poky: subtree update:968fcf4989..23deb29c1b
Arthur She (1):
igt-gpu-tools: Add PACKAGECONFIG for Chamelium support
Bruce Ashfield (4):
linux-yocto/5.4: update to v5.4.51
linux-yocto-rt/5.4: fix mmdrop stress test issues
kernel-yocto: account for extracted defconfig in elements check
kernel-devsrc: fix on-target module build for v5.8+
Changqing Li (2):
dpkg: change SRC_URI to take dpkg from git
gtk-immodules-cache.bbclass: fix post install scriptlet error
Charlie Davies (1):
u-boot: fix condition to allow use of *.cfg
Chen Qi (1):
rpm: fix nativesdk's default var location
Christian Eggers (2):
avahi: Fix typo in recipe
util-linux: Set license for library sub packages
Daniel Ammann (1):
image.bbclass: improve wording when image size exceeds the specified limit
Dmitry Baryshkov (1):
gcc-10.1: add fix for PR 96130
Douglas (2):
nativesdk: clear MACHINE_FEATURES
nativesdk: Set the CXXFLAGS to the BUILDSDK_CXXFLAGS
He Zhe (1):
cryptodev-module: Backport a patch to fix build failure with kernel v5.8
Hongxu Jia (1):
e2fsprogs: fix up check for hardlinks always false if inode > 0xFFFFFFFF
Jens Rehsack (3):
subversion: extend for nativesdk
serf: extend for nativesdk
kmod: add packageconfig for xz and ssl
Joshua Watt (8):
virtual/libgbm is the provider of gbm.pc
diffoscope: upgrade 150 -> 151
python3-pycryptodomex: upgrade 3.9.7 -> 3.9.8
python3-pycryptodome: upgrade 3.9.7 -> 3.9.8
classes/reproducible: Move to library code
lib/oe/reproducible: Fix error when no git HEAD
classes/cmake: Fix host detection
classes/package: Use HOST_OS for runtime dependencies
Kamil Dziezyk (1):
qemu: fix for virtfs configuration error in qemu 5.0.0
Kevin Hao (3):
wic/filemap: Drop the unused block_is_unmapped()
wic/filemap: Drop the unused get_unmapped_ranges()
wic/filemap: Fall back to standard copy when no way to get the block map
Khem Raj (4):
go: Disbale CGO for riscv64
go-dep: Fix build on riscv64
musl: Update to latest tip
site: Make sys_siglist default to no
Konrad Weihmann (2):
bitbake: pyshyacc: allow double COMMA statements
ptest: append to FILES
Kurt Kiefer (1):
linux-firmware: add ibt-20 package
Lee Chee Yang (1):
bison: fix Argument list too long error
Mingli Yu (1):
python3: define a profile directory path
Naveen Saini (3):
libva: upgrade 2.7.1 -> 2.8.0
libva-initial: upgrade 2.7.1 -> 2.8.0
libva-utils: upgrade 2.7.1 -> 2.8.0
Oleksandr (1):
expat: Added ptest
Pierre-Jean Texier (1):
u-boot: upgrade 2020.04 -> 2020.07
Rasmus Villemoes (1):
cml1: Move find_cfgs() helper to cml1.bbclass
Ricardo Salveti (1):
sudo: set with-rundir to /run/sudo
Richard Purdie (34):
bitbake: fetch2: Change git fetcher not to destroy old references
oeqa/selftest/sstatetests: Avoid polluting DL_DIR
bitbake: server/process: Fix a rare lockfile race
qemurunner: Ensure pid location is deterministic
qemurunner: Add extra debug info when qemu fails to start
bitbake: server/process: Ensure UI-less servers don't sit in infinite loops
oeqa/utils/qemurunner: Fix missing pid file tracebacks
mpfr: upgrade 4.0.2 -> 4.1.0
libuv: upgrade 1.38.0 -> 1.38.1
btrfs-tools: upgrade 5.6.1 -> 5.7
init-system-helpers: upgrade 1.57 -> 1.58
createrepo-c: upgrade 0.15.11 -> 0.16.0
mtd-utils: upgrade 2.1.1 -> 2.1.2
dpkg: upgrade 1.20.0 -> 1.20.5
python3-cython: upgrade 0.29.20 -> 0.29.21
python3-git: upgrade 3.1.3 -> 3.1.7
asciidoc: upgrade 9.0.0 -> 9.0.1
libnsl2: upgrade 1.2.0 -> 1.3.0
rpcsvc-proto: upgrade 1.4.1 -> 1.4.2
stress-ng: upgrade 0.11.14 -> 0.11.15
epiphany: upgrade 3.36.2 -> 3.36.3
ffmpeg: upgrade 4.3 -> 4.3.1
gnupg: upgrade 2.2.20 -> 2.2.21
mpg123: upgrade 1.26.1 -> 1.26.2
libevent: upgrade 2.1.11 -> 2.1.12
webkitgtk: upgrade 2.28.2 -> 2.28.3
libgcrypt: upgrade 1.8.5 -> 1.8.6
bitbake: server/process: Fix note reference -> info
bitbake: cooker: Fix unmatched files handling leading to misleading warnings
bitbake: build: Allow deltask to take multiple tasknames
pseudo: Update to add OFC fcntl lock updates
oeqa/qemurunner: Add priority/nice information for running processes
bitbake: cooker: Improve multiconfig configuration error reporting
bitbake: cooker: Handle multiconfig name mappings correctly
Robert Yang (1):
openssl: openssl-bin requires openssl-conf to run
Ross Burton (9):
insane: consolidate skipping of temporary do_package files
perf: add PACKAGECONFIG for CoreSight support
autotools: don't special-case help2man-native for dependencies
flex: fix build with autoconf 2.70
nasm: fix build with autoconf 2.70
init-ifupdown: always make machine-specific
insane: improve arch test messages
startup-notification: add time_t type mismatch patch from upstream
gcc: mitigate the Straight-line Speculation attack
Sakib Sajal (5):
qemu: fix CVE-2020-13362
qemu: fix CVE-2020-13659
qemu: fix CVE-2020-13800
qemu: fix CVE-2020-13791
busybox: make hwclock compatible with glibc 2.31
Tanu Kaskinen (2):
alsa-lib: upgrade 1.2.3.1 -> 1.2.3.2
pulseaudio: improve the Thumb frame pointer fix
Taras Kondratiuk (1):
nfs-utils: use rpcgen tool from HOSTTOOLS_DIR
Tim Orling (2):
lib/oe/recipeutils.py: add AUTHOR; BBCLASSEXTEND
scripts/lib/recipetool/create.py: fix regex strings
Wang Mingyu (4):
dbus: upgrade 1.12.18 -> 1.12.20
fribidi: upgrade 1.0.9 -> 1.0.10
glib-2.0: upgrade 2.64.3 -> 2.64.4
libvorbis: upgrade 1.3.6 -> 1.3.7
Yi Zhao (1):
bind: upgrade 9.11.19 -> 9.11.21
Yongxin Liu (2):
linux-firmware: fix the wrong file path for ibt-misc
linux-firmware: move ibt-misc to the end of ibt packages
akuster (3):
cve-check.bbclass: always save cve report
ref-system-requirements: update supported hosts lists
glibc: whitelist CVE-2010-10029
zhengruoqin (1):
gnutls: Fix krb5 code license to GPLv2.1+ to match the LICENSE file.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Iae9b13b7fe09bb3c0ab953a063793c95e8b17468
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index d41cc8f..b1c822b 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -32,6 +32,10 @@
file://CVE-2020-13361.patch \
file://find_datadir.patch \
file://CVE-2020-10761.patch \
+ file://CVE-2020-13362.patch \
+ file://CVE-2020-13659.patch \
+ file://CVE-2020-13800.patch \
+ file://CVE-2020-13791.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
@@ -140,7 +144,7 @@
PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
-PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap-ng attr,"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr,"
PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
new file mode 100644
index 0000000..af8d4ba
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
@@ -0,0 +1,55 @@
+From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 14 May 2020 00:55:38 +0530
+Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
+ index
+
+A guest user may set 'reply_queue_head' field of MegasasState to
+a negative value. Later in 'megasas_lookup_frame' it is used to
+index into s->frames[] array. Use unsigned type to avoid OOB
+access issue.
+
+Also check that 'index' value stays within s->frames[] bounds
+through the while() loop in 'megasas_lookup_frame' to avoid OOB
+access.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Acked-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661]
+CVE: CVE-2020-13362
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/scsi/megasas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index af18c88b65..6ce598cd69 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -112,7 +112,7 @@ typedef struct MegasasState {
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+ int reply_queue_len;
+- int reply_queue_head;
++ uint16_t reply_queue_head;
+ int reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
+
+ index = s->reply_queue_head;
+
+- while (num < s->fw_cmds) {
++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
+ if (s->frames[index].pa && s->frames[index].pa == frame) {
+ cmd = &s->frames[index];
+ break;
+--
+2.20.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
new file mode 100644
index 0000000..4d12ae8
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,58 @@
+From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 26 May 2020 16:47:43 +0530
+Subject: [PATCH] exec: set map length to zero when returning NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When mapping physical memory into host's virtual address space,
+'address_space_map' may return NULL if BounceBuffer is in_use.
+Set and return '*plen = 0' to avoid later NULL pointer dereference.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
+Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
+CVE: CVE-2020-13659
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ exec.c | 1 +
+ include/exec/memory.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exec.c b/exec.c
+index 9cbde85d8c..778263f1c6 100644
+--- a/exec.c
++++ b/exec.c
+@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
+
+ if (!memory_access_is_direct(mr, is_write)) {
+ if (atomic_xchg(&bounce.in_use, true)) {
++ *plen = 0;
+ return NULL;
+ }
+ /* Avoid unbounded allocations */
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index bd7fdd6081..af8ca7824e 100644
+--- a/include/exec/memory.h
++++ b/include/exec/memory.h
+@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
+ /* address_space_map: map a physical memory region into a host virtual address
+ *
+ * May map a subset of the requested range, given by and returned in @plen.
+- * May return %NULL if resources needed to perform the mapping are exhausted.
++ * May return %NULL and set *@plen to zero(0), if resources needed to perform
++ * the mapping are exhausted.
+ * Use only for reads OR writes - not for read-modify-write operations.
+ * Use cpu_register_map_client() to know when retrying the map operation is
+ * likely to succeed.
+--
+2.20.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
new file mode 100644
index 0000000..049dab9
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
@@ -0,0 +1,53 @@
+From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 17:05:25 +0530
+Subject: [PATCH] pci: assert configuration access is within bounds
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing PCI configuration bytes, assert that
+'address + len' is within PCI configuration space.
+
+Generally it is within bounds. This is more of a defensive
+assert, in case a buggy device was to send 'address' which
+may go out of bounds.
+
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport [f7d6a635fa3b7797f9d072e280f065bf3cfcd24d]
+CVE: CVE-2020-13791
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/pci/pci.c b/hw/pci/pci.c
+index 70c66965f5..7bf2ae6d92 100644
+--- a/hw/pci/pci.c
++++ b/hw/pci/pci.c
+@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
+ {
+ uint32_t val = 0;
+
++ assert(address + len <= pci_config_size(d));
++
+ if (pci_is_express_downstream_port(d) &&
+ ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
+ pcie_sync_bridge_lnk(d);
+@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int
+ int i, was_irq_disabled = pci_irq_disabled(d);
+ uint32_t val = val_in;
+
++ assert(addr + l <= pci_config_size(d));
++
+ for (i = 0; i < l; val >>= 8, ++i) {
+ uint8_t wmask = d->wmask[addr + i];
+ uint8_t w1cmask = d->w1cmask[addr + i];
+--
+2.20.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
new file mode 100644
index 0000000..52bfafb
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
@@ -0,0 +1,63 @@
+From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 4 Jun 2020 14:38:30 +0530
+Subject: [PATCH] ati-vga: check mm_index before recursive call
+ (CVE-2020-13800)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While accessing VGA registers via ati_mm_read/write routines,
+a guest may set 's->regs.mm_index' such that it leads to infinite
+recursion. Check mm_index value to avoid such recursion. Log an
+error message for wrong values.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Yi Ren <c4tren@gmail.com>
+Message-id: 20200604090830.33885-1-ppandit@redhat.com
+Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
+CVE: CVE-2020-13800
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/display/ati.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/ati.c b/hw/display/ati.c
+index 065f197678..67604e68de 100644
+--- a/hw/display/ati.c
++++ b/hw/display/ati.c
+@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
+ if (idx <= s->vga.vram_size - size) {
+ val = ldn_le_p(s->vga.vram_ptr + idx, size);
+ }
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
+ }
+ break;
+ case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
+ if (idx <= s->vga.vram_size - size) {
+ stn_le_p(s->vga.vram_ptr + idx, size, data);
+ }
+- } else {
++ } else if (s->regs.mm_index > MM_DATA + 3) {
+ ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
++ } else {
++ qemu_log_mask(LOG_GUEST_ERROR,
++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
+ }
+ break;
+ case BIOS_0_SCRATCH ... BUS_CNTL - 1:
+--
+2.20.1
+