-target = " python3-native"
DEPENDS_append_class-nativesdk = " python3-native"
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index a625809597..8b8cecd7a0 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -31,6 +31,32 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://determinism.patch \
file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
file://CVE-2021-20203.patch \
+ file://CVE-2020-35517_1.patch \
+ file://CVE-2020-35517_2.patch \
+ file://CVE-2020-35517_3.patch \
+ file://CVE-2021-20181.patch \
+ file://CVE-2020-29443.patch \
+ file://CVE-2021-20221.patch \
+ file://CVE-2021-3409_1.patch \
+ file://CVE-2021-3409_2.patch \
+ file://CVE-2021-3409_3.patch \
+ file://CVE-2021-3409_4.patch \
+ file://CVE-2021-3409_5.patch \
+ file://CVE-2021-3409_6.patch \
+ file://CVE-2021-3416_1.patch \
+ file://CVE-2021-3416_2.patch \
+ file://CVE-2021-3416_3.patch \
+ file://CVE-2021-3416_4.patch \
+ file://CVE-2021-3416_5.patch \
+ file://CVE-2021-3416_6.patch \
+ file://CVE-2021-3416_7.patch \
+ file://CVE-2021-3416_8.patch \
+ file://CVE-2021-3416_9.patch \
+ file://CVE-2021-3416_10.patch \
+ file://CVE-2021-20257.patch \
+ file://CVE-2020-27821.patch \
+ file://CVE-2021-20263.patch \
+ file://CVE-2021-3392.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
new file mode 100644
index 0000000000..58622f0487
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
@@ -0,0 +1,143 @@
+From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 09:29:56 -0500
+Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
+ MMIO region
+
+In using the address_space_translate_internal API, address_space_cache_init
+forgot one piece of advice that can be found in the code for
+address_space_translate_internal:
+
+ /* MMIO registers can be expected to perform full-width accesses based only
+ * on their address, without considering adjacent registers that could
+ * decode to completely different MemoryRegions. When such registers
+ * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
+ * regions overlap wildly. For this reason we cannot clamp the accesses
+ * here.
+ *
+ * If the length is small (as is the case for address_space_ldl/stl),
+ * everything works fine. If the incoming length is large, however,
+ * the caller really has to do the clamping through memory_access_size.
+ */
+
+address_space_cache_init is exactly one such case where "the incoming length
+is large", therefore we need to clamp the resulting length---not to
+memory_access_size though, since we are not doing an access yet, but to
+the size of the resulting section. This ensures that subsequent accesses
+to the cached MemoryRegionSection will be in range.
+
+With this patch, the enclosed testcase notices that the used ring does
+not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
+error.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
+CVE: CVE-2020-27821
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ softmmu/physmem.c | 10 ++++++++
+ tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+)
+
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
+index 3027747c0..2cd1de4a2 100644
+--- a/softmmu/physmem.c
++++ b/softmmu/physmem.c
+@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+ AddressSpaceDispatch *d;
+ hwaddr l;
+ MemoryRegion *mr;
++ Int128 diff;
+
+ assert(len > 0);
+
+@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
+ d = flatview_to_dispatch(cache->fv);
+ cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+
++ /*
++ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
++ * Take that into account to compute how many bytes are there between
++ * cache->xlat and the end of the section.
++ */
++ diff = int128_sub(cache->mrs.size,
++ int128_make64(cache->xlat - cache->mrs.offset_within_region));
++ l = int128_get64(int128_min(diff, int128_make64(l)));
++
+ mr = cache->mrs.mr;
+ memory_region_ref(mr);
+ if (memory_access_is_direct(mr, is_write)) {
+diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
+index 9cb4c42bd..28739248e 100644
+--- a/tests/qtest/fuzz-test.c
++++ b/tests/qtest/fuzz-test.c
+@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
+ qtest_outl(s, 0x5d02, 0xebed205d);
+ }
+
++/*
++ * Here a MemoryRegionCache pointed to an MMIO region but had a
++ * larger size than the underlying region.
++ */
++static void test_mmio_oob_from_memory_region_cache(void)
++{
++ QTestState *s;
++
++ s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
++ "-device virtio-scsi,num_queues=8,addr=03.0 ");
++
++ qtest_outl(s, 0xcf8, 0x80001811);
++ qtest_outb(s, 0xcfc, 0x6e);
++ qtest_outl(s, 0xcf8, 0x80001824);
++ qtest_outl(s, 0xcf8, 0x80001813);
++ qtest_outl(s, 0xcfc, 0xa080000);
++ qtest_outl(s, 0xcf8, 0x80001802);
++ qtest_outl(s, 0xcfc, 0x5a175a63);
++ qtest_outb(s, 0x6e08, 0x9e);
++ qtest_writeb(s, 0x9f003, 0xff);
++ qtest_writeb(s, 0x9f004, 0x01);
++ qtest_writeb(s, 0x9e012, 0x0e);
++ qtest_writeb(s, 0x9e01b, 0x0e);
++ qtest_writeb(s, 0x9f006, 0x01);
++ qtest_writeb(s, 0x9f008, 0x01);
++ qtest_writeb(s, 0x9f00a, 0x01);
++ qtest_writeb(s, 0x9f00c, 0x01);
++ qtest_writeb(s, 0x9f00e, 0x01);
++ qtest_writeb(s, 0x9f010, 0x01);
++ qtest_writeb(s, 0x9f012, 0x01);
++ qtest_writeb(s, 0x9f014, 0x01);
++ qtest_writeb(s, 0x9f016, 0x01);
++ qtest_writeb(s, 0x9f018, 0x01);
++ qtest_writeb(s, 0x9f01a, 0x01);
++ qtest_writeb(s, 0x9f01c, 0x01);
++ qtest_writeb(s, 0x9f01e, 0x01);
++ qtest_writeb(s, 0x9f020, 0x01);
++ qtest_writeb(s, 0x9f022, 0x01);
++ qtest_writeb(s, 0x9f024, 0x01);
++ qtest_writeb(s, 0x9f026, 0x01);
++ qtest_writeb(s, 0x9f028, 0x01);
++ qtest_writeb(s, 0x9f02a, 0x01);
++ qtest_writeb(s, 0x9f02c, 0x01);
++ qtest_writeb(s, 0x9f02e, 0x01);
++ qtest_writeb(s, 0x9f030, 0x01);
++ qtest_outb(s, 0x6e10, 0x00);
++ qtest_quit(s);
++}
++
+ int main(int argc, char **argv)
+ {
+ const char *arch = qtest_get_arch();
+@@ -58,6 +107,8 @@ int main(int argc, char **argv)
+ test_lp1878263_megasas_zero_iov_cnt);
+ qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
+ test_lp1878642_pci_bus_get_irq_level_assert);
++ qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
++ test_mmio_oob_from_memory_region_cache);
+ }
+
+ return g_test_run();
+--
+2.29.2
+
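Review bot: The imported header reads `Subject: [PATCH 1/2]`, but qemu.inc adds a single `CVE-2020-27821.patch` and the `Upstream-Status: Backport` tag cites one upstream commit. From the page alone it is not possible to tell whether 2/2 was a separate part of the upstream fix or just local series numbering from `git format-patch`. Please confirm which, and either drop the `1/2` from the subject or carry the second patch, so that anyone auditing the CVE coverage does not have to guess. The `address_space_cache_init` change itself is shown only in part, since the function starts and ends outside the inner hunks.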
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..c72324fce6
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,107 @@
+From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Jan 2021 17:21:30 +0530
+Subject: [PATCH] ide: atapi: check logical block address and read size
+ (CVE-2020-29443)
+
+While processing ATAPI cmd_read/cmd_read_cd commands,
+Logical Block Address (LBA) maybe invalid OR closer to the last block,
+leading to an OOB access issues. Add range check to avoid it.
+
+Fixes: CVE-2020-29443
+Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
+CVE: CVE-2020-29443
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index e79157863..b626199e3 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
+ static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
+ int sector_size)
+ {
++ assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+ s->lba = lba;
+ s->packet_transfer_size = nb_sectors * sector_size;
+ s->elementary_transfer_size = 0;
+@@ -420,6 +422,8 @@ eot:
+ static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
+ int sector_size)
+ {
++ assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+ s->lba = lba;
+ s->packet_transfer_size = nb_sectors * sector_size;
+ s->io_buffer_size = 0;
+@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
+
+ static void cmd_read(IDEState *s, uint8_t* buf)
+ {
+- int nb_sectors, lba;
++ unsigned int nb_sectors, lba;
++
++ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++ uint64_t total_sectors = s->nb_sectors >> 2;
+
+ if (buf[0] == GPCMD_READ_10) {
+ nb_sectors = lduw_be_p(buf + 7);
+ } else {
+ nb_sectors = ldl_be_p(buf + 6);
+ }
+-
+- lba = ldl_be_p(buf + 2);
+ if (nb_sectors == 0) {
+ ide_atapi_cmd_ok(s);
+ return;
+ }
+
++ lba = ldl_be_p(buf + 2);
++ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++ return;
++ }
++
+ ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
+ }
+
+ static void cmd_read_cd(IDEState *s, uint8_t* buf)
+ {
+- int nb_sectors, lba, transfer_request;
++ unsigned int nb_sectors, lba, transfer_request;
+
+- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+- lba = ldl_be_p(buf + 2);
++ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++ uint64_t total_sectors = s->nb_sectors >> 2;
+
++ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+ if (nb_sectors == 0) {
+ ide_atapi_cmd_ok(s);
+ return;
+ }
+
++ lba = ldl_be_p(buf + 2);
++ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++ return;
++ }
++
+ transfer_request = buf[9] & 0xf8;
+ if (transfer_request == 0x00) {
+ /* nothing */
+--
+2.29.2
+
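Review bot: In cmd_read the range test `lba + nb_sectors - 1 >= total_sectors` is evaluated in 32-bit `unsigned int` before it is widened for the comparison with the `uint64_t` total, so a large length from the non-READ_10 branch (`ldl_be_p(buf + 6)`) can wrap the sum and pass the check. A form that cannot wrap is `if (lba >= total_sectors || nb_sectors > total_sectors - lba) {`. The same expression is used in cmd_read_cd, where the 24-bit length makes a wrap much less likely, but the rewrite applies there too. The new `assert()` in ide_atapi_cmd_read_pio() and ide_atapi_cmd_read_dma() aborts the whole process, so it is worth confirming that every caller reaches them only after one of these checks. cmd_read_cd continues past the end of the inner hunk.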
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
new file mode 100644
index 0000000000..73a4cb2064
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
@@ -0,0 +1,153 @@
+From 8afaaee976965b7fb90ec225a51d60f35c5f173c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:06 +0000
+Subject: [PATCH] virtiofsd: extract lo_do_open() from lo_open()
+
+Both lo_open() and lo_create() have similar code to open a file. Extract
+a common lo_do_open() function from lo_open() that will be used by
+lo_create() in a later commit.
+
+Since lo_do_open() does not otherwise need fuse_req_t req, convert
+lo_add_fd_mapping() to use struct lo_data *lo instead.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/8afaaee976965b7fb90ec225a51d60f35c5f173c]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 73 +++++++++++++++++++++++++---------------
+ 1 file changed, 46 insertions(+), 27 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 5fb36d9..f14fa51 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -459,17 +459,17 @@ static void lo_map_remove(struct lo_map *map, size_t key)
+ }
+
+ /* Assumes lo->mutex is held */
+-static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd)
++static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd)
+ {
+ struct lo_map_elem *elem;
+
+- elem = lo_map_alloc_elem(&lo_data(req)->fd_map);
++ elem = lo_map_alloc_elem(&lo->fd_map);
+ if (!elem) {
+ return -1;
+ }
+
+ elem->fd = fd;
+- return elem - lo_data(req)->fd_map.elems;
++ return elem - lo->fd_map.elems;
+ }
+
+ /* Assumes lo->mutex is held */
+@@ -1651,6 +1651,38 @@ static void update_open_flags(int writeback, int allow_direct_io,
+ }
+ }
+
++static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
++ struct fuse_file_info *fi)
++{
++ char buf[64];
++ ssize_t fh;
++ int fd;
++
++ update_open_flags(lo->writeback, lo->allow_direct_io, fi);
++
++ sprintf(buf, "%i", inode->fd);
++ fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
++ if (fd == -1) {
++ return errno;
++ }
++
++ pthread_mutex_lock(&lo->mutex);
++ fh = lo_add_fd_mapping(lo, fd);
++ pthread_mutex_unlock(&lo->mutex);
++ if (fh == -1) {
++ close(fd);
++ return ENOMEM;
++ }
++
++ fi->fh = fh;
++ if (lo->cache == CACHE_NONE) {
++ fi->direct_io = 1;
++ } else if (lo->cache == CACHE_ALWAYS) {
++ fi->keep_cache = 1;
++ }
++ return 0;
++}
++
+ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+ mode_t mode, struct fuse_file_info *fi)
+ {
+@@ -1691,7 +1723,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+ ssize_t fh;
+
+ pthread_mutex_lock(&lo->mutex);
+- fh = lo_add_fd_mapping(req, fd);
++ fh = lo_add_fd_mapping(lo, fd);
+ pthread_mutex_unlock(&lo->mutex);
+ if (fh == -1) {
+ close(fd);
+@@ -1892,38 +1924,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync,
+
+ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ {
+- int fd;
+- ssize_t fh;
+- char buf[64];
+ struct lo_data *lo = lo_data(req);
++ struct lo_inode *inode = lo_inode(req, ino);
++ int err;
+
+ fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino,
+ fi->flags);
+
+- update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+-
+- sprintf(buf, "%i", lo_fd(req, ino));
+- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
+- if (fd == -1) {
+- return (void)fuse_reply_err(req, errno);
+- }
+-
+- pthread_mutex_lock(&lo->mutex);
+- fh = lo_add_fd_mapping(req, fd);
+- pthread_mutex_unlock(&lo->mutex);
+- if (fh == -1) {
+- close(fd);
+- fuse_reply_err(req, ENOMEM);
++ if (!inode) {
++ fuse_reply_err(req, EBADF);
+ return;
+ }
+
+- fi->fh = fh;
+- if (lo->cache == CACHE_NONE) {
+- fi->direct_io = 1;
+- } else if (lo->cache == CACHE_ALWAYS) {
+- fi->keep_cache = 1;
++ err = lo_do_open(lo, inode, fi);
++ lo_inode_put(lo, &inode);
++ if (err) {
++ fuse_reply_err(req, err);
++ } else {
++ fuse_reply_open(req, fi);
+ }
+- fuse_reply_open(req, fi);
+ }
+
+ static void lo_release(fuse_req_t req, fuse_ino_t ino,
+--
+1.8.3.1
+
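Review bot: lo_do_open() is introduced without a header comment, and its contract is not obvious from the call site. It returns 0 or a positive errno (`return errno;`, `return ENOMEM;`), while the helper it calls, lo_add_fd_mapping(), signals failure with -1. I would add `/* Returns 0 on success or a positive errno; on success fi->fh refers to the new fd mapping. */` above it. Separately, `sprintf(buf, "%i", inode->fd)` cannot overflow the 64-byte buffer, but `snprintf(buf, sizeof(buf), "%i", inode->fd)` states that bound in the code.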
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
new file mode 100644
index 0000000000..bf11bdb6f8
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
@@ -0,0 +1,117 @@
+From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:07 +0000
+Subject: [PATCH] virtiofsd: optionally return inode pointer from
+ lo_do_lookup()
+
+lo_do_lookup() finds an existing inode or allocates a new one. It
+increments nlookup so that the inode stays alive until the client
+releases it.
+
+Existing callers don't need the struct lo_inode so the function doesn't
+return it. Extend the function to optionally return the inode. The next
+commit will need it.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index f14fa51..aa35fc6 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname,
+ }
+
+ /*
+- * Increments nlookup and caller must release refcount using
+- * lo_inode_put(&parent).
++ * Increments nlookup on the inode on success. unref_inode_lolocked() must be
++ * called eventually to decrement nlookup again. If inodep is non-NULL, the
++ * inode pointer is stored and the caller must call lo_inode_put().
+ */
+ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+- struct fuse_entry_param *e)
++ struct fuse_entry_param *e,
++ struct lo_inode **inodep)
+ {
+ int newfd;
+ int res;
+@@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+ struct lo_inode *inode = NULL;
+ struct lo_inode *dir = lo_inode(req, parent);
+
++ if (inodep) {
++ *inodep = NULL;
++ }
++
+ /*
+ * name_to_handle_at() and open_by_handle_at() can reach here with fuse
+ * mount point in guest, but we don't have its inode info in the
+@@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+ pthread_mutex_unlock(&lo->mutex);
+ }
+ e->ino = inode->fuse_ino;
+- lo_inode_put(lo, &inode);
++
++ /* Transfer ownership of inode pointer to caller or drop it */
++ if (inodep) {
++ *inodep = inode;
++ } else {
++ lo_inode_put(lo, &inode);
++ }
++
+ lo_inode_put(lo, &dir);
+
+ fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent,
+@@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
+ return;
+ }
+
+- err = lo_do_lookup(req, parent, name, &e);
++ err = lo_do_lookup(req, parent, name, &e, NULL);
+ if (err) {
+ fuse_reply_err(req, err);
+ } else {
+@@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
+ goto out;
+ }
+
+- saverr = lo_do_lookup(req, parent, name, &e);
++ saverr = lo_do_lookup(req, parent, name, &e, NULL);
+ if (saverr) {
+ goto out;
+ }
+@@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
+
+ if (plus) {
+ if (!is_dot_or_dotdot(name)) {
+- err = lo_do_lookup(req, ino, name, &e);
++ err = lo_do_lookup(req, ino, name, &e, NULL);
+ if (err) {
+ goto error;
+ }
+@@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+ }
+
+ fi->fh = fh;
+- err = lo_do_lookup(req, parent, name, &e);
++ err = lo_do_lookup(req, parent, name, &e, NULL);
+ }
+ if (lo->cache == CACHE_NONE) {
+ fi->direct_io = 1;
+--
+1.8.3.1
+
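Review bot: The rewritten header comment on lo_do_lookup() says what the caller owes on success but not what `*inodep` holds on failure; the code sets it to NULL on entry for that case. Adding a sentence such as `On error *inodep is set to NULL.` tells a caller it does not have to track how far the lookup got. The body between the inner hunks is not shown, so whether any error path can still run after `*inodep = inode` cannot be checked from here.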
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
new file mode 100644
index 0000000000..f348f3f2bd
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
@@ -0,0 +1,303 @@
+From a3fdbbc7f271bff7d53d0501b29d910ece0b3789 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Thu, 4 Feb 2021 15:02:08 +0000
+Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
+
+A well-behaved FUSE client does not attempt to open special files with
+FUSE_OPEN because they are handled on the client side (e.g. device nodes
+are handled by client-side device drivers).
+
+The check to prevent virtiofsd from opening special files is missing in
+a few cases, most notably FUSE_OPEN. A malicious client can cause
+virtiofsd to open a device node, potentially allowing the guest to
+escape. This can be exploited by a modified guest device driver. It is
+not exploitable from guest userspace since the guest kernel will handle
+special files inside the guest instead of sending FUSE requests.
+
+This patch fixes this issue by introducing the lo_inode_open() function
+to check the file type before opening it. This is a short-term solution
+because it does not prevent a compromised virtiofsd process from opening
+device nodes on the host.
+
+Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
+| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
+necessary here. If the file exists and the user did not specify O_EXCL,
+open it via lo_do_open().
+
+Reported-by: Alex Xu <alex@alxu.ca>
+Fixes: CVE-2020-35517
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/a3fdbbc7f271bff7d53d0501b29d910ece0b3789]
+
+CVE: CVE-2020-35517
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
+ 1 file changed, 92 insertions(+), 52 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index aa35fc6ba5a5..147b59338a18 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -555,6 +555,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
+ return fd;
+ }
+
++/*
++ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
++ * regular file or a directory.
++ *
++ * Use this helper function instead of raw openat(2) to prevent security issues
++ * when a malicious client opens special files such as block device nodes.
++ * Symlink inodes are also rejected since symlinks must already have been
++ * traversed on the client side.
++ */
++static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
++ int open_flags)
++{
++ g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
++ int fd;
++
++ if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
++ return -EBADF;
++ }
++
++ /*
++ * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
++ * that the inode is not a special file but if an external process races
++ * with us then symlinks are traversed here. It is not possible to escape
++ * the shared directory since it is mounted as "/" though.
++ */
++ fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
++ if (fd < 0) {
++ return -errno;
++ }
++ return fd;
++}
++
+ static void lo_init(void *userdata, struct fuse_conn_info *conn)
+ {
+ struct lo_data *lo = (struct lo_data *)userdata;
+@@ -684,9 +716,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+ if (fi) {
+ truncfd = fd;
+ } else {
+- sprintf(procname, "%i", ifd);
+- truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
++ truncfd = lo_inode_open(lo, inode, O_RDWR);
+ if (truncfd < 0) {
++ errno = -truncfd;
+ goto out_err;
+ }
+ }
+@@ -848,7 +880,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
+ struct lo_inode *dir = lo_inode(req, parent);
+
+ if (inodep) {
+- *inodep = NULL;
++ *inodep = NULL; /* in case there is an error */
+ }
+
+ /*
+@@ -1664,19 +1696,26 @@ static void update_open_flags(int writeback, int allow_direct_io,
+ }
+ }
+
++/*
++ * Open a regular file, set up an fd mapping, and fill out the struct
++ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
++ * opening a new one. Takes ownership of existing_fd.
++ *
++ * Returns 0 on success or a positive errno.
++ */
+ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+- struct fuse_file_info *fi)
++ int existing_fd, struct fuse_file_info *fi)
+ {
+- char buf[64];
+ ssize_t fh;
+- int fd;
++ int fd = existing_fd;
+
+ update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+
+- sprintf(buf, "%i", inode->fd);
+- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
+- if (fd == -1) {
+- return errno;
++ if (fd < 0) {
++ fd = lo_inode_open(lo, inode, fi->flags);
++ if (fd < 0) {
++ return -fd;
++ }
+ }
+
+ pthread_mutex_lock(&lo->mutex);
+@@ -1699,9 +1738,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+ mode_t mode, struct fuse_file_info *fi)
+ {
+- int fd;
++ int fd = -1;
+ struct lo_data *lo = lo_data(req);
+ struct lo_inode *parent_inode;
++ struct lo_inode *inode = NULL;
+ struct fuse_entry_param e;
+ int err;
+ struct lo_cred old = {};
+@@ -1727,36 +1767,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
+
+ update_open_flags(lo->writeback, lo->allow_direct_io, fi);
+
+- fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
+- mode);
++ /* Try to create a new file but don't open existing files */
++ fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
+ err = fd == -1 ? errno : 0;
+- lo_restore_cred(&old);
+
+- if (!err) {
+- ssize_t fh;
++ lo_restore_cred(&old);
+
+- pthread_mutex_lock(&lo->mutex);
+- fh = lo_add_fd_mapping(lo, fd);
+- pthread_mutex_unlock(&lo->mutex);
+- if (fh == -1) {
+- close(fd);
+- err = ENOMEM;
+- goto out;
+- }
++ /* Ignore the error if file exists and O_EXCL was not given */
++ if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
++ goto out;
++ }
+
+- fi->fh = fh;
+- err = lo_do_lookup(req, parent, name, &e, NULL);
++ err = lo_do_lookup(req, parent, name, &e, &inode);
++ if (err) {
++ goto out;
+ }
+- if (lo->cache == CACHE_NONE) {
+- fi->direct_io = 1;
+- } else if (lo->cache == CACHE_ALWAYS) {
+- fi->keep_cache = 1;
++
++ err = lo_do_open(lo, inode, fd, fi);
++ fd = -1; /* lo_do_open() takes ownership of fd */
++ if (err) {
++ /* Undo lo_do_lookup() nlookup ref */
++ unref_inode_lolocked(lo, inode, 1);
+ }
+
+ out:
++ lo_inode_put(lo, &inode);
+ lo_inode_put(lo, &parent_inode);
+
+ if (err) {
++ if (fd >= 0) {
++ close(fd);
++ }
++
+ fuse_reply_err(req, err);
+ } else {
+ fuse_reply_create(req, &e, fi);
+@@ -1770,7 +1812,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
+ pid_t pid, int *err)
+ {
+ struct lo_inode_plock *plock;
+- char procname[64];
+ int fd;
+
+ plock =
+@@ -1787,12 +1828,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
+ }
+
+ /* Open another instance of file which can be used for ofd locks. */
+- sprintf(procname, "%i", inode->fd);
+-
+ /* TODO: What if file is not writable? */
+- fd = openat(lo->proc_self_fd, procname, O_RDWR);
+- if (fd == -1) {
+- *err = errno;
++ fd = lo_inode_open(lo, inode, O_RDWR);
++ if (fd < 0) {
++ *err = -fd;
+ free(plock);
+ return NULL;
+ }
+@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ return;
+ }
+
+- err = lo_do_open(lo, inode, fi);
++ err = lo_do_open(lo, inode, -1, fi);
+ lo_inode_put(lo, &inode);
+ if (err) {
+ fuse_reply_err(req, err);
+@@ -2014,39 +2053,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
+ static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
+ struct fuse_file_info *fi)
+ {
++ struct lo_inode *inode = lo_inode(req, ino);
++ struct lo_data *lo = lo_data(req);
+ int res;
+ int fd;
+- char *buf;
+
+ fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
+ (void *)fi);
+
+- if (!fi) {
+- struct lo_data *lo = lo_data(req);
+-
+- res = asprintf(&buf, "%i", lo_fd(req, ino));
+- if (res == -1) {
+- return (void)fuse_reply_err(req, errno);
+- }
++ if (!inode) {
++ fuse_reply_err(req, EBADF);
++ return;
++ }
+
+- fd = openat(lo->proc_self_fd, buf, O_RDWR);
+- free(buf);
+- if (fd == -1) {
+- return (void)fuse_reply_err(req, errno);
++ if (!fi) {
++ fd = lo_inode_open(lo, inode, O_RDWR);
++ if (fd < 0) {
++ res = -fd;
++ goto out;
+ }
+ } else {
+ fd = lo_fi_fd(req, fi);
+ }
+
+ if (datasync) {
+- res = fdatasync(fd);
++ res = fdatasync(fd) == -1 ? errno : 0;
+ } else {
+- res = fsync(fd);
++ res = fsync(fd) == -1 ? errno : 0;
+ }
+ if (!fi) {
+ close(fd);
+ }
+- fuse_reply_err(req, res == -1 ? errno : 0);
++out:
++ lo_inode_put(lo, &inode);
++ fuse_reply_err(req, res);
+ }
+
+ static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
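Review bot: lo_inode_open() protects only the call sites converted here (lo_setattr, lo_do_open, lookup_create_plock_ctx, lo_fsync), so when carrying this backport it is worth searching passthrough_ll.c for any remaining `openat(lo->proc_self_fd, ...)`. The rest of the file is outside these hunks, and an unconverted caller would still open special files. The gate also depends on `inode->filetype`, whose assignment is not part of this patch, so the target tree must already populate that field. Inside the helper, `g_strdup_printf()` runs before the file-type test, so the string is allocated even for inodes that are rejected; declaring `g_autofree char *fd_str = NULL;` and assigning it after the `S_ISREG`/`S_ISDIR` check avoids that.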
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
new file mode 100644
index 0000000000..1b8c77f838
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
@@ -0,0 +1,81 @@
+From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+ fid down and cause the reference to be stale. This leads to a
+ use-after-free error that can be detected with ASAN, using a
+ custom 9p client
+- fids are added at the head of the list : restarting from the
+ previous head will always miss fids added by a some other
+ potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+
+Fixes: CVE-2021-20181
+Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
+Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
+Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
+CVE: CVE-2021-20181
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/9pfs/9p.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 94df440fc..6026b51a1 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ {
+ int err;
+ V9fsState *s = pdu->s;
+- V9fsFidState *fidp, head_fid;
++ V9fsFidState *fidp;
+
+- head_fid.next = s->fid_list;
++again:
+ for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+ if (fidp->path.size != path->size) {
+ continue;
+@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
+ * switched to the worker thread
+ */
+ if (err == 0) {
+- fidp = &head_fid;
++ goto again;
+ }
+ }
+ }
+--
+2.29.2
+
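Review bot: With `goto again` the loop in v9fs_mark_fids_unreclaim() terminates only if the reopen step reports something other than 0 for a fid that is already open. That call sits between the two inner hunks and is not visible here, so it should be confirmed in the tree this backport applies to. A short comment at the label would keep the reasoning from the commit message next to the code, e.g. `/* fids are added at the head, so restart from the current head after a yield */`. The function body starts and ends outside the hunks.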
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
new file mode 100644
index 0000000000..d762a51d02
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
@@ -0,0 +1,70 @@
+From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
+Date: Sun, 31 Jan 2021 11:34:01 +0100
+Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+ - 4.3 Distributor register descriptions
+ - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+ - Table 4-21 GICD_SGIR bit assignments
+
+ The Interrupt ID of the SGI to forward to the specified CPU
+ interfaces. The value of this field is the Interrupt ID, in
+ the range 0-15, for example a value of 0b0011 specifies
+ Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+ $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+ [I 1612088147.116987] OPENED
+ [R +0.278293] writel 0x8000f00 0xff4affb0
+ ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a]
+CVE: CVE-2021-20221
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index c60dc6b5e..fbde60de0 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+ int target_cpu;
+
+ cpu = gic_get_current_cpu(s);
+- irq = value & 0x3ff;
++ irq = value & 0xf;
+ switch ((value >> 24) & 3) {
+ case 0:
+ mask = (value >> 16) & ALL_CPU_MASK;
+--
+2.29.2
+
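Review bot: The new mask in gic_dist_writel() is a bare `0xf`, and the reason it is 4 bits wide is recorded only in the commit message. A trailing comment such as `irq = value & 0xf; /* SGIINTID is bits [3:0], IDs 0-15 */` keeps the bound next to the value that later indexes the 16-entry array named in the sanitizer report. The function starts and continues outside the hunk.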
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
new file mode 100644
index 0000000000..7175b24e99
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
@@ -0,0 +1,55 @@
+From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:45:28 +0800
+Subject: [PATCH] e1000: fail early for evil descriptor
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
+CVE: CVE-2021-20257
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index cf22c4f07..c3564c7ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+ do {
+ bytes = split_size;
++ if (tp->size >= msh) {
++ goto eop;
++ }
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ tp->size += split_size;
+ }
+
++eop:
+ if (!(txd_lower & E1000_TXD_CMD_EOP))
+ return;
+ if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+--
+2.29.2
+
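Review bot: The added `if (tp->size >= msh) goto eop;` in process_tx_desc() carries no comment, and with the new `eop:` label the control flow is hard to follow without one. I would put `/* tp->size >= msh would make msh - tp->size underflow below */` above the check. The jump also skips the size accounting between the check and the label, so for a descriptor without E1000_TXD_CMD_EOP the function returns with `tp->size` unchanged. Whether that state is reset elsewhere is outside the hunks and worth confirming.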
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
new file mode 100644
index 0000000000..4f9a91f0c6
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
@@ -0,0 +1,214 @@
+From aaa5f8e00c2e85a893b972f1e243fb14c26b70dc Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Wed, 24 Feb 2021 19:56:25 +0000
+Subject: [PATCH 2/2] virtiofs: drop remapped security.capability xattr as
+ needed
+
+On Linux, the 'security.capability' xattr holds a set of
+capabilities that can change when an executable is run, giving
+a limited form of privilege escalation to those programs that
+the writer of the file deemed worthy.
+
+Any write causes the 'security.capability' xattr to be dropped,
+stopping anyone from gaining privilege by modifying a blessed
+file.
+
+Fuse relies on the daemon to do this dropping, and in turn the
+daemon relies on the host kernel to drop the xattr for it. However,
+with the addition of -o xattrmap, the xattr that the guest
+stores its capabilities in is now not the same as the one that
+the host kernel automatically clears.
+
+Where the mapping changes 'security.capability', explicitly clear
+the remapped name to preserve the same behaviour.
+
+This bug is assigned CVE-2021-20263.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+
+Upstream-Status: Backport [e586edcb410543768ef009eaa22a2d9dd4a53846]
+CVE: CVE-2021-20263
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ docs/tools/virtiofsd.rst | 4 ++
+ tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
+ 2 files changed, 80 insertions(+), 1 deletion(-)
+
+diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
+index 866b7db3e..00554c75b 100644
+--- a/docs/tools/virtiofsd.rst
++++ b/docs/tools/virtiofsd.rst
+@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
+ to the matched **key** (or all attributes if **key** is empty).
+ There may be at most one 'map' rule and it must be the last rule in the set.
+
++Note: When the 'security.capability' xattr is remapped, the daemon has to do
++extra work to remove it during many operations, which the host kernel normally
++does itself.
++
+ xattr-mapping Examples
+ ----------------------
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 03c5e0d13..c9197da86 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -160,6 +160,7 @@ struct lo_data {
+ int posix_lock;
+ int xattr;
+ char *xattrmap;
++ char *xattr_security_capability;
+ char *source;
+ char *modcaps;
+ double timeout;
+@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
+
+ static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
+ uint64_t mnt_id);
++static int xattr_map_client(const struct lo_data *lo, const char *client_name,
++ char **out_name);
+
+ static int is_dot_or_dotdot(const char *name)
+ {
+@@ -365,6 +368,37 @@ out:
+ return ret;
+ }
+
++/*
++ * The host kernel normally drops security.capability xattr's on
++ * any write, however if we're remapping xattr names we need to drop
++ * whatever the clients security.capability is actually stored as.
++ */
++static int drop_security_capability(const struct lo_data *lo, int fd)
++{
++ if (!lo->xattr_security_capability) {
++ /* We didn't remap the name, let the host kernel do it */
++ return 0;
++ }
++ if (!fremovexattr(fd, lo->xattr_security_capability)) {
++ /* All good */
++ return 0;
++ }
++
++ switch (errno) {
++ case ENODATA:
++ /* Attribute didn't exist, that's fine */
++ return 0;
++
++ case ENOTSUP:
++ /* FS didn't support attribute anyway, also fine */
++ return 0;
++
++ default:
++ /* Hmm other error */
++ return errno;
++ }
++}
++
+ static void lo_map_init(struct lo_map *map)
+ {
+ map->elems = NULL;
+@@ -717,6 +751,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+ uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
+ gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
+
++ saverr = drop_security_capability(lo, ifd);
++ if (saverr) {
++ goto out_err;
++ }
++
+ res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+ if (res == -1) {
+ goto out_err;
+@@ -735,6 +774,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+ }
+ }
+
++ saverr = drop_security_capability(lo, truncfd);
++ if (saverr) {
++ if (!fi) {
++ close(truncfd);
++ }
++ goto out_err;
++ }
++
+ res = ftruncate(truncfd, attr->st_size);
+ if (!fi) {
+ saverr = errno;
+@@ -1726,6 +1773,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+ if (fd < 0) {
+ return -fd;
+ }
++ if (fi->flags & (O_TRUNC)) {
++ int err = drop_security_capability(lo, fd);
++ if (err) {
++ close(fd);
++ return err;
++ }
++ }
+ }
+
+ pthread_mutex_lock(&lo->mutex);
+@@ -2114,6 +2168,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
+ "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
+ out_buf.buf[0].size, (unsigned long)off);
+
++ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
++ if (res) {
++ fuse_reply_err(req, res);
++ return;
++ }
++
+ /*
+ * If kill_priv is set, drop CAP_FSETID which should lead to kernel
+ * clearing setuid/setgid on file.
+@@ -2353,6 +2413,7 @@ static void parse_xattrmap(struct lo_data *lo)
+ {
+ const char *map = lo->xattrmap;
+ const char *tmp;
++ int ret;
+
+ lo->xattr_map_nentries = 0;
+ while (*map) {
+@@ -2383,7 +2444,7 @@ static void parse_xattrmap(struct lo_data *lo)
+ * the last entry.
+ */
+ parse_xattrmap_map(lo, map, sep);
+- return;
++ break;
+ } else {
+ fuse_log(FUSE_LOG_ERR,
+ "%s: Unexpected type;"
+@@ -2452,6 +2513,19 @@ static void parse_xattrmap(struct lo_data *lo)
+ fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
+ exit(1);
+ }
++
++ ret = xattr_map_client(lo, "security.capability",
++ &lo->xattr_security_capability);
++ if (ret) {
++ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
++ strerror(ret));
++ exit(1);
++ }
++ if (!strcmp(lo->xattr_security_capability, "security.capability")) {
++ /* 1-1 mapping, don't need to do anything */
++ free(lo->xattr_security_capability);
++ lo->xattr_security_capability = NULL;
++ }
+ }
+
+ /*
+@@ -3480,6 +3554,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
+
+ free(lo->xattrmap);
+ free_xattrmap(lo);
++ free(lo->xattr_security_capability);
+ free(lo->source);
+ }
+
+--
+2.29.2
+
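Review bot: In the second `lo_setattr` hunk, the new error path calls `close(truncfd)` between the failed `drop_security_capability()` and `goto out_err` without preserving the error, unlike the `ftruncate` path just below it, which does `saverr = errno;` before its close. The `fchownat` failure a few lines earlier jumps to `out_err` without assigning `saverr`, which suggests the label takes its code from `errno`. If so, a failing `close()` would replace the xattr-removal error that is reported back to the guest. Restoring it after the close keeps the two paths consistent: `close(truncfd); errno = saverr;`. The `out_err` label is outside the hunk, so this should be confirmed against the full function.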
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
new file mode 100644
index 0000000000..af94cff7e8
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
@@ -0,0 +1,89 @@
+From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Mon, 19 Apr 2021 15:42:47 +0200
+Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
+ (CVE-2021-3392)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
+the Megaraid emulator appends new MPTSASRequest object 'req' to
+the 's->pending' queue. In case of an error, this same object gets
+dequeued in mptsas_free_request() only if SCSIRequest object
+'req->sreq' is initialised. This may lead to a use-after-free issue.
+
+Since s->pending is actually not used, simply remove it from
+MPTSASState.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Message-id: 20210419134247.1467982-1-f4bug@amsat.org
+Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
+Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
+[PMD: Reworded description, added more tags]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+CVE: CVE-2021-3392
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ hw/scsi/mptsas.c | 6 ------
+ hw/scsi/mptsas.h | 1 -
+ 2 files changed, 7 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 7416e7870614..db3219e7d206 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
+
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+- MPTSASState *s = req->dev;
+-
+ if (req->sreq != NULL) {
+ req->sreq->hba_private = NULL;
+ scsi_req_unref(req->sreq);
+ req->sreq = NULL;
+- QTAILQ_REMOVE(&s->pending, req, next);
+ }
+ qemu_sglist_destroy(&req->qsg);
+ g_free(req);
+@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+ }
+
+ req = g_new0(MPTSASRequest, 1);
+- QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
+
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
+
+ s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+
+- QTAILQ_INIT(&s->pending);
+-
+ scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
+ }
+
+diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
+index b85ac1a5fcc7..c046497db719 100644
+--- a/hw/scsi/mptsas.h
++++ b/hw/scsi/mptsas.h
+@@ -79,7 +79,6 @@ struct MPTSASState {
+ uint16_t reply_frame_size;
+
+ SCSIBus bus;
+- QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
new file mode 100644
index 0000000000..f9395add43
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
@@ -0,0 +1,56 @@
+From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Tue, 16 Feb 2021 11:46:52 +0800
+Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
+ sdhci_sdma_transfer_multi_blocks()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+s->prnsts is updated in both branches of the if () else () statement.
+Move the common bits outside so that it is cleaner.
+
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 2f8b74a84..f83c5e295 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ page_aligned = true;
+ }
+
++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+ if (s->trnmod & SDHC_TRNS_READ) {
+- s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
+- SDHC_DAT_LINE_ACTIVE;
++ s->prnsts |= SDHC_DOING_READ;
+ while (s->blkcnt) {
+ if (s->data_count == 0) {
+ sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ }
+ }
+ } else {
+- s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
+- SDHC_DAT_LINE_ACTIVE;
++ s->prnsts |= SDHC_DOING_WRITE;
+ while (s->blkcnt) {
+ begin = s->data_count;
+ if (((boundary_count + begin) < block_size) && page_aligned) {
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
new file mode 100644
index 0000000000..f3d2bb1375
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
@@ -0,0 +1,92 @@
+From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:35 +0800
+Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
+ out
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+At the end of sdhci_send_command(), it starts a data transfer if the
+command register indicates data is associated. But the data transfer
+should only be initiated when the command execution has succeeded.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001810
+outl 0xcfc 0xe1068000
+outl 0xcf8 0x80001804
+outw 0xcfc 0x7
+write 0xe106802c 0x1 0x0f
+write 0xe1068004 0xc 0x2801d10101fffffbff28a384
+write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
+write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
+write 0xe1068003 0x1 0xfe
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
+ -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive \
+ -monitor none -serial none -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index f83c5e295..44f8a82ea 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
+ SDRequest request;
+ uint8_t response[16];
+ int rlen;
++ bool timeout = false;
+
+ s->errintsts = 0;
+ s->acmd12errsts = 0;
+@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
+ trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
+ s->rspreg[1], s->rspreg[0]);
+ } else {
++ timeout = true;
+ trace_sdhci_error("timeout waiting for command response");
+ if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+ s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
+
+ sdhci_update_irq(s);
+
+- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+ s->data_count = 0;
+ sdhci_data_transfer(s);
+ }
+--
+2.29.2
+
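Review bot: The patch header lists `Fixes: CVE-2020-17380` and `Fixes: CVE-2020-25085` next to CVE-2021-3409, but the OE trailer names only `CVE: CVE-2021-3409`; the same holds for CVE-2021-3409_3.patch, CVE-2021-3409_4.patch and CVE-2021-3409_6.patch. As far as I know, cve-check builds its list of patched CVEs from the `CVE:` line and the patch file name, not from upstream `Fixes:` tags. The two older IDs may therefore still be reported against this recipe unless they are resolved elsewhere. If the series is meant to close them for this QEMU version, the trailer could read `CVE: CVE-2020-17380 CVE-2020-25085 CVE-2021-3409`. Whether that is accurate depends on the recipe version and the CVE database entries, neither of which is visible in this hunk.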
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
new file mode 100644
index 0000000000..c3b37ed616
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
@@ -0,0 +1,109 @@
+From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:36 +0800
+Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
+ transfer is in progress
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Per "SD Host Controller Standard Specification Version 7.00"
+chapter 2.2.1 SDMA System Address Register:
+
+This register can be accessed only if no transaction is executing
+(i.e., after a transaction has stopped).
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xfbefff00
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xfbefff2c 0x1 0x05
+write 0xfbefff0f 0x1 0x37
+write 0xfbefff0a 0x1 0x01
+write 0xfbefff0f 0x1 0x29
+write 0xfbefff0f 0x1 0x02
+write 0xfbefff0f 0x1 0x03
+write 0xfbefff04 0x1 0x01
+write 0xfbefff05 0x1 0x01
+write 0xfbefff07 0x1 0x02
+write 0xfbefff0c 0x1 0x33
+write 0xfbefff0e 0x1 0x20
+write 0xfbefff0f 0x1 0x00
+write 0xfbefff2a 0x1 0x01
+write 0xfbefff0c 0x1 0x00
+write 0xfbefff03 0x1 0x00
+write 0xfbefff05 0x1 0x00
+write 0xfbefff2a 0x1 0x02
+write 0xfbefff0c 0x1 0x32
+write 0xfbefff01 0x1 0x01
+write 0xfbefff02 0x1 0x01
+write 0xfbefff03 0x1 0x01
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 44f8a82ea..d8a46f307 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+
+ switch (offset & ~0x3) {
+ case SDHC_SYSAD:
+- s->sdmasysad = (s->sdmasysad & mask) | value;
+- MASKED_WRITE(s->sdmasysad, mask, value);
+- /* Writing to last byte of sdmasysad might trigger transfer */
+- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+- if (s->trnmod & SDHC_TRNS_MULTI) {
+- sdhci_sdma_transfer_multi_blocks(s);
+- } else {
+- sdhci_sdma_transfer_single_block(s);
++ if (!TRANSFERRING_DATA(s->prnsts)) {
++ s->sdmasysad = (s->sdmasysad & mask) | value;
++ MASKED_WRITE(s->sdmasysad, mask, value);
++ /* Writing to last byte of sdmasysad might trigger transfer */
++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
++ if (s->trnmod & SDHC_TRNS_MULTI) {
++ sdhci_sdma_transfer_multi_blocks(s);
++ } else {
++ sdhci_sdma_transfer_single_block(s);
++ }
+ }
+ }
+ break;
+--
+2.29.2
+
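Review bot: With the whole `SDHC_SYSAD` case now wrapped in `if (!TRANSFERRING_DATA(s->prnsts))`, a guest write that arrives while a transfer is in progress is discarded without any trace. The `SDHC_BLKSIZE` case of the same `sdhci_write()` (visible in CVE-2021-3409_5.patch) reports guest misbehaviour through `qemu_log_mask(LOG_GUEST_ERROR, ...)`. Doing the same here would make an out-of-spec register access visible when running with `-d guest_errors`: `} else { qemu_log_mask(LOG_GUEST_ERROR, "%s: SDHC_SYSAD write ignored during transfer\n", __func__); }`. `sdhci_write()` starts and ends outside the hunk, and as this is a backport the addition is better raised upstream than carried locally.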
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
new file mode 100644
index 0000000000..d5be99759d
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
@@ -0,0 +1,75 @@
+From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:37 +0800
+Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
+ ADMA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When an ADMA transfer is started, the codes forget to set the
+controller status to indicate a transfer is in progress.
+
+With this fix, the following 2 reproducers:
+
+https://paste.debian.net/plain/1185136
+https://paste.debian.net/plain/1185141
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index d8a46f307..7de03c6dd 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
+
+ switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+ case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
+ if (s->trnmod & SDHC_TRNS_READ) {
++ s->prnsts |= SDHC_DOING_READ;
+ while (length) {
+ if (s->data_count == 0) {
+ sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
+@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
+ }
+ }
+ } else {
++ s->prnsts |= SDHC_DOING_WRITE;
+ while (length) {
+ begin = s->data_count;
+ if ((length + begin) < block_size) {
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
new file mode 100644
index 0000000000..7199056838
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
@@ -0,0 +1,56 @@
+From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:38 +0800
+Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
+ register is writable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The codes to limit the maximum block size is only necessary when
+SDHC_BLKSIZE register is writable.
+
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 7de03c6dd..6c780126e 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+- }
+
+- /* Limit block size to the maximum buffer size */
+- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+- "the maximum buffer 0x%x\n", __func__, s->blksize,
+- s->buf_maxsz);
++ /* Limit block size to the maximum buffer size */
++ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
++ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
++ "the maximum buffer 0x%x\n", __func__, s->blksize,
++ s->buf_maxsz);
+
+- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
++ }
+ }
+
+ break;
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
new file mode 100644
index 0000000000..624c1f6496
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
@@ -0,0 +1,99 @@
+From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
+From: Bin Meng <bmeng.cn@gmail.com>
+Date: Wed, 3 Mar 2021 20:26:39 +0800
+Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
+ when a different block size is programmed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the block size is programmed to a different value from the
+previous one, reset the data pointer of s->fifo_buffer[] so that
+s->fifo_buffer[] can be filled in using the new block size in
+the next transfer.
+
+With this fix, the following reproducer:
+
+outl 0xcf8 0x80001010
+outl 0xcfc 0xe0000000
+outl 0xcf8 0x80001001
+outl 0xcfc 0x06000000
+write 0xe000002c 0x1 0x05
+write 0xe0000005 0x1 0x02
+write 0xe0000007 0x1 0x01
+write 0xe0000028 0x1 0x10
+write 0x0 0x1 0x23
+write 0x2 0x1 0x08
+write 0xe000000c 0x1 0x01
+write 0xe000000e 0x1 0x20
+write 0xe000000f 0x1 0x00
+write 0xe000000c 0x1 0x32
+write 0xe0000004 0x2 0x0200
+write 0xe0000028 0x1 0x00
+write 0xe0000003 0x1 0x40
+
+cannot be reproduced with the following QEMU command line:
+
+$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
+ -nodefaults -device sdhci-pci,sd-spec-version=3 \
+ -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
+ -device sd-card,drive=mydrive -qtest stdio
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2020-17380
+Fixes: CVE-2020-25085
+Fixes: CVE-2021-3409
+Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
+Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
+Reported-by: Simon Wörner (Ruhr-Universität Bochum)
+Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
+Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
+Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
+Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
+CVE: CVE-2021-3409
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/sd/sdhci.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 6c780126e..216842420 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+ break;
+ case SDHC_BLKSIZE:
+ if (!TRANSFERRING_DATA(s->prnsts)) {
++ uint16_t blksize = s->blksize;
++
+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+ MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+
+@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+
+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+ }
++
++ /*
++ * If the block size is programmed to a different value from
++ * the previous one, reset the data pointer of s->fifo_buffer[]
++ * so that s->fifo_buffer[] can be filled in using the new block
++ * size in the next transfer.
++ */
++ if (blksize != s->blksize) {
++ s->data_count = 0;
++ }
+ }
+
+ break;
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
new file mode 100644
index 0000000000..5bacd67481
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
@@ -0,0 +1,177 @@
+From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 11:44:36 +0800
+Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some NIC supports loopback mode and this is done by calling
+nc->info->receive() directly which in fact suppresses the effort of
+reentrancy check that is done in qemu_net_queue_send().
+
+Unfortunately we can't use qemu_net_queue_send() here since for
+loopback there's no sender as peer, so this patch introduce a
+qemu_receive_packet() which is used for implementing loopback mode
+for a NIC with this check.
+
+NIC that supports loopback mode will be converted to this helper.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ include/net/net.h | 5 +++++
+ include/net/queue.h | 8 ++++++++
+ net/net.c | 38 +++++++++++++++++++++++++++++++-------
+ net/queue.c | 22 ++++++++++++++++++++++
+ 4 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/net.h b/include/net/net.h
+index 778fc787c..03f058ecb 100644
+--- a/include/net/net.h
++++ b/include/net/net.h
+@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
+ void qemu_del_net_client(NetClientState *nc);
+ typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
+ void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
++int qemu_can_receive_packet(NetClientState *nc);
+ int qemu_can_send_packet(NetClientState *nc);
+ ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
+ int iovcnt);
+ ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
+ int iovcnt, NetPacketSent *sent_cb);
+ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
++ssize_t qemu_receive_packet_iov(NetClientState *nc,
++ const struct iovec *iov,
++ int iovcnt);
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
+ ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
+ int size, NetPacketSent *sent_cb);
+diff --git a/include/net/queue.h b/include/net/queue.h
+index c0269bb1d..9f2f289d7 100644
+--- a/include/net/queue.h
++++ b/include/net/queue.h
+@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
+
+ void qemu_del_net_queue(NetQueue *queue);
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size);
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt);
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+diff --git a/net/net.c b/net/net.c
+index 6a2c3d956..5e15e5d27 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
+ #endif
+ }
+
++int qemu_can_receive_packet(NetClientState *nc)
++{
++ if (nc->receive_disabled) {
++ return 0;
++ } else if (nc->info->can_receive &&
++ !nc->info->can_receive(nc)) {
++ return 0;
++ }
++ return 1;
++}
++
+ int qemu_can_send_packet(NetClientState *sender)
+ {
+ int vm_running = runstate_is_running();
+@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
+ return 1;
+ }
+
+- if (sender->peer->receive_disabled) {
+- return 0;
+- } else if (sender->peer->info->can_receive &&
+- !sender->peer->info->can_receive(sender->peer)) {
+- return 0;
+- }
+- return 1;
++ return qemu_can_receive_packet(sender->peer);
+ }
+
+ static ssize_t filter_receive_iov(NetClientState *nc,
+@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
+ return qemu_send_packet_async(nc, buf, size, NULL);
+ }
+
++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
++}
++
++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
++ int iovcnt)
++{
++ if (!qemu_can_receive_packet(nc)) {
++ return 0;
++ }
++
++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
++}
++
+ ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
+ {
+ return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
+diff --git a/net/queue.c b/net/queue.c
+index 19e32c80f..c872d51df 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
+ return ret;
+ }
+
++ssize_t qemu_net_queue_receive(NetQueue *queue,
++ const uint8_t *data,
++ size_t size)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
++}
++
++ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
++ const struct iovec *iov,
++ int iovcnt)
++{
++ if (queue->delivering) {
++ return 0;
++ }
++
++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
++}
++
+ ssize_t qemu_net_queue_send(NetQueue *queue,
+ NetClientState *sender,
+ unsigned flags,
+--
+2.29.2
+
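Review bot: The new declarations `qemu_receive_packet()` and `qemu_receive_packet_iov()` in include/net/net.h, and `qemu_net_queue_receive()` / `qemu_net_queue_receive_iov()` in include/net/queue.h, are added without any comment describing their contract. The implementations in net/net.c and net/queue.c return 0 without delivering or queueing the packet when `qemu_can_receive_packet()` is false or `queue->delivering` is set. The lan9118 conversion in CVE-2021-3416_10.patch does not check the return value, so that drop is silent there. A short header comment would spell this out: `/* Loopback delivery to nc itself; returns 0 and drops the packet if nc cannot receive or its incoming queue is already delivering (re-entrant call). */`.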
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
new file mode 100644
index 0000000000..7deec1a347
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
@@ -0,0 +1,44 @@
+From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:35:30 -0500
+Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/lan9118.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
+index ab57c02c8..75f18ae2d 100644
+--- a/hw/net/lan9118.c
++++ b/hw/net/lan9118.c
+@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
+ /* FIXME: Honor TX disable, and allow queueing of packets. */
+ if (s->phy_control & 0x4000) {
+ /* This assumes the receive routine doesn't touch the VLANClient. */
+- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ }
+--
+2.29.2
+
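Review bot: The result of `qemu_receive_packet()` is discarded in `do_tx_packet`, so a loopback frame that the helper refuses (it returns 0 when `qemu_can_receive_packet()` fails or `queue->delivering` is set) is dropped without any trace; the same holds at every call site converted in patches 02 to 09 of this series. Dropping is how the recursion is broken, but the context comment above the call, `/* This assumes the receive routine doesn't touch the VLANClient. */`, no longer describes what happens. I would replace it with `/* Loopback goes through the net queue so re-entrant delivery is refused; a refused frame is dropped. */`. The `Reviewed-by:` trailer in this header is also missing its closing `>`, as it is in the dp8393x, rtl8139 and pcnet patches. `do_tx_packet` starts and ends outside the hunk.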
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
new file mode 100644
index 0000000000..5e53e20bac
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
@@ -0,0 +1,42 @@
+From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:13:22 +0800
+Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/e1000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index d7d05ae30..cf22c4f07 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
+
+ NetClientState *nc = qemu_get_queue(s->nic);
+ if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
new file mode 100644
index 0000000000..3fc469e3e3
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
@@ -0,0 +1,43 @@
+From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 12:57:40 +0800
+Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
+ loopback packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 205c0decc..533a8304d 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
+ s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
+ if (nc->info->can_receive(nc)) {
+ s->loopback_packet = 1;
+- nc->info->receive(nc, s->tx_buffer, tx_len);
++ qemu_receive_packet(nc, s->tx_buffer, tx_len);
+ }
+ } else {
+ /* Transmit packet */
+--
+2.29.2
+
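Review bot: `s->loopback_packet = 1` is set before `qemu_receive_packet()`, and nothing in the hunk clears it when the helper returns 0 without invoking the device's receive callback. If the flag is only cleared inside the receive routine (not visible here), a refused loopback frame would leave it set and the next frame arriving from the network would be treated as loopback. Checking the result closes that: `if (qemu_receive_packet(nc, s->tx_buffer, tx_len) <= 0) s->loopback_packet = 0;`. The surrounding `nc->info->can_receive(nc)` test is now duplicated by the helper's own `qemu_can_receive_packet()` check. `dp8393x_do_transmit_packets` continues outside the hunk.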
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
new file mode 100644
index 0000000000..e14f37735d
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
@@ -0,0 +1,43 @@
+From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:00:01 +0800
+Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/msf2-emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
+index 32ba9e841..3e6206044 100644
+--- a/hw/net/msf2-emac.c
++++ b/hw/net/msf2-emac.c
+@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
+ * R_CFG1 bit 0 is set.
+ */
+ if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
new file mode 100644
index 0000000000..c3f8f97592
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
@@ -0,0 +1,45 @@
+From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:14:35 +0800
+Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index 33c3722df..3684a4d73 100644
+--- a/hw/net/sungem.c
++++ b/hw/net/sungem.c
+@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
+ NetClientState *nc = qemu_get_queue(s->nic);
+
+ if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
new file mode 100644
index 0000000000..855c6970f4
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
@@ -0,0 +1,43 @@
+From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 24 Feb 2021 13:27:52 +0800
+Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index da262edc3..1f9aa59ec 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+ NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+ if (pkt->is_loopback) {
+- nc->info->receive_iov(nc, iov, iov_cnt);
++ qemu_receive_packet_iov(nc, iov, iov_cnt);
+ } else {
+ qemu_sendv_packet(nc, iov, iov_cnt);
+ }
+--
+2.29.2
+
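Review bot: The patch description names `qemu_receive_receive_iov()`, but the function the hunk calls is `qemu_receive_packet_iov()`. Anyone searching patch headers to audit which call sites the CVE-2021-3416 series covers will miss this one by name. The wording appears to be carried over from the upstream commit, so a one-line correction next to the `Upstream-Status` tag would fix the header without touching the code.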
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
new file mode 100644
index 0000000000..4e1115de02
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
@@ -0,0 +1,45 @@
+From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Fri, 26 Feb 2021 13:47:53 -0500
+Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index ba5ace1ab..d2dd03e6a 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
+ }
+
+ DPRINTF("+++ transmit loopback mode\n");
+- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+
+ if (iov) {
+ g_free(buf2);
+--
+2.29.2
+
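Review bot: The replacement call drops the `do_interrupt` argument that `rtl8139_transfer_frame` used to forward to `rtl8139_do_receive()`, so the loopback path now takes whatever interrupt behaviour the registered receive callback uses. That callback is not visible in this hunk; if it always raises the interrupt, callers that pass `do_interrupt` as 0 get different guest-visible behaviour in loopback mode. A comment at the call such as `/* loopback goes through the net queue; do_interrupt is not honoured on this path */` would record that the change is deliberate. `rtl8139_transfer_frame` starts and ends outside the hunk.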
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
new file mode 100644
index 0000000000..ed716468dc
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
@@ -0,0 +1,44 @@
+From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 10:33:34 -0500
+Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d859..dcd3fc494 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
new file mode 100644
index 0000000000..39d32b33a4
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
@@ -0,0 +1,46 @@
+From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov <alxndr@bu.edu>
+Date: Mon, 1 Mar 2021 14:33:43 -0500
+Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
+CVE: CVE-2021-3416
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/net/cadence_gem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
+index 7a534691f..43b760e3f 100644
+--- a/hw/net/cadence_gem.c
++++ b/hw/net/cadence_gem.c
+@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
+ /* Send the packet somewhere */
+ if (s->phy_loop || (s->regs[GEM_NWCTRL] &
+ GEM_NWCTRL_LOCALLOOP)) {
+- gem_receive(qemu_get_queue(s->nic), s->tx_packet,
+- total_bytes);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
++ total_bytes);
+ } else {
+ qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
+ total_bytes);
+--
+2.29.2
+
diff --git a/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch b/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
index 38d755205c..d8fcc16729 100644
--- a/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
+++ b/poky/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch
@@ -1,4 +1,4 @@
-From 9bbe3f8564705aafcdcc5f2f033f9241a97f47c6 Mon Sep 17 00:00:00 2001
+From 7b2dd83d8fcd06af8e583b53da79ed0033793d46 Mon Sep 17 00:00:00 2001
From: Alexander Kanavin <alex.kanavin@gmail.com>
Date: Mon, 27 Feb 2017 09:43:30 +0200
Subject: [PATCH] Do not hardcode "lib/rpm" as the installation path for
@@ -14,7 +14,7 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
-index 6c78568e4..76b1d40e4 100644
+index fe35a90fa..b2faec6f3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -966,7 +966,7 @@ else
@@ -40,7 +40,7 @@ index 35c8cf9df..9d8b2825c 100644
%_infodir %{_datadir}/info
%_mandir %{_datadir}/man
diff --git a/rpm.am b/rpm.am
-index cd40a16be..e6941e09f 100644
+index 8e1dc2184..3d889ec86 100644
--- a/rpm.am
+++ b/rpm.am
@@ -1,10 +1,10 @@
@@ -55,4 +55,4 @@ index cd40a16be..e6941e09f 100644
+rpmconfigdir = $(libdir)/rpm
# Libtool version (current-revision-age) for all our libraries
- rpm_version_info = 10:2:1
+ rpm_version_info = 10:3:1
diff --git a/poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb b/poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
index d369c706a2..7c03b41fc8 100644
--- a/poky/meta/recipes-devtools/rpm/rpm_4.16.1.2.bb
+++ b/poky/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
@@ -43,7 +43,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.16.x \
"
PE = "1"
-SRCREV = "278883a704ea36c97974d0f2d65d41abe78b0e2a"
+SRCREV = "3659b8a04f5b8bacf6535e0124e7fe23f15286bd"
S = "${WORKDIR}/git"
diff --git a/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000000..2d51ddf965
--- /dev/null
+++ b/poky/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+CVE: CVE-2020-14387
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+ else
+--
+2.17.1
+
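Review bot: The added `-verify_hostname $hostname` only stops the connection if `s_client` is told to fail on verification errors; without `-verify_return_error` a name mismatch is reported and the handshake continues. `$caopt` is assigned outside this hunk, so confirm that every branch meant to verify the peer puts `-verify_return_error` into it. Separately, `$hostname` is expanded unquoted three times on the `exec` line; writing `"$hostname"` would keep a value containing whitespace or glob characters from being split into extra `s_client` arguments. `rsync_ssl_helper` starts and ends outside the hunk.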
diff --git a/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 8b36a8ebde..cb18667755 100644
--- a/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/poky/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://rsyncd.conf \
file://makefile-no-rebuild.patch \
file://determism.patch \
+ file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
"
SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb b/poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
index 28e12c3cd7..944cb81c1d 100644
--- a/poky/meta/recipes-devtools/ruby/ruby_3.0.0.bb
+++ b/poky/meta/recipes-devtools/ruby/ruby_3.0.1.bb
@@ -8,7 +8,7 @@ SRC_URI += " \
file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
"
-SRC_URI[sha256sum] = "a13ed141a1c18eb967aac1e33f4d6ad5f21be1ac543c344e0d6feeee54af8e28"
+SRC_URI[sha256sum] = "369825db2199f6aeef16b408df6a04ebaddb664fb9af0ec8c686b0ce7ab77727"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
diff --git a/poky/meta/recipes-extended/groff/groff_1.22.4.bb b/poky/meta/recipes-extended/groff/groff_1.22.4.bb
index 983cb9aea6..f0e9eb6a8a 100644
--- a/poky/meta/recipes-extended/groff/groff_1.22.4.bb
+++ b/poky/meta/recipes-extended/groff/groff_1.22.4.bb
@@ -62,6 +62,10 @@ do_install_append() {
rm -rf ${D}${bindir}/glilypond
rm -rf ${D}${libdir}/groff/glilypond
rm -rf ${D}${mandir}/man1/glilypond*
+
+ # not ship /usr/bin/grap2graph and its releated man files
+ rm -rf ${D}${bindir}/grap2graph
+ rm -rf ${D}${mandir}/man1/grap2graph*
}
do_install_append_class-native() {
diff --git a/poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch b/poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
new file mode 100644
index 0000000000..f32cd18370
--- /dev/null
+++ b/poky/meta/recipes-extended/lsb/lsb-release/help2man-reproducibility.patch
@@ -0,0 +1,27 @@
+lsb-release maintains it's own copy of help2man. Include the support
+for specifying SOURCE_DATE_EPOCH from upstream.
+
+Upstream-Status: Pending
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+diff --git a/help2man b/help2man
+index 13015c2..63439db 100755
+--- a/help2man
++++ b/help2man
+@@ -173,7 +173,14 @@ my ($help_text, $version_text) = map {
+ or die "$this_program: can't get `--$_' info from $ARGV[0]\n"
+ } qw(help), $opt_version_key;
+
+-my $date = strftime "%B %Y", localtime;
++my $epoch_secs = time;
++if (exists $ENV{SOURCE_DATE_EPOCH} and $ENV{SOURCE_DATE_EPOCH} =~ /^(\d+)$/)
++{
++ $epoch_secs = $1;
++ $ENV{TZ} = 'UTC0';
++}
++
++my $date = strftime "%B %Y", localtime $epoch_secs;
+ (my $program = $ARGV[0]) =~ s!.*/!!;
+ my $package = $program;
+ my $version;
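Review bot: A `SOURCE_DATE_EPOCH` that is set but does not match `/^(\d+)$/` is silently ignored, and the man page is then stamped with the build machine's current time in its local zone. For a reproducibility fix that failure is hard to spot. An `elsif (exists $ENV{SOURCE_DATE_EPOCH})` arm with `warn "$this_program: ignoring malformed SOURCE_DATE_EPOCH\n";` would surface it in the build log. The header text also has `it's own` where `its own` is meant.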
diff --git a/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb b/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb
index 3e8f7a13ec..bafc18fcc0 100644
--- a/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb
+++ b/poky/meta/recipes-extended/lsb/lsb-release_1.4.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://README;md5=12da544b1a3a5a1795a21160b49471cf"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/lsb/lsb_release/1.4/lsb-release-1.4.tar.gz \
file://0001-fix-lsb_release-to-work-with-busybox-head-and-find.patch \
file://0001-Remove-timestamp-from-manpage.patch \
+ file://help2man-reproducibility.patch \
"
SRC_URI[md5sum] = "30537ef5a01e0ca94b7b8eb6a36bb1e4"
diff --git a/poky/meta/recipes-extended/ltp/ltp_20210121.bb b/poky/meta/recipes-extended/ltp/ltp_20210121.bb
index f58ca2eb2c..d98c9fdc25 100644
--- a/poky/meta/recipes-extended/ltp/ltp_20210121.bb
+++ b/poky/meta/recipes-extended/ltp/ltp_20210121.bb
@@ -61,7 +61,7 @@ EXTRA_OECONF += " --without-tirpc "
do_install(){
install -d ${D}${prefix}/
- oe_runmake DESTDIR=${D} SKIP_IDCHECK=1 install
+ oe_runmake DESTDIR=${D} SKIP_IDCHECK=1 install include-install
# fixup not deploy STPfailure_report.pl to avoid confusing about it fails to run
# as it lacks dependency on some perl moudle such as LWP::Simple
diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000000..fe594b24bb
--- /dev/null
+++ b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+
+ /* If no rendered frame, render the first frame */
+ if (anim->last_frame == NULL) {
++ gsize len = 0;
+ if (anim->last_frame_data == NULL)
+ anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+ if (anim->last_frame_data == NULL)
+ return NULL;
+- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
++ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
++ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
++ else
++ return NULL;
+ composite_frame (anim, g_list_nth_data (anim->frames, 0));
+ }
+
+--
+GitLab
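Review bot: The header tag reads `Upstream-Status: Backported [...]`, while the other backports in this commit use `Upstream-Status: Backport [...]`. Patch-status tooling that matches on the tag value may not classify this one, so I would change it to `Backport`. In the code, a short comment on the new `return NULL`, such as `/* rowstride * height overflowed gsize */`, would tell readers why a frame can be missing. `gdk_pixbuf_gif_anim_iter_get_pixbuf` continues outside the hunk.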
diff --git a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 226e1c7b89..f01da32e71 100644
--- a/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/poky/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
file://missing-test-data.patch \
file://CVE-2020-29385.patch \
+ file://CVE-2021-20240.patch \
"
SRC_URI_append_class-target = " \
diff --git a/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000000..f8e69beb0b
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,121 @@
+From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
+From: Heiko Lewin <heiko.lewin@worldiety.de>
+Date: Tue, 15 Dec 2020 16:48:19 +0100
+Subject: [PATCH] Fix mask usage in image-compositor
+
+CVE: CVE-2020-35492
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85]
+
+original patch from upstream has a binary file, it will cause
+do_patch failed with "git binary diffs are not supported".
+
+so add do_patch_append in recipe to add this binary source. when removing
+this patch, please also remove do_patch_append for this patch
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/cairo-image-compositor.c | 8 ++--
+ test/Makefile.sources | 1 +
+ test/bug-image-compositor.c | 39 ++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 4 deletions(-)
+ create mode 100644 test/bug-image-compositor.c
+
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 79ad69f68..4f8aaed99 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ unsigned num_spans)
+ {
+ cairo_image_span_renderer_t *r = abstract_renderer;
+- uint8_t *m;
++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
+ int x0;
+
+ if (num_spans == 0)
+ return CAIRO_STATUS_SUCCESS;
+
+ x0 = spans[0].x;
+- m = r->_buf;
++ m = base;
+ do {
+ int len = spans[1].x - spans[0].x;
+ if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
+@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ spans[0].x, y,
+ spans[1].x - spans[0].x, h);
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else if (spans[0].coverage == 0x0) {
+ if (spans[0].x != x0) {
+@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h,
+ #endif
+ }
+
+- m = r->_buf;
++ m = base;
+ x0 = spans[1].x;
+ } else {
+ *m++ = spans[0].coverage;
+diff --git a/test/Makefile.sources b/test/Makefile.sources
+index 7eb73647f..86494348d 100644
+--- a/test/Makefile.sources
++++ b/test/Makefile.sources
+@@ -34,6 +34,7 @@ test_sources = \
+ bug-source-cu.c \
+ bug-extents.c \
+ bug-seams.c \
++ bug-image-compositor.c \
+ caps.c \
+ checkerboard.c \
+ caps-joins.c \
+diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c
+new file mode 100644
+index 000000000..fc4fd370b
+--- /dev/null
++++ b/test/bug-image-compositor.c
+@@ -0,0 +1,39 @@
++#include "cairo-test.h"
++
++static cairo_test_status_t
++draw (cairo_t *cr, int width, int height)
++{
++ cairo_set_source_rgb (cr, 0., 0., 0.);
++ cairo_paint (cr);
++
++ cairo_set_source_rgb (cr, 1., 1., 1.);
++ cairo_set_line_width (cr, 1.);
++
++ cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height);
++ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1);
++ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1);
++ cairo_set_source (cr, p);
++
++ cairo_move_to (cr, 0.5, -1);
++ for (int i = 0; i < width; i+=3) {
++ cairo_rel_line_to (cr, 2, 2);
++ cairo_rel_line_to (cr, 1, -2);
++ }
++
++ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE);
++ cairo_stroke (cr);
++
++ cairo_pattern_destroy(p);
++
++ return CAIRO_TEST_SUCCESS;
++}
++
++
++CAIRO_TEST (bug_image_compositor,
++ "Crash in image-compositor",
++ "stroke, stress", /* keywords */
++ NULL, /* requirements */
++ 10000, 1,
++ NULL, draw)
++
++
+--
+GitLab
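Review bot: The new `base` initialiser and the three `m = base;` resets in `_inplace_src_spans` carry no comment saying why the coverage bytes must be written through `pixman_image_get_data(r->mask)` instead of `r->_buf`. Presumably the mask's storage is not always `r->_buf` (the added test draws a surface 10000 pixels wide); confirm that against the renderer setup, which is outside this hunk, and record it at the declaration, e.g. `/* write coverage into the mask's own bits; they are not necessarily r->_buf */`. `base` is also used without a NULL check, so the same setup code has to guarantee that `r->mask` is created before this callback runs. The function body extends outside the quoted hunks.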
diff --git a/poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
new file mode 100644
index 0000000000..939f659d2c
--- /dev/null
+++ b/poky/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png
Binary files differ
diff --git a/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb
index 68f993d7ca..d48da1a4c7 100644
--- a/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb
+++ b/poky/meta/recipes-graphics/cairo/cairo_1.16.0.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
file://CVE-2018-19876.patch \
file://CVE-2019-6461.patch \
file://CVE-2019-6462.patch \
+ file://CVE-2020-35492.patch \
+ file://bug-image-compositor.ref.png \
"
SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552"
@@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no"
# Ensure we don't depend on LZO
export ac_cv_lib_lzo2_lzo2a_decompress="no"
+#for CVE-2020-35492.patch
+do_patch_append() {
+ bb.build.exec_func('do_cp_binary_source', d)
+}
+
+do_cp_binary_source () {
+ cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/
+}
+
do_install_append () {
rm -rf ${D}${bindir}/cairo-sphinx
rm -rf ${D}${libdir}/cairo/cairo-fdr*
diff --git a/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch b/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch
index ef092f17a1..cddd330971 100644
--- a/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch
+++ b/poky/meta/recipes-graphics/glslang/glslang/0001-generate-glslang-pkg-config.patch
@@ -34,14 +34,14 @@ index 00000000..64b6882d
--- /dev/null
+++ b/glslang/glslang.pc.cmake.in
@@ -0,0 +1,11 @@
-+ prefix=@CMAKE_INSTALL_PREFIX@
-+ exec_prefix=@CMAKE_INSTALL_PREFIX@
-+ libdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
-+ includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
-+
-+ Name: @PROJECT_NAME@
-+ Description: OpenGL and OpenGL ES shader front end and validator
-+ Requires:
-+ Version: @GLSLANG_VERSION@
-+ Libs: -L${libdir} -lglslang -lOSDependent -lHLSL -lOGLCompiler -lSPVRemapper
-+ Cflags: -I${includedir}
++prefix=@CMAKE_INSTALL_PREFIX@
++exec_prefix=@CMAKE_INSTALL_PREFIX@
++libdir=${exec_prefix}/@CMAKE_INSTALL_LIBDIR@
++includedir=${prefix}/@CMAKE_INSTALL_INCLUDEDIR@
++
++Name: @PROJECT_NAME@
++Description: OpenGL and OpenGL ES shader front end and validator
++Requires:
++Version: @GLSLANG_VERSION@
++Libs: -L${libdir} -lglslang -lOSDependent -lHLSL -lOGLCompiler -lSPVRemapper
++Cflags: -I${includedir}
diff --git a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb
index b6efc6bca0..0bd6af8db9 100644
--- a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb
+++ b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.6.bb
@@ -29,7 +29,7 @@ RCONFLICTS_${PN} += "jpeg"
inherit cmake pkgconfig
-export NASMENV = "--debug-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
+export NASMENV = "--reproducible --debug-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
# Add nasm-native dependency consistently for all build arches is hard
EXTRA_OECMAKE_append_class-native = " -DWITH_SIMD=False"
diff --git a/poky/meta/recipes-graphics/mesa/mesa-gl_21.0.1.bb b/poky/meta/recipes-graphics/mesa/mesa-gl_21.0.3.bb
index dff79f0be0..dff79f0be0 100644
--- a/poky/meta/recipes-graphics/mesa/mesa-gl_21.0.1.bb
+++ b/poky/meta/recipes-graphics/mesa/mesa-gl_21.0.3.bb
diff --git a/poky/meta/recipes-graphics/mesa/mesa.inc b/poky/meta/recipes-graphics/mesa/mesa.inc
index caf3c62ad8..a85f94c75e 100644
--- a/poky/meta/recipes-graphics/mesa/mesa.inc
+++ b/poky/meta/recipes-graphics/mesa/mesa.inc
@@ -21,7 +21,7 @@ SRC_URI = "https://mesa.freedesktop.org/archive/mesa-${PV}.tar.xz \
file://0001-futex.h-Define-__NR_futex-if-it-does-not-exist.patch \
"
-SRC_URI[sha256sum] = "379fc984459394f2ab2d84049efdc3a659869dc1328ce72ef0598506611712bb"
+SRC_URI[sha256sum] = "565c6f4bd2d5747b919454fc1d439963024fc78ca56fd05158c3b2cde2f6912b"
UPSTREAM_CHECK_GITTAGREGEX = "mesa-(?P<pver>\d+(\.\d+)+)"
diff --git a/poky/meta/recipes-graphics/mesa/mesa_21.0.1.bb b/poky/meta/recipes-graphics/mesa/mesa_21.0.3.bb
index 8c584d8e9f..8c584d8e9f 100644
--- a/poky/meta/recipes-graphics/mesa/mesa_21.0.1.bb
+++ b/poky/meta/recipes-graphics/mesa/mesa_21.0.3.bb
diff --git a/poky/meta/recipes-graphics/pango/pango_1.48.2.bb b/poky/meta/recipes-graphics/pango/pango_1.48.2.bb
index 1dcb43b5e1..aa279bb503 100644
--- a/poky/meta/recipes-graphics/pango/pango_1.48.2.bb
+++ b/poky/meta/recipes-graphics/pango/pango_1.48.2.bb
@@ -18,6 +18,8 @@ inherit gnomebase gtk-doc ptest-gnome upstream-version-is-even gobject-introspec
GIR_MESON_ENABLE_FLAG = "enabled"
GIR_MESON_DISABLE_FLAG = "disabled"
+SRC_URI += "file://run-ptest"
+
SRC_URI[archive.sha256sum] = "d21f8b30dc8abdfc55de25656ecb88dc1105eeeb315e5e2a980dcef8010c2c80"
DEPENDS = "glib-2.0 glib-2.0-native fontconfig freetype virtual/libiconv cairo harfbuzz fribidi"
diff --git a/poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch b/poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch
new file mode 100644
index 0000000000..06e0f7baec
--- /dev/null
+++ b/poky/meta/recipes-graphics/wayland/weston/0001-meson.build-fix-incorrect-header.patch
@@ -0,0 +1,32 @@
+From a2ba4714a6872e547621d29d9ddcb0f374b88cf6 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 20 Apr 2021 20:42:18 -0700
+Subject: [PATCH] meson.build: fix incorrect header
+
+The wayland.c actually include 'xdg-shell-client-protocol.h' instead of
+the server one, so fix it. Otherwise, it's possible to get build failure
+due to race condition.
+
+Upstream-Status: Pending
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ libweston/backend-wayland/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libweston/backend-wayland/meson.build b/libweston/backend-wayland/meson.build
+index 7e82513..29270b5 100644
+--- a/libweston/backend-wayland/meson.build
++++ b/libweston/backend-wayland/meson.build
+@@ -10,7 +10,7 @@ srcs_wlwl = [
+ fullscreen_shell_unstable_v1_protocol_c,
+ presentation_time_protocol_c,
+ presentation_time_server_protocol_h,
+- xdg_shell_server_protocol_h,
++ xdg_shell_client_protocol_h,
+ xdg_shell_protocol_c,
+ ]
+
+--
+2.30.2
+
diff --git a/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb b/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb
index 50fbfa613b..bcbac06d58 100644
--- a/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb
+++ b/poky/meta/recipes-graphics/wayland/weston_9.0.0.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://wayland.freedesktop.org/releases/${BPN}-${PV}.tar.xz \
file://xwayland.weston-start \
file://0001-weston-launch-Provide-a-default-version-that-doesn-t.patch \
file://0001-tests-include-fcntl.h-for-open-O_RDWR-O_CLOEXEC-and-.patch \
+ file://0001-meson.build-fix-incorrect-header.patch \
"
SRC_URI_append_libc-musl = " file://dont-use-plane-add-prop.patch "
diff --git a/poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch b/poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch
new file mode 100644
index 0000000000..3e87794d20
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-lib/libxshmfence/0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch
@@ -0,0 +1,39 @@
+From 5827f6389a227157958d14a687fb29223cb3a03a Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Wed, 7 Apr 2021 07:48:42 +0000
+Subject: [PATCH] xshmfence_futex.h: Define SYS_futex if it does not exist
+
+_NR_futex is not defines by newer architectures e.g. riscv32 as
+they only have 64bit variant of time_t. Glibc defines SYS_futex
+interface based on __NR_futex, since this is used in applications,
+such applications start to fail to build for these newer architectures.
+This patch defines a fallback to alias __NR_futex to __NR_futex_time64
+to make SYS_futex keep working.
+
+Reference: https://git.openembedded.org/openembedded-core/commit/?id=7a218adf9990f5e18d0b6a33eb34091969f979c7
+
+Upstream-Status: Pending
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ src/xshmfence_futex.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/xshmfence_futex.h b/src/xshmfence_futex.h
+index 673ac0e..a71efa5 100644
+--- a/src/xshmfence_futex.h
++++ b/src/xshmfence_futex.h
+@@ -53,6 +53,10 @@ static inline int futex_wait(int32_t *addr, int32_t value) {
+ #include <sys/time.h>
+ #include <sys/syscall.h>
+
++#if !defined(SYS_futex) && defined(SYS_futex_time64)
++#define SYS_futex SYS_futex_time64
++#endif
++
+ static inline long sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
+ {
+ return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
+--
+2.29.2
+
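Review bot: The fallback `#define SYS_futex SYS_futex_time64` in the embedded patch is only correct where `struct timespec` already has the 64-bit layout the time64 syscall expects, and nothing in the code states that. The guard `!defined(SYS_futex) && defined(SYS_futex_time64)` presumably limits it to such architectures, as the patch description says for riscv32. A comment would keep a later edit from widening it: `/* only arches with 64-bit time_t lack SYS_futex; timeout must be a 64-bit timespec */`. `sys_futex` continues past the end of the inner hunk, so how callers populate `timeout` is not visible here.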
diff --git a/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb b/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
index cc45696530..d153c7a603 100644
--- a/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/libxshmfence_1.3.bb
@@ -13,7 +13,9 @@ DEPENDS += "virtual/libx11"
EXTRA_OECONF += "--with-shared-memory-dir=/dev/shm"
-BBCLASSEXTEND = "native nativesdk"
+SRC_URI += "file://0001-xshmfence_futex.h-Define-SYS_futex-if-it-does-not-ex.patch"
SRC_URI[md5sum] = "42dda8016943dc12aff2c03a036e0937"
SRC_URI[sha256sum] = "b884300d26a14961a076fbebc762a39831cb75f92bed5ccf9836345b459220c7"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
new file mode 100644
index 0000000000..5480f71871
--- /dev/null
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-3472.patch
@@ -0,0 +1,43 @@
+From 7aaf54a1884f71dc363f0b884e57bcb67407a6cd Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sun, 21 Mar 2021 18:38:57 +0100
+Subject: [PATCH] Fix XChangeFeedbackControl() request underflow
+
+CVE-2021-3472 / ZDI-CAN-1259
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3472
+
+Reference to upstream patch:
+[https://gitlab.freedesktop.org/xorg/xserver/-/commit/7aaf54a1884f71dc363f0b884e57bcb67407a6cd]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ Xi/chgfctl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/chgfctl.c b/Xi/chgfctl.c
+index 1de4da9..7a597e4 100644
+--- a/Xi/chgfctl.c
++++ b/Xi/chgfctl.c
+@@ -464,8 +464,11 @@ ProcXChangeFeedbackControl(ClientPtr client)
+ break;
+ case StringFeedbackClass:
+ {
+- xStringFeedbackCtl *f = ((xStringFeedbackCtl *) &stuff[1]);
++ xStringFeedbackCtl *f;
+
++ REQUEST_AT_LEAST_EXTRA_SIZE(xChangeFeedbackControlReq,
++ sizeof(xStringFeedbackCtl));
++ f = ((xStringFeedbackCtl *) &stuff[1]);
+ if (client->swapped) {
+ if (len < bytes_to_int32(sizeof(xStringFeedbackCtl)))
+ return BadLength;
+--
+2.17.1
+
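Review bot: The new `REQUEST_AT_LEAST_EXTRA_SIZE` check in the `StringFeedbackClass` case carries no comment tying it to the access it protects, and the patch description names the CVE without describing the failure. A one-line comment would do, for example `/* CVE-2021-3472: request must be long enough to hold an xStringFeedbackCtl before stuff[1] is read */`. Because this is a verbatim backport, the explanation may be better placed in the patch header than in the code. The other cases of the switch are outside the hunk, so whether they are guarded the same way cannot be confirmed from here.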
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
index 5c6dbac4d7..755a762a73 100644
--- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
+++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.10.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://0001-drmmode_display.c-add-missing-mi.h-include.patch \
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
file://0001-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch \
+ file://CVE-2021-3472.patch \
"
SRC_URI[sha256sum] = "977420c082450dc808de301ef56af4856d653eea71519a973c3490a780cb7c99"
diff --git a/poky/meta/recipes-kernel/kmod/kmod.inc b/poky/meta/recipes-kernel/kmod/kmod.inc
index ccda9f2b73..ba5ec7f650 100644
--- a/poky/meta/recipes-kernel/kmod/kmod.inc
+++ b/poky/meta/recipes-kernel/kmod/kmod.inc
@@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \
S = "${WORKDIR}/git"
-EXTRA_AUTORECONF += "--install --symlink"
EXTRA_OECONF +=" --enable-tools --with-zlib"
PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb
index 78856cbf66..bd1f177209 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210315.bb
@@ -132,7 +132,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \
file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \
- file://WHENCE;md5=ef0565762eac313c409567b59dff00b2 \
+ file://WHENCE;md5=e21a8cbddc1612bce56f06fe154a0743 \
"
# These are not common licenses, set NO_GENERIC_LICENSE for them
@@ -205,7 +205,7 @@ PE = "1"
SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "1bcb1a3944c361507754a7d26ccff40ffc28d1fb93bce711d67da26b33e785b7"
+SRC_URI[sha256sum] = "a2348f03492713dca9aef202496c6e58f5e63ee5bec6a7bdfcf8b18ce7155e70"
inherit allarch
@@ -645,8 +645,8 @@ FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.
"
FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin"
FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin"
-FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin \
- ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.bin \
+FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.* \
+ ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.* \
"
FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin"
FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb b/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb
index 8725473d1c..ee41d612fd 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-dev.bb
@@ -50,5 +50,7 @@ KERNEL_FEATURES_append_qemuall=" cfg/virtio.scc features/drm-bochs/drm-bochs.scc
KERNEL_FEATURES_append_qemux86=" cfg/sound.scc cfg/paravirt_kvm.scc"
KERNEL_FEATURES_append_qemux86-64=" cfg/sound.scc cfg/paravirt_kvm.scc"
KERNEL_FEATURES_append = " ${@bb.utils.contains("TUNE_FEATURES", "mx32", " cfg/x32.scc", "", d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ptest", " features/scsi/scsi-debug.scc", "", d)}"
+KERNEL_FEATURES_append = " ${@bb.utils.contains("DISTRO_FEATURES", "ptest", " features/gpio/mockup.scc", "", d)}"
KERNEL_VERSION_SANITY_SKIP = "1"
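Review bot: The two added `KERNEL_FEATURES_append` lines enable the scsi-debug and gpio mockup fragments whenever `ptest` is in DISTRO_FEATURES, with no comment naming which test suites need them. These look like test-only drivers, so a kernel built for a ptest-enabled distro would carry them into every image, not only test images. That is an assumption from the fragment names and worth confirming. I would add a comment such as `# test-only drivers required by ptest suites; not meant for production kernels` above the pair.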
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
index cb34887cda..08314ea03e 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.10.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "be2935bce35f9adb6d0e735d42651e81a5094adf"
-SRCREV_meta ?= "031f6c76e488a3563f35258c72ff1de3e25a512e"
+SRCREV_machine ?= "400fbf5b14a0c88afb7c31d65be56fb9d6214c81"
+SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.10.25"
+LINUX_VERSION ?= "5.10.34"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 2ffc8ed542..f82c6b335b 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "65bbe689d98a007848008be2c8edeb5fa8066829"
-SRCREV_meta ?= "19738ca97b999a3b150e2d34232bb44b6537348f"
+SRCREV_machine ?= "b62ae8bedb024e67e7c5cda51840454a4170c858"
+SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.107"
+LINUX_VERSION ?= "5.4.116"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
index 83e59b0ebb..8bd674f116 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.10.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.10.25"
+LINUX_VERSION ?= "5.10.34"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "0f87ec9fea7a5695cd063d9d11d89751efa53ddd"
-SRCREV_machine ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_meta ?= "031f6c76e488a3563f35258c72ff1de3e25a512e"
+SRCREV_machine_qemuarm ?= "bf33b78f5136873b6d2ec6274908cf688341bc9e"
+SRCREV_machine ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 2b6e35a69c..1c3fe73ae5 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.107"
+LINUX_VERSION ?= "5.4.116"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "ac3cbab1d6692d4a032dfffe0a604f39a634d18a"
-SRCREV_machine ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_meta ?= "19738ca97b999a3b150e2d34232bb44b6537348f"
+SRCREV_machine_qemuarm ?= "80bd6016a9bdaed4b66ddffffa8c8e62d7c1f8a6"
+SRCREV_machine ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
index 026e69511a..2e7a452495 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.10.bb
@@ -13,17 +13,17 @@ KBRANCH_qemux86 ?= "v5.10/standard/base"
KBRANCH_qemux86-64 ?= "v5.10/standard/base"
KBRANCH_qemumips64 ?= "v5.10/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "d8551cae1ccdbe062a5c6068ce39ea8f4e1c72db"
-SRCREV_machine_qemuarm64 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemumips ?= "7f1f1ad2f2d90b1b070c6b0a82f0add9aa492e37"
-SRCREV_machine_qemuppc ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemuriscv64 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemuriscv32 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemux86 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemux86-64 ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_machine_qemumips64 ?= "fd5ac097b891642eea13659bea536f3ec5910d6d"
-SRCREV_machine ?= "cf5b0320cf4544d3db9ce3ddd6ddb7553a610651"
-SRCREV_meta ?= "031f6c76e488a3563f35258c72ff1de3e25a512e"
+SRCREV_machine_qemuarm ?= "78e8e722eec4434024c5db3e0d59da0b128c7647"
+SRCREV_machine_qemuarm64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemumips ?= "b5c0852a90709e77f7a3d185d1745e6a1f66b77c"
+SRCREV_machine_qemuppc ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemuriscv64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemuriscv32 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemux86 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemux86-64 ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_machine_qemumips64 ?= "bf264e264d2141a4fb61d515573c27935e67ecfa"
+SRCREV_machine ?= "85c17ad073e9249f261cc550e8ada89a900d7d9a"
+SRCREV_meta ?= "38eb7ca3f4b59339c57a04c310f20809b198fa91"
# remap qemuarm to qemuarma15 for the 5.8 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -32,7 +32,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.10;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "5.10.25"
+LINUX_VERSION ?= "5.10.34"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 245c3d574b..5245530229 100644
--- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "ea4097dbff5a148265018e1a998e02b5a05e3d27"
-SRCREV_machine_qemuarm64 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemumips ?= "230ca33504faef6f40c5d3b24901aaacb901c9a6"
-SRCREV_machine_qemuppc ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemuriscv64 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemux86 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemux86-64 ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_machine_qemumips64 ?= "84e071a893ef9cea8a8ffbcd233b47a2bc9056b5"
-SRCREV_machine ?= "cf76c5c0dc0edd51ae4a75a1f8701a2675e87c72"
-SRCREV_meta ?= "19738ca97b999a3b150e2d34232bb44b6537348f"
+SRCREV_machine_qemuarm ?= "e71df0530eefcac1b3248329e385bcefbad6336e"
+SRCREV_machine_qemuarm64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemumips ?= "07445052fdd15e60b30dc5ae9d162c2e6bba47d1"
+SRCREV_machine_qemuppc ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemuriscv64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemux86 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemux86-64 ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_machine_qemumips64 ?= "b36d79d6f2aaf9dadec352f611e7b9becf2b9a55"
+SRCREV_machine ?= "ea7a54fa402727f3c4bc4a1904d4a9590e7c8b85"
+SRCREV_meta ?= "b89df7433ea8124d3092805391b78808df4147a7"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.107"
+LINUX_VERSION ?= "5.4.116"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch
new file mode 100644
index 0000000000..3a2280ccdc
--- /dev/null
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules/0005-fix-block-add-a-disk_uevent-helper-v5.12.patch
@@ -0,0 +1,305 @@
+From 17cd2dc91cb82ed342b0da699f2b1a70c1bf6a03 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Mon, 15 Mar 2021 14:54:02 -0400
+Subject: [PATCH 2/4] fix: block: add a disk_uevent helper (v5.12)
+
+See upstream commit:
+
+ commit bc359d03c7ec1bf3b86d03bafaf6bbb21e6414fd
+ Author: Christoph Hellwig <hch@lst.de>
+ Date: Sun Jan 24 11:02:39 2021 +0100
+
+ block: add a disk_uevent helper
+
+ Add a helper to call kobject_uevent for the disk and all partitions, and
+ unexport the disk_part_iter_* helpers that are now only used in the core
+ block code.
+
+Upstream-status: Backport [2.12.6]
+
+Change-Id: If6e8797049642ab382d5699660ee1dd734e92c90
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+---
+ Makefile | 1 +
+ lttng-statedump-impl.c | 34 +++++++++----
+ src/wrapper/genhd.c | 111 +++++++++++++++++++++++++++++++++++++++++
+ wrapper/genhd.h | 62 +++++++++++++++++++++++
+ 4 files changed, 198 insertions(+), 10 deletions(-)
+ create mode 100644 src/wrapper/genhd.c
+
+diff --git a/Makefile b/Makefile
+index a9aff3f1..34043cfb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -80,6 +80,7 @@ ifneq ($(KERNELRELEASE),)
+ wrapper/kallsyms.o \
+ wrapper/irqdesc.o \
+ wrapper/fdtable.o \
++ wrapper/genhd.o \
+ lttng-wrapper-impl.o
+
+ ifneq ($(CONFIG_HAVE_SYSCALL_TRACEPOINTS),)
+diff --git a/lttng-statedump-impl.c b/lttng-statedump-impl.c
+index 60b937c9..5511c7e8 100644
+--- a/lttng-statedump-impl.c
++++ b/lttng-statedump-impl.c
+@@ -250,13 +250,17 @@ int lttng_enumerate_block_devices(struct lttng_session *session)
+ struct device_type *ptr_disk_type;
+ struct class_dev_iter iter;
+ struct device *dev;
++ int ret = 0;
+
+ ptr_block_class = wrapper_get_block_class();
+- if (!ptr_block_class)
+- return -ENOSYS;
++ if (!ptr_block_class) {
++ ret = -ENOSYS;
++ goto end;
++ }
+ ptr_disk_type = wrapper_get_disk_type();
+ if (!ptr_disk_type) {
+- return -ENOSYS;
++ ret = -ENOSYS;
++ goto end;
+ }
+ class_dev_iter_init(&iter, ptr_block_class, NULL, ptr_disk_type);
+ while ((dev = class_dev_iter_next(&iter))) {
+@@ -272,22 +276,32 @@ int lttng_enumerate_block_devices(struct lttng_session *session)
+ (disk->flags & GENHD_FL_SUPPRESS_PARTITION_INFO))
+ continue;
+
+- disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0);
+- while ((part = disk_part_iter_next(&piter))) {
++ /*
++ * The original 'disk_part_iter_init' returns void, but our
++ * wrapper can fail to lookup the original symbol.
++ */
++ if (wrapper_disk_part_iter_init(&piter, disk, DISK_PITER_INCL_PART0) < 0) {
++ ret = -ENOSYS;
++ goto iter_exit;
++ }
++
++ while ((part = wrapper_disk_part_iter_next(&piter))) {
+ char name_buf[BDEVNAME_SIZE];
+
+ if (lttng_get_part_name(disk, part, name_buf) == -ENOSYS) {
+- disk_part_iter_exit(&piter);
+- class_dev_iter_exit(&iter);
+- return -ENOSYS;
++ wrapper_disk_part_iter_exit(&piter);
++ ret = -ENOSYS;
++ goto iter_exit;
+ }
+ trace_lttng_statedump_block_device(session,
+ lttng_get_part_devt(part), name_buf);
+ }
+- disk_part_iter_exit(&piter);
++ wrapper_disk_part_iter_exit(&piter);
+ }
++iter_exit:
+ class_dev_iter_exit(&iter);
+- return 0;
++end:
++ return ret;
+ }
+
+ #ifdef CONFIG_INET
+diff --git a/src/wrapper/genhd.c b/src/wrapper/genhd.c
+new file mode 100644
+index 00000000..a5a6c410
+--- /dev/null
++++ b/src/wrapper/genhd.c
+@@ -0,0 +1,111 @@
++/* SPDX-License-Identifier: (GPL-2.0-only OR LGPL-2.1-only)
++ *
++ * wrapper/genhd.c
++ *
++ * Wrapper around disk_part_iter_(init|next|exit). Using KALLSYMS to get the
++ * addresses when available, else we need to have a kernel that exports this
++ * function to GPL modules. This export was removed in 5.12.
++ *
++ * Copyright (C) 2021 Michael Jeanson <mjeanson@efficios.com>
++ */
++
++#include <lttng/kernel-version.h>
++#include <linux/module.h>
++#include <wrapper/genhd.h>
++
++#if (defined(CONFIG_KALLSYMS) && \
++ (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0)))
++
++#include <wrapper/kallsyms.h>
++
++static
++void (*disk_part_iter_init_sym)(struct disk_part_iter *piter, struct gendisk *disk,
++ unsigned int flags);
++
++static
++LTTNG_DISK_PART_TYPE *(*disk_part_iter_next_sym)(struct disk_part_iter *piter);
++
++static
++void (*disk_part_iter_exit_sym)(struct disk_part_iter *piter);
++
++/*
++ * This wrapper has an 'int' return type instead of the original 'void', to be
++ * able to report the symbol lookup failure to the caller.
++ *
++ * Return 0 on success, -1 on error.
++ */
++int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++ unsigned int flags)
++{
++ if (!disk_part_iter_init_sym)
++ disk_part_iter_init_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_init");
++
++ if (disk_part_iter_init_sym) {
++ disk_part_iter_init_sym(piter, disk, flags);
++ } else {
++ printk_once(KERN_WARNING "LTTng: disk_part_iter_init symbol lookup failed.\n");
++ return -1;
++ }
++ return 0;
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init);
++
++LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter)
++{
++ if (!disk_part_iter_next_sym)
++ disk_part_iter_next_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_next");
++
++ if (disk_part_iter_next_sym) {
++ return disk_part_iter_next_sym(piter);
++ } else {
++ printk_once(KERN_WARNING "LTTng: disk_part_iter_next symbol lookup failed.\n");
++ return NULL;
++ }
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next);
++
++/*
++ * We don't return an error on symbol lookup failure here because there is
++ * nothing the caller can do to cleanup the iterator.
++ */
++void wrapper_disk_part_iter_exit(struct disk_part_iter *piter)
++{
++ if (!disk_part_iter_exit_sym)
++ disk_part_iter_exit_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_exit");
++
++ if (disk_part_iter_exit_sym) {
++ disk_part_iter_exit_sym(piter);
++ } else {
++ printk_once(KERN_WARNING "LTTng: disk_part_iter_exit symbol lookup failed.\n");
++ }
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit);
++
++#else
++
++/*
++ * This wrapper has an 'int' return type instead of the original 'void', so the
++ * kallsyms variant can report the symbol lookup failure to the caller.
++ *
++ * This variant always succeeds and returns 0.
++ */
++int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++ unsigned int flags)
++{
++ disk_part_iter_init(piter, disk, flags);
++ return 0;
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_init);
++
++LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter)
++{
++ return disk_part_iter_next(piter);
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_next);
++
++void wrapper_disk_part_iter_exit(struct disk_part_iter *piter)
++{
++ disk_part_iter_exit(piter);
++}
++EXPORT_SYMBOL_GPL(wrapper_disk_part_iter_exit);
++#endif
+diff --git a/wrapper/genhd.h b/wrapper/genhd.h
+index 98feb57b..6bae239d 100644
+--- a/wrapper/genhd.h
++++ b/wrapper/genhd.h
+@@ -13,6 +13,13 @@
+ #define _LTTNG_WRAPPER_GENHD_H
+
+ #include <linux/genhd.h>
++#include <lttng/kernel-version.h>
++
++#if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0))
++#define LTTNG_DISK_PART_TYPE struct block_device
++#else
++#define LTTNG_DISK_PART_TYPE struct hd_struct
++#endif
+
+ #ifdef CONFIG_KALLSYMS_ALL
+
+@@ -94,4 +101,59 @@ struct device_type *wrapper_get_disk_type(void)
+
+ #endif
+
++/*
++ * This wrapper has an 'int' return type instead of the original 'void', to be
++ * able to report the symbol lookup failure to the caller.
++ *
++ * Return 0 on success, -1 on error.
++ */
++int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++ unsigned int flags);
++LTTNG_DISK_PART_TYPE *wrapper_disk_part_iter_next(struct disk_part_iter *piter);
++void wrapper_disk_part_iter_exit(struct disk_part_iter *piter);
++
++/*
++ * Canary function to check for 'disk_part_iter_init()' at compile time.
++ *
++ * From 'include/linux/genhd.h':
++ *
++ * extern void disk_part_iter_init(struct disk_part_iter *piter,
++ * struct gendisk *disk, unsigned int flags);
++ *
++ */
++static inline
++void __canary__disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
++ unsigned int flags)
++{
++ disk_part_iter_init(piter, disk, flags);
++}
++
++/*
++ * Canary function to check for 'disk_part_iter_next()' at compile time.
++ *
++ * From 'include/linux/genhd.h':
++ *
++ * struct block_device *disk_part_iter_next(struct disk_part_iter *piter);
++ *
++ */
++static inline
++LTTNG_DISK_PART_TYPE *__canary__disk_part_iter_next(struct disk_part_iter *piter)
++{
++ return disk_part_iter_next(piter);
++}
++
++/*
++ * Canary function to check for 'disk_part_iter_exit()' at compile time.
++ *
++ * From 'include/linux/genhd.h':
++ *
++ * extern void disk_part_iter_exit(struct disk_part_iter *piter);
++ *
++ */
++static inline
++void __canary__disk_part_iter_exit(struct disk_part_iter *piter)
++{
++ return disk_part_iter_exit(piter);
++}
++
+ #endif /* _LTTNG_WRAPPER_GENHD_H */
+--
+2.25.1
+
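Review bot: In the kallsyms variant added in src/wrapper/genhd.c, a failed lookup in `wrapper_disk_part_iter_next` returns NULL, which the `while ((part = wrapper_disk_part_iter_next(&piter)))` loop in `lttng_enumerate_block_devices` cannot tell apart from the end of the partition list, so the state dump would silently omit devices and still return 0. A failed lookup in `wrapper_disk_part_iter_exit` only logs, leaving the iterator unreleased, as the patch's own comment concedes. Resolving all three symbols in `wrapper_disk_part_iter_init` and returning -1 if any is missing would let the existing `ret = -ENOSYS` path cover every case before iteration starts. Separately, the header tag is spelled `Upstream-status:` here and `Upstream-Status:` in the other patches on this page, and should be made consistent.

```c
int wrapper_disk_part_iter_init(struct disk_part_iter *piter, struct gendisk *disk,
		unsigned int flags)
{
	/*
	 * Resolve all three symbols up front so that a partial lookup
	 * failure is reported before any iteration starts.
	 */
	if (!disk_part_iter_init_sym)
		disk_part_iter_init_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_init");
	if (!disk_part_iter_next_sym)
		disk_part_iter_next_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_next");
	if (!disk_part_iter_exit_sym)
		disk_part_iter_exit_sym = (void *) kallsyms_lookup_funcptr("disk_part_iter_exit");

	if (!disk_part_iter_init_sym || !disk_part_iter_next_sym ||
			!disk_part_iter_exit_sym) {
		printk_once(KERN_WARNING "LTTng: disk_part_iter_* symbol lookup failed.\n");
		return -1;
	}

	disk_part_iter_init_sym(piter, disk, flags);
	return 0;
}
/* … unchanged: wrapper_disk_part_iter_next, wrapper_disk_part_iter_exit … */
```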
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch
new file mode 100644
index 0000000000..e32b3e7a2e
--- /dev/null
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules/0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch
@@ -0,0 +1,48 @@
+From 127135b6a45d5fca828815c62308f72de97e5739 Mon Sep 17 00:00:00 2001
+From: Michael Jeanson <mjeanson@efficios.com>
+Date: Thu, 15 Apr 2021 13:56:24 -0400
+Subject: [PATCH 3/4] fix backport: block: add a disk_uevent helper (v5.12)
+
+Upstream-Status: Backport [2.12.6]
+
+Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I717162069990577abe78e5e7fed28816f32b2c84
+---
+ {src/wrapper => wrapper}/genhd.c | 2 +-
+ wrapper/genhd.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ rename {src/wrapper => wrapper}/genhd.c (98%)
+
+diff --git a/src/wrapper/genhd.c b/wrapper/genhd.c
+similarity index 98%
+rename from src/wrapper/genhd.c
+rename to wrapper/genhd.c
+index a5a6c410..cbec06f7 100644
+--- a/src/wrapper/genhd.c
++++ b/wrapper/genhd.c
+@@ -9,7 +9,7 @@
+ * Copyright (C) 2021 Michael Jeanson <mjeanson@efficios.com>
+ */
+
+-#include <lttng/kernel-version.h>
++#include <lttng-kernel-version.h>
+ #include <linux/module.h>
+ #include <wrapper/genhd.h>
+
+diff --git a/wrapper/genhd.h b/wrapper/genhd.h
+index 6bae239d..1b4a4201 100644
+--- a/wrapper/genhd.h
++++ b/wrapper/genhd.h
+@@ -13,7 +13,7 @@
+ #define _LTTNG_WRAPPER_GENHD_H
+
+ #include <linux/genhd.h>
+-#include <lttng/kernel-version.h>
++#include <lttng-kernel-version.h>
+
+ #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,11,0))
+ #define LTTNG_DISK_PART_TYPE struct block_device
+--
+2.25.1
+
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch b/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch
new file mode 100644
index 0000000000..dfc9427dca
--- /dev/null
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules/0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch
@@ -0,0 +1,71 @@
+From 853d5903a200d8a15b3f38780ddaea5c92fa1a03 Mon Sep 17 00:00:00 2001
+From: He Zhe <zhe.he@windriver.com>
+Date: Mon, 19 Apr 2021 09:09:28 +0000
+Subject: [PATCH 4/4] fix: mm, tracing: kfree event name mismatching with
+ provider kmem (v5.12)
+
+a8bc8ae5c932 ("fix: mm, tracing: record slab name for kmem_cache_free() (v5.12)")
+introduces the following call trace for kfree. This is caused by mismatch
+between kfree event and its provider kmem.
+
+This patch maps kfree to kmem_kfree.
+
+WARNING: CPU: 2 PID: 42294 at src/lttng-probes.c:81 fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer]
+CPU: 2 PID: 42294 Comm: modprobe Tainted: G O 5.12.0-rc6-yoctodev-standard #1
+Hardware name: Intel Corporation JACOBSVILLE/JACOBSVILLE, BIOS JBVLCRB2.86B.0014.P20.2004020248 04/02/2020
+RIP: 0010:fixup_lazy_probes+0xb0/0x1b0 [lttng_tracer]
+Code: 75 28 83 c3 01 3b 5d c4 74 22 48 8b 4d d0 48 63
+ c3 4c 89 e2 4c 89 f6 48 8b 04 c1 4c 8b 38 4c 89
+ ff e8 64 9f 4b de 85 c0 74 c3 <0f> 0b 48 8b 05 bf
+ f2 1e 00 48 8d 50 e8 48 3d f0 a0 98 c0 75 18 eb
+RSP: 0018:ffffb976807bfbe0 EFLAGS: 00010286
+RAX: 00000000ffffffff RBX: 0000000000000004 RCX: 0000000000000004
+RDX: 0000000000000066 RSI: ffffffffc03c10a7 RDI: ffffffffc03c11a1
+RBP: ffffb976807bfc28 R08: 0000000000000000 R09: 0000000000000001
+R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000004
+R13: ffffffffc03c2000 R14: ffffffffc03c10a7 R15: ffffffffc03c11a1
+FS: 00007f0ef9533740(0000) GS:ffffa100faa00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000561e8f0aa000 CR3: 000000015b318000 CR4: 0000000000350ee0
+Call Trace:
+ lttng_probe_register+0x38/0xe0 [lttng_tracer]
+ ? __event_probe__module_load+0x520/0x520 [lttng_probe_module]
+ __lttng_events_init__module+0x15/0x20 [lttng_probe_module]
+ do_one_initcall+0x68/0x310
+ ? kmem_cache_alloc_trace+0x2ad/0x4c0
+ ? do_init_module+0x28/0x280
+ do_init_module+0x62/0x280
+ load_module+0x26e4/0x2920
+ ? kernel_read_file+0x22e/0x290
+ __do_sys_finit_module+0xb1/0xf0
+ __x64_sys_finit_module+0x1a/0x20
+ do_syscall_64+0x38/0x50
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Upstream-Status: Backport [2.12.6]
+
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Change-Id: I00e8ee2b8c35f6f8602c88295f5113fbbd139709
+---
+ instrumentation/events/lttng-module/kmem.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/instrumentation/events/lttng-module/kmem.h b/instrumentation/events/lttng-module/kmem.h
+index d787ea54..c9edee61 100644
+--- a/instrumentation/events/lttng-module/kmem.h
++++ b/instrumentation/events/lttng-module/kmem.h
+@@ -88,7 +88,9 @@ LTTNG_TRACEPOINT_EVENT_INSTANCE(kmem_alloc_node, kmem_cache_alloc_node,
+ )
+
+ #if (LTTNG_LINUX_VERSION_CODE >= LTTNG_KERNEL_VERSION(5,12,0))
+-LTTNG_TRACEPOINT_EVENT(kfree,
++LTTNG_TRACEPOINT_EVENT_MAP(kfree,
++
++ kmem_kfree,
+
+ TP_PROTO(unsigned long call_site, const void *ptr),
+
+--
+2.25.1
+
diff --git a/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb b/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
index 5b05c644a6..1a01cb0c01 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-modules_2.12.5.bb
@@ -15,6 +15,9 @@ SRC_URI = "https://lttng.org/files/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0002-Fix-filter-interpreter-early-exits-on-uninitialized-.patch \
file://0003-fix-mm-tracing-record-slab-name-for-kmem_cache_free-.patch \
file://0004-Fix-kretprobe-null-ptr-deref-on-session-destroy.patch \
+ file://0005-fix-block-add-a-disk_uevent-helper-v5.12.patch \
+ file://0006-fix-backport-block-add-a-disk_uevent-helper-v5.12.patch \
+ file://0007-fix-mm-tracing-kfree-event-name-mismatching-with-pro.patch \
"
SRC_URI[sha256sum] = "c4d1a1b42c728e37b6b7947ae16563a011c4b297311aa04d56f9a1791fb5a30a"
diff --git a/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb b/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
index 7074096ee7..6132daf1a1 100644
--- a/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
+++ b/poky/meta/recipes-kernel/lttng/lttng-tools_2.12.3.bb
@@ -69,7 +69,7 @@ do_install_append () {
}
do_install_ptest () {
- for f in Makefile tests/Makefile tests/utils/utils.sh tests/regression/tools/save-load/load-42*.lttng tests/regression/tools/save-load/configuration/load-42*.lttng tests/regression/tools/health/test_health.sh tests/regression/tools/metadata/utils.sh tests/regression/tools/rotation/rotate_utils.sh; do
+ for f in Makefile tests/Makefile tests/utils/utils.sh tests/regression/tools/save-load/*.lttng tests/regression/tools/save-load/configuration/load-42*.lttng tests/regression/tools/health/test_health.sh tests/regression/tools/metadata/utils.sh tests/regression/tools/rotation/rotate_utils.sh; do
install -D "${B}/$f" "${D}${PTEST_PATH}/$f"
done
@@ -155,7 +155,7 @@ do_install_ptest () {
-i ${D}${PTEST_PATH}/tests/unit/Makefile
# Fix hardcoded build path
- sed -e 's#TESTAPP_PATH=.*/tests/regression/#TESTAPP_PATH=${PTEST_PATH}/tests/regression/#' \
+ sed -e 's#TESTAPP_PATH=.*/tests/regression/#TESTAPP_PATH="${PTEST_PATH}/tests/regression/#' \
-i ${D}${PTEST_PATH}/tests/regression/ust/python-logging/test_python_logging
# Substitute links to installed binaries.
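Review bot: The new replacement text in the `TESTAPP_PATH` sed expression opens a double quote that the expression never closes, so the result is valid shell only if the matched line in `test_python_logging` already ends with a closing quote. That looks like the intent, since the greedy `.*` would swallow an opening quote on the original line, but nothing in the recipe says so. I would extend the comment above it, e.g. `# Fix hardcoded build path; the upstream assignment is quoted, so re-emit the opening quote that .* consumes`. do_install_ptest starts and ends outside this hunk.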
diff --git a/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh b/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
index 28fe6f92d7..67e1dcd990 100755
--- a/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
+++ b/poky/meta/recipes-kernel/modutils-initscripts/files/modutils.sh
@@ -13,6 +13,7 @@
LOAD_MODULE=modprobe
[ -f /proc/modules ] || exit 0
+[ -d /lib/modules/`uname -r` ] || exit 0
# Test if modules.dep exists and has a size greater than zero
if [ ! -s /lib/modules/`uname -r`/modules.dep ]; then
diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb
index b4683720aa..28d0c6a2a2 100644
--- a/poky/meta/recipes-kernel/perf/perf.bb
+++ b/poky/meta/recipes-kernel/perf/perf.bb
@@ -322,7 +322,7 @@ PACKAGES =+ "${PN}-archive ${PN}-tests ${PN}-perl ${PN}-python"
RDEPENDS_${PN} += "elfutils bash"
RDEPENDS_${PN}-archive =+ "bash"
-RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python3', '', d)}"
+RDEPENDS_${PN}-python =+ "bash python3 python3-modules ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'audit-python', '', d)}"
RDEPENDS_${PN}-perl =+ "bash perl perl-modules"
RDEPENDS_${PN}-tests =+ "python3 bash"
diff --git a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.04.21.bb
index b3567bca95..f79c0b29ea 100644
--- a/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2020.11.20.bb
+++ b/poky/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.04.21.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "b4164490d82ff7b0086e812ac42ab27baf57be24324d4c0ee1c5dd6ba27f2a52"
+SRC_URI[sha256sum] = "9e4c02b2a9710df4dbdb327c39612e8cbbae6495987afeddaebab28c1ea3d8fa"
inherit bin_package allarch
diff --git a/poky/meta/recipes-sato/puzzles/puzzles_git.bb b/poky/meta/recipes-sato/puzzles/puzzles_git.bb
index 16a08585cc..a1788cf684 100644
--- a/poky/meta/recipes-sato/puzzles/puzzles_git.bb
+++ b/poky/meta/recipes-sato/puzzles/puzzles_git.bb
@@ -9,7 +9,7 @@ DEPENDS = "libxt"
# The libxt requires x11 in DISTRO_FEATURES
REQUIRED_DISTRO_FEATURES = "x11"
-SRC_URI = "git://git.tartarus.org/simon/puzzles.git \
+SRC_URI = "git://git.tartarus.org/simon/puzzles.git;branch=main \
file://fix-compiling-failure-with-option-g-O.patch \
file://0001-palisade-Fix-warnings-with-clang-on-arm.patch \
file://0001-Use-Wno-error-format-overflow-if-the-compiler-suppor.patch \
diff --git a/poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch b/poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
new file mode 100644
index 0000000000..98d2d1ded9
--- /dev/null
+++ b/poky/meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
@@ -0,0 +1,31 @@
+From dcf9ae0dc0b4510eddbeeea09e11edfb123f95af Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 2 May 2021 13:10:49 -0700
+Subject: [PATCH] MiniBrowser: Fix reproduciblity
+
+Do not emit references to source dir in generated sourcecode
+
+Upstream-Status: Submitted [https://bugs.webkit.org/show_bug.cgi?id=225283]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ Tools/MiniBrowser/gtk/CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Tools/MiniBrowser/gtk/CMakeLists.txt b/Tools/MiniBrowser/gtk/CMakeLists.txt
+index 93b62521..482d3b00 100644
+--- a/Tools/MiniBrowser/gtk/CMakeLists.txt
++++ b/Tools/MiniBrowser/gtk/CMakeLists.txt
+@@ -51,8 +51,8 @@ add_custom_command(
+ OUTPUT ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.c
+ ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.h
+ MAIN_DEPENDENCY ${MiniBrowser_DIR}/browser-marshal.list
+- COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --body > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.c
+- COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --header > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.h
++ COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --body --skip-source > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.c
++ COMMAND glib-genmarshal --prefix=browser_marshal ${MiniBrowser_DIR}/browser-marshal.list --header --skip-source > ${MiniBrowser_DERIVED_SOURCES_DIR}/BrowserMarshal.h
+ VERBATIM)
+
+ if (USE_GTK4)
+--
+2.31.1
+
diff --git a/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb b/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
index cdc3f9b584..1fefc75c49 100644
--- a/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
+++ b/poky/meta/recipes-sato/webkit/webkitgtk_2.30.5.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
file://reduce-memory-overheads.patch \
file://0001-Extend-atomics-check-to-include-1-byte-CAS-test.patch \
file://musl-lower-stack-usage.patch \
+ file://0001-MiniBrowser-Fix-reproduciblity.patch \
"
SRC_URI[sha256sum] = "7d0dab08e3c5ae07bec80b2822ef42e952765d5724cac86eb23999bfed5a7f1f"
diff --git a/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
index 888a235c1a..7dcc86fdc1 100644
--- a/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
+++ b/poky/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb
@@ -83,8 +83,8 @@ do_install_append_class-native () {
SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates
}
-RDEPENDS_${PN}_class-target = "openssl-bin"
-RDEPENDS_${PN}_class-native = "openssl-native"
-RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin"
+RDEPENDS_${PN}_append_class-target = " openssl-bin openssl"
+RDEPENDS_${PN}_append_class-native = " openssl-native"
+RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl"
BBCLASSEXTEND = "native nativesdk"
diff --git a/poky/meta/recipes-support/db/db_5.3.28.bb b/poky/meta/recipes-support/db/db_5.3.28.bb
index 9cb57e6a53..b2ae98f05c 100644
--- a/poky/meta/recipes-support/db/db_5.3.28.bb
+++ b/poky/meta/recipes-support/db/db_5.3.28.bb
@@ -15,7 +15,7 @@ HOMEPAGE = "https://www.oracle.com/database/technologies/related/berkeleydb.html
LICENSE = "Sleepycat"
RCONFLICTS_${PN} = "db3"
-CVE_PRODUCT = "oracle_berkeley_db"
+CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
CVE_VERSION = "11.2.${PV}"
PR = "r1"
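Review bot: The added `berkeley_db` entry in `CVE_PRODUCT` carries no vendor, so, as far as I understand cve-check, it matches that product name under any vendor in the NVD data, and the `CVE_VERSION = "11.2.${PV}"` on the next line is applied to both names. If only the Oracle entries are meant, the vendor-qualified form `oracle:berkeley_db` would pin it. A one-line comment saying why two product names are needed, and that both follow the 11.2.x version scheme, would help whoever next triages the CVE report for this recipe.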
diff --git a/poky/meta/recipes-support/diffoscope/diffoscope_172.bb b/poky/meta/recipes-support/diffoscope/diffoscope_172.bb
index bf4726e778..86dd5d8d70 100644
--- a/poky/meta/recipes-support/diffoscope/diffoscope_172.bb
+++ b/poky/meta/recipes-support/diffoscope/diffoscope_172.bb
@@ -23,6 +23,7 @@ do_install_append_class-native() {
create_wrapper ${D}${bindir}/diffoscope \
MAGIC=${STAGING_DIR_NATIVE}${datadir_native}/misc/magic.mgc \
RPM_CONFIGDIR=${STAGING_LIBDIR_NATIVE}/rpm \
+ LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE} \
RPM_ETCCONFIGDIR=${STAGING_DIR_NATIVE}
}
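Review bot: `LD_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE}` in the wrapper applies to diffoscope itself and, presumably, to every external tool it launches, including host binaries that would then resolve libraries from the native sysroot first. It also appears to replace rather than extend any value already in the environment. The recipe explains neither; a comment naming the library that fails to load without it (not visible here) would let a later reader narrow or drop the setting, e.g. `# needed so <library> from the native sysroot is found at runtime; child processes inherit this`.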
diff --git a/poky/meta/recipes-support/libcap/libcap_2.48.bb b/poky/meta/recipes-support/libcap/libcap_2.48.bb
index a12738d63a..2f83acf966 100644
--- a/poky/meta/recipes-support/libcap/libcap_2.48.bb
+++ b/poky/meta/recipes-support/libcap/libcap_2.48.bb
@@ -20,15 +20,6 @@ UPSTREAM_CHECK_URI = "https://www.kernel.org/pub/linux/libs/security/linux-privs
inherit lib_package
-# do NOT pass target cflags to host compilations
-#
-do_configure() {
- # libcap uses := for compilers, fortunately, it gives us a hint
- # on what should be replaced with ?=
- sed -e 's,:=,?=,g' -i Make.Rules
- sed -e 's,^BUILD_CFLAGS ?= ,BUILD_CFLAGS := $(BUILD_CFLAGS) ,' -i Make.Rules
-}
-
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
PACKAGECONFIG_class-native ??= ""
@@ -44,11 +35,15 @@ EXTRA_OEMAKE = " \
EXTRA_OEMAKE_append_class-target = " SYSTEM_HEADERS=${STAGING_INCDIR}"
-# these are present in the libcap defaults, so include in our CFLAGS too
-CFLAGS += "-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
-
do_compile() {
- oe_runmake ${PACKAGECONFIG_CONFARGS}
+ unset CFLAGS BUILD_CFLAGS
+ oe_runmake \
+ ${PACKAGECONFIG_CONFARGS} \
+ AR="${AR}" \
+ CC="${CC}" \
+ RANLIB="${RANLIB}" \
+ COPTS="${CFLAGS}" \
+ BUILD_COPTS="${BUILD_CFLAGS}"
}
do_install() {
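Review bot: The new `do_compile` unsets `CFLAGS` and `BUILD_CFLAGS` and then passes `${CFLAGS}` and `${BUILD_CFLAGS}` a few lines later, which reads as a contradiction unless one knows that BitBake substitutes `${...}` into the task before the shell runs it. A comment would save the next reader the detour, e.g. `# ${CFLAGS}/${BUILD_CFLAGS} are expanded by BitBake; unset only removes the exported copies so make does not pick them up from the environment`. The hunk also drops the explicit `-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64`, so it is worth confirming that libcap's own makefiles still add them when `COPTS` is overridden. `do_install` begins on the hunk's last line and is not visible; if it invokes make without the same `CC`/`COPTS` arguments, objects could be rebuilt with different flags.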
diff --git a/poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch b/poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
new file mode 100644
index 0000000000..0b20eda3c0
--- /dev/null
+++ b/poky/meta/recipes-support/libevent/libevent/0002-test-regress.h-Increase-default-timeval-tolerance-50.patch
@@ -0,0 +1,33 @@
+From dff8fd27edb23bc1486809186c6a4fe1f75f2179 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Thu, 22 Apr 2021 22:35:59 -0400
+Subject: [PATCH] test/regress.h: Increase default timeval tolerance 50 ms ->
+ 100 ms
+
+The default timeout tolerance is 50 ms,
+which causes intermittent failure in many the
+related tests in arm64 QEMU.
+
+See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14163
+(The root cause seems to be a heavy load)
+
+Upstream-Status: Submitted [https://github.com/libevent/libevent/pull/1157]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ test/regress.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/regress.h b/test/regress.h
+index f06a7669..829af4a7 100644
+--- a/test/regress.h
++++ b/test/regress.h
+@@ -127,7 +127,7 @@ int test_ai_eq_(const struct evutil_addrinfo *ai, const char *sockaddr_port,
+ tt_int_op(labs(timeval_msec_diff((tv1), (tv2)) - diff), <=, tolerance)
+
+ #define test_timeval_diff_eq(tv1, tv2, diff) \
+- test_timeval_diff_leq((tv1), (tv2), (diff), 50)
++ test_timeval_diff_leq((tv1), (tv2), (diff), 100)
+
+ long timeval_msec_diff(const struct timeval *start, const struct timeval *end);
+
diff --git a/poky/meta/recipes-support/libevent/libevent_2.1.12.bb b/poky/meta/recipes-support/libevent/libevent_2.1.12.bb
index dd4533cce5..6d53fea5a8 100644
--- a/poky/meta/recipes-support/libevent/libevent_2.1.12.bb
+++ b/poky/meta/recipes-support/libevent/libevent_2.1.12.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/libevent/libevent/releases/download/release-${PV}-
file://Makefile-missing-test-dir.patch \
file://run-ptest \
file://0001-test-regress_dns.c-patch-out-tests-that-require-a-wo.patch \
+ file://0002-test-regress.h-Increase-default-timeval-tolerance-50.patch \
"
SRC_URI[sha256sum] = "92e6de1be9ec176428fd2367677e61ceffc2ee1cb119035037a27d346b0403bb"
diff --git a/poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch b/poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
new file mode 100644
index 0000000000..b331c1bf81
--- /dev/null
+++ b/poky/meta/recipes-support/libssh2/files/0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch
@@ -0,0 +1,112 @@
+From 1f76151c92e1b52e9c24ebf06adc77fbd6c062bc Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Tue, 26 Jan 2021 11:41:21 -0800
+Subject: [PATCH] kex.c: move EC macro outside of if check #549 (#550)
+
+File: kex.c
+
+Notes:
+Moved the macro LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY outside of the LIBSSH2_ECDSA since it's also now used by the ED25519 code.
+
+Sha 256, 384 and 512 need to be defined for all backends now even if they aren't used directly. I believe this is already the case, but just a heads up.
+
+Credit:
+Stefan-Ghinea
+
+Upstream-Status: Backport
+
+Reference to upstream patch:
+https://github.com/libssh2/libssh2/commit/1f76151c92e1b52e9c24ebf06adc77fbd6c062bc
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/kex.c | 66 +++++++++++++++++++++++++++----------------------------
+ 1 file changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index cb16639..19ab6ec 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -1885,39 +1885,6 @@ kex_method_diffie_hellman_group_exchange_sha256_key_exchange
+ }
+
+
+-#if LIBSSH2_ECDSA
+-
+-/* kex_session_ecdh_curve_type
+- * returns the EC curve type by name used in key exchange
+- */
+-
+-static int
+-kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
+-{
+- int ret = 0;
+- libssh2_curve_type type;
+-
+- if(name == NULL)
+- return -1;
+-
+- if(strcmp(name, "ecdh-sha2-nistp256") == 0)
+- type = LIBSSH2_EC_CURVE_NISTP256;
+- else if(strcmp(name, "ecdh-sha2-nistp384") == 0)
+- type = LIBSSH2_EC_CURVE_NISTP384;
+- else if(strcmp(name, "ecdh-sha2-nistp521") == 0)
+- type = LIBSSH2_EC_CURVE_NISTP521;
+- else {
+- ret = -1;
+- }
+-
+- if(ret == 0 && out_type) {
+- *out_type = type;
+- }
+-
+- return ret;
+-}
+-
+-
+ /* LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY
+ *
+ * Macro that create and verifies EC SHA hash with a given digest bytes
+@@ -2027,6 +1994,39 @@ kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
+ } \
+
+
++#if LIBSSH2_ECDSA
++
++/* kex_session_ecdh_curve_type
++ * returns the EC curve type by name used in key exchange
++ */
++
++static int
++kex_session_ecdh_curve_type(const char *name, libssh2_curve_type *out_type)
++{
++ int ret = 0;
++ libssh2_curve_type type;
++
++ if(name == NULL)
++ return -1;
++
++ if(strcmp(name, "ecdh-sha2-nistp256") == 0)
++ type = LIBSSH2_EC_CURVE_NISTP256;
++ else if(strcmp(name, "ecdh-sha2-nistp384") == 0)
++ type = LIBSSH2_EC_CURVE_NISTP384;
++ else if(strcmp(name, "ecdh-sha2-nistp521") == 0)
++ type = LIBSSH2_EC_CURVE_NISTP521;
++ else {
++ ret = -1;
++ }
++
++ if(ret == 0 && out_type) {
++ *out_type = type;
++ }
++
++ return ret;
++}
++
++
+ /* ecdh_sha2_nistp
+ * Elliptic Curve Diffie Hellman Key Exchange
+ */
+--
+2.17.1
+
diff --git a/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb b/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb
index 0b8ccbd217..a5451628e7 100644
--- a/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb
+++ b/poky/meta/recipes-support/libssh2/libssh2_1.9.0.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://CVE-2019-17498.patch \
file://0001-configure-Conditionally-undefine-backend-m4-macro.patch \
file://run-ptest \
+ file://0001-kex.c-move-EC-macro-outside-of-if-check-549-550.patch \
"
SRC_URI_append_ptest = " file://0001-Don-t-let-host-enviroment-to-decide-if-a-test-is-bui.patch"
diff --git a/poky/meta/recipes-support/nettle/nettle_3.7.1.bb b/poky/meta/recipes-support/nettle/nettle_3.7.2.bb
index 3bbcf17c7a..f8f3360086 100644
--- a/poky/meta/recipes-support/nettle/nettle_3.7.1.bb
+++ b/poky/meta/recipes-support/nettle/nettle_3.7.2.bb
@@ -24,7 +24,7 @@ SRC_URI_append_class-target = "\
file://dlopen-test.patch \
"
-SRC_URI[sha256sum] = "156621427c7b00a75ff9b34b770b95d34f80ef7a55c3407de94b16cbf436c42e"
+SRC_URI[sha256sum] = "8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162"
UPSTREAM_CHECK_REGEX = "nettle-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb b/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb
index 57a3ae005b..6bd10d2fec 100644
--- a/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb
+++ b/poky/meta/recipes-support/ptest-runner/ptest-runner_2.4.1.bb
@@ -26,3 +26,5 @@ do_compile () {
do_install () {
install -D -m 0755 ${S}/ptest-runner ${D}${bindir}/ptest-runner
}
+
+RDEPENDS_${PN}_append_libc-glibc = " libgcc"
diff --git a/poky/scripts/oe-buildenv-internal b/poky/scripts/oe-buildenv-internal
index ba0a9b44d6..e0d920f2fc 100755
--- a/poky/scripts/oe-buildenv-internal
+++ b/poky/scripts/oe-buildenv-internal
@@ -88,6 +88,10 @@ if [ ! -d "$BITBAKEDIR" ]; then
return 1
fi
+# Add BitBake's library to PYTHONPATH
+PYTHONPATH=$BITBAKEDIR/lib:$PYTHONPATH
+export PYTHONPATH
+
# Make sure our paths are at the beginning of $PATH
for newpath in "$BITBAKEDIR/bin" "$OEROOT/scripts"; do
# Remove any existences of $newpath from $PATH
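Review bot: When `PYTHONPATH` is unset or empty, `PYTHONPATH=$BITBAKEDIR/lib:$PYTHONPATH` leaves a trailing colon, and Python treats the resulting empty entry as the current working directory, so Python tools started from this environment will import modules from whatever directory they are run in. Appending the separator only when there is something to append avoids that: `PYTHONPATH=$BITBAKEDIR/lib${PYTHONPATH:+:$PYTHONPATH}`. Unlike the `PATH` handling just below, the new lines do not remove an earlier copy of the entry, so sourcing the script again grows the variable.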
diff --git a/poky/scripts/oe-debuginfod b/poky/scripts/oe-debuginfod
index 967dd5807c..5560769888 100755
--- a/poky/scripts/oe-debuginfod
+++ b/poky/scripts/oe-debuginfod
@@ -20,12 +20,7 @@ if __name__ == "__main__":
package_classes_var = "DEPLOY_DIR_" + tinfoil.config_data.getVar("PACKAGE_CLASSES").split()[0].replace("package_", "").upper()
feed_dir = tinfoil.config_data.getVar(package_classes_var, expand=True)
- try:
- if package_classes_var == "DEPLOY_DIR_RPM":
- subprocess.check_output(subprocess.run(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', feed_dir]))
- else:
- subprocess.check_output(subprocess.run(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-U', feed_dir]))
- except subprocess.CalledProcessError:
- print("\nTo use the debuginfod server Please ensure that this variable PACKAGECONFIG_pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
- except KeyboardInterrupt:
- sys.exit(1)
+ subprocess.call(['bitbake', '-c', 'addto_recipe_sysroot', 'elfutils-native'])
+
+ subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', '-U', feed_dir])
+ print("\nTo use the debuginfod server please ensure that this variable PACKAGECONFIG_pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
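Review bot: Both `subprocess.call` results are discarded, so a failed `bitbake -c addto_recipe_sysroot` still goes on to start debuginfod, and the PACKAGECONFIG hint on the last line is printed after every run, successful or not. The removed `except KeyboardInterrupt` also means stopping the server with Ctrl-C now ends in a traceback. I would check the first return code, keep the interrupt handler, and print the hint only when debuginfod exits non-zero; this assumes `sys` is still imported, as the removed lines used it. The `if __name__ == "__main__":` block starts outside the hunk.

```python
    # … unchanged: package_classes_var / feed_dir lookup …
    if subprocess.call(['bitbake', '-c', 'addto_recipe_sysroot', 'elfutils-native']) != 0:
        sys.exit(1)

    try:
        ret = subprocess.call(['oe-run-native', 'elfutils-native', 'debuginfod', '--verbose', '-R', '-U', feed_dir])
    except KeyboardInterrupt:
        sys.exit(1)
    if ret != 0:
        print("\nTo use the debuginfod server please ensure that this variable PACKAGECONFIG_pn-elfutils-native = \"debuginfod libdebuginfod\" is set in the local.conf")
        sys.exit(ret)
```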
diff --git a/poky/scripts/oe-time-dd-test.sh b/poky/scripts/oe-time-dd-test.sh
index 970a86dff0..459071e732 100644..100755
--- a/poky/scripts/oe-time-dd-test.sh
+++ b/poky/scripts/oe-time-dd-test.sh
@@ -13,11 +13,16 @@ usage() {
echo "Usage: $0 <count>"
}
+TIMEOUT=15
+
if [ $# -ne 1 ]; then
usage
exit 1
fi
uptime
-/usr/bin/time -f "%e" dd if=/dev/zero of=foo bs=1024 count=$1 conv=fsync
-top -b -n 1 | grep -v "0 0 0" | grep -E ' [RSD] ' | cut -c 46-47 | sort | uniq -c
+timeout ${TIMEOUT} dd if=/dev/zero of=oe-time-dd-test.dat bs=1024 count=$1 conv=fsync
+if [ $? -ne 0 ]; then
+ echo "Timeout used: ${TIMEOUT}"
+ top -c -b -n1 -w 512
+fi
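Review bot: The `if [ $? -ne 0 ]` check after the `timeout ${TIMEOUT} dd` line reports "Timeout used" for any failure, although `timeout` exits with 124 only when the limit was actually hit; a full disk or a malformed `<count>` argument would be reported the same way. Saving the status and testing it (`ret=$?` then `if [ "$ret" -eq 124 ]`) keeps the message truthful, and the `top` dump can still run for other non-zero statuses. `count=$1` would also be safer quoted as `count="$1"`, and the script leaves `oe-time-dd-test.dat` behind in the current directory.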
diff --git a/poky/scripts/pybootchartgui/pybootchartgui/draw.py b/poky/scripts/pybootchartgui/pybootchartgui/draw.py
index 53324b9f8b..29eb7505bc 100644
--- a/poky/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/poky/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -271,7 +271,7 @@ def draw_chart(ctx, color, fill, chart_bounds, data, proc_tree, data_range):
# If data_range is given, scale the chart so that the value range in
# data_range matches the chart bounds exactly.
# Otherwise, scale so that the actual data matches the chart bounds.
- if data_range:
+ if data_range and (data_range[1] - data_range[0]):
yscale = float(chart_bounds[3]) / (data_range[1] - data_range[0])
ybase = data_range[0]
else:
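Review bot: The comment above the changed condition still says the chart is scaled to `data_range` whenever it is given, which is no longer true: a zero-width range now falls through to the `else` branch. I would reword it to something like `# If data_range is given and spans a non-zero interval, scale the chart to it exactly.` The `else` branch and the rest of draw_chart lie outside the hunk, so whether that path is itself safe for flat data cannot be checked here.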
diff --git a/poky/scripts/runqemu b/poky/scripts/runqemu
index ba0b701aff..edd17d09c4 100755
--- a/poky/scripts/runqemu
+++ b/poky/scripts/runqemu
@@ -145,7 +145,6 @@ class BaseConfig(object):
self.qemu_opt = ''
self.qemu_opt_script = ''
self.qemuparams = ''
- self.clean_nfs_dir = False
self.nfs_server = ''
self.rootfs = ''
# File name(s) of a OVMF firmware file or variable store,
@@ -210,6 +209,8 @@ class BaseConfig(object):
self.qemupid = None
# avoid cleanup twice
self.cleaned = False
+ # Files to cleanup after run
+ self.cleanup_files = []
def acquire_taplock(self, error=True):
logger.debug("Acquiring lockfile %s..." % self.taplock)
@@ -1020,8 +1021,9 @@ class BaseConfig(object):
logger.info('Running %s...' % str(cmd))
if subprocess.call(cmd) != 0:
raise RunQemuError('Failed to run %s' % cmd)
- self.clean_nfs_dir = True
self.rootfs = dest
+ self.cleanup_files.append(self.rootfs)
+ self.cleanup_files.append('%s.pseudo_state' % self.rootfs)
# Start the userspace NFS server
cmd = ('runqemu-export-rootfs', 'start', self.rootfs)
@@ -1204,6 +1206,7 @@ class BaseConfig(object):
self.rootfs = newrootfs
# Don't need a second copy now!
self.snapshot = False
+ self.cleanup_files.append(newrootfs)
qb_rootfs_opt = self.get('QB_ROOTFS_OPT')
if qb_rootfs_opt:
@@ -1476,10 +1479,13 @@ class BaseConfig(object):
if self.saved_stty:
subprocess.check_call(("stty", self.saved_stty))
- if self.clean_nfs_dir:
- logger.info('Removing %s' % self.rootfs)
- shutil.rmtree(self.rootfs)
- shutil.rmtree('%s.pseudo_state' % self.rootfs)
+ if self.cleanup_files:
+ for ent in self.cleanup_files:
+ logger.info('Removing %s' % ent)
+ if os.path.isfile(ent):
+ os.remove(ent)
+ else:
+ shutil.rmtree(ent)
self.cleaned = True
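Review bot: In the new cleanup loop, an entry that no longer exists (or is a symlink to a directory) is not a regular file and not something `shutil.rmtree` accepts, so the `else` branch raises, the remaining entries stay on disk and `self.cleaned = True` is never reached. The entries are registered in the earlier hunks of this file (`self.rootfs`, its `.pseudo_state` sibling, `newrootfs`), and at least the `.pseudo_state` path is appended with no visible check that it was created. Making removal best-effort per entry keeps one missing path from blocking the rest: `elif os.path.isdir(ent):` followed by `shutil.rmtree(ent, ignore_errors=True)`. The enclosing method starts outside the hunk.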
diff --git a/poky/scripts/yocto-check-layer b/poky/scripts/yocto-check-layer
index b7c83c8b54..deba3cb4f8 100755
--- a/poky/scripts/yocto-check-layer
+++ b/poky/scripts/yocto-check-layer
@@ -138,6 +138,9 @@ def main():
layer['type'] == LayerType.ERROR_BSP_DISTRO:
continue
+ # Reset to a clean backup copy for each run
+ shutil.copyfile(bblayersconf + '.backup', bblayersconf)
+
if check_bblayers(bblayersconf, layer['path'], logger):
logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
"in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name']))