poky: subtree update:81f9e815d3..03d4d9d68f
Adrian Bunk (1):
json-c: Don't --enable-rdrand
Alessio Igor Bogani (2):
wic: Using the right rootfs size during prepare_rootfs
rootfs-postcommands: Avoid use of an hard-coded value
Alexander Kanavin (1):
binutils: drop UPSTREAM_VERSION_UNKNOWN
Alexandre Bard (1):
systemd: Expose resolv-conf alternative only when resolved is built
Andre McCurdy (1):
ffmpeg: enable more verbose build logs
André Draszik (4):
ruby: drop long-merged CVE patches
ruby: configure mis-detects isnan/isinf on musl
ruby: fix non-IPv6 support
packagegroup: fix a comment regarding PACKAGE_ARCH
Bruce Ashfield (6):
linux-yocto/5.2: update to v5.2.13
linux-yocto/4.19: update to v4.19.72
linux-yocto/5.2: update to v5.2.14
linux-yocto/5.2: update to v5.2.16
linux-yocto/5.2: update to v5.2.17
yocto-bsps: update to v5.2.17
Böszörményi Zoltán via Openembedded-core (1):
classes/image-live.bbclass: Don't hardcode cpio.gz
Changqing Li (2):
devtool.py: change to do clean before remove-layer
devtool.py: fix buildclean test
Chen Qi (1):
systemd: fix NFS regression
Dan Tran (1):
unzip: Fix CVE-2019-13232
David Reyna (2):
bitbake: toaster: issues in import layer when clicking 'add layer'
bitbake: toaster: improve warnings when adding dependency to packages
Diego Rondini (2):
initramfs-framework: fix var name
initramfs-framework: support PARTLABEL option
Douglas Royds (1):
icecc: Don't use icecc when INHIBIT_DEFAULT_DEPS is set
He Zhe (1):
ltp: Fix hang of cve test cases
Heiko Schocher (1):
kernel.fitimage.bbclass: remove ramdisk_ctype
Jacob Kroon (1):
bitbake: tests/data: Test combinations of _append together with override
Joe Slater (1):
bash-completion: add image feature
Jonathan Marler (1):
package: Multiple shlib_providers for the same file should error
Joshua Watt (8):
classes/reproducible_build: Move SDE deploy to another directory
oeqa: Test multiconfig parsing
bitbake: cookerdata: Add mc conffiles hashes to cache hash
bitbake: hashserve: Add missing import
bitbake: siggen: Fix attribute error when hashserver fails
bitbake: hashserv: Don't daemonize server process
local.conf.sample: Add Hash Equivalence
classes/reproducible_build: Create SDE destination
Khem Raj (7):
musl: Fix riscv64 CAS functions
qemuriscv: Do not blacklist clang anymore
sdk: Install nativesdk locales for all TCLIBC variants
strace: Upgrade to 5.3
packagegroups: All groups are not allarch
musl: Fix __riscv_mc* containers to match glibc
core-image-sato-sdk-ptest: Remove valgrind ptests for riscv
Konrad Scherer (1):
gen-lockedsig-cache: Replace glob lookup with hash to filename lookup
Lei Maohui (1):
bluez5: update patch to fix do_patch error when PATCHTOOL = "patch".
Li Zhou (1):
shadow: use relaxed usernames for all
Limeng (1):
u-boot: add CVE patches for u-boot
Nathan Rossi (2):
oeqa/core/utils/concurrencytest.py: Handle exceptions and details
oeqa/core/case.py: Encode binary data of log
Niclas Svensson (1):
devtool: finish: Keep patches ordered when updating bbappend
Otavio Salvador (1):
mesa: Add freedreno PACKAGECONFIG option
Peter Kjellerstedt (3):
systemd: Make it build with hwdb disabled
devtool: finish: Add suppport for the --no-clean option
lib/oe/lsb: Make sure the distro ID is always lowercased
Randy MacLeod (1):
ffmpeg: update from 4.2 to 4.2.1
Richard Purdie (17):
Revert "meta-extsdk: Either an sstate task is a proper task or it isn't"
sstatesig: Fix hash equivlanency locked signature issues
oeqa/selftest/signing: Fix for hash equivlance server
lib/sstatesig: Fix class inheritance problems
populate_sdk_ext: Fix for hash equiv
bitbake: runqueue: Fix task migration problems
bitbake: siggen: Ensure setscenetasks list is available to worker context
bitbake: runqueue: Change task migration behaviour for rerunning setscene tasks
bitbake: siggen/runqueue: Fix signature mismatch issues
bitbake: siggen: Avoid writing misleading sigdata files
bitbake: runqueue: Save unihashes more frequently
bitbake: runqueue: Small performance optimisation
bitbake: siggen: Remove full path from unitaskhashes keys
bitbake: tests/runqueue: Fix hashserve shutdown race
base: Improve module import error message
sanity.conf: Bump minimum bitbake version
bitbake: bitbake: Bump verison 1.43.1 -> 1.43.2
Robert Yang (6):
cases/bbtests.py: test_bitbake_g(): Check base-files rather than busybox
expect: Fix configure error for nativesdk
net-tools: Fix installed-vs-shipped for nativesdk
expect: Fix buffer overflow error when build in long path
apr: Check for libtoolize rather than libtool
lttng-ust: Fix for --enable-python-agent
Ross Burton (12):
oeqa/selftest/reproducible: test ipkgs too
distcc: clean up the UI install logic
distcc: use --enable-tcp-insecure instead of --make-me-a-botnet
distcc: split into client and server packages
json-c: clean up recipe
json-c: use GitHub for upstream release checking
bitbake: fetch2/git: refactor check for git-lfs command
bitbake: tests/fetch: add test case for git-lfs handling
python3: move runpy to core
pango: fix the failing testiter test case
opkg: remove redundant systemd inherit
lttng-ust: update patch Signed-off-by
Trevor Gamblin (5):
python3-subunit: ensure runtime dependencies are present
python3-pip: ensure pickle is installed
lighttpd: remove fam as a PACKAGECONFIG option
tiff: fix CVE-2019-14973
opkg: remove pathfinder PACKAGECONFIG option
Wang Quanyang (1):
kexec-tools: fix arm kexec failure for __NR_kexec_file_load
Yi Zhao (1):
python: add tk-lib as runtime dependency for python-tkinter
Change-Id: I0570125d49f7e4bc3bbf70508cbfd7e10bdbc032
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch b/poky/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
new file mode 100644
index 0000000..1a5d1eb
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0001-CVE-2019-13103.patch
@@ -0,0 +1,69 @@
+From 39a759494f734c4cdc3e2b919671bfb3134b41ae Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:03 -0700
+Subject: [PATCH 1/9] CVE-2019-13103: disk: stop infinite recursion in DOS
+ Partitions
+
+part_get_info_extended and print_partition_extended can recurse infinitely
+while parsing a self-referential filesystem or one with a silly number of
+extended partitions. This patch adds a limit to the number of recursive
+partitions.
+
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=232e2f4fd9a24bf08215ddc8c53ccadffc841fb5]
+
+CVE: CVE-2019-13103
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ disk/part_dos.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/disk/part_dos.c b/disk/part_dos.c
+index 936cee0d36..aae9d95906 100644
+--- a/disk/part_dos.c
++++ b/disk/part_dos.c
+@@ -23,6 +23,10 @@
+
+ #define DOS_PART_DEFAULT_SECTOR 512
+
++/* should this be configurable? It looks like it's not very common at all
++ * to use large numbers of partitions */
++#define MAX_EXT_PARTS 256
++
+ /* Convert char[4] in little endian format to the host format integer
+ */
+ static inline unsigned int le32_to_int(unsigned char *le32)
+@@ -126,6 +130,13 @@ static void print_partition_extended(struct blk_desc *dev_desc,
+ dos_partition_t *pt;
+ int i;
+
++ /* set a maximum recursion level */
++ if (part_num > MAX_EXT_PARTS)
++ {
++ printf("** Nested DOS partitions detected, stopping **\n");
++ return;
++ }
++
+ if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
+ printf ("** Can't read partition table on %d:" LBAFU " **\n",
+ dev_desc->devnum, ext_part_sector);
+@@ -191,6 +202,13 @@ static int part_get_info_extended(struct blk_desc *dev_desc,
+ int i;
+ int dos_type;
+
++ /* set a maximum recursion level */
++ if (part_num > MAX_EXT_PARTS)
++ {
++ printf("** Nested DOS partitions detected, stopping **\n");
++ return -1;
++ }
++
+ if (blk_dread(dev_desc, ext_part_sector, 1, (ulong *)buffer) != 1) {
+ printf ("** Can't read partition table on %d:" LBAFU " **\n",
+ dev_desc->devnum, ext_part_sector);
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch b/poky/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
new file mode 100644
index 0000000..de122b2
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0002-CVE-2019-13104.patch
@@ -0,0 +1,49 @@
+From 1d36545e43003f4b1bb3a303a3b468abd482fa2f Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:05 -0700
+Subject: [PATCH 2/9] CVE-2019-13104: ext4: check for underflow in
+ ext4fs_read_file
+
+in ext4fs_read_file, it is possible for a broken/malicious file
+system to cause a memcpy of a negative number of bytes, which
+overflows all memory. This patch fixes the issue by checking for
+a negative length.
+
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=878269dbe74229005dd7f27aca66c554e31dad8e]
+
+CVE: CVE-2019-13104
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index 26db677a1f..c8c8655ed8 100644
+--- a/fs/ext4/ext4fs.c
++++ b/fs/ext4/ext4fs.c
+@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+
+ ext_cache_init(&cache);
+
+- if (blocksize <= 0)
+- return -1;
+-
+ /* Adjust len so it we can't read past the end of the file. */
+ if (len + pos > filesize)
+ len = (filesize - pos);
+
++ if (blocksize <= 0 || len <= 0) {
++ ext_cache_fini(&cache);
++ return -1;
++ }
++
+ blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
+
+ for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch b/poky/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
new file mode 100644
index 0000000..f525147
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0003-CVE-2019-13105.patch
@@ -0,0 +1,37 @@
+From 4e937d0de669ee69cf41c20494cbf66c339c3174 Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:04 -0700
+Subject: [PATCH 3/9] CVE-2019-13105: ext4: fix double-free in ext4_cache_read
+
+ext_cache_read doesn't null cache->buf, after freeing, which results
+in a later function double-freeing it. This patch fixes
+ext_cache_read to call ext_cache_fini instead of free.
+
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=6e5a79de658cb1c8012c86e0837379aa6eabd024]
+
+CVE: CVE-2019-13105
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index c8c8655ed8..e2b740cac4 100644
+--- a/fs/ext4/ext4fs.c
++++ b/fs/ext4/ext4fs.c
+@@ -288,7 +288,7 @@ int ext_cache_read(struct ext_block_cache *cache, lbaint_t block, int size)
+ if (!cache->buf)
+ return 0;
+ if (!ext4fs_devread(block, 0, size, cache->buf)) {
+- free(cache->buf);
++ ext_cache_fini(cache);
+ return 0;
+ }
+ cache->block = block;
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch b/poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
new file mode 100644
index 0000000..8e1a1a9
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0004-CVE-2019-13106.patch
@@ -0,0 +1,56 @@
+From 1307dabf5422372483f840dda3963f9dbd2e8e6f Mon Sep 17 00:00:00 2001
+From: Paul Emge <paulemge@forallsecure.com>
+Date: Mon, 8 Jul 2019 16:37:07 -0700
+Subject: [PATCH 4/9] CVE-2019-13106: ext4: fix out-of-bounds memset
+
+In ext4fs_read_file in ext4fs.c, a memset can overwrite the bounds of
+the destination memory region. This patch adds a check to disallow
+this.
+
+Signed-off-by: Paul Emge <paulemge@forallsecure.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=e205896c5383c938274262524adceb2775fb03ba]
+
+CVE: CVE-2019-13106
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ fs/ext4/ext4fs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
+index e2b740cac4..37b31d9f0f 100644
+--- a/fs/ext4/ext4fs.c
++++ b/fs/ext4/ext4fs.c
+@@ -61,6 +61,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ lbaint_t delayed_skipfirst = 0;
+ lbaint_t delayed_next = 0;
+ char *delayed_buf = NULL;
++ char *start_buf = buf;
+ short status;
+ struct ext_block_cache cache;
+
+@@ -139,6 +140,7 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ }
+ } else {
+ int n;
++ int n_left;
+ if (previous_block_number != -1) {
+ /* spill */
+ status = ext4fs_devread(delayed_start,
+@@ -153,8 +155,9 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
+ }
+ /* Zero no more than `len' bytes. */
+ n = blocksize - skipfirst;
+- if (n > len)
+- n = len;
++ n_left = len - ( buf - start_buf );
++ if (n > n_left)
++ n = n_left;
+ memset(buf, 0, n);
+ }
+ buf += blocksize - skipfirst;
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch b/poky/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
new file mode 100644
index 0000000..a19545a
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0005-CVE-2019-14192-14193-14199.patch
@@ -0,0 +1,43 @@
+From e8e602f4a4b2aacfb3da32bb8a838be15ea70e7b Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:33 +0000
+Subject: [PATCH 5/9] CVE: net: fix unbounded memcpy of UDP packet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a check to udp_len to fix unbounded memcpy for
+CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199.
+
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=fe7288069d2e6659117049f7d27e261b550bb725]
+
+CVE: CVE-2019-14192, CVE-2019-14193 and CVE-2019-14199
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/net.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/net.c b/net/net.c
+index 58b0417cbe..38105f1142 100644
+--- a/net/net.c
++++ b/net/net.c
+@@ -1252,6 +1252,9 @@ void net_process_received_packet(uchar *in_packet, int len)
+ return;
+ }
+
++ if (ntohs(ip->udp_len) < UDP_HDR_SIZE || ntohs(ip->udp_len) > ntohs(ip->ip_len))
++ return;
++
+ debug_cond(DEBUG_DEV_PKT,
+ "received UDP (to=%pI4, from=%pI4, len=%d)\n",
+ &dst_ip, &src_ip, len);
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch b/poky/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
new file mode 100644
index 0000000..04a09e4
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch
@@ -0,0 +1,44 @@
+From 261658ddaf24bb35edd477cf09ec055569fd9894 Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:40 +0000
+Subject: [PATCH 6/9] CVE: nfs: fix stack-based buffer overflow in some
+ nfs_handler reply helper functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a check to nfs_handler to fix buffer overflow for CVE-2019-14197,
+CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.
+
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21]
+
+CVE: CVE-2019-14197, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202,
+ CVE-2019-14203 and CVE-2019-14204
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index d6a7f8e827..b7cf3b3a18 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -732,6 +732,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+
+ debug("%s\n", __func__);
+
++ if (len > sizeof(struct rpc_t))
++ return;
++
+ if (dest != nfs_our_port)
+ return;
+
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch b/poky/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
new file mode 100644
index 0000000..b3e3b72
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0007-CVE-2019-14194-14198.patch
@@ -0,0 +1,42 @@
+From fb6dc193bf2685b7574b218f7ca558aa54659e11 Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:48 +0000
+Subject: [PATCH 7/9] CVE-2019-14194/CVE-2019-14198: nfs: fix unbounded memcpy
+ with a failed length check at nfs_read_reply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a check to rpc_pkt.u.reply.data at nfs_read_reply.
+
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=aa207cf3a6d68f39d64cd29057a4fb63943e9078]
+
+CVE: CVE-2019-14194 and CVE-2019-14198
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index b7cf3b3a18..11941fad1a 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -701,6 +701,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len)
+ &(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]);
+ }
+
++ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
++ return -9999;
++
+ if (store_block(data_ptr, nfs_offset, rlen))
+ return -9999;
+
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch b/poky/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
new file mode 100644
index 0000000..bf9fb0e
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0008-CVE-2019-14195.patch
@@ -0,0 +1,42 @@
+From 2236973b8a173ff54ae1ebf8ec2300928e69bd1b Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:47:54 +0000
+Subject: [PATCH 8/9] CVE-2019-14195: nfs: fix unbounded memcpy with
+ unvalidated length at nfs_readlink_reply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a check to rpc_pkt.u.reply.data at nfs_readlink_reply.
+
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=cf3a4f1e86ecdd24f87b615051b49d8e1968c230]
+
+CVE: CVE-2019-14195
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 11941fad1a..915acd95cf 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -634,6 +634,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len)
+ /* new path length */
+ rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]);
+
++ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len)
++ return -NFS_RPC_DROP;
++
+ if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') {
+ int pathlen;
+
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch b/poky/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
new file mode 100644
index 0000000..f06e025
--- /dev/null
+++ b/poky/meta/recipes-bsp/u-boot/files/0009-CVE-2019-14196.patch
@@ -0,0 +1,48 @@
+From 74c468caa95c86cdb12c4b8073e154c435ac0bf7 Mon Sep 17 00:00:00 2001
+From: "liucheng (G)" <liucheng32@huawei.com>
+Date: Thu, 29 Aug 2019 13:48:02 +0000
+Subject: [PATCH 9/9] CVE-2019-14196: nfs: fix unbounded memcpy with a failed
+ length check at nfs_lookup_reply
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This patch adds a check to rpc_pkt.u.reply.data at nfs_lookup_reply.
+
+Signed-off-by: Cheng Liu <liucheng32@huawei.com>
+Reported-by: Fermín Serna <fermin@semmle.com>
+Acked-by: Joe Hershberger <joe.hershberger@ni.com>
+
+Upstream-Status: Backport[http://git.denx.de/?p=u-boot.git;a=commit;
+ h=5d14ee4e53a81055d34ba280cb8fd90330f22a96]
+
+CVE: CVE-2019-14196
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ net/nfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/nfs.c b/net/nfs.c
+index 915acd95cf..89952aeb66 100644
+--- a/net/nfs.c
++++ b/net/nfs.c
+@@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len)
+ }
+
+ if (supported_nfs_versions & NFSV2_FLAG) {
++ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len)
++ return -NFS_RPC_DROP;
+ memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE);
+ } else { /* NFSV3_FLAG */
+ filefh3_length = ntohl(rpc_pkt.u.reply.data[1]);
+ if (filefh3_length > NFS3_FHSIZE)
+ filefh3_length = NFS3_FHSIZE;
++ if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len)
++ return -NFS_RPC_DROP;
+ memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length);
+ }
+
+--
+2.17.1
+
diff --git a/poky/meta/recipes-bsp/u-boot/u-boot-common.inc b/poky/meta/recipes-bsp/u-boot/u-boot-common.inc
index a056eae..f63dfa3 100644
--- a/poky/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/poky/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,6 +14,16 @@
# repo during parse
SRCREV = "e5aee22e4be75e75a854ab64503fc80598bc2004"
-SRC_URI = "git://git.denx.de/u-boot.git"
+SRC_URI = "git://git.denx.de/u-boot.git \
+ file://0001-CVE-2019-13103.patch \
+ file://0002-CVE-2019-13104.patch \
+ file://0003-CVE-2019-13105.patch \
+ file://0004-CVE-2019-13106.patch \
+ file://0005-CVE-2019-14192-14193-14199.patch \
+ file://0006-CVE-2019-14197-14200-14201-14202-14203-14204.patch \
+ file://0007-CVE-2019-14194-14198.patch \
+ file://0008-CVE-2019-14195.patch \
+ file://0009-CVE-2019-14196.patch \
+"
S = "${WORKDIR}/git"