Diffstat (limited to 'meta/recipes-devtools')
343 files changed, 39287 insertions, 1193 deletions
diff --git a/meta/recipes-devtools/apt/apt/0001-add-missing-cstdint-for-uint16_t.patch b/meta/recipes-devtools/apt/apt/0001-add-missing-cstdint-for-uint16_t.patch new file mode 100644 index 0000000000..44aa8a5873 --- /dev/null +++ b/meta/recipes-devtools/apt/apt/0001-add-missing-cstdint-for-uint16_t.patch @@ -0,0 +1,35 @@ +From 960d10e89cf60d39998dae6fdcd4f0866b753a79 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 23 Jan 2023 12:31:35 -0800 +Subject: [PATCH] add missing <cstdint> for uint16_t + +This fixes build problems with gcc 13 snapshot [1] + +Fixes +| include/apt-pkg/pkgcache.h:257:23: warning: cast from 'char*' to 'const uint16_t*' {aka 'const short unsigned int*'} increases required alignment of target type [-Wcast-align] +| 257 | uint16_t len = *reinterpret_cast<const uint16_t*>(name - sizeof(uint16_t)); +| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +[1] https://www.gnu.org/software/gcc/gcc-13/porting_to.html + +Upstream-Status: Submitted [https://salsa.debian.org/apt-team/apt/-/merge_requests/276] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + apt-pkg/contrib/mmap.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/apt-pkg/contrib/mmap.cc b/apt-pkg/contrib/mmap.cc +index 642e20473..0568e1cd0 100644 +--- a/apt-pkg/contrib/mmap.cc ++++ b/apt-pkg/contrib/mmap.cc +@@ -23,6 +23,7 @@ + #include <apt-pkg/macros.h> + #include <apt-pkg/mmap.h> + ++#include <cstdint> + #include <cstring> + #include <string> + #include <errno.h> +-- +2.39.1 + diff --git a/meta/recipes-devtools/apt/apt_2.4.5.bb b/meta/recipes-devtools/apt/apt_2.4.5.bb index 95c25e3036..9ceabcc186 100644 --- a/meta/recipes-devtools/apt/apt_2.4.5.bb +++ b/meta/recipes-devtools/apt/apt_2.4.5.bb 
@@ -13,6 +13,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/${BPN}_${PV}.tar.xz \ file://0001-cmake-Do-not-build-po-files.patch \ file://0001-Hide-fstatat64-and-prlimit64-defines-on-musl.patch \ file://0001-aptwebserver.cc-Include-array.patch \ + file://0001-add-missing-cstdint-for-uint16_t.patch \ " SRC_URI:append:class-native = " \ @@ -117,6 +118,7 @@ do_install:append:class-native() { do_install:append:class-nativesdk() { customize_apt_conf_sample + rm -rf ${D}${localstatedir}/log } do_install:append:class-target() { @@ -132,5 +134,5 @@ do_install:append:class-target() { do_install:append() { # Avoid non-reproducible -src package - sed -i -e "s,${B},,g" ${B}/apt-pkg/tagfile-keys.cc + sed -i -e "s,${B}/include/,,g" ${B}/apt-pkg/tagfile-keys.cc } diff --git a/meta/recipes-devtools/autoconf/autoconf/0001-Port-to-compilers-that-moan-about-K-R-func-decls.patch b/meta/recipes-devtools/autoconf/autoconf/0001-Port-to-compilers-that-moan-about-K-R-func-decls.patch new file mode 100644 index 0000000000..4f15bf96c3 --- /dev/null +++ b/meta/recipes-devtools/autoconf/autoconf/0001-Port-to-compilers-that-moan-about-K-R-func-decls.patch 
@@ -0,0 +1,138 @@ +From 7a3bbca81b803ba116b83c82de378e840cc35f81 Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@cs.ucla.edu> +Date: Thu, 1 Sep 2022 16:19:50 -0500 +Subject: [PATCH] Port to compilers that moan about K&R func decls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* lib/autoconf/c.m4 (AC_LANG_CALL, AC_LANG_FUNC_LINK_TRY): +Use '(void)' rather than '()' in function prototypes, as the latter +provokes fatal errors in some compilers nowadays. +* lib/autoconf/functions.m4 (AC_FUNC_STRTOD): +* tests/fortran.at (AC_F77_DUMMY_MAIN usage): +* tests/semantics.at (AC_CHECK_DECLS): +Don’t use () in a function decl. + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/autoconf.git/commit/?id=8b5e2016c7ed2d67f31b03a3d2e361858ff5299b] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + doc/autoconf.texi | 7 +++---- + lib/autoconf/c.m4 | 6 +++--- + lib/autoconf/functions.m4 | 3 --- + tests/fortran.at | 8 ++++---- + tests/semantics.at | 2 +- + 5 files changed, 11 insertions(+), 15 deletions(-) + +--- a/doc/autoconf.texi ++++ b/doc/autoconf.texi +@@ -5465,9 +5465,7 @@ the @samp{#undef malloc}): + #include <config.h> + #undef malloc + +-#include <sys/types.h> +- +-void *malloc (); ++#include <stdlib.h> + + /* Allocate an N-byte block of memory from the heap. + If N is zero, allocate a 1-byte block. */ +@@ -8295,7 +8293,7 @@ needed: + # ifdef __cplusplus + extern "C" + # endif +- int F77_DUMMY_MAIN () @{ return 1; @} ++ int F77_DUMMY_MAIN (void) @{ return 1; @} + #endif + @end example + +--- a/lib/autoconf/c.m4 ++++ b/lib/autoconf/c.m4 +@@ -127,7 +127,7 @@ m4_if([$2], [main], , + [/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +-char $2 ();])], [return $2 ();])]) ++char $2 (void);])], [return $2 ();])]) + + + # AC_LANG_FUNC_LINK_TRY(C)(FUNCTION) +@@ -151,7 +151,7 @@ m4_define([AC_LANG_FUNC_LINK_TRY(C)], + #define $1 innocuous_$1 + + /* System header to define __stub macros and hopefully few prototypes, +- which can conflict with char $1 (); below. */ ++ which can conflict with char $1 (void); below. */ + + #include <limits.h> + #undef $1 +@@ -162,7 +162,7 @@ m4_define([AC_LANG_FUNC_LINK_TRY(C)], + #ifdef __cplusplus + extern "C" + #endif +-char $1 (); ++char $1 (void); + /* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +--- a/lib/autoconf/functions.m4 ++++ b/lib/autoconf/functions.m4 +@@ -1601,9 +1601,6 @@ AC_DEFUN([AC_FUNC_STRTOD], + AC_CACHE_CHECK(for working strtod, ac_cv_func_strtod, + [AC_RUN_IFELSE([AC_LANG_SOURCE([[ + ]AC_INCLUDES_DEFAULT[ +-#ifndef strtod +-double strtod (); +-#endif + int + main (void) + { +--- a/tests/fortran.at ++++ b/tests/fortran.at +@@ -233,7 +233,7 @@ void FOOBAR_F77 (double *x, double *y); + # ifdef __cplusplus + extern "C" + # endif +- int F77_DUMMY_MAIN () { return 1; } ++ int F77_DUMMY_MAIN (void) { return 1; } + #endif + + int main(int argc, char *argv[]) +@@ -315,7 +315,7 @@ void FOOBAR_FC(double *x, double *y); + # ifdef __cplusplus + extern "C" + # endif +- int FC_DUMMY_MAIN () { return 1; } ++ int FC_DUMMY_MAIN (void) { return 1; } + #endif + + int main (int argc, char *argv[]) +@@ -561,7 +561,7 @@ void @foobar@ (int *x); + # ifdef __cplusplus + extern "C" + # endif +- int F77_DUMMY_MAIN () { return 1; } ++ int F77_DUMMY_MAIN (void) { return 1; } + #endif + + int main(int argc, char *argv[]) +@@ -637,7 +637,7 @@ void @foobar@ (int *x); + # ifdef __cplusplus + extern "C" + # endif +- int FC_DUMMY_MAIN () { return 1; } ++ int FC_DUMMY_MAIN (void) { return 1; } + #endif + + int main(int argc, char 
*argv[]) +--- a/tests/semantics.at ++++ b/tests/semantics.at +@@ -207,7 +207,7 @@ AT_CHECK_MACRO([AC_CHECK_DECLS], + [[extern int yes; + enum { myenum }; + extern struct mystruct_s { int x[20]; } mystruct; +- extern int myfunc(); ++ extern int myfunc (int); + #define mymacro1(arg) arg + #define mymacro2]]) + # Ensure we can detect missing declarations of functions whose diff --git a/meta/recipes-devtools/autoconf/autoconf_2.71.bb b/meta/recipes-devtools/autoconf/autoconf_2.71.bb index 799191e2ca..97c241a3f5 100644 --- a/meta/recipes-devtools/autoconf/autoconf_2.71.bb +++ b/meta/recipes-devtools/autoconf/autoconf_2.71.bb @@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/autoconf/${BP}.tar.gz \ file://preferbash.patch \ file://autotest-automake-result-format.patch \ file://man-host-perl.patch \ + file://0001-Port-to-compilers-that-moan-about-K-R-func-decls.patch \ " SRC_URI:append:class-native = " file://no-man.patch" diff --git a/meta/recipes-devtools/automake/automake/buildtest.patch b/meta/recipes-devtools/automake/automake/buildtest.patch index b88b9e8693..c43a4ac8f3 100644 --- a/meta/recipes-devtools/automake/automake/buildtest.patch +++ b/meta/recipes-devtools/automake/automake/buildtest.patch @@ -36,7 +36,7 @@ index e0db651..de137fa 100644 -check-TESTS: $(TESTS) +AM_RECURSIVE_TARGETS += buildtest runtest + -+buildtest-TESTS: $(TESTS) ++buildtest-TESTS: $(TESTS) $(check_PROGRAMS) + +check-TESTS: buildtest-TESTS + $(MAKE) $(AM_MAKEFLAGS) runtest-TESTS diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index a069071c97..bbe7bb57b2 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc 
@@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_38-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)" -SRCREV ?= "134f17ef688ba4c72a6c4e57af7382882cc1a705" +SRCREV ?= "ea5fe5d01e5a182ee7a0eddb54a702109a9f5931" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=git" SRC_URI = "\ ${BINUTILS_GIT_URI} \ @@ -33,5 +33,43 @@ SRC_URI = "\ file://0012-Check-for-clang-before-checking-gcc-version.patch \ file://0013-Avoid-as-info-race-condition.patch \ file://0014-CVE-2019-1010204.patch \ + file://0015-CVE-2022-38533.patch \ + file://0016-CVE-2022-38126.patch \ + file://0017-CVE-2022-38127-1.patch \ + file://0017-CVE-2022-38127-2.patch \ + file://0017-CVE-2022-38127-3.patch \ + file://0017-CVE-2022-38127-4.patch \ + file://0018-CVE-2022-38128-1.patch \ + file://0018-CVE-2022-38128-2.patch \ + file://0018-CVE-2022-38128-3.patch \ + file://0019-CVE-2022-4285.patch \ + file://0020-CVE-2023-22608-1.patch \ + file://0020-CVE-2023-22608-2.patch \ + file://0020-CVE-2023-22608-3.patch \ + file://0021-CVE-2023-1579-1.patch \ + file://0021-CVE-2023-1579-2.patch \ + file://0021-CVE-2023-1579-3.patch \ + file://0021-CVE-2023-1579-4.patch \ + file://0022-CVE-2023-25584-1.patch \ + file://0022-CVE-2023-25584-2.patch \ + file://0022-CVE-2023-25584-3.patch \ + file://0023-CVE-2023-25585.patch \ + file://0026-CVE-2023-1972.patch \ + file://0025-CVE-2023-25588.patch \ + file://0027-CVE-2022-47008.patch \ + file://0028-CVE-2022-47011.patch \ + file://0029-CVE-2022-48065-1.patch \ + file://0029-CVE-2022-48065-2.patch \ + file://0029-CVE-2022-48065-3.patch \ + file://0030-CVE-2022-44840.patch \ + file://0031-CVE-2022-45703-1.patch \ + file://0031-CVE-2022-45703-2.patch \ + file://0031-CVE-2022-47695.patch \ + file://CVE-2022-48063.patch \ + file://0032-CVE-2022-47010.patch \ + file://0033-CVE-2022-47007.patch \ + file://0034-CVE-2022-48064.patch \ + file://0035-CVE-2023-39129.patch \ + file://0036-CVE-2023-39130.patch \ " S = "${WORKDIR}/git" 
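Review bot: The new SRC_URI entries do not follow one numbering scheme, which makes it harder to audit which CVE fixes are applied and in what order. `0026-CVE-2023-1972.patch` is listed before `0025-CVE-2023-25588.patch`, there is no `0024-` entry, the `0031-` prefix is shared by CVE-2022-45703 and CVE-2022-47695, and `CVE-2022-48063.patch` has no prefix at all. Patches are applied in list order rather than filename order, so if the sequence is deliberate a comment above the block such as `# Applied in list order; numeric prefixes are historical and not authoritative` would record that. The three patch headers visible on this page carry `Upstream-Status:` and `Signed-off-by:` but no `CVE:` line; adding one to each (for example `CVE: CVE-2022-38533`) would make the coverage explicit in the patch itself rather than only in the filename.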
diff --git a/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch b/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch index 59a97c13c7..8a5f4a8d79 100644 --- a/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch +++ b/meta/recipes-devtools/binutils/binutils/0003-binutils-nativesdk-Search-for-alternative-ld.so.conf.patch @@ -65,7 +65,7 @@ index 121c25d948f..34cbc60e5e9 100644 info.path = NULL; info.len = info.alloc = 0; - tmppath = concat (ld_sysroot, prefix, "/etc/ld.so.conf", -+ tmppath = concat (ld_sysconfdir, "/etc/ld.so.conf", ++ tmppath = concat (ld_sysconfdir, "/ld.so.conf", (const char *) NULL); if (!ldelf_parse_ld_so_conf (&info, tmppath)) { diff --git a/meta/recipes-devtools/binutils/binutils/0015-CVE-2022-38533.patch b/meta/recipes-devtools/binutils/binutils/0015-CVE-2022-38533.patch new file mode 100644 index 0000000000..5d9ac2cb1f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0015-CVE-2022-38533.patch 
@@ -0,0 +1,36 @@ +From ef186fe54aa6d281a3ff8a9528417e5cc614c797 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sat, 13 Aug 2022 15:32:47 +0930 +Subject: [PATCH] PR29482 - strip: heap-buffer-overflow + + PR 29482 + * coffcode.h (coff_set_section_contents): Sanity check _LIB. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> + +--- + bfd/coffcode.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/bfd/coffcode.h b/bfd/coffcode.h +index 67aaf158ca1..52027981c3f 100644 +--- a/bfd/coffcode.h ++++ b/bfd/coffcode.h +@@ -4302,10 +4302,13 @@ coff_set_section_contents (bfd * abfd, + + rec = (bfd_byte *) location; + recend = rec + count; +- while (rec < recend) ++ while (recend - rec >= 4) + { ++ size_t len = bfd_get_32 (abfd, rec); ++ if (len == 0 || len > (size_t) (recend - rec) / 4) ++ break; ++ rec += len * 4; + ++section->lma; +- rec += bfd_get_32 (abfd, rec) * 4; + } + + BFD_ASSERT (rec == recend); diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch new file mode 100644 index 0000000000..8200e28a81 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch 
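Review bot: When the new sanity check rejects a record, the loop in coff_set_section_contents exits through `break` with `rec != recend`, and the unchanged `BFD_ASSERT (rec == recend);` after it is the only thing that reports the malformed _LIB section. `section->lma` is then left holding the count of records seen before the bad one, and whether the function still goes on to write the contents depends on code outside this hunk. The bound itself looks sound, since `len <= (recend - rec) / 4` also keeps `len * 4` from overflowing. A short comment at the `break` would make the intent clear to the next reader, for example `/* Malformed _LIB record: stop counting; the BFD_ASSERT below reports the mismatch. */`.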
@@ -0,0 +1,34 @@ +From e3e5ae049371a27fd1737aba946fe26d06e029b5 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Mon, 27 Jun 2022 13:43:02 +0100 +Subject: [PATCH] Replace a run-time assertion failure with a warning message + when parsing corrupt DWARF data. + + PR 29289 + * dwarf.c (display_debug_names): Replace assert with a warning + message. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3e5ae049371a27fd1737aba946fe26d06e029b5] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 7 ++++++- + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 37b477b886d..b99c56987da 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -9802,7 +9802,12 @@ display_debug_names (struct dwarf_sectio + printf (_("Out of %lu items there are %zu bucket clashes" + " (longest of %zu entries).\n"), + (unsigned long) name_count, hash_clash_count, longest_clash); +- assert (name_count == buckets_filled + hash_clash_count); ++ ++ if (name_count != buckets_filled + hash_clash_count) ++ warn (_("The name_count (%lu) is not the same as the used bucket_count (%lu) + the hash clash count (%lu)"), ++ (unsigned long) name_count, ++ (unsigned long) buckets_filled, ++ (unsigned long) hash_clash_count); + + struct abbrev_lookup_entry + { diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-1.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-1.patch new file mode 100644 index 0000000000..9bbf1d6453 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-1.patch 
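Review bot: The format string of the new `warn ()` in display_debug_names has no trailing `\n`, unlike other `warn ()` calls in this file such as `"Offset into section %s too big: 0x%s\n"`, so the message may run into the following output. Ending the string with `... the hash clash count (%lu)\n"` would match them, although this is a verbatim backport and the change would be better made upstream first. After the warning, execution continues with counts already known to be inconsistent; the code that uses them is outside this hunk, so it is worth confirming that it bounds its own accesses.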
@@ -0,0 +1,1224 @@ +From 19c26da69d68d5d863f37c06ad73ab6292d02ffa Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 6 Apr 2022 14:43:37 +0100 +Subject: [PATCH] Add code to display the contents of .debug_loclists sections + which contain offset entry tables. + + PR 28981 + * dwarf.c (fetch_indexed_value): Rename to fecth_indexed_addr and + return the address, rather than a string. + (fetch_indexed_value): New function - returns a value indexed by a + DW_FORM_loclistx or DW_FORM_rnglistx form. + (read_and_display_attr_value): Add support for DW_FORM_loclistx + and DW_FORM_rnglistx. + (process_debug_info): Load the loclists and rnglists sections. + (display_loclists_list): Add support for DW_LLE_base_addressx, + DW_LLE_startx_endx, DW_LLE_startx_length and + DW_LLE_default_location. + (display_offset_entry_loclists): New function. Displays a + .debug_loclists section that contains offset entry tables. + (display_debug_loc): Call the new function. + (display_debug_rnglists_list): Add support for + DW_RLE_base_addressx, DW_RLE_startx_endx and DW_RLE_startx_length. + (display_debug_ranges): Display the contents of the section's + header. + * dwarf.h (struct debug_info): Add loclists_base field. + * testsuite/binutils-all/dw5.W: Update expected output. + * testsuite/binutils-all/x86-64/pr26808.dump: Likewise. 
+ +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=19c26da69d68d5d863f37c06ad73ab6292d02ffa] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/ChangeLog | 24 + + binutils/dwarf.c | 513 +++++++++++++++--- + binutils/dwarf.h | 4 + + binutils/testsuite/binutils-all/dw5.W | 2 +- + .../binutils-all/x86-64/pr26808.dump | 82 +-- + gas/ChangeLog | 5 + + gas/testsuite/gas/elf/dwarf-5-irp.d | 2 +- + 7 files changed, 517 insertions(+), 115 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 15b3c81a138..bc862f77c04 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -240,7 +240,7 @@ static const char * + dwarf_vmatoa_1 (const char *fmtch, dwarf_vma value, unsigned num_bytes) + { + /* As dwarf_vmatoa is used more then once in a printf call +- for output, we are cycling through an fixed array of pointers ++ for output, we are cycling through a fixed array of pointers + for return address. */ + static int buf_pos = 0; + static struct dwarf_vmatoa_buf +@@ -796,24 +796,70 @@ fetch_indexed_string (dwarf_vma idx, str + return ret; + } + +-static const char * +-fetch_indexed_value (dwarf_vma offset, dwarf_vma bytes) ++static dwarf_vma ++fetch_indexed_addr (dwarf_vma offset, uint32_t num_bytes) + { + struct dwarf_section *section = &debug_displays [debug_addr].section; + + if (section->start == NULL) +- return (_("<no .debug_addr section>")); ++ { ++ warn (_("<no .debug_addr section>")); ++ return 0; ++ } + +- if (offset + bytes > section->size) ++ if (offset + num_bytes > section->size) + { + warn (_("Offset into section %s too big: 0x%s\n"), + section->name, dwarf_vmatoa ("x", offset)); +- return "<offset too big>"; ++ return 0; + } + +- return dwarf_vmatoa ("x", byte_get (section->start + offset, bytes)); ++ return byte_get (section->start + offset, num_bytes); + } + ++/* Fetch a value from a debug section that has been indexed by ++ something in another section (eg DW_FORM_loclistx). 
++ Returns 0 if the value could not be found. */ ++ ++static dwarf_vma ++fetch_indexed_value (dwarf_vma index, ++ enum dwarf_section_display_enum sec_enum) ++{ ++ struct dwarf_section *section = &debug_displays [sec_enum].section; ++ ++ if (section->start == NULL) ++ { ++ warn (_("Unable to locate %s section\n"), section->uncompressed_name); ++ return 0; ++ } ++ ++ uint32_t pointer_size, bias; ++ ++ if (byte_get (section->start, 4) == 0xffffffff) ++ { ++ pointer_size = 8; ++ bias = 20; ++ } ++ else ++ { ++ pointer_size = 4; ++ bias = 12; ++ } ++ ++ dwarf_vma offset = index * pointer_size; ++ ++ /* Offsets are biased by the size of the section header. */ ++ offset += bias; ++ ++ if (offset + pointer_size > section->size) ++ { ++ warn (_("Offset into section %s too big: 0x%s\n"), ++ section->name, dwarf_vmatoa ("x", offset)); ++ return 0; ++ } ++ ++ return byte_get (section->start + offset, pointer_size); ++} + + /* FIXME: There are better and more efficient ways to handle + these structures. 
For now though, I just want something that +@@ -1999,6 +2045,8 @@ skip_attr_bytes (unsigned long form, + case DW_FORM_strx: + case DW_FORM_GNU_addr_index: + case DW_FORM_addrx: ++ case DW_FORM_loclistx: ++ case DW_FORM_rnglistx: + READ_ULEB (uvalue, data, end); + break; + +@@ -2410,9 +2458,6 @@ read_and_display_attr_value (unsigned lo + + switch (form) + { +- default: +- break; +- + case DW_FORM_ref_addr: + if (dwarf_version == 2) + SAFE_BYTE_GET_AND_INC (uvalue, data, pointer_size, end); +@@ -2496,6 +2541,8 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_udata: + case DW_FORM_GNU_addr_index: + case DW_FORM_addrx: ++ case DW_FORM_loclistx: ++ case DW_FORM_rnglistx: + READ_ULEB (uvalue, data, end); + break; + +@@ -2515,6 +2562,9 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_implicit_const: + uvalue = implicit_const; + break; ++ ++ default: ++ break; + } + + switch (form) +@@ -2710,6 +2760,8 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_addrx2: + case DW_FORM_addrx3: + case DW_FORM_addrx4: ++ case DW_FORM_loclistx: ++ case DW_FORM_rnglistx: + if (!do_loc) + { + dwarf_vma base; +@@ -2728,11 +2780,11 @@ read_and_display_attr_value (unsigned lo + /* We have already displayed the form name. 
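Review bot: In the embedded dwarf.c hunk, both bounds checks, `offset + num_bytes > section->size` in fetch_indexed_addr and `offset + pointer_size > section->size` in the new fetch_indexed_value, add to a value taken from the file being inspected, so an offset near the top of the `dwarf_vma` range can wrap and pass the check before `byte_get` reads from `section->start + offset`. Writing the test without the addition avoids that: `if (pointer_size > section->size || offset > section->size - pointer_size)`, and the same shape with `num_bytes` in fetch_indexed_addr. fetch_indexed_value also calls `byte_get (section->start, 4)` before checking that the section holds at least four bytes, and `index * pointer_size` is computed unchecked. The later patches in this series (-2 to -4) are not visible here and may already tighten this.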
*/ + printf (_("%c(index: 0x%s): %s"), delimiter, + dwarf_vmatoa ("x", uvalue), +- fetch_indexed_value (offset, pointer_size)); ++ dwarf_vmatoa ("x", fetch_indexed_addr (offset, pointer_size))); + else + printf (_("%c(addr_index: 0x%s): %s"), delimiter, + dwarf_vmatoa ("x", uvalue), +- fetch_indexed_value (offset, pointer_size)); ++ dwarf_vmatoa ("x", fetch_indexed_addr (offset, pointer_size))); + } + break; + +@@ -2754,6 +2806,13 @@ read_and_display_attr_value (unsigned lo + { + switch (attribute) + { ++ case DW_AT_loclists_base: ++ if (debug_info_p->loclists_base) ++ warn (_("CU @ 0x%s has multiple loclists_base values"), ++ dwarf_vmatoa ("x", debug_info_p->cu_offset)); ++ debug_info_p->loclists_base = uvalue; ++ break; ++ + case DW_AT_frame_base: + have_frame_base = 1; + /* Fall through. */ +@@ -2776,7 +2835,8 @@ read_and_display_attr_value (unsigned lo + case DW_AT_GNU_call_site_target_clobbered: + if ((dwarf_version < 4 + && (form == DW_FORM_data4 || form == DW_FORM_data8)) +- || form == DW_FORM_sec_offset) ++ || form == DW_FORM_sec_offset ++ || form == DW_FORM_loclistx) + { + /* Process location list. */ + unsigned int lmax = debug_info_p->max_loc_offsets; +@@ -2796,11 +2856,17 @@ read_and_display_attr_value (unsigned lo + lmax, sizeof (*debug_info_p->have_frame_base)); + debug_info_p->max_loc_offsets = lmax; + } +- if (this_set != NULL) ++ ++ if (form == DW_FORM_loclistx) ++ uvalue = fetch_indexed_value (uvalue, loclists); ++ else if (this_set != NULL) + uvalue += this_set->section_offsets [DW_SECT_LOC]; ++ + debug_info_p->have_frame_base [num] = have_frame_base; + if (attribute != DW_AT_GNU_locviews) + { ++ uvalue += debug_info_p->loclists_base; ++ + /* Corrupt DWARF info can produce more offsets than views. + See PR 23062 for an example. 
*/ + if (debug_info_p->num_loc_offsets +@@ -2844,7 +2910,8 @@ read_and_display_attr_value (unsigned lo + case DW_AT_ranges: + if ((dwarf_version < 4 + && (form == DW_FORM_data4 || form == DW_FORM_data8)) +- || form == DW_FORM_sec_offset) ++ || form == DW_FORM_sec_offset ++ || form == DW_FORM_rnglistx) + { + /* Process range list. */ + unsigned int lmax = debug_info_p->max_range_lists; +@@ -2858,6 +2925,10 @@ read_and_display_attr_value (unsigned lo + lmax, sizeof (*debug_info_p->range_lists)); + debug_info_p->max_range_lists = lmax; + } ++ ++ if (form == DW_FORM_rnglistx) ++ uvalue = fetch_indexed_value (uvalue, rnglists); ++ + debug_info_p->range_lists [num] = uvalue; + debug_info_p->num_range_lists++; + } +@@ -3231,6 +3302,7 @@ read_and_display_attr_value (unsigned lo + have_frame_base = 1; + /* Fall through. */ + case DW_AT_location: ++ case DW_AT_loclists_base: + case DW_AT_string_length: + case DW_AT_return_addr: + case DW_AT_data_member_location: +@@ -3248,7 +3320,8 @@ read_and_display_attr_value (unsigned lo + case DW_AT_GNU_call_site_target_clobbered: + if ((dwarf_version < 4 + && (form == DW_FORM_data4 || form == DW_FORM_data8)) +- || form == DW_FORM_sec_offset) ++ || form == DW_FORM_sec_offset ++ || form == DW_FORM_loclistx) + printf (_(" (location list)")); + /* Fall through. 
*/ + case DW_AT_allocated: +@@ -3517,6 +3590,9 @@ process_debug_info (struct dwarf_section + } + + load_debug_section_with_follow (abbrev_sec, file); ++ load_debug_section_with_follow (loclists, file); ++ load_debug_section_with_follow (rnglists, file); ++ + if (debug_displays [abbrev_sec].section.start == NULL) + { + warn (_("Unable to locate %s section!\n"), +@@ -3729,6 +3805,7 @@ process_debug_info (struct dwarf_section + debug_information [unit].have_frame_base = NULL; + debug_information [unit].max_loc_offsets = 0; + debug_information [unit].num_loc_offsets = 0; ++ debug_information [unit].loclists_base = 0; + debug_information [unit].range_lists = NULL; + debug_information [unit].max_range_lists= 0; + debug_information [unit].num_range_lists = 0; +@@ -6465,20 +6542,21 @@ display_loc_list (struct dwarf_section * + /* Display a location list from a normal (ie, non-dwo) .debug_loclists section. */ + + static void +-display_loclists_list (struct dwarf_section *section, +- unsigned char **start_ptr, +- unsigned int debug_info_entry, +- dwarf_vma offset, +- dwarf_vma base_address, +- unsigned char **vstart_ptr, +- int has_frame_base) +-{ +- unsigned char *start = *start_ptr, *vstart = *vstart_ptr; +- unsigned char *section_end = section->start + section->size; +- dwarf_vma cu_offset; +- unsigned int pointer_size; +- unsigned int offset_size; +- int dwarf_version; ++display_loclists_list (struct dwarf_section * section, ++ unsigned char ** start_ptr, ++ unsigned int debug_info_entry, ++ dwarf_vma offset, ++ dwarf_vma base_address, ++ unsigned char ** vstart_ptr, ++ int has_frame_base) ++{ ++ unsigned char * start = *start_ptr; ++ unsigned char * vstart = *vstart_ptr; ++ unsigned char * section_end = section->start + section->size; ++ dwarf_vma cu_offset; ++ unsigned int pointer_size; ++ unsigned int offset_size; ++ unsigned int dwarf_version; + + /* Initialize it due to a false compiler warning. 
*/ + dwarf_vma begin = -1, vbegin = -1; +@@ -6544,27 +6622,59 @@ display_loclists_list (struct dwarf_sect + case DW_LLE_end_of_list: + printf (_("<End of list>\n")); + break; ++ ++ case DW_LLE_base_addressx: ++ READ_ULEB (base_address, start, section_end); ++ print_dwarf_vma (base_address, pointer_size); ++ printf (_("(index into .debug_addr) ")); ++ base_address = fetch_indexed_addr (base_address, pointer_size); ++ print_dwarf_vma (base_address, pointer_size); ++ printf (_("(base address)\n")); ++ break; ++ ++ case DW_LLE_startx_endx: ++ READ_ULEB (begin, start, section_end); ++ begin = fetch_indexed_addr (begin, pointer_size); ++ READ_ULEB (end, start, section_end); ++ end = fetch_indexed_addr (end, pointer_size); ++ break; ++ ++ case DW_LLE_startx_length: ++ READ_ULEB (begin, start, section_end); ++ begin = fetch_indexed_addr (begin, pointer_size); ++ READ_ULEB (end, start, section_end); ++ end += begin; ++ break; ++ ++ case DW_LLE_default_location: ++ begin = end = 0; ++ break; ++ + case DW_LLE_offset_pair: + READ_ULEB (begin, start, section_end); + begin += base_address; + READ_ULEB (end, start, section_end); + end += base_address; + break; ++ ++ case DW_LLE_base_address: ++ SAFE_BYTE_GET_AND_INC (base_address, start, pointer_size, ++ section_end); ++ print_dwarf_vma (base_address, pointer_size); ++ printf (_("(base address)\n")); ++ break; ++ + case DW_LLE_start_end: + SAFE_BYTE_GET_AND_INC (begin, start, pointer_size, section_end); + SAFE_BYTE_GET_AND_INC (end, start, pointer_size, section_end); + break; ++ + case DW_LLE_start_length: + SAFE_BYTE_GET_AND_INC (begin, start, pointer_size, section_end); + READ_ULEB (end, start, section_end); + end += begin; + break; +- case DW_LLE_base_address: +- SAFE_BYTE_GET_AND_INC (base_address, start, pointer_size, +- section_end); +- print_dwarf_vma (base_address, pointer_size); +- printf (_("(base address)\n")); +- break; ++ + #ifdef DW_LLE_view_pair + case DW_LLE_view_pair: + if (vstart) +@@ -6578,15 +6688,17 @@ 
display_loclists_list (struct dwarf_sect + printf (_("views for:\n")); + continue; + #endif ++ + default: + error (_("Invalid location list entry type %d\n"), llet); + return; + } ++ + if (llet == DW_LLE_end_of_list) + break; +- if (llet != DW_LLE_offset_pair +- && llet != DW_LLE_start_end +- && llet != DW_LLE_start_length) ++ ++ if (llet == DW_LLE_base_address ++ || llet == DW_LLE_base_addressx) + continue; + + if (start == section_end) +@@ -6828,6 +6940,218 @@ loc_offsets_compar (const void *ap, cons + } + + static int ++display_offset_entry_loclists (struct dwarf_section *section) ++{ ++ unsigned char * start = section->start; ++ unsigned char * const end = start + section->size; ++ ++ introduce (section, false); ++ ++ do ++ { ++ dwarf_vma length; ++ unsigned short version; ++ unsigned char address_size; ++ unsigned char segment_selector_size; ++ uint32_t offset_entry_count; ++ uint32_t i; ++ bool is_64bit; ++ ++ printf (_("Table at Offset 0x%lx\n"), (long)(start - section->start)); ++ ++ SAFE_BYTE_GET_AND_INC (length, start, 4, end); ++ if (length == 0xffffffff) ++ { ++ is_64bit = true; ++ SAFE_BYTE_GET_AND_INC (length, start, 8, end); ++ } ++ else ++ is_64bit = false; ++ ++ SAFE_BYTE_GET_AND_INC (version, start, 2, end); ++ SAFE_BYTE_GET_AND_INC (address_size, start, 1, end); ++ SAFE_BYTE_GET_AND_INC (segment_selector_size, start, 1, end); ++ SAFE_BYTE_GET_AND_INC (offset_entry_count, start, 4, end); ++ ++ printf (_(" Length: 0x%s\n"), dwarf_vmatoa ("x", length)); ++ printf (_(" DWARF version: %u\n"), version); ++ printf (_(" Address size: %u\n"), address_size); ++ printf (_(" Segment size: %u\n"), segment_selector_size); ++ printf (_(" Offset entries: %u\n"), offset_entry_count); ++ ++ if (version < 5) ++ { ++ warn (_("The %s section contains a corrupt or " ++ "unsupported version number: %d.\n"), ++ section->name, version); ++ return 0; ++ } ++ ++ if (segment_selector_size != 0) ++ { ++ warn (_("The %s section contains an " ++ "unsupported segment selector 
size: %d.\n"), ++ section->name, segment_selector_size); ++ return 0; ++ } ++ ++ if (offset_entry_count == 0) ++ { ++ warn (_("The %s section contains a table without offset\n"), ++ section->name); ++ return 0; ++ } ++ ++ printf (_("\n Offset Entries starting at 0x%lx:\n"), ++ (long)(start - section->start)); ++ ++ if (is_64bit) ++ { ++ for (i = 0; i < offset_entry_count; i++) ++ { ++ dwarf_vma entry; ++ ++ SAFE_BYTE_GET_AND_INC (entry, start, 8, end); ++ printf (_(" [%6u] 0x%s\n"), i, dwarf_vmatoa ("x", entry)); ++ } ++ } ++ else ++ { ++ for (i = 0; i < offset_entry_count; i++) ++ { ++ uint32_t entry; ++ ++ SAFE_BYTE_GET_AND_INC (entry, start, 4, end); ++ printf (_(" [%6u] 0x%x\n"), i, entry); ++ } ++ } ++ ++ putchar ('\n'); ++ ++ uint32_t j; ++ ++ for (j = 1, i = 0; i < offset_entry_count;) ++ { ++ unsigned char lle; ++ dwarf_vma base_address = 0; ++ dwarf_vma begin; ++ dwarf_vma finish; ++ dwarf_vma off = start - section->start; ++ ++ if (j != i) ++ { ++ printf (_(" Offset Entry %u\n"), i); ++ j = i; ++ } ++ ++ printf (" "); ++ print_dwarf_vma (off, 4); ++ ++ SAFE_BYTE_GET_AND_INC (lle, start, 1, end); ++ ++ switch (lle) ++ { ++ case DW_LLE_end_of_list: ++ printf (_("<End of list>\n\n")); ++ i ++; ++ continue; ++ ++ case DW_LLE_base_addressx: ++ READ_ULEB (base_address, start, end); ++ print_dwarf_vma (base_address, address_size); ++ printf (_("(index into .debug_addr) ")); ++ base_address = fetch_indexed_addr (base_address, address_size); ++ print_dwarf_vma (base_address, address_size); ++ printf (_("(base address)\n")); ++ continue; ++ ++ case DW_LLE_startx_endx: ++ READ_ULEB (begin, start, end); ++ begin = fetch_indexed_addr (begin, address_size); ++ READ_ULEB (finish, start, end); ++ finish = fetch_indexed_addr (finish, address_size); ++ break; ++ ++ case DW_LLE_startx_length: ++ READ_ULEB (begin, start, end); ++ begin = fetch_indexed_addr (begin, address_size); ++ READ_ULEB (finish, start, end); ++ finish += begin; ++ break; ++ ++ case DW_LLE_offset_pair: 
++ READ_ULEB (begin, start, end); ++ begin += base_address; ++ READ_ULEB (finish, start, end); ++ finish += base_address; ++ break; ++ ++ case DW_LLE_default_location: ++ begin = finish = 0; ++ break; ++ ++ case DW_LLE_base_address: ++ SAFE_BYTE_GET_AND_INC (base_address, start, address_size, end); ++ print_dwarf_vma (base_address, address_size); ++ printf (_("(base address)\n")); ++ continue; ++ ++ case DW_LLE_start_end: ++ SAFE_BYTE_GET_AND_INC (begin, start, address_size, end); ++ SAFE_BYTE_GET_AND_INC (finish, start, address_size, end); ++ break; ++ ++ case DW_LLE_start_length: ++ SAFE_BYTE_GET_AND_INC (begin, start, address_size, end); ++ READ_ULEB (finish, start, end); ++ finish += begin; ++ break; ++ ++ default: ++ error (_("Invalid location list entry type %d\n"), lle); ++ return 0; ++ } ++ ++ if (start == end) ++ { ++ warn (_("Location list starting at offset 0x%lx is not terminated.\n"), ++ (unsigned long) off); ++ break; ++ } ++ ++ print_dwarf_vma (begin, address_size); ++ print_dwarf_vma (finish, address_size); ++ ++ if (begin == finish) ++ fputs (_(" (start == end)"), stdout); ++ else if (begin > finish) ++ fputs (_(" (start > end)"), stdout); ++ ++ /* Read the counted location descriptions. 
*/ ++ READ_ULEB (length, start, end); ++ ++ if (length > (size_t) (end - start)) ++ { ++ warn (_("Location list starting at offset 0x%lx is not terminated.\n"), ++ (unsigned long) off); ++ break; ++ } ++ ++ putchar (' '); ++ (void) decode_location_expression (start, address_size, address_size, ++ version, length, 0, section); ++ start += length; ++ putchar ('\n'); ++ } ++ ++ putchar ('\n'); ++ } ++ while (start < end); ++ ++ return 1; ++} ++ ++static int + display_debug_loc (struct dwarf_section *section, void *file) + { + unsigned char *start = section->start, *vstart = NULL; +@@ -6893,13 +7217,9 @@ display_debug_loc (struct dwarf_section + } + + SAFE_BYTE_GET_AND_INC (offset_entry_count, hdrptr, 4, end); ++ + if (offset_entry_count != 0) +- { +- warn (_("The %s section contains " +- "unsupported offset entry count: %d.\n"), +- section->name, offset_entry_count); +- return 0; +- } ++ return display_offset_entry_loclists (section); + + expected_start = hdrptr - section_begin; + } +@@ -6959,9 +7279,10 @@ display_debug_loc (struct dwarf_section + if (debug_information [first].num_loc_offsets > 0 + && debug_information [first].loc_offsets [0] != expected_start + && debug_information [first].loc_views [0] != expected_start) +- warn (_("Location lists in %s section start at 0x%s\n"), ++ warn (_("Location lists in %s section start at 0x%s rather than 0x%s\n"), + section->name, +- dwarf_vmatoa ("x", debug_information [first].loc_offsets [0])); ++ dwarf_vmatoa ("x", debug_information [first].loc_offsets [0]), ++ dwarf_vmatoa ("x", expected_start)); + + if (!locs_sorted) + array = (unsigned int *) xcmalloc (num_loc_list, sizeof (unsigned int)); +@@ -7639,24 +7960,44 @@ display_debug_rnglists_list (unsigned ch + case DW_RLE_end_of_list: + printf (_("<End of list>\n")); + break; +- case DW_RLE_base_address: +- SAFE_BYTE_GET_AND_INC (base_address, start, pointer_size, finish); ++ case DW_RLE_base_addressx: ++ READ_ULEB (base_address, start, finish); ++ print_dwarf_vma 
(base_address, pointer_size); ++ printf (_("(base address index) ")); ++ base_address = fetch_indexed_addr (base_address, pointer_size); + print_dwarf_vma (base_address, pointer_size); + printf (_("(base address)\n")); + break; +- case DW_RLE_start_length: +- SAFE_BYTE_GET_AND_INC (begin, start, pointer_size, finish); ++ case DW_RLE_startx_endx: ++ READ_ULEB (begin, start, finish); ++ READ_ULEB (end, start, finish); ++ begin = fetch_indexed_addr (begin, pointer_size); ++ end = fetch_indexed_addr (begin, pointer_size); ++ break; ++ case DW_RLE_startx_length: ++ READ_ULEB (begin, start, finish); + READ_ULEB (length, start, finish); ++ begin = fetch_indexed_addr (begin, pointer_size); + end = begin + length; + break; + case DW_RLE_offset_pair: + READ_ULEB (begin, start, finish); + READ_ULEB (end, start, finish); + break; ++ case DW_RLE_base_address: ++ SAFE_BYTE_GET_AND_INC (base_address, start, pointer_size, finish); ++ print_dwarf_vma (base_address, pointer_size); ++ printf (_("(base address)\n")); ++ break; + case DW_RLE_start_end: + SAFE_BYTE_GET_AND_INC (begin, start, pointer_size, finish); + SAFE_BYTE_GET_AND_INC (end, start, pointer_size, finish); + break; ++ case DW_RLE_start_length: ++ SAFE_BYTE_GET_AND_INC (begin, start, pointer_size, finish); ++ READ_ULEB (length, start, finish); ++ end = begin + length; ++ break; + default: + error (_("Invalid range list entry type %d\n"), rlet); + rlet = DW_RLE_end_of_list; +@@ -7664,7 +8005,7 @@ display_debug_rnglists_list (unsigned ch + } + if (rlet == DW_RLE_end_of_list) + break; +- if (rlet == DW_RLE_base_address) ++ if (rlet == DW_RLE_base_address || rlet == DW_RLE_base_addressx) + continue; + + /* Only a DW_RLE_offset_pair needs the base address added. 
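Review bot: In the new `DW_RLE_startx_endx` case, `end = fetch_indexed_addr (begin, pointer_size);` looks up `end` using `begin`, which the statement just before it has already replaced with a resolved address. The index that READ_ULEB stored in `end` is therefore discarded, and the printed range end comes from an unrelated .debug_addr slot. The line should read `end = fetch_indexed_addr (end, pointer_size);`. The follow-up patch 0017-CVE-2022-38127-2.patch rewrites this statement in its `@@ -7964,20 +7981,24 @@` hunk but still passes `begin`; there the argument should be `(end * pointer_size) + debug_addr_section_hdr_len`. The enclosing switch starts outside this hunk.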
*/ +@@ -7709,6 +8050,8 @@ display_debug_ranges (struct dwarf_secti + return 0; + } + ++ introduce (section, false); ++ + if (is_rnglists) + { + dwarf_vma initial_length; +@@ -7745,19 +8088,19 @@ display_debug_ranges (struct dwarf_secti + } + } + +- /* Get and check the version number. */ ++ /* Get the other fields in the header. */ + SAFE_BYTE_GET_AND_INC (version, start, 2, finish); +- +- if (version != 5) +- { +- warn (_("Only DWARF version 5 debug_rnglists info " +- "is currently supported.\n")); +- return 0; +- } +- + SAFE_BYTE_GET_AND_INC (address_size, start, 1, finish); +- + SAFE_BYTE_GET_AND_INC (segment_selector_size, start, 1, finish); ++ SAFE_BYTE_GET_AND_INC (offset_entry_count, start, 4, finish); ++ ++ printf (_(" Length: 0x%s\n"), dwarf_vmatoa ("x", initial_length)); ++ printf (_(" DWARF version: %u\n"), version); ++ printf (_(" Address size: %u\n"), address_size); ++ printf (_(" Segment size: %u\n"), segment_selector_size); ++ printf (_(" Offset entries: %u\n"), offset_entry_count); ++ ++ /* Check the fields. 
*/ + if (segment_selector_size != 0) + { + warn (_("The %s section contains " +@@ -7766,16 +8109,39 @@ display_debug_ranges (struct dwarf_secti + return 0; + } + +- SAFE_BYTE_GET_AND_INC (offset_entry_count, start, 4, finish); +- if (offset_entry_count != 0) ++ if (version < 5) + { +- warn (_("The %s section contains " +- "unsupported offset entry count: %u.\n"), +- section->name, offset_entry_count); ++ warn (_("Only DWARF version 5+ debug_rnglists info " ++ "is currently supported.\n")); + return 0; + } +- } + ++ if (offset_entry_count != 0) ++ { ++ printf (_("\n Offsets starting at 0x%lx:\n"), (long)(start - section->start)); ++ if (offset_size == 8) ++ { ++ for (i = 0; i < offset_entry_count; i++) ++ { ++ dwarf_vma entry; ++ ++ SAFE_BYTE_GET_AND_INC (entry, start, 8, finish); ++ printf (_(" [%6u] 0x%s\n"), i, dwarf_vmatoa ("x", entry)); ++ } ++ } ++ else ++ { ++ for (i = 0; i < offset_entry_count; i++) ++ { ++ uint32_t entry; ++ ++ SAFE_BYTE_GET_AND_INC (entry, start, 4, finish); ++ printf (_(" [%6u] 0x%x\n"), i, entry); ++ } ++ } ++ } ++ } ++ + if (load_debug_info (file) == 0) + { + warn (_("Unable to load/parse the .debug_info section, so cannot interpret the %s section.\n"), +@@ -7834,8 +8200,7 @@ display_debug_ranges (struct dwarf_secti + warn (_("Range lists in %s section start at 0x%lx\n"), + section->name, (unsigned long) range_entries[0].ranges_offset); + +- introduce (section, false); +- ++ putchar ('\n'); + printf (_(" Offset Begin End\n")); + + for (i = 0; i < num_range_list; i++) +@@ -7895,8 +8260,12 @@ display_debug_ranges (struct dwarf_secti + start = next; + last_start = next; + +- (is_rnglists ? 
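Review bot: Both new offset-table loops run `offset_entry_count` times, and that count is a 4-byte value read from the section header that nothing in this hunk compares with the bytes remaining before `finish`. If SAFE_BYTE_GET_AND_INC only clamps reads at `finish` (its definition is not visible here), a malformed .debug_rnglists header can make the tool print up to 2^32 meaningless entries. I would reject the table before the loops with `if (offset_entry_count > (size_t) (finish - start) / offset_size)`, followed by a `warn` and `return 0`, matching the other header checks. The same unchecked count drives the loops in display_offset_entry_loclists earlier in this patch, whose start is outside this view.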
display_debug_rnglists_list : display_debug_ranges_list) +- (start, finish, pointer_size, offset, base_address); ++ if (is_rnglists) ++ display_debug_rnglists_list ++ (start, finish, pointer_size, offset, base_address); ++ else ++ display_debug_ranges_list ++ (start, finish, pointer_size, offset, base_address); + } + putchar ('\n'); + +diff --git a/binutils/dwarf.h b/binutils/dwarf.h +index 4fc62abfa4c..ccce2461c81 100644 +--- a/binutils/dwarf.h ++++ b/binutils/dwarf.h +@@ -181,9 +181,13 @@ typedef struct + /* This is an array of offsets to the location view table. */ + dwarf_vma * loc_views; + int * have_frame_base; ++ ++ /* Information for associating location lists with CUs. */ + unsigned int num_loc_offsets; + unsigned int max_loc_offsets; + unsigned int num_loc_views; ++ dwarf_vma loclists_base; ++ + /* List of .debug_ranges offsets seen in this .debug_info. */ + dwarf_vma * range_lists; + unsigned int num_range_lists; +diff --git a/binutils/testsuite/binutils-all/dw5.W b/binutils/testsuite/binutils-all/dw5.W +index ebab8b7d3b0..bfcdac175ba 100644 +--- a/binutils/testsuite/binutils-all/dw5.W ++++ b/binutils/testsuite/binutils-all/dw5.W +@@ -281,7 +281,7 @@ Contents of the .debug_loclists section: + 00000039 <End of list> + + Contents of the .debug_rnglists section: +- ++#... 
+ Offset Begin End + 0000000c 0000000000001234 0000000000001236 + 00000016 0000000000001234 0000000000001239 +diff --git a/binutils/testsuite/binutils-all/x86-64/pr26808.dump b/binutils/testsuite/binutils-all/x86-64/pr26808.dump +index f64f9d008f9..7ef73b24dc9 100644 +--- a/binutils/testsuite/binutils-all/x86-64/pr26808.dump ++++ b/binutils/testsuite/binutils-all/x86-64/pr26808.dump +@@ -30,13 +30,13 @@ Contents of the .debug_info.dwo section: + <a5> DW_AT_decl_file : 1 + <a6> DW_AT_decl_line : 30 + <a7> DW_AT_type : <0x90> +- <ab> DW_AT_low_pc : (addr_index: 0x0): <no .debug_addr section> ++ <ab> DW_AT_low_pc : (addr_index: 0x0): 0 + <ac> DW_AT_high_pc : 0x304 + <b4> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <b6> DW_AT_GNU_all_tail_call_sites: 1 + <b6> DW_AT_sibling : <0x11b> + <2><ba>: Abbrev Number: 14 (DW_TAG_lexical_block) +- <bb> DW_AT_low_pc : (addr_index: 0x1): <no .debug_addr section> ++ <bb> DW_AT_low_pc : (addr_index: 0x1): 0 + <bc> DW_AT_high_pc : 0x2fa + <3><c4>: Abbrev Number: 15 (DW_TAG_variable) + <c5> DW_AT_name : c1 +@@ -56,7 +56,7 @@ Contents of the .debug_info.dwo section: + <ff> DW_AT_artificial : 1 + <ff> DW_AT_location : 2 byte block: fb 2 (DW_OP_GNU_addr_index <0x2>) + <3><102>: Abbrev Number: 14 (DW_TAG_lexical_block) +- <103> DW_AT_low_pc : (addr_index: 0x3): <no .debug_addr section> ++ <103> DW_AT_low_pc : (addr_index: 0x3): 0 + <104> DW_AT_high_pc : 0x2f + <4><10c>: Abbrev Number: 17 (DW_TAG_variable) + <10d> DW_AT_name : i +@@ -274,7 +274,7 @@ Contents of the .debug_info.dwo section: + <2dd> DW_AT_decl_file : 1 + <2de> DW_AT_decl_line : 70 + <2df> DW_AT_linkage_name: _Z4f13iv +- <2e8> DW_AT_low_pc : (addr_index: 0x0): <no .debug_addr section> ++ <2e8> DW_AT_low_pc : (addr_index: 0x0): 0 + <2e9> DW_AT_high_pc : 0x6 + <2f1> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <2f3> DW_AT_GNU_all_call_sites: 1 +@@ -282,7 +282,7 @@ Contents of the .debug_info.dwo section: + <2f4> DW_AT_specification: <0x219> + 
<2f8> DW_AT_decl_file : 2 + <2f9> DW_AT_decl_line : 30 +- <2fa> DW_AT_low_pc : (addr_index: 0x1): <no .debug_addr section> ++ <2fa> DW_AT_low_pc : (addr_index: 0x1): 0 + <2fb> DW_AT_high_pc : 0x20 + <303> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <305> DW_AT_object_pointer: <0x30d> +@@ -300,7 +300,7 @@ Contents of the .debug_info.dwo section: + <31d> DW_AT_specification: <0x223> + <321> DW_AT_decl_file : 2 + <322> DW_AT_decl_line : 38 +- <323> DW_AT_low_pc : (addr_index: 0x2): <no .debug_addr section> ++ <323> DW_AT_low_pc : (addr_index: 0x2): 0 + <324> DW_AT_high_pc : 0x18 + <32c> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <32e> DW_AT_object_pointer: <0x336> +@@ -316,7 +316,7 @@ Contents of the .debug_info.dwo section: + <341> DW_AT_specification: <0x22d> + <345> DW_AT_decl_file : 2 + <346> DW_AT_decl_line : 46 +- <347> DW_AT_low_pc : (addr_index: 0x3): <no .debug_addr section> ++ <347> DW_AT_low_pc : (addr_index: 0x3): 0 + <348> DW_AT_high_pc : 0x18 + <350> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <352> DW_AT_object_pointer: <0x35a> +@@ -332,7 +332,7 @@ Contents of the .debug_info.dwo section: + <365> DW_AT_specification: <0x237> + <369> DW_AT_decl_file : 2 + <36a> DW_AT_decl_line : 54 +- <36b> DW_AT_low_pc : (addr_index: 0x4): <no .debug_addr section> ++ <36b> DW_AT_low_pc : (addr_index: 0x4): 0 + <36c> DW_AT_high_pc : 0x16 + <374> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <376> DW_AT_object_pointer: <0x37e> +@@ -348,7 +348,7 @@ Contents of the .debug_info.dwo section: + <389> DW_AT_specification: <0x26b> + <38d> DW_AT_decl_file : 2 + <38e> DW_AT_decl_line : 62 +- <38f> DW_AT_low_pc : (addr_index: 0x5): <no .debug_addr section> ++ <38f> DW_AT_low_pc : (addr_index: 0x5): 0 + <390> DW_AT_high_pc : 0x16 + <398> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <39a> DW_AT_object_pointer: <0x3a2> +@@ -366,7 +366,7 @@ Contents of the .debug_info.dwo section: + <3b2> 
DW_AT_specification: <0x275> + <3b6> DW_AT_decl_file : 2 + <3b7> DW_AT_decl_line : 72 +- <3b8> DW_AT_low_pc : (addr_index: 0x6): <no .debug_addr section> ++ <3b8> DW_AT_low_pc : (addr_index: 0x6): 0 + <3b9> DW_AT_high_pc : 0x1b + <3c1> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <3c3> DW_AT_object_pointer: <0x3cb> +@@ -382,7 +382,7 @@ Contents of the .debug_info.dwo section: + <3d6> DW_AT_specification: <0x27f> + <3da> DW_AT_decl_file : 2 + <3db> DW_AT_decl_line : 82 +- <3dc> DW_AT_low_pc : (addr_index: 0x7): <no .debug_addr section> ++ <3dc> DW_AT_low_pc : (addr_index: 0x7): 0 + <3dd> DW_AT_high_pc : 0x1b + <3e5> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <3e7> DW_AT_object_pointer: <0x3ef> +@@ -398,7 +398,7 @@ Contents of the .debug_info.dwo section: + <3fa> DW_AT_specification: <0x289> + <3fe> DW_AT_decl_file : 2 + <3ff> DW_AT_decl_line : 92 +- <400> DW_AT_low_pc : (addr_index: 0x8): <no .debug_addr section> ++ <400> DW_AT_low_pc : (addr_index: 0x8): 0 + <401> DW_AT_high_pc : 0x19 + <409> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <40b> DW_AT_object_pointer: <0x413> +@@ -414,7 +414,7 @@ Contents of the .debug_info.dwo section: + <41e> DW_AT_specification: <0x2ae> + <422> DW_AT_decl_file : 2 + <423> DW_AT_decl_line : 102 +- <424> DW_AT_low_pc : (addr_index: 0x9): <no .debug_addr section> ++ <424> DW_AT_low_pc : (addr_index: 0x9): 0 + <425> DW_AT_high_pc : 0x19 + <42d> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <42f> DW_AT_object_pointer: <0x437> +@@ -432,7 +432,7 @@ Contents of the .debug_info.dwo section: + <447> DW_AT_specification: <0x2b8> + <44b> DW_AT_decl_file : 2 + <44c> DW_AT_decl_line : 112 +- <44d> DW_AT_low_pc : (addr_index: 0xa): <no .debug_addr section> ++ <44d> DW_AT_low_pc : (addr_index: 0xa): 0 + <44e> DW_AT_high_pc : 0x1f + <456> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <458> DW_AT_object_pointer: <0x460> +@@ -451,7 +451,7 @@ Contents of the .debug_info.dwo 
section: + <471> DW_AT_decl_line : 120 + <472> DW_AT_linkage_name: _Z4f11av + <47b> DW_AT_type : <0x242> +- <47f> DW_AT_low_pc : (addr_index: 0xb): <no .debug_addr section> ++ <47f> DW_AT_low_pc : (addr_index: 0xb): 0 + <480> DW_AT_high_pc : 0xb + <488> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <48a> DW_AT_GNU_all_call_sites: 1 +@@ -459,7 +459,7 @@ Contents of the .debug_info.dwo section: + <48b> DW_AT_specification: <0x2c2> + <48f> DW_AT_decl_file : 2 + <490> DW_AT_decl_line : 126 +- <491> DW_AT_low_pc : (addr_index: 0xc): <no .debug_addr section> ++ <491> DW_AT_low_pc : (addr_index: 0xc): 0 + <492> DW_AT_high_pc : 0x20 + <49a> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <49c> DW_AT_object_pointer: <0x4a4> +@@ -478,7 +478,7 @@ Contents of the .debug_info.dwo section: + <4b4> DW_AT_decl_line : 134 + <4b5> DW_AT_linkage_name: _Z3t12v + <4bd> DW_AT_type : <0x249> +- <4c1> DW_AT_low_pc : (addr_index: 0xd): <no .debug_addr section> ++ <4c1> DW_AT_low_pc : (addr_index: 0xd): 0 + <4c2> DW_AT_high_pc : 0x19 + <4ca> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <4cc> DW_AT_GNU_all_tail_call_sites: 1 +@@ -489,7 +489,7 @@ Contents of the .debug_info.dwo section: + <4d2> DW_AT_decl_line : 142 + <4d3> DW_AT_linkage_name: _Z3t13v + <4db> DW_AT_type : <0x249> +- <4df> DW_AT_low_pc : (addr_index: 0xe): <no .debug_addr section> ++ <4df> DW_AT_low_pc : (addr_index: 0xe): 0 + <4e0> DW_AT_high_pc : 0x14 + <4e8> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <4ea> DW_AT_GNU_all_tail_call_sites: 1 +@@ -500,13 +500,13 @@ Contents of the .debug_info.dwo section: + <4f0> DW_AT_decl_line : 150 + <4f1> DW_AT_linkage_name: _Z3t14v + <4f9> DW_AT_type : <0x249> +- <4fd> DW_AT_low_pc : (addr_index: 0xf): <no .debug_addr section> ++ <4fd> DW_AT_low_pc : (addr_index: 0xf): 0 + <4fe> DW_AT_high_pc : 0x61 + <506> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <508> DW_AT_GNU_all_tail_call_sites: 1 + <508> DW_AT_sibling : 
<0x532> + <2><50c>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <50d> DW_AT_low_pc : (addr_index: 0x10): <no .debug_addr section> ++ <50d> DW_AT_low_pc : (addr_index: 0x10): 0 + <50e> DW_AT_high_pc : 0x57 + <3><516>: Abbrev Number: 25 (DW_TAG_variable) + <517> DW_AT_name : s1 +@@ -538,13 +538,13 @@ Contents of the .debug_info.dwo section: + <54b> DW_AT_decl_line : 163 + <54c> DW_AT_linkage_name: _Z3t15v + <554> DW_AT_type : <0x249> +- <558> DW_AT_low_pc : (addr_index: 0x11): <no .debug_addr section> ++ <558> DW_AT_low_pc : (addr_index: 0x11): 0 + <559> DW_AT_high_pc : 0x5d + <561> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <563> DW_AT_GNU_all_tail_call_sites: 1 + <563> DW_AT_sibling : <0x58d> + <2><567>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <568> DW_AT_low_pc : (addr_index: 0x12): <no .debug_addr section> ++ <568> DW_AT_low_pc : (addr_index: 0x12): 0 + <569> DW_AT_high_pc : 0x53 + <3><571>: Abbrev Number: 25 (DW_TAG_variable) + <572> DW_AT_name : s1 +@@ -576,7 +576,7 @@ Contents of the .debug_info.dwo section: + <5a9> DW_AT_decl_line : 176 + <5aa> DW_AT_linkage_name: _Z3t16v + <5b2> DW_AT_type : <0x249> +- <5b6> DW_AT_low_pc : (addr_index: 0x13): <no .debug_addr section> ++ <5b6> DW_AT_low_pc : (addr_index: 0x13): 0 + <5b7> DW_AT_high_pc : 0x13 + <5bf> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <5c1> DW_AT_GNU_all_tail_call_sites: 1 +@@ -587,13 +587,13 @@ Contents of the .debug_info.dwo section: + <5c7> DW_AT_decl_line : 184 + <5c8> DW_AT_linkage_name: _Z3t17v + <5d0> DW_AT_type : <0x249> +- <5d4> DW_AT_low_pc : (addr_index: 0x14): <no .debug_addr section> ++ <5d4> DW_AT_low_pc : (addr_index: 0x14): 0 + <5d5> DW_AT_high_pc : 0x5f + <5dd> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <5df> DW_AT_GNU_all_call_sites: 1 + <5df> DW_AT_sibling : <0x612> + <2><5e3>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <5e4> DW_AT_low_pc : (addr_index: 0x15): <no .debug_addr section> ++ <5e4> DW_AT_low_pc : (addr_index: 
0x15): 0 + <5e5> DW_AT_high_pc : 0x59 + <3><5ed>: Abbrev Number: 25 (DW_TAG_variable) + <5ee> DW_AT_name : c +@@ -602,7 +602,7 @@ Contents of the .debug_info.dwo section: + <5f2> DW_AT_type : <0x53d> + <5f6> DW_AT_location : 2 byte block: 91 6f (DW_OP_fbreg: -17) + <3><5f9>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <5fa> DW_AT_low_pc : (addr_index: 0x16): <no .debug_addr section> ++ <5fa> DW_AT_low_pc : (addr_index: 0x16): 0 + <5fb> DW_AT_high_pc : 0x50 + <4><603>: Abbrev Number: 25 (DW_TAG_variable) + <604> DW_AT_name : i +@@ -620,13 +620,13 @@ Contents of the .debug_info.dwo section: + <618> DW_AT_decl_line : 199 + <619> DW_AT_linkage_name: _Z3t18v + <621> DW_AT_type : <0x249> +- <625> DW_AT_low_pc : (addr_index: 0x17): <no .debug_addr section> ++ <625> DW_AT_ow_pc : (addr_index: 0x17): 0 + <626> DW_AT_high_pc : 0x5f + <62e> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <630> DW_AT_GNU_all_tail_call_sites: 1 + <630> DW_AT_sibling : <0x67a> + <2><634>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <635> DW_AT_low_pc : (addr_index: 0x18): <no .debug_addr section> ++ <635> DW_AT_low_pc : (addr_index: 0x18): 0 + <636> DW_AT_high_pc : 0x55 + <3><63e>: Abbrev Number: 25 (DW_TAG_variable) + <63f> DW_AT_name : c +@@ -635,7 +635,7 @@ Contents of the .debug_info.dwo section: + <643> DW_AT_type : <0x53d> + <647> DW_AT_location : 2 byte block: 91 6f (DW_OP_fbreg: -17) + <3><64a>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <64b> DW_AT_low_pc : (addr_index: 0x19): <no .debug_addr section> ++ <64b> DW_AT_low_pc : (addr_index: 0x19): 0 + <64c> DW_AT_high_pc : 0x4c + <4><654>: Abbrev Number: 25 (DW_TAG_variable) + <655> DW_AT_name : i +@@ -644,7 +644,7 @@ Contents of the .debug_info.dwo section: + <659> DW_AT_type : <0x242> + <65d> DW_AT_location : 2 byte block: 91 68 (DW_OP_fbreg: -24) + <4><660>: Abbrev Number: 24 (DW_TAG_lexical_block) +- <661> DW_AT_low_pc : (addr_index: 0x1a): <no .debug_addr section> ++ <661> DW_AT_low_pc : (addr_index: 0x1a): 0 + <662> 
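Review bot: The added expectation line for offset `<625>` spells the attribute `DW_AT_ow_pc`, while the line it replaces and every other changed line in this dump use `DW_AT_low_pc`. If the typo is in the patch file itself rather than in this rendering of it, the expected output will not match what readelf prints and the pr26808 test will fail. The attribute name on that line should be `DW_AT_low_pc`.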
DW_AT_high_pc : 0x34 + <5><66a>: Abbrev Number: 25 (DW_TAG_variable) + <66b> DW_AT_name : s +@@ -786,7 +786,7 @@ Contents of the .debug_info.dwo section: + <7d3> DW_AT_decl_line : 32 + <7d4> DW_AT_linkage_name: _Z4t16av + <7dd> DW_AT_type : <0x7c4> +- <7e1> DW_AT_low_pc : (addr_index: 0x0): <no .debug_addr section> ++ <7e1> DW_AT_low_pc : (addr_index: 0x0): 0 + <7e2> DW_AT_high_pc : 0x13 + <7ea> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <7ec> DW_AT_GNU_all_tail_call_sites: 1 +@@ -878,14 +878,14 @@ Contents of the .debug_info.dwo section: + <908> DW_AT_decl_file : 1 + <909> DW_AT_decl_line : 70 + <90a> DW_AT_linkage_name: _Z4f13iv +- <913> DW_AT_low_pc : (addr_index: 0x0): <no .debug_addr section> ++ <913> DW_AT_low_pc : (addr_index: 0x0): 0 + <914> DW_AT_high_pc : 0x6 + <91c> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <91e> DW_AT_GNU_all_call_sites: 1 + <1><91e>: Abbrev Number: 17 (DW_TAG_subprogram) + <91f> DW_AT_specification: <0x8a8> + <923> DW_AT_decl_file : 2 +- <924> DW_AT_low_pc : (addr_index: 0x1): <no .debug_addr section> ++ <924> DW_AT_low_pc : (addr_index: 0x1): 0 + <925> DW_AT_high_pc : 0xf + <92d> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <92f> DW_AT_object_pointer: <0x937> +@@ -903,7 +903,7 @@ Contents of the .debug_info.dwo section: + <94b> DW_AT_specification: <0x89b> + <94f> DW_AT_decl_file : 2 + <950> DW_AT_decl_line : 36 +- <951> DW_AT_low_pc : (addr_index: 0x2): <no .debug_addr section> ++ <951> DW_AT_low_pc : (addr_index: 0x2): 0 + <952> DW_AT_high_pc : 0x20 + <95a> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <95c> DW_AT_object_pointer: <0x964> +@@ -922,7 +922,7 @@ Contents of the .debug_info.dwo section: + <978> DW_AT_decl_line : 72 + <979> DW_AT_linkage_name: _Z3f10v + <981> DW_AT_type : <0x8b7> +- <985> DW_AT_low_pc : (addr_index: 0x3): <no .debug_addr section> ++ <985> DW_AT_low_pc : (addr_index: 0x3): 0 + <986> DW_AT_high_pc : 0xb + <98e> DW_AT_frame_base : 1 byte 
block: 9c (DW_OP_call_frame_cfa) + <990> DW_AT_GNU_all_call_sites: 1 +@@ -933,7 +933,7 @@ Contents of the .debug_info.dwo section: + <997> DW_AT_decl_line : 80 + <998> DW_AT_linkage_name: _Z4f11bPFivE + <9a5> DW_AT_type : <0x8b7> +- <9a9> DW_AT_low_pc : (addr_index: 0x4): <no .debug_addr section> ++ <9a9> DW_AT_low_pc : (addr_index: 0x4): 0 + <9aa> DW_AT_high_pc : 0x14 + <9b2> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <9b4> DW_AT_GNU_all_tail_call_sites: 1 +@@ -954,7 +954,7 @@ Contents of the .debug_info.dwo section: + <9d3> DW_AT_specification: <0x8e0> + <9d7> DW_AT_decl_file : 2 + <9d8> DW_AT_decl_line : 88 +- <9d9> DW_AT_low_pc : (addr_index: 0x5): <no .debug_addr section> ++ <9d9> DW_AT_low_pc : (addr_index: 0x5): 0 + <9da> DW_AT_high_pc : 0xf + <9e2> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <9e4> DW_AT_object_pointer: <0x9ec> +@@ -976,7 +976,7 @@ Contents of the .debug_info.dwo section: + <a06> DW_AT_decl_line : 96 + <a07> DW_AT_linkage_name: _Z3f13v + <a0f> DW_AT_type : <0xa1e> +- <a13> DW_AT_low_pc : (addr_index: 0x6): <no .debug_addr section> ++ <a13> DW_AT_low_pc : (addr_index: 0x6): 0 + <a14> DW_AT_high_pc : 0xb + <a1c> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <a1e> DW_AT_GNU_all_call_sites: 1 +@@ -990,7 +990,7 @@ Contents of the .debug_info.dwo section: + <a2a> DW_AT_decl_line : 104 + <a2b> DW_AT_linkage_name: _Z3f14v + <a33> DW_AT_type : <0xa42> +- <a37> DW_AT_low_pc : (addr_index: 0x7): <no .debug_addr section> ++ <a37> DW_AT_low_pc : (addr_index: 0x7): 0 + <a38> DW_AT_high_pc : 0xb + <a40> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <a42> DW_AT_GNU_all_call_sites: 1 +@@ -1010,7 +1010,7 @@ Contents of the .debug_info.dwo section: + <a5b> DW_AT_decl_line : 112 + <a5c> DW_AT_linkage_name: _Z3f15v + <a64> DW_AT_type : <0xa73> +- <a68> DW_AT_low_pc : (addr_index: 0x8): <no .debug_addr section> ++ <a68> DW_AT_low_pc : (addr_index: 0x8): 0 + <a69> DW_AT_high_pc : 0xb + <a71> 
DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <a73> DW_AT_GNU_all_call_sites: 1 +@@ -1030,7 +1030,7 @@ Contents of the .debug_info.dwo section: + <a8f> DW_AT_decl_line : 127 + <a90> DW_AT_linkage_name: _Z3f18i + <a98> DW_AT_type : <0xa42> +- <a9c> DW_AT_low_pc : (addr_index: 0x9): <no .debug_addr section> ++ <a9c> DW_AT_low_pc : (addr_index: 0x9): 0 + <a9d> DW_AT_high_pc : 0x44 + <aa5> DW_AT_frame_base : 1 byte block: 9c (DW_OP_call_frame_cfa) + <aa7> DW_AT_GNU_all_call_sites: 1 diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-2.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-2.patch new file mode 100644 index 0000000000..0583bfcfab --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-2.patch 
@@ -0,0 +1,188 @@ +From ec41dd75c866599fc03c390c6afb5736c159c0ff Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 21 Jun 2022 16:37:27 +0100 +Subject: [PATCH] Binutils support for dwarf-5 (location and range lists + related) + + * dwarf.h (struct debug_info): Add rnglists_base field. + * dwarf.c (read_and_display_attr_value): Read attribute DW_AT_rnglists_base. + (display_debug_rnglists_list): While handling DW_RLE_base_addressx, + DW_RLE_startx_endx, DW_RLE_startx_length items, pass the proper parameter + value to fetch_indexed_addr(), i.e. fetch the proper entry in .debug_addr section. + (display_debug_ranges): Add rnglists_base to the .debug_rnglists base address. + (load_separate_debug_files): Load .debug_addr section, if exists. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ec41dd75c866599fc03c390c6afb5736c159c0ff] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/ChangeLog | 10 +++++++++ + binutils/dwarf.c | 53 ++++++++++++++++++++++++++++++++++------------ + binutils/dwarf.h | 1 + + 3 files changed, 51 insertions(+), 13 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index cb2523af1f3..30b64ac68a8 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -2812,7 +2812,12 @@ read_and_display_attr_value (unsigned lo + dwarf_vmatoa ("x", debug_info_p->cu_offset)); + debug_info_p->loclists_base = uvalue; + break; +- ++ case DW_AT_rnglists_base: ++ if (debug_info_p->rnglists_base) ++ warn (_("CU @ 0x%s has multiple rnglists_base values"), ++ dwarf_vmatoa ("x", debug_info_p->cu_offset)); ++ debug_info_p->rnglists_base = uvalue; ++ break; + case DW_AT_frame_base: + have_frame_base = 1; + /* Fall through. */ +@@ -3303,6 +3308,7 @@ read_and_display_attr_value (unsigned lo + /* Fall through. 
*/ + case DW_AT_location: + case DW_AT_loclists_base: ++ case DW_AT_rnglists_base: + case DW_AT_string_length: + case DW_AT_return_addr: + case DW_AT_data_member_location: +@@ -3322,7 +3328,10 @@ read_and_display_attr_value (unsigned lo + && (form == DW_FORM_data4 || form == DW_FORM_data8)) + || form == DW_FORM_sec_offset + || form == DW_FORM_loclistx) +- printf (_(" (location list)")); ++ { ++ if (attribute != DW_AT_rnglists_base) ++ printf (_(" (location list)")); ++ } + /* Fall through. */ + case DW_AT_allocated: + case DW_AT_associated: +@@ -3809,6 +3818,7 @@ process_debug_info (struct dwarf_section + debug_information [unit].range_lists = NULL; + debug_information [unit].max_range_lists= 0; + debug_information [unit].num_range_lists = 0; ++ debug_information [unit].rnglists_base = 0; + } + + if (!do_loc && dwarf_start_die == 0) +@@ -7932,9 +7942,16 @@ display_debug_rnglists_list (unsigned ch + unsigned char * finish, + unsigned int pointer_size, + dwarf_vma offset, +- dwarf_vma base_address) ++ dwarf_vma base_address, ++ unsigned int offset_size) + { + unsigned char *next = start; ++ unsigned int debug_addr_section_hdr_len; ++ ++ if (offset_size == 4) ++ debug_addr_section_hdr_len = 8; ++ else ++ debug_addr_section_hdr_len = 16; + + while (1) + { +@@ -7964,20 +7981,24 @@ display_debug_rnglists_list (unsigned ch + READ_ULEB (base_address, start, finish); + print_dwarf_vma (base_address, pointer_size); + printf (_("(base address index) ")); +- base_address = fetch_indexed_addr (base_address, pointer_size); ++ base_address = fetch_indexed_addr ((base_address * pointer_size) ++ + debug_addr_section_hdr_len, pointer_size); + print_dwarf_vma (base_address, pointer_size); + printf (_("(base address)\n")); + break; + case DW_RLE_startx_endx: + READ_ULEB (begin, start, finish); + READ_ULEB (end, start, finish); +- begin = fetch_indexed_addr (begin, pointer_size); +- end = fetch_indexed_addr (begin, pointer_size); ++ begin = fetch_indexed_addr ((begin * pointer_size) ++ 
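Review bot: `debug_addr_section_hdr_len` is set to 8 or 16 with no comment saying what those numbers are, and the three `fetch_indexed_addr` calls in the next hunk depend on them being right. A comment above the `if` would help, for example `/* Size of the .debug_addr header: unit_length (4 or 12 bytes), version (2), address_size (1), segment_selector_size (1).  */`. The computation also assumes the indexed entries belong to the first table in .debug_addr. The CU's DW_AT_addr_base is not consulted anywhere in this hunk, which looks like it would give wrong addresses when several CUs contribute tables, so this is worth confirming against the caller. The body of display_debug_rnglists_list continues outside the hunk.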
+ debug_addr_section_hdr_len, pointer_size); ++ end = fetch_indexed_addr ((begin * pointer_size) ++ + debug_addr_section_hdr_len, pointer_size); + break; + case DW_RLE_startx_length: + READ_ULEB (begin, start, finish); + READ_ULEB (length, start, finish); +- begin = fetch_indexed_addr (begin, pointer_size); ++ begin = fetch_indexed_addr ((begin * pointer_size) ++ + debug_addr_section_hdr_len, pointer_size); + end = begin + length; + break; + case DW_RLE_offset_pair: +@@ -8003,6 +8024,7 @@ display_debug_rnglists_list (unsigned ch + rlet = DW_RLE_end_of_list; + break; + } ++ + if (rlet == DW_RLE_end_of_list) + break; + if (rlet == DW_RLE_base_address || rlet == DW_RLE_base_addressx) +@@ -8043,6 +8065,7 @@ display_debug_ranges (struct dwarf_secti + /* Initialize it due to a false compiler warning. */ + unsigned char address_size = 0; + dwarf_vma last_offset = 0; ++ unsigned int offset_size = 0; + + if (bytes == 0) + { +@@ -8054,10 +8077,10 @@ display_debug_ranges (struct dwarf_secti + + if (is_rnglists) + { +- dwarf_vma initial_length; +- unsigned char segment_selector_size; +- unsigned int offset_size, offset_entry_count; +- unsigned short version; ++ dwarf_vma initial_length; ++ unsigned char segment_selector_size; ++ unsigned int offset_entry_count; ++ unsigned short version; + + /* Get and check the length of the block. 
*/ + SAFE_BYTE_GET_AND_INC (initial_length, start, 4, finish); +@@ -8230,7 +8253,8 @@ display_debug_ranges (struct dwarf_secti + (unsigned long) offset, i); + continue; + } +- next = section_begin + offset; ++ ++ next = section_begin + offset + debug_info_p->rnglists_base; + + /* If multiple DWARF entities reference the same range then we will + have multiple entries in the `range_entries' list for the same +@@ -8262,7 +8286,7 @@ display_debug_ranges (struct dwarf_secti + + if (is_rnglists) + display_debug_rnglists_list +- (start, finish, pointer_size, offset, base_address); ++ (start, finish, pointer_size, offset, base_address, offset_size); + else + display_debug_ranges_list + (start, finish, pointer_size, offset, base_address); +@@ -11911,6 +11935,9 @@ load_separate_debug_files (void * file, + && load_debug_section (abbrev, file) + && load_debug_section (info, file)) + { ++ /* Load the .debug_addr section, if it exists. */ ++ load_debug_section (debug_addr, file); ++ + free_dwo_info (); + + if (process_debug_info (& debug_displays[info].section, file, abbrev, +diff --git a/binutils/dwarf.h b/binutils/dwarf.h +index 040e674c6ce..8a89c08e7c2 100644 +--- a/binutils/dwarf.h ++++ b/binutils/dwarf.h +@@ -192,6 +192,7 @@ typedef struct + dwarf_vma * range_lists; + unsigned int num_range_lists; + unsigned int max_range_lists; ++ dwarf_vma rnglists_base; + } + debug_info; + diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-3.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-3.patch new file mode 100644 index 0000000000..56331b1128 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-3.patch 
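Review bot: `next = section_begin + offset + debug_info_p->rnglists_base;` adds a value taken from a DW_AT_rnglists_base attribute of the file being dumped, and it does so after the range check whose tail (`continue;`) is visible in the context lines above. That check appears to cover `offset` alone, so with a malformed CU the sum can point outside the section before it is passed to the list printer. The sum should be validated again after the addition, e.g. `if (next < section_begin || next >= finish)` with a `warn` and `continue`. The loop this statement sits in starts and ends outside the hunk.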
@@ -0,0 +1,211 @@
+From f18acc9c4e5d18f4783f3a7d59e3ec95d7af0199 Mon Sep 17 00:00:00 2001
+From: "Kumar N, Bhuvanendra" <Kavitha.Natarajan@amd.com>
+Date: Wed, 22 Jun 2022 17:07:25 +0100
+Subject: [PATCH] Binutils support for split-dwarf and dwarf-5
+
+ * dwarf.c (fetch_indexed_string): Added new parameter
+ str_offsets_base to calculate the string offset.
+ (read_and_display_attr_value): Read DW_AT_str_offsets_base
+ attribute.
+ (process_debug_info): While allocating memory and initializing
+ debug_information, do it for do_debug_info also, if its true.
+ (load_separate_debug_files): Load .debug_str_offsets if exists.
+ * dwarf.h (struct debug_info): Add str_offsets_base field.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f18acc9c4e5d18f4783f3a7d59e3ec95d7af0199]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/ChangeLog | 13 ++++++++++-
+ binutils/dwarf.c | 57 ++++++++++++++++++++++++++++++++++------------
+ binutils/dwarf.h | 1 +
+ 3 files changed, 56 insertions(+), 15 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index f9c46cf54dd..d9a3144023c 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -687,8 +687,11 @@ fetch_indirect_line_string (dwarf_vma of
+ }
+
+ static const char *
+-fetch_indexed_string (dwarf_vma idx, struct cu_tu_set *this_set,
+- dwarf_vma offset_size, bool dwo)
++fetch_indexed_string (dwarf_vma idx,
++ struct cu_tu_set * this_set,
++ dwarf_vma offset_size,
++ bool dwo,
++ dwarf_vma str_offsets_base)
+ {
+ enum dwarf_section_display_enum str_sec_idx = dwo ? str_dwo : str;
+ enum dwarf_section_display_enum idx_sec_idx = dwo ? str_index_dwo : str_index;
+@@ -776,7 +779,15 @@ fetch_indexed_string (dwarf_vma idx, str
+ return _("<index offset is too big>");
+ }
+
+- str_offset = byte_get (curr + index_offset, offset_size);
++ if (str_offsets_base > 0)
++ {
++ if (offset_size == 8)
++ str_offsets_base -= 16;
++ else
++ str_offsets_base -= 8;
++ }
++
++ str_offset = byte_get (curr + index_offset + str_offsets_base, offset_size);
+ str_offset -= str_section->address;
+ if (str_offset >= str_section->size)
+ {
+@@ -2721,11 +2732,13 @@ read_and_display_attr_value (unsigned lo
+ /* We have already displayed the form name. */
+ printf (_("%c(offset: 0x%s): %s"), delimiter,
+ dwarf_vmatoa ("x", uvalue),
+- fetch_indexed_string (uvalue, this_set, offset_size, dwo));
++ fetch_indexed_string (uvalue, this_set, offset_size, dwo,
++ debug_info_p->str_offsets_base));
+ else
+ printf (_("%c(indexed string: 0x%s): %s"), delimiter,
+ dwarf_vmatoa ("x", uvalue),
+- fetch_indexed_string (uvalue, this_set, offset_size, dwo));
++ fetch_indexed_string (uvalue, this_set, offset_size, dwo,
++ debug_info_p->str_offsets_base));
+ }
+ break;
+
+@@ -2800,7 +2813,7 @@ read_and_display_attr_value (unsigned lo
+ break;
+ }
+
+- if ((do_loc || do_debug_loc || do_debug_ranges)
++ if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+ && num_debug_info_entries == 0
+ && debug_info_p != NULL)
+ {
+@@ -2818,6 +2831,13 @@ read_and_display_attr_value (unsigned lo
+ dwarf_vmatoa ("x", debug_info_p->cu_offset));
+ debug_info_p->rnglists_base = uvalue;
+ break;
++ case DW_AT_str_offsets_base:
++ if (debug_info_p->str_offsets_base)
++ warn (_("CU @ 0x%s has multiple str_offsets_base values"),
++ dwarf_vmatoa ("x", debug_info_p->cu_offset));
++ debug_info_p->str_offsets_base = uvalue;
++ break;
++
+ case DW_AT_frame_base:
+ have_frame_base = 1;
+ /* Fall through. */
+@@ -2956,7 +2976,9 @@ read_and_display_attr_value (unsigned lo
+ case DW_FORM_strx2:
+ case DW_FORM_strx3:
+ case DW_FORM_strx4:
+- add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false), cu_offset);
++ add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false,
++ debug_info_p->str_offsets_base),
++ cu_offset);
+ break;
+ case DW_FORM_string:
+ add_dwo_name ((const char *) orig_data, cu_offset);
+@@ -2988,7 +3010,9 @@ read_and_display_attr_value (unsigned lo
+ case DW_FORM_strx2:
+ case DW_FORM_strx3:
+ case DW_FORM_strx4:
+- add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false), cu_offset);
++ add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false,
++ debug_info_p->str_offsets_base),
++ cu_offset);
+ break;
+ case DW_FORM_string:
+ add_dwo_dir ((const char *) orig_data, cu_offset);
+@@ -3309,6 +3333,7 @@ read_and_display_attr_value (unsigned lo
+ case DW_AT_location:
+ case DW_AT_loclists_base:
+ case DW_AT_rnglists_base:
++ case DW_AT_str_offsets_base:
+ case DW_AT_string_length:
+ case DW_AT_return_addr:
+ case DW_AT_data_member_location:
+@@ -3329,7 +3354,8 @@ read_and_display_attr_value (unsigned lo
+ || form == DW_FORM_sec_offset
+ || form == DW_FORM_loclistx)
+ {
+- if (attribute != DW_AT_rnglists_base)
++ if (attribute != DW_AT_rnglists_base
++ && attribute != DW_AT_str_offsets_base)
+ printf (_(" (location list)"));
+ }
+ /* Fall through. */
+@@ -3562,7 +3588,7 @@ process_debug_info (struct dwarf_section
+ return false;
+ }
+
+- if ((do_loc || do_debug_loc || do_debug_ranges)
++ if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+ && num_debug_info_entries == 0
+ && ! do_types)
+ {
+@@ -3797,7 +3823,7 @@ process_debug_info (struct dwarf_section
+ continue;
+ }
+
+- if ((do_loc || do_debug_loc || do_debug_ranges)
++ if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+ && num_debug_info_entries == 0
+ && alloc_num_debug_info_entries > unit
+ && ! do_types)
+@@ -3819,6 +3845,7 @@ process_debug_info (struct dwarf_section
+ debug_information [unit].max_range_lists= 0;
+ debug_information [unit].num_range_lists = 0;
+ debug_information [unit].rnglists_base = 0;
++ debug_information [unit].str_offsets_base = 0;
+ }
+
+ if (!do_loc && dwarf_start_die == 0)
+@@ -4089,7 +4116,7 @@ process_debug_info (struct dwarf_section
+
+ /* Set num_debug_info_entries here so that it can be used to check if
+ we need to process .debug_loc and .debug_ranges sections. */
+- if ((do_loc || do_debug_loc || do_debug_ranges)
++ if ((do_loc || do_debug_loc || do_debug_ranges || do_debug_info)
+ && num_debug_info_entries == 0
+ && ! do_types)
+ {
+@@ -6237,7 +6264,7 @@ display_debug_macro (struct dwarf_sectio
+ READ_ULEB (lineno, curr, end);
+ READ_ULEB (offset, curr, end);
+ string = (const unsigned char *)
+- fetch_indexed_string (offset, NULL, offset_size, false);
++ fetch_indexed_string (offset, NULL, offset_size, false, 0);
+ if (op == DW_MACRO_define_strx)
+ printf (" DW_MACRO_define_strx ");
+ else
+@@ -7851,7 +7878,7 @@ display_debug_str_offsets (struct dwarf_
+ SAFE_BYTE_GET_AND_INC (offset, curr, entry_length, entries_end);
+ if (dwo)
+ string = (const unsigned char *)
+- fetch_indexed_string (idx, NULL, entry_length, dwo);
++ fetch_indexed_string (idx, NULL, entry_length, dwo, 0);
+ else
+ string = fetch_indirect_string (offset);
+
+@@ -11937,6 +11964,8 @@ load_separate_debug_files (void * file,
+ {
+ /* Load the .debug_addr section, if it exists. */
+ load_debug_section (debug_addr, file);
++ /* Load the .debug_str_offsets section, if it exists. */
++ load_debug_section (str_index, file);
+
+ free_dwo_info ();
+
+diff --git a/binutils/dwarf.h b/binutils/dwarf.h
+index 8a89c08e7c2..adbf20f9a28 100644
+--- a/binutils/dwarf.h
++++ b/binutils/dwarf.h
+@@ -193,6 +193,7 @@ typedef struct
+ unsigned int num_range_lists;
+ unsigned int max_range_lists;
+ dwarf_vma rnglists_base;
++ dwarf_vma str_offsets_base;
+ }
+ debug_info;
+
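Review bot: In the `@@ -776,7 +779,15 @@` hunk of this backport, `str_offsets_base` is added to the read address only after the `<index offset is too big>` range check in the context lines, so `byte_get (curr + index_offset + str_offsets_base, offset_size)` is not covered by that check when a malformed file carries a large DW_AT_str_offsets_base. The header adjustment `str_offsets_base -= 16` / `-= 8` also wraps for a non-zero base smaller than the header, assuming dwarf_vma is unsigned. I would reject a base below the header length and re-check the combined offset plus `offset_size` against the index section size before the read, returning the same `_("<index offset is too big>")` string. fetch_indexed_string starts and ends outside the hunk, so the variable holding that section size is not visible here.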
diff --git a/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-4.patch b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-4.patch
new file mode 100644
index 0000000000..e59b19c184
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0017-CVE-2022-38127-4.patch
@@ -0,0 +1,43 @@
+From e98e7d9a70dcc987bff0e925f20b78cd4a2979ed Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 27 Jun 2022 13:30:35 +0100
+Subject: [PATCH] Fix NULL pointer indirection when parsing corrupt DWARF data.
+
+ PR 29290
+ * dwarf.c (read_and_display_attr_value): Check that debug_info_p
+ is set before dereferencing it.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e98e7d9a70dcc987bff0e925f20b78cd4a2979ed]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/dwarf.c | 11 +++++------
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index bcabb61b871..37b477b886d 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -2727,18 +2727,17 @@ read_and_display_attr_value (unsigned lo
+ {
+ const char *suffix = strrchr (section->name, '.');
+ bool dwo = suffix && strcmp (suffix, ".dwo") == 0;
++ const char *strng;
+
++ strng = fetch_indexed_string (uvalue, this_set, offset_size, dwo,
++ debug_info_p ? debug_info_p->str_offsets_base : 0);
+ if (do_wide)
+ /* We have already displayed the form name. */
+ printf (_("%c(offset: 0x%s): %s"), delimiter,
+- dwarf_vmatoa ("x", uvalue),
+- fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+- debug_info_p->str_offsets_base));
++ dwarf_vmatoa ("x", uvalue), strng);
+ else
+ printf (_("%c(indexed string: 0x%s): %s"), delimiter,
+- dwarf_vmatoa ("x", uvalue),
+- fetch_indexed_string (uvalue, this_set, offset_size, dwo,
+- debug_info_p->str_offsets_base));
++ dwarf_vmatoa ("x", uvalue), strng);
+ }
+ break;
+
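Review bot: The `debug_info_p ? debug_info_p->str_offsets_base : 0` guard covers only the indexed-string display path in this hunk, while the `add_dwo_name` and `add_dwo_dir` calls changed by 0017-CVE-2022-38127-3.patch still pass `debug_info_p->str_offsets_base` unguarded. Whether debug_info_p can be NULL at those two call sites is not visible from either patch; if it can, they need the same conditional expression. read_and_display_attr_value starts and ends outside the hunk.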
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
new file mode 100644
index 0000000000..0a490d86b3
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
@@ -0,0 +1,350 @@ +From f07c08e115e27cddf5a0030dc6332bbee1bd9c6a Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Thu, 21 Jul 2022 08:38:14 +0930 +Subject: [PATCH] binutils/dwarf.c: abbrev caching + +I'm inclined to think that abbrev caching is counter-productive. The +time taken to search the list of abbrevs converted to internal form is +non-zero, and it's easy to decode the raw abbrevs. It's especially +silly to cache empty lists of decoded abbrevs (happens with zero +padding in .debug_abbrev), or abbrevs as they are displayed when there +is no further use of those abbrevs. This patch stops caching in those +cases. + + * dwarf.c (record_abbrev_list_for_cu): Add free_list param. + Put abbrevs on abbrev_lists here. + (new_abbrev_list): Delete function. + (process_abbrev_set): Return newly allocated list. Move + abbrev base, offset and size checking to.. + (find_and_process_abbrev_set): ..here, new function. Handle + lookup of cached abbrevs here, and calculate start and end + for process_abbrev_set. Return free_list if newly alloc'd. + (process_debug_info): Consolidate cached list lookup, new list + alloc and processing into find_and_process_abbrev_set call. + Free list when not cached. + (display_debug_abbrev): Similarly. 
+ +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f07c08e115e27cddf5a0030dc6332bbee1bd9c6a] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 208 +++++++++++++++++++++++++---------------------- + 1 file changed, 110 insertions(+), 98 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 267ed3bb382..2fc352f74c5 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -882,8 +882,15 @@ static unsigned long next_free_abbrev_m + #define ABBREV_MAP_ENTRIES_INCREMENT 8 + + static void +-record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, abbrev_list * list) ++record_abbrev_list_for_cu (dwarf_vma start, dwarf_vma end, ++ abbrev_list *list, abbrev_list *free_list) + { ++ if (free_list != NULL) ++ { ++ list->next = abbrev_lists; ++ abbrev_lists = list; ++ } ++ + if (cu_abbrev_map == NULL) + { + num_abbrev_map_entries = INITIAL_NUM_ABBREV_MAP_ENTRIES; +@@ -936,20 +943,6 @@ free_all_abbrevs (void) + } + + static abbrev_list * +-new_abbrev_list (dwarf_vma abbrev_base, dwarf_vma abbrev_offset) +-{ +- abbrev_list * list = (abbrev_list *) xcalloc (sizeof * list, 1); +- +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- +- list->next = abbrev_lists; +- abbrev_lists = list; +- +- return list; +-} +- +-static abbrev_list * + find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base, + dwarf_vma abbrev_offset) + { +@@ -966,7 +959,7 @@ find_abbrev_list_by_abbrev_offset (dwarf + /* Find the abbreviation map for the CU that includes OFFSET. + OFFSET is an absolute offset from the start of the .debug_info section. */ + /* FIXME: This function is going to slow down readelf & objdump. +- Consider using a better algorithm to mitigate this effect. */ ++ Not caching abbrevs is likely the answer. 
*/ + + static abbrev_map * + find_abbrev_map_by_offset (dwarf_vma offset) +@@ -1033,40 +1026,18 @@ add_abbrev_attr (unsigned long attrib + list->last_abbrev->last_attr = attr; + } + +-/* Processes the (partial) contents of a .debug_abbrev section. +- Returns NULL if the end of the section was encountered. +- Returns the address after the last byte read if the end of +- an abbreviation set was found. */ ++/* Return processed (partial) contents of a .debug_abbrev section. ++ Returns NULL on errors. */ + +-static unsigned char * ++static abbrev_list * + process_abbrev_set (struct dwarf_section *section, +- dwarf_vma abbrev_base, +- dwarf_vma abbrev_size, +- dwarf_vma abbrev_offset, +- abbrev_list *list) ++ unsigned char *start, ++ unsigned char *end) + { +- if (abbrev_base >= section->size +- || abbrev_size > section->size - abbrev_base) +- { +- /* PR 17531: file:4bcd9ce9. */ +- warn (_("Debug info is corrupted, abbrev size (%lx) is larger than " +- "abbrev section size (%lx)\n"), +- (unsigned long) (abbrev_base + abbrev_size), +- (unsigned long) section->size); +- return NULL; +- } +- if (abbrev_offset >= abbrev_size) +- { +- warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than " +- "abbrev section size (%lx)\n"), +- (unsigned long) abbrev_offset, +- (unsigned long) abbrev_size); +- return NULL; +- } ++ abbrev_list *list = xmalloc (sizeof (*list)); ++ list->first_abbrev = NULL; ++ list->last_abbrev = NULL; + +- unsigned char *start = section->start + abbrev_base; +- unsigned char *end = start + abbrev_size; +- start += abbrev_offset; + while (start < end) + { + unsigned long entry; +@@ -1079,14 +1050,18 @@ process_abbrev_set (struct dwarf_section + /* A single zero is supposed to end the set according + to the standard. If there's more, then signal that to + the caller. */ +- if (start == end) +- return NULL; +- if (entry == 0) +- return start; ++ if (start == end || entry == 0) ++ { ++ list->start_of_next_abbrevs = start != end ? 
start : NULL; ++ return list; ++ } + + READ_ULEB (tag, start, end); + if (start == end) +- return NULL; ++ { ++ free (list); ++ return NULL; ++ } + + children = *start++; + +@@ -1121,9 +1096,67 @@ process_abbrev_set (struct dwarf_section + /* Report the missing single zero which ends the section. */ + error (_(".debug_abbrev section not zero terminated\n")); + ++ free (list); + return NULL; + } + ++/* Return a sequence of abbrevs in SECTION starting at ABBREV_BASE ++ plus ABBREV_OFFSET and finishing at ABBREV_BASE + ABBREV_SIZE. ++ If FREE_LIST is non-NULL search the already decoded abbrevs on ++ abbrev_lists first and if found set *FREE_LIST to NULL. If ++ searching doesn't find a matching abbrev, set *FREE_LIST to the ++ newly allocated list. If FREE_LIST is NULL, no search is done and ++ the returned abbrev_list is always newly allocated. */ ++ ++static abbrev_list * ++find_and_process_abbrev_set (struct dwarf_section *section, ++ dwarf_vma abbrev_base, ++ dwarf_vma abbrev_size, ++ dwarf_vma abbrev_offset, ++ abbrev_list **free_list) ++{ ++ if (free_list) ++ *free_list = NULL; ++ ++ if (abbrev_base >= section->size ++ || abbrev_size > section->size - abbrev_base) ++ { ++ /* PR 17531: file:4bcd9ce9. 
*/ ++ warn (_("Debug info is corrupted, abbrev size (%lx) is larger than " ++ "abbrev section size (%lx)\n"), ++ (unsigned long) (abbrev_base + abbrev_size), ++ (unsigned long) section->size); ++ return NULL; ++ } ++ if (abbrev_offset >= abbrev_size) ++ { ++ warn (_("Debug info is corrupted, abbrev offset (%lx) is larger than " ++ "abbrev section size (%lx)\n"), ++ (unsigned long) abbrev_offset, ++ (unsigned long) abbrev_size); ++ return NULL; ++ } ++ ++ unsigned char *start = section->start + abbrev_base + abbrev_offset; ++ unsigned char *end = section->start + abbrev_base + abbrev_size; ++ abbrev_list *list = NULL; ++ if (free_list) ++ list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ if (list == NULL) ++ { ++ list = process_abbrev_set (section, start, end); ++ if (list) ++ { ++ list->abbrev_base = abbrev_base; ++ list->abbrev_offset = abbrev_offset; ++ list->next = NULL; ++ } ++ if (free_list) ++ *free_list = list; ++ } ++ return list; ++} ++ + static const char * + get_TAG_name (unsigned long tag) + { +@@ -3670,7 +3703,6 @@ process_debug_info (struct dwarf_section + dwarf_vma cu_offset; + unsigned int offset_size; + struct cu_tu_set * this_set; +- abbrev_list * list; + unsigned char *end_cu; + + hdrptr = start; +@@ -3726,22 +3758,18 @@ process_debug_info (struct dwarf_section + abbrev_size = this_set->section_sizes [DW_SECT_ABBREV]; + } + +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, +- compunit.cu_abbrev_offset); +- if (list == NULL) +- { +- unsigned char * next; +- +- list = new_abbrev_list (abbrev_base, +- compunit.cu_abbrev_offset); +- next = process_abbrev_set (&debug_displays[abbrev_sec].section, +- abbrev_base, abbrev_size, +- compunit.cu_abbrev_offset, list); +- list->start_of_next_abbrevs = next; +- } +- ++ abbrev_list *list; ++ abbrev_list *free_list; ++ list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section, ++ abbrev_base, abbrev_size, ++ compunit.cu_abbrev_offset, ++ &free_list); + start = 
end_cu; +- record_abbrev_list_for_cu (cu_offset, start - section_begin, list); ++ if (list != NULL && list->first_abbrev != NULL) ++ record_abbrev_list_for_cu (cu_offset, start - section_begin, ++ list, free_list); ++ else if (free_list != NULL) ++ free_abbrev_list (free_list); + } + + for (start = section_begin, unit = 0; start < end; unit++) +@@ -3757,7 +3785,6 @@ process_debug_info (struct dwarf_section + struct cu_tu_set *this_set; + dwarf_vma abbrev_base; + size_t abbrev_size; +- abbrev_list * list = NULL; + unsigned char *end_cu; + + hdrptr = start; +@@ -3936,20 +3963,10 @@ process_debug_info (struct dwarf_section + } + + /* Process the abbrevs used by this compilation unit. */ +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, +- compunit.cu_abbrev_offset); +- if (list == NULL) +- { +- unsigned char *next; +- +- list = new_abbrev_list (abbrev_base, +- compunit.cu_abbrev_offset); +- next = process_abbrev_set (&debug_displays[abbrev_sec].section, +- abbrev_base, abbrev_size, +- compunit.cu_abbrev_offset, list); +- list->start_of_next_abbrevs = next; +- } +- ++ abbrev_list *list; ++ list = find_and_process_abbrev_set (&debug_displays[abbrev_sec].section, ++ abbrev_base, abbrev_size, ++ compunit.cu_abbrev_offset, NULL); + level = 0; + last_level = level; + saved_level = -1; +@@ -4128,6 +4145,8 @@ process_debug_info (struct dwarf_section + if (entry->children) + ++level; + } ++ if (list != NULL) ++ free_abbrev_list (list); + } + + /* Set num_debug_info_entries here so that it can be used to check if +@@ -6353,24 +6372,15 @@ display_debug_abbrev (struct dwarf_secti + + do + { +- abbrev_list * list; +- dwarf_vma offset; +- +- offset = start - section->start; +- list = find_abbrev_list_by_abbrev_offset (0, offset); ++ dwarf_vma offset = start - section->start; ++ abbrev_list *list = find_and_process_abbrev_set (section, 0, ++ section->size, offset, ++ NULL); + if (list == NULL) +- { +- list = new_abbrev_list (0, offset); +- start = process_abbrev_set 
(section, 0, section->size, offset, list); +- list->start_of_next_abbrevs = start; +- } +- else +- start = list->start_of_next_abbrevs; +- +- if (list->first_abbrev == NULL) +- continue; ++ break; + +- printf (_(" Number TAG (0x%lx)\n"), (long) offset); ++ if (list->first_abbrev) ++ printf (_(" Number TAG (0x%lx)\n"), (long) offset); + + for (entry = list->first_abbrev; entry; entry = entry->next) + { +@@ -6391,6 +6401,8 @@ display_debug_abbrev (struct dwarf_secti + putchar ('\n'); + } + } ++ start = list->start_of_next_abbrevs; ++ free_abbrev_list (list); + } + while (start); + diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch new file mode 100644 index 0000000000..b867b04e96 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch 
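Review bot: In 0018-CVE-2022-38128-1.patch, both error exits of the rewritten process_abbrev_set release the list with a plain `free (list);`, which drops only the head structure. Any abbrev entries and attributes attached in earlier loop iterations (that code sits in unchanged lines between the hunks, so this is inferred) would leak each time a truncated or unterminated abbrev set is parsed. Setting `list->next = NULL;` right after the xmalloc and exiting with `return free_abbrev_list (list);` frees the whole chain and still returns NULL; free_abbrev_list is the helper introduced by 0018-CVE-2022-38128-2.patch.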
@@ -0,0 +1,436 @@ +From 175b91507b83ad42607d2f6dadaf55b7b511bdbe Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 20 Jul 2022 18:28:50 +0930 +Subject: [PATCH] miscellaneous dwarf.c tidies + + * dwarf.c: Leading and trailing whitespace fixes. + (free_abbrev_list): New function. + (free_all_abbrevs): Use the above. Free cu_abbrev_map here too. + (process_abbrev_set): Print actual section name on error. + (get_type_abbrev_from_form): Add overflow check. + (free_debug_memory): Don't free cu_abbrev_map here.. + (process_debug_info): ..or here. Warn on another case of not + finding a neeeded abbrev. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=175b91507b83ad42607d2f6dadaf55b7b511bdbe] + +Signed-off-by: Pgowda <pgowda.cve@gmail.com> +--- + binutils/dwarf.c | 216 +++++++++++++++++++++++------------------------ + 1 file changed, 106 insertions(+), 110 deletions(-) + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 2b1eec49422..267ed3bb382 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -954,38 +954,41 @@ record_abbrev_list_for_cu (dwarf_vma sta + next_free_abbrev_map_entry ++; + } + +-static void +-free_all_abbrevs (void) ++static abbrev_list * ++free_abbrev_list (abbrev_list *list) + { +- abbrev_list * list; ++ abbrev_entry *abbrv = list->first_abbrev; + +- for (list = abbrev_lists; list != NULL;) ++ while (abbrv) + { +- abbrev_list * next = list->next; +- abbrev_entry * abbrv; ++ abbrev_attr *attr = abbrv->first_attr; + +- for (abbrv = list->first_abbrev; abbrv != NULL;) ++ while (attr) + { +- abbrev_entry * next_abbrev = abbrv->next; +- abbrev_attr * attr; +- +- for (attr = abbrv->first_attr; attr;) +- { +- abbrev_attr *next_attr = attr->next; +- +- free (attr); +- attr = next_attr; +- } +- +- free (abbrv); +- abbrv = next_abbrev; ++ abbrev_attr *next_attr = attr->next; ++ free (attr); ++ attr = next_attr; + } + +- free (list); +- list = next; ++ abbrev_entry *next_abbrev = 
abbrv->next; ++ free (abbrv); ++ abbrv = next_abbrev; + } + +- abbrev_lists = NULL; ++ abbrev_list *next = list->next; ++ free (list); ++ return next; ++} ++ ++static void ++free_all_abbrevs (void) ++{ ++ while (abbrev_lists) ++ abbrev_lists = free_abbrev_list (abbrev_lists); ++ ++ free (cu_abbrev_map); ++ cu_abbrev_map = NULL; ++ next_free_abbrev_map_entry = 0; + } + + static abbrev_list * +@@ -1017,7 +1020,7 @@ find_abbrev_map_by_offset (dwarf_vma off + && cu_abbrev_map[i].end > offset) + return cu_abbrev_map + i; + +- return NULL; ++ return NULL; + } + + static void +@@ -1140,7 +1143,7 @@ process_abbrev_set (struct dwarf_section + } + + /* Report the missing single zero which ends the section. */ +- error (_(".debug_abbrev section not zero terminated\n")); ++ error (_("%s section not zero terminated\n"), section->name); + + free (list); + return NULL; +@@ -1917,7 +1920,7 @@ fetch_alt_indirect_string (dwarf_vma off + dwarf_vmatoa ("x", offset)); + return _("<offset is too big>"); + } +- ++ + static const char * + get_AT_name (unsigned long attribute) + { +@@ -2199,7 +2202,8 @@ get_type_abbrev_from_form (unsigned long + case DW_FORM_ref4: + case DW_FORM_ref8: + case DW_FORM_ref_udata: +- if (uvalue + cu_offset > (size_t) (cu_end - section->start)) ++ if (uvalue + cu_offset < uvalue ++ || uvalue + cu_offset > (size_t) (cu_end - section->start)) + { + warn (_("Unable to resolve ref form: uvalue %lx + cu_offset %lx > CU size %lx\n"), + uvalue, (long) cu_offset, (long) (cu_end - section->start)); +@@ -2236,7 +2240,7 @@ get_type_abbrev_from_form (unsigned long + else + *map_return = NULL; + } +- ++ + READ_ULEB (abbrev_number, data, section->start + section->size); + + for (entry = map->list->first_abbrev; entry != NULL; entry = entry->next) +@@ -2837,7 +2841,7 @@ read_and_display_attr_value (unsigned lo + if (!do_loc) + printf ("%c<0x%s>", delimiter, dwarf_vmatoa ("x", uvalue + cu_offset)); + break; +- ++ + default: + warn (_("Unrecognized form: 0x%lx\n"), form); + /* 
What to do? Consume a byte maybe? */ +@@ -3009,7 +3013,7 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_strx3: + case DW_FORM_strx4: + add_dwo_name (fetch_indexed_string (uvalue, this_set, offset_size, false, +- debug_info_p->str_offsets_base), ++ debug_info_p->str_offsets_base), + cu_offset); + break; + case DW_FORM_string: +@@ -3043,7 +3047,7 @@ read_and_display_attr_value (unsigned lo + case DW_FORM_strx3: + case DW_FORM_strx4: + add_dwo_dir (fetch_indexed_string (uvalue, this_set, offset_size, false, +- debug_info_p->str_offsets_base), ++ debug_info_p->str_offsets_base), + cu_offset); + break; + case DW_FORM_string: +@@ -3671,11 +3675,8 @@ process_debug_info (struct dwarf_section + introduce (section, false); + + free_all_abbrevs (); +- free (cu_abbrev_map); +- cu_abbrev_map = NULL; +- next_free_abbrev_map_entry = 0; + +- /* In order to be able to resolve DW_FORM_ref_attr forms we need ++ /* In order to be able to resolve DW_FORM_ref_addr forms we need + to load *all* of the abbrevs for all CUs in this .debug_info + section. This does effectively mean that we (partially) read + every CU header twice. */ +@@ -4029,12 +4030,11 @@ process_debug_info (struct dwarf_section + + /* Scan through the abbreviation list until we reach the + correct entry. 
*/ +- if (list == NULL) +- continue; +- +- for (entry = list->first_abbrev; entry != NULL; entry = entry->next) +- if (entry->number == abbrev_number) +- break; ++ entry = NULL; ++ if (list != NULL) ++ for (entry = list->first_abbrev; entry != NULL; entry = entry->next) ++ if (entry->number == abbrev_number) ++ break; + + if (entry == NULL) + { +@@ -4442,7 +4442,7 @@ display_debug_sup (struct dwarf_section + + SAFE_BYTE_GET_AND_INC (is_supplementary, start, 1, end); + if (is_supplementary != 0 && is_supplementary != 1) +- warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n")); ++ warn (_("corrupt .debug_sup section: is_supplementary not 0 or 1\n")); + + sup_filename = start; + if (is_supplementary && sup_filename[0] != 0) +@@ -5621,7 +5621,7 @@ display_debug_lines_decoded (struct dwar + printf ("%s %11d %#18" DWARF_VMA_FMT "x", + newFileName, state_machine_regs.line, + state_machine_regs.address); +- } ++ } + else + { + if (xop == -DW_LNE_end_sequence) +@@ -6075,7 +6075,7 @@ display_debug_macro (struct dwarf_sectio + load_debug_section_with_follow (str, file); + load_debug_section_with_follow (line, file); + load_debug_section_with_follow (str_index, file); +- ++ + introduce (section, false); + + while (curr < end) +@@ -6519,7 +6519,7 @@ display_loc_list (struct dwarf_section * + + /* Check base address specifiers. 
*/ + if (is_max_address (begin, pointer_size) +- && !is_max_address (end, pointer_size)) ++ && !is_max_address (end, pointer_size)) + { + base_address = end; + print_dwarf_vma (begin, pointer_size); +@@ -6697,7 +6697,7 @@ display_loclists_list (struct dwarf_sect + case DW_LLE_default_location: + begin = end = 0; + break; +- ++ + case DW_LLE_offset_pair: + READ_ULEB (begin, start, section_end); + begin += base_address; +@@ -6993,7 +6993,7 @@ display_offset_entry_loclists (struct dw + unsigned char * start = section->start; + unsigned char * const end = start + section->size; + +- introduce (section, false); ++ introduce (section, false); + + do + { +@@ -7042,14 +7042,14 @@ display_offset_entry_loclists (struct dw + section->name, segment_selector_size); + return 0; + } +- ++ + if (offset_entry_count == 0) + { + warn (_("The %s section contains a table without offset\n"), + section->name); + return 0; + } +- ++ + printf (_("\n Offset Entries starting at 0x%lx:\n"), + (long)(start - section->start)); + +@@ -8295,12 +8295,12 @@ display_debug_ranges (struct dwarf_secti + next = section_begin + offset + debug_info_p->rnglists_base; + + /* If multiple DWARF entities reference the same range then we will +- have multiple entries in the `range_entries' list for the same +- offset. Thanks to the sort above these will all be consecutive in +- the `range_entries' list, so we can easily ignore duplicates +- here. */ ++ have multiple entries in the `range_entries' list for the same ++ offset. Thanks to the sort above these will all be consecutive in ++ the `range_entries' list, so we can easily ignore duplicates ++ here. */ + if (i > 0 && last_offset == offset) +- continue; ++ continue; + last_offset = offset; + + if (dwarf_check != 0 && i > 0) +@@ -10336,7 +10336,7 @@ display_debug_names (struct dwarf_sectio + break; + if (tagno >= 0) + printf ("%s<%lu>", +- (tagno == 0 && second_abbrev_tag == 0 ? " " : "\n\t"), ++ (tagno == 0 && second_abbrev_tag == 0 ? 
" " : "\n\t"), + (unsigned long) abbrev_tag); + + for (entry = abbrev_lookup; +@@ -10901,7 +10901,7 @@ process_cu_tu_index (struct dwarf_sectio + Check for integer overflow (can occur when size_t is 32-bit) + with overlarge ncols or nused values. */ + if (nused == -1u +- || _mul_overflow ((size_t) ncols, 4, &temp) ++ || _mul_overflow ((size_t) ncols, 4, &temp) + || _mul_overflow ((size_t) nused + 1, temp, &total) + || total > (size_t) (limit - ppool)) + { +@@ -10909,7 +10909,7 @@ process_cu_tu_index (struct dwarf_sectio + section->name); + return 0; + } +- ++ + if (do_display) + { + printf (_(" Offset table\n")); +@@ -11413,8 +11413,8 @@ add_separate_debug_file (const char * fi + + static bool + debuginfod_fetch_separate_debug_info (struct dwarf_section * section, +- char ** filename, +- void * file) ++ char ** filename, ++ void * file) + { + size_t build_id_len; + unsigned char * build_id; +@@ -11432,14 +11432,14 @@ debuginfod_fetch_separate_debug_info (st + + filelen = strnlen ((const char *)section->start, section->size); + if (filelen == section->size) +- /* Corrupt debugaltlink. */ +- return false; ++ /* Corrupt debugaltlink. */ ++ return false; + + build_id = section->start + filelen + 1; + build_id_len = section->size - (filelen + 1); + + if (build_id_len == 0) +- return false; ++ return false; + } + else + return false; +@@ -11451,25 +11451,25 @@ debuginfod_fetch_separate_debug_info (st + + client = debuginfod_begin (); + if (client == NULL) +- return false; ++ return false; + + /* Query debuginfod servers for the target file. If found its path +- will be stored in filename. */ ++ will be stored in filename. */ + fd = debuginfod_find_debuginfo (client, build_id, build_id_len, filename); + debuginfod_end (client); + + /* Only free build_id if we allocated space for a hex string +- in get_build_id (). */ ++ in get_build_id (). */ + if (build_id_len == 0) +- free (build_id); ++ free (build_id); + + if (fd >= 0) +- { +- /* File successfully retrieved. 
Close fd since we want to +- use open_debug_file () on filename instead. */ +- close (fd); +- return true; +- } ++ { ++ /* File successfully retrieved. Close fd since we want to ++ use open_debug_file () on filename instead. */ ++ close (fd); ++ return true; ++ } + } + + return false; +@@ -11482,7 +11482,7 @@ load_separate_debug_info (const char * + parse_func_type parse_func, + check_func_type check_func, + void * func_data, +- void * file ATTRIBUTE_UNUSED) ++ void * file ATTRIBUTE_UNUSED) + { + const char * separate_filename; + char * debug_filename; +@@ -11597,11 +11597,11 @@ load_separate_debug_info (const char * + & tmp_filename, + file)) + { +- /* File successfully downloaded from server, replace +- debug_filename with the file's path. */ +- free (debug_filename); +- debug_filename = tmp_filename; +- goto found; ++ /* File successfully downloaded from server, replace ++ debug_filename with the file's path. */ ++ free (debug_filename); ++ debug_filename = tmp_filename; ++ goto found; + } + } + #endif +@@ -11766,12 +11766,12 @@ load_build_id_debug_file (const char * m + /* In theory we should extract the contents of the section into + a note structure and then check the fields. For now though + just use hard coded offsets instead: +- ++ + Field Bytes Contents + NSize 0...3 4 + DSize 4...7 8+ + Type 8..11 3 (NT_GNU_BUILD_ID) +- Name 12.15 GNU\0 ++ Name 12.15 GNU\0 + Data 16.... */ + + /* FIXME: Check the name size, name and type fields. */ +@@ -11783,7 +11783,7 @@ load_build_id_debug_file (const char * m + warn (_(".note.gnu.build-id data size is too small\n")); + return; + } +- ++ + if (build_id_size > (section->size - 16)) + { + warn (_(".note.gnu.build-id data size is too bug\n")); +@@ -12075,10 +12075,6 @@ free_debug_memory (void) + + free_all_abbrevs (); + +- free (cu_abbrev_map); +- cu_abbrev_map = NULL; +- next_free_abbrev_map_entry = 0; +- + free (shndx_pool); + shndx_pool = NULL; + shndx_pool_size = 0; 
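Review bot: `free_abbrev_list` in 0018-CVE-2022-38128-2.patch has no comment describing its contract, although it dereferences `list->first_abbrev` and `list->next` unconditionally and returns the successor rather than void. A header comment such as `/* Free LIST and every abbrev and attribute it owns; return LIST->next. LIST must be non-NULL and its next field initialised. */` would make the precondition explicit for callers that free a list which was never linked onto abbrev_lists.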
diff --git a/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch
new file mode 100644
index 0000000000..04d06ed6b6
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch
@@ -0,0 +1,95 @@
+From 695c6dfe7e85006b98c8b746f3fd5f913c94ebff Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 21 Jul 2022 09:56:15 +0930
+Subject: [PATCH] PR29370, infinite loop in display_debug_abbrev
+
+The PR29370 testcase is a fuzzed object file with multiple
+.trace_abbrev sections. Multiple .trace_abbrev or .debug_abbrev
+sections are not a violation of the DWARF standard. The DWARF5
+standard even gives an example of multiple .debug_abbrev sections
+contained in groups. Caching and lookup of processed abbrevs thus
+needs to be done by section and offset rather than base and offset.
+(Why base anyway?) Or, since section contents are kept, by a pointer
+into the contents.
+
+ PR 29370
+ * dwarf.c (struct abbrev_list): Replace abbrev_base and
+ abbrev_offset with raw field.
+ (find_abbrev_list_by_abbrev_offset): Delete.
+ (find_abbrev_list_by_raw_abbrev): New function.
+ (process_abbrev_set): Set list->raw and list->next.
+ (find_and_process_abbrev_set): Replace abbrev list lookup with
+ new function. Don't set list abbrev_base, abbrev_offset or next.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=695c6dfe7e85006b98c8b746f3fd5f913c94ebff]
+
+Signed-off-by: Pgowda <pgowda.cve@gmail.com>
+---
+ binutils/dwarf.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 2fc352f74c5..99fb3566994 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -856,8 +856,7 @@ typedef struct abbrev_list
+ {
+ abbrev_entry * first_abbrev;
+ abbrev_entry * last_abbrev;
+- dwarf_vma abbrev_base;
+- dwarf_vma abbrev_offset;
++ unsigned char * raw;
+ struct abbrev_list * next;
+ unsigned char * start_of_next_abbrevs;
+ }
+@@ -946,14 +945,12 @@ free_all_abbrevs (void)
+ }
+
+ static abbrev_list *
+-find_abbrev_list_by_abbrev_offset (dwarf_vma abbrev_base,
+- dwarf_vma abbrev_offset)
++find_abbrev_list_by_raw_abbrev (unsigned char *raw)
+ {
+ abbrev_list * list;
+
+ for (list = abbrev_lists; list != NULL; list = list->next)
+- if (list->abbrev_base == abbrev_base
+- && list->abbrev_offset == abbrev_offset)
++ if (list->raw == raw)
+ return list;
+
+ return NULL;
+@@ -1040,6 +1037,7 @@ process_abbrev_set (struct dwarf_section
+ abbrev_list *list = xmalloc (sizeof (*list));
+ list->first_abbrev = NULL;
+ list->last_abbrev = NULL;
++ list->raw = start;
+
+ while (start < end)
+ {
+@@ -1055,6 +1053,7 @@ process_abbrev_set (struct dwarf_section
+ the caller. */
+ if (start == end || entry == 0)
+ {
++ list->next = NULL;
+ list->start_of_next_abbrevs = start != end ? 
start : NULL; + return list; + } +@@ -1144,16 +1143,10 @@ find_and_process_abbrev_set (struct dwar + unsigned char *end = section->start + abbrev_base + abbrev_size; + abbrev_list *list = NULL; + if (free_list) +- list = find_abbrev_list_by_abbrev_offset (abbrev_base, abbrev_offset); ++ list = find_abbrev_list_by_raw_abbrev (start); + if (list == NULL) + { + list = process_abbrev_set (section, start, end); +- if (list) +- { +- list->abbrev_base = abbrev_base; +- list->abbrev_offset = abbrev_offset; +- list->next = NULL; +- } + if (free_list) + *free_list = list; + } diff --git a/meta/recipes-devtools/binutils/binutils/0019-CVE-2022-4285.patch b/meta/recipes-devtools/binutils/binutils/0019-CVE-2022-4285.patch new file mode 100644 index 0000000000..e5e404982e --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0019-CVE-2022-4285.patch 
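Review bot: The header of 0018-CVE-2022-38128-3.patch has `Upstream-Status` and `Signed-off-by` trailers but no `CVE:` trailer, while the 0019 and 0020 patches added in the same commit each carry one. The commit text only names PR29370, so the link to CVE-2022-38128 currently lives in the file name alone. Anything that reads the trailer rather than the file name (audit scripts, reviewers grepping the tree) would miss this fix. I would add `CVE: CVE-2022-38128` on the line after `Upstream-Status:`.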
@@ -0,0 +1,37 @@
+From 5c831a3c7f3ca98d6aba1200353311e1a1f84c70 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 19 Oct 2022 15:09:12 +0100
+Subject: [PATCH] Fix an illegal memory access when parsing an ELF file
+ containing corrupt symbol version information.
+
+ PR 29699
+ * elf.c (_bfd_elf_slurp_version_tables): Fail if the sh_info field
+ of the section header is zero.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70]
+CVE: CVE-2022-4285
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/elf.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index fe00e0f9189..7cd7febcf95 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -8918,7 +8918,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ bfd_set_error (bfd_error_file_too_big);
+ goto error_return_verref;
+ }
+- elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) bfd_alloc (abfd, amt);
++ if (amt == 0)
++ goto error_return_verref;
++ elf_tdata (abfd)->verref = (Elf_Internal_Verneed *) bfd_zalloc (abfd, amt);
+ if (elf_tdata (abfd)->verref == NULL)
+ goto error_return_verref;
+
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch
new file mode 100644
index 0000000000..18d4ac5f9d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-1.patch
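Review bot: The new `if (amt == 0) goto error_return_verref;` guard in `_bfd_elf_slurp_version_tables` jumps to the error label without setting a BFD error, whereas the overflow branch directly above calls `bfd_set_error (bfd_error_file_too_big)` first. A caller that reports `bfd_get_error ()` after this failure may then show a stale or missing reason for rejecting a file whose `sh_info` is zero. Unless the label, which is outside this hunk, already sets one, I would add `bfd_set_error (bfd_error_bad_value);` before the `goto`. The header's diffstat also still lists `bfd/ChangeLog`, but the patch body only carries the `bfd/elf.c` change.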
@@ -0,0 +1,506 @@ +From 116aac1447ee92df25599859293752648e3c6ea0 Mon Sep 17 00:00:00 2001 +From: "Steinar H. Gunderson" <sesse@google.com> +Date: Fri, 20 May 2022 16:10:34 +0200 +Subject: [PATCH] add a trie to map quickly from address range to compilation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + unit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When using perf to profile large binaries, _bfd_dwarf2_find_nearest_line() +becomes a hotspot, as perf wants to get line number information +(for inline-detection purposes) for each and every sample. In Chromium +in particular (the content_shell binary), this entails going through +475k address ranges, which takes a long time when done repeatedly. + +Add a radix-256 trie over the address space to quickly map address to +compilation unit spaces; for content_shell, which is 1.6 GB when some +(but not full) debug information turned is on, we go from 6 ms to +0.006 ms (6 µs) for each lookup from address to compilation unit, a 1000x +speedup. + +There is a modest RAM increase of 180 MB in this binary (the existing +linked list over ranges uses about 10 MB, and the entire perf job uses +between 2-3 GB for a medium-size profile); for smaller binaries with few +ranges, there should be hardly any extra RAM usage at all. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=b43771b045fb5616da3964f2994eefbe8ae70d32] + +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 326 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 312 insertions(+), 14 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index fdf071c3..0ae50a37 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -82,6 +82,77 @@ struct adjusted_section + bfd_vma adj_vma; + }; + ++/* A trie to map quickly from address range to compilation unit. 
++ ++ This is a fairly standard radix-256 trie, used to quickly locate which ++ compilation unit any given address belongs to. Given that each compilation ++ unit may register hundreds of very small and unaligned ranges (which may ++ potentially overlap, due to inlining and other concerns), and a large ++ program may end up containing hundreds of thousands of such ranges, we cannot ++ scan through them linearly without undue slowdown. ++ ++ We use a hybrid trie to avoid memory explosion: There are two types of trie ++ nodes, leaves and interior nodes. (Almost all nodes are leaves, so they ++ take up the bulk of the memory usage.) Leaves contain a simple array of ++ ranges (high/low address) and which compilation unit contains those ranges, ++ and when we get to a leaf, we scan through it linearly. Interior nodes ++ contain pointers to 256 other nodes, keyed by the next byte of the address. ++ So for a 64-bit address like 0x1234567abcd, we would start at the root and go ++ down child[0x00]->child[0x00]->child[0x01]->child[0x23]->child[0x45] etc., ++ until we hit a leaf. (Nodes are, in general, leaves until they exceed the ++ default allocation of 16 elements, at which point they are converted to ++ interior node if possible.) This gives us near-constant lookup times; ++ the only thing that can be costly is if there are lots of overlapping ranges ++ within a single 256-byte segment of the binary, in which case we have to ++ scan through them all to find the best match. ++ ++ For a binary with few ranges, we will in practice only have a single leaf ++ node at the root, containing a simple array. Thus, the scheme is efficient ++ for both small and large binaries. ++ */ ++ ++/* Experiments have shown 16 to be a memory-efficient default leaf size. ++ The only case where a leaf will hold more memory than this, is at the ++ bottomost level (covering 256 bytes in the binary), where we'll expand ++ the leaf to be able to hold more ranges if needed. 
++ */ ++#define TRIE_LEAF_SIZE 16 ++ ++/* All trie_node pointers will really be trie_leaf or trie_interior, ++ but they have this common head. */ ++struct trie_node ++{ ++ /* If zero, we are an interior node. ++ Otherwise, how many ranges we have room for in this leaf. */ ++ unsigned int num_room_in_leaf; ++}; ++ ++struct trie_leaf ++{ ++ struct trie_node head; ++ unsigned int num_stored_in_leaf; ++ struct { ++ struct comp_unit *unit; ++ bfd_vma low_pc, high_pc; ++ } ranges[TRIE_LEAF_SIZE]; ++}; ++ ++struct trie_interior ++{ ++ struct trie_node head; ++ struct trie_node *children[256]; ++}; ++ ++static struct trie_node *alloc_trie_leaf (bfd *abfd) ++{ ++ struct trie_leaf *leaf = ++ bfd_zalloc (abfd, sizeof (struct trie_leaf)); ++ if (leaf == NULL) ++ return NULL; ++ leaf->head.num_room_in_leaf = TRIE_LEAF_SIZE; ++ return &leaf->head; ++} ++ + struct dwarf2_debug_file + { + /* The actual bfd from which debug info was loaded. Might be +@@ -139,6 +210,9 @@ struct dwarf2_debug_file + /* A list of all previously read comp_units. */ + struct comp_unit *all_comp_units; + ++ /* A list of all previously read comp_units with no ranges (yet). */ ++ struct comp_unit *all_comp_units_without_ranges; ++ + /* Last comp unit in list above. */ + struct comp_unit *last_comp_unit; + +@@ -147,6 +221,9 @@ struct dwarf2_debug_file + + /* Hash table to map offsets to decoded abbrevs. */ + htab_t abbrev_offsets; ++ ++ /* Root of a trie to map addresses to compilation units. */ ++ struct trie_node *trie_root; + }; + + struct dwarf2_debug +@@ -220,6 +297,11 @@ struct comp_unit + /* Chain the previously read compilation units. */ + struct comp_unit *next_unit; + ++ /* Chain the previously read compilation units that have no ranges yet. ++ We scan these separately when we have a trie over the ranges. ++ Unused if arange.high != 0. */ ++ struct comp_unit *next_unit_without_ranges; ++ + /* Likewise, chain the compilation unit read after this one. 
+ The comp units are stored in reversed reading order. */ + struct comp_unit *prev_unit; +@@ -296,6 +378,10 @@ struct comp_unit + + /* TRUE if symbols are cached in hash table for faster lookup by name. */ + bool cached; ++ ++ /* Used when iterating over trie leaves to know which units we have ++ already seen in this iteration. */ ++ bool mark; + }; + + /* This data structure holds the information of an abbrev. */ +@@ -1766,9 +1852,189 @@ concat_filename (struct line_info_table *table, unsigned int file) + return strdup (filename); + } + ++/* Number of bits in a bfd_vma. */ ++#define VMA_BITS (8 * sizeof (bfd_vma)) ++ ++/* Check whether [low1, high1) can be combined with [low2, high2), ++ i.e., they touch or overlap. */ ++static bool ranges_overlap (bfd_vma low1, ++ bfd_vma high1, ++ bfd_vma low2, ++ bfd_vma high2) ++{ ++ if (low1 == low2 || high1 == high2) ++ return true; ++ ++ /* Sort so that low1 is below low2. */ ++ if (low1 > low2) ++ { ++ bfd_vma tmp; ++ ++ tmp = low1; ++ low1 = low2; ++ low2 = tmp; ++ ++ tmp = high1; ++ high1 = high2; ++ high2 = tmp; ++ } ++ ++ /* We touch iff low2 == high1. ++ We overlap iff low2 is within [low1, high1). */ ++ return (low2 <= high1); ++} ++ ++/* Insert an address range in the trie mapping addresses to compilation units. ++ Will return the new trie node (usually the same as is being sent in, but ++ in case of a leaf-to-interior conversion, or expansion of a leaf, it may be ++ different), or NULL on failure. ++ */ ++static struct trie_node *insert_arange_in_trie(bfd *abfd, ++ struct trie_node *trie, ++ bfd_vma trie_pc, ++ unsigned int trie_pc_bits, ++ struct comp_unit *unit, ++ bfd_vma low_pc, ++ bfd_vma high_pc) ++{ ++ bfd_vma clamped_low_pc, clamped_high_pc; ++ int ch, from_ch, to_ch; ++ bool is_full_leaf = false; ++ ++ /* See if we can extend any of the existing ranges. 
This merging ++ isn't perfect (if merging opens up the possibility of merging two existing ++ ranges, we won't find them), but it takes the majority of the cases. */ ++ if (trie->num_room_in_leaf > 0) ++ { ++ struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int i; ++ ++ for (i = 0; i < leaf->num_stored_in_leaf; ++i) ++ { ++ if (leaf->ranges[i].unit == unit && ++ ranges_overlap(low_pc, high_pc, ++ leaf->ranges[i].low_pc, leaf->ranges[i].high_pc)) ++ { ++ if (low_pc < leaf->ranges[i].low_pc) ++ leaf->ranges[i].low_pc = low_pc; ++ if (high_pc > leaf->ranges[i].high_pc) ++ leaf->ranges[i].high_pc = high_pc; ++ return trie; ++ } ++ } ++ ++ is_full_leaf = leaf->num_stored_in_leaf == trie->num_room_in_leaf; ++ } ++ ++ /* If we're a leaf with no more room and we're _not_ at the bottom, ++ convert to an interior node. */ ++ if (is_full_leaf && trie_pc_bits < VMA_BITS) ++ { ++ const struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int i; ++ ++ trie = bfd_zalloc (abfd, sizeof (struct trie_interior)); ++ if (!trie) ++ return NULL; ++ is_full_leaf = false; ++ ++ /* TODO: If we wanted to save a little more memory at the cost of ++ complexity, we could have reused the old leaf node as one of the ++ children of the new interior node, instead of throwing it away. */ ++ for (i = 0; i < leaf->num_stored_in_leaf; ++i) ++ { ++ if (!insert_arange_in_trie (abfd, trie, trie_pc, trie_pc_bits, ++ leaf->ranges[i].unit, leaf->ranges[i].low_pc, ++ leaf->ranges[i].high_pc)) ++ return NULL; ++ } ++ } ++ ++ /* If we're a leaf with no more room and we _are_ at the bottom, ++ we have no choice but to just make it larger. 
*/ ++ if (is_full_leaf) ++ { ++ const struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ unsigned int new_room_in_leaf = trie->num_room_in_leaf * 2; ++ struct trie_leaf *new_leaf; ++ ++ new_leaf = bfd_zalloc (abfd, ++ sizeof (struct trie_leaf) + ++ (new_room_in_leaf - TRIE_LEAF_SIZE) * sizeof (leaf->ranges[0])); ++ new_leaf->head.num_room_in_leaf = new_room_in_leaf; ++ new_leaf->num_stored_in_leaf = leaf->num_stored_in_leaf; ++ ++ memcpy (new_leaf->ranges, ++ leaf->ranges, ++ leaf->num_stored_in_leaf * sizeof (leaf->ranges[0])); ++ trie = &new_leaf->head; ++ is_full_leaf = false; ++ ++ /* Now the insert below will go through. */ ++ } ++ ++ /* If we're a leaf (now with room), we can just insert at the end. */ ++ if (trie->num_room_in_leaf > 0) ++ { ++ struct trie_leaf *leaf = (struct trie_leaf *) trie; ++ ++ unsigned int i = leaf->num_stored_in_leaf++; ++ leaf->ranges[i].unit = unit; ++ leaf->ranges[i].low_pc = low_pc; ++ leaf->ranges[i].high_pc = high_pc; ++ return trie; ++ } ++ ++ /* Now we are definitely an interior node, so recurse into all ++ the relevant buckets. */ ++ ++ /* Clamp the range to the current trie bucket. */ ++ clamped_low_pc = low_pc; ++ clamped_high_pc = high_pc; ++ if (trie_pc_bits > 0) ++ { ++ bfd_vma bucket_high_pc = ++ trie_pc + ((bfd_vma)-1 >> trie_pc_bits); /* Inclusive. */ ++ if (clamped_low_pc < trie_pc) ++ clamped_low_pc = trie_pc; ++ if (clamped_high_pc > bucket_high_pc) ++ clamped_high_pc = bucket_high_pc; ++ } ++ ++ /* Insert the ranges in all buckets that it spans. 
*/ ++ from_ch = (clamped_low_pc >> (VMA_BITS - trie_pc_bits - 8)) & 0xff; ++ to_ch = ((clamped_high_pc - 1) >> (VMA_BITS - trie_pc_bits - 8)) & 0xff; ++ for (ch = from_ch; ch <= to_ch; ++ch) ++ { ++ struct trie_interior *interior = (struct trie_interior *) trie; ++ struct trie_node *child = interior->children[ch]; ++ ++ if (child == NULL) ++ { ++ child = alloc_trie_leaf (abfd); ++ if (!child) ++ return NULL; ++ } ++ child = insert_arange_in_trie (abfd, ++ child, ++ trie_pc + ((bfd_vma)ch << (VMA_BITS - trie_pc_bits - 8)), ++ trie_pc_bits + 8, ++ unit, ++ low_pc, ++ high_pc); ++ if (!child) ++ return NULL; ++ ++ interior->children[ch] = child; ++ } ++ ++ return trie; ++} ++ ++ + static bool +-arange_add (const struct comp_unit *unit, struct arange *first_arange, +- bfd_vma low_pc, bfd_vma high_pc) ++arange_add (struct comp_unit *unit, struct arange *first_arange, ++ struct trie_node **trie_root, bfd_vma low_pc, bfd_vma high_pc) + { + struct arange *arange; + +@@ -1776,6 +2042,19 @@ arange_add (const struct comp_unit *unit, struct arange *first_arange, + if (low_pc == high_pc) + return true; + ++ if (trie_root != NULL) ++ { ++ *trie_root = insert_arange_in_trie (unit->file->bfd_ptr, ++ *trie_root, ++ 0, ++ 0, ++ unit, ++ low_pc, ++ high_pc); ++ if (*trie_root == NULL) ++ return false; ++ } ++ + /* If the first arange is empty, use it. 
*/ + if (first_arange->high == 0) + { +@@ -2410,7 +2689,8 @@ decode_line_info (struct comp_unit *unit) + low_pc = address; + if (address > high_pc) + high_pc = address; +- if (!arange_add (unit, &unit->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &unit->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + goto line_fail; + break; + case DW_LNE_set_address: +@@ -3134,7 +3414,7 @@ find_abstract_instance (struct comp_unit *unit, + + static bool + read_ranges (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + bfd_byte *ranges_ptr; + bfd_byte *ranges_end; +@@ -3169,7 +3449,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + base_address = high_pc; + else + { +- if (!arange_add (unit, arange, ++ if (!arange_add (unit, arange, trie_root, + base_address + low_pc, base_address + high_pc)) + return false; + } +@@ -3179,7 +3459,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + + static bool + read_rnglists (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + bfd_byte *rngs_ptr; + bfd_byte *rngs_end; +@@ -3253,19 +3533,19 @@ read_rnglists (struct comp_unit *unit, struct arange *arange, + return false; + } + +- if (!arange_add (unit, arange, low_pc, high_pc)) ++ if (!arange_add (unit, arange, trie_root, low_pc, high_pc)) + return false; + } + } + + static bool + read_rangelist (struct comp_unit *unit, struct arange *arange, +- bfd_uint64_t offset) ++ struct trie_node **trie_root, bfd_uint64_t offset) + { + if (unit->version <= 4) +- return read_ranges (unit, arange, offset); ++ return read_ranges (unit, arange, trie_root, offset); + else +- return read_rnglists (unit, arange, offset); ++ return read_rnglists (unit, arange, trie_root, offset); + } + + static struct funcinfo * +@@ -3563,7 +3843,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_ranges: + if 
(is_int_form (&attr) +- && !read_rangelist (unit, &func->arange, attr.u.val)) ++ && !read_rangelist (unit, &func->arange, ++ &unit->file->trie_root, attr.u.val)) + goto fail; + break; + +@@ -3679,7 +3960,8 @@ scan_unit_for_symbols (struct comp_unit *unit) + + if (func && high_pc != 0) + { +- if (!arange_add (unit, &func->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &func->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + goto fail; + } + } +@@ -3874,7 +4156,8 @@ parse_comp_unit (struct dwarf2_debug *stash, + + case DW_AT_ranges: + if (is_int_form (&attr) +- && !read_rangelist (unit, &unit->arange, attr.u.val)) ++ && !read_rangelist (unit, &unit->arange, ++ &unit->file->trie_root, attr.u.val)) + return NULL; + break; + +@@ -3916,7 +4199,8 @@ parse_comp_unit (struct dwarf2_debug *stash, + high_pc += low_pc; + if (high_pc != 0) + { +- if (!arange_add (unit, &unit->arange, low_pc, high_pc)) ++ if (!arange_add (unit, &unit->arange, &unit->file->trie_root, ++ low_pc, high_pc)) + return NULL; + } + +@@ -4747,6 +5031,14 @@ _bfd_dwarf2_slurp_debug_info (bfd *abfd, bfd *debug_bfd, + if (!stash->alt.abbrev_offsets) + return false; + ++ stash->f.trie_root = alloc_trie_leaf (abfd); ++ if (!stash->f.trie_root) ++ return false; ++ ++ stash->alt.trie_root = alloc_trie_leaf (abfd); ++ if (!stash->alt.trie_root) ++ return false; ++ + *pinfo = stash; + + if (debug_bfd == NULL) +@@ -4918,6 +5210,12 @@ stash_comp_unit (struct dwarf2_debug *stash, struct dwarf2_debug_file *file) + each->next_unit = file->all_comp_units; + file->all_comp_units = each; + ++ if (each->arange.high == 0) ++ { ++ each->next_unit_without_ranges = file->all_comp_units_without_ranges; ++ file->all_comp_units_without_ranges = each->next_unit_without_ranges; ++ } ++ + file->info_ptr += length; + return each; + } 
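Review bot: In the leaf-expansion branch of `insert_arange_in_trie`, the pointer returned by `bfd_zalloc` is written through at `new_leaf->head.num_room_in_leaf = new_room_in_leaf;` with no NULL check. An allocation failure while parsing a very large or malformed range table would therefore be a NULL dereference, whereas the other allocations in this function return NULL on failure. Add `if (new_leaf == NULL) return NULL;` directly after the `bfd_zalloc` call. Separately, in `stash_comp_unit` the line `file->all_comp_units_without_ranges = each->next_unit_without_ranges;` stores the old head back into the head, so `each` is never linked into the list. It presumably should read `file->all_comp_units_without_ranges = each;`.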
diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch
new file mode 100644
index 0000000000..a58b8dccdc
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-2.patch
@@ -0,0 +1,210 @@ +From 1e716c1b160d56c2ab8711e199cad5b4db47cedf Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Tue, 30 Aug 2022 16:01:20 +0100 +Subject: [PATCH] BFD library: Use entry 0 in directory and filename tables of + + DWARF-5 debug info. + + PR 29529 + * dwarf2.c (struct line_info_table): Add new field: + use_dir_and_file_0. + (concat_filename): Use new field to help select the correct table + slot. + (read_formatted_entries): Do not skip entry 0. + (decode_line_info): Set new field depending upon the version of + DWARF being parsed. Initialise filename based upon the setting of + the new field. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=37833b966576c5d25e797ea3b6c33d0459a71892] +CVE: CVE-2023-22608 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 86 ++++++++++++++++++++---------- + ld/testsuite/ld-x86-64/pr27587.err | 2 +- + 2 files changed, 59 insertions(+), 29 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0ae50a37..b7839ad6 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -1571,6 +1571,7 @@ struct line_info_table + unsigned int num_files; + unsigned int num_dirs; + unsigned int num_sequences; ++ bool use_dir_and_file_0; + char * comp_dir; + char ** dirs; + struct fileinfo* files; +@@ -1791,16 +1792,30 @@ concat_filename (struct line_info_table *table, unsigned int file) + { + char *filename; + +- if (table == NULL || file - 1 >= table->num_files) ++ /* Pre DWARF-5 entry 0 in the directory and filename tables was not used. ++ So in order to save space in the tables used here the info for, eg ++ directory 1 is stored in slot 0 of the directory table, directory 2 ++ in slot 1 and so on. ++ ++ Starting with DWARF-5 the 0'th entry is used so there is a one to one ++ mapping between DWARF slots and internal table entries. */ ++ if (! table->use_dir_and_file_0) + { +- /* FILE == 0 means unknown. 
*/ +- if (file) +- _bfd_error_handler +- (_("DWARF error: mangled line number section (bad file number)")); ++ /* Pre DWARF-5, FILE == 0 means unknown. */ ++ if (file == 0) ++ return strdup ("<unknown>"); ++ -- file; ++ } ++ ++ if (table == NULL || file >= table->num_files) ++ { ++ _bfd_error_handler ++ (_("DWARF error: mangled line number section (bad file number)")); + return strdup ("<unknown>"); + } + +- filename = table->files[file - 1].name; ++ filename = table->files[file].name; ++ + if (filename == NULL) + return strdup ("<unknown>"); + +@@ -1811,12 +1826,17 @@ concat_filename (struct line_info_table *table, unsigned int file) + char *name; + size_t len; + +- if (table->files[file - 1].dir ++ if (table->files[file].dir + /* PR 17512: file: 0317e960. */ +- && table->files[file - 1].dir <= table->num_dirs ++ && table->files[file].dir <= table->num_dirs + /* PR 17512: file: 7f3d2e4b. */ + && table->dirs != NULL) +- subdir_name = table->dirs[table->files[file - 1].dir - 1]; ++ { ++ if (table->use_dir_and_file_0) ++ subdir_name = table->dirs[table->files[file].dir]; ++ else ++ subdir_name = table->dirs[table->files[file].dir - 1]; ++ } + + if (!subdir_name || !IS_ABSOLUTE_PATH (subdir_name)) + dir_name = table->comp_dir; +@@ -1857,10 +1877,12 @@ concat_filename (struct line_info_table *table, unsigned int file) + + /* Check whether [low1, high1) can be combined with [low2, high2), + i.e., they touch or overlap. */ +-static bool ranges_overlap (bfd_vma low1, +- bfd_vma high1, +- bfd_vma low2, +- bfd_vma high2) ++ ++static bool ++ranges_overlap (bfd_vma low1, ++ bfd_vma high1, ++ bfd_vma low2, ++ bfd_vma high2) + { + if (low1 == low2 || high1 == high2) + return true; +@@ -1887,15 +1909,16 @@ static bool ranges_overlap (bfd_vma low1, + /* Insert an address range in the trie mapping addresses to compilation units. 
+ Will return the new trie node (usually the same as is being sent in, but + in case of a leaf-to-interior conversion, or expansion of a leaf, it may be +- different), or NULL on failure. +- */ +-static struct trie_node *insert_arange_in_trie(bfd *abfd, +- struct trie_node *trie, +- bfd_vma trie_pc, +- unsigned int trie_pc_bits, +- struct comp_unit *unit, +- bfd_vma low_pc, +- bfd_vma high_pc) ++ different), or NULL on failure. */ ++ ++static struct trie_node * ++insert_arange_in_trie (bfd *abfd, ++ struct trie_node *trie, ++ bfd_vma trie_pc, ++ unsigned int trie_pc_bits, ++ struct comp_unit *unit, ++ bfd_vma low_pc, ++ bfd_vma high_pc) + { + bfd_vma clamped_low_pc, clamped_high_pc; + int ch, from_ch, to_ch; +@@ -2031,7 +2054,6 @@ static struct trie_node *insert_arange_in_trie(bfd *abfd, + return trie; + } + +- + static bool + arange_add (struct comp_unit *unit, struct arange *first_arange, + struct trie_node **trie_root, bfd_vma low_pc, bfd_vma high_pc) +@@ -2412,10 +2434,8 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp, + } + } + +- /* Skip the first "zero entry", which is the compilation dir/file. */ +- if (datai != 0) +- if (!callback (table, fe.name, fe.dir, fe.time, fe.size)) +- return false; ++ if (!callback (table, fe.name, fe.dir, fe.time, fe.size)) ++ return false; + } + + *bufp = buf; +@@ -2592,6 +2612,7 @@ decode_line_info (struct comp_unit *unit) + if (!read_formatted_entries (unit, &line_ptr, line_end, table, + line_info_add_file_name)) + goto fail; ++ table->use_dir_and_file_0 = true; + } + else + { +@@ -2614,6 +2635,7 @@ decode_line_info (struct comp_unit *unit) + if (!line_info_add_file_name (table, cur_file, dir, xtime, size)) + goto fail; + } ++ table->use_dir_and_file_0 = false; + } + + /* Read the statement sequences until there's nothing left. */ +@@ -2622,7 +2644,7 @@ decode_line_info (struct comp_unit *unit) + /* State machine registers. 
*/ + bfd_vma address = 0; + unsigned char op_index = 0; +- char * filename = table->num_files ? concat_filename (table, 1) : NULL; ++ char * filename = NULL; + unsigned int line = 1; + unsigned int column = 0; + unsigned int discriminator = 0; +@@ -2637,6 +2659,14 @@ decode_line_info (struct comp_unit *unit) + bfd_vma low_pc = (bfd_vma) -1; + bfd_vma high_pc = 0; + ++ if (table->num_files) ++ { ++ if (table->use_dir_and_file_0) ++ filename = concat_filename (table, 0); ++ else ++ filename = concat_filename (table, 1); ++ } ++ + /* Decode the table. */ + while (!end_sequence && line_ptr < line_end) + { +diff --git a/ld/testsuite/ld-x86-64/pr27587.err b/ld/testsuite/ld-x86-64/pr27587.err +index fa870790..807750ca 100644 +--- a/ld/testsuite/ld-x86-64/pr27587.err ++++ b/ld/testsuite/ld-x86-64/pr27587.err +@@ -1,3 +1,3 @@ + #... +-.*pr27587.i:4: undefined reference to `stack_size' ++.*pr27587/<artificial>:4: undefined reference to `stack_size' + #... diff --git a/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch new file mode 100644 index 0000000000..a1b74248ce --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0020-CVE-2023-22608-3.patch 
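Review bot: `concat_filename` now reads `table->use_dir_and_file_0` before the `table == NULL` test that follows it, so that NULL guard no longer protects the first access to `table`. If a caller can pass a NULL table, which the retained guard suggests was considered possible, the function dereferences it before reaching the check. Guard the flag test as well, for example `if (table != NULL && ! table->use_dir_and_file_0)`, or move the NULL test to the top of the function. The rest of the function body lies outside this hunk.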
@@ -0,0 +1,32 @@
+From 4b8386a90802ed8e43eac2266f6e03c92b4462ed Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 23 Dec 2022 13:02:04 +0000
+Subject: [PATCH] Fix illegal memory access parsing corrupt DWARF information.
+
+ PR 29936
+ * dwarf2.c (concat_filename): Fix check for a directory index off
+ the end of the directory table.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09]
+CVE: CVE-2023-22608
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+---
+ bfd/dwarf2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index b7839ad6..8b07a24c 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -1828,7 +1828,8 @@ concat_filename (struct line_info_table *table, unsigned int file)
+
+ if (table->files[file].dir
+ /* PR 17512: file: 0317e960. */
+- && table->files[file].dir <= table->num_dirs
++ && table->files[file].dir
++ <= (table->use_dir_and_file_0 ? table->num_dirs - 1 : table->num_dirs)
+ /* PR 17512: file: 7f3d2e4b. */
+ && table->dirs != NULL)
+ {
diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch
new file mode 100644
index 0000000000..1e9c03e70e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch
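Review bot: The tightened bound `table->num_dirs - 1` is computed on an `unsigned int` (the declared type of `num_dirs` in `struct line_info_table`), so for a DWARF-5 table with `num_dirs == 0` the subtraction wraps and the comparison accepts every directory index. The `table->dirs != NULL` test that follows probably covers that case, but only if `dirs` is never allocated with zero entries, which this hunk does not show. Writing the bound without a subtraction removes that dependency: `&& (table->use_dir_and_file_0 ? table->files[file].dir < table->num_dirs : table->files[file].dir <= table->num_dirs)`. The enclosing `if` body continues outside the hunk.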
@@ -0,0 +1,459 @@ +From f67741e172bf342291fe3abd2b395899ce6433a0 Mon Sep 17 00:00:00 2001 +From: "Potharla, Rupesh" <Rupesh.Potharla@amd.com> +Date: Tue, 24 May 2022 00:01:49 +0000 +Subject: [PATCH] bfd: Add Support for DW_FORM_strx* and DW_FORM_addrx* + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=f67741e172bf342291fe3abd2b395899ce6433a0] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/dwarf2.c | 282 ++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 268 insertions(+), 14 deletions(-) + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index f6b0183720b..45e286754e4 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -189,6 +189,18 @@ struct dwarf2_debug_file + /* Length of the loaded .debug_str section. */ + bfd_size_type dwarf_str_size; + ++ /* Pointer to the .debug_str_offsets section loaded into memory. */ ++ bfd_byte *dwarf_str_offsets_buffer; ++ ++ /* Length of the loaded .debug_str_offsets section. */ ++ bfd_size_type dwarf_str_offsets_size; ++ ++ /* Pointer to the .debug_addr section loaded into memory. */ ++ bfd_byte *dwarf_addr_buffer; ++ ++ /* Length of the loaded .debug_addr section. */ ++ bfd_size_type dwarf_addr_size; ++ + /* Pointer to the .debug_line_str section loaded into memory. */ + bfd_byte *dwarf_line_str_buffer; + +@@ -382,6 +394,12 @@ struct comp_unit + /* Used when iterating over trie leaves to know which units we have + already seen in this iteration. */ + bool mark; ++ ++ /* Base address of debug_addr section. */ ++ size_t dwarf_addr_offset; ++ ++ /* Base address of string offset table. */ ++ size_t dwarf_str_offset; + }; + + /* This data structure holds the information of an abbrev. 
*/ +@@ -424,6 +442,8 @@ const struct dwarf_debug_section dwarf_debug_sections[] = + { ".debug_static_vars", ".zdebug_static_vars" }, + { ".debug_str", ".zdebug_str", }, + { ".debug_str", ".zdebug_str", }, ++ { ".debug_str_offsets", ".zdebug_str_offsets", }, ++ { ".debug_addr", ".zdebug_addr", }, + { ".debug_line_str", ".zdebug_line_str", }, + { ".debug_types", ".zdebug_types" }, + /* GNU DWARF 1 extensions */ +@@ -458,6 +478,8 @@ enum dwarf_debug_section_enum + debug_static_vars, + debug_str, + debug_str_alt, ++ debug_str_offsets, ++ debug_addr, + debug_line_str, + debug_types, + debug_sfnames, +@@ -1307,12 +1329,92 @@ is_int_form (const struct attribute *attr) + } + } + ++/* Returns true if the form is strx[1-4]. */ ++ ++static inline bool ++is_strx_form (enum dwarf_form form) ++{ ++ return (form == DW_FORM_strx ++ || form == DW_FORM_strx1 ++ || form == DW_FORM_strx2 ++ || form == DW_FORM_strx3 ++ || form == DW_FORM_strx4); ++} ++ ++/* Return true if the form is addrx[1-4]. */ ++ ++static inline bool ++is_addrx_form (enum dwarf_form form) ++{ ++ return (form == DW_FORM_addrx ++ || form == DW_FORM_addrx1 ++ || form == DW_FORM_addrx2 ++ || form == DW_FORM_addrx3 ++ || form == DW_FORM_addrx4); ++} ++ ++/* Returns the address in .debug_addr section using DW_AT_addr_base. ++ Used to implement DW_FORM_addrx*. 
*/ ++static bfd_vma ++read_indexed_address (bfd_uint64_t idx, ++ struct comp_unit *unit) ++{ ++ struct dwarf2_debug *stash = unit->stash; ++ struct dwarf2_debug_file *file = unit->file; ++ size_t addr_base = unit->dwarf_addr_offset; ++ bfd_byte *info_ptr; ++ ++ if (stash == NULL) ++ return 0; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_addr], ++ file->syms, 0, ++ &file->dwarf_addr_buffer, &file->dwarf_addr_size)) ++ return 0; ++ ++ info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size; ++ ++ if (unit->offset_size == 4) ++ return bfd_get_32 (unit->abfd, info_ptr); ++ else ++ return bfd_get_64 (unit->abfd, info_ptr); ++} ++ ++/* Returns the string using DW_AT_str_offsets_base. ++ Used to implement DW_FORM_strx*. */ + static const char * +-read_indexed_string (bfd_uint64_t idx ATTRIBUTE_UNUSED, +- struct comp_unit * unit ATTRIBUTE_UNUSED) ++read_indexed_string (bfd_uint64_t idx, ++ struct comp_unit *unit) + { +- /* FIXME: Add support for indexed strings. */ +- return "<indexed strings not yet supported>"; ++ struct dwarf2_debug *stash = unit->stash; ++ struct dwarf2_debug_file *file = unit->file; ++ bfd_byte *info_ptr; ++ unsigned long str_offset; ++ ++ if (stash == NULL) ++ return NULL; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_str], ++ file->syms, 0, ++ &file->dwarf_str_buffer, &file->dwarf_str_size)) ++ return NULL; ++ ++ if (!read_section (unit->abfd, &stash->debug_sections[debug_str_offsets], ++ file->syms, 0, ++ &file->dwarf_str_offsets_buffer, ++ &file->dwarf_str_offsets_size)) ++ return NULL; ++ ++ info_ptr = (file->dwarf_str_offsets_buffer ++ + unit->dwarf_str_offset ++ + idx * unit->offset_size); ++ ++ if (unit->offset_size == 4) ++ str_offset = bfd_get_32 (unit->abfd, info_ptr); ++ else ++ str_offset = bfd_get_64 (unit->abfd, info_ptr); ++ ++ return (const char *) file->dwarf_str_buffer + str_offset; + } + + /* Read and fill in the value of attribute ATTR as described by FORM. 
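Review bot: Neither read_indexed_address nor read_indexed_string checks the computed position against the size of the section it has just loaded: `info_ptr` is `buffer + base + idx * unit->offset_size`, where `idx` and the base come from the file being parsed, and it is read with bfd_get_32/bfd_get_64 without comparing against `dwarf_addr_size` or `dwarf_str_offsets_size`. read_indexed_string also returns `dwarf_str_buffer + str_offset` without comparing `str_offset` to `dwarf_str_size`, and it holds a possibly 64-bit value in an `unsigned long`. A malformed object can therefore make both helpers read outside the loaded buffers; the checks below reject such entries before the pointer is formed, assuming `offset_size` is always 4 or 8 as the two read branches imply. The callers in read_attribute_value and reread_attribute already receive 0 or NULL from the existing failure paths of these helpers.

```c
static bfd_vma
read_indexed_address (bfd_uint64_t idx,
		      struct comp_unit *unit)
{
  /* … unchanged: locals, stash check, read_section for .debug_addr … */

  /* Reject an entry that is not wholly inside the loaded section.  */
  if (addr_base > file->dwarf_addr_size
      || file->dwarf_addr_size - addr_base < unit->offset_size
      || idx > ((file->dwarf_addr_size - addr_base - unit->offset_size)
		/ unit->offset_size))
    return 0;

  info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size;
  /* … unchanged: 4- or 8-byte read … */

/* In read_indexed_string, after both read_section calls: */
  if (unit->dwarf_str_offset > file->dwarf_str_offsets_size
      || (file->dwarf_str_offsets_size - unit->dwarf_str_offset
	  < unit->offset_size)
      || idx > ((file->dwarf_str_offsets_size - unit->dwarf_str_offset
		 - unit->offset_size) / unit->offset_size))
    return NULL;
  /* … unchanged: info_ptr computation and 4- or 8-byte read … */
  if (str_offset >= file->dwarf_str_size)
    return NULL;
```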
+@@ -1381,21 +1483,37 @@ read_attribute_value (struct attribute * attr, + case DW_FORM_ref1: + case DW_FORM_flag: + case DW_FORM_data1: ++ attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); ++ break; + case DW_FORM_addrx1: + attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); ++ /* dwarf_addr_offset value 0 indicates the attribute DW_AT_addr_base ++ is not yet read. */ ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_data2: +- case DW_FORM_addrx2: + case DW_FORM_ref2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); + break; ++ case DW_FORM_addrx2: ++ attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); ++ break; + case DW_FORM_addrx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address(attr->u.val, unit); + break; + case DW_FORM_ref4: + case DW_FORM_data4: ++ attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); ++ break; + case DW_FORM_addrx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_data8: + case DW_FORM_ref8: +@@ -1416,24 +1534,31 @@ read_attribute_value (struct attribute * attr, + break; + case DW_FORM_strx1: + attr->u.val = read_1_byte (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ /* dwarf_str_offset value 0 indicates the attribute DW_AT_str_offsets_base ++ is not yet read. 
*/ ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx2: + attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx3: + attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx4: + attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_strx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); +- attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (unit->dwarf_str_offset != 0) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); + break; + case DW_FORM_exprloc: + case DW_FORM_block: +@@ -1455,9 +1580,14 @@ read_attribute_value (struct attribute * attr, + break; + case DW_FORM_ref_udata: + case DW_FORM_udata: ++ attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, ++ false, info_ptr_end); ++ break; + case DW_FORM_addrx: + attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr, + false, info_ptr_end); ++ if (unit->dwarf_addr_offset != 0) ++ attr->u.val = read_indexed_address (attr->u.val, unit); + break; + case DW_FORM_indirect: + form = _bfd_safe_read_leb128 (abfd, &info_ptr, +@@ -2396,6 +2526,11 @@ read_formatted_entries (struct comp_unit *unit, bfd_byte **bufp, + { + case DW_FORM_string: + case DW_FORM_line_strp: ++ case DW_FORM_strx: ++ case DW_FORM_strx1: ++ case DW_FORM_strx2: ++ case DW_FORM_strx3: ++ case DW_FORM_strx4: + *stringp = 
attr.u.str; + break; + +@@ -4031,6 +4166,80 @@ scan_unit_for_symbols (struct comp_unit *unit) + return false; + } + ++/* Read the attributes of the form strx and addrx. */ ++ ++static void ++reread_attribute (struct comp_unit *unit, ++ struct attribute *attr, ++ bfd_vma *low_pc, ++ bfd_vma *high_pc, ++ bool *high_pc_relative, ++ bool compunit) ++{ ++ if (is_strx_form (attr->form)) ++ attr->u.str = (char *) read_indexed_string (attr->u.val, unit); ++ if (is_addrx_form (attr->form)) ++ attr->u.val = read_indexed_address (attr->u.val, unit); ++ ++ switch (attr->name) ++ { ++ case DW_AT_stmt_list: ++ unit->stmtlist = 1; ++ unit->line_offset = attr->u.val; ++ break; ++ ++ case DW_AT_name: ++ if (is_str_form (attr)) ++ unit->name = attr->u.str; ++ break; ++ ++ case DW_AT_low_pc: ++ *low_pc = attr->u.val; ++ if (compunit) ++ unit->base_address = *low_pc; ++ break; ++ ++ case DW_AT_high_pc: ++ *high_pc = attr->u.val; ++ *high_pc_relative = attr->form != DW_FORM_addr; ++ break; ++ ++ case DW_AT_ranges: ++ if (!read_rangelist (unit, &unit->arange, ++ &unit->file->trie_root, attr->u.val)) ++ return; ++ break; ++ ++ case DW_AT_comp_dir: ++ { ++ char *comp_dir = attr->u.str; ++ ++ if (!is_str_form (attr)) ++ { ++ _bfd_error_handler ++ (_("DWARF error: DW_AT_comp_dir attribute encountered " ++ "with a non-string form")); ++ comp_dir = NULL; ++ } ++ ++ if (comp_dir) ++ { ++ char *cp = strchr (comp_dir, ':'); ++ ++ if (cp && cp != comp_dir && cp[-1] == '.' && cp[1] == '/') ++ comp_dir = cp + 1; ++ } ++ unit->comp_dir = comp_dir; ++ break; ++ } ++ ++ case DW_AT_language: ++ unit->lang = attr->u.val; ++ default: ++ break; ++ } ++} ++ + /* Parse a DWARF2 compilation unit starting at INFO_PTR. 
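Review bot: The `DW_FORM_strx*` cases added to read_formatted_entries copy `attr.u.str` unconditionally, but the read_attribute_value hunks of this patch assign `u.str` only when `unit->dwarf_str_offset != 0`. If `u` is a union, as the paired `u.val`/`u.str` use suggests, an entry read before the string-offsets base is known leaves the raw index in place and `*stringp` receives that integer reinterpreted as a pointer. Giving the strx forms their own case avoids this, for example `*stringp = unit->dwarf_str_offset != 0 ? attr.u.str : NULL;`. Whether the consumers of `*stringp` accept NULL is not visible here, and read_indexed_string can already return NULL. The switch and the rest of read_formatted_entries lie outside the hunk.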
UNIT_LENGTH + includes the compilation unit header that proceeds the DIE's, but + does not include the length field that precedes each compilation +@@ -4064,6 +4273,10 @@ parse_comp_unit (struct dwarf2_debug *stash, + bfd *abfd = file->bfd_ptr; + bool high_pc_relative = false; + enum dwarf_unit_type unit_type; ++ struct attribute *str_addrp = NULL; ++ size_t str_count = 0; ++ size_t str_alloc = 0; ++ bool compunit_flag = false; + + version = read_2_bytes (abfd, &info_ptr, end_ptr); + if (version < 2 || version > 5) +@@ -4168,11 +4381,33 @@ parse_comp_unit (struct dwarf2_debug *stash, + unit->file = file; + unit->info_ptr_unit = info_ptr_unit; + ++ if (abbrev->tag == DW_TAG_compile_unit) ++ compunit_flag = true; ++ + for (i = 0; i < abbrev->num_attrs; ++i) + { + info_ptr = read_attribute (&attr, &abbrev->attrs[i], unit, info_ptr, end_ptr); + if (info_ptr == NULL) +- return NULL; ++ goto err_exit; ++ ++ /* Identify attributes of the form strx* and addrx* which come before ++ DW_AT_str_offsets_base and DW_AT_addr_base respectively in the CU. ++ Store the attributes in an array and process them later. */ ++ if ((unit->dwarf_str_offset == 0 && is_strx_form (attr.form)) ++ || (unit->dwarf_addr_offset == 0 && is_addrx_form (attr.form))) ++ { ++ if (str_count <= str_alloc) ++ { ++ str_alloc = 2 * str_alloc + 200; ++ str_addrp = bfd_realloc (str_addrp, ++ str_alloc * sizeof (*str_addrp)); ++ if (str_addrp == NULL) ++ goto err_exit; ++ } ++ str_addrp[str_count] = attr; ++ str_count++; ++ continue; ++ } + + /* Store the data if it is of an attribute we want to keep in a + partial symbol table. */ +@@ -4198,7 +4433,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + /* If the compilation unit DIE has a DW_AT_low_pc attribute, + this is the base address to use when reading location + lists or range lists. 
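Review bot: The growth test for the deferred-attribute array in parse_comp_unit is inverted. `if (str_count <= str_alloc)` is true on every pass, so each deferred strx/addrx attribute reallocates with `str_alloc = 2 * str_alloc + 200`, and the requested size doubles per attribute instead of per fill. A unit with a few dozen such attributes then fails in `bfd_realloc`, or wraps `str_alloc * sizeof (*str_addrp)`; the test should be `if (str_count >= str_alloc)`. Separately, assigning the `bfd_realloc` result straight to `str_addrp` means a failure jumps to `err_exit` with the pointer already NULL, so the earlier array is not freed there, assuming bfd_realloc leaves the old block allocated on failure as realloc does. Keep the result in a temporary and assign it only on success.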
*/ +- if (abbrev->tag == DW_TAG_compile_unit) ++ if (compunit_flag) + unit->base_address = low_pc; + } + break; +@@ -4215,7 +4450,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + if (is_int_form (&attr) + && !read_rangelist (unit, &unit->arange, + &unit->file->trie_root, attr.u.val)) +- return NULL; ++ goto err_exit; + break; + + case DW_AT_comp_dir: +@@ -4248,21 +4483,40 @@ parse_comp_unit (struct dwarf2_debug *stash, + unit->lang = attr.u.val; + break; + ++ case DW_AT_addr_base: ++ unit->dwarf_addr_offset = attr.u.val; ++ break; ++ ++ case DW_AT_str_offsets_base: ++ unit->dwarf_str_offset = attr.u.val; ++ break; ++ + default: + break; + } + } ++ ++ for (i = 0; i < str_count; ++i) ++ reread_attribute (unit, &str_addrp[i], &low_pc, &high_pc, ++ &high_pc_relative, compunit_flag); ++ + if (high_pc_relative) + high_pc += low_pc; + if (high_pc != 0) + { + if (!arange_add (unit, &unit->arange, &unit->file->trie_root, + low_pc, high_pc)) +- return NULL; ++ goto err_exit; + } + + unit->first_child_die_ptr = info_ptr; ++ ++ free (str_addrp); + return unit; ++ ++ err_exit: ++ free (str_addrp); ++ return NULL; + } + + /* Return TRUE if UNIT may contain the address given by ADDR. When +-- +2.31.1 + diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch new file mode 100644 index 0000000000..be698ef5c1 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch 
@@ -0,0 +1,2127 @@ +From 0e3c1eebb22e0ade28b619fb41f42d66ed6fb145 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Fri, 27 May 2022 12:37:21 +0930 +Subject: [PATCH] Remove use of bfd_uint64_t and similar + +Requiring C99 means that uses of bfd_uint64_t can be replaced with +uint64_t, and similarly for bfd_int64_t, BFD_HOST_U_64_BIT, and +BFD_HOST_64_BIT. This patch does that, removes #ifdef BFD_HOST_* +and tidies a few places that print 64-bit values. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=0e3c1eebb22e0ade28b619fb41f42d66ed6fb145] + +CVE: CVE-2023-1579 + +Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> + +--- + bfd/aix386-core.c | 6 +-- + bfd/bfd-in.h | 24 ++++++------ + bfd/bfd-in2.h | 36 +++++++++--------- + bfd/coff-rs6000.c | 10 +---- + bfd/coff-x86_64.c | 2 +- + bfd/cpu-ia64-opc.c | 22 +++++------ + bfd/dwarf2.c | 83 ++++++++++++++++++++--------------------- + bfd/elf32-score.c | 16 ++++---- + bfd/elf64-ia64-vms.c | 8 ++-- + bfd/elflink.c | 16 +------- + bfd/elfxx-ia64.c | 6 +-- + bfd/hppabsd-core.c | 6 +-- + bfd/hpux-core.c | 6 +-- + bfd/irix-core.c | 6 +-- + bfd/libbfd.c | 65 +++++++++----------------------- + bfd/mach-o.c | 2 +- + bfd/mach-o.h | 8 ++-- + bfd/netbsd-core.c | 6 +-- + bfd/osf-core.c | 6 +-- + bfd/ptrace-core.c | 6 +-- + bfd/sco5-core.c | 6 +-- + bfd/targets.c | 12 +++--- + bfd/trad-core.c | 6 +-- + bfd/vms-alpha.c | 2 +- + binutils/nm.c | 49 +++--------------------- + binutils/od-macho.c | 50 ++++++++----------------- + binutils/prdbg.c | 39 +++---------------- + binutils/readelf.c | 21 +++++------ + gas/config/tc-arm.c | 28 ++++---------- + gas/config/tc-csky.c | 10 ++--- + gas/config/tc-sparc.c | 35 +++++++++-------- + gas/config/tc-tilegx.c | 20 +++++----- + gas/config/tc-tilepro.c | 20 +++++----- + gas/config/tc-z80.c | 8 ++-- + gas/config/te-vms.c | 2 +- + gas/config/te-vms.h | 2 +- + gdb/findcmd.c | 2 +- + gdb/tilegx-tdep.c | 2 +- + gprof/gmon_io.c | 44 
++++++---------------- + include/elf/nfp.h | 2 +- + include/opcode/csky.h | 62 +++++++++++++++--------------- + include/opcode/ia64.h | 2 +- + opcodes/csky-dis.c | 2 +- + opcodes/csky-opc.h | 4 +- + opcodes/ia64-dis.c | 2 +- + 45 files changed, 297 insertions(+), 475 deletions(-) + +diff --git a/bfd/aix386-core.c b/bfd/aix386-core.c +index 3443e49ed46..977a6bd1fb4 100644 +--- a/bfd/aix386-core.c ++++ b/bfd/aix386-core.c +@@ -220,9 +220,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_aix386_vec = + { +diff --git a/bfd/bfd-in.h b/bfd/bfd-in.h +index a1c4bf139fc..09c5728e944 100644 +--- a/bfd/bfd-in.h ++++ b/bfd/bfd-in.h +@@ -116,10 +116,10 @@ typedef struct bfd bfd; + #error No 64 bit integer type available + #endif /* ! defined (BFD_HOST_64_BIT) */ + +-typedef BFD_HOST_U_64_BIT bfd_vma; +-typedef BFD_HOST_64_BIT bfd_signed_vma; +-typedef BFD_HOST_U_64_BIT bfd_size_type; +-typedef BFD_HOST_U_64_BIT symvalue; ++typedef uint64_t bfd_vma; ++typedef int64_t bfd_signed_vma; ++typedef uint64_t bfd_size_type; ++typedef uint64_t symvalue; + + #if BFD_HOST_64BIT_LONG + #define BFD_VMA_FMT "l" +@@ -447,10 +447,10 @@ extern bool bfd_record_phdr + + /* Byte swapping routines. 
*/ + +-bfd_uint64_t bfd_getb64 (const void *); +-bfd_uint64_t bfd_getl64 (const void *); +-bfd_int64_t bfd_getb_signed_64 (const void *); +-bfd_int64_t bfd_getl_signed_64 (const void *); ++uint64_t bfd_getb64 (const void *); ++uint64_t bfd_getl64 (const void *); ++int64_t bfd_getb_signed_64 (const void *); ++int64_t bfd_getl_signed_64 (const void *); + bfd_vma bfd_getb32 (const void *); + bfd_vma bfd_getl32 (const void *); + bfd_signed_vma bfd_getb_signed_32 (const void *); +@@ -459,8 +459,8 @@ bfd_vma bfd_getb16 (const void *); + bfd_vma bfd_getl16 (const void *); + bfd_signed_vma bfd_getb_signed_16 (const void *); + bfd_signed_vma bfd_getl_signed_16 (const void *); +-void bfd_putb64 (bfd_uint64_t, void *); +-void bfd_putl64 (bfd_uint64_t, void *); ++void bfd_putb64 (uint64_t, void *); ++void bfd_putl64 (uint64_t, void *); + void bfd_putb32 (bfd_vma, void *); + void bfd_putl32 (bfd_vma, void *); + void bfd_putb24 (bfd_vma, void *); +@@ -470,8 +470,8 @@ void bfd_putl16 (bfd_vma, void *); + + /* Byte swapping routines which take size and endiannes as arguments. */ + +-bfd_uint64_t bfd_get_bits (const void *, int, bool); +-void bfd_put_bits (bfd_uint64_t, void *, int, bool); ++uint64_t bfd_get_bits (const void *, int, bool); ++void bfd_put_bits (uint64_t, void *, int, bool); + + + /* mmap hacks */ +diff --git a/bfd/bfd-in2.h b/bfd/bfd-in2.h +index 50e26fc691d..d50885e76cf 100644 +--- a/bfd/bfd-in2.h ++++ b/bfd/bfd-in2.h +@@ -123,10 +123,10 @@ typedef struct bfd bfd; + #error No 64 bit integer type available + #endif /* ! defined (BFD_HOST_64_BIT) */ + +-typedef BFD_HOST_U_64_BIT bfd_vma; +-typedef BFD_HOST_64_BIT bfd_signed_vma; +-typedef BFD_HOST_U_64_BIT bfd_size_type; +-typedef BFD_HOST_U_64_BIT symvalue; ++typedef uint64_t bfd_vma; ++typedef int64_t bfd_signed_vma; ++typedef uint64_t bfd_size_type; ++typedef uint64_t symvalue; + + #if BFD_HOST_64BIT_LONG + #define BFD_VMA_FMT "l" +@@ -454,10 +454,10 @@ extern bool bfd_record_phdr + + /* Byte swapping routines. 
*/ + +-bfd_uint64_t bfd_getb64 (const void *); +-bfd_uint64_t bfd_getl64 (const void *); +-bfd_int64_t bfd_getb_signed_64 (const void *); +-bfd_int64_t bfd_getl_signed_64 (const void *); ++uint64_t bfd_getb64 (const void *); ++uint64_t bfd_getl64 (const void *); ++int64_t bfd_getb_signed_64 (const void *); ++int64_t bfd_getl_signed_64 (const void *); + bfd_vma bfd_getb32 (const void *); + bfd_vma bfd_getl32 (const void *); + bfd_signed_vma bfd_getb_signed_32 (const void *); +@@ -466,8 +466,8 @@ bfd_vma bfd_getb16 (const void *); + bfd_vma bfd_getl16 (const void *); + bfd_signed_vma bfd_getb_signed_16 (const void *); + bfd_signed_vma bfd_getl_signed_16 (const void *); +-void bfd_putb64 (bfd_uint64_t, void *); +-void bfd_putl64 (bfd_uint64_t, void *); ++void bfd_putb64 (uint64_t, void *); ++void bfd_putl64 (uint64_t, void *); + void bfd_putb32 (bfd_vma, void *); + void bfd_putl32 (bfd_vma, void *); + void bfd_putb24 (bfd_vma, void *); +@@ -477,8 +477,8 @@ void bfd_putl16 (bfd_vma, void *); + + /* Byte swapping routines which take size and endiannes as arguments. */ + +-bfd_uint64_t bfd_get_bits (const void *, int, bool); +-void bfd_put_bits (bfd_uint64_t, void *, int, bool); ++uint64_t bfd_get_bits (const void *, int, bool); ++void bfd_put_bits (uint64_t, void *, int, bool); + + + /* mmap hacks */ +@@ -7416,9 +7416,9 @@ typedef struct bfd_target + /* Entries for byte swapping for data. These are different from the + other entry points, since they don't take a BFD as the first argument. + Certain other handlers could do the same. 
*/ +- bfd_uint64_t (*bfd_getx64) (const void *); +- bfd_int64_t (*bfd_getx_signed_64) (const void *); +- void (*bfd_putx64) (bfd_uint64_t, void *); ++ uint64_t (*bfd_getx64) (const void *); ++ int64_t (*bfd_getx_signed_64) (const void *); ++ void (*bfd_putx64) (uint64_t, void *); + bfd_vma (*bfd_getx32) (const void *); + bfd_signed_vma (*bfd_getx_signed_32) (const void *); + void (*bfd_putx32) (bfd_vma, void *); +@@ -7427,9 +7427,9 @@ typedef struct bfd_target + void (*bfd_putx16) (bfd_vma, void *); + + /* Byte swapping for the headers. */ +- bfd_uint64_t (*bfd_h_getx64) (const void *); +- bfd_int64_t (*bfd_h_getx_signed_64) (const void *); +- void (*bfd_h_putx64) (bfd_uint64_t, void *); ++ uint64_t (*bfd_h_getx64) (const void *); ++ int64_t (*bfd_h_getx_signed_64) (const void *); ++ void (*bfd_h_putx64) (uint64_t, void *); + bfd_vma (*bfd_h_getx32) (const void *); + bfd_signed_vma (*bfd_h_getx_signed_32) (const void *); + void (*bfd_h_putx32) (bfd_vma, void *); +diff --git a/bfd/coff-rs6000.c b/bfd/coff-rs6000.c +index 8819187ab42..48ce5c0516b 100644 +--- a/bfd/coff-rs6000.c ++++ b/bfd/coff-rs6000.c +@@ -1890,18 +1890,12 @@ xcoff_write_armap_old (bfd *abfd, unsigned int elength ATTRIBUTE_UNUSED, + } + + static char buff20[XCOFFARMAGBIG_ELEMENT_SIZE + 1]; +-#if BFD_HOST_64BIT_LONG +-#define FMT20 "%-20ld" +-#elif defined (__MSVCRT__) +-#define FMT20 "%-20I64d" +-#else +-#define FMT20 "%-20lld" +-#endif ++#define FMT20 "%-20" PRId64 + #define FMT12 "%-12d" + #define FMT12_OCTAL "%-12o" + #define FMT4 "%-4d" + #define PRINT20(d, v) \ +- sprintf (buff20, FMT20, (bfd_uint64_t)(v)), \ ++ sprintf (buff20, FMT20, (uint64_t) (v)), \ + memcpy ((void *) (d), buff20, 20) + + #define PRINT12(d, v) \ +diff --git a/bfd/coff-x86_64.c b/bfd/coff-x86_64.c +index e8e16d3ce4b..cf339c93215 100644 +--- a/bfd/coff-x86_64.c ++++ b/bfd/coff-x86_64.c +@@ -201,7 +201,7 @@ coff_amd64_reloc (bfd *abfd, + + case 4: + { +- bfd_uint64_t x = bfd_get_64 (abfd, addr); ++ uint64_t x = bfd_get_64 
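Review bot: In the coff-rs6000.c hunk the new `FMT20` is built from the signed conversion `PRId64`, while `PRINT20` casts its argument to `uint64_t`, so the conversion specifier and the argument type disagree in signedness. Either cast with `(int64_t) (v)` or define the format as `"%-20" PRIu64`, whichever matches the values the archive fields are meant to hold. `PRINT20` also relies on the value formatting in at most 20 characters to stay inside `buff20`; `snprintf (buff20, sizeof buff20, FMT20, ...)` would make that bound explicit.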
(abfd, addr); + DOIT (x); + bfd_put_64 (abfd, x, addr); + } +diff --git a/bfd/cpu-ia64-opc.c b/bfd/cpu-ia64-opc.c +index e2b5c2694b6..01e3c3f476a 100644 +--- a/bfd/cpu-ia64-opc.c ++++ b/bfd/cpu-ia64-opc.c +@@ -99,14 +99,14 @@ ins_immu (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + static const char* + ext_immu (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { +- BFD_HOST_U_64_BIT value = 0; ++ uint64_t value = 0; + int i, bits = 0, total = 0; + + for (i = 0; i < NELEMS (self->field) && self->field[i].bits; ++i) + { + bits = self->field[i].bits; + value |= ((code >> self->field[i].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << bits) - 1)) << total; ++ & (((uint64_t) 1 << bits) - 1)) << total; + total += bits; + } + *valuep = value; +@@ -161,7 +161,7 @@ static const char* + ins_imms_scaled (const struct ia64_operand *self, ia64_insn value, + ia64_insn *code, int scale) + { +- BFD_HOST_64_BIT svalue = value, sign_bit = 0; ++ int64_t svalue = value, sign_bit = 0; + ia64_insn new_insn = 0; + int i; + +@@ -186,17 +186,17 @@ ext_imms_scaled (const struct ia64_operand *self, ia64_insn code, + ia64_insn *valuep, int scale) + { + int i, bits = 0, total = 0; +- BFD_HOST_U_64_BIT val = 0, sign; ++ uint64_t val = 0, sign; + + for (i = 0; i < NELEMS (self->field) && self->field[i].bits; ++i) + { + bits = self->field[i].bits; + val |= ((code >> self->field[i].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << bits) - 1)) << total; ++ & (((uint64_t) 1 << bits) - 1)) << total; + total += bits; + } + /* sign extend: */ +- sign = (BFD_HOST_U_64_BIT) 1 << (total - 1); ++ sign = (uint64_t) 1 << (total - 1); + val = (val ^ sign) - sign; + + *valuep = val << scale; +@@ -312,7 +312,7 @@ static const char* + ins_cnt (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + { + --value; +- if (value >= ((BFD_HOST_U_64_BIT) 1) << self->field[0].bits) ++ if (value >= (uint64_t) 1 << self->field[0].bits) + return "count out of range"; + + *code |= 
value << self->field[0].shift; +@@ -323,7 +323,7 @@ static const char* + ext_cnt (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { + *valuep = ((code >> self->field[0].shift) +- & ((((BFD_HOST_U_64_BIT) 1) << self->field[0].bits) - 1)) + 1; ++ & (((uint64_t) 1 << self->field[0].bits) - 1)) + 1; + return 0; + } + +@@ -421,8 +421,8 @@ ext_strd5b (const struct ia64_operand *self, ia64_insn code, + static const char* + ins_inc3 (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + { +- BFD_HOST_64_BIT val = value; +- BFD_HOST_U_64_BIT sign = 0; ++ int64_t val = value; ++ uint64_t sign = 0; + + if (val < 0) + { +@@ -444,7 +444,7 @@ ins_inc3 (const struct ia64_operand *self, ia64_insn value, ia64_insn *code) + static const char* + ext_inc3 (const struct ia64_operand *self, ia64_insn code, ia64_insn *valuep) + { +- BFD_HOST_64_BIT val; ++ int64_t val; + int negate; + + val = (code >> self->field[0].shift) & 0x7; +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 45e286754e4..6a728fc38b0 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -63,8 +63,8 @@ struct attribute + { + char *str; + struct dwarf_block *blk; +- bfd_uint64_t val; +- bfd_int64_t sval; ++ uint64_t val; ++ int64_t sval; + } + u; + }; +@@ -632,12 +632,12 @@ lookup_info_hash_table (struct info_hash_table *hash_table, const char *key) + the located section does not contain at least OFFSET bytes. 
*/ + + static bool +-read_section (bfd * abfd, ++read_section (bfd *abfd, + const struct dwarf_debug_section *sec, +- asymbol ** syms, +- bfd_uint64_t offset, +- bfd_byte ** section_buffer, +- bfd_size_type * section_size) ++ asymbol **syms, ++ uint64_t offset, ++ bfd_byte **section_buffer, ++ bfd_size_type *section_size) + { + const char *section_name = sec->uncompressed_name; + bfd_byte *contents = *section_buffer; +@@ -848,7 +848,7 @@ read_indirect_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + char *str; +@@ -882,7 +882,7 @@ read_indirect_line_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; + char *str; +@@ -919,7 +919,7 @@ read_alt_indirect_string (struct comp_unit *unit, + bfd_byte **ptr, + bfd_byte *buf_end) + { +- bfd_uint64_t offset; ++ uint64_t offset; + struct dwarf2_debug *stash = unit->stash; + char *str; + +@@ -975,8 +975,7 @@ read_alt_indirect_string (struct comp_unit *unit, + or NULL upon failure. */ + + static bfd_byte * +-read_alt_indirect_ref (struct comp_unit * unit, +- bfd_uint64_t offset) ++read_alt_indirect_ref (struct comp_unit *unit, uint64_t offset) + { + struct dwarf2_debug *stash = unit->stash; + +@@ -1012,7 +1011,7 @@ read_alt_indirect_ref (struct comp_unit * unit, + return stash->alt.dwarf_info_buffer + offset; + } + +-static bfd_uint64_t ++static uint64_t + read_address (struct comp_unit *unit, bfd_byte **ptr, bfd_byte *buf_end) + { + bfd_byte *buf = *ptr; +@@ -1131,7 +1130,7 @@ del_abbrev (void *p) + in a hash table. 
*/ + + static struct abbrev_info** +-read_abbrevs (bfd *abfd, bfd_uint64_t offset, struct dwarf2_debug *stash, ++read_abbrevs (bfd *abfd, uint64_t offset, struct dwarf2_debug *stash, + struct dwarf2_debug_file *file) + { + struct abbrev_info **abbrevs; +@@ -1356,8 +1355,7 @@ is_addrx_form (enum dwarf_form form) + /* Returns the address in .debug_addr section using DW_AT_addr_base. + Used to implement DW_FORM_addrx*. */ + static bfd_vma +-read_indexed_address (bfd_uint64_t idx, +- struct comp_unit *unit) ++read_indexed_address (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +@@ -1383,8 +1381,7 @@ read_indexed_address (bfd_uint64_t idx, + /* Returns the string using DW_AT_str_offsets_base. + Used to implement DW_FORM_strx*. */ + static const char * +-read_indexed_string (bfd_uint64_t idx, +- struct comp_unit *unit) ++read_indexed_string (uint64_t idx, struct comp_unit *unit) + { + struct dwarf2_debug *stash = unit->stash; + struct dwarf2_debug_file *file = unit->file; +@@ -1717,39 +1714,39 @@ struct line_info_table + struct funcinfo + { + /* Pointer to previous function in list of all functions. */ +- struct funcinfo * prev_func; ++ struct funcinfo *prev_func; + /* Pointer to function one scope higher. */ +- struct funcinfo * caller_func; ++ struct funcinfo *caller_func; + /* Source location file name where caller_func inlines this func. */ +- char * caller_file; ++ char *caller_file; + /* Source location file name. */ +- char * file; ++ char *file; + /* Source location line number where caller_func inlines this func. */ +- int caller_line; ++ int caller_line; + /* Source location line number. */ +- int line; +- int tag; +- bool is_linkage; +- const char * name; +- struct arange arange; ++ int line; ++ int tag; ++ bool is_linkage; ++ const char *name; ++ struct arange arange; + /* Where the symbol is defined. 
*/ +- asection * sec; ++ asection *sec; + /* The offset of the funcinfo from the start of the unit. */ +- bfd_uint64_t unit_offset; ++ uint64_t unit_offset; + }; + + struct lookup_funcinfo + { + /* Function information corresponding to this lookup table entry. */ +- struct funcinfo * funcinfo; ++ struct funcinfo *funcinfo; + + /* The lowest address for this specific function. */ +- bfd_vma low_addr; ++ bfd_vma low_addr; + + /* The highest address of this function before the lookup table is sorted. + The highest address of all prior functions after the lookup table is + sorted, which is used for binary search. */ +- bfd_vma high_addr; ++ bfd_vma high_addr; + /* Index of this function, used to ensure qsort is stable. */ + unsigned int idx; + }; +@@ -1759,7 +1756,7 @@ struct varinfo + /* Pointer to previous variable in list of all variables. */ + struct varinfo *prev_var; + /* The offset of the varinfo from the start of the unit. */ +- bfd_uint64_t unit_offset; ++ uint64_t unit_offset; + /* Source location file name. */ + char *file; + /* Source location line number. 
*/ +@@ -3335,7 +3332,7 @@ find_abstract_instance (struct comp_unit *unit, + bfd_byte *info_ptr_end; + unsigned int abbrev_number, i; + struct abbrev_info *abbrev; +- bfd_uint64_t die_ref = attr_ptr->u.val; ++ uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; + const char *name = NULL; + +@@ -3549,7 +3546,7 @@ find_abstract_instance (struct comp_unit *unit, + + static bool + read_ranges (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + bfd_byte *ranges_ptr; + bfd_byte *ranges_end; +@@ -3594,7 +3591,7 @@ read_ranges (struct comp_unit *unit, struct arange *arange, + + static bool + read_rnglists (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + bfd_byte *rngs_ptr; + bfd_byte *rngs_end; +@@ -3675,7 +3672,7 @@ read_rnglists (struct comp_unit *unit, struct arange *arange, + + static bool + read_rangelist (struct comp_unit *unit, struct arange *arange, +- struct trie_node **trie_root, bfd_uint64_t offset) ++ struct trie_node **trie_root, uint64_t offset) + { + if (unit->version <= 4) + return read_ranges (unit, arange, trie_root, offset); +@@ -3684,7 +3681,7 @@ read_rangelist (struct comp_unit *unit, struct arange *arange, + } + + static struct funcinfo * +-lookup_func_by_offset (bfd_uint64_t offset, struct funcinfo * table) ++lookup_func_by_offset (uint64_t offset, struct funcinfo * table) + { + for (; table != NULL; table = table->prev_func) + if (table->unit_offset == offset) +@@ -3693,7 +3690,7 @@ lookup_func_by_offset (bfd_uint64_t offset, struct funcinfo * table) + } + + static struct varinfo * +-lookup_var_by_offset (bfd_uint64_t offset, struct varinfo * table) ++lookup_var_by_offset (uint64_t offset, struct varinfo * table) + { + while (table) + { +@@ -3775,7 +3772,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + struct abbrev_info 
*abbrev; + struct funcinfo *func; + struct varinfo *var; +- bfd_uint64_t current_offset; ++ uint64_t current_offset; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -3909,7 +3906,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + bfd_vma low_pc = 0; + bfd_vma high_pc = 0; + bool high_pc_relative = false; +- bfd_uint64_t current_offset; ++ uint64_t current_offset; + + /* PR 17512: file: 9f405d9d. */ + if (info_ptr >= info_ptr_end) +@@ -4259,7 +4256,7 @@ parse_comp_unit (struct dwarf2_debug *stash, + { + struct comp_unit* unit; + unsigned int version; +- bfd_uint64_t abbrev_offset = 0; ++ uint64_t abbrev_offset = 0; + /* Initialize it just to avoid a GCC false warning. */ + unsigned int addr_size = -1; + struct abbrev_info** abbrevs; +diff --git a/bfd/elf32-score.c b/bfd/elf32-score.c +index c868707347c..5bc78d523ea 100644 +--- a/bfd/elf32-score.c ++++ b/bfd/elf32-score.c +@@ -230,14 +230,14 @@ static bfd_vma + score3_bfd_getl48 (const void *p) + { + const bfd_byte *addr = p; +- bfd_uint64_t v; +- +- v = (bfd_uint64_t) addr[4]; +- v |= (bfd_uint64_t) addr[5] << 8; +- v |= (bfd_uint64_t) addr[2] << 16; +- v |= (bfd_uint64_t) addr[3] << 24; +- v |= (bfd_uint64_t) addr[0] << 32; +- v |= (bfd_uint64_t) addr[1] << 40; ++ uint64_t v; ++ ++ v = (uint64_t) addr[4]; ++ v |= (uint64_t) addr[5] << 8; ++ v |= (uint64_t) addr[2] << 16; ++ v |= (uint64_t) addr[3] << 24; ++ v |= (uint64_t) addr[0] << 32; ++ v |= (uint64_t) addr[1] << 40; + return v; + } + +diff --git a/bfd/elf64-ia64-vms.c b/bfd/elf64-ia64-vms.c +index 59cc6b6fe85..4d8f98550a3 100644 +--- a/bfd/elf64-ia64-vms.c ++++ b/bfd/elf64-ia64-vms.c +@@ -179,7 +179,7 @@ struct elf64_ia64_vms_obj_tdata + struct elf_obj_tdata root; + + /* Ident for shared library. */ +- bfd_uint64_t ident; ++ uint64_t ident; + + /* Used only during link: offset in the .fixups section for this bfd. 
*/ + bfd_vma fixups_off; +@@ -2791,7 +2791,7 @@ elf64_ia64_size_dynamic_sections (bfd *output_bfd ATTRIBUTE_UNUSED, + if (!_bfd_elf_add_dynamic_entry (info, DT_IA_64_VMS_IDENT, 0)) + return false; + if (!_bfd_elf_add_dynamic_entry (info, DT_IA_64_VMS_LINKTIME, +- (((bfd_uint64_t)time_hi) << 32) ++ ((uint64_t) time_hi << 32) + + time_lo)) + return false; + +@@ -4720,7 +4720,7 @@ elf64_vms_close_and_cleanup (bfd *abfd) + if ((isize & 7) != 0) + { + int ishort = 8 - (isize & 7); +- bfd_uint64_t pad = 0; ++ uint64_t pad = 0; + + bfd_seek (abfd, isize, SEEK_SET); + bfd_bwrite (&pad, ishort, abfd); +@@ -4853,7 +4853,7 @@ elf64_vms_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info) + bed->s->swap_dyn_in (abfd, extdyn, &dyn); + if (dyn.d_tag == DT_IA_64_VMS_IDENT) + { +- bfd_uint64_t tagv = dyn.d_un.d_val; ++ uint64_t tagv = dyn.d_un.d_val; + elf_ia64_vms_ident (abfd) = tagv; + break; + } +diff --git a/bfd/elflink.c b/bfd/elflink.c +index 96eb36aa5bf..fc3a335c72d 100644 +--- a/bfd/elflink.c ++++ b/bfd/elflink.c +@@ -6354,15 +6354,11 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + size_t best_size = 0; + unsigned long int i; + +- /* We have a problem here. The following code to optimize the table +- size requires an integer type with more the 32 bits. If +- BFD_HOST_U_64_BIT is set we know about such a type. */ +-#ifdef BFD_HOST_U_64_BIT + if (info->optimize) + { + size_t minsize; + size_t maxsize; +- BFD_HOST_U_64_BIT best_chlen = ~((BFD_HOST_U_64_BIT) 0); ++ uint64_t best_chlen = ~((uint64_t) 0); + bfd *dynobj = elf_hash_table (info)->dynobj; + size_t dynsymcount = elf_hash_table (info)->dynsymcount; + const struct elf_backend_data *bed = get_elf_backend_data (dynobj); +@@ -6399,7 +6395,7 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + for (i = minsize; i < maxsize; ++i) + { + /* Walk through the array of hashcodes and count the collisions. 
*/ +- BFD_HOST_U_64_BIT max; ++ uint64_t max; + unsigned long int j; + unsigned long int fact; + +@@ -6464,11 +6460,7 @@ compute_bucket_count (struct bfd_link_info *info ATTRIBUTE_UNUSED, + free (counts); + } + else +-#endif /* defined (BFD_HOST_U_64_BIT) */ + { +- /* This is the fallback solution if no 64bit type is available or if we +- are not supposed to spend much time on optimizations. We select the +- bucket count using a fixed set of numbers. */ + for (i = 0; elf_buckets[i] != 0; i++) + { + best_size = elf_buckets[i]; +@@ -9354,7 +9346,6 @@ ext32b_r_offset (const void *p) + return aval; + } + +-#ifdef BFD_HOST_64_BIT + static bfd_vma + ext64l_r_offset (const void *p) + { +@@ -9398,7 +9389,6 @@ ext64b_r_offset (const void *p) + | (uint64_t) a->c[7]); + return aval; + } +-#endif + + /* When performing a relocatable link, the input relocations are + preserved. But, if they reference global symbols, the indices +@@ -9502,13 +9492,11 @@ elf_link_adjust_relocs (bfd *abfd, + } + else + { +-#ifdef BFD_HOST_64_BIT + if (abfd->xvec->header_byteorder == BFD_ENDIAN_LITTLE) + ext_r_off = ext64l_r_offset; + else if (abfd->xvec->header_byteorder == BFD_ENDIAN_BIG) + ext_r_off = ext64b_r_offset; + else +-#endif + abort (); + } + +diff --git a/bfd/elfxx-ia64.c b/bfd/elfxx-ia64.c +index c126adf6890..a108324ca39 100644 +--- a/bfd/elfxx-ia64.c ++++ b/bfd/elfxx-ia64.c +@@ -555,11 +555,7 @@ ia64_elf_install_value (bfd_byte *hit_addr, bfd_vma v, unsigned int r_type) + enum ia64_opnd opnd; + const char *err; + size_t size = 8; +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT val = (BFD_HOST_U_64_BIT) v; +-#else +- bfd_vma val = v; +-#endif ++ uint64_t val = v; + + opnd = IA64_OPND_NIL; + switch (r_type) +diff --git a/bfd/hppabsd-core.c b/bfd/hppabsd-core.c +index acfa5f69a95..d87af955838 100644 +--- a/bfd/hppabsd-core.c ++++ b/bfd/hppabsd-core.c +@@ -213,9 +213,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, 
void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_hppabsd_vec = + { +diff --git a/bfd/hpux-core.c b/bfd/hpux-core.c +index 4f03b84909a..654532c6bb9 100644 +--- a/bfd/hpux-core.c ++++ b/bfd/hpux-core.c +@@ -362,9 +362,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_hpux_vec = + { +diff --git a/bfd/irix-core.c b/bfd/irix-core.c +index 694fe2e2e07..b12aef9ce8b 100644 +--- a/bfd/irix-core.c ++++ b/bfd/irix-core.c +@@ -275,9 +275,9 @@ swap_abort(void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 
((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_irix_vec = + { +diff --git a/bfd/libbfd.c b/bfd/libbfd.c +index 2781671ddba..d33f3416206 100644 +--- a/bfd/libbfd.c ++++ b/bfd/libbfd.c +@@ -617,7 +617,7 @@ DESCRIPTION + #define COERCE16(x) (((bfd_vma) (x) ^ 0x8000) - 0x8000) + #define COERCE32(x) (((bfd_vma) (x) ^ 0x80000000) - 0x80000000) + #define COERCE64(x) \ +- (((bfd_uint64_t) (x) ^ ((bfd_uint64_t) 1 << 63)) - ((bfd_uint64_t) 1 << 63)) ++ (((uint64_t) (x) ^ ((uint64_t) 1 << 63)) - ((uint64_t) 1 << 63)) + + bfd_vma + bfd_getb16 (const void *p) +@@ -757,12 +757,11 @@ bfd_getl_signed_32 (const void *p) + return COERCE32 (v); + } + +-bfd_uint64_t +-bfd_getb64 (const void *p ATTRIBUTE_UNUSED) ++uint64_t ++bfd_getb64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[0]; v <<= 8; + v |= addr[1]; v <<= 8; +@@ -774,18 +773,13 @@ bfd_getb64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[7]; + + return v; +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + +-bfd_uint64_t +-bfd_getl64 (const void *p ATTRIBUTE_UNUSED) ++uint64_t ++bfd_getl64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[7]; v <<= 8; + v |= addr[6]; v <<= 8; +@@ -797,19 +791,13 @@ bfd_getl64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[0]; + + return v; +-#else +- BFD_FAIL(); +- return 0; +-#endif +- + } + +-bfd_int64_t +-bfd_getb_signed_64 (const void *p ATTRIBUTE_UNUSED) ++int64_t ++bfd_getb_signed_64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[0]; v <<= 8; + v |= addr[1]; v <<= 8; +@@ -821,18 +809,13 @@ bfd_getb_signed_64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[7]; + + return COERCE64 (v); +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + +-bfd_int64_t +-bfd_getl_signed_64 (const void *p ATTRIBUTE_UNUSED) 
++int64_t ++bfd_getl_signed_64 (const void *p) + { +-#ifdef BFD_HOST_64_BIT + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t v; ++ uint64_t v; + + v = addr[7]; v <<= 8; + v |= addr[6]; v <<= 8; +@@ -844,10 +827,6 @@ bfd_getl_signed_64 (const void *p ATTRIBUTE_UNUSED) + v |= addr[0]; + + return COERCE64 (v); +-#else +- BFD_FAIL(); +- return 0; +-#endif + } + + void +@@ -871,9 +850,8 @@ bfd_putl32 (bfd_vma data, void *p) + } + + void +-bfd_putb64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) ++bfd_putb64 (uint64_t data, void *p) + { +-#ifdef BFD_HOST_64_BIT + bfd_byte *addr = (bfd_byte *) p; + addr[0] = (data >> (7*8)) & 0xff; + addr[1] = (data >> (6*8)) & 0xff; +@@ -883,15 +861,11 @@ bfd_putb64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) + addr[5] = (data >> (2*8)) & 0xff; + addr[6] = (data >> (1*8)) & 0xff; + addr[7] = (data >> (0*8)) & 0xff; +-#else +- BFD_FAIL(); +-#endif + } + + void +-bfd_putl64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) ++bfd_putl64 (uint64_t data, void *p) + { +-#ifdef BFD_HOST_64_BIT + bfd_byte *addr = (bfd_byte *) p; + addr[7] = (data >> (7*8)) & 0xff; + addr[6] = (data >> (6*8)) & 0xff; +@@ -901,13 +875,10 @@ bfd_putl64 (bfd_uint64_t data ATTRIBUTE_UNUSED, void *p ATTRIBUTE_UNUSED) + addr[2] = (data >> (2*8)) & 0xff; + addr[1] = (data >> (1*8)) & 0xff; + addr[0] = (data >> (0*8)) & 0xff; +-#else +- BFD_FAIL(); +-#endif + } + + void +-bfd_put_bits (bfd_uint64_t data, void *p, int bits, bool big_p) ++bfd_put_bits (uint64_t data, void *p, int bits, bool big_p) + { + bfd_byte *addr = (bfd_byte *) p; + int i; +@@ -926,11 +897,11 @@ bfd_put_bits (bfd_uint64_t data, void *p, int bits, bool big_p) + } + } + +-bfd_uint64_t ++uint64_t + bfd_get_bits (const void *p, int bits, bool big_p) + { + const bfd_byte *addr = (const bfd_byte *) p; +- bfd_uint64_t data; ++ uint64_t data; + int i; + int bytes; + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index e32b7873cef..9f3f1f13e4e 100644 
+--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -4773,7 +4773,7 @@ bfd_mach_o_read_source_version (bfd *abfd, bfd_mach_o_load_command *command) + { + bfd_mach_o_source_version_command *cmd = &command->command.source_version; + struct mach_o_source_version_command_external raw; +- bfd_uint64_t ver; ++ uint64_t ver; + + if (command->len < sizeof (raw) + 8) + return false; +diff --git a/bfd/mach-o.h b/bfd/mach-o.h +index 5a068d8d970..f7418ad8d40 100644 +--- a/bfd/mach-o.h ++++ b/bfd/mach-o.h +@@ -545,8 +545,8 @@ bfd_mach_o_encryption_info_command; + + typedef struct bfd_mach_o_main_command + { +- bfd_uint64_t entryoff; +- bfd_uint64_t stacksize; ++ uint64_t entryoff; ++ uint64_t stacksize; + } + bfd_mach_o_main_command; + +@@ -563,8 +563,8 @@ bfd_mach_o_source_version_command; + typedef struct bfd_mach_o_note_command + { + char data_owner[16]; +- bfd_uint64_t offset; +- bfd_uint64_t size; ++ uint64_t offset; ++ uint64_t size; + } + bfd_mach_o_note_command; + +diff --git a/bfd/netbsd-core.c b/bfd/netbsd-core.c +index cb215937da6..ffc8e50842c 100644 +--- a/bfd/netbsd-core.c ++++ b/bfd/netbsd-core.c +@@ -257,9 +257,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_netbsd_vec = + { +diff --git a/bfd/osf-core.c b/bfd/osf-core.c +index 09a04a07624..04434b2045c 100644 +--- a/bfd/osf-core.c ++++ b/bfd/osf-core.c +@@ -169,9 +169,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define 
NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_osf_vec = + { +diff --git a/bfd/ptrace-core.c b/bfd/ptrace-core.c +index 3d077d21200..c4afffbfb95 100644 +--- a/bfd/ptrace-core.c ++++ b/bfd/ptrace-core.c +@@ -160,9 +160,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_ptrace_vec = + { +diff --git a/bfd/sco5-core.c b/bfd/sco5-core.c +index d1f80c9079f..7807ac86a65 100644 +--- a/bfd/sco5-core.c ++++ b/bfd/sco5-core.c +@@ -340,9 +340,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) 
swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_sco5_vec = + { +diff --git a/bfd/targets.c b/bfd/targets.c +index 05dd8236d91..f44b5c67724 100644 +--- a/bfd/targets.c ++++ b/bfd/targets.c +@@ -226,9 +226,9 @@ DESCRIPTION + . {* Entries for byte swapping for data. These are different from the + . other entry points, since they don't take a BFD as the first argument. + . Certain other handlers could do the same. *} +-. bfd_uint64_t (*bfd_getx64) (const void *); +-. bfd_int64_t (*bfd_getx_signed_64) (const void *); +-. void (*bfd_putx64) (bfd_uint64_t, void *); ++. uint64_t (*bfd_getx64) (const void *); ++. int64_t (*bfd_getx_signed_64) (const void *); ++. void (*bfd_putx64) (uint64_t, void *); + . bfd_vma (*bfd_getx32) (const void *); + . bfd_signed_vma (*bfd_getx_signed_32) (const void *); + . void (*bfd_putx32) (bfd_vma, void *); +@@ -237,9 +237,9 @@ DESCRIPTION + . void (*bfd_putx16) (bfd_vma, void *); + . + . {* Byte swapping for the headers. *} +-. bfd_uint64_t (*bfd_h_getx64) (const void *); +-. bfd_int64_t (*bfd_h_getx_signed_64) (const void *); +-. void (*bfd_h_putx64) (bfd_uint64_t, void *); ++. uint64_t (*bfd_h_getx64) (const void *); ++. int64_t (*bfd_h_getx_signed_64) (const void *); ++. void (*bfd_h_putx64) (uint64_t, void *); + . bfd_vma (*bfd_h_getx32) (const void *); + . bfd_signed_vma (*bfd_h_getx_signed_32) (const void *); + . 
void (*bfd_h_putx32) (bfd_vma, void *); +diff --git a/bfd/trad-core.c b/bfd/trad-core.c +index 92a279b6a72..8e9ee0d6667 100644 +--- a/bfd/trad-core.c ++++ b/bfd/trad-core.c +@@ -249,9 +249,9 @@ swap_abort (void) + #define NO_GET ((bfd_vma (*) (const void *)) swap_abort) + #define NO_PUT ((void (*) (bfd_vma, void *)) swap_abort) + #define NO_GETS ((bfd_signed_vma (*) (const void *)) swap_abort) +-#define NO_GET64 ((bfd_uint64_t (*) (const void *)) swap_abort) +-#define NO_PUT64 ((void (*) (bfd_uint64_t, void *)) swap_abort) +-#define NO_GETS64 ((bfd_int64_t (*) (const void *)) swap_abort) ++#define NO_GET64 ((uint64_t (*) (const void *)) swap_abort) ++#define NO_PUT64 ((void (*) (uint64_t, void *)) swap_abort) ++#define NO_GETS64 ((int64_t (*) (const void *)) swap_abort) + + const bfd_target core_trad_vec = + { +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index 1129c98f0e2..fd0762811df 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -522,7 +522,7 @@ _bfd_vms_slurp_eisd (bfd *abfd, unsigned int offset) + struct vms_eisd *eisd; + unsigned int rec_size; + unsigned int size; +- bfd_uint64_t vaddr; ++ uint64_t vaddr; + unsigned int flags; + unsigned int vbn; + char *name = NULL; +diff --git a/binutils/nm.c b/binutils/nm.c +index 60e4d850885..539c5688425 100644 +--- a/binutils/nm.c ++++ b/binutils/nm.c +@@ -1557,29 +1557,15 @@ get_print_format (void) + padding = "016"; + } + +- const char * length = "l"; +- if (print_width == 64) +- { +-#if BFD_HOST_64BIT_LONG +- ; +-#elif BFD_HOST_64BIT_LONG_LONG +-#ifndef __MSVCRT__ +- length = "ll"; +-#else +- length = "I64"; +-#endif +-#endif +- } +- + const char * radix = NULL; + switch (print_radix) + { +- case 8: radix = "o"; break; +- case 10: radix = "d"; break; +- case 16: radix = "x"; break; ++ case 8: radix = PRIo64; break; ++ case 10: radix = PRId64; break; ++ case 16: radix = PRIx64; break; + } + +- return concat ("%", padding, length, radix, NULL); ++ return concat ("%", padding, radix, NULL); + } + + static 
void +@@ -1874,33 +1860,8 @@ print_value (bfd *abfd ATTRIBUTE_UNUSED, bfd_vma val) + switch (print_width) + { + case 32: +- printf (print_format_string, (unsigned long) val); +- break; +- + case 64: +-#if BFD_HOST_64BIT_LONG || BFD_HOST_64BIT_LONG_LONG +- printf (print_format_string, val); +-#else +- /* We have a 64 bit value to print, but the host is only 32 bit. */ +- if (print_radix == 16) +- bfd_fprintf_vma (abfd, stdout, val); +- else +- { +- char buf[30]; +- char *s; +- +- s = buf + sizeof buf; +- *--s = '\0'; +- while (val > 0) +- { +- *--s = (val % print_radix) + '0'; +- val /= print_radix; +- } +- while ((buf + sizeof buf - 1) - s < 16) +- *--s = '0'; +- printf ("%s", s); +- } +-#endif ++ printf (print_format_string, (uint64_t) val); + break; + + default: +diff --git a/binutils/od-macho.c b/binutils/od-macho.c +index 56d448ac3bd..e91c87d2acf 100644 +--- a/binutils/od-macho.c ++++ b/binutils/od-macho.c +@@ -283,15 +283,6 @@ bfd_mach_o_print_flags (const bfd_mach_o_xlat_name *table, + printf ("-"); + } + +-/* Print a bfd_uint64_t, using a platform independent style. 
*/ +- +-static void +-printf_uint64 (bfd_uint64_t v) +-{ +- printf ("0x%08lx%08lx", +- (unsigned long)((v >> 16) >> 16), (unsigned long)(v & 0xffffffffUL)); +-} +- + static const char * + bfd_mach_o_get_name_or_null (const bfd_mach_o_xlat_name *table, + unsigned long val) +@@ -1729,26 +1720,20 @@ dump_load_command (bfd *abfd, bfd_mach_o_load_command *cmd, + } + case BFD_MACH_O_LC_MAIN: + { +- bfd_mach_o_main_command *entry = &cmd->command.main; +- printf (" entry offset: "); +- printf_uint64 (entry->entryoff); +- printf ("\n" +- " stack size: "); +- printf_uint64 (entry->stacksize); +- printf ("\n"); +- break; ++ bfd_mach_o_main_command *entry = &cmd->command.main; ++ printf (" entry offset: %#016" PRIx64 "\n" ++ " stack size: %#016" PRIx64 "\n", ++ entry->entryoff, entry->stacksize); ++ break; + } + case BFD_MACH_O_LC_NOTE: + { +- bfd_mach_o_note_command *note = &cmd->command.note; +- printf (" data owner: %.16s\n", note->data_owner); +- printf (" offset: "); +- printf_uint64 (note->offset); +- printf ("\n" +- " size: "); +- printf_uint64 (note->size); +- printf ("\n"); +- break; ++ bfd_mach_o_note_command *note = &cmd->command.note; ++ printf (" data owner: %.16s\n" ++ " offset: %#016" PRIx64 "\n" ++ " size: %#016" PRIx64 "\n", ++ note->data_owner, note->offset, note->size); ++ break; + } + case BFD_MACH_O_LC_BUILD_VERSION: + dump_build_version (abfd, cmd); +@@ -2013,14 +1998,11 @@ dump_obj_compact_unwind (bfd *abfd, + { + e = (struct mach_o_compact_unwind_64 *) p; + +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->start)); +- printf (" %08lx", (unsigned long)bfd_get_32 (abfd, e->length)); +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->personality)); +- putchar (' '); +- printf_uint64 (bfd_get_64 (abfd, e->lsda)); +- putchar ('\n'); ++ printf (" %#016" PRIx64 " %#08x %#016" PRIx64 " %#016" PRIx64 "\n", ++ (uint64_t) bfd_get_64 (abfd, e->start), ++ (unsigned int) bfd_get_32 (abfd, e->length), ++ (uint64_t) bfd_get_64 (abfd, e->personality), ++ 
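Review bot: The `%#016" PRIx64` conversions in the BFD_MACH_O_LC_MAIN and BFD_MACH_O_LC_NOTE cases do not reproduce what the removed `printf_uint64` printed. The old helper wrote `0x` followed by 16 hex digits, whereas with `#` the prefix counts toward the field width, so a non-zero value gets only 14 digits and a zero value gets no `0x` at all. Writing the prefix literally keeps the old layout, e.g. `printf (" entry offset: 0x%016" PRIx64 "\n", entry->entryoff);`. The same applies to the `dump_obj_compact_unwind` hunk that follows, where `%#08x` also adds a prefix the old `%08lx` never had and leaves six digits for `length`. Anything that parses this dump output would see the difference; `dump_load_command` starts and ends outside the hunk.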
(uint64_t) bfd_get_64 (abfd, e->lsda)); + + printf (" encoding: "); + dump_unwind_encoding (mdata, bfd_get_32 (abfd, e->encoding)); +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index d6cbab8578b..c1e41628d26 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -485,41 +485,12 @@ pop_type (struct pr_handle *info) + static void + print_vma (bfd_vma vma, char *buf, bool unsignedp, bool hexp) + { +- if (sizeof (vma) <= sizeof (unsigned long)) +- { +- if (hexp) +- sprintf (buf, "0x%lx", (unsigned long) vma); +- else if (unsignedp) +- sprintf (buf, "%lu", (unsigned long) vma); +- else +- sprintf (buf, "%ld", (long) vma); +- } +-#if BFD_HOST_64BIT_LONG_LONG +- else if (sizeof (vma) <= sizeof (unsigned long long)) +- { +-#ifndef __MSVCRT__ +- if (hexp) +- sprintf (buf, "0x%llx", (unsigned long long) vma); +- else if (unsignedp) +- sprintf (buf, "%llu", (unsigned long long) vma); +- else +- sprintf (buf, "%lld", (long long) vma); +-#else +- if (hexp) +- sprintf (buf, "0x%I64x", (unsigned long long) vma); +- else if (unsignedp) +- sprintf (buf, "%I64u", (unsigned long long) vma); +- else +- sprintf (buf, "%I64d", (long long) vma); +-#endif +- } +-#endif ++ if (hexp) ++ sprintf (buf, "%#" PRIx64, (uint64_t) vma); ++ else if (unsignedp) ++ sprintf (buf, "%" PRIu64, (uint64_t) vma); + else +- { +- buf[0] = '0'; +- buf[1] = 'x'; +- sprintf_vma (buf + 2, vma); +- } ++ sprintf (buf, "%" PRId64, (int64_t) vma); + } + + /* Start a new compilation unit. */ +diff --git a/binutils/readelf.c b/binutils/readelf.c +index c35bfc12366..4c0a2a34767 100644 +--- a/binutils/readelf.c ++++ b/binutils/readelf.c +@@ -10729,7 +10729,7 @@ dynamic_section_parisc_val (Elf_Internal_Dyn * entry) + /* Display a VMS time in a human readable format. 
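Review bot: In `print_vma`, the hex branch `sprintf (buf, "%#" PRIx64, (uint64_t) vma);` is not equivalent to the removed `"0x%lx"`, because the `#` flag omits the prefix when the value is zero, so a zero address now prints as `0` instead of `0x0`. Using `sprintf (buf, "0x%" PRIx64, (uint64_t) vma);` keeps the previous output for every value. The function still writes through `buf` with no length, so the worst case of 20 digits plus sign and terminator should be stated in a comment above it, for example `/* BUF must hold at least 22 bytes. */`, unless callers are changed to pass a size for `snprintf`.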
*/ + + static void +-print_vms_time (bfd_int64_t vmstime) ++print_vms_time (int64_t vmstime) + { + struct tm *tm = NULL; + time_t unxtime; +@@ -20764,7 +20764,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + /* FIXME: Generate an error if descsz > 8 ? */ + + printf ("0x%016" BFD_VMA_FMT "x\n", +- (bfd_vma) byte_get ((unsigned char *)pnote->descdata, 8)); ++ (bfd_vma) byte_get ((unsigned char *) pnote->descdata, 8)); + break; + + case NT_VMS_LINKTIME: +@@ -20773,8 +20773,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + /* FIXME: Generate an error if descsz > 8 ? */ + +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata, 8)); + printf ("\n"); + break; + +@@ -20784,8 +20783,7 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + /* FIXME: Generate an error if descsz > 8 ? */ + +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata, 8)); + printf ("\n"); + break; + +@@ -20794,16 +20792,15 @@ print_ia64_vms_note (Elf_Internal_Note * pnote) + goto desc_size_fail; + + printf (_(" Major id: %u, minor id: %u\n"), +- (unsigned) byte_get ((unsigned char *)pnote->descdata, 4), +- (unsigned) byte_get ((unsigned char *)pnote->descdata + 4, 4)); ++ (unsigned) byte_get ((unsigned char *) pnote->descdata, 4), ++ (unsigned) byte_get ((unsigned char *) pnote->descdata + 4, 4)); + printf (_(" Last modified : ")); +- print_vms_time +- ((bfd_int64_t) byte_get ((unsigned char *)pnote->descdata + 8, 8)); ++ print_vms_time (byte_get ((unsigned char *) pnote->descdata + 8, 8)); + printf (_("\n Link flags : ")); + printf ("0x%016" BFD_VMA_FMT "x\n", +- (bfd_vma) byte_get ((unsigned char *)pnote->descdata + 16, 8)); ++ (bfd_vma) byte_get ((unsigned char *) pnote->descdata + 16, 8)); + printf (_(" Header flags: 0x%08x\n"), +- (unsigned) byte_get 
((unsigned char *)pnote->descdata + 24, 4)); ++ (unsigned) byte_get ((unsigned char *) pnote->descdata + 24, 4)); + printf (_(" Image id : %.*s\n"), maxlen - 32, pnote->descdata + 32); + break; + #endif +diff --git a/gas/config/tc-arm.c b/gas/config/tc-arm.c +index 1721097cfca..2e6d175482e 100644 +--- a/gas/config/tc-arm.c ++++ b/gas/config/tc-arm.c +@@ -3565,7 +3565,7 @@ add_to_lit_pool (unsigned int nbytes) + imm1 = inst.operands[1].imm; + imm2 = (inst.operands[1].regisimm ? inst.operands[1].reg + : inst.relocs[0].exp.X_unsigned ? 0 +- : ((bfd_int64_t) inst.operands[1].imm) >> 32); ++ : (int64_t) inst.operands[1].imm >> 32); + if (target_big_endian) + { + imm1 = imm2; +@@ -8819,15 +8819,14 @@ neon_cmode_for_move_imm (unsigned immlo, unsigned immhi, int float_p, + return FAIL; + } + +-#if defined BFD_HOST_64_BIT + /* Returns TRUE if double precision value V may be cast + to single precision without loss of accuracy. */ + + static bool +-is_double_a_single (bfd_uint64_t v) ++is_double_a_single (uint64_t v) + { + int exp = (v >> 52) & 0x7FF; +- bfd_uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; ++ uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; + + return ((exp == 0 || exp == 0x7FF + || (exp >= 1023 - 126 && exp <= 1023 + 127)) +@@ -8838,11 +8837,11 @@ is_double_a_single (bfd_uint64_t v) + (ignoring the least significant bits in exponent and mantissa). 
*/ + + static int +-double_to_single (bfd_uint64_t v) ++double_to_single (uint64_t v) + { + unsigned int sign = (v >> 63) & 1; + int exp = (v >> 52) & 0x7FF; +- bfd_uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; ++ uint64_t mantissa = v & 0xFFFFFFFFFFFFFULL; + + if (exp == 0x7FF) + exp = 0xFF; +@@ -8865,7 +8864,6 @@ double_to_single (bfd_uint64_t v) + mantissa >>= 29; + return (sign << 31) | (exp << 23) | mantissa; + } +-#endif /* BFD_HOST_64_BIT */ + + enum lit_type + { +@@ -8914,11 +8912,7 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + if (inst.relocs[0].exp.X_op == O_constant + || inst.relocs[0].exp.X_op == O_big) + { +-#if defined BFD_HOST_64_BIT +- bfd_uint64_t v; +-#else +- valueT v; +-#endif ++ uint64_t v; + if (inst.relocs[0].exp.X_op == O_big) + { + LITTLENUM_TYPE w[X_PRECISION]; +@@ -8933,7 +8927,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + else + l = generic_bignum; + +-#if defined BFD_HOST_64_BIT + v = l[3] & LITTLENUM_MASK; + v <<= LITTLENUM_NUMBER_OF_BITS; + v |= l[2] & LITTLENUM_MASK; +@@ -8941,11 +8934,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + v |= l[1] & LITTLENUM_MASK; + v <<= LITTLENUM_NUMBER_OF_BITS; + v |= l[0] & LITTLENUM_MASK; +-#else +- v = l[1] & LITTLENUM_MASK; +- v <<= LITTLENUM_NUMBER_OF_BITS; +- v |= l[0] & LITTLENUM_MASK; +-#endif + } + else + v = inst.relocs[0].exp.X_add_number; +@@ -9041,7 +9029,7 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + ? inst.operands[1].reg + : inst.relocs[0].exp.X_unsigned + ? 0 +- : ((bfd_int64_t)((int) immlo)) >> 32; ++ : (int64_t) (int) immlo >> 32; + int cmode = neon_cmode_for_move_imm (immlo, immhi, false, &immbits, + &op, 64, NT_invtype); + +@@ -9090,7 +9078,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + discrepancy between the output produced by an assembler built for + a 32-bit-only host and the output produced from a 64-bit host, but + this cannot be helped. 
*/ +-#if defined BFD_HOST_64_BIT + else if (!inst.operands[1].issingle + && ARM_CPU_HAS_FEATURE (cpu_variant, fpu_vfp_ext_v3)) + { +@@ -9103,7 +9090,6 @@ move_or_literal_pool (int i, enum lit_type t, bool mode_3) + return true; + } + } +-#endif + } + } + +diff --git a/gas/config/tc-csky.c b/gas/config/tc-csky.c +index 2371eeb747e..5b824d89af0 100644 +--- a/gas/config/tc-csky.c ++++ b/gas/config/tc-csky.c +@@ -215,7 +215,7 @@ enum + unsigned int mach_flag = 0; + unsigned int arch_flag = 0; + unsigned int other_flag = 0; +-BFD_HOST_U_64_BIT isa_flag = 0; ++uint64_t isa_flag = 0; + unsigned int dsp_flag = 0; + + typedef struct stack_size_entry +@@ -245,7 +245,7 @@ struct csky_macro_info + const char *name; + /* How many operands : if operands == 5, all of 1,2,3,4 are ok. */ + long oprnd_num; +- BFD_HOST_U_64_BIT isa_flag; ++ uint64_t isa_flag; + /* Do the work. */ + void (*handle_func)(void); + }; +@@ -591,14 +591,14 @@ struct csky_cpu_feature + { + const char unique; + unsigned int arch_flag; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + }; + + struct csky_cpu_version + { + int r; + int p; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + }; + + #define CSKY_FEATURE_MAX 10 +@@ -608,7 +608,7 @@ struct csky_cpu_info + { + const char *name; + unsigned int arch_flag; +- bfd_uint64_t isa_flag; ++ uint64_t isa_flag; + struct csky_cpu_feature features[CSKY_FEATURE_MAX]; + struct csky_cpu_version ver[CSKY_CPU_REVERISON_MAX]; + }; +diff --git a/gas/config/tc-sparc.c b/gas/config/tc-sparc.c +index 222223f3549..4e443b1d28d 100644 +--- a/gas/config/tc-sparc.c ++++ b/gas/config/tc-sparc.c +@@ -75,10 +75,10 @@ static enum { MM_TSO, MM_PSO, MM_RMO } sparc_memory_model = MM_RMO; + #ifndef TE_SOLARIS + /* Bitmask of instruction types seen so far, used to populate the + GNU attributes section with hwcap information. 
*/ +-static bfd_uint64_t hwcap_seen; ++static uint64_t hwcap_seen; + #endif + +-static bfd_uint64_t hwcap_allowed; ++static uint64_t hwcap_allowed; + + static int architecture_requested; + static int warn_on_bump; +@@ -498,15 +498,15 @@ md_parse_option (int c, const char *arg) + || opcode_arch > max_architecture) + max_architecture = opcode_arch; + +- /* The allowed hardware capabilities are the implied by the +- opcodes arch plus any extra capabilities defined in the GAS +- arch. */ +- hwcap_allowed +- = (hwcap_allowed +- | (((bfd_uint64_t) sparc_opcode_archs[opcode_arch].hwcaps2) << 32) +- | (((bfd_uint64_t) sa->hwcap2_allowed) << 32) +- | sparc_opcode_archs[opcode_arch].hwcaps +- | sa->hwcap_allowed); ++ /* The allowed hardware capabilities are the implied by the ++ opcodes arch plus any extra capabilities defined in the GAS ++ arch. */ ++ hwcap_allowed ++ = (hwcap_allowed ++ | ((uint64_t) sparc_opcode_archs[opcode_arch].hwcaps2 << 32) ++ | ((uint64_t) sa->hwcap2_allowed << 32) ++ | sparc_opcode_archs[opcode_arch].hwcaps ++ | sa->hwcap_allowed); + architecture_requested = 1; + } + break; +@@ -1607,7 +1607,7 @@ md_assemble (char *str) + } + + static const char * +-get_hwcap_name (bfd_uint64_t mask) ++get_hwcap_name (uint64_t mask) + { + if (mask & HWCAP_MUL32) + return "mul32"; +@@ -3171,8 +3171,7 @@ sparc_ip (char *str, const struct sparc_opcode **pinsn) + msg_str = sasi->name; + } + +- bfd_uint64_t hwcaps +- = (((bfd_uint64_t) insn->hwcaps2) << 32) | insn->hwcaps; ++ uint64_t hwcaps = ((uint64_t) insn->hwcaps2 << 32) | insn->hwcaps; + + #ifndef TE_SOLARIS + if (hwcaps) +@@ -3211,10 +3210,10 @@ sparc_ip (char *str, const struct sparc_opcode **pinsn) + } + current_architecture = needed_architecture; + hwcap_allowed +- = (hwcap_allowed +- | hwcaps +- | (((bfd_uint64_t) sparc_opcode_archs[current_architecture].hwcaps2) << 32) +- | sparc_opcode_archs[current_architecture].hwcaps); ++ = (hwcap_allowed ++ | hwcaps ++ | ((uint64_t) 
sparc_opcode_archs[current_architecture].hwcaps2 << 32) ++ | sparc_opcode_archs[current_architecture].hwcaps); + } + /* Conflict. */ + /* ??? This seems to be a bit fragile. What if the next entry in +diff --git a/gas/config/tc-tilegx.c b/gas/config/tc-tilegx.c +index b627b7080e5..4fcc38c9034 100644 +--- a/gas/config/tc-tilegx.c ++++ b/gas/config/tc-tilegx.c +@@ -789,16 +789,16 @@ emit_tilegx_instruction (tilegx_bundle_bits bits, + static void + check_illegal_reg_writes (void) + { +- BFD_HOST_U_64_BIT all_regs_written = 0; ++ uint64_t all_regs_written = 0; + int j; + + for (j = 0; j < current_bundle_index; j++) + { + const struct tilegx_instruction *instr = ¤t_bundle[j]; + int k; +- BFD_HOST_U_64_BIT regs = +- ((BFD_HOST_U_64_BIT)1) << instr->opcode->implicitly_written_register; +- BFD_HOST_U_64_BIT conflict; ++ uint64_t regs = ++ (uint64_t) 1 << instr->opcode->implicitly_written_register; ++ uint64_t conflict; + + for (k = 0; k < instr->opcode->num_operands; k++) + { +@@ -808,12 +808,12 @@ check_illegal_reg_writes (void) + if (operand->is_dest_reg) + { + int regno = instr->operand_values[k].X_add_number; +- BFD_HOST_U_64_BIT mask = ((BFD_HOST_U_64_BIT)1) << regno; ++ uint64_t mask = (uint64_t) 1 << regno; + +- if ((mask & ( (((BFD_HOST_U_64_BIT)1) << TREG_IDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN2) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN3))) != 0 ++ if ((mask & ( ((uint64_t) 1 << TREG_IDN1) ++ | ((uint64_t) 1 << TREG_UDN1) ++ | ((uint64_t) 1 << TREG_UDN2) ++ | ((uint64_t) 1 << TREG_UDN3))) != 0 + && !allow_suspicious_bundles) + { + as_bad (_("Writes to register '%s' are not allowed."), +@@ -825,7 +825,7 @@ check_illegal_reg_writes (void) + } + + /* Writing to the zero register doesn't count. 
*/ +- regs &= ~(((BFD_HOST_U_64_BIT)1) << TREG_ZERO); ++ regs &= ~((uint64_t) 1 << TREG_ZERO); + + conflict = all_regs_written & regs; + if (conflict != 0 && !allow_suspicious_bundles) +diff --git a/gas/config/tc-tilepro.c b/gas/config/tc-tilepro.c +index af0be422f98..ca092d77a4b 100644 +--- a/gas/config/tc-tilepro.c ++++ b/gas/config/tc-tilepro.c +@@ -677,16 +677,16 @@ emit_tilepro_instruction (tilepro_bundle_bits bits, + static void + check_illegal_reg_writes (void) + { +- BFD_HOST_U_64_BIT all_regs_written = 0; ++ uint64_t all_regs_written = 0; + int j; + + for (j = 0; j < current_bundle_index; j++) + { + const struct tilepro_instruction *instr = ¤t_bundle[j]; + int k; +- BFD_HOST_U_64_BIT regs = +- ((BFD_HOST_U_64_BIT)1) << instr->opcode->implicitly_written_register; +- BFD_HOST_U_64_BIT conflict; ++ uint64_t regs = ++ (uint64_t) 1 << instr->opcode->implicitly_written_register; ++ uint64_t conflict; + + for (k = 0; k < instr->opcode->num_operands; k++) + { +@@ -696,12 +696,12 @@ check_illegal_reg_writes (void) + if (operand->is_dest_reg) + { + int regno = instr->operand_values[k].X_add_number; +- BFD_HOST_U_64_BIT mask = ((BFD_HOST_U_64_BIT)1) << regno; ++ uint64_t mask = (uint64_t) 1 << regno; + +- if ((mask & ( (((BFD_HOST_U_64_BIT)1) << TREG_IDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN1) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN2) +- | (((BFD_HOST_U_64_BIT)1) << TREG_UDN3))) != 0 ++ if ((mask & ( ((uint64_t) 1 << TREG_IDN1) ++ | ((uint64_t) 1 << TREG_UDN1) ++ | ((uint64_t) 1 << TREG_UDN2) ++ | ((uint64_t) 1 << TREG_UDN3))) != 0 + && !allow_suspicious_bundles) + { + as_bad (_("Writes to register '%s' are not allowed."), +@@ -713,7 +713,7 @@ check_illegal_reg_writes (void) + } + + /* Writing to the zero register doesn't count. 
*/ +- regs &= ~(((BFD_HOST_U_64_BIT)1) << TREG_ZERO); ++ regs &= ~((uint64_t) 1 << TREG_ZERO); + + conflict = all_regs_written & regs; + if (conflict != 0 && !allow_suspicious_bundles) +diff --git a/gas/config/tc-z80.c b/gas/config/tc-z80.c +index 81fbfe3b0ae..714e704e24a 100644 +--- a/gas/config/tc-z80.c ++++ b/gas/config/tc-z80.c +@@ -3910,11 +3910,11 @@ z80_tc_label_is_local (const char *name) + #define EXP_MIN -0x10000 + #define EXP_MAX 0x10000 + static int +-str_to_broken_float (bool *signP, bfd_uint64_t *mantissaP, int *expP) ++str_to_broken_float (bool *signP, uint64_t *mantissaP, int *expP) + { + char *p; + bool sign; +- bfd_uint64_t mantissa = 0; ++ uint64_t mantissa = 0; + int exponent = 0; + int i; + +@@ -4029,7 +4029,7 @@ str_to_broken_float (bool *signP, bfd_uint64_t *mantissaP, int *expP) + static const char * + str_to_zeda32(char *litP, int *sizeP) + { +- bfd_uint64_t mantissa; ++ uint64_t mantissa; + bool sign; + int exponent; + unsigned i; +@@ -4088,7 +4088,7 @@ str_to_zeda32(char *litP, int *sizeP) + static const char * + str_to_float48(char *litP, int *sizeP) + { +- bfd_uint64_t mantissa; ++ uint64_t mantissa; + bool sign; + int exponent; + unsigned i; +diff --git a/gas/config/te-vms.c b/gas/config/te-vms.c +index 015c95867f0..6661a3b6a72 100644 +--- a/gas/config/te-vms.c ++++ b/gas/config/te-vms.c +@@ -339,7 +339,7 @@ vms_file_stats_name (const char *dirname, + return 0; + } + +-bfd_uint64_t ++uint64_t + vms_dwarf2_file_time_name (const char *filename, const char *dirname) + { + long long cdt; +diff --git a/gas/config/te-vms.h b/gas/config/te-vms.h +index ffe7f5e8f37..08f218502de 100644 +--- a/gas/config/te-vms.h ++++ b/gas/config/te-vms.h +@@ -20,7 +20,7 @@ + #define TE_VMS + #include "obj-format.h" + +-extern bfd_uint64_t vms_dwarf2_file_time_name (const char *, const char *); ++extern uint64_t vms_dwarf2_file_time_name (const char *, const char *); + extern long vms_dwarf2_file_size_name (const char *, const char *); + extern char 
*vms_dwarf2_file_name (const char *, const char *); + +diff --git a/gdb/findcmd.c b/gdb/findcmd.c +index ff13f22e970..ed2cea7b74d 100644 +--- a/gdb/findcmd.c ++++ b/gdb/findcmd.c +@@ -30,7 +30,7 @@ + /* Copied from bfd_put_bits. */ + + static void +-put_bits (bfd_uint64_t data, gdb::byte_vector &buf, int bits, bfd_boolean big_p) ++put_bits (uint64_t data, gdb::byte_vector &buf, int bits, bfd_boolean big_p) + { + int i; + int bytes; +diff --git a/gdb/tilegx-tdep.c b/gdb/tilegx-tdep.c +index 7930db72779..9668aa80b53 100644 +--- a/gdb/tilegx-tdep.c ++++ b/gdb/tilegx-tdep.c +@@ -375,7 +375,7 @@ tilegx_analyze_prologue (struct gdbarch* gdbarch, + CORE_ADDR instbuf_start; + unsigned int instbuf_size; + int status; +- bfd_uint64_t bundle; ++ uint64_t bundle; + struct tilegx_decoded_instruction + decoded[TILEGX_MAX_INSTRUCTIONS_PER_BUNDLE]; + int num_insns; +diff --git a/gprof/gmon_io.c b/gprof/gmon_io.c +index c613809d396..2b4dd26375b 100644 +--- a/gprof/gmon_io.c ++++ b/gprof/gmon_io.c +@@ -48,10 +48,8 @@ enum gmon_ptr_signedness { + static enum gmon_ptr_size gmon_get_ptr_size (void); + static enum gmon_ptr_signedness gmon_get_ptr_signedness (void); + +-#ifdef BFD_HOST_U_64_BIT +-static int gmon_io_read_64 (FILE *, BFD_HOST_U_64_BIT *); +-static int gmon_io_write_64 (FILE *, BFD_HOST_U_64_BIT); +-#endif ++static int gmon_io_read_64 (FILE *, uint64_t *); ++static int gmon_io_write_64 (FILE *, uint64_t); + static int gmon_read_raw_arc + (FILE *, bfd_vma *, bfd_vma *, unsigned long *); + static int gmon_write_raw_arc +@@ -109,9 +107,8 @@ gmon_io_read_32 (FILE *ifp, unsigned int *valp) + return 0; + } + +-#ifdef BFD_HOST_U_64_BIT + static int +-gmon_io_read_64 (FILE *ifp, BFD_HOST_U_64_BIT *valp) ++gmon_io_read_64 (FILE *ifp, uint64_t *valp) + { + char buf[8]; + +@@ -120,15 +117,12 @@ gmon_io_read_64 (FILE *ifp, BFD_HOST_U_64_BIT *valp) + *valp = bfd_get_64 (core_bfd, buf); + return 0; + } +-#endif + + int + gmon_io_read_vma (FILE *ifp, bfd_vma *valp) + { + unsigned int 
val32; +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT val64; +-#endif ++ uint64_t val64; + + switch (gmon_get_ptr_size ()) + { +@@ -136,23 +130,19 @@ gmon_io_read_vma (FILE *ifp, bfd_vma *valp) + if (gmon_io_read_32 (ifp, &val32)) + return 1; + if (gmon_get_ptr_signedness () == ptr_signed) +- *valp = (int) val32; ++ *valp = (int) val32; + else +- *valp = val32; ++ *valp = val32; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: + if (gmon_io_read_64 (ifp, &val64)) + return 1; +-#ifdef BFD_HOST_64_BIT + if (gmon_get_ptr_signedness () == ptr_signed) +- *valp = (BFD_HOST_64_BIT) val64; ++ *valp = (int64_t) val64; + else +-#endif +- *valp = val64; ++ *valp = val64; + break; +-#endif + } + return 0; + } +@@ -176,9 +166,8 @@ gmon_io_write_32 (FILE *ofp, unsigned int val) + return 0; + } + +-#ifdef BFD_HOST_U_64_BIT + static int +-gmon_io_write_64 (FILE *ofp, BFD_HOST_U_64_BIT val) ++gmon_io_write_64 (FILE *ofp, uint64_t val) + { + char buf[8]; + +@@ -187,7 +176,6 @@ gmon_io_write_64 (FILE *ofp, BFD_HOST_U_64_BIT val) + return 1; + return 0; + } +-#endif + + int + gmon_io_write_vma (FILE *ofp, bfd_vma val) +@@ -200,12 +188,10 @@ gmon_io_write_vma (FILE *ofp, bfd_vma val) + return 1; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: +- if (gmon_io_write_64 (ofp, (BFD_HOST_U_64_BIT) val)) ++ if (gmon_io_write_64 (ofp, (uint64_t) val)) + return 1; + break; +-#endif + } + return 0; + } +@@ -232,9 +218,7 @@ gmon_io_write (FILE *ofp, char *buf, size_t n) + static int + gmon_read_raw_arc (FILE *ifp, bfd_vma *fpc, bfd_vma *spc, unsigned long *cnt) + { +-#ifdef BFD_HOST_U_64_BIT +- BFD_HOST_U_64_BIT cnt64; +-#endif ++ uint64_t cnt64; + unsigned int cnt32; + + if (gmon_io_read_vma (ifp, fpc) +@@ -249,13 +233,11 @@ gmon_read_raw_arc (FILE *ifp, bfd_vma *fpc, bfd_vma *spc, unsigned long *cnt) + *cnt = cnt32; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: + if (gmon_io_read_64 (ifp, &cnt64)) + return 1; + *cnt = cnt64; + break; +-#endif + + default: + return 1; 
+@@ -278,12 +260,10 @@ gmon_write_raw_arc (FILE *ofp, bfd_vma fpc, bfd_vma spc, unsigned long cnt) + return 1; + break; + +-#ifdef BFD_HOST_U_64_BIT + case ptr_64bit: +- if (gmon_io_write_64 (ofp, (BFD_HOST_U_64_BIT) cnt)) ++ if (gmon_io_write_64 (ofp, (uint64_t) cnt)) + return 1; + break; +-#endif + } + return 0; + } +diff --git a/include/elf/nfp.h b/include/elf/nfp.h +index 5a06051196c..c89cefff27b 100644 +--- a/include/elf/nfp.h ++++ b/include/elf/nfp.h +@@ -102,7 +102,7 @@ extern "C" + #define SHF_NFP_INIT 0x80000000 + #define SHF_NFP_INIT2 0x40000000 + #define SHF_NFP_SCS(shf) (((shf) >> 32) & 0xFF) +-#define SHF_NFP_SET_SCS(v) (((BFD_HOST_U_64_BIT)((v) & 0xFF)) << 32) ++#define SHF_NFP_SET_SCS(v) ((uint64_t) ((v) & 0xFF) << 32) + + /* NFP Section Info + For PROGBITS and NOBITS sections: +diff --git a/include/opcode/csky.h b/include/opcode/csky.h +index ed00bfd7cd6..faecba11611 100644 +--- a/include/opcode/csky.h ++++ b/include/opcode/csky.h +@@ -22,46 +22,46 @@ + #include "dis-asm.h" + + /* The following bitmasks control instruction set architecture. 
*/ +-#define CSKYV1_ISA_E1 ((bfd_uint64_t)1 << 0) +-#define CSKYV2_ISA_E1 ((bfd_uint64_t)1 << 1) +-#define CSKYV2_ISA_1E2 ((bfd_uint64_t)1 << 2) +-#define CSKYV2_ISA_2E3 ((bfd_uint64_t)1 << 3) +-#define CSKYV2_ISA_3E7 ((bfd_uint64_t)1 << 4) +-#define CSKYV2_ISA_7E10 ((bfd_uint64_t)1 << 5) +-#define CSKYV2_ISA_3E3R1 ((bfd_uint64_t)1 << 6) +-#define CSKYV2_ISA_3E3R2 ((bfd_uint64_t)1 << 7) +-#define CSKYV2_ISA_10E60 ((bfd_uint64_t)1 << 8) +-#define CSKYV2_ISA_3E3R3 ((bfd_uint64_t)1 << 9) +- +-#define CSKY_ISA_TRUST ((bfd_uint64_t)1 << 11) +-#define CSKY_ISA_CACHE ((bfd_uint64_t)1 << 12) +-#define CSKY_ISA_NVIC ((bfd_uint64_t)1 << 13) +-#define CSKY_ISA_CP ((bfd_uint64_t)1 << 14) +-#define CSKY_ISA_MP ((bfd_uint64_t)1 << 15) +-#define CSKY_ISA_MP_1E2 ((bfd_uint64_t)1 << 16) +-#define CSKY_ISA_JAVA ((bfd_uint64_t)1 << 17) +-#define CSKY_ISA_MAC ((bfd_uint64_t)1 << 18) +-#define CSKY_ISA_MAC_DSP ((bfd_uint64_t)1 << 19) ++#define CSKYV1_ISA_E1 ((uint64_t) 1 << 0) ++#define CSKYV2_ISA_E1 ((uint64_t) 1 << 1) ++#define CSKYV2_ISA_1E2 ((uint64_t) 1 << 2) ++#define CSKYV2_ISA_2E3 ((uint64_t) 1 << 3) ++#define CSKYV2_ISA_3E7 ((uint64_t) 1 << 4) ++#define CSKYV2_ISA_7E10 ((uint64_t) 1 << 5) ++#define CSKYV2_ISA_3E3R1 ((uint64_t) 1 << 6) ++#define CSKYV2_ISA_3E3R2 ((uint64_t) 1 << 7) ++#define CSKYV2_ISA_10E60 ((uint64_t) 1 << 8) ++#define CSKYV2_ISA_3E3R3 ((uint64_t) 1 << 9) ++ ++#define CSKY_ISA_TRUST ((uint64_t) 1 << 11) ++#define CSKY_ISA_CACHE ((uint64_t) 1 << 12) ++#define CSKY_ISA_NVIC ((uint64_t) 1 << 13) ++#define CSKY_ISA_CP ((uint64_t) 1 << 14) ++#define CSKY_ISA_MP ((uint64_t) 1 << 15) ++#define CSKY_ISA_MP_1E2 ((uint64_t) 1 << 16) ++#define CSKY_ISA_JAVA ((uint64_t) 1 << 17) ++#define CSKY_ISA_MAC ((uint64_t) 1 << 18) ++#define CSKY_ISA_MAC_DSP ((uint64_t) 1 << 19) + + /* Base ISA for csky v1 and v2. 
*/ +-#define CSKY_ISA_DSP ((bfd_uint64_t)1 << 20) +-#define CSKY_ISA_DSP_1E2 ((bfd_uint64_t)1 << 21) +-#define CSKY_ISA_DSP_ENHANCE ((bfd_uint64_t)1 << 22) +-#define CSKY_ISA_DSPE60 ((bfd_uint64_t)1 << 23) ++#define CSKY_ISA_DSP ((uint64_t) 1 << 20) ++#define CSKY_ISA_DSP_1E2 ((uint64_t) 1 << 21) ++#define CSKY_ISA_DSP_ENHANCE ((uint64_t) 1 << 22) ++#define CSKY_ISA_DSPE60 ((uint64_t) 1 << 23) + + /* Base float instruction (803f & 810f). */ +-#define CSKY_ISA_FLOAT_E1 ((bfd_uint64_t)1 << 25) ++#define CSKY_ISA_FLOAT_E1 ((uint64_t) 1 << 25) + /* M_FLOAT support (810f). */ +-#define CSKY_ISA_FLOAT_1E2 ((bfd_uint64_t)1 << 26) ++#define CSKY_ISA_FLOAT_1E2 ((uint64_t) 1 << 26) + /* 803 support (803f). */ +-#define CSKY_ISA_FLOAT_1E3 ((bfd_uint64_t)1 << 27) ++#define CSKY_ISA_FLOAT_1E3 ((uint64_t) 1 << 27) + /* 807 support (803f & 807f). */ +-#define CSKY_ISA_FLOAT_3E4 ((bfd_uint64_t)1 << 28) ++#define CSKY_ISA_FLOAT_3E4 ((uint64_t) 1 << 28) + /* 860 support. */ +-#define CSKY_ISA_FLOAT_7E60 ((bfd_uint64_t)1 << 36) ++#define CSKY_ISA_FLOAT_7E60 ((uint64_t) 1 << 36) + /* Vector DSP support. */ +-#define CSKY_ISA_VDSP ((bfd_uint64_t)1 << 29) +-#define CSKY_ISA_VDSP_2 ((bfd_uint64_t)1 << 30) ++#define CSKY_ISA_VDSP ((uint64_t) 1 << 29) ++#define CSKY_ISA_VDSP_2 ((uint64_t) 1 << 30) + + /* The following bitmasks control cpu architecture for CSKY. */ + #define CSKY_ABI_V1 (1 << 28) +diff --git a/include/opcode/ia64.h b/include/opcode/ia64.h +index fbdd8f14e65..42a6812c3f8 100644 +--- a/include/opcode/ia64.h ++++ b/include/opcode/ia64.h +@@ -29,7 +29,7 @@ + extern "C" { + #endif + +-typedef BFD_HOST_U_64_BIT ia64_insn; ++typedef uint64_t ia64_insn; + + enum ia64_insn_type + { +diff --git a/opcodes/csky-dis.c b/opcodes/csky-dis.c +index b7c833623e5..99103ff57b5 100644 +--- a/opcodes/csky-dis.c ++++ b/opcodes/csky-dis.c +@@ -49,7 +49,7 @@ struct csky_dis_info + disassemble_info *info; + /* Opcode information. 
*/ + struct csky_opcode_info const *opinfo; +- BFD_HOST_U_64_BIT isa; ++ uint64_t isa; + /* The value of operand to show. */ + int value; + /* Whether to look up/print a symbol name. */ +diff --git a/opcodes/csky-opc.h b/opcodes/csky-opc.h +index b65efe19d9f..d2db90ede95 100644 +--- a/opcodes/csky-opc.h ++++ b/opcodes/csky-opc.h +@@ -271,8 +271,8 @@ struct csky_opcode + /* Encodings for 32-bit opcodes. */ + struct csky_opcode_info op32[OP_TABLE_NUM]; + /* Instruction set flag. */ +- BFD_HOST_U_64_BIT isa_flag16; +- BFD_HOST_U_64_BIT isa_flag32; ++ uint64_t isa_flag16; ++ uint64_t isa_flag32; + /* Whether this insn needs relocation, 0: no, !=0: yes. */ + signed int reloc16; + signed int reloc32; +diff --git a/opcodes/ia64-dis.c b/opcodes/ia64-dis.c +index 5eb37277a5d..e76f40393c6 100644 +--- a/opcodes/ia64-dis.c ++++ b/opcodes/ia64-dis.c +@@ -73,7 +73,7 @@ print_insn_ia64 (bfd_vma memaddr, struct disassemble_info *info) + const struct ia64_operand *odesc; + const struct ia64_opcode *idesc; + const char *err, *str, *tname; +- BFD_HOST_U_64_BIT value; ++ uint64_t value; + bfd_byte bundle[16]; + enum ia64_unit unit; + char regname[16]; +-- +2.31.1 + diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch new file mode 100644 index 0000000000..6a838ea3ea --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch 
@@ -0,0 +1,156 @@
+From 31d6c13defeba7716ebc9d5c8f81f2f35fe39980 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 14 Jun 2022 12:46:42 +0930
+Subject: [PATCH] PR29230, segv in lookup_symbol_in_variable_table
+
+The PR23230 testcase uses indexed strings without specifying
+SW_AT_str_offsets_base. In this case we left u.str with garbage (from
+u.val) which then led to a segfault when attempting to access the
+string. Fix that by clearing u.str. The patch also adds missing
+sanity checks in the recently committed read_indexed_address and
+read_indexed_string functions.
+
+ PR 29230
+ * dwarf2.c (read_indexed_address): Return uint64_t. Sanity check idx.
+ (read_indexed_string): Use uint64_t for str_offset. Sanity check idx.
+ (read_attribute_value): Clear u.str for indexed string forms when
+ DW_AT_str_offsets_base is not yet read or missing.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=31d6c13defeba7716ebc9d5c8f81f2f35fe39980]
+
+CVE: CVE-2023-1579
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+---
+ bfd/dwarf2.c | 51 ++++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 42 insertions(+), 9 deletions(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 51018e1ab45..aaa2d84887f 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -1353,13 +1353,13 @@ is_addrx_form (enum dwarf_form form)
+
+ /* Returns the address in .debug_addr section using DW_AT_addr_base.
+ Used to implement DW_FORM_addrx*. */
+-static bfd_vma
++static uint64_t
+ read_indexed_address (uint64_t idx, struct comp_unit *unit)
+ {
+ struct dwarf2_debug *stash = unit->stash;
+ struct dwarf2_debug_file *file = unit->file;
+- size_t addr_base = unit->dwarf_addr_offset;
+ bfd_byte *info_ptr;
++ size_t offset;
+
+ if (stash == NULL)
+ return 0;
+@@ -1369,12 +1369,23 @@ read_indexed_address (uint64_t idx, struct comp_unit *unit)
+ &file->dwarf_addr_buffer, &file->dwarf_addr_size))
+ return 0;
+
+- info_ptr = file->dwarf_addr_buffer + addr_base + idx * unit->offset_size;
++ if (_bfd_mul_overflow (idx, unit->offset_size, &offset))
++ return 0;
++
++ offset += unit->dwarf_addr_offset;
++ if (offset < unit->dwarf_addr_offset
++ || offset > file->dwarf_addr_size
++ || file->dwarf_addr_size - offset < unit->offset_size)
++ return 0;
++
++ info_ptr = file->dwarf_addr_buffer + offset;
+
+ if (unit->offset_size == 4)
+ return bfd_get_32 (unit->abfd, info_ptr);
+- else
++ else if (unit->offset_size == 8)
+ return bfd_get_64 (unit->abfd, info_ptr);
++ else
++ return 0;
+ }
+
+ /* Returns the string using DW_AT_str_offsets_base.
+@@ -1385,7 +1396,8 @@ read_indexed_string (uint64_t idx, struct comp_unit *unit)
+ struct dwarf2_debug *stash = unit->stash;
+ struct dwarf2_debug_file *file = unit->file;
+ bfd_byte *info_ptr;
+- unsigned long str_offset;
++ uint64_t str_offset;
++ size_t offset;
+
+ if (stash == NULL)
+ return NULL;
+@@ -1401,15 +1413,26 @@ read_indexed_string (uint64_t idx, struct comp_unit *unit)
+ &file->dwarf_str_offsets_size))
+ return NULL;
+
+- info_ptr = (file->dwarf_str_offsets_buffer
+- + unit->dwarf_str_offset
+- + idx * unit->offset_size);
++ if (_bfd_mul_overflow (idx, unit->offset_size, &offset))
++ return NULL;
++
++ offset += unit->dwarf_str_offset;
++ if (offset < unit->dwarf_str_offset
++ || offset > file->dwarf_str_offsets_size
++ || file->dwarf_str_offsets_size - offset < unit->offset_size)
++ return NULL;
++
++ info_ptr = file->dwarf_str_offsets_buffer + offset;
+
+ if (unit->offset_size == 4)
+ str_offset = bfd_get_32 (unit->abfd, info_ptr);
+- else
++ else if (unit->offset_size == 8)
+ str_offset = bfd_get_64 (unit->abfd, info_ptr);
++ else
++ return NULL;
+
++ if (str_offset >= file->dwarf_str_size)
++ return NULL;
+ return (const char *) file->dwarf_str_buffer + str_offset;
+ }
+
+@@ -1534,27 +1557,37 @@ read_attribute_value (struct attribute * attr,
+ is not yet read. */
+ if (unit->dwarf_str_offset != 0)
+ attr->u.str = (char *) read_indexed_string (attr->u.val, unit);
++ else
++ attr->u.str = NULL;
+ break;
+ case DW_FORM_strx2:
+ attr->u.val = read_2_bytes (abfd, &info_ptr, info_ptr_end);
+ if (unit->dwarf_str_offset != 0)
+ attr->u.str = (char *) read_indexed_string (attr->u.val, unit);
++ else
++ attr->u.str = NULL;
+ break;
+ case DW_FORM_strx3:
+ attr->u.val = read_3_bytes (abfd, &info_ptr, info_ptr_end);
+ if (unit->dwarf_str_offset != 0)
+ attr->u.str = (char *) read_indexed_string (attr->u.val, unit);
++ else
++ attr->u.str = NULL;
+ break;
+ case DW_FORM_strx4:
+ attr->u.val = read_4_bytes (abfd, &info_ptr, info_ptr_end);
+ if (unit->dwarf_str_offset != 0)
+ attr->u.str = (char *) read_indexed_string (attr->u.val, unit);
++ else
++ attr->u.str = NULL;
+ break;
+ case DW_FORM_strx:
+ attr->u.val = _bfd_safe_read_leb128 (abfd, &info_ptr,
+ false, info_ptr_end);
+ if (unit->dwarf_str_offset != 0)
+ attr->u.str = (char *) read_indexed_string (attr->u.val, unit);
++ else
++ attr->u.str = NULL;
+ break;
+ case DW_FORM_exprloc:
+ case DW_FORM_block:
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch
new file mode 100644
index 0000000000..c5a869ca9d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch
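Review bot: The comment above read_indexed_address still describes only the success path, while the new body returns 0 for an overflowing index, an offset outside .debug_addr, or an offset size other than 4 or 8. Since 0 may also be a legitimate address, a caller cannot tell a rejected index from a real one, so the contract should at least be written down, e.g. `/* Returns 0 if IDX does not fit within .debug_addr or the unit's offset size is not 4 or 8.  */`. read_indexed_string gains the same early exits returning NULL and would benefit from the matching sentence in its own header comment. Both functions continue outside the hunks shown.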
@@ -0,0 +1,37 @@
+From 3e307d538c351aa9327cbad672c884059ecc20dd Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 11 Jan 2023 12:13:46 +0000
+Subject: [PATCH] Fix a potential illegal memory access in the BFD library when
+ parsing a corrupt DWARF file.
+
+ PR 29988
+ * dwarf2.c (read_indexed_address): Fix check for an out of range
+ offset.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3e307d538c351aa9327cbad672c884059ecc20dd]
+
+CVE: CVE-2023-1579
+
+Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
+
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/dwarf2.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 6eb6e04e6e5..4ec0053a111 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -1412,7 +1412,7 @@ read_indexed_address (uint64_t idx, struct comp_unit *unit)
+ offset += unit->dwarf_addr_offset;
+ if (offset < unit->dwarf_addr_offset
+ || offset > file->dwarf_addr_size
+- || file->dwarf_addr_size - offset < unit->offset_size)
++ || file->dwarf_addr_size - offset < unit->addr_size)
+ return 0;
+
+ info_ptr = file->dwarf_addr_buffer + offset;
+--
+2.31.1
+
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
new file mode 100644
index 0000000000..990243f5c9
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-1.patch
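Review bot: After this one-line change the guard in read_indexed_address requires `unit->addr_size` bytes to remain, but the surrounding lines, as left by 0021-CVE-2023-1579-3.patch, still scale the index with `_bfd_mul_overflow (idx, unit->offset_size, &offset)` and choose `bfd_get_32`/`bfd_get_64` from `unit->offset_size`. For a unit whose addr_size is 4 and offset_size is 8 the check would pass with four bytes left while the read takes eight. Unless another patch in the series (not visible here) moves the multiply and the read width to addr_size as well, the backport should keep all three on the same field, i.e. `_bfd_mul_overflow (idx, unit->addr_size, &offset)` and `if (unit->addr_size == 4)` / `else if (unit->addr_size == 8)`. The function body extends beyond the hunk.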
@@ -0,0 +1,56 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 17 Mar 2022 09:35:39 +0000 (+1030)
+Subject: ubsan: Null dereference in parse_module
+X-Git-Tag: gdb-12.1-release~59
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2
+
+ubsan: Null dereference in parse_module
+
+ * vms-alpha.c (parse_module): Sanity check that DST__K_RTNBEG
+ has set module->func_table for DST__K_RTNEND. Check return
+ of bfd_zalloc.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c9178f285acf19e066be8367185d52837161b0a2]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 4a92574c850..1129c98f0e2 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4352,9 +4352,13 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+
+ /* Initialize tables with zero element. */
+ curr_srec = (struct srecinfo *) bfd_zalloc (abfd, sizeof (struct srecinfo));
++ if (!curr_srec)
++ return false;
+ module->srec_table = curr_srec;
+
+ curr_line = (struct lineinfo *) bfd_zalloc (abfd, sizeof (struct lineinfo));
++ if (!curr_line)
++ return false;
+ module->line_table = curr_line;
+
+ while (length == -1 || ptr < maxptr)
+@@ -4389,6 +4393,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ case DST__K_RTNBEG:
+ funcinfo = (struct funcinfo *)
+ bfd_zalloc (abfd, sizeof (struct funcinfo));
++ if (!funcinfo)
++ return false;
+ funcinfo->name
+ = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME,
+ maxptr - (ptr + DST_S_B_RTNBEG_NAME));
+@@ -4401,6 +4407,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ break;
+
+ case DST__K_RTNEND:
++ if (!module->func_table)
++ return false;
+ module->func_table->high = module->func_table->low
+ + bfd_getl32 (ptr + DST_S_L_RTNEND_SIZE) - 1;
+
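Review bot: The three bfd_zalloc results are now checked, but the value assigned to `funcinfo->name` directly below the new `if (!funcinfo)` test in the DST__K_RTNBEG case is still stored unchecked. If `_bfd_vms_save_counted_string` can return NULL for a bad count or a failed allocation (its definition is not on this page), the record would presumably be linked into `module->func_table` with a NULL name. A matching `if (!funcinfo->name) return false;` after the assignment would close that, or a comment should state that consumers of the table accept a NULL name. parse_module starts and ends outside these hunks.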
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
new file mode 100644
index 0000000000..f4c5ed2aff
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-2.patch
@@ -0,0 +1,38 @@
+From da928f639002002dfc649ed9f50492d5d6cb4cee Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Dec 2022 11:11:44 +0000
+Subject: [PATCH] Fix an illegal memory access when parsing a corrupt VMS Alpha
+ file.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix an illegal memory access when parsing a corrupt VMS Alpha file.
+
+ PR 29848
+ * vms-alpha.c (parse_module): Fix potential out of bounds memory
+ access.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=942fa4fb32738ecbb447546d54f1e5f0312d2ed4]
+
+CVE: CVE-2023-25584
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+ bfd/vms-alpha.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index c548722c..53b3f1bf 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ return false;
+ module->line_table = curr_line;
+
+- while (length == -1 || ptr < maxptr)
++ while (length == -1 || (ptr + 3) < maxptr)
+ {
+ /* The first byte is not counted in the recorded length. */
+ int rec_length = bfd_getl16 (ptr) + 1;
diff --git a/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
new file mode 100644
index 0000000000..47cc3f310b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-CVE-2023-25584-3.patch
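Review bot: The new loop condition computes `ptr + 3` before comparing it with maxptr, and if maxptr marks the end of the buffer that pointer is already out of range once fewer than three bytes remain, which the C standard leaves undefined. Comparing the remaining length avoids forming it: `while (length == -1 || maxptr - ptr > 3)`. 0022-CVE-2023-25584-3.patch rewrites this line as `while (ptr + 3 < maxptr)` yet uses the subtraction form for its other checks (`rec_length > maxptr - ptr`), so the loop header there could follow the same pattern. The loop body continues outside the hunk.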
@@ -0,0 +1,536 @@ +From: Alan Modra <amodra@gmail.com> +Date: Mon, 12 Dec 2022 07:58:49 +0000 (+1030) +Subject: Lack of bounds checking in vms-alpha.c parse_module +X-Git-Tag: gdb-13-branchpoint~87 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44 + +Lack of bounds checking in vms-alpha.c parse_module + + PR 29873 + PR 29874 + PR 29875 + PR 29876 + PR 29877 + PR 29878 + PR 29879 + PR 29880 + PR 29881 + PR 29882 + PR 29883 + PR 29884 + PR 29885 + PR 29886 + PR 29887 + PR 29888 + PR 29889 + PR 29890 + PR 29891 + * vms-alpha.c (parse_module): Make length param bfd_size_type. + Delete length == -1 checks. Sanity check record_length. + Sanity check DST__K_MODBEG, DST__K_RTNBEG, DST__K_RTNEND lengths. + Sanity check DST__K_SOURCE and DST__K_LINE_NUM elements + before accessing. + (build_module_list): Pass dst_section size to parse_module. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=77c225bdeb410cf60da804879ad41622f5f1aa44] + +CVE: CVE-2023-25584 +CVE: CVE-2022-47673 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> + +--- + +diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c +index c0eb5bc5a2a..3b63259cc81 100644 +--- a/bfd/vms-alpha.c ++++ b/bfd/vms-alpha.c +@@ -4340,7 +4340,7 @@ new_module (bfd *abfd) + + static bool + parse_module (bfd *abfd, struct module *module, unsigned char *ptr, +- int length) ++ bfd_size_type length) + { + unsigned char *maxptr = ptr + length; + unsigned char *src_ptr, *pcl_ptr; +@@ -4361,7 +4361,7 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + return false; + module->line_table = curr_line; + +- while (length == -1 || (ptr + 3) < maxptr) ++ while (ptr + 3 < maxptr) + { + /* The first byte is not counted in the recorded length. 
*/ + int rec_length = bfd_getl16 (ptr) + 1; +@@ -4369,15 +4369,19 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((2, "DST record: leng %d, type %d\n", rec_length, rec_type)); + +- if (length == -1 && rec_type == DST__K_MODEND) ++ if (rec_length > maxptr - ptr) ++ break; ++ if (rec_type == DST__K_MODEND) + break; + + switch (rec_type) + { + case DST__K_MODBEG: ++ if (rec_length <= DST_S_B_MODBEG_NAME) ++ break; + module->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_MODBEG_NAME, +- maxptr - (ptr + DST_S_B_MODBEG_NAME)); ++ rec_length - DST_S_B_MODBEG_NAME); + + curr_pc = 0; + prev_pc = 0; +@@ -4391,13 +4395,15 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNBEG: ++ if (rec_length <= DST_S_B_RTNBEG_NAME) ++ break; + funcinfo = (struct funcinfo *) + bfd_zalloc (abfd, sizeof (struct funcinfo)); + if (!funcinfo) + return false; + funcinfo->name + = _bfd_vms_save_counted_string (abfd, ptr + DST_S_B_RTNBEG_NAME, +- maxptr - (ptr + DST_S_B_RTNBEG_NAME)); ++ rec_length - DST_S_B_RTNBEG_NAME); + funcinfo->low = bfd_getl32 (ptr + DST_S_L_RTNBEG_ADDRESS); + funcinfo->next = module->func_table; + module->func_table = funcinfo; +@@ -4407,6 +4413,8 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + break; + + case DST__K_RTNEND: ++ if (rec_length < DST_S_L_RTNEND_SIZE + 4) ++ break; + if (!module->func_table) + return false; + module->func_table->high = module->func_table->low +@@ -4439,10 +4447,63 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((3, "source info\n")); + +- while (src_ptr < ptr + rec_length) ++ while (src_ptr - ptr < rec_length) + { + int cmd = src_ptr[0], cmd_length, data; + ++ switch (cmd) ++ { ++ case DST__K_SRC_DECLFILE: ++ if (src_ptr - ptr + DST_S_B_SRC_DF_LENGTH >= rec_length) ++ cmd_length = 0x10000; ++ else ++ cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; ++ break; ++ ++ case 
DST__K_SRC_DEFLINES_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_DEFLINES_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_INCRLNUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SRC_SETFILE: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETLNUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETLNUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_SETREC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SRC_SETREC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SRC_FORMFEED: ++ cmd_length = 1; ++ break; ++ ++ default: ++ cmd_length = 2; ++ break; ++ } ++ ++ if (src_ptr - ptr + cmd_length > rec_length) ++ break; ++ + switch (cmd) + { + case DST__K_SRC_DECLFILE: +@@ -4467,7 +4528,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + module->file_table [fileid].name = filename; + module->file_table [fileid].srec = 1; +- cmd_length = src_ptr[DST_S_B_SRC_DF_LENGTH] + 2; + vms_debug2 ((4, "DST_S_C_SRC_DECLFILE: %d, %s\n", + fileid, module->file_table [fileid].name)); + } +@@ -4484,7 +4544,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_B: %d\n", data)); + break; + +@@ -4499,14 +4558,12 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + srec->sfile = curr_srec->sfile; + curr_srec->next = srec; + curr_srec = srec; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_DEFLINES_W: %d\n", data)); + break; + + case DST__K_SRC_INCRLNUM_B: + data = src_ptr[DST_S_B_SRC_UNSBYTE]; + curr_srec->line += data; +- cmd_length = 2; + vms_debug2 ((4, "DST_S_C_SRC_INCRLNUM_B: %d\n", data)); + break; + +@@ -4514,21 +4571,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->sfile = data; + curr_srec->srec = module->file_table[data].srec; +- cmd_length = 3; + vms_debug2 
((4, "DST_S_C_SRC_SETFILE: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_L: + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->line = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_L: %d\n", data)); + break; + + case DST__K_SRC_SETLNUM_W: + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->line = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETLNUM_W: %d\n", data)); + break; + +@@ -4536,7 +4590,6 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl32 (src_ptr + DST_S_L_SRC_UNSLONG); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 5; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_L: %d\n", data)); + break; + +@@ -4544,19 +4597,16 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl16 (src_ptr + DST_S_W_SRC_UNSWORD); + curr_srec->srec = data; + module->file_table[curr_srec->sfile].srec = data; +- cmd_length = 3; + vms_debug2 ((4, "DST_S_C_SRC_SETREC_W: %d\n", data)); + break; + + case DST__K_SRC_FORMFEED: +- cmd_length = 1; + vms_debug2 ((4, "DST_S_C_SRC_FORMFEED\n")); + break; + + default: + _bfd_error_handler (_("unknown source command %d"), + cmd); +- cmd_length = 2; + break; + } + +@@ -4569,18 +4619,114 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + + vms_debug2 ((3, "line info\n")); + +- while (pcl_ptr < ptr + rec_length) ++ while (pcl_ptr - ptr < rec_length) + { + /* The command byte is signed so we must sign-extend it. 
*/ + int cmd = ((signed char *)pcl_ptr)[0], cmd_length, data; + ++ switch (cmd) ++ { ++ case DST__K_DELTA_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_DELTA_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_INCR_LINUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_INCR_LINUM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_INCR_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_LINUM_INCR: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM_INCR_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_RESET_LINUM_INCR: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_BEG_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_END_STMT_MODE: ++ cmd_length = 1; ++ break; ++ ++ case DST__K_SET_LINUM_B: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_LINUM: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_LINUM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_PC: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_SET_PC_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_SET_PC_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_STMTNUM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM: ++ cmd_length = 2; ++ break; ++ ++ case DST__K_TERM_W: ++ cmd_length = 3; ++ break; ++ ++ case DST__K_TERM_L: ++ cmd_length = 5; ++ break; ++ ++ case DST__K_SET_ABS_PC: ++ cmd_length = 5; ++ break; ++ ++ default: ++ if (cmd <= 0) ++ cmd_length = 1; ++ else ++ cmd_length = 2; ++ break; ++ } ++ ++ if (pcl_ptr - ptr + cmd_length > rec_length) ++ break; ++ + switch (cmd) + { + case DST__K_DELTA_PC_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_DELTA_PC_W: %d\n", data)); + break; + +@@ -4588,131 +4734,111 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; + curr_linenum += 1; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_DELTA_PC_L: %d\n", data)); + break; + + case 
DST__K_INCR_LINUM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_INCR_LINUM: %d\n", data)); + break; + + case DST__K_INCR_LINUM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_INCR_LINUM_W: %d\n", data)); + break; + + case DST__K_INCR_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_INCR_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR"); +- cmd_length = 2; + break; + + case DST__K_SET_LINUM_INCR_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_LINUM_INCR_W"); +- cmd_length = 3; + break; + + case DST__K_RESET_LINUM_INCR: + _bfd_error_handler + (_("%s not implemented"), "DST__K_RESET_LINUM_INCR"); +- cmd_length = 1; + break; + + case DST__K_BEG_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_BEG_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_END_STMT_MODE: + _bfd_error_handler + (_("%s not implemented"), "DST__K_END_STMT_MODE"); +- cmd_length = 1; + break; + + case DST__K_SET_LINUM_B: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_linenum = data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_SET_LINUM_B: %d\n", data)); + break; + + case DST__K_SET_LINUM: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_linenum = data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_SET_LINE_NUM: %d\n", data)); + break; + + case DST__K_SET_LINUM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_linenum = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_LINUM_L: %d\n", data)); + break; + + case DST__K_SET_PC: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC"); +- cmd_length = 2; + break; + + case DST__K_SET_PC_W: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_W"); 
+- cmd_length = 3; + break; + + case DST__K_SET_PC_L: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_PC_L"); +- cmd_length = 5; + break; + + case DST__K_SET_STMTNUM: + _bfd_error_handler + (_("%s not implemented"), "DST__K_SET_STMTNUM"); +- cmd_length = 2; + break; + + case DST__K_TERM: + data = pcl_ptr[DST_S_B_PCLINE_UNSBYTE]; + curr_pc += data; +- cmd_length = 2; + vms_debug2 ((4, "DST__K_TERM: %d\n", data)); + break; + + case DST__K_TERM_W: + data = bfd_getl16 (pcl_ptr + DST_S_W_PCLINE_UNSWORD); + curr_pc += data; +- cmd_length = 3; + vms_debug2 ((4, "DST__K_TERM_W: %d\n", data)); + break; + + case DST__K_TERM_L: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc += data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_TERM_L: %d\n", data)); + break; + + case DST__K_SET_ABS_PC: + data = bfd_getl32 (pcl_ptr + DST_S_L_PCLINE_UNSLONG); + curr_pc = data; +- cmd_length = 5; + vms_debug2 ((4, "DST__K_SET_ABS_PC: 0x%x\n", data)); + break; + +@@ -4721,15 +4847,11 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr, + { + curr_pc -= cmd; + curr_linenum += 1; +- cmd_length = 1; + vms_debug2 ((4, "bump pc to 0x%lx and line to %d\n", + (unsigned long)curr_pc, curr_linenum)); + } + else +- { +- _bfd_error_handler (_("unknown line command %d"), cmd); +- cmd_length = 2; +- } ++ _bfd_error_handler (_("unknown line command %d"), cmd); + break; + } + +@@ -4859,7 +4981,8 @@ build_module_list (bfd *abfd) + return NULL; + + module = new_module (abfd); +- if (!parse_module (abfd, module, PRIV (dst_section)->contents, -1)) ++ if (!parse_module (abfd, module, PRIV (dst_section)->contents, ++ PRIV (dst_section)->size)) + return NULL; + list = module; + } diff --git a/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch new file mode 100644 index 0000000000..e31a027b9f --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0023-CVE-2023-25585.patch 
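Review bot: The `DST__K_SRC_SETFILE` case still indexes `module->file_table[data]` with a 16-bit value read from the file, and the `DST__K_SRC_SETREC_L`/`DST__K_SRC_SETREC_W` cases write through `module->file_table[curr_srec->sfile]`, with no comparison against `module->file_table_count` in the lines shown. The new pre-pass switch only proves that the command's bytes lie inside the record, not that the decoded index lies inside the table. A guard such as `if ((unsigned int) data >= module->file_table_count) break;` before the lookup in `DST__K_SRC_SETFILE` would cover all three cases, since `sfile` is only set there. parse_module starts and ends outside the hunks shown, so confirm no such check already exists elsewhere.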
@@ -0,0 +1,54 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 12 Dec 2022 08:31:08 +0000 (+1030)
+Subject: PR29892, Field file_table of struct module is uninitialized
+X-Git-Tag: gdb-13-branchpoint~86
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7
+
+PR29892, Field file_table of struct module is uninitialized
+
+ PR 29892
+ * vms-alphs.c (new_module): Use bfd_zmalloc to alloc file_table.
+ (parse_module): Rewrite file_table reallocation code and clear.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=65cf035b8dc1df5d8020e0b1449514a3c42933e7]
+
+CVE: CVE-2023-25585
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/vms-alpha.c b/bfd/vms-alpha.c
+index 3b63259cc81..6ee7060b0b2 100644
+--- a/bfd/vms-alpha.c
++++ b/bfd/vms-alpha.c
+@@ -4337,7 +4337,7 @@ new_module (bfd *abfd)
+ = (struct module *) bfd_zalloc (abfd, sizeof (struct module));
+ module->file_table_count = 16; /* Arbitrary. */
+ module->file_table
+- = bfd_malloc (module->file_table_count * sizeof (struct fileinfo));
++ = bfd_zmalloc (module->file_table_count * sizeof (struct fileinfo));
+ return module;
+ }
+ 
+@@ -4520,15 +4520,18 @@ parse_module (bfd *abfd, struct module *module, unsigned char *ptr,
+ src_ptr + DST_S_B_SRC_DF_FILENAME,
+ ptr + rec_length - (src_ptr + DST_S_B_SRC_DF_FILENAME));
+ 
+- while (fileid >= module->file_table_count)
++ if (fileid >= module->file_table_count)
+ {
+- module->file_table_count *= 2;
++ unsigned int old_count = module->file_table_count;
++ module->file_table_count += fileid;
+ module->file_table
+ = bfd_realloc_or_free (module->file_table,
+ module->file_table_count
+ * sizeof (struct fileinfo));
+ if (module->file_table == NULL)
+ return false;
++ memset (module->file_table + old_count, 0,
++ fileid * sizeof (struct fileinfo));
+ }
+ 
+ module->file_table [fileid].name = filename;
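Review bot: `new_module` writes `module->file_table_count` straight after `bfd_zalloc` and stores the `bfd_zmalloc` result in `module->file_table` without testing either, so an allocation failure becomes a NULL dereference here or at the later `module->file_table [fileid].name = filename;`. As the patch already touches this allocation, it could add `if (module == NULL) return NULL;` after the first call and `if (module->file_table == NULL) return NULL;` after the second. Callers of `new_module` are outside this hunk and would then need to check for a NULL module.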
diff --git a/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
new file mode 100644
index 0000000000..9b5825037f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0025-CVE-2023-25588.patch
@@ -0,0 +1,149 @@ +From: Alan Modra <amodra@gmail.com> +Date: Fri, 14 Oct 2022 00:00:21 +0000 (+1030) +Subject: PR29677, Field `the_bfd` of `asymbol` is uninitialised +X-Git-Tag: gdb-13-branchpoint~871 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1 + +PR29677, Field `the_bfd` of `asymbol` is uninitialised + +Besides not initialising the_bfd of synthetic symbols, counting +symbols when sizing didn't match symbols created if there were any +dynsyms named "". We don't want synthetic symbols without names +anyway, so get rid of them. Also, simplify and correct sanity checks. + + PR 29677 + * mach-o.c (bfd_mach_o_get_synthetic_symtab): Rewrite. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1] + +CVE: CVE-2023-25588 +CVE: CVE-2022-47696 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> + +--- + +diff --git a/bfd/mach-o.c b/bfd/mach-o.c +index acb35e7f0c6..5279343768c 100644 +--- a/bfd/mach-o.c ++++ b/bfd/mach-o.c +@@ -938,11 +938,9 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + bfd_mach_o_symtab_command *symtab = mdata->symtab; + asymbol *s; + char * s_start; +- char * s_end; + unsigned long count, i, j, n; + size_t size; + char *names; +- char *nul_name; + const char stub [] = "$stub"; + + *ret = NULL; +@@ -955,27 +953,27 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + /* We need to allocate a bfd symbol for every indirect symbol and to + allocate the memory for its name. */ + count = dysymtab->nindirectsyms; +- size = count * sizeof (asymbol) + 1; +- ++ size = 0; + for (j = 0; j < count; j++) + { +- const char * strng; + unsigned int isym = dysymtab->indirect_syms[j]; ++ const char *str; + + /* Some indirect symbols are anonymous. 
*/ +- if (isym < symtab->nsyms && (strng = symtab->symbols[isym].symbol.name)) +- /* PR 17512: file: f5b8eeba. */ +- size += strnlen (strng, symtab->strsize - (strng - symtab->strtab)) + sizeof (stub); ++ if (isym < symtab->nsyms ++ && (str = symtab->symbols[isym].symbol.name) != NULL) ++ { ++ /* PR 17512: file: f5b8eeba. */ ++ size += strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ size += sizeof (stub); ++ } + } + +- s_start = bfd_malloc (size); ++ s_start = bfd_malloc (size + count * sizeof (asymbol)); + s = *ret = (asymbol *) s_start; + if (s == NULL) + return -1; + names = (char *) (s + count); +- nul_name = names; +- *names++ = 0; +- s_end = s_start + size; + + n = 0; + for (i = 0; i < mdata->nsects; i++) +@@ -997,47 +995,39 @@ bfd_mach_o_get_synthetic_symtab (bfd *abfd, + entry_size = bfd_mach_o_section_get_entry_size (abfd, sec); + + /* PR 17512: file: 08e15eec. */ +- if (first >= count || last >= count || first > last) ++ if (first >= count || last > count || first > last) + goto fail; + + for (j = first; j < last; j++) + { + unsigned int isym = dysymtab->indirect_syms[j]; +- +- /* PR 17512: file: 04d64d9b. */ +- if (((char *) s) + sizeof (* s) > s_end) +- goto fail; +- +- s->flags = BSF_GLOBAL | BSF_SYNTHETIC; +- s->section = sec->bfdsection; +- s->value = addr - sec->addr; +- s->udata.p = NULL; ++ const char *str; ++ size_t len; + + if (isym < symtab->nsyms +- && symtab->symbols[isym].symbol.name) ++ && (str = symtab->symbols[isym].symbol.name) != NULL) + { +- const char *sym = symtab->symbols[isym].symbol.name; +- size_t len; +- +- s->name = names; +- len = strlen (sym); +- /* PR 17512: file: 47dfd4d2. */ +- if (names + len >= s_end) ++ /* PR 17512: file: 04d64d9b. */ ++ if (n >= count) + goto fail; +- memcpy (names, sym, len); +- names += len; +- /* PR 17512: file: 18f340a4. */ +- if (names + sizeof (stub) >= s_end) ++ len = strnlen (str, symtab->strsize - (str - symtab->strtab)); ++ /* PR 17512: file: 47dfd4d2, 18f340a4. 
*/ ++ if (size < len + sizeof (stub)) + goto fail; +- memcpy (names, stub, sizeof (stub)); +- names += sizeof (stub); ++ memcpy (names, str, len); ++ memcpy (names + len, stub, sizeof (stub)); ++ s->name = names; ++ names += len + sizeof (stub); ++ size -= len + sizeof (stub); ++ s->the_bfd = symtab->symbols[isym].symbol.the_bfd; ++ s->flags = BSF_GLOBAL | BSF_SYNTHETIC; ++ s->section = sec->bfdsection; ++ s->value = addr - sec->addr; ++ s->udata.p = NULL; ++ s++; ++ n++; + } +- else +- s->name = nul_name; +- + addr += entry_size; +- s++; +- n++; + } + break; + default: diff --git a/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch new file mode 100644 index 0000000000..f86adad217 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0026-CVE-2023-1972.patch 
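Review bot: `size` changes meaning part-way through the rewritten `bfd_mach_o_get_synthetic_symtab` and nothing in the code says so. The first loop accumulates the total bytes needed for names; the second loop decrements it as the space still unused, which is what makes `if (size < len + sizeof (stub)) goto fail;` a bounds check on the `memcpy` calls. A comment before the section loop, e.g. `/* SIZE now counts the name bytes still unused in the buffer. */`, would keep a later edit from breaking that invariant. The function begins and ends outside the hunks shown.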
@@ -0,0 +1,41 @@
+From: Nick Clifton <nickc@redhat.com>
+Date: Thu, 30 Mar 2023 09:10:09 +0000 (+0100)
+Subject: Fix an illegal memory access when an accessing a zer0-lengthverdef table.
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57
+
+Fix an illegal memory access when an accessing a zer0-lengthverdef table.
+
+ PR 30285
+ * elf.c (_bfd_elf_slurp_version_tables): Fail if no version definitions are allocated.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57]
+
+CVE: CVE-2023-1972
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 027d0143735..185028cbd97 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ bfd_set_error (bfd_error_file_too_big);
+ goto error_return_verdef;
+ }
++
++ if (amt == 0)
++ goto error_return_verdef;
+ elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+ if (elf_tdata (abfd)->verdef == NULL)
+ goto error_return_verdef;
+@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver)
+ bfd_set_error (bfd_error_file_too_big);
+ goto error_return;
+ }
++ if (amt == 0)
++ goto error_return;
+ elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt);
+ if (elf_tdata (abfd)->verdef == NULL)
+ goto error_return;
diff --git a/meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch b/meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch
new file mode 100644
index 0000000000..a3fff65409
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch
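Review bot: Both new `if (amt == 0)` exits jump to the error label without calling `bfd_set_error`, whereas the size-overflow branch directly above each of them sets `bfd_error_file_too_big` first. A zero-length verdef table therefore fails with whatever error code an earlier call left behind. Adding `bfd_set_error (bfd_error_bad_value);` before each `goto` would make the failure diagnosable. The `error_return` and `error_return_verdef` labels are outside the hunks, so confirm they do not already set an error.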
@@ -0,0 +1,67 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Jun 2022 23:43:38 +0000 (+0930)
+Subject: PR29255, memory leak in make_tempdir
+X-Git-Tag: binutils-2_39~236
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682
+
+PR29255, memory leak in make_tempdir
+
+ PR 29255
+ * bucomm.c (make_tempdir, make_tempname): Free template on all
+ failure paths.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d6e1d48c83b165c129cb0aa78905f7ca80a1f682]
+
+CVE: CVE-2022-47008
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/binutils/bucomm.c b/binutils/bucomm.c
+index fdc2209df9c..4395cb9f7f5 100644
+--- a/binutils/bucomm.c
++++ b/binutils/bucomm.c
+@@ -537,8 +537,9 @@ make_tempname (const char *filename, int *ofd)
+ #else
+ tmpname = mktemp (tmpname);
+ if (tmpname == NULL)
+- return NULL;
+- fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
++ fd = -1;
++ else
++ fd = open (tmpname, O_RDWR | O_CREAT | O_EXCL, 0600);
+ #endif
+ if (fd == -1)
+ {
+@@ -556,22 +557,23 @@ char *
+ make_tempdir (const char *filename)
+ {
+ char *tmpname = template_in_dir (filename);
++ char *ret;
+ 
+ #ifdef HAVE_MKDTEMP
+- return mkdtemp (tmpname);
++ ret = mkdtemp (tmpname);
+ #else
+- tmpname = mktemp (tmpname);
+- if (tmpname == NULL)
+- return NULL;
++ ret = mktemp (tmpname);
+ #if defined (_WIN32) && !defined (__CYGWIN32__)
+ if (mkdir (tmpname) != 0)
+- return NULL;
++ ret = NULL;
+ #else
+ if (mkdir (tmpname, 0700) != 0)
+- return NULL;
++ ret = NULL;
+ #endif
+- return tmpname;
+ #endif
++ if (ret == NULL)
++ free (tmpname);
++ return ret;
+ }
+ 
+ /* Parse a string into a VMA, with a fatal error if it can't be
diff --git a/meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch b/meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch
new file mode 100644
index 0000000000..73ae46e218
--- /dev/null
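Review bot: In the `make_tempname` fallback the context line `tmpname = mktemp (tmpname);` still overwrites the only pointer to the template, so when `mktemp` returns NULL the new `fd = -1` path has nothing left to free. The body of `if (fd == -1)` lies outside the hunk, but it can only see NULL at that point, so the leak this patch targets remains on that path. Holding the result in a separate variable, as the `make_tempdir` hunk does with `ret`, would close it. In `make_tempdir` the fallback now calls `mkdir` even after `mktemp` failed; `if (ret != NULL && mkdir (tmpname, 0700) != 0)`, with the same change in the `_WIN32` branch, keeps the previous early-out behaviour.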
+++ b/meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch
@@ -0,0 +1,35 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 20 Jun 2022 01:09:13 +0000 (+0930)
+Subject: PR29261, memory leak in parse_stab_struct_fields
+X-Git-Tag: binutils-2_39~225
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35
+
+PR29261, memory leak in parse_stab_struct_fields
+
+ PR 29261
+ * stabs.c (parse_stab_struct_fields): Free "fields" on failure path.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8a24927bc8dbf6beac2000593b21235c3796dc35]
+
+CVE: CVE-2022-47011
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+---
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 796ff85b86a..bf3f578cbcc 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -2367,7 +2367,10 @@ parse_stab_struct_fields (void *dhandle,
+ 
+ if (! parse_stab_one_struct_field (dhandle, info, pp, p, fields + c,
+ staticsp, p_end))
+- return false;
++ {
++ free (fields);
++ return false;
++ }
+ 
+ ++c;
+ }
diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
new file mode 100644
index 0000000000..4642251f9b
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-1.patch
@@ -0,0 +1,31 @@
+From: Jan Beulich <jbeulich@suse.com>
+Date: Tue, 29 Mar 2022 06:19:14 +0000 (+0200)
+Subject: bfd/Dwarf2: gas doesn't mangle names
+X-Git-Tag: binutils-2_39~1287
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09
+
+bfd/Dwarf2: gas doesn't mangle names
+
+Include the language identifier emitted by gas in the set of ones where
+no mangled names are expected. Even if there could be "hand-mangled"
+names, gas doesn't emit DW_AT_linkage_name in the first place.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=ddfc2f56d5782af79c696d7fef7c73bba11e8b09]
+
+CVE: CVE-2022-48065
+
+Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com>
+
+---
+
+diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c
+index 8cd0ce9d425..9aa4e955a5e 100644
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -1441,6 +1441,7 @@ non_mangled (int lang)
+ case DW_LANG_PLI:
+ case DW_LANG_UPC:
+ case DW_LANG_C11:
++ case DW_LANG_Mips_Assembler:
+ return true;
+ }
+ }
diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
new file mode 100644
index 0000000000..8aa21f2716
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-2.patch
@@ -0,0 +1,115 @@ +From: Alan Modra <amodra@gmail.com> +Date: Wed, 21 Sep 2022 05:15:44 +0000 (+0930) +Subject: dwarf2.c: mangle_style +X-Git-Tag: gdb-13-branchpoint~1165 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4 + +dwarf2.c: mangle_style + +non_mangled incorrectly returned "true" for Ada. Correct that, and +add a few more non-mangled entries. Return a value suitable for +passing to cplus_demangle to control demangling. + + * dwarf2.c: Include demangle.h. + (mangle_style): Rename from non_mangled. Return DMGL_* value + to suit lang. Adjust all callers. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=4609af80c29db6015ce01b67c48f237c210da9b4] + +CVE: CVE-2022-48065 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index e7c12c3e9de..138cdbb00bb 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -32,6 +32,7 @@ + #include "sysdep.h" + #include "bfd.h" + #include "libiberty.h" ++#include "demangle.h" + #include "libbfd.h" + #include "elf-bfd.h" + #include "dwarf2.h" +@@ -1711,31 +1712,52 @@ read_attribute (struct attribute * attr, + return info_ptr; + } + +-/* Return whether DW_AT_name will return the same as DW_AT_linkage_name +- for a function. */ ++/* Return mangling style given LANG. 
*/ + +-static bool +-non_mangled (int lang) ++static int ++mangle_style (int lang) + { + switch (lang) + { ++ case DW_LANG_Ada83: ++ case DW_LANG_Ada95: ++ return DMGL_GNAT; ++ ++ case DW_LANG_C_plus_plus: ++ case DW_LANG_C_plus_plus_03: ++ case DW_LANG_C_plus_plus_11: ++ case DW_LANG_C_plus_plus_14: ++ return DMGL_GNU_V3; ++ ++ case DW_LANG_Java: ++ return DMGL_JAVA; ++ ++ case DW_LANG_D: ++ return DMGL_DLANG; ++ ++ case DW_LANG_Rust: ++ case DW_LANG_Rust_old: ++ return DMGL_RUST; ++ + default: +- return false; ++ return DMGL_AUTO; + + case DW_LANG_C89: + case DW_LANG_C: +- case DW_LANG_Ada83: + case DW_LANG_Cobol74: + case DW_LANG_Cobol85: + case DW_LANG_Fortran77: + case DW_LANG_Pascal83: +- case DW_LANG_C99: +- case DW_LANG_Ada95: + case DW_LANG_PLI: ++ case DW_LANG_C99: + case DW_LANG_UPC: + case DW_LANG_C11: + case DW_LANG_Mips_Assembler: +- return true; ++ case DW_LANG_Upc: ++ case DW_LANG_HP_Basic91: ++ case DW_LANG_HP_IMacro: ++ case DW_LANG_HP_Assembler: ++ return 0; + } + } + +@@ -3599,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit, + if (name == NULL && is_str_form (&attr)) + { + name = attr.u.str; +- if (non_mangled (unit->lang)) ++ if (mangle_style (unit->lang) == 0) + *is_linkage = true; + } + break; +@@ -4095,7 +4117,7 @@ scan_unit_for_symbols (struct comp_unit *unit) + if (func->name == NULL && is_str_form (&attr)) + { + func->name = attr.u.str; +- if (non_mangled (unit->lang)) ++ if (mangle_style (unit->lang) == 0) + func->is_linkage = true; + } + break; diff --git a/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch new file mode 100644 index 0000000000..35a658a22c --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0029-CVE-2022-48065-3.patch 
@@ -0,0 +1,122 @@ +From: Alan Modra <amodra@gmail.com> +Date: Wed, 21 Dec 2022 11:10:12 +0000 (+1030) +Subject: PR29925, Memory leak in find_abstract_instance +X-Git-Tag: binutils-2_40~192 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a + +PR29925, Memory leak in find_abstract_instance + +The testcase in the PR had a variable with both DW_AT_decl_file and +DW_AT_specification, where the DW_AT_specification also specified +DW_AT_decl_file. This leads to a memory leak as the file name is +malloced and duplicates are not expected. + +I've also changed find_abstract_instance to not use a temp for "name", +because that can result in a change in behaviour from the usual last +of duplicate attributes wins. + + PR 29925 + * dwarf2.c (find_abstract_instance): Delete "name" variable. + Free *filename_ptr before assigning new file name. + (scan_unit_for_symbols): Similarly free func->file and + var->file before assigning. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a] + +CVE: CVE-2022-48065 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 0cd8152ee6e..b608afbc0cf 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -3441,7 +3441,6 @@ find_abstract_instance (struct comp_unit *unit, + struct abbrev_info *abbrev; + uint64_t die_ref = attr_ptr->u.val; + struct attribute attr; +- const char *name = NULL; + + if (recur_count == 100) + { +@@ -3602,9 +3601,9 @@ find_abstract_instance (struct comp_unit *unit, + case DW_AT_name: + /* Prefer DW_AT_MIPS_linkage_name or DW_AT_linkage_name + over DW_AT_name. 
*/ +- if (name == NULL && is_str_form (&attr)) ++ if (*pname == NULL && is_str_form (&attr)) + { +- name = attr.u.str; ++ *pname = attr.u.str; + if (mangle_style (unit->lang) == 0) + *is_linkage = true; + } +@@ -3612,7 +3611,7 @@ find_abstract_instance (struct comp_unit *unit, + case DW_AT_specification: + if (is_int_form (&attr) + && !find_abstract_instance (unit, &attr, recur_count + 1, +- &name, is_linkage, ++ pname, is_linkage, + filename_ptr, linenumber_ptr)) + return false; + break; +@@ -3622,7 +3621,7 @@ find_abstract_instance (struct comp_unit *unit, + non-string forms into these attributes. */ + if (is_str_form (&attr)) + { +- name = attr.u.str; ++ *pname = attr.u.str; + *is_linkage = true; + } + break; +@@ -3630,8 +3629,11 @@ find_abstract_instance (struct comp_unit *unit, + if (!comp_unit_maybe_decode_line_info (unit)) + return false; + if (is_int_form (&attr)) +- *filename_ptr = concat_filename (unit->line_table, +- attr.u.val); ++ { ++ free (*filename_ptr); ++ *filename_ptr = concat_filename (unit->line_table, ++ attr.u.val); ++ } + break; + case DW_AT_decl_line: + if (is_int_form (&attr)) +@@ -3643,7 +3645,6 @@ find_abstract_instance (struct comp_unit *unit, + } + } + } +- *pname = name; + return true; + } + +@@ -4139,8 +4140,11 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_decl_file: + if (is_int_form (&attr)) +- func->file = concat_filename (unit->line_table, +- attr.u.val); ++ { ++ free (func->file); ++ func->file = concat_filename (unit->line_table, ++ attr.u.val); ++ } + break; + + case DW_AT_decl_line: +@@ -4182,8 +4186,11 @@ scan_unit_for_symbols (struct comp_unit *unit) + + case DW_AT_decl_file: + if (is_int_form (&attr)) +- var->file = concat_filename (unit->line_table, +- attr.u.val); ++ { ++ free (var->file); ++ var->file = concat_filename (unit->line_table, ++ attr.u.val); ++ } + break; + + case DW_AT_decl_line: 
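Review bot: The added `free (*filename_ptr);`, `free (func->file);` and `free (var->file);` are safe only if each pointer is NULL or heap-owned every time these `DW_AT_decl_file` cases run, and nothing in the hunks shows where those pointers are initialised. If any caller of `find_abstract_instance` passes a `filename_ptr` that aliases storage it still uses or that is uninitialised, the leak fix becomes an invalid or double free. A comment on the function stating the contract, e.g. `/* *FILENAME_PTR must be NULL or malloc'd on entry; it is freed and replaced here. */`, would document the ownership the fix relies on. The callers and the function's opening lines are outside the hunks shown.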
diff --git a/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch new file mode 100644 index 0000000000..2f4c38044b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch 
@@ -0,0 +1,151 @@ +From: Alan Modra <amodra@gmail.com> +Date: Sun, 30 Oct 2022 08:38:51 +0000 (+1030) +Subject: Pool section entries for DWP version 1 +X-Git-Tag: gdb-13-branchpoint~664 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=28750e3b967da2207d51cbce9fc8be262817ee59 + +Pool section entries for DWP version 1 + +Ref: https://gcc.gnu.org/wiki/DebugFissionDWP?action=recall&rev=3 + +Fuzzers have found a weakness in the code stashing pool section +entries. With random nonsensical values in the index entries (rather +than each index pointing to its own set distinct from other sets), +it's possible to overflow the space allocated, losing the NULL +terminator. Without a terminator, find_section_in_set can run off the +end of the shndx_pool buffer. Fix this by scanning the pool directly. + +binutils/ + * dwarf.c (add_shndx_to_cu_tu_entry): Delete range check. + (end_cu_tu_entry): Likewise. + (process_cu_tu_index): Fill shndx_pool by directly scanning + pool, rather than indirectly from index entries. 
+ +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=7730293326ac1049451eb4a037ac86d827030700;hp=c6340a28906114e9df29d7401472c7dc0a98c2b1;hb=28750e3b967da2207d51cbce9fc8be262817ee59;hpb=60095ba3b8f8ba26a6389dded732fa446422c98f] + +CVE: CVE-2022-44840 + +Signed-off-by: yash shinde <yash.shinde@windriver.com> + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index c6340a28906..7730293326a 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -10652,22 +10652,12 @@ prealloc_cu_tu_list (unsigned int nshndx) + static void + add_shndx_to_cu_tu_entry (unsigned int shndx) + { +- if (shndx_pool_used >= shndx_pool_size) +- { +- error (_("Internal error: out of space in the shndx pool.\n")); +- return; +- } + shndx_pool [shndx_pool_used++] = shndx; + } + + static void + end_cu_tu_entry (void) + { +- if (shndx_pool_used >= shndx_pool_size) +- { +- error (_("Internal error: out of space in the shndx pool.\n")); +- return; +- } + shndx_pool [shndx_pool_used++] = 0; + } + +@@ -10773,53 +10763,55 @@ process_cu_tu_index (struct dwarf_section *section, int do_display) + + if (version == 1) + { ++ unsigned char *shndx_list; ++ unsigned int shndx; ++ + if (!do_display) +- prealloc_cu_tu_list ((limit - ppool) / 4); +- for (i = 0; i < nslots; i++) + { +- unsigned char *shndx_list; +- unsigned int shndx; +- +- SAFE_BYTE_GET (signature, phash, 8, limit); +- if (signature != 0) ++ prealloc_cu_tu_list ((limit - ppool) / 4); ++ for (shndx_list = ppool + 4; shndx_list <= limit - 4; shndx_list += 4) + { +- SAFE_BYTE_GET (j, pindex, 4, limit); +- shndx_list = ppool + j * 4; +- /* PR 17531: file: 705e010d. 
*/ +- if (shndx_list < ppool) +- { +- warn (_("Section index pool located before start of section\n")); +- return 0; +- } ++ shndx = byte_get (shndx_list, 4); ++ add_shndx_to_cu_tu_entry (shndx); ++ } ++ end_cu_tu_entry (); ++ } ++ else ++ for (i = 0; i < nslots; i++) ++ { ++ SAFE_BYTE_GET (signature, phash, 8, limit); ++ if (signature != 0) ++ { ++ SAFE_BYTE_GET (j, pindex, 4, limit); ++ shndx_list = ppool + j * 4; ++ /* PR 17531: file: 705e010d. */ ++ if (shndx_list < ppool) ++ { ++ warn (_("Section index pool located before start of section\n")); ++ return 0; ++ } + +- if (do_display) + printf (_(" [%3d] Signature: 0x%s Sections: "), + i, dwarf_vmatoa ("x", signature)); +- for (;;) +- { +- if (shndx_list >= limit) +- { +- warn (_("Section %s too small for shndx pool\n"), +- section->name); +- return 0; +- } +- SAFE_BYTE_GET (shndx, shndx_list, 4, limit); +- if (shndx == 0) +- break; +- if (do_display) ++ for (;;) ++ { ++ if (shndx_list >= limit) ++ { ++ warn (_("Section %s too small for shndx pool\n"), ++ section->name); ++ return 0; ++ } ++ SAFE_BYTE_GET (shndx, shndx_list, 4, limit); ++ if (shndx == 0) ++ break; + printf (" %d", shndx); +- else +- add_shndx_to_cu_tu_entry (shndx); +- shndx_list += 4; +- } +- if (do_display) ++ shndx_list += 4; ++ } + printf ("\n"); +- else +- end_cu_tu_entry (); +- } +- phash += 8; +- pindex += 4; +- } ++ } ++ phash += 8; ++ pindex += 4; ++ } + } + else if (version == 2) + { diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch new file mode 100644 index 0000000000..3db4385e13 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch 
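Review bot: In the `!do_display` branch of the version 1 path, `end_cu_tu_entry ()` still stores one terminator when the pool holds less than one 4-byte entry, while `prealloc_cu_tu_list ((limit - ppool) / 4)` is then asked for zero slots. With the range checks deleted from `add_shndx_to_cu_tu_entry` and `end_cu_tu_entry`, nothing in this hunk keeps `shndx_pool [shndx_pool_used++]` inside the allocation in that case; whether an earlier check in `process_cu_tu_index` guarantees `limit - ppool >= 4` cannot be seen here, because the function starts outside the hunk. I would guard the branch with `if (limit - ppool >= 4)` or, if the invariant is already established earlier, state it above the two writers with `/* Space must already be reserved by prealloc_cu_tu_list.  */`.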
@@ -0,0 +1,147 @@ +From: Alan Modra <amodra@gmail.com> +Date: Tue, 24 May 2022 00:02:14 +0000 (+0930) +Subject: PR29169, invalid read displaying fuzzed .gdb_index +X-Git-Tag: binutils-2_39~530 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636 + +PR29169, invalid read displaying fuzzed .gdb_index + + PR 29169 + * dwarf.c (display_gdb_index): Combine sanity checks. Calculate + element counts, not word counts. +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=244e19c79111eed017ee38ab1d44fb2a6cd1b636] + +CVE: CVE-2022-45703 + +Signed-off-by: yash shinde <yash.shinde@windriver.com> + +--- + +diff --git a/binutils/dwarf.c b/binutils/dwarf.c +index 7de6f28161f..c855972a12f 100644 +--- a/binutils/dwarf.c ++++ b/binutils/dwarf.c +@@ -10406,7 +10406,7 @@ display_gdb_index (struct dwarf_section *section, + uint32_t cu_list_offset, tu_list_offset; + uint32_t address_table_offset, symbol_table_offset, constant_pool_offset; + unsigned int cu_list_elements, tu_list_elements; +- unsigned int address_table_size, symbol_table_slots; ++ unsigned int address_table_elements, symbol_table_slots; + unsigned char *cu_list, *tu_list; + unsigned char *address_table, *symbol_table, *constant_pool; + unsigned int i; +@@ -10454,48 +10454,19 @@ display_gdb_index (struct dwarf_section *section, + || tu_list_offset > section->size + || address_table_offset > section->size + || symbol_table_offset > section->size +- || constant_pool_offset > section->size) ++ || constant_pool_offset > section->size ++ || tu_list_offset < cu_list_offset ++ || address_table_offset < tu_list_offset ++ || symbol_table_offset < address_table_offset ++ || constant_pool_offset < symbol_table_offset) + { + warn (_("Corrupt header in the %s section.\n"), section->name); + return 0; + } + +- /* PR 17531: file: 418d0a8a. 
*/ +- if (tu_list_offset < cu_list_offset) +- { +- warn (_("TU offset (%x) is less than CU offset (%x)\n"), +- tu_list_offset, cu_list_offset); +- return 0; +- } +- +- cu_list_elements = (tu_list_offset - cu_list_offset) / 8; +- +- if (address_table_offset < tu_list_offset) +- { +- warn (_("Address table offset (%x) is less than TU offset (%x)\n"), +- address_table_offset, tu_list_offset); +- return 0; +- } +- +- tu_list_elements = (address_table_offset - tu_list_offset) / 8; +- +- /* PR 17531: file: 18a47d3d. */ +- if (symbol_table_offset < address_table_offset) +- { +- warn (_("Symbol table offset (%x) is less then Address table offset (%x)\n"), +- symbol_table_offset, address_table_offset); +- return 0; +- } +- +- address_table_size = symbol_table_offset - address_table_offset; +- +- if (constant_pool_offset < symbol_table_offset) +- { +- warn (_("Constant pool offset (%x) is less than symbol table offset (%x)\n"), +- constant_pool_offset, symbol_table_offset); +- return 0; +- } +- ++ cu_list_elements = (tu_list_offset - cu_list_offset) / 16; ++ tu_list_elements = (address_table_offset - tu_list_offset) / 24; ++ address_table_elements = (symbol_table_offset - address_table_offset) / 20; + symbol_table_slots = (constant_pool_offset - symbol_table_offset) / 8; + + cu_list = start + cu_list_offset; +@@ -10504,31 +10475,25 @@ display_gdb_index (struct dwarf_section *section, + symbol_table = start + symbol_table_offset; + constant_pool = start + constant_pool_offset; + +- if (address_table_offset + address_table_size > section->size) +- { +- warn (_("Address table extends beyond end of section.\n")); +- return 0; +- } +- + printf (_("\nCU table:\n")); +- for (i = 0; i < cu_list_elements; i += 2) ++ for (i = 0; i < cu_list_elements; i++) + { +- uint64_t cu_offset = byte_get_little_endian (cu_list + i * 8, 8); +- uint64_t cu_length = byte_get_little_endian (cu_list + i * 8 + 8, 8); ++ uint64_t cu_offset = byte_get_little_endian (cu_list + i * 16, 8); ++ uint64_t 
cu_length = byte_get_little_endian (cu_list + i * 16 + 8, 8); + +- printf (_("[%3u] 0x%lx - 0x%lx\n"), i / 2, ++ printf (_("[%3u] 0x%lx - 0x%lx\n"), i, + (unsigned long) cu_offset, + (unsigned long) (cu_offset + cu_length - 1)); + } + + printf (_("\nTU table:\n")); +- for (i = 0; i < tu_list_elements; i += 3) ++ for (i = 0; i < tu_list_elements; i++) + { +- uint64_t tu_offset = byte_get_little_endian (tu_list + i * 8, 8); +- uint64_t type_offset = byte_get_little_endian (tu_list + i * 8 + 8, 8); +- uint64_t signature = byte_get_little_endian (tu_list + i * 8 + 16, 8); ++ uint64_t tu_offset = byte_get_little_endian (tu_list + i * 24, 8); ++ uint64_t type_offset = byte_get_little_endian (tu_list + i * 24 + 8, 8); ++ uint64_t signature = byte_get_little_endian (tu_list + i * 24 + 16, 8); + +- printf (_("[%3u] 0x%lx 0x%lx "), i / 3, ++ printf (_("[%3u] 0x%lx 0x%lx "), i, + (unsigned long) tu_offset, + (unsigned long) type_offset); + print_dwarf_vma (signature, 8); +@@ -10536,12 +10501,11 @@ display_gdb_index (struct dwarf_section *section, + } + + printf (_("\nAddress table:\n")); +- for (i = 0; i < address_table_size && i <= address_table_size - (2 * 8 + 4); +- i += 2 * 8 + 4) ++ for (i = 0; i < address_table_elements; i++) + { +- uint64_t low = byte_get_little_endian (address_table + i, 8); +- uint64_t high = byte_get_little_endian (address_table + i + 8, 8); +- uint32_t cu_index = byte_get_little_endian (address_table + i + 16, 4); ++ uint64_t low = byte_get_little_endian (address_table + i * 20, 8); ++ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8); ++ uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4); + + print_dwarf_vma (low, 8); + print_dwarf_vma (high, 8); diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch new file mode 100644 index 0000000000..1fac9739dd --- /dev/null 
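Review bot: The address-table loop added here reads `cu_index` from `address_table + i + 20 + 16`, which does not follow the `i * 20` stride of the two lines above it, so 0031-CVE-2022-45703-1.patch is not safe to apply on its own; the companion 0031-CVE-2022-45703-2.patch corrects the expression. Both files carry `CVE: CVE-2022-45703` and the recipe's SRC_URI is outside this view, so it is worth confirming that they are listed together and in this order. Separately, the entry sizes 16, 24 and 20 appear as bare literals in the element-count divisions and again in the loop bodies; a comment such as `/* CU entry: 8-byte offset + 8-byte length.  */` beside each division would make the bounds reasoning checkable.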
+++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch
@@ -0,0 +1,31 @@
+From 69bfd1759db41c8d369f9dcc98a135c5a5d97299 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 18 Nov 2022 11:29:13 +1030
+Subject: [PATCH] PR29799 heap buffer overflow in display_gdb_index
+ dwarf.c:10548
+
+ PR 29799
+ * dwarf.c (display_gdb_index): Typo fix.
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff_plain;f=binutils/dwarf.c;h=4bba8dfb81a6df49f5e61b3fae99dd545cc5c7dd;hp=7730293326ac1049451eb4a037ac86d827030700;hb=69bfd1759db41c8d369f9dcc98a135c5a5d97299;hpb=7828dfa93b210b6bbc6596e6e096cc150a9f8aa4]
+
+CVE: CVE-2022-45703
+
+Signed-off-by: yash shinde <yash.shinde@windriver.com>
+
+---
+ binutils/dwarf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 7730293326a..4bba8dfb81a 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -10562,7 +10562,7 @@ display_gdb_index (struct dwarf_section
+ {
+ uint64_t low = byte_get_little_endian (address_table + i * 20, 8);
+ uint64_t high = byte_get_little_endian (address_table + i * 20 + 8, 8);
+- uint32_t cu_index = byte_get_little_endian (address_table + i + 20 + 16, 4);
++ uint32_t cu_index = byte_get_little_endian (address_table + i * 20 + 16, 4);
+
+ print_dwarf_vma (low, 8);
+ print_dwarf_vma (high, 8);
diff --git a/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
new file mode 100644
index 0000000000..f2e9cea027
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
@@ -0,0 +1,58 @@ +From 2f7426b9bb2d2450b32cad3d79fab9abe3ec42bb Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Sun, 4 Dec 2022 22:15:40 +1030 +Subject: [PATCH] PR29846, segmentation fault in objdump.c compare_symbols + +Fixes a fuzzed object file problem where plt relocs were manipulated +in such a way that two synthetic symbols were generated at the same +plt location. Won't occur in real object files. + + PR 29846 + PR 20337 + * objdump.c (compare_symbols): Test symbol flags to exclude + section and synthetic symbols before attempting to check flavour. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386] + +CVE: CVE-2022-47695 + +Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> +--- + binutils/objdump.c | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/binutils/objdump.c b/binutils/objdump.c +index 08a0fe521d8..21f75f4db40 100644 +--- a/binutils/objdump.c ++++ b/binutils/objdump.c +@@ -1165,20 +1165,17 @@ compare_symbols (const void *ap, const void *bp) + return 1; + } + +- if (bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour ++ /* Sort larger size ELF symbols before smaller. See PR20337. */ ++ bfd_vma asz = 0; ++ if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 ++ && bfd_get_flavour (bfd_asymbol_bfd (a)) == bfd_target_elf_flavour) ++ asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; ++ bfd_vma bsz = 0; ++ if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0 + && bfd_get_flavour (bfd_asymbol_bfd (b)) == bfd_target_elf_flavour) +- { +- bfd_vma asz, bsz; +- +- asz = 0; +- if ((a->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) +- asz = ((elf_symbol_type *) a)->internal_elf_sym.st_size; +- bsz = 0; +- if ((b->flags & (BSF_SECTION_SYM | BSF_SYNTHETIC)) == 0) +- bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; +- if (asz != bsz) +- return asz > bsz ? 
-1 : 1; +- } ++ bsz = ((elf_symbol_type *) b)->internal_elf_sym.st_size; ++ if (asz != bsz) ++ return asz > bsz ? -1 : 1; + + /* Symbols that start with '.' might be section names, so sort them + after symbols that don't start with '.'. */ diff --git a/meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch b/meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch new file mode 100644 index 0000000000..9648033e67 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch @@ -0,0 +1,38 @@ +From: Alan Modra <amodra@gmail.com> +Date: Mon, 20 Jun 2022 01:09:31 +0000 (+0930) +Subject: PR29262, memory leak in pr_function_type +X-Git-Tag: binutils-2_39~224 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab + +PR29262, memory leak in pr_function_type + + PR 29262 + * prdbg.c (pr_function_type): Free "s" on failure path. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0d02e70b197c786f26175b9a73f94e01d14abdab] + +CVE: CVE-2022-47010 + +Signed-off-by: Sanjana Venkatesh <Sanjana.Venkatesh@windriver.com> + +--- + +diff --git a/binutils/prdbg.c b/binutils/prdbg.c +index c1e41628d26..bb42a5b6c2d 100644 +--- a/binutils/prdbg.c ++++ b/binutils/prdbg.c +@@ -742,12 +742,9 @@ pr_function_type (void *p, int argcount, bool varargs) + + strcat (s, ")"); + +- if (! substitute_type (info, s)) +- return false; +- ++ bool ret = substitute_type (info, s); + free (s); +- +- return true; ++ return ret; + } + + /* Turn the top type on the stack into a reference to that type. */ diff --git a/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch new file mode 100644 index 0000000000..cc6dfe684b --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0033-CVE-2022-47007.patch 
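Review bot: The provenance fields of 0031-CVE-2022-47695.patch disagree: the `From` line names commit 2f7426b9bb2d2450b32cad3d79fab9abe3ec42bb, while `Upstream-Status: Backport` links to h=3d3af4ba39e892b1c544d667ca241846bc3df386. One is presumably a branch cherry-pick of the other, but someone checking the backport against upstream cannot tell which tree the diff was taken from. I would make the two agree, or add a header line saying which hash is the mainline commit. The file also shares the 0031 prefix with the two CVE-2022-45703 patches, which makes the intended apply order harder to read from the file names.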
@@ -0,0 +1,34 @@
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 16 Jun 2022 23:30:41 +0000 (+0930)
+Subject: PR29254, memory leak in stab_demangle_v3_arg
+X-Git-Tag: binutils-2_39~237
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb
+
+PR29254, memory leak in stab_demangle_v3_arg
+
+ PR 29254
+ * stabs.c (stab_demangle_v3_arg): Free dt on failure path.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=0ebc886149c22aceaf8ed74267821a59ca9d03eb]
+
+CVE: CVE-2022-47007
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+---
+
+diff --git a/binutils/stabs.c b/binutils/stabs.c
+index 2b5241637c1..796ff85b86a 100644
+--- a/binutils/stabs.c
++++ b/binutils/stabs.c
+@@ -5467,7 +5467,10 @@ stab_demangle_v3_arg (void *dhandle, struct stab_handle *info,
+ dc->u.s_binary.right,
+ &varargs);
+ if (pargs == NULL)
+- return NULL;
++ {
++ free (dt);
++ return NULL;
++ }
+
+ return debug_make_function_type (dhandle, dt, pargs, varargs);
+ }
diff --git a/meta/recipes-devtools/binutils/binutils/0034-CVE-2022-48064.patch b/meta/recipes-devtools/binutils/binutils/0034-CVE-2022-48064.patch
new file mode 100644
index 0000000000..b0840366c7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0034-CVE-2022-48064.patch
@@ -0,0 +1,57 @@ +From: Alan Modra <amodra@gmail.com> +Date: Tue, 20 Dec 2022 13:17:03 +0000 (+1030) +Subject: PR29922, SHT_NOBITS section avoids section size sanity check +X-Git-Tag: binutils-2_40~202 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8f2c64de86bc3d7556121fe296dd679000283931 + +PR29922, SHT_NOBITS section avoids section size sanity check + + PR 29922 + * dwarf2.c (find_debug_info): Ignore sections without + SEC_HAS_CONTENTS. + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=8f2c64de86bc3d7556121fe296dd679000283931] + +CVE: CVE-2022-48064 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +--- + +diff --git a/bfd/dwarf2.c b/bfd/dwarf2.c +index 95f45708e9d..0cd8152ee6e 100644 +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -4831,16 +4831,19 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections, + { + look = debug_sections[debug_info].uncompressed_name; + msec = bfd_get_section_by_name (abfd, look); +- if (msec != NULL) ++ /* Testing SEC_HAS_CONTENTS is an anti-fuzzer measure. Of ++ course debug sections always have contents. 
*/ ++ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0) + return msec; + + look = debug_sections[debug_info].compressed_name; + msec = bfd_get_section_by_name (abfd, look); +- if (msec != NULL) ++ if (msec != NULL && (msec->flags & SEC_HAS_CONTENTS) != 0) + return msec; + + for (msec = abfd->sections; msec != NULL; msec = msec->next) +- if (startswith (msec->name, GNU_LINKONCE_INFO)) ++ if ((msec->flags & SEC_HAS_CONTENTS) != 0 ++ && startswith (msec->name, GNU_LINKONCE_INFO)) + return msec; + + return NULL; +@@ -4848,6 +4851,9 @@ find_debug_info (bfd *abfd, const struct dwarf_debug_section *debug_sections, + + for (msec = after_sec->next; msec != NULL; msec = msec->next) + { ++ if ((msec->flags & SEC_HAS_CONTENTS) == 0) ++ continue; ++ + look = debug_sections[debug_info].uncompressed_name; + if (strcmp (msec->name, look) == 0) + return msec; diff --git a/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch b/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch new file mode 100644 index 0000000000..63fb44d59a --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch 
@@ -0,0 +1,50 @@
+From: Keith Seitz <keiths@...>
+Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700)
+Subject: Verify COFF symbol stringtab offset
+X-Git-Tag: gdb-14-branchpoint~473
+X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a
+
+Verify COFF symbol stringtab offset
+
+This patch addresses an issue with malformed/fuzzed debug information that
+was recently reported in gdb/30639. That bug specifically deals with
+an ASAN issue, but the reproducer provided by the reporter causes a
+another failure outside of ASAN:
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a]
+
+CVE: CVE-2023-39129
+
+Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
+
+diff --git a/gdb/coffread.c b/gdb/coffread.c
+--- a/gdb/coffread.c
++++ b/gdb/coffread.c
+@@ -159,6 +160,7 @@ static file_ptr linetab_offset;
+ static file_ptr linetab_size;
+
+ static char *stringtab = NULL;
++static long stringtab_length = 0;
+
+ extern void stabsread_clear_cache (void);
+
+@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora
+ /* This is in target format (probably not very useful, and not
+ currently used), not host format. */
+ memcpy (stringtab, lengthbuf, sizeof lengthbuf);
++ stringtab_length = length;
+ if (length == sizeof length) /* Empty table -- just the count. */
+ return 0;
+
+@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry)
+
+ if (symbol_entry->_n._n_n._n_zeroes == 0)
+ {
+- /* FIXME: Probably should be detecting corrupt symbol files by
+- seeing whether offset points to within the stringtab. */
++ if (symbol_entry->_n._n_n._n_offset > stringtab_length)
++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"),
++ symbol_entry->_n._n_n._n_offset, stringtab_length);
+ result = stringtab + symbol_entry->_n._n_n._n_offset;
+ }
+ else
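Review bot: The new bound in `getsymname` uses `>`, so an `_n_offset` equal to `stringtab_length` is accepted and `stringtab + _n_offset` then points one past the end of the table; `if (symbol_entry->_n._n_n._n_offset >= stringtab_length)` would reject it. The check also does not establish that the name is NUL-terminated inside the table, and how `result` is consumed lies outside the hunk. `stringtab_length` is assigned only after the `memcpy` in `init_stringtab`, so on any earlier return path (not visible here) the static may keep the value from a previously read file; resetting it at the top of `init_stringtab` would avoid that. The `%ld` conversions assume both arguments are `long`, which should be confirmed for `_n_offset`.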
diff --git a/meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch b/meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch
new file mode 100644
index 0000000000..bfd5b18d7d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch
@@ -0,0 +1,326 @@ +From 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 9 Aug 2023 09:58:36 +0930 +Subject: [PATCH] gdb: warn unused result for bfd IO functions + +This fixes the compilation warnings introduced by my bfdio.c patch. + +The removed bfd_seeks in coff_symfile_read date back to 1994, commit +7f4c859520, prior to which the file used stdio rather than bfd to read +symbols. Since it now uses bfd to read the file there should be no +need to synchronise to bfd's idea of the file position. I also fixed +a potential uninitialised memory access. + +Approved-By: Andrew Burgess <aburgess@redhat.com> + +Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80] +CVE: CVE-2023-39130 +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +--- + gdb/coff-pe-read.c | 114 +++++++++++++++++++++++++++++---------------- + gdb/coffread.c | 27 ++--------- + gdb/dbxread.c | 7 +-- + gdb/xcoffread.c | 5 +- + 4 files changed, 85 insertions(+), 68 deletions(-) + +diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c +--- a/gdb/coff-pe-read.c ++++ b/gdb/coff-pe-read.c +@@ -291,23 +291,31 @@ read_pe_truncate_name (char *dll_name) + + /* Low-level support functions, direct from the ld module pe-dll.c. 
*/ + static unsigned int +-pe_get16 (bfd *abfd, int where) ++pe_get16 (bfd *abfd, int where, bool *fail) + { + unsigned char b[2]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 2, abfd); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 2, abfd) != 2) ++ { ++ *fail = true; ++ return 0; ++ } + return b[0] + (b[1] << 8); + } + + static unsigned int +-pe_get32 (bfd *abfd, int where) ++pe_get32 (bfd *abfd, int where, bool *fail) + { + unsigned char b[4]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 4, abfd); +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 4, abfd) != 4) ++ { ++ *fail = true; ++ return 0; ++ } ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + static unsigned int +@@ -323,7 +331,7 @@ pe_as32 (void *ptr) + { + unsigned char *b = (unsigned char *) ptr; + +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + /* Read the (non-debug) export symbol table from a portable +@@ -376,37 +384,50 @@ read_pe_exported_syms (minimal_symbol_re + || strcmp (target, "pei-i386") == 0 + || strcmp (target, "pe-arm-wince-little") == 0 + || strcmp (target, "pei-arm-wince-little") == 0); ++ ++ /* Possibly print a debug message about DLL not having a valid format. */ ++ auto maybe_print_debug_msg = [&] () -> void { ++ if (debug_coff_pe_read) ++ fprintf_unfiltered (gdb_stdlog, _("%s doesn't appear to be a DLL\n"), ++ bfd_get_filename (dll)); ++ }; ++ + if (!is_pe32 && !is_pe64) +- { +- /* This is not a recognized PE format file. Abort now, because +- the code is untested on anything else. *FIXME* test on +- further architectures and loosen or remove this test. */ +- return; +- } ++ return maybe_print_debug_msg (); + + /* Get pe_header, optional header and numbers of export entries. 
*/ +- pe_header_offset = pe_get32 (dll, 0x3c); ++ bool fail = false; ++ pe_header_offset = pe_get32 (dll, 0x3c, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + opthdr_ofs = pe_header_offset + 4 + 20; + if (is_pe64) +- num_entries = pe_get32 (dll, opthdr_ofs + 108); ++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail); + else +- num_entries = pe_get32 (dll, opthdr_ofs + 92); ++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + + if (num_entries < 1) /* No exports. */ + return; + if (is_pe64) + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail); + } + else + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail); + } +- nsections = pe_get16 (dll, pe_header_offset + 4 + 2); ++ if (fail) ++ return maybe_print_debug_msg (); ++ ++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (dll, pe_header_offset + 4 + 16)); ++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return maybe_print_debug_msg (); + expptr = 0; + export_size = 0; + +@@ -415,12 +436,13 @@ read_pe_exported_syms (minimal_symbol_re + { + char sname[8]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long vsize = pe_get32 (dll, secptr1 + 16); +- unsigned long fptr = pe_get32 (dll, secptr1 + 20); +- +- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) sizeof (sname), dll); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail); ++ 
unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail); ++ ++ if (fail ++ || bfd_seek (dll, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname)) + + if ((strcmp (sname, ".edata") == 0) + || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize)) +@@ -461,16 +483,18 @@ read_pe_exported_syms (minimal_symbol_re + for (i = 0; i < nsections; i++) + { + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vsize = pe_get32 (dll, secptr1 + 8); +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long characteristics = pe_get32 (dll, secptr1 + 36); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail); + char sec_name[SCNNMLEN + 1]; + int sectix; + unsigned int bfd_section_index; + asection *section; + +- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET); +- bfd_bread (sec_name, (bfd_size_type) SCNNMLEN, dll); ++ if (fail ++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0 ++ || bfd_bread (sec_name, SCNNMLEN, dll) != SCNNMLEN) ++ return maybe_print_debug_msg (); + sec_name[SCNNMLEN] = '\0'; + + sectix = read_pe_section_index (sec_name); +@@ -509,8 +533,9 @@ read_pe_exported_syms (minimal_symbol_re + gdb::def_vector<unsigned char> expdata_storage (export_size); + expdata = expdata_storage.data (); + +- bfd_seek (dll, (file_ptr) expptr, SEEK_SET); +- bfd_bread (expdata, (bfd_size_type) export_size, dll); ++ if (bfd_seek (dll, expptr, SEEK_SET) != 0 ++ || bfd_bread (expdata, export_size, dll) != export_size) ++ return maybe_print_debug_msg (); + erva = expdata - export_rva; + + nexp = pe_as32 (expdata + 24); +@@ -658,20 +683,27 @@ pe_text_section_offset (struct bfd *abfd + } + + /* Get pe_header, optional header and numbers of sections. 
*/ +- pe_header_offset = pe_get32 (abfd, 0x3c); +- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2); ++ bool fail = false; ++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; ++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (abfd, pe_header_offset + 4 + 16)); ++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + + /* Get the rva and size of the export section. */ + for (i = 0; i < nsections; i++) + { + char sname[SCNNMLEN + 1]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12); ++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail); + +- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) SCNNMLEN, abfd); ++ if (fail ++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, SCNNMLEN, abfd) != SCNNMLEN) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + sname[SCNNMLEN] = '\0'; + if (strcmp (sname, ".text") == 0) + return vaddr; +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -690,8 +690,6 @@ coff_symfile_read (struct objfile *objfi + + /* FIXME: dubious. Why can't we use something normal like + bfd_get_section_contents? */ +- bfd_seek (abfd, abfd->where, 0); +- + stabstrsize = bfd_section_size (info->stabstrsect); + + coffstab_build_psymtabs (objfile, +@@ -780,22 +778,6 @@ coff_symtab_read (minimal_symbol_reader + + scoped_free_pendings free_pending; + +- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous.... +- it's hard to know I've really worked around it. The fix should +- be harmless, anyway). The symptom of the bug is that the first +- fread (in read_one_sym), will (in my example) actually get data +- from file offset 268, when the fseek was to 264 (and ftell shows +- 264). This causes all hell to break loose. 
I was unable to +- reproduce this on a short test program which operated on the same +- file, performing (I think) the same sequence of operations. +- +- It stopped happening when I put in this (former) rewind(). +- +- FIXME: Find out if this has been reported to Sun, whether it has +- been fixed in a later release, etc. */ +- +- bfd_seek (objfile->obfd, 0, 0); +- + /* Position to read the symbol table. */ + val = bfd_seek (objfile->obfd, symtab_offset, 0); + if (val < 0) +@@ -1285,12 +1267,13 @@ init_stringtab (bfd *abfd, file_ptr offs + if (bfd_seek (abfd, offset, 0) < 0) + return -1; + +- val = bfd_bread ((char *) lengthbuf, sizeof lengthbuf, abfd); +- length = bfd_h_get_32 (symfile_bfd, lengthbuf); +- ++ val = bfd_bread (lengthbuf, sizeof lengthbuf, abfd); + /* If no string table is needed, then the file may end immediately + after the symbols. Just return with `stringtab' set to null. */ +- if (val != sizeof lengthbuf || length < sizeof lengthbuf) ++ if (val != sizeof lengthbuf) ++ return 0; ++ length = bfd_h_get_32 (symfile_bfd, lengthbuf); ++ if (length < sizeof lengthbuf) + return 0; + + storage->reset ((char *) xmalloc (length)); +diff --git a/gdb/dbxread.c b/gdb/dbxread.c +--- a/gdb/dbxread.c ++++ b/gdb/dbxread.c +@@ -812,7 +812,8 @@ stabs_seek (int sym_offset) + symbuf_left -= sym_offset; + } + else +- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR); ++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0) ++ perror_with_name (bfd_get_filename (symfile_bfd)); + } + + #define INTERNALIZE_SYMBOL(intern, extern, abfd) \ +@@ -2095,8 +2096,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, + symbol_size = SYMBOL_SIZE (pst); + + /* Read in this file's symbols. 
*/ +- bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET); +- read_ofile_symtab (objfile, pst); ++ if (bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET) == 0) ++ read_ofile_symtab (objfile, pst); + } + + pst->readin = true; +diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c +--- a/gdb/xcoffread.c ++++ b/gdb/xcoffread.c +@@ -865,8 +865,9 @@ enter_line_range (struct subfile *subfil + + while (curoffset <= limit_offset) + { +- bfd_seek (abfd, curoffset, SEEK_SET); +- bfd_bread (ext_lnno, linesz, abfd); ++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0 ++ || bfd_bread (ext_lnno, linesz, abfd) != linesz) ++ return; + bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno); + + /* Find the address this line represents. */ +-- +2.39.3 diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch new file mode 100644 index 0000000000..ea2e030503 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch 
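Review bot: In the first section loop of `read_pe_exported_syms` (the inner hunk at `@@ -415,12 +436,13 @@`), the added `if (fail || bfd_seek (dll, secptr1, SEEK_SET) != 0 || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname))` has no statement of its own, so the following context line `if ((strcmp (sname, ".edata") == 0) ...` becomes its body. As written, the export-section match runs only after a failed read, on an `sname` buffer that was not filled, and is skipped whenever the read succeeds. Every other check this patch adds in the function is followed by `return maybe_print_debug_msg ();`, and that line appears to have been dropped here; adding it after the condition restores the intended early exit. In `dbx_expand_psymtab`, a failed `bfd_seek` now skips `read_ofile_symtab` silently while `pst->readin = true` is still set, which deserves at least a comment.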
@@ -0,0 +1,48 @@ +From 75393a2d54bcc40053e5262a3de9d70c5ebfbbfd Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Wed, 21 Dec 2022 11:51:23 +0000 +Subject: [PATCH] Fix an attempt to allocate an unreasonably large amount of + memory when parsing a corrupt ELF file. + + PR 29924 + * objdump.c (load_specific_debug_section): Check for excessively + large sections. + +Upstream-Status: Backport +CVE: CVE-2022-48063 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + binutils/ChangeLog | 6 ++++++ + binutils/objdump.c | 4 +++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +Index: git/binutils/objdump.c +=================================================================== +--- git.orig/binutils/objdump.c ++++ git/binutils/objdump.c +@@ -3768,7 +3768,9 @@ load_specific_debug_section (enum dwarf_ + section->size = bfd_section_size (sec); + /* PR 24360: On 32-bit hosts sizeof (size_t) < sizeof (bfd_size_type). */ + alloced = amt = section->size + 1; +- if (alloced != amt || alloced == 0) ++ if (alloced != amt ++ || alloced == 0 ++ || (bfd_get_size (abfd) != 0 && alloced >= bfd_get_size (abfd))) + { + section->start = NULL; + free_debug_section (debug); +Index: git/binutils/ChangeLog +=================================================================== +--- git.orig/binutils/ChangeLog ++++ git/binutils/ChangeLog +@@ -1,3 +1,9 @@ ++2022-12-21 Nick Clifton <nickc@redhat.com> ++ ++ PR 29924 ++ * objdump.c (load_specific_debug_section): Check for excessively ++ large sections. ++ + 2022-03-23 Nick Clifton <nickc@redhat.com> + + Import patch from mainline: diff --git a/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch b/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch deleted file mode 100644 index 88597cf3a9..0000000000 --- a/meta/recipes-devtools/bootchart2/bootchart2/0001-bootchart2-support-usrmerge.patch +++ /dev/null 
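Review bot: The size guard added in `load_specific_debug_section` has no comment of its own, and the PR 24360 comment kept above it explains only the `alloced != amt` truncation test, so the reason for comparing against `bfd_get_size (abfd)` is not recorded in the code. I would add `/* PR 29924: Reject a section that claims to be at least as large as the file holding it. */` above the condition and read the file size into a local once rather than calling `bfd_get_size` twice. The new test is skipped when `bfd_get_size` returns 0, so in that case the request is still bounded only by the truncation check. Whether a compressed debug section can legitimately report a size above the file size is not visible here and is worth confirming. The function body continues outside the hunk.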
@@ -1,37 +0,0 @@ -From b6d1a1ff2de363b1b76c8c70f77ae56a4e4d4b56 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 5 Sep 2019 18:37:31 +0800 -Subject: [PATCH] bootchart2: support usrmerge - -Upstream-Status: Inappropriate [oe-specific] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index 1cc2974..f988904 100644 ---- a/Makefile -+++ b/Makefile -@@ -36,7 +36,7 @@ endif - PY_SITEDIR ?= $(PY_LIBDIR)/site-packages - LIBC_A_PATH = /usr$(LIBDIR) - # Always lib, even on systems that otherwise use lib64 --SYSTEMD_UNIT_DIR = $(EARLY_PREFIX)/lib/systemd/system -+SYSTEMD_UNIT_DIR ?= $(EARLY_PREFIX)/lib/systemd/system - COLLECTOR = \ - collector/collector.o \ - collector/output.o \ -@@ -99,7 +99,7 @@ install-chroot: - install -d $(DESTDIR)$(PKGLIBDIR)/tmpfs - - install-collector: all install-chroot -- install -m 755 -D bootchartd $(DESTDIR)$(EARLY_PREFIX)/sbin/$(PROGRAM_PREFIX)bootchartd$(PROGRAM_SUFFIX) -+ install -m 755 -D bootchartd $(DESTDIR)${BASE_SBINDIR}/$(PROGRAM_PREFIX)bootchartd$(PROGRAM_SUFFIX) - install -m 644 -D bootchartd.conf $(DESTDIR)/etc/$(PROGRAM_PREFIX)bootchartd$(PROGRAM_SUFFIX).conf - install -m 755 -D bootchart-collector $(DESTDIR)$(PKGLIBDIR)/$(PROGRAM_PREFIX)bootchart$(PROGRAM_SUFFIX)-collector - --- -2.7.4 - diff --git a/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb index b1628075a7..38a1c9d147 100644 --- a/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb +++ b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb 
@@ -93,7 +93,6 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)" SRC_URI = "git://github.com/xrmx/bootchart.git;branch=master;protocol=https \ file://bootchartd_stop.sh \ file://0001-collector-Allocate-space-on-heap-for-chunks.patch \ - file://0001-bootchart2-support-usrmerge.patch \ file://0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch \ " @@ -119,12 +118,11 @@ UPDATERCPN = "bootchartd-stop-initscript" INITSCRIPT_NAME = "bootchartd_stop.sh" INITSCRIPT_PARAMS = "start 99 2 3 4 5 ." -EXTRA_OEMAKE = 'BASE_SBINDIR="${base_sbindir}"' - do_compile:prepend () { export PY_LIBDIR="${libdir}/${PYTHON_DIR}" export BINDIR="${bindir}" - export LIBDIR="${base_libdir}" + export LIBDIR="/${baselib}" + export EARLY_PREFIX="${root_prefix}" } do_install () { @@ -132,9 +130,8 @@ do_install () { export PY_LIBDIR="${libdir}/${PYTHON_DIR}" export BINDIR="${bindir}" export DESTDIR="${D}" - export LIBDIR="${base_libdir}" - export PKGLIBDIR="${base_libdir}/bootchart" - export SYSTEMD_UNIT_DIR="${systemd_system_unitdir}" + export LIBDIR="/${baselib}" + export EARLY_PREFIX="${root_prefix}" oe_runmake install NO_PYTHON_COMPILE=1 install -d ${D}${sysconfdir}/init.d diff --git a/meta/recipes-devtools/ccache/ccache/0001-build-Fix-FTBFS-with-not-yet-released-GCC-13.patch b/meta/recipes-devtools/ccache/ccache/0001-build-Fix-FTBFS-with-not-yet-released-GCC-13.patch new file mode 100644 index 0000000000..d62e1ef26b --- /dev/null +++ b/meta/recipes-devtools/ccache/ccache/0001-build-Fix-FTBFS-with-not-yet-released-GCC-13.patch 
@@ -0,0 +1,92 @@ +From 1523eaeff4669e421b3f60618b43c878e4860fe6 Mon Sep 17 00:00:00 2001 +From: Joel Rosdahl <joel@rosdahl.net> +Date: Tue, 5 Jul 2022 21:42:58 +0200 +Subject: [PATCH] build: Fix FTBFS with not yet released GCC 13 + +Reference: https://gcc.gnu.org/gcc-13/porting_to.html#header-dep-changes + +Fixes #1105. + +Upstream-Status: Backport [v4.7 https://github.com/ccache/ccache/commit/19ef6e267d38d4d8b3e11c915213472d5662d593] +Signed-off-by: Martin Jansa <martin.jansa@gmail.com> +--- + src/Stat.hpp | 1 + + src/core/CacheEntryHeader.hpp | 2 ++ + src/core/Sloppiness.hpp | 1 + + src/core/Statistics.hpp | 3 ++- + src/util/TextTable.hpp | 3 ++- + 5 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/Stat.hpp b/src/Stat.hpp +index 2f56214a..074cdeeb 100644 +--- a/src/Stat.hpp ++++ b/src/Stat.hpp +@@ -23,6 +23,7 @@ + #include <sys/stat.h> + #include <sys/types.h> + ++#include <cstdint> + #include <ctime> + #include <string> + +diff --git a/src/core/CacheEntryHeader.hpp b/src/core/CacheEntryHeader.hpp +index 4c3e04c7..dcc32e1c 100644 +--- a/src/core/CacheEntryHeader.hpp ++++ b/src/core/CacheEntryHeader.hpp +@@ -21,6 +21,8 @@ + #include <compression/types.hpp> + #include <core/types.hpp> + ++#include <cstdint> ++ + // Cache entry format + // ================== + // +diff --git a/src/core/Sloppiness.hpp b/src/core/Sloppiness.hpp +index 917526bf..1ab31d71 100644 +--- a/src/core/Sloppiness.hpp ++++ b/src/core/Sloppiness.hpp +@@ -18,6 +18,7 @@ + + #pragma once + ++#include <cstdint> + #include <string> + + namespace core { +diff --git a/src/core/Statistics.hpp b/src/core/Statistics.hpp +index 3e9ed816..54f32e9c 100644 +--- a/src/core/Statistics.hpp ++++ b/src/core/Statistics.hpp +@@ -1,4 +1,4 @@ +-// Copyright (C) 2020-2021 Joel Rosdahl and other contributors ++// Copyright (C) 2020-2022 Joel Rosdahl and other contributors + // + // See doc/AUTHORS.adoc for a complete list of contributors. 
+ // +@@ -20,6 +20,7 @@ + + #include <core/StatisticsCounters.hpp> + ++#include <cstdint> + #include <string> + #include <unordered_map> + #include <vector> +diff --git a/src/util/TextTable.hpp b/src/util/TextTable.hpp +index 05c0e0e5..60edee75 100644 +--- a/src/util/TextTable.hpp ++++ b/src/util/TextTable.hpp +@@ -1,4 +1,4 @@ +-// Copyright (C) 2021 Joel Rosdahl and other contributors ++// Copyright (C) 2021-2022 Joel Rosdahl and other contributors + // + // See doc/AUTHORS.adoc for a complete list of contributors. + // +@@ -18,6 +18,7 @@ + + #pragma once + ++#include <cstdint> + #include <string> + #include <vector> + diff --git a/meta/recipes-devtools/ccache/ccache_4.6.bb b/meta/recipes-devtools/ccache/ccache_4.6.bb index f019679cf1..d94c5d591a 100644 --- a/meta/recipes-devtools/ccache/ccache_4.6.bb +++ b/meta/recipes-devtools/ccache/ccache_4.6.bb @@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://LICENSE.adoc;md5=ff5327dc93e2b286c931dda3d6079da9" DEPENDS = "zstd" -SRC_URI = "https://github.com/ccache/ccache/releases/download/v${PV}/${BP}.tar.gz" +SRC_URI = "https://github.com/ccache/ccache/releases/download/v${PV}/${BP}.tar.gz \ + file://0001-build-Fix-FTBFS-with-not-yet-released-GCC-13.patch \ +" SRC_URI[sha256sum] = "73a1767ac6b7c0404a1a55f761a746d338e702883c7137fbf587023062258625" UPSTREAM_CHECK_URI = "https://github.com/ccache/ccache/releases/" diff --git a/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb b/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb index ee1f7761c4..45ea78ae00 100644 --- a/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb +++ b/meta/recipes-devtools/cmake/cmake-native_3.22.3.bb @@ -32,6 +32,7 @@ CMAKE_EXTRACONF = "\ -DCMAKE_USE_SYSTEM_LIBRARY_EXPAT=0 \ -DENABLE_ACL=0 -DHAVE_ACL_LIBACL_H=0 \ -DHAVE_SYS_ACL_H=0 \ + -DCURL_LIBRARIES=-lcurl \ " do_configure () { diff --git a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake index 86446c3ace..6434b27371 100644 
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake +++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake @@ -1,7 +1,6 @@ set( CMAKE_SYSTEM_NAME Linux ) set( CMAKE_C_FLAGS $ENV{CFLAGS} CACHE STRING "" FORCE ) set( CMAKE_CXX_FLAGS $ENV{CXXFLAGS} CACHE STRING "" FORCE ) -set( CMAKE_ASM_FLAGS ${CMAKE_C_FLAGS} CACHE STRING "" FORCE ) set( CMAKE_SYSROOT $ENV{OECORE_TARGET_SYSROOT} ) set( CMAKE_FIND_ROOT_PATH $ENV{OECORE_TARGET_SYSROOT} ) @@ -12,13 +11,13 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY ) set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}") -# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming processor-distro-os). -if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+") - set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1}) -endif() +set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} ) # Include the toolchain configuration subscripts file( GLOB toolchain_config_files "${CMAKE_CURRENT_LIST_FILE}.d/*.cmake" ) foreach(config ${toolchain_config_files}) include(${config}) endforeach() + +unset(CMAKE_C_IMPLICIT_INCLUDE_DIRECTORIES) +unset(CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES) diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch new file mode 100644 index 0000000000..bf93fbc13c --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1a.patch 
@@ -0,0 +1,236 @@ +From ee6db10dd70b8fdc7a93cffd7cf5bc7a28f9d3d7 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Mon, 20 Feb 2023 14:53:21 +0100 +Subject: [PATCH 1/5] dmidecode: Split table fetching from decoding + +Clean up function dmi_table so that it does only one thing: +* dmi_table() is renamed to dmi_table_get(). It now retrieves the + DMI table, but does not process it any longer. +* Decoding or dumping the table is now done in smbios3_decode(), + smbios_decode() and legacy_decode(). +No functional change. + +A side effect of this change is that writing the header and body of +dump files is now done in a single location. This is required to +further consolidate the writing of dump files. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab719b920e96ed832cfb4bdd664e808] + +Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> +--- + dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 62 insertions(+), 24 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index cd2b5c9..b082c03 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5247,8 +5247,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) + } + } + +-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, +- u32 flags) ++/* Allocates a buffer for the table, must be freed by the caller */ ++static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver, ++ const char *devmem, u32 flags) + { + u8 *buf; + +@@ -5267,7 +5268,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + { + if (num) + pr_info("%u structures occupying %u bytes.", +- num, len); ++ num, *len); + if (!(opt.flags & FLAG_FROM_DUMP)) + pr_info("Table at 0x%08llX.", + (unsigned long long)base); +@@ -5285,19 
+5286,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + * would be the result of the kernel truncating the table on + * parse error. + */ +- size_t size = len; ++ size_t size = *len; + buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base, + &size, devmem); +- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len) ++ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len) + { + fprintf(stderr, "Wrong DMI structures length: %u bytes " + "announced, only %lu bytes available.\n", +- len, (unsigned long)size); ++ *len, (unsigned long)size); + } +- len = size; ++ *len = size; + } + else +- buf = mem_chunk(base, len, devmem); ++ buf = mem_chunk(base, *len, devmem); + + if (buf == NULL) + { +@@ -5307,15 +5308,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem, + fprintf(stderr, + "Try compiling dmidecode with -DUSE_MMAP.\n"); + #endif +- return; + } + +- if (opt.flags & FLAG_DUMP_BIN) +- dmi_table_dump(buf, len); +- else +- dmi_table_decode(buf, len, num, ver >> 8, flags); +- +- free(buf); ++ return buf; + } + + +@@ -5350,8 +5345,9 @@ static void overwrite_smbios3_address(u8 *buf) + + static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + { +- u32 ver; ++ u32 ver, len; + u64 offset; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x06] > 0x20) +@@ -5377,8 +5373,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + return 0; + } + +- dmi_table(((off_t)offset.h << 32) | offset.l, +- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT); ++ /* Maximum length, may get trimmed */ ++ len = DWORD(buf + 0x0C); ++ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver, ++ devmem, flags | FLAG_STOP_AT_EOT); ++ if (table == NULL) ++ return 1; + + if (opt.flags & FLAG_DUMP_BIN) + { +@@ -5387,18 +5387,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + 
overwrite_smbios3_address(crafted); + ++ dmi_table_dump(table, len); + if (!(opt.flags & FLAG_QUIET)) + pr_comment("Writing %d bytes to %s.", crafted[0x06], + opt.dumpfile); + write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); + } ++ else ++ { ++ dmi_table_decode(table, len, 0, ver >> 8, ++ flags | FLAG_STOP_AT_EOT); ++ } ++ ++ free(table); + + return 1; + } + + static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + { +- u16 ver; ++ u16 ver, num; ++ u32 len; ++ u8 *table; + + /* Don't let checksum run beyond the buffer */ + if (buf[0x05] > 0x20) +@@ -5438,8 +5448,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + pr_info("SMBIOS %u.%u present.", + ver >> 8, ver & 0xFF); + +- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C), +- ver << 8, devmem, flags); ++ /* Maximum length, may get trimmed */ ++ len = WORD(buf + 0x16); ++ num = WORD(buf + 0x1C); ++ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8, ++ devmem, flags); ++ if (table == NULL) ++ return 1; + + if (opt.flags & FLAG_DUMP_BIN) + { +@@ -5448,27 +5463,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_dmi_address(crafted + 0x10); + ++ dmi_table_dump(table, len); + if (!(opt.flags & FLAG_QUIET)) + pr_comment("Writing %d bytes to %s.", crafted[0x05], + opt.dumpfile); + write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); + } ++ else ++ { ++ dmi_table_decode(table, len, num, ver, flags); ++ } ++ ++ free(table); + + return 1; + } + + static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + { ++ u16 ver, num; ++ u32 len; ++ u8 *table; ++ + if (!checksum(buf, 0x0F)) + return 0; + ++ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F); + if (!(opt.flags & FLAG_QUIET)) + pr_info("Legacy DMI %u.%u present.", + buf[0x0E] >> 4, buf[0x0E] & 0x0F); + +- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C), +- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8), +- 
devmem, flags); ++ /* Maximum length, may get trimmed */ ++ len = WORD(buf + 0x06); ++ num = WORD(buf + 0x0C); ++ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8, ++ devmem, flags); ++ if (table == NULL) ++ return 1; + + if (opt.flags & FLAG_DUMP_BIN) + { +@@ -5477,11 +5508,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 16); + overwrite_dmi_address(crafted); + ++ dmi_table_dump(table, len); + if (!(opt.flags & FLAG_QUIET)) + pr_comment("Writing %d bytes to %s.", 0x0F, + opt.dumpfile); + write_dump(0, 0x0F, crafted, opt.dumpfile, 1); + } ++ else ++ { ++ dmi_table_decode(table, len, num, ver, flags); ++ } ++ ++ free(table); + + return 1; + } +-- +2.41.0 + diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch new file mode 100644 index 0000000000..e03bda05e4 --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1b.patch 
@@ -0,0 +1,197 @@ +From d362549bce92ac22860cda8cad4532c1a3fe6928 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Mon, 20 Feb 2023 14:53:25 +0100 +Subject: [PATCH 2/5] dmidecode: Write the whole dump file at once + +When option --dump-bin is used, write the whole dump file at once, +instead of opening and closing the file separately for the table +and then for the entry point. + +As the file writing function is no longer generic, it gets moved +from util.c to dmidecode.c. + +One minor functional change resulting from the new implementation is +that the entry point is written first now, so the messages printed +are swapped. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f387e87091c25e7d5b8c2bb348bb206] + +Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> +--- + dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++-------------- + util.c | 40 ------------------------------- + util.h | 1 - + 3 files changed, 51 insertions(+), 59 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index b082c03..a80a140 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5130,11 +5130,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + } + } + +-static void dmi_table_dump(const u8 *buf, u32 len) ++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, ++ u32 table_len) + { ++ FILE *f; ++ ++ f = fopen(opt.dumpfile, "wb"); ++ if (!f) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fopen"); ++ return -1; ++ } ++ ++ if (!(opt.flags & FLAG_QUIET)) ++ pr_comment("Writing %d bytes to %s.", ep_len, opt.dumpfile); ++ if (fwrite(ep, ep_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fseek(f, 32, SEEK_SET) != 0) ++ { ++ fprintf(stderr, "%s: ", 
opt.dumpfile); ++ perror("fseek"); ++ goto err_close; ++ } ++ + if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", len, opt.dumpfile); +- write_dump(32, len, buf, opt.dumpfile, 0); ++ pr_comment("Writing %d bytes to %s.", table_len, opt.dumpfile); ++ if (fwrite(table, table_len, 1, f) != 1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fwrite"); ++ goto err_close; ++ } ++ ++ if (fclose(f)) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("fclose"); ++ return -1; ++ } ++ ++ return 0; ++ ++err_close: ++ fclose(f); ++ return -1; + } + + static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags) +@@ -5387,11 +5432,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_smbios3_address(crafted); + +- dmi_table_dump(table, len); +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", crafted[0x06], +- opt.dumpfile); +- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x06], table, len); + } + else + { +@@ -5463,11 +5504,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 32); + overwrite_dmi_address(crafted + 0x10); + +- dmi_table_dump(table, len); +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", crafted[0x05], +- opt.dumpfile); +- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, crafted[0x05], table, len); + } + else + { +@@ -5508,11 +5545,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags) + memcpy(crafted, buf, 16); + overwrite_dmi_address(crafted); + +- dmi_table_dump(table, len); +- if (!(opt.flags & FLAG_QUIET)) +- pr_comment("Writing %d bytes to %s.", 0x0F, +- opt.dumpfile); +- write_dump(0, 0x0F, crafted, opt.dumpfile, 1); ++ dmi_table_dump(crafted, 0x0F, table, len); + } + else + { +diff --git a/util.c b/util.c +index 04aaadd..1547096 100644 +--- a/util.c ++++ b/util.c +@@ 
-259,46 +259,6 @@ out: + return p; + } + +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add) +-{ +- FILE *f; +- +- f = fopen(dumpfile, add ? "r+b" : "wb"); +- if (!f) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fopen"); +- return -1; +- } +- +- if (fseek(f, base, SEEK_SET) != 0) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fseek"); +- goto err_close; +- } +- +- if (fwrite(data, len, 1, f) != 1) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fwrite"); +- goto err_close; +- } +- +- if (fclose(f)) +- { +- fprintf(stderr, "%s: ", dumpfile); +- perror("fclose"); +- return -1; +- } +- +- return 0; +- +-err_close: +- fclose(f); +- return -1; +-} +- + /* Returns end - start + 1, assuming start < end */ + u64 u64_range(u64 start, u64 end) + { +diff --git a/util.h b/util.h +index 3094cf8..ef24eb9 100644 +--- a/util.h ++++ b/util.h +@@ -27,5 +27,4 @@ + int checksum(const u8 *buf, size_t len); + void *read_file(off_t base, size_t *len, const char *filename); + void *mem_chunk(off_t base, size_t len, const char *devmem); +-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add); + u64 u64_range(u64 start, u64 end); +-- +2.41.0 + diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch new file mode 100644 index 0000000000..37167a9c4f --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_2.patch 
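Review bot: `dmi_table_dump` now returns -1 on any `fopen`, `fwrite`, `fseek` or `fclose` failure, but all three callers (`smbios3_decode`, `smbios_decode`, `legacy_decode`) discard the result and still `return 1`. A failed or partial dump is therefore presumably reported upward the same way as a successful one; how `main` turns that into an exit status is outside the hunk. I would test the call, `if (dmi_table_dump(crafted, crafted[0x06], table, len) != 0)`, and make that branch lead to a non-zero exit status after `free(table)`. Separately, both `pr_comment("Writing %d bytes to %s.", ...)` calls pass a `u32` to `%d`; `%u` matches the type.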
@@ -0,0 +1,83 @@ +From 2d26f187c734635d072d24ea401255b84f03f4c4 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:03:53 +0000 +Subject: [PATCH 3/5] dmidecode: Do not let --dump-bin overwrite an existing + file + +Make sure that the file passed to option --dump-bin does not already +exist. In practice, it is rather unlikely that an honest user would +want to overwrite an existing dump file, while this possibility +could be used by a rogue user to corrupt a system file. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport +[https://github.com/mirror/dmidecode/commit/6ca381c1247c81f74e1ca4e7706f70bdda72e6f2] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 14 ++++++++++++-- + man/dmidecode.8 | 3 ++- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index a80a140..32a77cc 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -60,6 +60,7 @@ + * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf + */ + ++#include <fcntl.h> + #include <stdio.h> + #include <string.h> + #include <strings.h> +@@ -5133,13 +5134,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver + static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table, + u32 table_len) + { ++ int fd; + FILE *f; + +- f = fopen(opt.dumpfile, "wb"); ++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666); ++ if (fd == -1) ++ { ++ fprintf(stderr, "%s: ", opt.dumpfile); ++ perror("open"); ++ return -1; ++ } ++ ++ f = fdopen(fd, "wb"); + if (!f) + { + fprintf(stderr, "%s: ", opt.dumpfile); +- perror("fopen"); ++ perror("fdopen"); + return -1; + } + +diff --git a/man/dmidecode.8 b/man/dmidecode.8 +index 64dc7e7..d5b7f01 100644 +--- a/man/dmidecode.8 ++++ b/man/dmidecode.8 +@@ -1,4 +1,4 @@ +-.TH DMIDECODE 8 "January 2019" "dmidecode" ++.TH DMIDECODE 8 "February 2023" 
"dmidecode" + .\" + .SH NAME + dmidecode \- \s-1DMI\s0 table decoder +@@ -132,6 +132,7 @@ hexadecimal and \s-1ASCII\s0. This option is mainly useful for debugging. + Do not decode the entries, instead dump the DMI data to a file in binary + form. The generated file is suitable to pass to \fB--from-dump\fR + later. ++\fIFILE\fP must not exist. + .TP + .BR " " " " "--from-dump FILE" + Read the DMI data from a binary file previously generated using +-- +2.41.0 + diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch new file mode 100644 index 0000000000..181092a3fd --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_3.patch 
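Review bot: On the `fdopen` failure path in `dmi_table_dump` the descriptor returned by `open` is never closed, and the empty file just created by `O_CREAT|O_EXCL` is left behind, so a retry with the same name will then fail at `open`. I would change that branch to `perror("fdopen"); close(fd); return -1;`, optionally unlinking `opt.dumpfile` as well. `close` needs `<unistd.h>`, and whether that header is already included is outside the hunk. The creation mode `0666` leaves the dump's permissions to the caller's umask, which deserves a one-line comment since the file holds the raw DMI table. The rest of the function lies outside this hunk.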
@@ -0,0 +1,71 @@ +From ac881f801b92b57fd8daac65fb16fff6d84fd366 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:25:50 +0000 +Subject: [PATCH 4/5] Consistently use read_file() when reading from a dump + file + +Use read_file() instead of mem_chunk() to read the entry point from a +dump file. This is faster, and consistent with how we then read the +actual DMI table from that dump file. + +This made no functional difference so far, which is why it went +unnoticed for years. But now that a file type check was added to the +mem_chunk() function, we must stop using it to read from regular +files. + +This will again allow root to use the --from-dump option. + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Tested-by: Jerry Hoemann <jerry.hoemann@hpe.com> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=c76ddda0ba0aa99a55945e3290095c2ec493c892] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 32a77cc..9a691e0 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5693,17 +5693,25 @@ int main(int argc, char * const argv[]) + pr_comment("dmidecode %s", VERSION); + + /* Read from dump if so instructed */ ++ size = 0x20; + if (opt.flags & FLAG_FROM_DUMP) + { + if (!(opt.flags & FLAG_QUIET)) + pr_info("Reading SMBIOS/DMI data from file %s.", + opt.dumpfile); +- if ((buf = mem_chunk(0, 0x20, opt.dumpfile)) == NULL) ++ if ((buf = read_file(0, &size, opt.dumpfile)) == NULL) + { + ret = 1; + goto exit_free; + } + ++ /* Truncated entry point can't be processed */ ++ if (size < 0x20) ++ { ++ ret = 1; ++ goto done; ++ } ++ + if (memcmp(buf, "_SM3_", 5) == 0) + { + if (smbios3_decode(buf, opt.dumpfile, 0)) +@@ -5727,7 +5735,6 @@ int main(int argc, char * const argv[]) + * contain one of several types of entry points, so read enough for + 
* the largest one, then determine what type it contains. + */ +- size = 0x20; + if (!(opt.flags & FLAG_NO_SYSFS) + && (buf = read_file(0, &size, SYS_ENTRY_FILE)) != NULL) + { +-- +2.41.0 + diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch new file mode 100644 index 0000000000..b7d7f4ff96 --- /dev/null +++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_4.patch 
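Review bot: The new truncated-entry-point branch in `main` sets `ret = 1` and jumps to `done` without printing anything, so a short or empty dump file produces a failing exit with no specific explanation, unless the code at `done`, which is outside the hunk, reports it. A line such as `fprintf(stderr, "%s: truncated entry point\n", opt.dumpfile);` before the `goto done` would make this case distinguishable from "no entry point found". The check demands a full 0x20 bytes for every entry point type; a short comment stating that dump files always reserve 32 bytes for the entry point would record why that is safe for the shorter `_DMI_` form.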
@@ -0,0 +1,138 @@ +From 2fb126eef436389a2dc48d4225b4a9888b0625a8 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Tue, 27 Jun 2023 10:58:11 +0000 +Subject: [PATCH 5/5] Don't read beyond sysfs entry point buffer + +Functions smbios_decode() and smbios3_decode() include a check +against buffer overrun. This check assumes that the buffer length is +always 32 bytes. This is true when reading from /dev/mem or from a +dump file, however when reading from sysfs, the buffer length is the +size of the actual sysfs attribute file, typically 31 bytes for an +SMBIOS 2.x entry point and 24 bytes for an SMBIOS 3.x entry point. + +In the unlikely event of a malformed entry point, with encoded length +larger than expected but smaller than or equal to 32, we would hit a +buffer overrun. So properly pass the actual buffer length as an +argument and perform the check against it. + +In practice, this will never happen, because on the Linux kernel +side, the size of the sysfs attribute file is decided from the entry +point length field. So it is technically impossible for them not to +match. But user-space code should not make such assumptions. 
+ +Signed-off-by: Jean Delvare <jdelvare@suse.de> + +CVE: CVE-2023-30630 + +Upstream-Status: Backport +[https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=2b83c4b898f8325313162f588765411e8e3e5561] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + dmidecode.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/dmidecode.c b/dmidecode.c +index 9a691e0..e725801 100644 +--- a/dmidecode.c ++++ b/dmidecode.c +@@ -5398,14 +5398,14 @@ static void overwrite_smbios3_address(u8 *buf) + buf[0x17] = 0; + } + +-static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) ++static int smbios3_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) + { + u32 ver, len; + u64 offset; + u8 *table; + + /* Don't let checksum run beyond the buffer */ +- if (buf[0x06] > 0x20) ++ if (buf[0x06] > buf_len) + { + fprintf(stderr, + "Entry point length too large (%u bytes, expected %u).\n", +@@ -5455,14 +5455,14 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags) + return 1; + } + +-static int smbios_decode(u8 *buf, const char *devmem, u32 flags) ++static int smbios_decode(u8 *buf, size_t buf_len, const char *devmem, u32 flags) + { + u16 ver, num; + u32 len; + u8 *table; + + /* Don't let checksum run beyond the buffer */ +- if (buf[0x05] > 0x20) ++ if (buf[0x05] > buf_len) + { + fprintf(stderr, + "Entry point length too large (%u bytes, expected %u).\n", +@@ -5714,12 +5714,12 @@ int main(int argc, char * const argv[]) + + if (memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, opt.dumpfile, 0)) ++ if (smbios3_decode(buf, size, opt.dumpfile, 0)) + found++; + } + else if (memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, opt.dumpfile, 0)) ++ if (smbios_decode(buf, size, opt.dumpfile, 0)) + found++; + } + else if (memcmp(buf, "_DMI_", 5) == 0) +@@ -5742,12 +5742,12 @@ int main(int argc, char * const argv[]) + pr_info("Getting SMBIOS data from sysfs."); + if (size >= 24 && 
memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) ++ if (smbios3_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) + found++; + } + else if (size >= 31 && memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) ++ if (smbios_decode(buf, size, SYS_TABLE_FILE, FLAG_NO_FILE_OFFSET)) + found++; + } + else if (size >= 15 && memcmp(buf, "_DMI_", 5) == 0) +@@ -5784,12 +5784,12 @@ int main(int argc, char * const argv[]) + + if (memcmp(buf, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf, opt.devmem, 0)) ++ if (smbios3_decode(buf, 0x20, opt.devmem, 0)) + found++; + } + else if (memcmp(buf, "_SM_", 4) == 0) + { +- if (smbios_decode(buf, opt.devmem, 0)) ++ if (smbios_decode(buf, 0x20, opt.devmem, 0)) + found++; + } + goto done; +@@ -5810,7 +5810,7 @@ memory_scan: + { + if (memcmp(buf + fp, "_SM3_", 5) == 0) + { +- if (smbios3_decode(buf + fp, opt.devmem, 0)) ++ if (smbios3_decode(buf + fp, 0x20, opt.devmem, 0)) + { + found++; + goto done; +@@ -5823,7 +5823,7 @@ memory_scan: + { + if (memcmp(buf + fp, "_SM_", 4) == 0 && fp <= 0xFFE0) + { +- if (smbios_decode(buf + fp, opt.devmem, 0)) ++ if (smbios_decode(buf + fp, 0x20, opt.devmem, 0)) + { + found++; + goto done; +-- +2.41.0 + diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb index 23540b2703..c0f6b45313 100644 --- a/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb +++ b/meta/recipes-devtools/dmidecode/dmidecode_3.3.bb @@ -6,6 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \ file://0001-Committing-changes-from-do_unpack_extra.patch \ + file://CVE-2023-30630_1a.patch \ + file://CVE-2023-30630_1b.patch \ + file://CVE-2023-30630_2.patch \ + file://CVE-2023-30630_3.patch \ + file://CVE-2023-30630_4.patch \ " COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux" 
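Review bot: The `/dev/mem` and memory-scan call sites pass a literal `0x20` as `buf_len`, so the new bound is only as good as the guarantee that 32 bytes are really readable at `buf` or `buf + fp`. For `_SM_` the visible `fp <= 0xFFE0` test appears to provide that, but the corresponding bound for the `_SM3_` scan is outside the hunk and should be confirmed. I would document the new parameter at both signatures, e.g. `/* buf_len: number of valid bytes at buf; the entry point's own length field must not exceed it */`. The arguments of the "expected %u" message are not in the hunk; if they still pass `0x20`, the text will be misleading for the shorter sysfs buffers.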
diff --git a/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch b/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch new file mode 100644 index 0000000000..d249d854fb --- /dev/null +++ b/meta/recipes-devtools/dpkg/dpkg/0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch 
@@ -0,0 +1,328 @@ +From 6d8a6799639f8853a2af1f9036bc70fddbfdd2a2 Mon Sep 17 00:00:00 2001 +From: Guillem Jover <guillem@debian.org> +Date: Tue, 3 May 2022 02:09:32 +0200 +Subject: [PATCH] Dpkg::Source::Archive: Prevent directory traversal for + in-place extracts + +For untrusted v2 and v3 source package formats that include a debian.tar +archive, when we are extracting it, we do that as an in-place extraction, +which can lead to directory traversal situations on specially crafted +orig.tar and debian.tar tarballs. + +GNU tar replaces entries on the filesystem by the entries present on +the tarball, but it will follow symlinks when the symlink pathname +itself is not present as an actual directory on the tarball. + +This means we can create an orig.tar where there's a symlink pointing +out of the source tree root directory, and then a debian.tar that +contains an entry within that symlink as if it was a directory, without +a directory entry for the symlink pathname itself, which will be +extracted following the symlink outside the source tree root. + +This is currently noted as expected in GNU tar documentation. But even +if there was a new extraction mode avoiding this problem we'd need such +new version. Using perl's Archive::Tar would solve the problem, but +switching to such different pure perl implementation, could cause +compatibility or performance issues. + +What we do is when we are requested to perform an in-place extract, we +instead still use a temporary directory, then walk that directory and +remove any matching entry in the destination directory, replicating what +GNU tar would do, but in addition avoiding the directory traversal issue +for symlinks. Which should work with any tar implementation and be safe. 
+ +Reported-by: Max Justicz <max@justi.cz> +Stable-Candidates: 1.18.x 1.19.x 1.20.x +Fixes: commit 0c0057a27fecccab77d2b3cffa9a7d172846f0b4 (1.14.17) +Fixes: CVE-2022-1664 + +CVE: CVE-2022-1664 +Upstream-Status: Backport [7a6c03cb34d4a09f35df2f10779cbf1b70a5200b] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + scripts/Dpkg/Source/Archive.pm | 122 +++++++++++++++++++++++++------- + scripts/t/Dpkg_Source_Archive.t | 110 +++++++++++++++++++++++++++- + 2 files changed, 204 insertions(+), 28 deletions(-) + +diff --git a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm +index 33c181b20..2ddd04af8 100644 +--- a/scripts/Dpkg/Source/Archive.pm ++++ b/scripts/Dpkg/Source/Archive.pm +@@ -21,9 +21,11 @@ use warnings; + our $VERSION = '0.01'; + + use Carp; ++use Errno qw(ENOENT); + use File::Temp qw(tempdir); + use File::Basename qw(basename); + use File::Spec; ++use File::Find; + use Cwd; + + use Dpkg (); +@@ -110,19 +112,13 @@ sub extract { + my %spawn_opts = (wait_child => 1); + + # Prepare destination +- my $tmp; +- if ($opts{in_place}) { +- $spawn_opts{chdir} = $dest; +- $tmp = $dest; # So that fixperms call works +- } else { +- my $template = basename($self->get_filename()) . '.tmp-extract.XXXXX'; +- unless (-e $dest) { +- # Kludge so that realpath works +- mkdir($dest) or syserr(g_('cannot create directory %s'), $dest); +- } +- $tmp = tempdir($template, DIR => Cwd::realpath("$dest/.."), CLEANUP => 1); +- $spawn_opts{chdir} = $tmp; ++ my $template = basename($self->get_filename()) . 
'.tmp-extract.XXXXX'; ++ unless (-e $dest) { ++ # Kludge so that realpath works ++ mkdir($dest) or syserr(g_('cannot create directory %s'), $dest); + } ++ my $tmp = tempdir($template, DIR => Cwd::realpath("$dest/.."), CLEANUP => 1); ++ $spawn_opts{chdir} = $tmp; + + # Prepare stuff that handles the input of tar + $self->ensure_open('r', delete_sig => [ 'PIPE' ]); +@@ -145,22 +141,94 @@ sub extract { + # have to be calculated using mount options and other madness. + fixperms($tmp) unless $opts{no_fixperms}; + +- # Stop here if we extracted in-place as there's nothing to move around +- return if $opts{in_place}; +- +- # Rename extracted directory +- opendir(my $dir_dh, $tmp) or syserr(g_('cannot opendir %s'), $tmp); +- my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dir_dh); +- closedir($dir_dh); +- my $done = 0; +- erasedir($dest); +- if (scalar(@entries) == 1 && ! -l "$tmp/$entries[0]" && -d _) { +- rename("$tmp/$entries[0]", $dest) +- or syserr(g_('unable to rename %s to %s'), +- "$tmp/$entries[0]", $dest); ++ # If we are extracting "in-place" do not remove the destination directory. ++ if ($opts{in_place}) { ++ my $canon_basedir = Cwd::realpath($dest); ++ # On Solaris /dev/null points to /devices/pseudo/mm@0:null. ++ my $canon_devnull = Cwd::realpath('/dev/null'); ++ my $check_symlink = sub { ++ my $pathname = shift; ++ my $canon_pathname = Cwd::realpath($pathname); ++ if (not defined $canon_pathname) { ++ return if $! 
== ENOENT; ++ ++ syserr(g_("pathname '%s' cannot be canonicalized"), $pathname); ++ } ++ return if $canon_pathname eq $canon_devnull; ++ return if $canon_pathname eq $canon_basedir; ++ return if $canon_pathname =~ m{^\Q$canon_basedir/\E}; ++ warning(g_("pathname '%s' points outside source root (to '%s')"), ++ $pathname, $canon_pathname); ++ }; ++ ++ my $move_in_place = sub { ++ my $relpath = File::Spec->abs2rel($File::Find::name, $tmp); ++ my $destpath = File::Spec->catfile($dest, $relpath); ++ ++ my ($mode, $atime, $mtime); ++ lstat $File::Find::name ++ or syserr(g_('cannot get source pathname %s metadata'), $File::Find::name); ++ ((undef) x 2, $mode, (undef) x 5, $atime, $mtime) = lstat _; ++ my $src_is_dir = -d _; ++ ++ my $dest_exists = 1; ++ if (not lstat $destpath) { ++ if ($! == ENOENT) { ++ $dest_exists = 0; ++ } else { ++ syserr(g_('cannot get target pathname %s metadata'), $destpath); ++ } ++ } ++ my $dest_is_dir = -d _; ++ if ($dest_exists) { ++ if ($dest_is_dir && $src_is_dir) { ++ # Refresh the destination directory attributes with the ++ # ones from the tarball. ++ chmod $mode, $destpath ++ or syserr(g_('cannot change directory %s mode'), $File::Find::name); ++ utime $atime, $mtime, $destpath ++ or syserr(g_('cannot change directory %s times'), $File::Find::name); ++ ++ # We should do nothing, and just walk further tree. ++ return; ++ } elsif ($dest_is_dir) { ++ rmdir $destpath ++ or syserr(g_('cannot remove destination directory %s'), $destpath); ++ } else { ++ $check_symlink->($destpath); ++ unlink $destpath ++ or syserr(g_('cannot remove destination file %s'), $destpath); ++ } ++ } ++ # If we are moving a directory, we do not need to walk it. 
++ if ($src_is_dir) { ++ $File::Find::prune = 1; ++ } ++ rename $File::Find::name, $destpath ++ or syserr(g_('cannot move %s to %s'), $File::Find::name, $destpath); ++ }; ++ ++ find({ ++ wanted => $move_in_place, ++ no_chdir => 1, ++ dangling_symlinks => 0, ++ }, $tmp); + } else { +- rename($tmp, $dest) +- or syserr(g_('unable to rename %s to %s'), $tmp, $dest); ++ # Rename extracted directory ++ opendir(my $dir_dh, $tmp) or syserr(g_('cannot opendir %s'), $tmp); ++ my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dir_dh); ++ closedir($dir_dh); ++ ++ erasedir($dest); ++ ++ if (scalar(@entries) == 1 && ! -l "$tmp/$entries[0]" && -d _) { ++ rename("$tmp/$entries[0]", $dest) ++ or syserr(g_('unable to rename %s to %s'), ++ "$tmp/$entries[0]", $dest); ++ } else { ++ rename($tmp, $dest) ++ or syserr(g_('unable to rename %s to %s'), $tmp, $dest); ++ } + } + erasedir($tmp); + } +diff --git a/scripts/t/Dpkg_Source_Archive.t b/scripts/t/Dpkg_Source_Archive.t +index 7b70da68e..504fbe1d4 100644 +--- a/scripts/t/Dpkg_Source_Archive.t ++++ b/scripts/t/Dpkg_Source_Archive.t +@@ -16,12 +16,120 @@ + use strict; + use warnings; + +-use Test::More tests => 1; ++use Test::More tests => 4; ++use Test::Dpkg qw(:paths); ++ ++use File::Spec; ++use File::Path qw(make_path rmtree); + + BEGIN { + use_ok('Dpkg::Source::Archive'); + } + ++use Dpkg; ++ ++my $tmpdir = test_get_temp_path(); ++ ++rmtree($tmpdir); ++ ++sub test_touch ++{ ++ my ($name, $data) = @_; ++ ++ open my $fh, '>', $name ++ or die "cannot touch file $name\n"; ++ print { $fh } $data if $data; ++ close $fh; ++} ++ ++sub test_path_escape ++{ ++ my $name = shift; ++ ++ my $treedir = File::Spec->rel2abs("$tmpdir/$name-tree"); ++ my $overdir = File::Spec->rel2abs("$tmpdir/$name-overlay"); ++ my $outdir = "$tmpdir/$name-out"; ++ my $expdir = "$tmpdir/$name-exp"; ++ ++ # This is the base directory, where we are going to be extracting stuff ++ # into, which include traps. 
++ make_path("$treedir/subdir-a"); ++ test_touch("$treedir/subdir-a/file-a"); ++ test_touch("$treedir/subdir-a/file-pre-a"); ++ make_path("$treedir/subdir-b"); ++ test_touch("$treedir/subdir-b/file-b"); ++ test_touch("$treedir/subdir-b/file-pre-b"); ++ symlink File::Spec->abs2rel($outdir, $treedir), "$treedir/symlink-escape"; ++ symlink File::Spec->abs2rel("$outdir/nonexistent", $treedir), "$treedir/symlink-nonexistent"; ++ symlink "$treedir/file", "$treedir/symlink-within"; ++ test_touch("$treedir/supposed-dir"); ++ ++ # This is the overlay directory, which we'll pack and extract over the ++ # base directory. ++ make_path($overdir); ++ make_path("$overdir/subdir-a/aa"); ++ test_touch("$overdir/subdir-a/aa/file-aa", 'aa'); ++ test_touch("$overdir/subdir-a/file-a", 'a'); ++ make_path("$overdir/subdir-b/bb"); ++ test_touch("$overdir/subdir-b/bb/file-bb", 'bb'); ++ test_touch("$overdir/subdir-b/file-b", 'b'); ++ make_path("$overdir/symlink-escape"); ++ test_touch("$overdir/symlink-escape/escaped-file", 'escaped'); ++ test_touch("$overdir/symlink-nonexistent", 'nonexistent'); ++ make_path("$overdir/symlink-within"); ++ make_path("$overdir/supposed-dir"); ++ test_touch("$overdir/supposed-dir/supposed-file", 'something'); ++ ++ # Generate overlay tar. ++ system($Dpkg::PROGTAR, '-cf', "$overdir.tar", '-C', $overdir, qw( ++ subdir-a subdir-b ++ symlink-escape/escaped-file symlink-nonexistent symlink-within ++ supposed-dir ++ )) == 0 ++ or die "cannot create overlay tar archive\n"; ++ ++ # This is the expected directory, which we'll be comparing against. ++ make_path($expdir); ++ system('cp', '-a', $overdir, $expdir) == 0 ++ or die "cannot copy overlay hierarchy into expected directory\n"; ++ ++ # Store the expected and out reference directories into a tar to compare ++ # its structure against the result reference. 
++ system($Dpkg::PROGTAR, '-cf', "$expdir.tar", '-C', $overdir, qw( ++ subdir-a subdir-b ++ symlink-escape/escaped-file symlink-nonexistent symlink-within ++ supposed-dir ++ ), '-C', $treedir, qw( ++ subdir-a/file-pre-a ++ subdir-b/file-pre-b ++ )) == 0 ++ or die "cannot create expected tar archive\n"; ++ ++ # This directory is supposed to remain empty, anything inside implies a ++ # directory traversal. ++ make_path($outdir); ++ ++ my $warnseen; ++ local $SIG{__WARN__} = sub { $warnseen = $_[0] }; ++ ++ # Perform the extraction. ++ my $tar = Dpkg::Source::Archive->new(filename => "$overdir.tar"); ++ $tar->extract($treedir, in_place => 1); ++ ++ # Store the result into a tar to compare its structure against a reference. ++ system($Dpkg::PROGTAR, '-cf', "$treedir.tar", '-C', $treedir, '.'); ++ ++ # Check results ++ ok(length $warnseen && $warnseen =~ m/points outside source root/, ++ 'expected warning seen'); ++ ok(system($Dpkg::PROGTAR, '--compare', '-f', "$expdir.tar", '-C', $treedir) == 0, ++ 'expected directory matches'); ++ ok(! -e "$outdir/escaped-file", ++ 'expected output directory is empty, directory traversal'); ++} ++ ++test_path_escape('in-place'); ++ + # TODO: Add actual test cases. + + 1; +-- +2.33.0 + diff --git a/meta/recipes-devtools/dpkg/dpkg_1.21.4.bb b/meta/recipes-devtools/dpkg/dpkg_1.21.4.bb index 681909f0bf..7ef6233ee4 100644 --- a/meta/recipes-devtools/dpkg/dpkg_1.21.4.bb +++ b/meta/recipes-devtools/dpkg/dpkg_1.21.4.bb @@ -14,6 +14,7 @@ SRC_URI = "git://salsa.debian.org/dpkg-team/dpkg.git;protocol=https;branch=main file://0001-dpkg-Support-muslx32-build.patch \ file://pager.patch \ file://0001-Add-support-for-riscv32-CPU.patch \ + file://0001-Dpkg-Source-Archive-Prevent-directory-traversal-for-.patch \ " SRC_URI:append:class-native = " file://0001-build.c-ignore-return-of-1-from-tar-cf.patch" 
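Review bot: In the `$move_in_place` closure added to `extract`, the `chmod` and `utime` calls operate on `$destpath`, but their `syserr` messages report `$File::Find::name`, so a failure would name the temporary extraction path instead of the destination directory that could not be updated. Both should pass the path they acted on, e.g. `or syserr(g_('cannot change directory %s mode'), $destpath);` and likewise for the `times` message. Separately, `$check_symlink` only warns when the existing destination resolves outside the source root; that looks safe because the `unlink $destpath` that follows removes the link itself and not its target, and a short comment such as `# unlink() removes the symlink, never what it points to` would record why a warning is sufficient. In the new test, the return value of the `system(... "$treedir.tar" ...)` call is not checked, unlike the other tar invocations around it.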
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
index c97c0377e9..279923db8e 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/run-ptest
@@ -8,3 +8,4 @@ rm -f *.tmp
 rm -f *.ok
 rm -f *.failed
 rm -f *.log
+cp ../data/test_data.tmp ./
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb
index 5b2d1921f0..68c620cf71 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb
@@ -141,4 +141,7 @@ do_install_ptest() {
 install -d ${D}${PTEST_PATH}/lib
 install -m 0644 ${B}/lib/config.h ${D}${PTEST_PATH}/lib/
+
+ install -d ${D}${PTEST_PATH}/data
+ install -m 0644 ${B}/tests/test_data.tmp ${D}${PTEST_PATH}/data/
 }
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.186.bb b/meta/recipes-devtools/elfutils/elfutils_0.186.bb
index 46ee40cce6..d742a2e14e 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.186.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.186.bb
@@ -35,6 +35,8 @@ PTEST_ENABLED:libc-musl = "0"
 EXTRA_OECONF = "--program-prefix=eu-"
+BUILD_CFLAGS += "-Wno-error=stringop-overflow"
+
 DEPENDS_BZIP2 = "bzip2-replacement-native"
 DEPENDS_BZIP2:class-target = "bzip2"
diff --git a/meta/recipes-devtools/file/file/CVE-2022-48554.patch b/meta/recipes-devtools/file/file/CVE-2022-48554.patch
new file mode 100644
index 0000000000..c285bd2c23
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2022-48554.patch
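Review bot: The `BUILD_CFLAGS += "-Wno-error=stringop-overflow"` line added to elfutils_0.186.bb has no comment saying which compiler version and which source location trigger the diagnostic. `-Wstringop-overflow` is one of the warnings that reports writes past the end of a destination, so downgrading it should be tied to a known false positive and be easy to drop once that is fixed; as written, any genuine overflow the compiler later finds in code built with these flags would also stop failing the build. A comment above the line would cover it, for example `# <compiler version> reports a false-positive stringop-overflow in <source file>; remove when fixed upstream`, with the placeholders filled in from the failing build log.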
@@ -0,0 +1,35 @@
+CVE: CVE-2022-48554
+Upstream-Status: Backport [ https://github.com/file/file/commit/497aabb29cd08d2a5aeb63e45798d65fcbe03502 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 497aabb29cd08d2a5aeb63e45798d65fcbe03502 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 14 Feb 2022 16:26:10 +0000
+Subject: [PATCH] PR/310: p870613: Don't use strlcpy to copy the string, it
+ will try to scan the source string to find out how much space is needed the
+ source string might not be NUL terminated.
+
+---
+ src/funcs.c | 11 +++++++----
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/funcs.c b/src/funcs.c
+index 89e1da597..dcfd352d2 100644
+--- a/src/funcs.c
++++ b/src/funcs.c
+@@ -54,9 +54,12 @@ FILE_RCSID("@(#)$File: funcs.c,v 1.124 2022/01/10 14:15:08 christos Exp $")
+ protected char *
+ file_copystr(char *buf, size_t blen, size_t width, const char *str)
+ {
+- if (++width > blen)
+- width = blen;
+- strlcpy(buf, str, width);
++ if (blen == 0)
++ return buf;
++ if (width >= blen)
++ width = blen - 1;
++ memcpy(buf, str, width);
++ buf[width] = '\0';
+ return buf;
+ }
+
diff --git a/meta/recipes-devtools/file/file_5.41.bb b/meta/recipes-devtools/file/file_5.41.bb
index 653887e97a..6fd4f2c746 100644
--- a/meta/recipes-devtools/file/file_5.41.bb
+++ b/meta/recipes-devtools/file/file_5.41.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdd
 DEPENDS = "file-replacement-native"
 DEPENDS:class-native = "bzip2-replacement-native"
-SRC_URI = "git://github.com/file/file.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/file/file.git;branch=master;protocol=https \
+ file://CVE-2022-48554.patch \
+"
 SRCREV = "504206e53a89fd6eed71aeaf878aa3512418eab1"
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/gcc/gcc-11.3.inc b/meta/recipes-devtools/gcc/gcc-11.4.inc
index acbb43a25f..fd6a3e92e3 100644
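Review bot: In the patched `file_copystr`, `memcpy(buf, str, width)` always reads `width` bytes from `str` (after clamping to `blen - 1`), whereas the removed `strlcpy` call stopped copying at the first NUL. The destination side is now bounded correctly, including the `blen == 0` case, but the source side has become an unwritten contract: every caller must pass a `width` no larger than the readable size of `str`, and any bytes after an embedded NUL are copied as well. The callers are outside this hunk, so that cannot be confirmed from here. A comment above the function would record the requirement, e.g. `/* str must have at least width readable bytes; it need not be NUL terminated */`.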
--- a/meta/recipes-devtools/gcc/gcc-11.3.inc +++ b/meta/recipes-devtools/gcc/gcc-11.4.inc @@ -2,11 +2,11 @@ require gcc-common.inc # Third digit in PV should be incremented after a minor release -PV = "11.3.0" +PV = "11.4.0" # BINV should be incremented to a revision after a minor gcc release -BINV = "11.3.0" +BINV = "11.4.0" FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc:${FILE_DIRNAME}/gcc/backport:" @@ -48,7 +48,6 @@ SRC_URI = "\ file://0016-If-CXXFLAGS-contains-something-unsupported-by-the-bu.patch \ file://0017-handle-sysroot-support-for-nativesdk-gcc.patch \ file://0018-Search-target-sysroot-gcc-version-specific-dirs-with.patch \ - file://0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch \ file://0020-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch \ file://0021-Link-libgcc-using-LDFLAGS-not-just-SHLIB_LDFLAGS.patch \ file://0022-sync-gcc-stddef.h-with-musl.patch \ 
@@ -59,20 +58,27 @@ SRC_URI = "\ file://0027-libatomic-Do-not-enforce-march-on-aarch64.patch \ file://0028-debug-101473-apply-debug-prefix-maps-before-checksum.patch \ file://0029-Fix-install-path-of-linux64.h.patch \ - \ + file://0030-rust-recursion-limit.patch \ + file://0031-gcc-sanitizers-fix.patch \ file://0001-CVE-2021-42574.patch \ file://0002-CVE-2021-42574.patch \ file://0003-CVE-2021-42574.patch \ file://0004-CVE-2021-42574.patch \ file://0001-CVE-2021-46195.patch \ + file://0001-aarch64-Update-Neoverse-N2-core-defini.patch \ + file://0002-aarch64-add-armv9-a-to-march.patch \ + file://0003-aarch64-Enable-FP16-feature-by-default-for-Armv9.patch \ + file://0004-arm-add-armv9-a-architecture-to-march.patch \ + file://CVE-2023-4039.patch \ " -SRC_URI[sha256sum] = "b47cf2818691f5b1e21df2bb38c795fac2cfbd640ede2d0a5e1c89e338a3ac39" + +SRC_URI[sha256sum] = "3f2db222b007e8a4a23cd5ba56726ef08e8b1f1eb2055ee72c1402cea73a8dd9" S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}" # For dev release snapshotting #S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${RELEASE}" -#B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}" +B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}" # Language Overrides FORTRAN = "" diff --git a/meta/recipes-devtools/gcc/gcc-configure-common.inc b/meta/recipes-devtools/gcc/gcc-configure-common.inc index e4cdb73f0a..dba25eb754 100644 --- a/meta/recipes-devtools/gcc/gcc-configure-common.inc +++ b/meta/recipes-devtools/gcc/gcc-configure-common.inc @@ -40,7 +40,6 @@ EXTRA_OECONF = "\ ${@get_gcc_mips_plt_setting(bb, d)} \ ${@get_gcc_ppc_plt_settings(bb, d)} \ ${@get_gcc_multiarch_setting(bb, d)} \ - --enable-standard-branch-protection \ " # glibc version is a minimum controlling whether features are enabled. diff --git a/meta/recipes-devtools/gcc/gcc-cross-canadian.inc b/meta/recipes-devtools/gcc/gcc-cross-canadian.inc index a87b446c4f..c36e4cba81 100644 --- a/meta/recipes-devtools/gcc/gcc-cross-canadian.inc 
+++ b/meta/recipes-devtools/gcc/gcc-cross-canadian.inc @@ -9,6 +9,7 @@ GCCMULTILIB = "--enable-multilib" require gcc-configure-common.inc +EXTRA_OECONF += "--with-plugin-ld=ld" EXTRA_OECONF_PATHS = "\ --with-gxx-include-dir=/not/exist${target_includedir}/c++/${BINV} \ --with-build-time-tools=${STAGING_DIR_NATIVE}${prefix_native}/${TARGET_SYS}/bin \ @@ -134,8 +135,6 @@ do_install () { ln -sf ${BINRELPATH}/${TARGET_PREFIX}$t$suffix $dest$t$suffix done - t=real-ld - ln -sf ${BINRELPATH}/${TARGET_PREFIX}ld$suffix $dest$t$suffix # libquadmath headers need to be available in the gcc libexec dir install -d ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/ diff --git a/meta/recipes-devtools/gcc/gcc-cross-canadian_11.3.bb b/meta/recipes-devtools/gcc/gcc-cross-canadian_11.4.bb index bf53c5cd78..bf53c5cd78 100644 --- a/meta/recipes-devtools/gcc/gcc-cross-canadian_11.3.bb +++ b/meta/recipes-devtools/gcc/gcc-cross-canadian_11.4.bb diff --git a/meta/recipes-devtools/gcc/gcc-cross_11.3.bb b/meta/recipes-devtools/gcc/gcc-cross_11.4.bb index b43cca0c52..b43cca0c52 100644 --- a/meta/recipes-devtools/gcc/gcc-cross_11.3.bb +++ b/meta/recipes-devtools/gcc/gcc-cross_11.4.bb diff --git a/meta/recipes-devtools/gcc/gcc-crosssdk_11.3.bb b/meta/recipes-devtools/gcc/gcc-crosssdk_11.4.bb index 40a6c4feff..40a6c4feff 100644 --- a/meta/recipes-devtools/gcc/gcc-crosssdk_11.3.bb +++ b/meta/recipes-devtools/gcc/gcc-crosssdk_11.4.bb diff --git a/meta/recipes-devtools/gcc/gcc-multilib-config.inc b/meta/recipes-devtools/gcc/gcc-multilib-config.inc index 26bfed9507..2dbbc23c94 100644 --- a/meta/recipes-devtools/gcc/gcc-multilib-config.inc +++ b/meta/recipes-devtools/gcc/gcc-multilib-config.inc 
@@ -154,7 +154,7 @@ python gcc_multilib_setup() { gcc_header_config_files = { 'x86_64' : ['gcc/config/linux.h', 'gcc/config/i386/linux.h', 'gcc/config/i386/linux64.h'], 'i586' : ['gcc/config/linux.h', 'gcc/config/i386/linux.h', 'gcc/config/i386/linux64.h'], - 'i686' : ['gcc/config/linux.h', 'gcc/config/i386/linux64.h'], + 'i686' : ['gcc/config/linux.h', 'gcc/config/i386/linux.h', 'gcc/config/i386/linux64.h'], 'mips' : ['gcc/config/linux.h', 'gcc/config/mips/linux.h', 'gcc/config/mips/linux64.h'], 'mips64' : ['gcc/config/linux.h', 'gcc/config/mips/linux.h', 'gcc/config/mips/linux64.h'], 'powerpc' : ['gcc/config/linux.h', 'gcc/config/rs6000/linux64.h'], diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc b/meta/recipes-devtools/gcc/gcc-runtime.inc index e9f2cf16e8..d019b0790b 100644 --- a/meta/recipes-devtools/gcc/gcc-runtime.inc +++ b/meta/recipes-devtools/gcc/gcc-runtime.inc @@ -53,7 +53,7 @@ RUNTIMETARGET:libc-newlib = "libstdc++-v3" REL_S = "/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}" DEBUG_PREFIX_MAP:class-target = " \ - -fdebug-prefix-map=${WORKDIR}/recipe-sysroot= \ + -fdebug-prefix-map=${WORKDIR}/${MLPREFIX}recipe-sysroot= \ -fdebug-prefix-map=${WORKDIR}/recipe-sysroot-native= \ -fdebug-prefix-map=${S}=${REL_S} \ -fdebug-prefix-map=${S}/include=${REL_S}/libstdc++-v3/../include \ @@ -68,7 +68,8 @@ do_configure () { # libstdc++ isn't built yet so CXX would error not able to find it which breaks stdc++'s configure # tests. Create a dummy empty lib for the purposes of configure. mkdir -p ${WORKDIR}/dummylib - touch ${WORKDIR}/dummylib/libstdc++.so + ${CC} -x c /dev/null -c -o ${WORKDIR}/dummylib/dummylib.o + ${AR} rcs ${WORKDIR}/dummylib/libstdc++.a ${WORKDIR}/dummylib/dummylib.o for d in libgcc ${RUNTIMETARGET}; do echo "Configuring $d" rm -rf ${B}/${TARGET_SYS}/$d/ diff --git a/meta/recipes-devtools/gcc/gcc-runtime_11.3.bb b/meta/recipes-devtools/gcc/gcc-runtime_11.4.bb index dd430b57eb..dd430b57eb 100644 --- a/meta/recipes-devtools/gcc/gcc-runtime_11.3.bb 
+++ b/meta/recipes-devtools/gcc/gcc-runtime_11.4.bb diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers_11.3.bb b/meta/recipes-devtools/gcc/gcc-sanitizers_11.4.bb index 8bda2ccad6..8bda2ccad6 100644 --- a/meta/recipes-devtools/gcc/gcc-sanitizers_11.3.bb +++ b/meta/recipes-devtools/gcc/gcc-sanitizers_11.4.bb diff --git a/meta/recipes-devtools/gcc/gcc-shared-source.inc b/meta/recipes-devtools/gcc/gcc-shared-source.inc index aac4b49313..7aa1c22bf0 100644 --- a/meta/recipes-devtools/gcc/gcc-shared-source.inc +++ b/meta/recipes-devtools/gcc/gcc-shared-source.inc @@ -9,3 +9,16 @@ SRC_URI = "" do_configure[depends] += "gcc-source-${PV}:do_preconfigure" do_populate_lic[depends] += "gcc-source-${PV}:do_unpack" +do_deploy_source_date_epoch[depends] += "gcc-source-${PV}:do_deploy_source_date_epoch" + +# Copy the SDE from the shared workdir to the recipe workdir +do_deploy_source_date_epoch () { + sde_file=${SDE_FILE} + sde_file=${sde_file#${WORKDIR}/} + mkdir -p ${SDE_DEPLOYDIR} $(dirname ${SDE_FILE}) + cp -p $(dirname ${S})/$sde_file ${SDE_DEPLOYDIR} + cp -p $(dirname ${S})/$sde_file ${SDE_FILE} +} + +# patch is available via gcc-source recipe +CVE_CHECK_IGNORE += "CVE-2023-4039" diff --git a/meta/recipes-devtools/gcc/gcc-source.inc b/meta/recipes-devtools/gcc/gcc-source.inc index 224b7778ef..265bcf4bef 100644 --- a/meta/recipes-devtools/gcc/gcc-source.inc +++ b/meta/recipes-devtools/gcc/gcc-source.inc @@ -17,6 +17,13 @@ STAMPCLEAN = "${STAMPS_DIR}/work-shared/gcc-${PV}-*" INHIBIT_DEFAULT_DEPS = "1" DEPENDS = "" PACKAGES = "" +TARGET_ARCH = "allarch" +TARGET_AS_ARCH = "none" +TARGET_CC_ARCH = "none" +TARGET_LD_ARCH = "none" +TARGET_OS = "linux" +baselib = "lib" +PACKAGE_ARCH = "all" B = "${WORKDIR}/build" 
@@ -25,8 +32,6 @@ python do_preconfigure () {
 import subprocess
 cmd = d.expand('cd ${S} && PATH=${PATH} gnu-configize')
 subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)
- # See 0044-gengtypes.patch, we need to regenerate this file
- bb.utils.remove(d.expand("${S}/gcc/gengtype-lex.c"))
 cmd = d.expand("sed -i 's/BUILD_INFO=info/BUILD_INFO=/' ${S}/gcc/configure")
 subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)
diff --git a/meta/recipes-devtools/gcc/gcc-source_11.3.bb b/meta/recipes-devtools/gcc/gcc-source_11.4.bb
index b890fa33ea..b890fa33ea 100644
--- a/meta/recipes-devtools/gcc/gcc-source_11.3.bb
+++ b/meta/recipes-devtools/gcc/gcc-source_11.4.bb
diff --git a/meta/recipes-devtools/gcc/gcc-testsuite.inc b/meta/recipes-devtools/gcc/gcc-testsuite.inc
index f68fec58ed..64f60c730f 100644
--- a/meta/recipes-devtools/gcc/gcc-testsuite.inc
+++ b/meta/recipes-devtools/gcc/gcc-testsuite.inc
@@ -51,9 +51,10 @@ python check_prepare() {
 # enable all valid instructions, since the test suite itself does not
 # limit itself to the target cpu options.
 # - valid for x86*, powerpc, arm, arm64
- if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "ppc", "arm", "aarch64"]:
+ if qemu_binary.lstrip("qemu-") in ["x86_64", "i386", "arm", "aarch64"]:
 args += ["-cpu", "max"]
-
+ elif qemu_binary.lstrip("qemu-") in ["ppc"]:
+ args += d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')).split()
 sysroot = d.getVar("RECIPE_SYSROOT")
 args += ["-L", sysroot]
 # lib paths are static here instead of using $libdir since this is used by a -cross recipe
diff --git a/meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-defini.patch b/meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-defini.patch
new file mode 100644
index 0000000000..a0c9db72e1
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc/0001-aarch64-Update-Neoverse-N2-core-defini.patch
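Review bot: In the new `elif` branch of `check_prepare` in gcc-testsuite.inc, the result of `d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH'))` is split without a check. Assuming `getVar` returns `None` for an unset name, a ppc configuration that does not define that variable would fail with an AttributeError rather than run without extra CPU options. A fallback keeps the task working: `args += (d.getVar("QEMU_EXTRAOPTIONS_%s" % d.getVar('PACKAGE_ARCH')) or "").split()`. The body of `check_prepare` continues outside the hunk.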
@@ -0,0 +1,38 @@ +From 9f37d31324f89d0b7b2abac988a976d121ae29c6 Mon Sep 17 00:00:00 2001 +From: Andre Vieira <andre.simoesdiasvieira@arm.com> +Date: Thu, 8 Sep 2022 06:02:18 +0000 +Subject: [PATCH 1/4] aarch64: Update Neoverse N2 core definition + +commit 9f37d31324f89d0b7b2abac988a976d121ae29c6 from upstream. + +gcc/ChangeLog: + + * config/aarch64/aarch64-cores.def: Update Neoverse N2 core entry. + +Upstream-Status: Backport +Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com> +--- + gcc/config/aarch64/aarch64-cores.def | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64-cores.def b/gcc/config/aarch64/aarch64-cores.def +index 4643e0e27..3478e567a 100644 +--- a/gcc/config/aarch64/aarch64-cores.def ++++ b/gcc/config/aarch64/aarch64-cores.def +@@ -147,7 +147,6 @@ + AARCH64_CORE("saphira", saphira, saphira, 8_4A, AARCH64_FL_FOR_ARCH8_4 | AARCH64_FL_CRYPTO, saphira, 0x51, 0xC01, -1) + + /* Armv8.5-A Architecture Processors. */ +-AARCH64_CORE("neoverse-n2", neoversen2, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoversen2, 0x41, 0xd49, -1) + AARCH64_CORE("neoverse-v2", neoversev2, cortexa57, 8_5A, AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_F16 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG, neoverse512tvb, 0x41, 0xd4f, -1) + + /* ARMv8-A big.LITTLE implementations. */ +@@ -165,4 +164,7 @@ + /* Armv8-R Architecture Processors. */ + AARCH64_CORE("cortex-r82", cortexr82, cortexa53, 8R, AARCH64_FL_FOR_ARCH8_R, cortexa53, 0x41, 0xd15, -1) + ++/* Armv9-A Architecture Processors. 
*/ ++AARCH64_CORE("neoverse-n2", neoversen2, cortexa57, 9A, AARCH64_FL_FOR_ARCH9 | AARCH64_FL_I8MM | AARCH64_FL_BF16 | AARCH64_FL_SVE2_BITPERM | AARCH64_FL_RNG | AARCH64_FL_MEMTAG | AARCH64_FL_PROFILE, neoversen2, 0x41, 0xd49, -1) ++ + #undef AARCH64_CORE + diff --git a/meta/recipes-devtools/gcc/gcc/0002-aarch64-add-armv9-a-to-march.patch b/meta/recipes-devtools/gcc/gcc/0002-aarch64-add-armv9-a-to-march.patch new file mode 100644 index 0000000000..2b1c17f53e --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc/0002-aarch64-add-armv9-a-to-march.patch 
@@ -0,0 +1,89 @@ +From d3cf45d15b2fabc767b2d10a0c6bb9fb845e4f99 Mon Sep 17 00:00:00 2001 +From: Przemyslaw Wirkus <przemyslaw.wirkus@arm.com> +Date: Fri, 1 Oct 2021 10:06:45 +0100 +Subject: [PATCH 2/4] aarch64: add armv9-a to -march + +commit f0688d42c9b74a6999548ff2e79ae440b049b87f from upstream + +gcc/ChangeLog: + + * config/aarch64/aarch64-arches.def (AARCH64_ARCH): Added + armv9-a. + * config/aarch64/aarch64.h (AARCH64_FL_V9): New. + (AARCH64_FL_FOR_ARCH9): New flags for Armv9-A. + (AARCH64_ISA_V9): New ISA flag. + * doc/invoke.texi: Update docs. + +Upstream-Status: Backport +Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com> +--- + gcc/config/aarch64/aarch64-arches.def | 1 + + gcc/config/aarch64/aarch64.h | 5 +++++ + gcc/doc/invoke.texi | 3 +++ + 3 files changed, 9 insertions(+) + +diff --git a/gcc/config/aarch64/aarch64-arches.def b/gcc/config/aarch64/aarch64-arches.def +index b7497277b..c47ca622c 100644 +--- a/gcc/config/aarch64/aarch64-arches.def ++++ b/gcc/config/aarch64/aarch64-arches.def +@@ -38,5 +38,6 @@ AARCH64_ARCH("armv8.4-a", generic, 8_4A, 8, AARCH64_FL_FOR_ARCH8_4) + AARCH64_ARCH("armv8.5-a", generic, 8_5A, 8, AARCH64_FL_FOR_ARCH8_5) + AARCH64_ARCH("armv8.6-a", generic, 8_6A, 8, AARCH64_FL_FOR_ARCH8_6) + AARCH64_ARCH("armv8-r", generic, 8R , 8, AARCH64_FL_FOR_ARCH8_R) ++AARCH64_ARCH("armv9-a", generic, 9A , 9, AARCH64_FL_FOR_ARCH9) + + #undef AARCH64_ARCH +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index bfffbcd6a..b914bfb5c 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -230,6 +230,8 @@ extern unsigned aarch64_architecture_version; + + /* Pointer Authentication (PAUTH) extension. */ + #define AARCH64_FL_PAUTH (1ULL << 40) ++/* Armv9.0-A. */ ++#define AARCH64_FL_V9 (1ULL << 41) /* Armv9.0-A Architecture. */ + + /* Has FP and SIMD. 
*/ + #define AARCH64_FL_FPSIMD (AARCH64_FL_FP | AARCH64_FL_SIMD) +@@ -257,6 +259,8 @@ extern unsigned aarch64_architecture_version; + | AARCH64_FL_I8MM | AARCH64_FL_BF16) + #define AARCH64_FL_FOR_ARCH8_R \ + (AARCH64_FL_FOR_ARCH8_4 | AARCH64_FL_V8_R) ++#define AARCH64_FL_FOR_ARCH9 \ ++ (AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_V9) + + /* Macros to test ISA flags. */ + +@@ -295,6 +299,7 @@ extern unsigned aarch64_architecture_version; + #define AARCH64_ISA_SB (aarch64_isa_flags & AARCH64_FL_SB) + #define AARCH64_ISA_V8_R (aarch64_isa_flags & AARCH64_FL_V8_R) + #define AARCH64_ISA_PAUTH (aarch64_isa_flags & AARCH64_FL_PAUTH) ++#define AARCH64_ISA_V9 (aarch64_isa_flags & AARCH64_FL_V9) + + /* Crypto is an optional extension to AdvSIMD. */ + #define TARGET_CRYPTO (TARGET_SIMD && AARCH64_ISA_CRYPTO) +diff --git a/gcc/doc/invoke.texi b/gcc/doc/invoke.texi +index c47cfd472..7184a62d0 100644 +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -18270,6 +18270,8 @@ and the features that they enable by default: + @item @samp{armv8.4-a} @tab Armv8.4-A @tab @samp{armv8.3-a}, @samp{+flagm}, @samp{+fp16fml}, @samp{+dotprod} + @item @samp{armv8.5-a} @tab Armv8.5-A @tab @samp{armv8.4-a}, @samp{+sb}, @samp{+ssbs}, @samp{+predres} + @item @samp{armv8.6-a} @tab Armv8.6-A @tab @samp{armv8.5-a}, @samp{+bf16}, @samp{+i8mm} ++@item @samp{armv8.7-a} @tab Armv8.7-A @tab @samp{armv8.6-a}, @samp{+ls64} ++@item @samp{armv9-a} @tab Armv9-A @tab @samp{armv8.5-a}, @samp{+sve}, @samp{+sve2} + @item @samp{armv8-r} @tab Armv8-R @tab @samp{armv8-r} + @end multitable + +@@ -19692,6 +19694,7 @@ Permissible names are: + @samp{armv8.4-a}, + @samp{armv8.5-a}, + @samp{armv8.6-a}, ++@samp{armv9-a}, + @samp{armv7-r}, + @samp{armv8-r}, + @samp{armv6-m}, @samp{armv6s-m}, +-- +2.32.0 + 
diff --git a/meta/recipes-devtools/gcc/gcc/0003-aarch64-Enable-FP16-feature-by-default-for-Armv9.patch b/meta/recipes-devtools/gcc/gcc/0003-aarch64-Enable-FP16-feature-by-default-for-Armv9.patch new file mode 100644 index 0000000000..2e85384b43 --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc/0003-aarch64-Enable-FP16-feature-by-default-for-Armv9.patch @@ -0,0 +1,38 @@ +From 49bfa1927813ae898dfa4e0d2bbde033c353e3dc Mon Sep 17 00:00:00 2001 +From: Andre Vieira <andre.simoesdiasvieira@arm.com> +Date: Tue, 22 Mar 2022 11:44:06 +0000 +Subject: [PATCH 3/4] aarch64: Enable FP16 feature by default for Armv9 + +commit 0bae246acc758d4b11dd575b05207fd69169109b from upstream + +This patch adds the feature bit for FP16 to the feature set for Armv9 since +Armv9 requires SVE to be implemented and SVE requires FP16 to be implemented. + +2022-03-22 Andre Vieira <andre.simoesdiasvieira@arm.com> + + * config/aarch64/aarch64.h (AARCH64_FL_FOR_ARCH9): Add FP16 feature + bit. + +Upstream-Status: Backport +Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com> +--- + gcc/config/aarch64/aarch64.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index b914bfb5c..55b60d540 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -260,7 +260,8 @@ extern unsigned aarch64_architecture_version; + #define AARCH64_FL_FOR_ARCH8_R \ + (AARCH64_FL_FOR_ARCH8_4 | AARCH64_FL_V8_R) + #define AARCH64_FL_FOR_ARCH9 \ +- (AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_V9) ++ (AARCH64_FL_FOR_ARCH8_5 | AARCH64_FL_SVE | AARCH64_FL_SVE2 | AARCH64_FL_V9 \ ++ | AARCH64_FL_F16) + + /* Macros to test ISA flags. */ + +-- +2.32.0 + diff --git a/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch b/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch new file mode 100644 index 0000000000..b9b0988d5a --- /dev/null 
+++ b/meta/recipes-devtools/gcc/gcc/0004-arm-add-armv9-a-architecture-to-march.patch 
@@ -0,0 +1,291 @@ +From e66a37acae62236611f951e706e9a2bfbd753f39 Mon Sep 17 00:00:00 2001 +From: Przemyslaw Wirkus <przemyslaw.wirkus@arm.com> +Date: Tue, 9 Nov 2021 09:40:05 +0000 +Subject: [PATCH 4/4] arm: add armv9-a architecture to -march + +commit 32ba7860ccaddd5219e6dae94a3d0653e124c9dd from upstream + +In this patch: + + Add `armv9-a` to -march. + + Update multilib with armv9-a and armv9-a+simd. + +gcc/ChangeLog: + + * config/arm/arm-cpus.in (armv9): New define. + (ARMv9a): New group. + (armv9-a): New arch definition. + * config/arm/arm-tables.opt: Regenerate. + * config/arm/arm.h (BASE_ARCH_9A): New arch enum value. + * config/arm/t-aprofile: Added armv9-a and armv9+simd. + * config/arm/t-arm-elf: Added arm9-a, v9_fps and all_v9_archs + to MULTILIB_MATCHES. + * config/arm/t-multilib: Added v9_a_nosimd_variants and + v9_a_simd_variants to MULTILIB_MATCHES. + * doc/invoke.texi: Update docs. + +gcc/testsuite/ChangeLog: + + * gcc.target/arm/multilib.exp: Update test with armv9-a entries. + * lib/target-supports.exp (v9a): Add new armflag. + (__ARM_ARCH_9A__): Add new armdef. + +Upstream-Status: Backport +Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com> +--- + gcc/config/arm/arm-cpus.in | 19 +++++++++++++++++ + gcc/config/arm/arm-tables.opt | 7 +++++-- + gcc/config/arm/arm.h | 3 ++- + gcc/config/arm/t-aprofile | 25 +++++++++++++++++++---- + gcc/config/arm/t-arm-elf | 9 ++++++++ + gcc/config/arm/t-multilib | 12 +++++++++++ + gcc/doc/invoke.texi | 1 + + gcc/testsuite/gcc.target/arm/multilib.exp | 8 ++++++++ + gcc/testsuite/lib/target-supports.exp | 3 ++- + 9 files changed, 79 insertions(+), 8 deletions(-) + +Index: gcc/gcc/config/arm/arm-cpus.in +=================================================================== +--- a/gcc/config/arm/arm-cpus.in ++++ b/gcc/config/arm/arm-cpus.in +@@ -132,6 +132,9 @@ define feature cmse + # Architecture rel 8.1-M. + define feature armv8_1m_main + ++# Architecture rel 9.0. 
++define feature armv9 ++ + # Floating point and Neon extensions. + # VFPv1 is not supported in GCC. + +@@ -293,6 +296,7 @@ define fgroup ARMv8m_base ARMv6m armv8 c + define fgroup ARMv8m_main ARMv7m armv8 cmse + define fgroup ARMv8r ARMv8a + define fgroup ARMv8_1m_main ARMv8m_main armv8_1m_main ++define fgroup ARMv9a ARMv8_5a armv9 + + # Useful combinations. + define fgroup VFPv2 vfpv2 +@@ -751,6 +755,21 @@ begin arch armv8.1-m.main + option cdecp7 add cdecp7 + end arch armv8.1-m.main + ++begin arch armv9-a ++ tune for cortex-a53 ++ tune flags CO_PROC ++ base 9A ++ profile A ++ isa ARMv9a ++ option simd add FP_ARMv8 DOTPROD ++ option fp16 add fp16 fp16fml FP_ARMv8 DOTPROD ++ option crypto add FP_ARMv8 CRYPTO DOTPROD ++ option nocrypto remove ALL_CRYPTO ++ option nofp remove ALL_FP ++ option i8mm add i8mm FP_ARMv8 DOTPROD ++ option bf16 add bf16 FP_ARMv8 DOTPROD ++end arch armv9-a ++ + begin arch iwmmxt + tune for iwmmxt + tune flags LDSCHED STRONG XSCALE +Index: gcc/gcc/config/arm/arm-tables.opt +=================================================================== +--- a/gcc/config/arm/arm-tables.opt ++++ b/gcc/config/arm/arm-tables.opt +@@ -380,10 +380,13 @@ EnumValue + Enum(arm_arch) String(armv8.1-m.main) Value(30) + + EnumValue +-Enum(arm_arch) String(iwmmxt) Value(31) ++Enum(arm_arch) String(armv9-a) Value(31) + + EnumValue +-Enum(arm_arch) String(iwmmxt2) Value(32) ++Enum(arm_arch) String(iwmmxt) Value(32) ++ ++EnumValue ++Enum(arm_arch) String(iwmmxt2) Value(33) + + Enum + Name(arm_fpu) Type(enum fpu_type) +Index: gcc/gcc/config/arm/arm.h +=================================================================== +--- a/gcc/config/arm/arm.h ++++ b/gcc/config/arm/arm.h +@@ -456,7 +456,8 @@ enum base_architecture + BASE_ARCH_8A = 8, + BASE_ARCH_8M_BASE = 8, + BASE_ARCH_8M_MAIN = 8, +- BASE_ARCH_8R = 8 ++ BASE_ARCH_8R = 8, ++ BASE_ARCH_9A = 9 + }; + + /* The major revision number of the ARM Architecture implemented by the target. 
*/ +Index: gcc/gcc/config/arm/t-aprofile +=================================================================== +--- a/gcc/config/arm/t-aprofile ++++ b/gcc/config/arm/t-aprofile +@@ -26,8 +26,8 @@ + + # Arch and FPU variants to build libraries with + +-MULTI_ARCH_OPTS_A = march=armv7-a/march=armv7-a+fp/march=armv7-a+simd/march=armv7ve+simd/march=armv8-a/march=armv8-a+simd +-MULTI_ARCH_DIRS_A = v7-a v7-a+fp v7-a+simd v7ve+simd v8-a v8-a+simd ++MULTI_ARCH_OPTS_A = march=armv7-a/march=armv7-a+fp/march=armv7-a+simd/march=armv7ve+simd/march=armv8-a/march=armv8-a+simd/march=armv9-a/march=armv9-a+simd ++MULTI_ARCH_DIRS_A = v7-a v7-a+fp v7-a+simd v7ve+simd v8-a v8-a+simd v9-a v9-a+simd + + # ARMv7-A - build nofp, fp-d16 and SIMD variants + +@@ -46,6 +46,11 @@ MULTILIB_REQUIRED += mthumb/march=armv8- + MULTILIB_REQUIRED += mthumb/march=armv8-a+simd/mfloat-abi=hard + MULTILIB_REQUIRED += mthumb/march=armv8-a+simd/mfloat-abi=softfp + ++# Armv9-A - build nofp and SIMD variants. ++MULTILIB_REQUIRED += mthumb/march=armv9-a/mfloat-abi=soft ++MULTILIB_REQUIRED += mthumb/march=armv9-a+simd/mfloat-abi=hard ++MULTILIB_REQUIRED += mthumb/march=armv9-a+simd/mfloat-abi=softfp ++ + # Matches + + # Arch Matches +@@ -129,17 +134,29 @@ MULTILIB_MATCHES += march?armv8-a=march? + MULTILIB_MATCHES += $(foreach ARCH, $(v8_6_a_simd_variants), \ + march?armv8-a+simd=march?armv8.6-a$(ARCH)) + ++# Armv9 without SIMD: map down to base architecture ++MULTILIB_MATCHES += $(foreach ARCH, $(v9_a_nosimd_variants), \ ++ march?armv9-a=march?armv9-a$(ARCH)) ++ ++# Armv9 with SIMD: map down to base arch + simd ++MULTILIB_MATCHES += march?armv9-a+simd=march?armv9-a+crc+simd \ ++ $(foreach ARCH, $(filter-out +simd, $(v9_a_simd_variants)), \ ++ march?armv9-a+simd=march?armv9-a$(ARCH) \ ++ march?armv9-a+simd=march?armv9-a+crc$(ARCH)) ++ + # Use Thumb libraries for everything. 
+ + MULTILIB_REUSE += mthumb/march.armv7-a/mfloat-abi.soft=marm/march.armv7-a/mfloat-abi.soft + + MULTILIB_REUSE += mthumb/march.armv8-a/mfloat-abi.soft=marm/march.armv8-a/mfloat-abi.soft + ++MULTILIB_REUSE += mthumb/march.armv9-a/mfloat-abi.soft=marm/march.armv9-a/mfloat-abi.soft ++ + MULTILIB_REUSE += $(foreach ABI, hard softfp, \ +- $(foreach ARCH, armv7-a+fp armv7-a+simd armv7ve+simd armv8-a+simd, \ ++ $(foreach ARCH, armv7-a+fp armv7-a+simd armv7ve+simd armv8-a+simd armv9-a+simd, \ + mthumb/march.$(ARCH)/mfloat-abi.$(ABI)=marm/march.$(ARCH)/mfloat-abi.$(ABI))) + + # Softfp but no FP, use the soft-float libraries. + MULTILIB_REUSE += $(foreach MODE, arm thumb, \ +- $(foreach ARCH, armv7-a armv8-a, \ ++ $(foreach ARCH, armv7-a armv8-a armv9-a, \ + mthumb/march.$(ARCH)/mfloat-abi.soft=m$(MODE)/march.$(ARCH)/mfloat-abi.softfp)) +Index: gcc/gcc/config/arm/t-arm-elf +=================================================================== +--- a/gcc/config/arm/t-arm-elf ++++ b/gcc/config/arm/t-arm-elf +@@ -38,6 +38,8 @@ v7ve_fps := vfpv3-d16 vfpv3 vfpv3-d16-fp + # it seems to work ok. + v8_fps := simd fp16 crypto fp16+crypto dotprod fp16fml + ++v9_fps := simd fp16 crypto fp16+crypto dotprod fp16fml ++ + # We don't do anything special with these. Pre-v4t probably doesn't work. 
+ all_early_nofp := armv4 armv4t armv5t + +@@ -49,6 +51,8 @@ all_v7_a_r := armv7-a armv7ve armv7-r + all_v8_archs := armv8-a armv8-a+crc armv8.1-a armv8.2-a armv8.3-a armv8.4-a \ + armv8.5-a armv8.6-a + ++all_v9_archs := armv9-a ++ + # No floating point variants, require thumb1 softfp + all_nofp_t := armv6-m armv6s-m armv8-m.base + +@@ -110,6 +114,11 @@ MULTILIB_MATCHES += $(foreach ARCH, + $(foreach FPARCH, $(v8_fps), \ + march?armv7+fp=march?$(ARCH)+$(FPARCH))) + ++MULTILIB_MATCHES += $(foreach ARCH, $(all_v9_archs), \ ++ march?armv7+fp=march?$(ARCH) \ ++ $(foreach FPARCH, $(v9_fps), \ ++ march?armv7+fp=march?$(ARCH)+$(FPARCH))) ++ + MULTILIB_MATCHES += $(foreach ARCH, armv7e-m armv8-m.mainline, \ + march?armv7+fp=march?$(ARCH)+fp.dp) + +Index: gcc/gcc/config/arm/t-multilib +=================================================================== +--- a/gcc/config/arm/t-multilib ++++ b/gcc/config/arm/t-multilib +@@ -78,6 +78,8 @@ v8_4_a_simd_variants := $(call all_feat_ + v8_5_a_simd_variants := $(call all_feat_combs, simd fp16 crypto i8mm bf16) + v8_6_a_simd_variants := $(call all_feat_combs, simd fp16 crypto i8mm bf16) + v8_r_nosimd_variants := +crc ++v9_a_nosimd_variants := +crc ++v9_a_simd_variants := $(call all_feat_combs, simd fp16 crypto i8mm bf16) + + ifneq (,$(HAS_APROFILE)) + include $(srcdir)/config/arm/t-aprofile +@@ -202,6 +204,16 @@ MULTILIB_MATCHES += march?armv7=march?ar + MULTILIB_MATCHES += $(foreach ARCH, $(v8_6_a_simd_variants), \ + march?armv7+fp=march?armv8.6-a$(ARCH)) + ++# Armv9 ++MULTILIB_MATCHES += march?armv7=march?armv9-a ++MULTILIB_MATCHES += $(foreach ARCH, $(v9_a_nosimd_variants), \ ++ march?armv7=march?armv9-a$(ARCH)) ++ ++# Armv9 with SIMD ++MULTILIB_MATCHES += march?armv7+fp=march?armv9-a+crc+simd \ ++ $(foreach ARCH, $(v9_a_simd_variants), \ ++ march?armv7+fp=march?armv9-a$(ARCH) \ ++ march?armv7+fp=march?armv9-a+crc$(ARCH)) + endif # Not APROFILE. + + # Use Thumb libraries for everything. 
+Index: gcc/gcc/doc/invoke.texi +=================================================================== +--- a/gcc/doc/invoke.texi ++++ b/gcc/doc/invoke.texi +@@ -19701,6 +19701,7 @@ Permissible names are: + @samp{armv7-m}, @samp{armv7e-m}, + @samp{armv8-m.base}, @samp{armv8-m.main}, + @samp{armv8.1-m.main}, ++@samp{armv9-a}, + @samp{iwmmxt} and @samp{iwmmxt2}. + + Additionally, the following architectures, which lack support for the +Index: gcc/gcc/testsuite/gcc.target/arm/multilib.exp +=================================================================== +--- a/gcc/testsuite/gcc.target/arm/multilib.exp ++++ b/gcc/testsuite/gcc.target/arm/multilib.exp +@@ -135,6 +135,14 @@ if {[multilib_config "aprofile"] } { + {-march=armv8.6-a+simd+fp16 -mfloat-abi=softfp} "thumb/v8-a+simd/softfp" + {-march=armv8.6-a+simd+fp16+nofp -mfloat-abi=softfp} "thumb/v8-a/nofp" + {-march=armv8.6-a+simd+nofp+fp16 -mfloat-abi=softfp} "thumb/v8-a+simd/softfp" ++ {-march=armv9-a+crypto -mfloat-abi=soft} "thumb/v9-a/nofp" ++ {-march=armv9-a+simd+crypto -mfloat-abi=softfp} "thumb/v9-a+simd/softfp" ++ {-march=armv9-a+simd+crypto+nofp -mfloat-abi=softfp} "thumb/v9-a/nofp" ++ {-march=armv9-a+simd+nofp+crypto -mfloat-abi=softfp} "thumb/v9-a+simd/softfp" ++ {-march=armv9-a+fp16 -mfloat-abi=soft} "thumb/v9-a/nofp" ++ {-march=armv9-a+simd+fp16 -mfloat-abi=softfp} "thumb/v9-a+simd/softfp" ++ {-march=armv9-a+simd+fp16+nofp -mfloat-abi=softfp} "thumb/v9-a/nofp" ++ {-march=armv9-a+simd+nofp+fp16 -mfloat-abi=softfp} "thumb/v9-a+simd/softfp" + {-mcpu=cortex-a53+crypto -mfloat-abi=hard} "thumb/v8-a+simd/hard" + {-mcpu=cortex-a53+nofp -mfloat-abi=softfp} "thumb/v8-a/nofp" + {-march=armv8-a+crc -mfloat-abi=hard -mfpu=vfp} "thumb/v8-a+simd/hard" +Index: gcc/gcc/testsuite/lib/target-supports.exp +=================================================================== +--- a/gcc/testsuite/lib/target-supports.exp ++++ b/gcc/testsuite/lib/target-supports.exp +@@ -4820,7 +4820,8 @@ foreach { armfunc armflag armdefs } { + 
v8m_base "-march=armv8-m.base -mthumb -mfloat-abi=soft" + __ARM_ARCH_8M_BASE__ + v8m_main "-march=armv8-m.main -mthumb" __ARM_ARCH_8M_MAIN__ +- v8_1m_main "-march=armv8.1-m.main -mthumb" __ARM_ARCH_8M_MAIN__ } { ++ v8_1m_main "-march=armv8.1-m.main -mthumb" __ARM_ARCH_8M_MAIN__ ++ v9a "-march=armv9-a" __ARM_ARCH_9A__ } { + eval [string map [list FUNC $armfunc FLAG $armflag DEFS $armdefs ] { + proc check_effective_target_arm_arch_FUNC_ok { } { + return [check_no_compiler_messages arm_arch_FUNC_ok assembly { diff --git a/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch b/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch index ef19eef822..ece5873258 100644 --- a/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch +++ b/meta/recipes-devtools/gcc/gcc/0006-Define-GLIBC_DYNAMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch @@ -1,4 +1,4 @@ -From 84dd8ea4c982fc2c82af642293d29e9c1880de5b Mon Sep 17 00:00:00 2001 +From 4de00af67b57b5440bdf61ab364ad959ad0aeee7 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Fri, 29 Mar 2013 09:24:50 +0400 Subject: [PATCH] Define GLIBC_DYNAMIC_LINKER and UCLIBC_DYNAMIC_LINKER @@ -12,26 +12,35 @@ SH, sparc, alpha for possible future support (if any) Removes the do_headerfix task in metadata +Signed-off-by: Khem Raj <raj.khem@gmail.com> + Upstream-Status: Inappropriate [OE configuration] 
Signed-off-by: Khem Raj <raj.khem@gmail.com> + +Refresh patch from master to deduplicate patches and fix arm linker +Signed-off-by: Pavel Zhukov <pavel@zhukoff.net> --- gcc/config/aarch64/aarch64-linux.h | 4 ++-- gcc/config/alpha/linux-elf.h | 4 ++-- - gcc/config/arm/linux-eabi.h | 4 ++-- + gcc/config/arm/linux-eabi.h | 6 +++--- gcc/config/arm/linux-elf.h | 2 +- - gcc/config/i386/linux.h | 2 +- - gcc/config/i386/linux64.h | 6 +++--- + gcc/config/i386/linux.h | 4 ++-- + gcc/config/i386/linux64.h | 12 ++++++------ gcc/config/linux.h | 8 ++++---- - gcc/config/mips/linux.h | 12 ++++++------ - gcc/config/riscv/linux.h | 2 +- + gcc/config/microblaze/linux.h | 4 ++-- + gcc/config/mips/linux.h | 18 +++++++++--------- + gcc/config/nios2/linux.h | 4 ++-- + gcc/config/riscv/linux.h | 4 ++-- gcc/config/rs6000/linux64.h | 15 +++++---------- - gcc/config/sh/linux.h | 2 +- + gcc/config/rs6000/sysv4.h | 4 ++-- + gcc/config/s390/linux.h | 8 ++++---- + gcc/config/sh/linux.h | 4 ++-- gcc/config/sparc/linux.h | 2 +- gcc/config/sparc/linux64.h | 4 ++-- - 13 files changed, 31 insertions(+), 36 deletions(-) + 17 files changed, 53 insertions(+), 58 deletions(-) -diff --git a/gcc/config/aarch64/aarch64-linux.h b/gcc/config/aarch64/aarch64-linux.h -index 7f2529a2a1d..4bcae7f3110 100644 +Index: gcc/gcc/config/aarch64/aarch64-linux.h +=================================================================== --- a/gcc/config/aarch64/aarch64-linux.h +++ b/gcc/config/aarch64/aarch64-linux.h @@ -21,10 +21,10 @@ @@ -47,11 +56,11 @@ index 7f2529a2a1d..4bcae7f3110 100644 #undef ASAN_CC1_SPEC #define ASAN_CC1_SPEC "%{%:sanitize(address):-funwind-tables}" -diff --git a/gcc/config/alpha/linux-elf.h b/gcc/config/alpha/linux-elf.h -index c1dae8ca2cf..3ce2b76c1a4 100644 +Index: gcc/gcc/config/alpha/linux-elf.h +=================================================================== --- a/gcc/config/alpha/linux-elf.h 
+++ b/gcc/config/alpha/linux-elf.h -@@ -23,8 +23,8 @@ along with GCC; see the file COPYING3. If not see +@@ -23,8 +23,8 @@ along with GCC; see the file COPYING3. #define EXTRA_SPECS \ { "elf_dynamic_linker", ELF_DYNAMIC_LINKER }, @@ -62,8 +71,8 @@ index c1dae8ca2cf..3ce2b76c1a4 100644 #if DEFAULT_LIBC == LIBC_UCLIBC #define CHOOSE_DYNAMIC_LINKER(G, U) "%{mglibc:" G ";:" U "}" #elif DEFAULT_LIBC == LIBC_GLIBC -diff --git a/gcc/config/arm/linux-eabi.h b/gcc/config/arm/linux-eabi.h -index 85d0136e76e..6bd95855827 100644 +Index: gcc/gcc/config/arm/linux-eabi.h +=================================================================== --- a/gcc/config/arm/linux-eabi.h +++ b/gcc/config/arm/linux-eabi.h @@ -65,8 +65,8 @@ @@ -77,8 +86,17 @@ index 85d0136e76e..6bd95855827 100644 #define GLIBC_DYNAMIC_LINKER_DEFAULT GLIBC_DYNAMIC_LINKER_SOFT_FLOAT #define GLIBC_DYNAMIC_LINKER \ -diff --git a/gcc/config/arm/linux-elf.h b/gcc/config/arm/linux-elf.h -index 0c1c4e70b6b..6bd643ade11 100644 +@@ -89,7 +89,7 @@ + #define MUSL_DYNAMIC_LINKER_E "%{mbig-endian:eb}" + #endif + #define MUSL_DYNAMIC_LINKER \ +- "/lib/ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" + + /* At this point, bpabi.h will have clobbered LINK_SPEC. We want to + use the GNU/Linux version, not the generic BPABI version. */ +Index: gcc/gcc/config/arm/linux-elf.h +=================================================================== --- a/gcc/config/arm/linux-elf.h +++ b/gcc/config/arm/linux-elf.h @@ -60,7 +60,7 @@ @@ -90,11 +108,11 @@ index 0c1c4e70b6b..6bd643ade11 100644 #define LINUX_TARGET_LINK_SPEC "%{h*} \ %{static:-Bstatic} \ -diff --git a/gcc/config/i386/linux.h b/gcc/config/i386/linux.h -index 04b274f1654..7aafcf3ac2d 100644 +Index: gcc/gcc/config/i386/linux.h +=================================================================== --- a/gcc/config/i386/linux.h 
+++ b/gcc/config/i386/linux.h -@@ -20,7 +20,7 @@ along with GCC; see the file COPYING3. If not see +@@ -20,7 +20,7 @@ along with GCC; see the file COPYING3. <http://www.gnu.org/licenses/>. */ #define GNU_USER_LINK_EMULATION "elf_i386" @@ -102,12 +120,13 @@ index 04b274f1654..7aafcf3ac2d 100644 +#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-linux.so.2" #undef MUSL_DYNAMIC_LINKER - #define MUSL_DYNAMIC_LINKER "/lib/ld-musl-i386.so.1" -diff --git a/gcc/config/i386/linux64.h b/gcc/config/i386/linux64.h -index b3822ced528..92d303e80d6 100644 +-#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-i386.so.1" ++#define MUSL_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-musl-i386.so.1" +Index: gcc/gcc/config/i386/linux64.h +=================================================================== --- a/gcc/config/i386/linux64.h +++ b/gcc/config/i386/linux64.h -@@ -27,9 +27,9 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see +@@ -27,13 +27,13 @@ see the files COPYING3 and COPYING.RUNTI #define GNU_USER_LINK_EMULATION64 "elf_x86_64" #define GNU_USER_LINK_EMULATIONX32 "elf32_x86_64" @@ -119,12 +138,19 @@ index b3822ced528..92d303e80d6 100644 +#define GLIBC_DYNAMIC_LINKERX32 SYSTEMLIBS_DIR "ld-linux-x32.so.2" #undef MUSL_DYNAMIC_LINKER32 - #define MUSL_DYNAMIC_LINKER32 "/lib/ld-musl-i386.so.1" -diff --git a/gcc/config/linux.h b/gcc/config/linux.h -index 4e1db60fced..87efc5f69fe 100644 +-#define MUSL_DYNAMIC_LINKER32 "/lib/ld-musl-i386.so.1" ++#define MUSL_DYNAMIC_LINKER32 SYSTEMLIBS_DIR "ld-musl-i386.so.1" + #undef MUSL_DYNAMIC_LINKER64 +-#define MUSL_DYNAMIC_LINKER64 "/lib/ld-musl-x86_64.so.1" ++#define MUSL_DYNAMIC_LINKER64 SYSTEMLIBS_DIR "ld-musl-x86_64.so.1" + #undef MUSL_DYNAMIC_LINKERX32 +-#define MUSL_DYNAMIC_LINKERX32 "/lib/ld-musl-x32.so.1" ++#define MUSL_DYNAMIC_LINKERX32 SYSTEMLIBS_DIR "ld-musl-x32.so.1" +Index: gcc/gcc/config/linux.h +=================================================================== --- a/gcc/config/linux.h 
+++ b/gcc/config/linux.h -@@ -94,10 +94,10 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see +@@ -94,10 +94,10 @@ see the files COPYING3 and COPYING.RUNTI GLIBC_DYNAMIC_LINKER must be defined for each target using them, or GLIBC_DYNAMIC_LINKER32 and GLIBC_DYNAMIC_LINKER64 for targets supporting both 32-bit and 64-bit compilation. */ @@ -139,11 +165,33 @@ index 4e1db60fced..87efc5f69fe 100644 #define BIONIC_DYNAMIC_LINKER "/system/bin/linker" #define BIONIC_DYNAMIC_LINKER32 "/system/bin/linker" #define BIONIC_DYNAMIC_LINKER64 "/system/bin/linker64" -diff --git a/gcc/config/mips/linux.h b/gcc/config/mips/linux.h -index 44a85e410d9..8d41b5574f6 100644 +Index: gcc/gcc/config/microblaze/linux.h +=================================================================== +--- a/gcc/config/microblaze/linux.h ++++ b/gcc/config/microblaze/linux.h +@@ -28,7 +28,7 @@ + #undef TLS_NEEDS_GOT + #define TLS_NEEDS_GOT 1 + +-#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "/ld.so.1" + #define UCLIBC_DYNAMIC_LINKER "/lib/ld-uClibc.so.0" + + #if TARGET_BIG_ENDIAN_DEFAULT == 0 /* LE */ +@@ -38,7 +38,7 @@ + #endif + + #undef MUSL_DYNAMIC_LINKER +-#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-microblaze" MUSL_DYNAMIC_LINKER_E ".so.1" ++#define MUSL_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-musl-microblaze" MUSL_DYNAMIC_LINKER_E ".so.1" + + #undef SUBTARGET_EXTRA_SPECS + #define SUBTARGET_EXTRA_SPECS \ +Index: gcc/gcc/config/mips/linux.h +=================================================================== --- a/gcc/config/mips/linux.h +++ b/gcc/config/mips/linux.h -@@ -22,20 +22,20 @@ along with GCC; see the file COPYING3. If not see +@@ -22,29 +22,29 @@ along with GCC; see the file COPYING3. #define GNU_USER_LINK_EMULATIONN32 "elf32%{EB:b}%{EL:l}tsmipn32" #define GLIBC_DYNAMIC_LINKER32 \ 
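Review bot: In the microblaze/linux.h hunk the new glibc define reads `SYSTEMLIBS_DIR "/ld.so.1"`, with a leading slash that the other converted defines in this refresh omit, for example `SYSTEMLIBS_DIR "ld.so.1"` in rs6000/sysv4.h. If SYSTEMLIBS_DIR ends in a slash, as the other uses imply, the interpreter path recorded in microblaze binaries becomes `<dir>//ld.so.1`. That normally still resolves, but it may not match tooling that compares the interpreter string literally. I would write `#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld.so.1"`. `UCLIBC_DYNAMIC_LINKER` on the following line keeps a hard-coded `/lib/` prefix, which may be intended but is worth confirming.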
@@ -170,11 +218,36 @@ index 44a85e410d9..8d41b5574f6 100644 #undef MUSL_DYNAMIC_LINKER32 #define MUSL_DYNAMIC_LINKER32 \ -diff --git a/gcc/config/riscv/linux.h b/gcc/config/riscv/linux.h -index fce5b896e6e..03aa55cb5ab 100644 +- "/lib/ld-musl-mips%{mips32r6|mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-mips%{mips32r6|mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" + #undef MUSL_DYNAMIC_LINKER64 + #define MUSL_DYNAMIC_LINKER64 \ +- "/lib/ld-musl-mips64%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-mips64%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" + #define MUSL_DYNAMIC_LINKERN32 \ +- "/lib/ld-musl-mipsn32%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-mipsn32%{mips64r6:r6}%{EL:el}%{msoft-float:-sf}.so.1" + + #define BIONIC_DYNAMIC_LINKERN32 "/system/bin/linker32" + #define GNU_USER_DYNAMIC_LINKERN32 \ +Index: gcc/gcc/config/nios2/linux.h +=================================================================== +--- a/gcc/config/nios2/linux.h ++++ b/gcc/config/nios2/linux.h +@@ -29,7 +29,7 @@ + #undef CPP_SPEC + #define CPP_SPEC "%{posix:-D_POSIX_SOURCE} %{pthread:-D_REENTRANT}" + +-#define GLIBC_DYNAMIC_LINKER "/lib/ld-linux-nios2.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-linux-nios2.so.1" + + #undef LINK_SPEC + #define LINK_SPEC LINK_SPEC_ENDIAN \ +Index: gcc/gcc/config/riscv/linux.h +=================================================================== --- a/gcc/config/riscv/linux.h +++ b/gcc/config/riscv/linux.h -@@ -22,7 +22,7 @@ along with GCC; see the file COPYING3. If not see +@@ -22,7 +22,7 @@ along with GCC; see the file COPYING3. GNU_USER_TARGET_OS_CPP_BUILTINS(); \ } while (0) 
@@ -183,8 +256,17 @@ index fce5b896e6e..03aa55cb5ab 100644 #define MUSL_ABI_SUFFIX \ "%{mabi=ilp32:-sf}" \ -diff --git a/gcc/config/rs6000/linux64.h b/gcc/config/rs6000/linux64.h -index e3f2cd254f6..a11e01faa3d 100644 +@@ -33,7 +33,7 @@ along with GCC; see the file COPYING3. + "%{mabi=lp64d:}" + + #undef MUSL_DYNAMIC_LINKER +-#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-riscv" XLEN_SPEC MUSL_ABI_SUFFIX ".so.1" ++#define MUSL_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld-musl-riscv" XLEN_SPEC MUSL_ABI_SUFFIX ".so.1" + + /* Because RISC-V only has word-sized atomics, it requries libatomic where + others do not. So link libatomic by default, as needed. */ +Index: gcc/gcc/config/rs6000/linux64.h +=================================================================== --- a/gcc/config/rs6000/linux64.h +++ b/gcc/config/rs6000/linux64.h @@ -336,24 +336,19 @@ extern int dot_symbols; 
@@ -217,12 +299,55 @@ index e3f2cd254f6..a11e01faa3d 100644 #undef DEFAULT_ASM_ENDIAN #if (TARGET_DEFAULT & MASK_LITTLE_ENDIAN) -diff --git a/gcc/config/sh/linux.h b/gcc/config/sh/linux.h -index 7558d2f7195..3aaa6c3a078 100644 +Index: gcc/gcc/config/rs6000/sysv4.h +=================================================================== +--- a/gcc/config/rs6000/sysv4.h ++++ b/gcc/config/rs6000/sysv4.h +@@ -780,10 +780,10 @@ GNU_USER_TARGET_CC1_SPEC + + #define MUSL_DYNAMIC_LINKER_E ENDIAN_SELECT("","le","") + +-#define GLIBC_DYNAMIC_LINKER "/lib/ld.so.1" ++#define GLIBC_DYNAMIC_LINKER SYSTEMLIBS_DIR "ld.so.1" + #undef MUSL_DYNAMIC_LINKER + #define MUSL_DYNAMIC_LINKER \ +- "/lib/ld-musl-powerpc" MUSL_DYNAMIC_LINKER_E "%{msoft-float:-sf}.so.1" ++ SYSTEMLIBS_DIR "ld-musl-powerpc" MUSL_DYNAMIC_LINKER_E "%{msoft-float:-sf}.so.1" + + #ifndef GNU_USER_DYNAMIC_LINKER + #define GNU_USER_DYNAMIC_LINKER GLIBC_DYNAMIC_LINKER +Index: gcc/gcc/config/s390/linux.h +=================================================================== +--- a/gcc/config/s390/linux.h ++++ b/gcc/config/s390/linux.h +@@ -72,13 +72,13 @@ along with GCC; see the file COPYING3. + #define MULTILIB_DEFAULTS { "m31" } + #endif + +-#define GLIBC_DYNAMIC_LINKER32 "/lib/ld.so.1" +-#define GLIBC_DYNAMIC_LINKER64 "/lib/ld64.so.1" ++#define GLIBC_DYNAMIC_LINKER32 SYSTEMLIBS_DIR "ld.so.1" ++#define GLIBC_DYNAMIC_LINKER64 SYSTEMLIBS_DIR "ld64.so.1" + + #undef MUSL_DYNAMIC_LINKER32 +-#define MUSL_DYNAMIC_LINKER32 "/lib/ld-musl-s390.so.1" ++#define MUSL_DYNAMIC_LINKER32 SYSTEMLIBS_DIR "ld-musl-s390.so.1" + #undef MUSL_DYNAMIC_LINKER64 +-#define MUSL_DYNAMIC_LINKER64 "/lib/ld-musl-s390x.so.1" ++#define MUSL_DYNAMIC_LINKER64 SYSTEMLIBS_DIR "ld-musl-s390x.so.1" + + #undef LINK_SPEC + #define LINK_SPEC \ +Index: gcc/gcc/config/sh/linux.h +=================================================================== --- a/gcc/config/sh/linux.h 
+++ b/gcc/config/sh/linux.h -@@ -64,7 +64,7 @@ along with GCC; see the file COPYING3. If not see - "/lib/ld-musl-sh" MUSL_DYNAMIC_LINKER_E MUSL_DYNAMIC_LINKER_FP \ +@@ -61,10 +61,10 @@ along with GCC; see the file COPYING3. + + #undef MUSL_DYNAMIC_LINKER + #define MUSL_DYNAMIC_LINKER \ +- "/lib/ld-musl-sh" MUSL_DYNAMIC_LINKER_E MUSL_DYNAMIC_LINKER_FP \ ++ SYSTEMLIBS_DIR "ld-musl-sh" MUSL_DYNAMIC_LINKER_E MUSL_DYNAMIC_LINKER_FP \ "%{mfdpic:-fdpic}.so.1" -#define GLIBC_DYNAMIC_LINKER "/lib/ld-linux.so.2" @@ -230,11 +355,11 @@ index 7558d2f7195..3aaa6c3a078 100644 #undef SUBTARGET_LINK_EMUL_SUFFIX #define SUBTARGET_LINK_EMUL_SUFFIX "%{mfdpic:_fd;:_linux}" -diff --git a/gcc/config/sparc/linux.h b/gcc/config/sparc/linux.h -index 2550d7ee8f0..a94f4cd8ba2 100644 +Index: gcc/gcc/config/sparc/linux.h +=================================================================== --- a/gcc/config/sparc/linux.h +++ b/gcc/config/sparc/linux.h -@@ -78,7 +78,7 @@ extern const char *host_detect_local_cpu (int argc, const char **argv); +@@ -78,7 +78,7 @@ extern const char *host_detect_local_cpu When the -shared link option is used a final link is not being done. */ @@ -243,11 +368,11 @@ index 2550d7ee8f0..a94f4cd8ba2 100644 #undef LINK_SPEC #define LINK_SPEC "-m elf32_sparc %{shared:-shared} \ -diff --git a/gcc/config/sparc/linux64.h b/gcc/config/sparc/linux64.h -index 95af8afa9b5..63127afb074 100644 +Index: gcc/gcc/config/sparc/linux64.h +=================================================================== --- a/gcc/config/sparc/linux64.h +++ b/gcc/config/sparc/linux64.h -@@ -78,8 +78,8 @@ along with GCC; see the file COPYING3. If not see +@@ -78,8 +78,8 @@ along with GCC; see the file COPYING3. When the -shared link option is used a final link is not being done. */ 
diff --git a/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch b/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch index ac139542f1..1ec942e977 100644 --- a/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch +++ b/meta/recipes-devtools/gcc/gcc/0009-gcc-armv4-pass-fix-v4bx-to-linker-to-support-EABI.patch @@ -18,13 +18,13 @@ Upstream-Status: Pending gcc/config/arm/linux-eabi.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) -diff --git a/gcc/config/arm/linux-eabi.h b/gcc/config/arm/linux-eabi.h -index 6bd95855827..77befab5da8 100644 +Index: gcc/gcc/config/arm/linux-eabi.h +=================================================================== --- a/gcc/config/arm/linux-eabi.h +++ b/gcc/config/arm/linux-eabi.h @@ -91,10 +91,14 @@ #define MUSL_DYNAMIC_LINKER \ - "/lib/ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" + SYSTEMLIBS_DIR "ld-musl-arm" MUSL_DYNAMIC_LINKER_E "%{mfloat-abi=hard:hf}%{mfdpic:-fdpic}.so.1" +/* For armv4 we pass --fix-v4bx to linker to support EABI */ +#undef TARGET_FIX_V4BX_SPEC diff --git a/meta/recipes-devtools/gcc/gcc/0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch b/meta/recipes-devtools/gcc/gcc/0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch deleted file mode 100644 index 76ebfd7f77..0000000000 --- a/meta/recipes-devtools/gcc/gcc/0019-nios2-Define-MUSL_DYNAMIC_LINKER.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 9ec4db8e910d9a51ae43f6b20d4bf1dac2d8cca8 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Tue, 2 Feb 2016 10:26:10 -0800 -Subject: [PATCH] nios2: Define MUSL_DYNAMIC_LINKER - -Upstream-Status: Backport [https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=e5ddbbf992b909d8e38851bd3179d29389e6ac97] - -Signed-off-by: Marek Vasut <marex@denx.de> -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - gcc/config/nios2/linux.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/gcc/config/nios2/linux.h b/gcc/config/nios2/linux.h -index 08edf1521f6..15696d86241 100644 ---- a/gcc/config/nios2/linux.h -+++ b/gcc/config/nios2/linux.h -@@ -30,6 +30,7 @@ - #define CPP_SPEC "%{posix:-D_POSIX_SOURCE} %{pthread:-D_REENTRANT}" - - #define GLIBC_DYNAMIC_LINKER "/lib/ld-linux-nios2.so.1" -+#define MUSL_DYNAMIC_LINKER "/lib/ld-musl-nios2.so.1" - - #undef LINK_SPEC - #define LINK_SPEC LINK_SPEC_ENDIAN \ diff --git a/meta/recipes-devtools/gcc/gcc/0030-rust-recursion-limit.patch b/meta/recipes-devtools/gcc/gcc/0030-rust-recursion-limit.patch new file mode 100644 index 0000000000..bbe2f18f6f --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc/0030-rust-recursion-limit.patch 
@@ -0,0 +1,92 @@ +From 9234cdca6ee88badfc00297e72f13dac4e540c79 Mon Sep 17 00:00:00 2001 +From: Nick Clifton <nickc@redhat.com> +Date: Fri, 1 Jul 2022 15:58:52 +0100 +Subject: [PATCH] Add a recursion limit to the demangle_const function in the + Rust demangler. + +libiberty/ + PR demangler/105039 + * rust-demangle.c (demangle_const): Add recursion limit. + +Upstream-Status: Backport [https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=9234cdca6ee88badfc00297e72f13dac4e540c79] +--- + libiberty/rust-demangle.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/libiberty/rust-demangle.c b/libiberty/rust-demangle.c +index bb58d900e27..36afcfae278 100644 +--- a/libiberty/rust-demangle.c ++++ b/libiberty/rust-demangle.c +@@ -126,7 +126,7 @@ parse_integer_62 (struct rust_demangler *rdm) + return 0; + + x = 0; +- while (!eat (rdm, '_')) ++ while (!eat (rdm, '_') && !rdm->errored) + { + c = next (rdm); + x *= 62; +@@ -1148,6 +1148,15 @@ demangle_const (struct rust_demangler *rdm) + if (rdm->errored) + return; + ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ { ++ ++ rdm->recursion; ++ if (rdm->recursion > RUST_MAX_RECURSION_COUNT) ++ /* FIXME: There ought to be a way to report ++ that the recursion limit has been reached. */ ++ goto fail_return; ++ } ++ + if (eat (rdm, 'B')) + { + backref = parse_integer_62 (rdm); +@@ -1158,7 +1167,7 @@ demangle_const (struct rust_demangler *rdm) + demangle_const (rdm); + rdm->next = old_next; + } +- return; ++ goto pass_return; + } + + ty_tag = next (rdm); +@@ -1167,7 +1176,7 @@ demangle_const (struct rust_demangler *rdm) + /* Placeholder. */ + case 'p': + PRINT ("_"); +- return; ++ goto pass_return; + + /* Unsigned integer types. 
*/ + case 'h': +@@ -1200,18 +1209,20 @@ demangle_const (struct rust_demangler *rdm) + break; + + default: +- rdm->errored = 1; +- return; ++ goto fail_return; + } + +- if (rdm->errored) +- return; +- +- if (rdm->verbose) ++ if (!rdm->errored && rdm->verbose) + { + PRINT (": "); + PRINT (basic_type (ty_tag)); + } ++ ++ fail_return: ++ rdm->errored = 1; ++ pass_return: ++ if (rdm->recursion != RUST_NO_RECURSION_LIMIT) ++ -- rdm->recursion; + } + + static void +-- +2.31.1 + diff --git a/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch b/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch new file mode 100644 index 0000000000..d63618132a --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch 
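Review bot: At the end of demangle_const the success path now falls through into `fail_return:`, so a constant that reaches the `if (!rdm->errored && rdm->verbose)` block gets `rdm->errored = 1` even when parsing succeeded. The removed `if (rdm->errored) return;` used to separate the two outcomes, and the early exits were converted to `goto pass_return;`, but nothing jumps over the failure label once the type suffix has been handled. Adding `goto pass_return;` immediately before the `fail_return:` label keeps the recursion counter balanced without marking valid symbols as malformed. The switch cases between the hunks are not visible here, so confirm that no other path relies on the fall-through.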
@@ -0,0 +1,63 @@ +From fb77ca05ffb4f8e666878f2f6718a9fb4d686839 Mon Sep 17 00:00:00 2001 +From: Thurston Dang <thurston@google.com> +Date: Thu, 13 Apr 2023 23:55:01 +0000 +Subject: [PATCH] Re-land 'ASan: move allocator base to avoid conflict with + high-entropy ASLR for x86-64 Linux' + +D147984 was reverted because it broke lit tests on Mac. This revision is based on D147984 +but maintains the old behavior for Apple. + +Note that, per the follow-up discussion with MaskRay in D147984, this patch excludes Apple +but includes other platforms (e.g., aarch64, MIPS64) and OSes (e.g., FreeBSD, S390X), not just +x86-64 Linux. + +Original commit message from D147984: + +Users have discovered [*] that when CONFIG_ARCH_MMAP_RND_BITS == 32, +it will frequently conflict with ASan's allocator on x86-64 Linux, because the +PIE program segment base address of 0x555555555554 plus an ASLR shift of up to +((2**32) * 4K == 0x100000000000) will sometimes exceed ASan's hardcoded +base address of 0x600000000000. We fix this by simply moving the allocator base +to 0x500000000000, which is below the PIE program segment base address. This is +cleaner than trying to move it to another location that is sandwiched between +the PIE program and library segments, because if either of those grow too large, +it will collide with the allocator region. + +Note that we will never need to change this base address again (unless we want to increase +the size of the allocator), because ASLR cannot be set above 32-bits for x86-64 Linux (the +PIE program segment and library segments would collide with each other; see also +ARCH_MMAP_RND_BITS_MAX in https://github.com/torvalds/linux/blob/master/arch/x86/Kconfig). 
+ +[*] see https://b.corp.google.com/issues/276925478 +and https://groups.google.com/a/google.com/g/chrome-os-gardeners/c/BbfzCP3dEeo/m/h3C_vVUxCQAJ + +Differential Revision: https://reviews.llvm.org/D148280 + +Upstream-Status: Backport from llvm-project: https://github.com/llvm/llvm-project/commit/fb77ca05ffb4f8e666878f2f6718a9fb4d686839 +Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com> +--- + libsanitizer/asan/asan_allocator.h | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/libsanitizer/asan/asan_allocator.h b/libsanitizer/asan/asan_allocator.h +index 0b4dbf03bb9d53..6a12a6c6025283 100644 +--- a/libsanitizer/asan/asan_allocator.h ++++ b/libsanitizer/asan/asan_allocator.h +@@ -143,11 +143,15 @@ typedef DefaultSizeClassMap SizeClassMap; + const uptr kAllocatorSpace = ~(uptr)0; + const uptr kAllocatorSize = 0x8000000000ULL; // 500G + typedef DefaultSizeClassMap SizeClassMap; +-# else ++# elif SANITIZER_APPLE + const uptr kAllocatorSpace = 0x600000000000ULL; + const uptr kAllocatorSize = 0x40000000000ULL; // 4T. + typedef DefaultSizeClassMap SizeClassMap; +-# endif ++# else ++const uptr kAllocatorSpace = 0x500000000000ULL; ++const uptr kAllocatorSize = 0x40000000000ULL; // 4T. ++typedef DefaultSizeClassMap SizeClassMap; ++# endif + template <typename AddressSpaceViewTy> + struct AP64 { // Allocator64 parameters. Deliberately using a short name. + static const uptr kSpaceBeg = kAllocatorSpace; diff --git a/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch b/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch new file mode 100644 index 0000000000..41684fe7dd --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc/CVE-2023-4039.patch 
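Review bot: The new `# else` branch in `asan_allocator.h` sets `kAllocatorSpace = 0x500000000000ULL` with no comment saying why it differs from the Apple value, and the reasoning lives only in the patch description. A one-line comment above it would keep that visible in the source, for example `// Kept below the PIE base (0x555555555554) so a high-entropy ASLR shift cannot reach the allocator region.` Separately, the tag is written as `Upstream-Status: Backport from llvm-project: <url>`, while the other patch files in this commit use the bracketed form `Upstream-Status: Backport [<url>]`, so using the same form here would keep the metadata consistent. The `AP64` struct that consumes these constants continues outside the hunk.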
@@ -0,0 +1,2893 @@ +From: Richard Sandiford <richard.sandiford@arm.com> +Subject: [PATCH 00/19] aarch64: Fix -fstack-protector issue +Date: Tue, 12 Sep 2023 16:25:10 +0100 + +This series of patches fixes deficiencies in GCC's -fstack-protector +implementation for AArch64 when using dynamically allocated stack space. +This is CVE-2023-4039. See: + +https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 +https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf + +for more details. + +The fix is to put the saved registers above the locals area when +-fstack-protector is used. + +The series also fixes a stack-clash problem that I found while working +on the CVE. In unpatched sources, the stack-clash problem would only +trigger for unrealistic numbers of arguments (8K 64-bit arguments, or an +equivalent). But it would be a more significant issue with the new +-fstack-protector frame layout. It's therefore important that both +problems are fixed together. + +Some reorganisation of the code seemed necessary to fix the problems in a +cleanish way. The series is therefore quite long, but only a handful of +patches should have any effect on code generation. + +See the individual patches for a detailed description. + +Tested on aarch64-linux-gnu. Pushed to trunk and to all active branches. +I've also pushed backports to GCC 7+ to vendors/ARM/heads/CVE-2023-4039. 
+ +CVE: CVE-2023-4039 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + + +From 52816ab48f97968f3fbfb5656250f3de7c00166d Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:43 +0100 +Subject: [PATCH 01/19] aarch64: Use local frame vars in shrink-wrapping code + +aarch64_layout_frame uses a shorthand for referring to +cfun->machine->frame: + + aarch64_frame &frame = cfun->machine->frame; + +This patch does the same for some other heavy users of the structure. +No functional change intended. + +gcc/ + * config/aarch64/aarch64.c (aarch64_save_callee_saves): Use + a local shorthand for cfun->machine->frame. + (aarch64_restore_callee_saves, aarch64_get_separate_components): + (aarch64_process_components): Likewise. + (aarch64_allocate_and_probe_stack_space): Likewise. + (aarch64_expand_prologue, aarch64_expand_epilogue): Likewise. + (aarch64_layout_frame): Use existing shorthand for one more case. +--- + gcc/config/aarch64/aarch64.c | 115 ++++++++++++++++++----------------- + 1 file changed, 60 insertions(+), 55 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 391a93f3018..77c1d1300a5 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7994,6 +7994,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + unsigned start, unsigned limit, bool skip_wb, + bool hard_fp_valid_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + rtx_insn *insn; + unsigned regno; + unsigned regno2; +@@ -8008,8 +8009,8 @@ aarch64_save_callee_saves (poly_int64 start_offset, + bool frame_related_p = aarch64_emit_cfi_for_reg_p (regno); + + if (skip_wb +- && (regno == cfun->machine->frame.wb_candidate1 +- || regno == cfun->machine->frame.wb_candidate2)) ++ && (regno == frame.wb_candidate1 ++ || regno == frame.wb_candidate2)) + continue; + + if (cfun->machine->reg_is_wrapped_separately[regno]) +@@ -8017,7 +8018,7 @@ 
aarch64_save_callee_saves (poly_int64 start_offset, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + cfun->machine->frame.reg_offset[regno]; ++ offset = start_offset + frame.reg_offset[regno]; + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8030,7 +8031,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + { + gcc_assert (known_eq (start_offset, 0)); + poly_int64 fp_offset +- = cfun->machine->frame.below_hard_fp_saved_regs_size; ++ = frame.below_hard_fp_saved_regs_size; + if (hard_fp_valid_p) + base_rtx = hard_frame_pointer_rtx; + else +@@ -8052,8 +8053,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit + && !cfun->machine->reg_is_wrapped_separately[regno2] + && known_eq (GET_MODE_SIZE (mode), +- cfun->machine->frame.reg_offset[regno2] +- - cfun->machine->frame.reg_offset[regno])) ++ frame.reg_offset[regno2] - frame.reg_offset[regno])) + { + rtx reg2 = gen_rtx_REG (mode, regno2); + rtx mem2; +@@ -8103,6 +8103,7 @@ static void + aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + unsigned limit, bool skip_wb, rtx *cfi_ops) + { ++ aarch64_frame &frame = cfun->machine->frame; + unsigned regno; + unsigned regno2; + poly_int64 offset; +@@ -8119,13 +8120,13 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + rtx reg, mem; + + if (skip_wb +- && (regno == cfun->machine->frame.wb_candidate1 +- || regno == cfun->machine->frame.wb_candidate2)) ++ && (regno == frame.wb_candidate1 ++ || regno == frame.wb_candidate2)) + continue; + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + cfun->machine->frame.reg_offset[regno]; ++ offset = start_offset + frame.reg_offset[regno]; + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, 
base_rtx, anchor_reg, +@@ -8136,8 +8137,7 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + && (regno2 = aarch64_next_callee_save (regno + 1, limit)) <= limit + && !cfun->machine->reg_is_wrapped_separately[regno2] + && known_eq (GET_MODE_SIZE (mode), +- cfun->machine->frame.reg_offset[regno2] +- - cfun->machine->frame.reg_offset[regno])) ++ frame.reg_offset[regno2] - frame.reg_offset[regno])) + { + rtx reg2 = gen_rtx_REG (mode, regno2); + rtx mem2; +@@ -8242,6 +8242,7 @@ offset_12bit_unsigned_scaled_p (machine_mode mode, poly_int64 offset) + static sbitmap + aarch64_get_separate_components (void) + { ++ aarch64_frame &frame = cfun->machine->frame; + sbitmap components = sbitmap_alloc (LAST_SAVED_REGNUM + 1); + bitmap_clear (components); + +@@ -8258,18 +8259,18 @@ aarch64_get_separate_components (void) + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + continue; + +- poly_int64 offset = cfun->machine->frame.reg_offset[regno]; ++ poly_int64 offset = frame.reg_offset[regno]; + + /* If the register is saved in the first SVE save slot, we use + it as a stack probe for -fstack-clash-protection. */ + if (flag_stack_clash_protection +- && maybe_ne (cfun->machine->frame.below_hard_fp_saved_regs_size, 0) ++ && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) + && known_eq (offset, 0)) + continue; + + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) +- offset -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset -= frame.below_hard_fp_saved_regs_size; + else + offset += crtl->outgoing_args_size; + +@@ -8288,11 +8289,11 @@ aarch64_get_separate_components (void) + /* If the spare predicate register used by big-endian SVE code + is call-preserved, it must be saved in the main prologue + before any saves that use it. 
*/ +- if (cfun->machine->frame.spare_pred_reg != INVALID_REGNUM) +- bitmap_clear_bit (components, cfun->machine->frame.spare_pred_reg); ++ if (frame.spare_pred_reg != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.spare_pred_reg); + +- unsigned reg1 = cfun->machine->frame.wb_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_candidate2; ++ unsigned reg1 = frame.wb_candidate1; ++ unsigned reg2 = frame.wb_candidate2; + /* If registers have been chosen to be stored/restored with + writeback don't interfere with them to avoid having to output explicit + stack adjustment instructions. */ +@@ -8401,6 +8402,7 @@ aarch64_get_next_set_bit (sbitmap bmp, unsigned int start) + static void + aarch64_process_components (sbitmap components, bool prologue_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + rtx ptr_reg = gen_rtx_REG (Pmode, frame_pointer_needed + ? HARD_FRAME_POINTER_REGNUM + : STACK_POINTER_REGNUM); +@@ -8415,9 +8417,9 @@ aarch64_process_components (sbitmap components, bool prologue_p) + machine_mode mode = aarch64_reg_save_mode (regno); + + rtx reg = gen_rtx_REG (mode, regno); +- poly_int64 offset = cfun->machine->frame.reg_offset[regno]; ++ poly_int64 offset = frame.reg_offset[regno]; + if (frame_pointer_needed) +- offset -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset -= frame.below_hard_fp_saved_regs_size; + else + offset += crtl->outgoing_args_size; + +@@ -8442,14 +8444,14 @@ aarch64_process_components (sbitmap components, bool prologue_p) + break; + } + +- poly_int64 offset2 = cfun->machine->frame.reg_offset[regno2]; ++ poly_int64 offset2 = frame.reg_offset[regno2]; + /* The next register is not of the same class or its offset is not + mergeable with the current one into a pair. 
*/ + if (aarch64_sve_mode_p (mode) + || !satisfies_constraint_Ump (mem) + || GP_REGNUM_P (regno) != GP_REGNUM_P (regno2) + || (crtl->abi->id () == ARM_PCS_SIMD && FP_REGNUM_P (regno)) +- || maybe_ne ((offset2 - cfun->machine->frame.reg_offset[regno]), ++ || maybe_ne ((offset2 - frame.reg_offset[regno]), + GET_MODE_SIZE (mode))) + { + insn = emit_insn (set); +@@ -8471,7 +8473,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + /* REGNO2 can be saved/restored in a pair with REGNO. */ + rtx reg2 = gen_rtx_REG (mode, regno2); + if (frame_pointer_needed) +- offset2 -= cfun->machine->frame.below_hard_fp_saved_regs_size; ++ offset2 -= frame.below_hard_fp_saved_regs_size; + else + offset2 += crtl->outgoing_args_size; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); +@@ -8566,6 +8568,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + bool frame_related_p, + bool final_adjustment_p) + { ++ aarch64_frame &frame = cfun->machine->frame; + HOST_WIDE_INT guard_size + = 1 << param_stack_clash_protection_guard_size; + HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; +@@ -8586,25 +8589,25 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + register as a probe. We can't assume that LR was saved at position 0 + though, so treat any space below it as unprobed. */ + if (final_adjustment_p +- && known_eq (cfun->machine->frame.below_hard_fp_saved_regs_size, 0)) ++ && known_eq (frame.below_hard_fp_saved_regs_size, 0)) + { +- poly_int64 lr_offset = cfun->machine->frame.reg_offset[LR_REGNUM]; ++ poly_int64 lr_offset = frame.reg_offset[LR_REGNUM]; + if (known_ge (lr_offset, 0)) + min_probe_threshold -= lr_offset.to_constant (); + else + gcc_assert (!flag_stack_clash_protection || known_eq (poly_size, 0)); + } + +- poly_int64 frame_size = cfun->machine->frame.frame_size; ++ poly_int64 frame_size = frame.frame_size; + + /* We should always have a positive probe threshold. 
*/ + gcc_assert (min_probe_threshold > 0); + + if (flag_stack_clash_protection && !final_adjustment_p) + { +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; + + if (known_eq (frame_size, 0)) + { +@@ -8893,17 +8896,18 @@ aarch64_epilogue_uses (int regno) + void + aarch64_expand_prologue (void) + { +- poly_int64 frame_size = cfun->machine->frame.frame_size; +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- HOST_WIDE_INT callee_adjust = cfun->machine->frame.callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; +- poly_int64 callee_offset = cfun->machine->frame.callee_offset; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; ++ aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 frame_size = frame.frame_size; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ HOST_WIDE_INT callee_adjust = frame.callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; ++ poly_int64 callee_offset = frame.callee_offset; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size +- = cfun->machine->frame.below_hard_fp_saved_regs_size; +- unsigned reg1 = cfun->machine->frame.wb_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_candidate2; +- bool emit_frame_chain = cfun->machine->frame.emit_frame_chain; ++ = frame.below_hard_fp_saved_regs_size; ++ unsigned reg1 = frame.wb_candidate1; ++ unsigned reg2 = frame.wb_candidate2; ++ bool emit_frame_chain = frame.emit_frame_chain; + rtx_insn *insn; + + if (flag_stack_clash_protection && known_eq (callee_adjust, 0)) +@@ -8969,7 +8973,7 @@ aarch64_expand_prologue (void) + + /* The offset of the frame 
chain record (if any) from the current SP. */ + poly_int64 chain_offset = (initial_adjust + callee_adjust +- - cfun->machine->frame.hard_fp_offset); ++ - frame.hard_fp_offset); + gcc_assert (known_ge (chain_offset, 0)); + + /* The offset of the bottom of the save area from the current SP. */ +@@ -9072,15 +9076,16 @@ aarch64_use_return_insn_p (void) + void + aarch64_expand_epilogue (bool for_sibcall) + { +- poly_int64 initial_adjust = cfun->machine->frame.initial_adjust; +- HOST_WIDE_INT callee_adjust = cfun->machine->frame.callee_adjust; +- poly_int64 final_adjust = cfun->machine->frame.final_adjust; +- poly_int64 callee_offset = cfun->machine->frame.callee_offset; +- poly_int64 sve_callee_adjust = cfun->machine->frame.sve_callee_adjust; ++ aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 initial_adjust = frame.initial_adjust; ++ HOST_WIDE_INT callee_adjust = frame.callee_adjust; ++ poly_int64 final_adjust = frame.final_adjust; ++ poly_int64 callee_offset = frame.callee_offset; ++ poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size +- = cfun->machine->frame.below_hard_fp_saved_regs_size; +- unsigned reg1 = cfun->machine->frame.wb_candidate1; +- unsigned reg2 = cfun->machine->frame.wb_candidate2; ++ = frame.below_hard_fp_saved_regs_size; ++ unsigned reg1 = frame.wb_candidate1; ++ unsigned reg2 = frame.wb_candidate2; + rtx cfi_ops = NULL; + rtx_insn *insn; + /* A stack clash protection prologue may not have left EP0_REGNUM or +@@ -9113,7 +9118,7 @@ aarch64_expand_epilogue (bool for_sibcall) + /* We need to add memory barrier to prevent read from deallocated stack. */ + bool need_barrier_p + = maybe_ne (get_frame_size () +- + cfun->machine->frame.saved_varargs_size, 0); ++ + frame.saved_varargs_size, 0); + + /* Emit a barrier to prevent loads from a deallocated stack. 
*/ + if (maybe_gt (final_adjust, crtl->outgoing_args_size) +@@ -11744,24 +11749,24 @@ aarch64_can_eliminate (const int from ATTRIBUTE_UNUSED, const int to) + poly_int64 + aarch64_initial_elimination_offset (unsigned from, unsigned to) + { ++ aarch64_frame &frame = cfun->machine->frame; ++ + if (to == HARD_FRAME_POINTER_REGNUM) + { + if (from == ARG_POINTER_REGNUM) +- return cfun->machine->frame.hard_fp_offset; ++ return frame.hard_fp_offset; + + if (from == FRAME_POINTER_REGNUM) +- return cfun->machine->frame.hard_fp_offset +- - cfun->machine->frame.locals_offset; ++ return frame.hard_fp_offset - frame.locals_offset; + } + + if (to == STACK_POINTER_REGNUM) + { + if (from == FRAME_POINTER_REGNUM) +- return cfun->machine->frame.frame_size +- - cfun->machine->frame.locals_offset; ++ return frame.frame_size - frame.locals_offset; + } + +- return cfun->machine->frame.frame_size; ++ return frame.frame_size; + } + + +-- +2.34.1 + + +From a2a57f7ec7912e77eb26919545807d90065584ff Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:44 +0100 +Subject: [PATCH 02/19] aarch64: Avoid a use of callee_offset + +When we emit the frame chain, i.e. when we reach Here in this statement +of aarch64_expand_prologue: + + if (emit_frame_chain) + { + // Here + ... + } + +the stack is in one of two states: + +- We've allocated up to the frame chain, but no more. + +- We've allocated the whole frame, and the frame chain is within easy + reach of the new SP. + +The offset of the frame chain from the current SP is available +in aarch64_frame as callee_offset. It is also available as the +chain_offset local variable, where the latter is calculated from other +data. (However, chain_offset is not always equal to callee_offset when +!emit_frame_chain, so chain_offset isn't redundant.) 
+ +In c600df9a4060da3c6121ff4d0b93f179eafd69d1 I switched to using +chain_offset for the initialisation of the hard frame pointer: + + aarch64_add_offset (Pmode, hard_frame_pointer_rtx, +- stack_pointer_rtx, callee_offset, ++ stack_pointer_rtx, chain_offset, + tmp1_rtx, tmp0_rtx, frame_pointer_needed); + +But the later REG_CFA_ADJUST_CFA handling still used callee_offset. + +I think the difference is harmless, but it's more logical for the +CFA note to be in sync, and it's more convenient for later patches +if it uses chain_offset. + +gcc/ + * config/aarch64/aarch64.c (aarch64_expand_prologue): Use + chain_offset rather than callee_offset. +--- + gcc/config/aarch64/aarch64.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 77c1d1300a5..6bc026bd08f 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -8901,7 +8901,6 @@ aarch64_expand_prologue (void) + poly_int64 initial_adjust = frame.initial_adjust; + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; +- poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 below_hard_fp_saved_regs_size + = frame.below_hard_fp_saved_regs_size; +@@ -9010,8 +9009,7 @@ aarch64_expand_prologue (void) + implicit. 
*/ + if (!find_reg_note (insn, REG_CFA_ADJUST_CFA, NULL_RTX)) + { +- rtx src = plus_constant (Pmode, stack_pointer_rtx, +- callee_offset); ++ rtx src = plus_constant (Pmode, stack_pointer_rtx, chain_offset); + add_reg_note (insn, REG_CFA_ADJUST_CFA, + gen_rtx_SET (hard_frame_pointer_rtx, src)); + } +-- +2.34.1 + + +From 5efdcc8ed19d9d9e708a001f5dc695560411496d Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:44 +0100 +Subject: [PATCH 03/19] aarch64: Explicitly handle frames with no saved + registers + +If a frame has no saved registers, it can be allocated in one go. +There is no need to treat the areas below and above the saved +registers as separate. + +And if we allocate the frame in one go, it should be allocated +as the initial_adjust rather than the final_adjust. This allows the +frame size to grow to guard_size - guard_used_by_caller before a stack +probe is needed. (A frame with no register saves is necessarily a +leaf frame.) + +This is a no-op as thing stand, since a leaf function will have +no outgoing arguments, and so all the frame will be above where +the saved registers normally go. + +gcc/ + * config/aarch64/aarch64.c (aarch64_layout_frame): Explicitly + allocate the frame in one go if there are no saved registers. 
+--- + gcc/config/aarch64/aarch64.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 6bc026bd08f..05e6ae8c0c9 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7609,9 +7609,11 @@ aarch64_layout_frame (void) + + HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; + HOST_WIDE_INT const_saved_regs_size; +- if (frame.frame_size.is_constant (&const_size) +- && const_size < max_push_offset +- && known_eq (frame.hard_fp_offset, const_size)) ++ if (known_eq (frame.saved_regs_size, 0)) ++ frame.initial_adjust = frame.frame_size; ++ else if (frame.frame_size.is_constant (&const_size) ++ && const_size < max_push_offset ++ && known_eq (frame.hard_fp_offset, const_size)) + { + /* Simple, small frame with no outgoing arguments: + +-- +2.34.1 + + +From a8385d14318634f2e3a08a75bd2d6e2810f8cec9 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:45 +0100 +Subject: [PATCH 04/19] aarch64: Add bytes_below_saved_regs to frame info + +The frame layout code currently hard-codes the assumption that +the number of bytes below the saved registers is equal to the +size of the outgoing arguments. This patch abstracts that +value into a new field of aarch64_frame. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::bytes_below_saved_regs): New + field. + * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize it, + and use it instead of crtl->outgoing_args_size. + (aarch64_get_separate_components): Use bytes_below_saved_regs instead + of outgoing_args_size. + (aarch64_process_components): Likewise. 
+--- + gcc/config/aarch64/aarch64.c | 71 ++++++++++++++++++------------------ + gcc/config/aarch64/aarch64.h | 5 +++ + 2 files changed, 41 insertions(+), 35 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 05e6ae8c0c9..8fa5a0b2545 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7476,6 +7476,8 @@ aarch64_layout_frame (void) + gcc_assert (crtl->is_leaf + || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + ++ frame.bytes_below_saved_regs = crtl->outgoing_args_size; ++ + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small + offset range. These saves happen below the hard frame pointer. */ +@@ -7580,18 +7582,18 @@ aarch64_layout_frame (void) + + poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; + +- poly_int64 above_outgoing_args ++ poly_int64 saved_regs_and_above + = aligned_upper_bound (varargs_and_saved_regs_size + + get_frame_size (), + STACK_BOUNDARY / BITS_PER_UNIT); + + frame.hard_fp_offset +- = above_outgoing_args - frame.below_hard_fp_saved_regs_size; ++ = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; + + /* Both these values are already aligned. 
*/ +- gcc_assert (multiple_p (crtl->outgoing_args_size, ++ gcc_assert (multiple_p (frame.bytes_below_saved_regs, + STACK_BOUNDARY / BITS_PER_UNIT)); +- frame.frame_size = above_outgoing_args + crtl->outgoing_args_size; ++ frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; + + frame.locals_offset = frame.saved_varargs_size; + +@@ -7607,7 +7609,7 @@ aarch64_layout_frame (void) + else if (frame.wb_candidate1 != INVALID_REGNUM) + max_push_offset = 256; + +- HOST_WIDE_INT const_size, const_outgoing_args_size, const_fp_offset; ++ HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; + HOST_WIDE_INT const_saved_regs_size; + if (known_eq (frame.saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; +@@ -7615,31 +7617,31 @@ aarch64_layout_frame (void) + && const_size < max_push_offset + && known_eq (frame.hard_fp_offset, const_size)) + { +- /* Simple, small frame with no outgoing arguments: ++ /* Simple, small frame with no data below the saved registers. + + stp reg1, reg2, [sp, -frame_size]! + stp reg3, reg4, [sp, 16] */ + frame.callee_adjust = const_size; + } +- else if (crtl->outgoing_args_size.is_constant (&const_outgoing_args_size) ++ else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) + && frame.saved_regs_size.is_constant (&const_saved_regs_size) +- && const_outgoing_args_size + const_saved_regs_size < 512 +- /* We could handle this case even with outgoing args, provided +- that the number of args left us with valid offsets for all +- predicate and vector save slots. It's such a rare case that +- it hardly seems worth the effort though. */ +- && (!saves_below_hard_fp_p || const_outgoing_args_size == 0) ++ && const_below_saved_regs + const_saved_regs_size < 512 ++ /* We could handle this case even with data below the saved ++ registers, provided that that data left us with valid offsets ++ for all predicate and vector save slots. It's such a rare ++ case that it hardly seems worth the effort though. 
*/ ++ && (!saves_below_hard_fp_p || const_below_saved_regs == 0) + && !(cfun->calls_alloca + && frame.hard_fp_offset.is_constant (&const_fp_offset) + && const_fp_offset < max_push_offset)) + { +- /* Frame with small outgoing arguments: ++ /* Frame with small area below the saved registers: + + sub sp, sp, frame_size +- stp reg1, reg2, [sp, outgoing_args_size] +- stp reg3, reg4, [sp, outgoing_args_size + 16] */ ++ stp reg1, reg2, [sp, bytes_below_saved_regs] ++ stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ + frame.initial_adjust = frame.frame_size; +- frame.callee_offset = const_outgoing_args_size; ++ frame.callee_offset = const_below_saved_regs; + } + else if (saves_below_hard_fp_p + && known_eq (frame.saved_regs_size, +@@ -7649,30 +7651,29 @@ aarch64_layout_frame (void) + + sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size + save SVE registers relative to SP +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = (frame.hard_fp_offset + + frame.below_hard_fp_saved_regs_size); +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + else if (frame.hard_fp_offset.is_constant (&const_fp_offset) + && const_fp_offset < max_push_offset) + { +- /* Frame with large outgoing arguments or SVE saves, but with +- a small local area: ++ /* Frame with large area below the saved registers, or with SVE saves, ++ but with a small area above: + + stp reg1, reg2, [sp, -hard_fp_offset]! 
+ stp reg3, reg4, [sp, 16] + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.callee_adjust = const_fp_offset; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + else + { +- /* Frame with large local area and outgoing arguments or SVE saves, +- using frame pointer: ++ /* General case: + + sub sp, sp, hard_fp_offset + stp x29, x30, [sp, 0] +@@ -7680,10 +7681,10 @@ aarch64_layout_frame (void) + stp reg3, reg4, [sp, 16] + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] +- sub sp, sp, outgoing_args_size */ ++ sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = frame.hard_fp_offset; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; +- frame.final_adjust = crtl->outgoing_args_size; ++ frame.final_adjust = frame.bytes_below_saved_regs; + } + + /* Make sure the individual adjustments add up to the full frame size. */ +@@ -8274,7 +8275,7 @@ aarch64_get_separate_components (void) + if (frame_pointer_needed) + offset -= frame.below_hard_fp_saved_regs_size; + else +- offset += crtl->outgoing_args_size; ++ offset += frame.bytes_below_saved_regs; + + /* Check that we can access the stack slot of the register with one + direct load with no adjustments needed. 
*/ +@@ -8423,7 +8424,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + if (frame_pointer_needed) + offset -= frame.below_hard_fp_saved_regs_size; + else +- offset += crtl->outgoing_args_size; ++ offset += frame.bytes_below_saved_regs; + + rtx addr = plus_constant (Pmode, ptr_reg, offset); + rtx mem = gen_frame_mem (mode, addr); +@@ -8477,7 +8478,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + if (frame_pointer_needed) + offset2 -= frame.below_hard_fp_saved_regs_size; + else +- offset2 += crtl->outgoing_args_size; ++ offset2 += frame.bytes_below_saved_regs; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); + rtx mem2 = gen_frame_mem (mode, addr2); + rtx set2 = prologue_p ? gen_rtx_SET (mem2, reg2) +@@ -8551,10 +8552,10 @@ aarch64_stack_clash_protection_alloca_probe_range (void) + registers. If POLY_SIZE is not large enough to require a probe this function + will only adjust the stack. When allocating the stack space + FRAME_RELATED_P is then used to indicate if the allocation is frame related. +- FINAL_ADJUSTMENT_P indicates whether we are allocating the outgoing +- arguments. If we are then we ensure that any allocation larger than the ABI +- defined buffer needs a probe so that the invariant of having a 1KB buffer is +- maintained. ++ FINAL_ADJUSTMENT_P indicates whether we are allocating the area below ++ the saved registers. If we are then we ensure that any allocation ++ larger than the ABI defined buffer needs a probe so that the ++ invariant of having a 1KB buffer is maintained. + + We emit barriers after each stack adjustment to prevent optimizations from + breaking the invariant that we never drop the stack more than a page. This +@@ -8763,7 +8764,7 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + /* Handle any residuals. Residuals of at least MIN_PROBE_THRESHOLD have to + be probed. This maintains the requirement that each page is probed at + least once. 
For initial probing we probe only if the allocation is +- more than GUARD_SIZE - buffer, and for the outgoing arguments we probe ++ more than GUARD_SIZE - buffer, and below the saved registers we probe + if the amount is larger than buffer. GUARD_SIZE - buffer + buffer == + GUARD_SIZE. This works that for any allocation that is large enough to + trigger a probe here, we'll have at least one, and if they're not large +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index bb383acfae8..6f0b8c7107e 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -837,6 +837,11 @@ struct GTY (()) aarch64_frame + /* The size of the callee-save registers with a slot in REG_OFFSET. */ + poly_int64 saved_regs_size; + ++ /* The number of bytes between the bottom of the static frame (the bottom ++ of the outgoing arguments) and the bottom of the register save area. ++ This value is always a multiple of STACK_BOUNDARY. */ ++ poly_int64 bytes_below_saved_regs; ++ + /* The size of the callee-save registers with a slot in REG_OFFSET that + are saved below the hard frame pointer. */ + poly_int64 below_hard_fp_saved_regs_size; +-- +2.34.1 + + +From d3f6ceecc8a7f128a9e6cb7d8aecf0de81ed9705 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:45 +0100 +Subject: [PATCH 05/19] aarch64: Add bytes_below_hard_fp to frame info + +Following on from the previous bytes_below_saved_regs patch, this one +records the number of bytes that are below the hard frame pointer. +This eventually replaces below_hard_fp_saved_regs_size. + +If a frame pointer is not needed, the epilogue adds final_adjust +to the stack pointer before restoring registers: + + aarch64_add_sp (tmp1_rtx, tmp0_rtx, final_adjust, true); + +Therefore, if the epilogue needs to restore the stack pointer from +the hard frame pointer, the directly corresponding offset is: + + -bytes_below_hard_fp + final_adjust + +i.e. 
go from the hard frame pointer to the bottom of the frame, +then add the same amount as if we were using the stack pointer +from the outset. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::bytes_below_hard_fp): New + field. + * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize it. + (aarch64_expand_epilogue): Use it instead of + below_hard_fp_saved_regs_size. +--- + gcc/config/aarch64/aarch64.c | 6 +++--- + gcc/config/aarch64/aarch64.h | 5 +++++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 8fa5a0b2545..e03adf57226 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7528,6 +7528,7 @@ aarch64_layout_frame (void) + of the callee save area. */ + bool saves_below_hard_fp_p = maybe_ne (offset, 0); + frame.below_hard_fp_saved_regs_size = offset; ++ frame.bytes_below_hard_fp = offset + frame.bytes_below_saved_regs; + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +@@ -9083,8 +9084,7 @@ aarch64_expand_epilogue (bool for_sibcall) + poly_int64 final_adjust = frame.final_adjust; + poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; +- poly_int64 below_hard_fp_saved_regs_size +- = frame.below_hard_fp_saved_regs_size; ++ poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; + unsigned reg1 = frame.wb_candidate1; + unsigned reg2 = frame.wb_candidate2; + rtx cfi_ops = NULL; +@@ -9140,7 +9140,7 @@ aarch64_expand_epilogue (bool for_sibcall) + is restored on the instruction doing the writeback. 
*/ + aarch64_add_offset (Pmode, stack_pointer_rtx, + hard_frame_pointer_rtx, +- -callee_offset - below_hard_fp_saved_regs_size, ++ -bytes_below_hard_fp + final_adjust, + tmp1_rtx, tmp0_rtx, callee_adjust == 0); + else + /* The case where we need to re-use the register here is very rare, so +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 6f0b8c7107e..21ac920a3fe 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -846,6 +846,11 @@ struct GTY (()) aarch64_frame + are saved below the hard frame pointer. */ + poly_int64 below_hard_fp_saved_regs_size; + ++ /* The number of bytes between the bottom of the static frame (the bottom ++ of the outgoing arguments) and the hard frame pointer. This value is ++ always a multiple of STACK_BOUNDARY. */ ++ poly_int64 bytes_below_hard_fp; ++ + /* Offset from the base of the frame (incomming SP) to the + top of the locals area. This value is always a multiple of + STACK_BOUNDARY. */ +-- +2.34.1 + + +From e8a7ec87fcdbaa5f7c7bd499aebe5cefacbf8687 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:46 +0100 +Subject: [PATCH 06/19] aarch64: Tweak aarch64_save/restore_callee_saves + +aarch64_save_callee_saves and aarch64_restore_callee_saves took +a parameter called start_offset that gives the offset of the +bottom of the saved register area from the current stack pointer. +However, it's more convenient for later patches if we use the +bottom of the entire frame as the reference point, rather than +the bottom of the saved registers. + +Doing that removes the need for the callee_offset field. +Other than that, this is not a win on its own. It only really +makes sense in combination with the follow-on patches. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::callee_offset): Delete. + * config/aarch64/aarch64.c (aarch64_layout_frame): Remove + callee_offset handling. 
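Review bot: The new operand `-bytes_below_hard_fp + final_adjust` passed to aarch64_add_offset in aarch64_expand_epilogue is justified only in the commit message, so a reader of the code has to rederive why these two terms restore SP correctly. I would extend the comment above the call with something like `/* Go from the hard FP to the bottom of the frame, then add final_adjust, as the non-frame-pointer path does.  */`. The function starts and ends outside this hunk, so an existing comment elsewhere may already cover part of this.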
+ (aarch64_save_callee_saves): Replace the start_offset parameter + with a bytes_below_sp parameter. + (aarch64_restore_callee_saves): Likewise. + (aarch64_expand_prologue): Update accordingly. + (aarch64_expand_epilogue): Likewise. +--- + gcc/config/aarch64/aarch64.c | 56 ++++++++++++++++++------------------ + gcc/config/aarch64/aarch64.h | 4 --- + 2 files changed, 28 insertions(+), 32 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index e03adf57226..96e99f6c17a 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7602,7 +7602,6 @@ aarch64_layout_frame (void) + frame.final_adjust = 0; + frame.callee_adjust = 0; + frame.sve_callee_adjust = 0; +- frame.callee_offset = 0; + + HOST_WIDE_INT max_push_offset = 0; + if (frame.wb_candidate2 != INVALID_REGNUM) +@@ -7642,7 +7641,6 @@ aarch64_layout_frame (void) + stp reg1, reg2, [sp, bytes_below_saved_regs] + stp reg3, reg4, [sp, bytes_below_saved_regs + 16] */ + frame.initial_adjust = frame.frame_size; +- frame.callee_offset = const_below_saved_regs; + } + else if (saves_below_hard_fp_p + && known_eq (frame.saved_regs_size, +@@ -7989,12 +7987,13 @@ aarch64_add_cfa_expression (rtx_insn *insn, rtx reg, + } + + /* Emit code to save the callee-saved registers from register number START +- to LIMIT to the stack at the location starting at offset START_OFFSET, +- skipping any write-back candidates if SKIP_WB is true. HARD_FP_VALID_P +- is true if the hard frame pointer has been set up. */ ++ to LIMIT to the stack. The stack pointer is currently BYTES_BELOW_SP ++ bytes above the bottom of the static frame. Skip any write-back ++ candidates if SKIP_WB is true. HARD_FP_VALID_P is true if the hard ++ frame pointer has been set up. 
*/ + + static void +-aarch64_save_callee_saves (poly_int64 start_offset, ++aarch64_save_callee_saves (poly_int64 bytes_below_sp, + unsigned start, unsigned limit, bool skip_wb, + bool hard_fp_valid_p) + { +@@ -8022,7 +8021,9 @@ aarch64_save_callee_saves (poly_int64 start_offset, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + frame.reg_offset[regno]; ++ offset = (frame.reg_offset[regno] ++ + frame.bytes_below_saved_regs ++ - bytes_below_sp); + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8033,9 +8034,7 @@ aarch64_save_callee_saves (poly_int64 start_offset, + else if (GP_REGNUM_P (regno) + && (!offset.is_constant (&const_offset) || const_offset >= 512)) + { +- gcc_assert (known_eq (start_offset, 0)); +- poly_int64 fp_offset +- = frame.below_hard_fp_saved_regs_size; ++ poly_int64 fp_offset = frame.bytes_below_hard_fp - bytes_below_sp; + if (hard_fp_valid_p) + base_rtx = hard_frame_pointer_rtx; + else +@@ -8099,12 +8098,13 @@ aarch64_save_callee_saves (poly_int64 start_offset, + } + + /* Emit code to restore the callee registers from register number START +- up to and including LIMIT. Restore from the stack offset START_OFFSET, +- skipping any write-back candidates if SKIP_WB is true. Write the +- appropriate REG_CFA_RESTORE notes into CFI_OPS. */ ++ up to and including LIMIT. The stack pointer is currently BYTES_BELOW_SP ++ bytes above the bottom of the static frame. Skip any write-back ++ candidates if SKIP_WB is true. Write the appropriate REG_CFA_RESTORE ++ notes into CFI_OPS. 
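Review bot: In the `const_offset >= 512` branch of aarch64_save_callee_saves the removed `gcc_assert (known_eq (start_offset, 0))` was the only sanity check, and the replacement `fp_offset = frame.bytes_below_hard_fp - bytes_below_sp` has none. The expression presumably assumes the stack pointer is at or below the hard frame pointer at this point. A cheap guard such as `gcc_assert (known_ge (fp_offset, 0));` would state that, in the same way aarch64_expand_prologue asserts `known_ge (chain_offset, 0)`. The else arm that consumes fp_offset is outside the hunk, so whether a negative value could actually reach it is not visible here.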
*/ + + static void +-aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, ++aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, + unsigned limit, bool skip_wb, rtx *cfi_ops) + { + aarch64_frame &frame = cfun->machine->frame; +@@ -8130,7 +8130,9 @@ aarch64_restore_callee_saves (poly_int64 start_offset, unsigned start, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = start_offset + frame.reg_offset[regno]; ++ offset = (frame.reg_offset[regno] ++ + frame.bytes_below_saved_regs ++ - bytes_below_sp); + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -8906,8 +8908,6 @@ aarch64_expand_prologue (void) + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; +- poly_int64 below_hard_fp_saved_regs_size +- = frame.below_hard_fp_saved_regs_size; + unsigned reg1 = frame.wb_candidate1; + unsigned reg2 = frame.wb_candidate2; + bool emit_frame_chain = frame.emit_frame_chain; +@@ -8979,8 +8979,8 @@ aarch64_expand_prologue (void) + - frame.hard_fp_offset); + gcc_assert (known_ge (chain_offset, 0)); + +- /* The offset of the bottom of the save area from the current SP. */ +- poly_int64 saved_regs_offset = chain_offset - below_hard_fp_saved_regs_size; ++ /* The offset of the current SP from the bottom of the static frame. 
*/ ++ poly_int64 bytes_below_sp = frame_size - initial_adjust - callee_adjust; + + if (emit_frame_chain) + { +@@ -8988,7 +8988,7 @@ aarch64_expand_prologue (void) + { + reg1 = R29_REGNUM; + reg2 = R30_REGNUM; +- aarch64_save_callee_saves (saved_regs_offset, reg1, reg2, ++ aarch64_save_callee_saves (bytes_below_sp, reg1, reg2, + false, false); + } + else +@@ -9028,7 +9028,7 @@ aarch64_expand_prologue (void) + emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); + } + +- aarch64_save_callee_saves (saved_regs_offset, R0_REGNUM, R30_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, R0_REGNUM, R30_REGNUM, + callee_adjust != 0 || emit_frame_chain, + emit_frame_chain); + if (maybe_ne (sve_callee_adjust, 0)) +@@ -9038,16 +9038,17 @@ aarch64_expand_prologue (void) + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, + sve_callee_adjust, + !frame_pointer_needed, false); +- saved_regs_offset += sve_callee_adjust; ++ bytes_below_sp -= sve_callee_adjust; + } +- aarch64_save_callee_saves (saved_regs_offset, P0_REGNUM, P15_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, P0_REGNUM, P15_REGNUM, + false, emit_frame_chain); +- aarch64_save_callee_saves (saved_regs_offset, V0_REGNUM, V31_REGNUM, ++ aarch64_save_callee_saves (bytes_below_sp, V0_REGNUM, V31_REGNUM, + callee_adjust != 0 || emit_frame_chain, + emit_frame_chain); + + /* We may need to probe the final adjustment if it is larger than the guard + that is assumed by the called. 
*/ ++ gcc_assert (known_eq (bytes_below_sp, final_adjust)); + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, + !frame_pointer_needed, true); + } +@@ -9082,7 +9083,6 @@ aarch64_expand_epilogue (bool for_sibcall) + poly_int64 initial_adjust = frame.initial_adjust; + HOST_WIDE_INT callee_adjust = frame.callee_adjust; + poly_int64 final_adjust = frame.final_adjust; +- poly_int64 callee_offset = frame.callee_offset; + poly_int64 sve_callee_adjust = frame.sve_callee_adjust; + poly_int64 bytes_below_hard_fp = frame.bytes_below_hard_fp; + unsigned reg1 = frame.wb_candidate1; +@@ -9150,13 +9150,13 @@ aarch64_expand_epilogue (bool for_sibcall) + + /* Restore the vector registers before the predicate registers, + so that we can use P4 as a temporary for big-endian SVE frames. */ +- aarch64_restore_callee_saves (callee_offset, V0_REGNUM, V31_REGNUM, ++ aarch64_restore_callee_saves (final_adjust, V0_REGNUM, V31_REGNUM, + callee_adjust != 0, &cfi_ops); +- aarch64_restore_callee_saves (callee_offset, P0_REGNUM, P15_REGNUM, ++ aarch64_restore_callee_saves (final_adjust, P0_REGNUM, P15_REGNUM, + false, &cfi_ops); + if (maybe_ne (sve_callee_adjust, 0)) + aarch64_add_sp (NULL_RTX, NULL_RTX, sve_callee_adjust, true); +- aarch64_restore_callee_saves (callee_offset - sve_callee_adjust, ++ aarch64_restore_callee_saves (final_adjust + sve_callee_adjust, + R0_REGNUM, R30_REGNUM, + callee_adjust != 0, &cfi_ops); + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 21ac920a3fe..57e67217745 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -873,10 +873,6 @@ struct GTY (()) aarch64_frame + It is zero when no push is used. */ + HOST_WIDE_INT callee_adjust; + +- /* The offset from SP to the callee-save registers after initial_adjust. +- It may be non-zero if no push is used (ie. callee_adjust == 0). 
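Review bot: The three aarch64_restore_callee_saves calls in aarch64_expand_epilogue now pass `final_adjust` and `final_adjust + sve_callee_adjust` directly, whereas the prologue in this same patch tracks a named `bytes_below_sp` local and asserts it against final_adjust. Mirroring that would make the symmetry explicit: `poly_int64 bytes_below_sp = final_adjust;` before the V/P register restores, then `bytes_below_sp += sve_callee_adjust;` inside the `maybe_ne (sve_callee_adjust, 0)` block. Behaviour is unchanged; this is a readability point only, and the rest of the function is outside the hunk.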
*/ +- poly_int64 callee_offset; +- + /* The size of the stack adjustment before saving or after restoring + SVE registers. */ + poly_int64 sve_callee_adjust; +-- +2.34.1 + + +From 7356df0319aefe4c68ef57ec4c6bd18c72188a34 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:46 +0100 +Subject: [PATCH 07/19] aarch64: Only calculate chain_offset if there is a + chain + +After previous patches, it is no longer necessary to calculate +a chain_offset in cases where there is no chain record. + +gcc/ + * config/aarch64/aarch64.c (aarch64_expand_prologue): Move the + calculation of chain_offset into the emit_frame_chain block. +--- + gcc/config/aarch64/aarch64.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 96e99f6c17a..cf5244b7ec0 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -8974,16 +8974,16 @@ aarch64_expand_prologue (void) + if (callee_adjust != 0) + aarch64_push_regs (reg1, reg2, callee_adjust); + +- /* The offset of the frame chain record (if any) from the current SP. */ +- poly_int64 chain_offset = (initial_adjust + callee_adjust +- - frame.hard_fp_offset); +- gcc_assert (known_ge (chain_offset, 0)); +- + /* The offset of the current SP from the bottom of the static frame. */ + poly_int64 bytes_below_sp = frame_size - initial_adjust - callee_adjust; + + if (emit_frame_chain) + { ++ /* The offset of the frame chain record (if any) from the current SP. 
*/ ++ poly_int64 chain_offset = (initial_adjust + callee_adjust ++ - frame.hard_fp_offset); ++ gcc_assert (known_ge (chain_offset, 0)); ++ + if (callee_adjust == 0) + { + reg1 = R29_REGNUM; +-- +2.34.1 + + +From 82fb69e75c21010f7afc72bb842751164fe8fc72 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:46 +0100 +Subject: [PATCH 08/19] aarch64: Rename locals_offset to bytes_above_locals +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +locals_offset was described as: + + /* Offset from the base of the frame (incomming SP) to the + top of the locals area. This value is always a multiple of + STACK_BOUNDARY. */ + +This is implicitly an “upside down” view of the frame: the incoming +SP is at offset 0, and anything N bytes below the incoming SP is at +offset N (rather than -N). + +However, reg_offset instead uses a “right way up” view; that is, +it views offsets in address terms. Something above X is at a +positive offset from X and something below X is at a negative +offset from X. + +Also, even on FRAME_GROWS_DOWNWARD targets like AArch64, +target-independent code views offsets in address terms too: +locals are allocated at negative offsets to virtual_stack_vars. + +It seems confusing to have *_offset fields of the same structure +using different polarities like this. This patch tries to avoid +that by renaming locals_offset to bytes_above_locals. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::locals_offset): Rename to... + (aarch64_frame::bytes_above_locals): ...this. + * config/aarch64/aarch64.c (aarch64_layout_frame) + (aarch64_initial_elimination_offset): Update accordingly. 
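Review bot: The moved comment still says "(if any)", but the declaration now sits inside `if (emit_frame_chain)`, where a chain record always exists. I would drop the qualifier so the comment matches its new scope: `/* The offset of the frame chain record from the current SP.  */`. The block it was moved into continues past the end of the hunk.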
+--- + gcc/config/aarch64/aarch64.c | 6 +++--- + gcc/config/aarch64/aarch64.h | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index cf5244b7ec0..d54f7a89306 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7596,7 +7596,7 @@ aarch64_layout_frame (void) + STACK_BOUNDARY / BITS_PER_UNIT)); + frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; + +- frame.locals_offset = frame.saved_varargs_size; ++ frame.bytes_above_locals = frame.saved_varargs_size; + + frame.initial_adjust = 0; + frame.final_adjust = 0; +@@ -11758,13 +11758,13 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) + return frame.hard_fp_offset; + + if (from == FRAME_POINTER_REGNUM) +- return frame.hard_fp_offset - frame.locals_offset; ++ return frame.hard_fp_offset - frame.bytes_above_locals; + } + + if (to == STACK_POINTER_REGNUM) + { + if (from == FRAME_POINTER_REGNUM) +- return frame.frame_size - frame.locals_offset; ++ return frame.frame_size - frame.bytes_above_locals; + } + + return frame.frame_size; +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 57e67217745..3c5e3dd429d 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -851,10 +851,10 @@ struct GTY (()) aarch64_frame + always a multiple of STACK_BOUNDARY. */ + poly_int64 bytes_below_hard_fp; + +- /* Offset from the base of the frame (incomming SP) to the +- top of the locals area. This value is always a multiple of ++ /* The number of bytes between the top of the locals area and the top ++ of the frame (the incomming SP). This value is always a multiple of + STACK_BOUNDARY. */ +- poly_int64 locals_offset; ++ poly_int64 bytes_above_locals; + + /* Offset from the base of the frame (incomming SP) to the + hard_frame_pointer. 
This value is always a multiple of +-- +2.34.1 + + +From fa6600b55b49ee14d8288f13719ceea2a75eea60 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:47 +0100 +Subject: [PATCH 09/19] aarch64: Rename hard_fp_offset to bytes_above_hard_fp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Similarly to the previous locals_offset patch, hard_fp_offset +was described as: + + /* Offset from the base of the frame (incomming SP) to the + hard_frame_pointer. This value is always a multiple of + STACK_BOUNDARY. */ + poly_int64 hard_fp_offset; + +which again took an “upside-down” view: higher offsets meant lower +addresses. This patch renames the field to bytes_above_hard_fp instead. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::hard_fp_offset): Rename + to... + (aarch64_frame::bytes_above_hard_fp): ...this. + * config/aarch64/aarch64.c (aarch64_layout_frame) + (aarch64_expand_prologue): Update accordingly. + (aarch64_initial_elimination_offset): Likewise. +--- + gcc/config/aarch64/aarch64.c | 26 +++++++++++++------------- + gcc/config/aarch64/aarch64.h | 6 +++--- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index d54f7a89306..23cb084e5a7 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7588,7 +7588,7 @@ aarch64_layout_frame (void) + + get_frame_size (), + STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.hard_fp_offset ++ frame.bytes_above_hard_fp + = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; + + /* Both these values are already aligned. 
*/ +@@ -7609,13 +7609,13 @@ aarch64_layout_frame (void) + else if (frame.wb_candidate1 != INVALID_REGNUM) + max_push_offset = 256; + +- HOST_WIDE_INT const_size, const_below_saved_regs, const_fp_offset; ++ HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; + if (known_eq (frame.saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; + else if (frame.frame_size.is_constant (&const_size) + && const_size < max_push_offset +- && known_eq (frame.hard_fp_offset, const_size)) ++ && known_eq (frame.bytes_above_hard_fp, const_size)) + { + /* Simple, small frame with no data below the saved registers. + +@@ -7632,8 +7632,8 @@ aarch64_layout_frame (void) + case that it hardly seems worth the effort though. */ + && (!saves_below_hard_fp_p || const_below_saved_regs == 0) + && !(cfun->calls_alloca +- && frame.hard_fp_offset.is_constant (&const_fp_offset) +- && const_fp_offset < max_push_offset)) ++ && frame.bytes_above_hard_fp.is_constant (&const_above_fp) ++ && const_above_fp < max_push_offset)) + { + /* Frame with small area below the saved registers: + +@@ -7651,12 +7651,12 @@ aarch64_layout_frame (void) + sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size + save SVE registers relative to SP + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = (frame.hard_fp_offset ++ frame.initial_adjust = (frame.bytes_above_hard_fp + + frame.below_hard_fp_saved_regs_size); + frame.final_adjust = frame.bytes_below_saved_regs; + } +- else if (frame.hard_fp_offset.is_constant (&const_fp_offset) +- && const_fp_offset < max_push_offset) ++ else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) ++ && const_above_fp < max_push_offset) + { + /* Frame with large area below the saved registers, or with SVE saves, + but with a small area above: +@@ -7666,7 +7666,7 @@ aarch64_layout_frame (void) + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] + sub sp, sp, 
bytes_below_saved_regs */ +- frame.callee_adjust = const_fp_offset; ++ frame.callee_adjust = const_above_fp; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } +@@ -7681,7 +7681,7 @@ aarch64_layout_frame (void) + [sub sp, sp, below_hard_fp_saved_regs_size] + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = frame.hard_fp_offset; ++ frame.initial_adjust = frame.bytes_above_hard_fp; + frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } +@@ -8981,7 +8981,7 @@ aarch64_expand_prologue (void) + { + /* The offset of the frame chain record (if any) from the current SP. */ + poly_int64 chain_offset = (initial_adjust + callee_adjust +- - frame.hard_fp_offset); ++ - frame.bytes_above_hard_fp); + gcc_assert (known_ge (chain_offset, 0)); + + if (callee_adjust == 0) +@@ -11755,10 +11755,10 @@ aarch64_initial_elimination_offset (unsigned from, unsigned to) + if (to == HARD_FRAME_POINTER_REGNUM) + { + if (from == ARG_POINTER_REGNUM) +- return frame.hard_fp_offset; ++ return frame.bytes_above_hard_fp; + + if (from == FRAME_POINTER_REGNUM) +- return frame.hard_fp_offset - frame.bytes_above_locals; ++ return frame.bytes_above_hard_fp - frame.bytes_above_locals; + } + + if (to == STACK_POINTER_REGNUM) +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 3c5e3dd429d..9291cfd3ec8 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -856,10 +856,10 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + poly_int64 bytes_above_locals; + +- /* Offset from the base of the frame (incomming SP) to the +- hard_frame_pointer. This value is always a multiple of ++ /* The number of bytes between the hard_frame_pointer and the top of ++ the frame (the incomming SP). This value is always a multiple of + STACK_BOUNDARY. 
*/ +- poly_int64 hard_fp_offset; ++ poly_int64 bytes_above_hard_fp; + + /* The size of the frame. This value is the offset from base of the + frame (incomming SP) to the stack_pointer. This value is always +-- +2.34.1 + + +From b8cd5a0229da78c2d1289d54731fbef0126617d5 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:47 +0100 +Subject: [PATCH 10/19] aarch64: Tweak frame_size comment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch fixes another case in which a value was described with +an “upside-down” view. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::frame_size): Tweak comment. +--- + gcc/config/aarch64/aarch64.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 9291cfd3ec8..82883ad5a0d 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -861,8 +861,8 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + poly_int64 bytes_above_hard_fp; + +- /* The size of the frame. This value is the offset from base of the +- frame (incomming SP) to the stack_pointer. This value is always ++ /* The size of the frame, i.e. the number of bytes between the bottom ++ of the outgoing arguments and the incoming SP. This value is always + a multiple of STACK_BOUNDARY. */ + poly_int64 frame_size; + +-- +2.34.1 + + +From 999c4a81cffddb850d6ab0f6d3a8de3e704d2f7a Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:48 +0100 +Subject: [PATCH 11/19] aarch64: Measure reg_offset from the bottom of the + frame + +reg_offset was measured from the bottom of the saved register area. +This made perfect sense with the original layout, since the bottom +of the saved register area was also the hard frame pointer address. 
+It became slightly less obvious with SVE, since we save SVE +registers below the hard frame pointer, but it still made sense. + +However, if we want to allow different frame layouts, it's more +convenient and obvious to measure reg_offset from the bottom of +the frame. After previous patches, it's also a slight simplification +in its own right. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame): Add comment above + reg_offset. + * config/aarch64/aarch64.c (aarch64_layout_frame): Walk offsets + from the bottom of the frame, rather than the bottom of the saved + register area. Measure reg_offset from the bottom of the frame + rather than the bottom of the saved register area. + (aarch64_save_callee_saves): Update accordingly. + (aarch64_restore_callee_saves): Likewise. + (aarch64_get_separate_components): Likewise. + (aarch64_process_components): Likewise. +--- + gcc/config/aarch64/aarch64.c | 53 ++++++++++++++++-------------------- + gcc/config/aarch64/aarch64.h | 3 ++ + 2 files changed, 27 insertions(+), 29 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 23cb084e5a7..45ff664cba6 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7398,7 +7398,6 @@ aarch64_needs_frame_chain (void) + static void + aarch64_layout_frame (void) + { +- poly_int64 offset = 0; + int regno, last_fp_reg = INVALID_REGNUM; + machine_mode vector_save_mode = aarch64_reg_save_mode (V8_REGNUM); + poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); +@@ -7476,7 +7475,9 @@ aarch64_layout_frame (void) + gcc_assert (crtl->is_leaf + || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + +- frame.bytes_below_saved_regs = crtl->outgoing_args_size; ++ poly_int64 offset = crtl->outgoing_args_size; ++ gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ frame.bytes_below_saved_regs = offset; + + /* Now assign stack slots for the registers. 
Start with the predicate + registers, since predicate LDR and STR have a relatively small +@@ -7488,7 +7489,8 @@ aarch64_layout_frame (void) + offset += BYTES_PER_SVE_PRED; + } + +- if (maybe_ne (offset, 0)) ++ poly_int64 saved_prs_size = offset - frame.bytes_below_saved_regs; ++ if (maybe_ne (saved_prs_size, 0)) + { + /* If we have any vector registers to save above the predicate registers, + the offset of the vector register save slots need to be a multiple +@@ -7506,10 +7508,10 @@ aarch64_layout_frame (void) + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + else + { +- if (known_le (offset, vector_save_size)) +- offset = vector_save_size; +- else if (known_le (offset, vector_save_size * 2)) +- offset = vector_save_size * 2; ++ if (known_le (saved_prs_size, vector_save_size)) ++ offset = frame.bytes_below_saved_regs + vector_save_size; ++ else if (known_le (saved_prs_size, vector_save_size * 2)) ++ offset = frame.bytes_below_saved_regs + vector_save_size * 2; + else + gcc_unreachable (); + } +@@ -7526,9 +7528,10 @@ aarch64_layout_frame (void) + + /* OFFSET is now the offset of the hard frame pointer from the bottom + of the callee save area. */ +- bool saves_below_hard_fp_p = maybe_ne (offset, 0); +- frame.below_hard_fp_saved_regs_size = offset; +- frame.bytes_below_hard_fp = offset + frame.bytes_below_saved_regs; ++ frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; ++ bool saves_below_hard_fp_p ++ = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ frame.bytes_below_hard_fp = offset; + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. 
*/ +@@ -7579,9 +7582,10 @@ aarch64_layout_frame (void) + + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.saved_regs_size = offset; ++ frame.saved_regs_size = offset - frame.bytes_below_saved_regs; + +- poly_int64 varargs_and_saved_regs_size = offset + frame.saved_varargs_size; ++ poly_int64 varargs_and_saved_regs_size ++ = frame.saved_regs_size + frame.saved_varargs_size; + + poly_int64 saved_regs_and_above + = aligned_upper_bound (varargs_and_saved_regs_size +@@ -8021,9 +8025,7 @@ aarch64_save_callee_saves (poly_int64 bytes_below_sp, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = (frame.reg_offset[regno] +- + frame.bytes_below_saved_regs +- - bytes_below_sp); ++ offset = frame.reg_offset[regno] - bytes_below_sp; + rtx base_rtx = stack_pointer_rtx; + poly_int64 sp_offset = offset; + +@@ -8130,9 +8132,7 @@ aarch64_restore_callee_saves (poly_int64 bytes_below_sp, unsigned start, + + machine_mode mode = aarch64_reg_save_mode (regno); + reg = gen_rtx_REG (mode, regno); +- offset = (frame.reg_offset[regno] +- + frame.bytes_below_saved_regs +- - bytes_below_sp); ++ offset = frame.reg_offset[regno] - bytes_below_sp; + rtx base_rtx = stack_pointer_rtx; + if (mode == VNx2DImode && BYTES_BIG_ENDIAN) + aarch64_adjust_sve_callee_save_base (mode, base_rtx, anchor_reg, +@@ -8271,14 +8271,12 @@ aarch64_get_separate_components (void) + it as a stack probe for -fstack-clash-protection. */ + if (flag_stack_clash_protection + && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) +- && known_eq (offset, 0)) ++ && known_eq (offset, frame.bytes_below_saved_regs)) + continue; + + /* Get the offset relative to the register we'll use. 
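Review bot: The context comment `OFFSET is now the offset of the hard frame pointer from the bottom of the callee save area` in aarch64_layout_frame is left untouched, but it no longer describes the code below it. An earlier hunk of this patch starts OFFSET at `crtl->outgoing_args_size`, and this hunk assigns it straight to `frame.bytes_below_hard_fp`. The comment should say `from the bottom of the static frame` to agree with the new assignments. The function extends well beyond this hunk.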
*/ + if (frame_pointer_needed) +- offset -= frame.below_hard_fp_saved_regs_size; +- else +- offset += frame.bytes_below_saved_regs; ++ offset -= frame.bytes_below_hard_fp; + + /* Check that we can access the stack slot of the register with one + direct load with no adjustments needed. */ +@@ -8425,9 +8423,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + rtx reg = gen_rtx_REG (mode, regno); + poly_int64 offset = frame.reg_offset[regno]; + if (frame_pointer_needed) +- offset -= frame.below_hard_fp_saved_regs_size; +- else +- offset += frame.bytes_below_saved_regs; ++ offset -= frame.bytes_below_hard_fp; + + rtx addr = plus_constant (Pmode, ptr_reg, offset); + rtx mem = gen_frame_mem (mode, addr); +@@ -8479,9 +8475,7 @@ aarch64_process_components (sbitmap components, bool prologue_p) + /* REGNO2 can be saved/restored in a pair with REGNO. */ + rtx reg2 = gen_rtx_REG (mode, regno2); + if (frame_pointer_needed) +- offset2 -= frame.below_hard_fp_saved_regs_size; +- else +- offset2 += frame.bytes_below_saved_regs; ++ offset2 -= frame.bytes_below_hard_fp; + rtx addr2 = plus_constant (Pmode, ptr_reg, offset2); + rtx mem2 = gen_frame_mem (mode, addr2); + rtx set2 = prologue_p ? 
gen_rtx_SET (mem2, reg2) +@@ -8597,7 +8591,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + if (final_adjustment_p + && known_eq (frame.below_hard_fp_saved_regs_size, 0)) + { +- poly_int64 lr_offset = frame.reg_offset[LR_REGNUM]; ++ poly_int64 lr_offset = (frame.reg_offset[LR_REGNUM] ++ - frame.bytes_below_saved_regs); + if (known_ge (lr_offset, 0)) + min_probe_threshold -= lr_offset.to_constant (); + else +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 82883ad5a0d..c8ec3d58495 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -826,6 +826,9 @@ extern enum aarch64_processor aarch64_tune; + #ifdef HAVE_POLY_INT_H + struct GTY (()) aarch64_frame + { ++ /* The offset from the bottom of the static frame (the bottom of the ++ outgoing arguments) of each register save slot, or -2 if no save is ++ needed. */ + poly_int64 reg_offset[LAST_SAVED_REGNUM + 1]; + + /* The number of extra stack bytes taken up by register varargs. +-- +2.34.1 + + +From 8b664cc8f05c8130e8ca73a59ae2751cdef8a0ea Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:48 +0100 +Subject: [PATCH 12/19] aarch64: Simplify top of frame allocation + +After previous patches, it no longer really makes sense to allocate +the top of the frame in terms of varargs_and_saved_regs_size and +saved_regs_and_above. + +gcc/ + * config/aarch64/aarch64.c (aarch64_layout_frame): Simplify + the allocation of the top of the frame. 
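Review bot: The comment added above `reg_offset` in `struct aarch64_frame` gives the no-save marker as the literal `-2`, while the code in this series tests these slots against the named values `SLOT_REQUIRED` and `SLOT_NOT_REQUIRED`. Assuming `-2` is the value of `SLOT_NOT_REQUIRED`, the comment is easier to keep correct if it names the sentinel, e.g. `outgoing arguments) of each register save slot, or SLOT_NOT_REQUIRED if no save is needed.  */`. This matters more after this patch, because valid offsets are now measured from the bottom of the static frame and a reader has to know they can never collide with the sentinels. The struct continues outside the hunk.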
+--- + gcc/config/aarch64/aarch64.c | 23 ++++++++--------------- + 1 file changed, 8 insertions(+), 15 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 45ff664cba6..779547d0344 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7584,23 +7584,16 @@ aarch64_layout_frame (void) + + frame.saved_regs_size = offset - frame.bytes_below_saved_regs; + +- poly_int64 varargs_and_saved_regs_size +- = frame.saved_regs_size + frame.saved_varargs_size; +- +- poly_int64 saved_regs_and_above +- = aligned_upper_bound (varargs_and_saved_regs_size +- + get_frame_size (), +- STACK_BOUNDARY / BITS_PER_UNIT); +- +- frame.bytes_above_hard_fp +- = saved_regs_and_above - frame.below_hard_fp_saved_regs_size; ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ auto top_of_locals = offset; + +- /* Both these values are already aligned. */ +- gcc_assert (multiple_p (frame.bytes_below_saved_regs, +- STACK_BOUNDARY / BITS_PER_UNIT)); +- frame.frame_size = saved_regs_and_above + frame.bytes_below_saved_regs; ++ offset += frame.saved_varargs_size; ++ gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ frame.frame_size = offset; + +- frame.bytes_above_locals = frame.saved_varargs_size; ++ frame.bytes_above_hard_fp = frame.frame_size - frame.bytes_below_hard_fp; ++ frame.bytes_above_locals = frame.frame_size - top_of_locals; + + frame.initial_adjust = 0; + frame.final_adjust = 0; +-- +2.34.1 + + +From bb4600071acc3a02db4f37ffb95c8495ad76a140 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:49 +0100 +Subject: [PATCH 13/19] aarch64: Minor initial adjustment tweak + +This patch just changes a calculation of initial_adjust +to one that makes it slightly more obvious that the total +adjustment is frame.frame_size. 
+ +gcc/ + * config/aarch64/aarch64.c (aarch64_layout_frame): Tweak + calculation of initial_adjust for frames in which all saves + are SVE saves. +--- + gcc/config/aarch64/aarch64.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 779547d0344..0b8992ada74 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7645,11 +7645,10 @@ aarch64_layout_frame (void) + { + /* Frame in which all saves are SVE saves: + +- sub sp, sp, hard_fp_offset + below_hard_fp_saved_regs_size ++ sub sp, sp, frame_size - bytes_below_saved_regs + save SVE registers relative to SP + sub sp, sp, bytes_below_saved_regs */ +- frame.initial_adjust = (frame.bytes_above_hard_fp +- + frame.below_hard_fp_saved_regs_size); ++ frame.initial_adjust = frame.frame_size - frame.bytes_below_saved_regs; + frame.final_adjust = frame.bytes_below_saved_regs; + } + else if (frame.bytes_above_hard_fp.is_constant (&const_above_fp) +-- +2.34.1 + + +From f22329d5efbacf80edf4a2d45ebadd93f283252c Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:49 +0100 +Subject: [PATCH 14/19] aarch64: Tweak stack clash boundary condition + +The AArch64 ABI says that, when stack clash protection is used, +there can be a maximum of 1KiB of unprobed space at sp on entry +to a function. Therefore, we need to probe when allocating +>= guard_size - 1KiB of data (>= rather than >). This is what +GCC does. + +If an allocation is exactly guard_size bytes, it is enough to allocate +those bytes and probe once at offset 1024. It isn't possible to use a +single probe at any other offset: higher would conmplicate later code, +by leaving more unprobed space than usual, while lower would risk +leaving an entire page unprobed. For simplicity, the code probes all +allocations at offset 1024. + +Some register saves also act as probes. 
If we need to allocate +more space below the last such register save probe, we need to +probe the allocation if it is > 1KiB. Again, this allocation is +then sometimes (but not always) probed at offset 1024. This sort of +allocation is currently only used for outgoing arguments, which are +rarely this big. + +However, the code also probed if this final outgoing-arguments +allocation was == 1KiB, rather than just > 1KiB. This isn't +necessary, since the register save then probes at offset 1024 +as required. Continuing to probe allocations of exactly 1KiB +would complicate later patches. + +gcc/ + * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space): + Don't probe final allocations that are exactly 1KiB in size (after + unprobed space above the final allocation has been deducted). + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-17.c: New test. +--- + gcc/config/aarch64/aarch64.c | 4 +- + .../aarch64/stack-check-prologue-17.c | 55 +++++++++++++++++++ + 2 files changed, 58 insertions(+), 1 deletion(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 0b8992ada74..bfd24876195 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -8564,9 +8564,11 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + HOST_WIDE_INT guard_size + = 1 << param_stack_clash_protection_guard_size; + HOST_WIDE_INT guard_used_by_caller = STACK_CLASH_CALLER_GUARD; ++ HOST_WIDE_INT byte_sp_alignment = STACK_BOUNDARY / BITS_PER_UNIT; ++ gcc_assert (multiple_p (poly_size, byte_sp_alignment)); + HOST_WIDE_INT min_probe_threshold + = (final_adjustment_p +- ? guard_used_by_caller ++ ? guard_used_by_caller + byte_sp_alignment + : guard_size - guard_used_by_caller); + /* When doing the final adjustment for the outgoing arguments, take into + account any unprobed space there is above the current SP. 
There are +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +new file mode 100644 +index 00000000000..0d8a25d73a2 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +@@ -0,0 +1,55 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} +-- +2.34.1 + + +From 174a9747491e591ef2abb3e20a0332303f11003a Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:49 +0100 +Subject: [PATCH 15/19] aarch64: Put LR save probe in first 16 bytes + +-fstack-clash-protection uses the save of LR as a probe for the next +allocation. The next allocation could be: + +* another part of the static frame, e.g. 
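Review bot: The `+ byte_sp_alignment` added to the `final_adjustment_p` arm of `min_probe_threshold` is the whole boundary change, yet nothing beside it says that it turns "probe at 1KiB" into "probe only above 1KiB". The threshold is compared with `>=` later in the function (`residual >= min_probe_threshold`, visible in a later hunk of this series). The strictness therefore depends on sizes being multiples of the stack alignment, which the new `gcc_assert (multiple_p (poly_size, byte_sp_alignment))` checks. I would add a comment above the assignment such as `/* Final allocations need a probe only when strictly larger than the caller guard; sizes are multiples of the SP alignment, so the smallest such size is guard + alignment.  */`. `aarch64_allocate_and_probe_stack_space` starts and ends outside this hunk.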
when allocating SVE save slots + or outgoing arguments + +* an alloca in the same function + +* an allocation made by a callee function + +However, when -fomit-frame-pointer is used, the LR save slot is placed +above the other GPR save slots. It could therefore be up to 80 bytes +above the base of the GPR save area (which is also the hard fp address). + +aarch64_allocate_and_probe_stack_space took this into account when +deciding how much subsequent space could be allocated without needing +a probe. However, it interacted badly with: + + /* If doing a small final adjustment, we always probe at offset 0. + This is done to avoid issues when LR is not at position 0 or when + the final adjustment is smaller than the probing offset. */ + else if (final_adjustment_p && rounded_size == 0) + residual_probe_offset = 0; + +which forces any allocation that is smaller than the guard page size +to be probed at offset 0 rather than the usual offset 1024. It was +therefore possible to construct cases in which we had: + +* a probe using LR at SP + 80 bytes (or some other value >= 16) +* an allocation of the guard page size - 16 bytes +* a probe at SP + 0 + +which allocates guard page size + 64 consecutive unprobed bytes. + +This patch requires the LR probe to be in the first 16 bytes of the +save area when stack clash protection is active. Doing it +unconditionally would cause code-quality regressions, but a later +patch deals with that. + +The new comment doesn't say that the probe register is required +to be LR, since a later patch removes that restriction. + +gcc/ + * config/aarch64/aarch64.c (aarch64_layout_frame): Ensure that + the LR save slot is in the first 16 bytes of the register save area. + (aarch64_allocate_and_probe_stack_space): Remove workaround for + when LR was not in the first 16 bytes. + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-18.c: New test. 
+--- + gcc/config/aarch64/aarch64.c | 61 ++++------- + .../aarch64/stack-check-prologue-18.c | 100 ++++++++++++++++++ + 2 files changed, 123 insertions(+), 38 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index bfd24876195..3f2b10de987 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7532,26 +7532,34 @@ aarch64_layout_frame (void) + bool saves_below_hard_fp_p + = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); + frame.bytes_below_hard_fp = offset; ++ ++ auto allocate_gpr_slot = [&](unsigned int regno) ++ { ++ frame.reg_offset[regno] = offset; ++ if (frame.wb_candidate1 == INVALID_REGNUM) ++ frame.wb_candidate1 = regno; ++ else if (frame.wb_candidate2 == INVALID_REGNUM) ++ frame.wb_candidate2 = regno; ++ offset += UNITS_PER_WORD; ++ }; ++ + if (frame.emit_frame_chain) + { + /* FP and LR are placed in the linkage record. */ +- frame.reg_offset[R29_REGNUM] = offset; +- frame.wb_candidate1 = R29_REGNUM; +- frame.reg_offset[R30_REGNUM] = offset + UNITS_PER_WORD; +- frame.wb_candidate2 = R30_REGNUM; +- offset += 2 * UNITS_PER_WORD; ++ allocate_gpr_slot (R29_REGNUM); ++ allocate_gpr_slot (R30_REGNUM); + } ++ else if (flag_stack_clash_protection ++ && known_eq (frame.reg_offset[R30_REGNUM], SLOT_REQUIRED)) ++ /* Put the LR save slot first, since it makes a good choice of probe ++ for stack clash purposes. The idea is that the link register usually ++ has to be saved before a call anyway, and so we lose little by ++ stopping it from being individually shrink-wrapped. 
*/ ++ allocate_gpr_slot (R30_REGNUM); + + for (regno = R0_REGNUM; regno <= R30_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) +- { +- frame.reg_offset[regno] = offset; +- if (frame.wb_candidate1 == INVALID_REGNUM) +- frame.wb_candidate1 = regno; +- else if (frame.wb_candidate2 == INVALID_REGNUM) +- frame.wb_candidate2 = regno; +- offset += UNITS_PER_WORD; +- } ++ allocate_gpr_slot (regno); + + poly_int64 max_int_offset = offset; + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -8570,29 +8578,6 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + = (final_adjustment_p + ? guard_used_by_caller + byte_sp_alignment + : guard_size - guard_used_by_caller); +- /* When doing the final adjustment for the outgoing arguments, take into +- account any unprobed space there is above the current SP. There are +- two cases: +- +- - When saving SVE registers below the hard frame pointer, we force +- the lowest save to take place in the prologue before doing the final +- adjustment (i.e. we don't allow the save to be shrink-wrapped). +- This acts as a probe at SP, so there is no unprobed space. +- +- - When there are no SVE register saves, we use the store of the link +- register as a probe. We can't assume that LR was saved at position 0 +- though, so treat any space below it as unprobed. */ +- if (final_adjustment_p +- && known_eq (frame.below_hard_fp_saved_regs_size, 0)) +- { +- poly_int64 lr_offset = (frame.reg_offset[LR_REGNUM] +- - frame.bytes_below_saved_regs); +- if (known_ge (lr_offset, 0)) +- min_probe_threshold -= lr_offset.to_constant (); +- else +- gcc_assert (!flag_stack_clash_protection || known_eq (poly_size, 0)); +- } +- + poly_int64 frame_size = frame.frame_size; + + /* We should always have a positive probe threshold. 
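Review bot: After the new early `allocate_gpr_slot (R30_REGNUM)` call, the `R0_REGNUM`..`R30_REGNUM` loop skips LR only because its `reg_offset` entry no longer equals `SLOT_REQUIRED` once a real offset is stored, and that coupling is not stated anywhere in the hunk. The LR-first placement is what lets the LR save act as the stack-clash probe, so the loop deserves a one-line comment such as `/* Registers allocated above no longer hold SLOT_REQUIRED and are skipped here.  */`. It would also help to say next to the lambda that `wb_candidate1`/`wb_candidate2` are filled in allocation order, so with stack clash protection LR becomes the first write-back candidate. `aarch64_layout_frame` starts and ends outside this hunk.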
*/ +@@ -8772,8 +8757,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + if (final_adjustment_p && rounded_size != 0) + min_probe_threshold = 0; + /* If doing a small final adjustment, we always probe at offset 0. +- This is done to avoid issues when LR is not at position 0 or when +- the final adjustment is smaller than the probing offset. */ ++ This is done to avoid issues when the final adjustment is smaller ++ than the probing offset. */ + else if (final_adjustment_p && rounded_size == 0) + residual_probe_offset = 0; + +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +new file mode 100644 +index 00000000000..82447d20fff +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +@@ -0,0 +1,100 @@ ++/* { dg-options "-O2 -fstack-clash-protection -fomit-frame-pointer --param stack-clash-protection-guard-size=12" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void f(int, ...); ++void g(); ++ ++/* ++** test1: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #4064 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++** str x26, \[sp, #?4128\] ++** ... 
++*/ ++int test1(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test2: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1040 ++** str xzr, \[sp\] ++** cbnz w0, .* ++** bl g ++** ... ++*/ ++int test2(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x); ++ } ++ g(); ++ return 1; ++} ++ ++/* ++** test3: ++** ... ++** str x30, \[sp\] ++** sub sp, sp, #1024 ++** cbnz w0, .* ++** bl g ++** ... 
++*/ ++int test3(int z) { ++ __uint128_t x = 0; ++ int y[0x400]; ++ if (z) ++ { ++ asm volatile ("" ::: ++ "x19", "x20", "x21", "x22", "x23", "x24", "x25", "x26"); ++ f(0, 0, 0, 0, 0, 0, 0, &y, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, ++ x, x, x, x, x, x, x, x, x, x, x, x, x, x, x, x); ++ } ++ g(); ++ return 1; ++} +-- +2.34.1 + + +From e932e11c353be52256dd30d30d924f4e834e3ca3 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:51 +0100 +Subject: [PATCH 16/19] aarch64: Simplify probe of final frame allocation + +Previous patches ensured that the final frame allocation only needs +a probe when the size is strictly greater than 1KiB. It's therefore +safe to use the normal 1024 probe offset in all cases. + +The main motivation for doing this is to simplify the code and +remove the number of special cases. + +gcc/ + * config/aarch64/aarch64.c (aarch64_allocate_and_probe_stack_space): + Always probe the residual allocation at offset 1024, asserting + that that is in range. + +gcc/testsuite/ + * gcc.target/aarch64/stack-check-prologue-17.c: Expect the probe + to be at offset 1024 rather than offset 0. + * gcc.target/aarch64/stack-check-prologue-18.c: Likewise. +--- + gcc/config/aarch64/aarch64.c | 12 ++++-------- + .../gcc.target/aarch64/stack-check-prologue-17.c | 2 +- + .../gcc.target/aarch64/stack-check-prologue-18.c | 4 ++-- + 3 files changed, 7 insertions(+), 11 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 3f2b10de987..4b9cd687525 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -8751,16 +8751,12 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + are still safe. 
*/ + if (residual) + { +- HOST_WIDE_INT residual_probe_offset = guard_used_by_caller; ++ gcc_assert (guard_used_by_caller + byte_sp_alignment <= size); ++ + /* If we're doing final adjustments, and we've done any full page + allocations then any residual needs to be probed. */ + if (final_adjustment_p && rounded_size != 0) + min_probe_threshold = 0; +- /* If doing a small final adjustment, we always probe at offset 0. +- This is done to avoid issues when the final adjustment is smaller +- than the probing offset. */ +- else if (final_adjustment_p && rounded_size == 0) +- residual_probe_offset = 0; + + aarch64_sub_sp (temp1, temp2, residual, frame_related_p); + if (residual >= min_probe_threshold) +@@ -8771,8 +8767,8 @@ aarch64_allocate_and_probe_stack_space (rtx temp1, rtx temp2, + HOST_WIDE_INT_PRINT_DEC " bytes, probing will be required." + "\n", residual); + +- emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx, +- residual_probe_offset)); ++ emit_stack_probe (plus_constant (Pmode, stack_pointer_rtx, ++ guard_used_by_caller)); + emit_insn (gen_blockage ()); + } + } +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +index 0d8a25d73a2..f0ec1389771 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-17.c +@@ -33,7 +33,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +index 82447d20fff..6383bec5ebc 100644 +--- a/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c ++++ b/gcc/testsuite/gcc.target/aarch64/stack-check-prologue-18.c +@@ -9,7 +9,7 @@ void g(); + ** ... 
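Review bot: The new `gcc_assert (guard_used_by_caller + byte_sp_alignment <= size)` at the top of the `if (residual)` block has no comment tying it to the probe it protects, which is emitted in the following hunk at the fixed offset `guard_used_by_caller`. The assert runs for every residual, including ones below `min_probe_threshold` that are never probed, and it tests `size` rather than `residual`. A reader cannot tell from here why it holds; presumably an earlier exit outside this hunk filters out small sizes. I would add `/* The probe at GUARD_USED_BY_CALLER must lie inside the SIZE bytes allocated by this call.  */` directly above it. The enclosing function starts and ends outside the hunk.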
+ ** str x30, \[sp\] + ** sub sp, sp, #4064 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +@@ -50,7 +50,7 @@ int test1(int z) { + ** ... + ** str x30, \[sp\] + ** sub sp, sp, #1040 +-** str xzr, \[sp\] ++** str xzr, \[sp, #?1024\] + ** cbnz w0, .* + ** bl g + ** ... +-- +2.34.1 + + +From 9ed9fd54b2b471745c9489e83496c091a7b64904 Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:52 +0100 +Subject: [PATCH 17/19] aarch64: Explicitly record probe registers in frame + info + +The stack frame is currently divided into three areas: + +A: the area above the hard frame pointer +B: the SVE saves below the hard frame pointer +C: the outgoing arguments + +If the stack frame is allocated in one chunk, the allocation needs a +probe if the frame size is >= guard_size - 1KiB. In addition, if the +function is not a leaf function, it must probe an address no more than +1KiB above the outgoing SP. We ensured the second condition by + +(1) using single-chunk allocations for non-leaf functions only if + the link register save slot is within 512 bytes of the bottom + of the frame; and + +(2) using the link register save as a probe (meaning, for instance, + that it can't be individually shrink wrapped) + +If instead the stack is allocated in multiple chunks, then: + +* an allocation involving only the outgoing arguments (C above) requires + a probe if the allocation size is > 1KiB + +* any other allocation requires a probe if the allocation size + is >= guard_size - 1KiB + +* second and subsequent allocations require the previous allocation + to probe at the bottom of the allocated area, regardless of the size + of that previous allocation + +The final point means that, unlike for single allocations, +it can be necessary to have both a non-SVE register probe and +an SVE register probe. 
For example: + +* allocate A, probe using a non-SVE register save +* allocate B, probe using an SVE register save +* allocate C + +The non-SVE register used in this case was again the link register. +It was previously used even if the link register save slot was some +bytes above the bottom of the non-SVE register saves, but an earlier +patch avoided that by putting the link register save slot first. + +As a belt-and-braces fix, this patch explicitly records which +probe registers we're using and allows the non-SVE probe to be +whichever register comes first (as for SVE). + +The patch also avoids unnecessary probes in sve/pcs/stack_clash_3.c. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::sve_save_and_probe) + (aarch64_frame::hard_fp_save_and_probe): New fields. + * config/aarch64/aarch64.c (aarch64_layout_frame): Initialize them. + Rather than asserting that a leaf function saves LR, instead assert + that a leaf function saves something. + (aarch64_get_separate_components): Prevent the chosen probe + registers from being individually shrink-wrapped. + (aarch64_allocate_and_probe_stack_space): Remove workaround for + probe registers that aren't at the bottom of the previous allocation. + +gcc/testsuite/ + * gcc.target/aarch64/sve/pcs/stack_clash_3.c: Avoid redundant probes. +--- + gcc/config/aarch64/aarch64.c | 68 +++++++++++++++---- + gcc/config/aarch64/aarch64.h | 8 +++ + .../aarch64/sve/pcs/stack_clash_3.c | 6 +- + 3 files changed, 64 insertions(+), 18 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 4b9cd687525..ef4b3b671ba 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7469,15 +7469,11 @@ aarch64_layout_frame (void) + && !crtl->abi->clobbers_full_reg_p (regno)) + frame.reg_offset[regno] = SLOT_REQUIRED; + +- /* With stack-clash, LR must be saved in non-leaf functions. 
The saving of +- LR counts as an implicit probe which allows us to maintain the invariant +- described in the comment at expand_prologue. */ +- gcc_assert (crtl->is_leaf +- || maybe_ne (frame.reg_offset[R30_REGNUM], SLOT_NOT_REQUIRED)); + + poly_int64 offset = crtl->outgoing_args_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); + frame.bytes_below_saved_regs = offset; ++ frame.sve_save_and_probe = INVALID_REGNUM; + + /* Now assign stack slots for the registers. Start with the predicate + registers, since predicate LDR and STR have a relatively small +@@ -7485,6 +7481,8 @@ aarch64_layout_frame (void) + for (regno = P0_REGNUM; regno <= P15_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.sve_save_and_probe == INVALID_REGNUM) ++ frame.sve_save_and_probe = regno; + frame.reg_offset[regno] = offset; + offset += BYTES_PER_SVE_PRED; + } +@@ -7522,6 +7520,8 @@ aarch64_layout_frame (void) + for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.sve_save_and_probe == INVALID_REGNUM) ++ frame.sve_save_and_probe = regno; + frame.reg_offset[regno] = offset; + offset += vector_save_size; + } +@@ -7531,10 +7531,18 @@ aarch64_layout_frame (void) + frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; + bool saves_below_hard_fp_p + = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ gcc_assert (!saves_below_hard_fp_p ++ || (frame.sve_save_and_probe != INVALID_REGNUM ++ && known_eq (frame.reg_offset[frame.sve_save_and_probe], ++ frame.bytes_below_saved_regs))); ++ + frame.bytes_below_hard_fp = offset; ++ frame.hard_fp_save_and_probe = INVALID_REGNUM; + + auto allocate_gpr_slot = [&](unsigned int regno) + { ++ if (frame.hard_fp_save_and_probe == INVALID_REGNUM) ++ frame.hard_fp_save_and_probe = regno; + frame.reg_offset[regno] = offset; + if (frame.wb_candidate1 == INVALID_REGNUM) + frame.wb_candidate1 = regno; +@@ 
-7568,6 +7576,8 @@ aarch64_layout_frame (void) + for (regno = V0_REGNUM; regno <= V31_REGNUM; regno++) + if (known_eq (frame.reg_offset[regno], SLOT_REQUIRED)) + { ++ if (frame.hard_fp_save_and_probe == INVALID_REGNUM) ++ frame.hard_fp_save_and_probe = regno; + /* If there is an alignment gap between integer and fp callee-saves, + allocate the last fp register to it if possible. */ + if (regno == last_fp_reg +@@ -7591,6 +7601,17 @@ aarch64_layout_frame (void) + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + + frame.saved_regs_size = offset - frame.bytes_below_saved_regs; ++ gcc_assert (known_eq (frame.saved_regs_size, ++ frame.below_hard_fp_saved_regs_size) ++ || (frame.hard_fp_save_and_probe != INVALID_REGNUM ++ && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], ++ frame.bytes_below_hard_fp))); ++ ++ /* With stack-clash, a register must be saved in non-leaf functions. ++ The saving of the bottommost register counts as an implicit probe, ++ which allows us to maintain the invariant described in the comment ++ at expand_prologue. */ ++ gcc_assert (crtl->is_leaf || maybe_ne (frame.saved_regs_size, 0)); + + offset += get_frame_size (); + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -7690,6 +7711,25 @@ aarch64_layout_frame (void) + frame.final_adjust = frame.bytes_below_saved_regs; + } + ++ /* The frame is allocated in pieces, with each non-final piece ++ including a register save at offset 0 that acts as a probe for ++ the following piece. In addition, the save of the bottommost register ++ acts as a probe for callees and allocas. Roll back any probes that ++ aren't needed. ++ ++ A probe isn't needed if it is associated with the final allocation ++ (including callees and allocas) that happens before the epilogue is ++ executed. 
*/ ++ if (crtl->is_leaf ++ && !cfun->calls_alloca ++ && known_eq (frame.final_adjust, 0)) ++ { ++ if (maybe_ne (frame.sve_callee_adjust, 0)) ++ frame.sve_save_and_probe = INVALID_REGNUM; ++ else ++ frame.hard_fp_save_and_probe = INVALID_REGNUM; ++ } ++ + /* Make sure the individual adjustments add up to the full frame size. */ + gcc_assert (known_eq (frame.initial_adjust + + frame.callee_adjust +@@ -8267,13 +8307,6 @@ aarch64_get_separate_components (void) + + poly_int64 offset = frame.reg_offset[regno]; + +- /* If the register is saved in the first SVE save slot, we use +- it as a stack probe for -fstack-clash-protection. */ +- if (flag_stack_clash_protection +- && maybe_ne (frame.below_hard_fp_saved_regs_size, 0) +- && known_eq (offset, frame.bytes_below_saved_regs)) +- continue; +- + /* Get the offset relative to the register we'll use. */ + if (frame_pointer_needed) + offset -= frame.bytes_below_hard_fp; +@@ -8308,6 +8341,13 @@ aarch64_get_separate_components (void) + + bitmap_clear_bit (components, LR_REGNUM); + bitmap_clear_bit (components, SP_REGNUM); ++ if (flag_stack_clash_protection) ++ { ++ if (frame.sve_save_and_probe != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.sve_save_and_probe); ++ if (frame.hard_fp_save_and_probe != INVALID_REGNUM) ++ bitmap_clear_bit (components, frame.hard_fp_save_and_probe); ++ } + + return components; + } +@@ -8844,8 +8884,8 @@ aarch64_epilogue_uses (int regno) + When probing is needed, we emit a probe at the start of the prologue + and every PARAM_STACK_CLASH_PROTECTION_GUARD_SIZE bytes thereafter. + +- We have to track how much space has been allocated and the only stores +- to the stack we track as implicit probes are the FP/LR stores. ++ We can also use register saves as probes. These are stored in ++ sve_save_and_probe and hard_fp_save_and_probe. + + For outgoing arguments we probe if the size is larger than 1KB, such that + the ABI specified buffer is maintained for the next callee. 
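Review bot: The roll-back block that sets `sve_save_and_probe` or `hard_fp_save_and_probe` back to `INVALID_REGNUM` is the one place where this patch drops a probe, and the only test change in its diffstat is the relaxed expectation in `sve/pcs/stack_clash_3.c`, where `str p4, \[sp\]` may now move after the `cbz`. That covers the permissive side only. Unless a test outside this page already does so, I would add a `check-function-bodies` case for a function that is non-leaf or calls `alloca`, expecting the bottommost save to stay ahead of the branch. A later change to the `crtl->is_leaf && !cfun->calls_alloca && known_eq (frame.final_adjust, 0)` condition could not then silently let the probe register be shrink-wrapped. A short comment on the `else` arm would also help, noting that it is reached when `sve_callee_adjust` is zero and the hard-FP save is then associated with the last allocation. `aarch64_layout_frame` continues outside this hunk.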
+diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index c8ec3d58495..97173e48598 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -911,6 +911,14 @@ struct GTY (()) aarch64_frame + This is the register they should use. */ + unsigned spare_pred_reg; + ++ /* An SVE register that is saved below the hard frame pointer and that acts ++ as a probe for later allocations, or INVALID_REGNUM if none. */ ++ unsigned sve_save_and_probe; ++ ++ /* A register that is saved at the hard frame pointer and that acts ++ as a probe for later allocations, or INVALID_REGNUM if none. */ ++ unsigned hard_fp_save_and_probe; ++ + bool laid_out; + }; + +diff --git a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +index 3e01ec36c3a..3530a0d504b 100644 +--- a/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c ++++ b/gcc/testsuite/gcc.target/aarch64/sve/pcs/stack_clash_3.c +@@ -11,11 +11,10 @@ + ** mov x11, sp + ** ... + ** sub sp, sp, x13 +-** str p4, \[sp\] + ** cbz w0, [^\n]* ++** str p4, \[sp\] + ** ... + ** ptrue p0\.b, all +-** ldr p4, \[sp\] + ** addvl sp, sp, #1 + ** ldr x24, \[sp\], 32 + ** ret +@@ -39,13 +38,12 @@ test_1 (int n) + ** mov x11, sp + ** ... + ** sub sp, sp, x13 +-** str p4, \[sp\] + ** cbz w0, [^\n]* ++** str p4, \[sp\] + ** str p5, \[sp, #1, mul vl\] + ** str p6, \[sp, #2, mul vl\] + ** ... + ** ptrue p0\.b, all +-** ldr p4, \[sp\] + ** addvl sp, sp, #1 + ** ldr x24, \[sp\], 32 + ** ret +-- +2.34.1 + + +From 4bbf7b6cdd02b0d547ddd6a630f2065680bf2f6b Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:52 +0100 +Subject: [PATCH 18/19] aarch64: Remove below_hard_fp_saved_regs_size + +After previous patches, it's no longer necessary to store +saved_regs_size and below_hard_fp_saved_regs_size in the frame info. 
+All measurements instead use the top or bottom of the frame as +reference points. + +gcc/ + * config/aarch64/aarch64.h (aarch64_frame::saved_regs_size) + (aarch64_frame::below_hard_fp_saved_regs_size): Delete. + * config/aarch64/aarch64.c (aarch64_layout_frame): Update accordingly. +--- + gcc/config/aarch64/aarch64.c | 45 +++++++++++++++++------------------- + gcc/config/aarch64/aarch64.h | 7 ------ + 2 files changed, 21 insertions(+), 31 deletions(-) + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index ef4b3b671ba..385718a475b 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7528,9 +7528,8 @@ aarch64_layout_frame (void) + + /* OFFSET is now the offset of the hard frame pointer from the bottom + of the callee save area. */ +- frame.below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; +- bool saves_below_hard_fp_p +- = maybe_ne (frame.below_hard_fp_saved_regs_size, 0); ++ auto below_hard_fp_saved_regs_size = offset - frame.bytes_below_saved_regs; ++ bool saves_below_hard_fp_p = maybe_ne (below_hard_fp_saved_regs_size, 0); + gcc_assert (!saves_below_hard_fp_p + || (frame.sve_save_and_probe != INVALID_REGNUM + && known_eq (frame.reg_offset[frame.sve_save_and_probe], +@@ -7600,9 +7599,8 @@ aarch64_layout_frame (void) + + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); + +- frame.saved_regs_size = offset - frame.bytes_below_saved_regs; +- gcc_assert (known_eq (frame.saved_regs_size, +- frame.below_hard_fp_saved_regs_size) ++ auto saved_regs_size = offset - frame.bytes_below_saved_regs; ++ gcc_assert (known_eq (saved_regs_size, below_hard_fp_saved_regs_size) + || (frame.hard_fp_save_and_probe != INVALID_REGNUM + && known_eq (frame.reg_offset[frame.hard_fp_save_and_probe], + frame.bytes_below_hard_fp))); +@@ -7611,7 +7609,7 @@ aarch64_layout_frame (void) + The saving of the bottommost register counts as an implicit probe, + which allows us to maintain the invariant 
described in the comment + at expand_prologue. */ +- gcc_assert (crtl->is_leaf || maybe_ne (frame.saved_regs_size, 0)); ++ gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); + + offset += get_frame_size (); + offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +@@ -7637,7 +7635,7 @@ aarch64_layout_frame (void) + + HOST_WIDE_INT const_size, const_below_saved_regs, const_above_fp; + HOST_WIDE_INT const_saved_regs_size; +- if (known_eq (frame.saved_regs_size, 0)) ++ if (known_eq (saved_regs_size, 0)) + frame.initial_adjust = frame.frame_size; + else if (frame.frame_size.is_constant (&const_size) + && const_size < max_push_offset +@@ -7650,7 +7648,7 @@ aarch64_layout_frame (void) + frame.callee_adjust = const_size; + } + else if (frame.bytes_below_saved_regs.is_constant (&const_below_saved_regs) +- && frame.saved_regs_size.is_constant (&const_saved_regs_size) ++ && saved_regs_size.is_constant (&const_saved_regs_size) + && const_below_saved_regs + const_saved_regs_size < 512 + /* We could handle this case even with data below the saved + registers, provided that that data left us with valid offsets +@@ -7669,8 +7667,7 @@ aarch64_layout_frame (void) + frame.initial_adjust = frame.frame_size; + } + else if (saves_below_hard_fp_p +- && known_eq (frame.saved_regs_size, +- frame.below_hard_fp_saved_regs_size)) ++ && known_eq (saved_regs_size, below_hard_fp_saved_regs_size)) + { + /* Frame in which all saves are SVE saves: + +@@ -7692,7 +7689,7 @@ aarch64_layout_frame (void) + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ + frame.callee_adjust = const_above_fp; +- frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; ++ frame.sve_callee_adjust = below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } + else +@@ -7707,7 +7704,7 @@ aarch64_layout_frame (void) + [save SVE registers relative to SP] + sub sp, sp, bytes_below_saved_regs */ + frame.initial_adjust = 
frame.bytes_above_hard_fp; +- frame.sve_callee_adjust = frame.below_hard_fp_saved_regs_size; ++ frame.sve_callee_adjust = below_hard_fp_saved_regs_size; + frame.final_adjust = frame.bytes_below_saved_regs; + } + +@@ -8849,17 +8846,17 @@ aarch64_epilogue_uses (int regno) + | local variables | <-- frame_pointer_rtx + | | + +-------------------------------+ +- | padding | \ +- +-------------------------------+ | +- | callee-saved registers | | frame.saved_regs_size +- +-------------------------------+ | +- | LR' | | +- +-------------------------------+ | +- | FP' | | +- +-------------------------------+ |<- hard_frame_pointer_rtx (aligned) +- | SVE vector registers | | \ +- +-------------------------------+ | | below_hard_fp_saved_regs_size +- | SVE predicate registers | / / ++ | padding | ++ +-------------------------------+ ++ | callee-saved registers | ++ +-------------------------------+ ++ | LR' | ++ +-------------------------------+ ++ | FP' | ++ +-------------------------------+ <-- hard_frame_pointer_rtx (aligned) ++ | SVE vector registers | ++ +-------------------------------+ ++ | SVE predicate registers | + +-------------------------------+ + | dynamic allocation | + +-------------------------------+ +diff --git a/gcc/config/aarch64/aarch64.h b/gcc/config/aarch64/aarch64.h +index 97173e48598..9084b1cfb9d 100644 +--- a/gcc/config/aarch64/aarch64.h ++++ b/gcc/config/aarch64/aarch64.h +@@ -837,18 +837,11 @@ struct GTY (()) aarch64_frame + STACK_BOUNDARY. */ + HOST_WIDE_INT saved_varargs_size; + +- /* The size of the callee-save registers with a slot in REG_OFFSET. */ +- poly_int64 saved_regs_size; +- + /* The number of bytes between the bottom of the static frame (the bottom + of the outgoing arguments) and the bottom of the register save area. + This value is always a multiple of STACK_BOUNDARY. */ + poly_int64 bytes_below_saved_regs; + +- /* The size of the callee-save registers with a slot in REG_OFFSET that +- are saved below the hard frame pointer. 
*/ +- poly_int64 below_hard_fp_saved_regs_size; +- + /* The number of bytes between the bottom of the static frame (the bottom + of the outgoing arguments) and the hard frame pointer. This value is + always a multiple of STACK_BOUNDARY. */ +-- +2.34.1 + + +From bea0985749c12fcc264710586addb7838cc61e6d Mon Sep 17 00:00:00 2001 +From: Richard Sandiford <richard.sandiford@arm.com> +Date: Tue, 12 Sep 2023 16:19:52 +0100 +Subject: [PATCH 19/19] aarch64: Make stack smash canary protect saved + registers + +AArch64 normally puts the saved registers near the bottom of the frame, +immediately above any dynamic allocations. But this means that a +stack-smash attack on those dynamic allocations could overwrite the +saved registers without needing to reach as far as the stack smash +canary. + +The same thing could also happen for variable-sized arguments that are +passed by value, since those are allocated before a call and popped on +return. + +This patch avoids that by putting the locals (and thus the canary) below +the saved registers when stack smash protection is active. + +The patch fixes CVE-2023-4039. + +gcc/ + * config/aarch64/aarch64.c (aarch64_save_regs_above_locals_p): + New function. + (aarch64_layout_frame): Use it to decide whether locals should + go above or below the saved registers. + (aarch64_expand_prologue): Update stack layout comment. + Emit a stack tie after the final adjustment. + +gcc/testsuite/ + * gcc.target/aarch64/stack-protector-8.c: New test. + * gcc.target/aarch64/stack-protector-9.c: Likewise. 
+--- + gcc/config/aarch64/aarch64.c | 46 +++++++-- + .../gcc.target/aarch64/stack-protector-8.c | 95 +++++++++++++++++++ + .../gcc.target/aarch64/stack-protector-9.c | 33 +++++++ + 3 files changed, 168 insertions(+), 6 deletions(-) + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-8.c + create mode 100644 gcc/testsuite/gcc.target/aarch64/stack-protector-9.c + +diff --git a/gcc/config/aarch64/aarch64.c b/gcc/config/aarch64/aarch64.c +index 385718a475b..3ccfd3c30fc 100644 +--- a/gcc/config/aarch64/aarch64.c ++++ b/gcc/config/aarch64/aarch64.c +@@ -7392,6 +7392,20 @@ aarch64_needs_frame_chain (void) + return aarch64_use_frame_pointer; + } + ++/* Return true if the current function should save registers above ++ the locals area, rather than below it. */ ++ ++static bool ++aarch64_save_regs_above_locals_p () ++{ ++ /* When using stack smash protection, make sure that the canary slot ++ comes between the locals and the saved registers. Otherwise, ++ it would be possible for a carefully sized smash attack to change ++ the saved registers (particularly LR and FP) without reaching the ++ canary. */ ++ return crtl->stack_protect_guard; ++} ++ + /* Mark the registers that need to be saved by the callee and calculate + the size of the callee-saved registers area and frame record (both FP + and LR may be omitted). 
*/ +@@ -7403,6 +7417,7 @@ aarch64_layout_frame (void) + poly_int64 vector_save_size = GET_MODE_SIZE (vector_save_mode); + bool frame_related_fp_reg_p = false; + aarch64_frame &frame = cfun->machine->frame; ++ poly_int64 top_of_locals = -1; + + frame.emit_frame_chain = aarch64_needs_frame_chain (); + +@@ -7469,9 +7484,16 @@ aarch64_layout_frame (void) + && !crtl->abi->clobbers_full_reg_p (regno)) + frame.reg_offset[regno] = SLOT_REQUIRED; + ++ bool regs_at_top_p = aarch64_save_regs_above_locals_p (); + + poly_int64 offset = crtl->outgoing_args_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); ++ if (regs_at_top_p) ++ { ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ top_of_locals = offset; ++ } + frame.bytes_below_saved_regs = offset; + frame.sve_save_and_probe = INVALID_REGNUM; + +@@ -7611,15 +7633,18 @@ aarch64_layout_frame (void) + at expand_prologue. */ + gcc_assert (crtl->is_leaf || maybe_ne (saved_regs_size, 0)); + +- offset += get_frame_size (); +- offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); +- auto top_of_locals = offset; +- ++ if (!regs_at_top_p) ++ { ++ offset += get_frame_size (); ++ offset = aligned_upper_bound (offset, STACK_BOUNDARY / BITS_PER_UNIT); ++ top_of_locals = offset; ++ } + offset += frame.saved_varargs_size; + gcc_assert (multiple_p (offset, STACK_BOUNDARY / BITS_PER_UNIT)); + frame.frame_size = offset; + + frame.bytes_above_hard_fp = frame.frame_size - frame.bytes_below_hard_fp; ++ gcc_assert (known_ge (top_of_locals, 0)); + frame.bytes_above_locals = frame.frame_size - top_of_locals; + + frame.initial_adjust = 0; +@@ -8843,10 +8868,10 @@ aarch64_epilogue_uses (int regno) + | for register varargs | + | | + +-------------------------------+ +- | local variables | <-- frame_pointer_rtx ++ | local variables (1) | <-- frame_pointer_rtx + | | + +-------------------------------+ +- | padding | ++ | padding (1) | + 
+-------------------------------+ + | callee-saved registers | + +-------------------------------+ +@@ -8858,6 +8883,10 @@ aarch64_epilogue_uses (int regno) + +-------------------------------+ + | SVE predicate registers | + +-------------------------------+ ++ | local variables (2) | ++ +-------------------------------+ ++ | padding (2) | ++ +-------------------------------+ + | dynamic allocation | + +-------------------------------+ + | padding | +@@ -8867,6 +8896,9 @@ aarch64_epilogue_uses (int regno) + +-------------------------------+ + | | <-- stack_pointer_rtx (aligned) + ++ The regions marked (1) and (2) are mutually exclusive. (2) is used ++ when aarch64_save_regs_above_locals_p is true. ++ + Dynamic stack allocations via alloca() decrease stack_pointer_rtx + but leave frame_pointer_rtx and hard_frame_pointer_rtx + unchanged. +@@ -9058,6 +9090,8 @@ aarch64_expand_prologue (void) + gcc_assert (known_eq (bytes_below_sp, final_adjust)); + aarch64_allocate_and_probe_stack_space (tmp1_rtx, tmp0_rtx, final_adjust, + !frame_pointer_needed, true); ++ if (emit_frame_chain && maybe_ne (final_adjust, 0)) ++ emit_insn (gen_stack_tie (stack_pointer_rtx, hard_frame_pointer_rtx)); + } + + /* Return TRUE if we can use a simple_return insn. 
+diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c +new file mode 100644 +index 00000000000..e71d820e365 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-8.c +@@ -0,0 +1,95 @@ ++/* { dg-options " -O -fstack-protector-strong -mstack-protector-guard=sysreg -mstack-protector-guard-reg=tpidr2_el0 -mstack-protector-guard-offset=16" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++void g(void *); ++__SVBool_t *h(void *); ++ ++/* ++** test1: ++** sub sp, sp, #288 ++** stp x29, x30, \[sp, #?272\] ++** add x29, sp, #?272 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?264\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl g ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** ldp x29, x30, \[sp, #?272\] ++** add sp, sp, #?288 ++** ret ++** bl __stack_chk_fail ++*/ ++int test1() { ++ int y[0x40]; ++ g(y); ++ return 1; ++} ++ ++/* ++** test2: ++** stp x29, x30, \[sp, #?-16\]! ++** mov x29, sp ++** sub sp, sp, #1040 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?1032\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl g ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** add sp, sp, #?1040 ++** ldp x29, x30, \[sp\], #?16 ++** ret ++** bl __stack_chk_fail ++*/ ++int test2() { ++ int y[0x100]; ++ g(y); ++ return 1; ++} ++ ++#pragma GCC target "+sve" ++ ++/* ++** test3: ++** stp x29, x30, \[sp, #?-16\]! ++** mov x29, sp ++** addvl sp, sp, #-18 ++** ... ++** str p4, \[sp\] ++** ... ++** sub sp, sp, #272 ++** mrs (x[0-9]+), tpidr2_el0 ++** ldr (x[0-9]+), \[\1, #?16\] ++** str \2, \[sp, #?264\] ++** mov \2, #?0 ++** add x0, sp, #?8 ++** bl h ++** ... ++** mrs .* ++** ... ++** bne .* ++** ... ++** add sp, sp, #?272 ++** ... ++** ldr p4, \[sp\] ++** ... 
++** addvl sp, sp, #18 ++** ldp x29, x30, \[sp\], #?16 ++** ret ++** bl __stack_chk_fail ++*/ ++__SVBool_t test3() { ++ int y[0x40]; ++ return *h(y); ++} +diff --git a/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c +new file mode 100644 +index 00000000000..58f322aa480 +--- /dev/null ++++ b/gcc/testsuite/gcc.target/aarch64/stack-protector-9.c +@@ -0,0 +1,33 @@ ++/* { dg-options "-O2 -mcpu=neoverse-v1 -fstack-protector-all" } */ ++/* { dg-final { check-function-bodies "**" "" } } */ ++ ++/* ++** main: ++** ... ++** stp x29, x30, \[sp, #?-[0-9]+\]! ++** ... ++** sub sp, sp, #[0-9]+ ++** ... ++** str x[0-9]+, \[x29, #?-8\] ++** ... ++*/ ++int f(const char *); ++void g(void *); ++int main(int argc, char* argv[]) ++{ ++ int a; ++ int b; ++ char c[2+f(argv[1])]; ++ int d[0x100]; ++ char y; ++ ++ y=42; a=4; b=10; ++ c[0] = 'h'; c[1] = '\0'; ++ ++ c[f(argv[2])] = '\0'; ++ ++ __builtin_printf("%d %d\n%s\n", a, b, c); ++ g(d); ++ ++ return 0; ++} +-- +2.34.1 + diff --git a/meta/recipes-devtools/gcc/gcc_11.3.bb b/meta/recipes-devtools/gcc/gcc_11.4.bb index 255fe552bd..255fe552bd 100644 --- a/meta/recipes-devtools/gcc/gcc_11.3.bb +++ b/meta/recipes-devtools/gcc/gcc_11.4.bb diff --git a/meta/recipes-devtools/gcc/libgcc-common.inc b/meta/recipes-devtools/gcc/libgcc-common.inc index d48dc8b823..31f629acaa 100644 --- a/meta/recipes-devtools/gcc/libgcc-common.inc +++ b/meta/recipes-devtools/gcc/libgcc-common.inc @@ -45,10 +45,14 @@ do_install () { } do_install:append:libc-baremetal () { - rmdir ${D}${base_libdir} + if [ "${base_libdir}" != "${libdir}" ]; then + rmdir ${D}${base_libdir} + fi } do_install:append:libc-newlib () { - rmdir ${D}${base_libdir} + if [ "${base_libdir}" != "${libdir}" ]; then + rmdir ${D}${base_libdir} + fi } # No rpm package is actually created but -dev depends on it, avoid dnf error 
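Review bot: The new guard around `rmdir ${D}${base_libdir}` is repeated verbatim in `do_install:append:libc-baremetal` and `do_install:append:libc-newlib`, with no comment saying why the two paths are compared. A one-line comment such as `# base_libdir may be the same directory as libdir (e.g. merged /usr); only remove it when it is separate` would record the intent, if that is indeed the reason. The path expansion is also unquoted; `rmdir "${D}${base_libdir}"` is the safer form.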
diff --git a/meta/recipes-devtools/gcc/libgcc-initial_11.3.bb b/meta/recipes-devtools/gcc/libgcc-initial_11.4.bb index a259082b47..a259082b47 100644 --- a/meta/recipes-devtools/gcc/libgcc-initial_11.3.bb +++ b/meta/recipes-devtools/gcc/libgcc-initial_11.4.bb diff --git a/meta/recipes-devtools/gcc/libgcc_11.3.bb b/meta/recipes-devtools/gcc/libgcc_11.4.bb index f88963b0a4..f88963b0a4 100644 --- a/meta/recipes-devtools/gcc/libgcc_11.3.bb +++ b/meta/recipes-devtools/gcc/libgcc_11.4.bb diff --git a/meta/recipes-devtools/gcc/libgfortran_11.3.bb b/meta/recipes-devtools/gcc/libgfortran_11.4.bb index 71dd8b4bdc..71dd8b4bdc 100644 --- a/meta/recipes-devtools/gcc/libgfortran_11.3.bb +++ b/meta/recipes-devtools/gcc/libgfortran_11.4.bb diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc index 649ee28727..6c9fe60cab 100644 --- a/meta/recipes-devtools/gdb/gdb.inc +++ b/meta/recipes-devtools/gdb/gdb.inc @@ -14,5 +14,8 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \ file://0008-resolve-restrict-keyword-conflict.patch \ file://0009-Fix-invalid-sigprocmask-call.patch \ file://0010-gdbserver-ctrl-c-handling.patch \ + file://0011-CVE-2023-39128.patch \ + file://0012-CVE-2023-39129.patch \ + file://0013-CVE-2023-39130.patch \ " SRC_URI[sha256sum] = "1497c36a71881b8671a9a84a0ee40faab788ca30d7ba19d8463c3cc787152e32" diff --git a/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch new file mode 100644 index 0000000000..53b49cb21d --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch 
@@ -0,0 +1,75 @@ +From 033bc52bb6190393c8eed80925fa78cc35b40c6d Mon Sep 17 00:00:00 2001 +From: Tom Tromey <tromey@adacore.com> +Date: Wed, 16 Aug 2023 11:29:19 -0600 +Subject: [PATCH] Avoid buffer overflow in ada_decode + +A bug report pointed out a buffer overflow in ada_decode, which Keith +helpfully analyzed. ada_decode had a logic error when the input was +all digits. While this isn't valid -- and would probably only appear +in fuzzer tests -- it still should be handled properly. + +This patch adds a missing bounds check. Tested with the self-tests in +an asan build. + +Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=30639 +Reviewed-by: Keith Seitz <keiths@redhat.com> + +Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] +CVE: CVE-2023-39128 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + gdb/ada-lang.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/gdb/ada-lang.c b/gdb/ada-lang.c +index 70a2b44..f682302 100644 +--- a/gdb/ada-lang.c ++++ b/gdb/ada-lang.c +@@ -57,6 +57,7 @@ + #include "cli/cli-utils.h" + #include "gdbsupport/function-view.h" + #include "gdbsupport/byte-vector.h" ++#include "gdbsupport/selftest.h" + #include <algorithm> + #include "ada-exp.h" + +@@ -1057,7 +1058,7 @@ ada_decode (const char *encoded, bool wrap) + i -= 1; + if (i > 1 && encoded[i] == '_' && encoded[i - 1] == '_') + len0 = i - 1; +- else if (encoded[i] == '$') ++ else if (i >= 0 && encoded[i] == '$') + len0 = i; + } + +@@ -1225,6 +1226,18 @@ ada_decode (const char *encoded, bool wrap) + return decoded; + } + ++#ifdef GDB_SELF_TEST ++ ++static void ++ada_decode_tests () ++{ ++ /* This isn't valid, but used to cause a crash. PR gdb/30639. The ++ result does not really matter very much. */ ++ SELF_CHECK (ada_decode ("44") == "44"); ++} ++ ++#endif ++ + /* Table for keeping permanent unique copies of decoded names. 
Once + allocated, names in this table are never released. While this is a + storage leak, it should not be significant unless there are massive +@@ -13497,4 +13510,8 @@ DWARF attribute."), + gdb::observers::new_objfile.attach (ada_new_objfile_observer, "ada-lang"); + gdb::observers::free_objfile.attach (ada_free_objfile_observer, "ada-lang"); + gdb::observers::inferior_exit.attach (ada_inferior_exit, "ada-lang"); ++ ++#ifdef GDB_SELF_TEST ++ selftests::register_test ("ada-decode", ada_decode_tests); ++#endif + } +-- +2.35.7 + diff --git a/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch new file mode 100644 index 0000000000..63fb44d59a --- /dev/null +++ b/meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch 
@@ -0,0 +1,50 @@ +From: Keith Seitz <keiths@...> +Date: Wed, 2 Aug 2023 15:35:11 +0000 (-0700) +Subject: Verify COFF symbol stringtab offset +X-Git-Tag: gdb-14-branchpoint~473 +X-Git-Url: https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a + +Verify COFF symbol stringtab offset + +This patch addresses an issue with malformed/fuzzed debug information that +was recently reported in gdb/30639. That bug specifically deals with +an ASAN issue, but the reproducer provided by the reporter causes a +another failure outside of ASAN: + +Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff_plain;h=58abdf887821a5da09ba184c6e400a3bc5cccd5a] + +CVE: CVE-2023-39129 + +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> + +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -159,6 +160,7 @@ static file_ptr linetab_offset; + static file_ptr linetab_size; + + static char *stringtab = NULL; ++static long stringtab_length = 0; + + extern void stabsread_clear_cache (void); + +@@ -1303,6 +1298,7 @@ init_stringtab (bfd *abfd, file_ptr offset, gdb::unique_xmalloc_ptr<char> *stora + /* This is in target format (probably not very useful, and not + currently used), not host format. */ + memcpy (stringtab, lengthbuf, sizeof lengthbuf); ++ stringtab_length = length; + if (length == sizeof length) /* Empty table -- just the count. */ + return 0; + +@@ -1322,8 +1318,9 @@ getsymname (struct internal_syment *symbol_entry) + + if (symbol_entry->_n._n_n._n_zeroes == 0) + { +- /* FIXME: Probably should be detecting corrupt symbol files by +- seeing whether offset points to within the stringtab. */ ++ if (symbol_entry->_n._n_n._n_offset > stringtab_length) ++ error (_("COFF Error: string table offset (%ld) outside string table (length %ld)"), ++ symbol_entry->_n._n_n._n_offset, stringtab_length); + result = stringtab + symbol_entry->_n._n_n._n_offset; + } + else 
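Review bot: The bounds check added to getsymname compares with `>`, so an `_n_offset` equal to `stringtab_length` still passes and `stringtab + _n_offset` then points one byte past a table of that length. The comparison should be `if (symbol_entry->_n._n_n._n_offset >= stringtab_length)`. The check also does not establish that the name is NUL-terminated inside the table, which deserves a comment at the check or a terminator test where the table is read. `stringtab_length` is only assigned on the path in init_stringtab that reads a table, so any early return before that assignment presumably leaves the previous file's length in place; resetting it to 0 at the top of init_stringtab would close that gap. getsymname continues past the end of the hunk.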
diff --git a/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
new file mode 100644
index 0000000000..bfd5b18d7d
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch
@@ -0,0 +1,326 @@ +From 2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80 Mon Sep 17 00:00:00 2001 +From: Alan Modra <amodra@gmail.com> +Date: Wed, 9 Aug 2023 09:58:36 +0930 +Subject: [PATCH] gdb: warn unused result for bfd IO functions + +This fixes the compilation warnings introduced by my bfdio.c patch. + +The removed bfd_seeks in coff_symfile_read date back to 1994, commit +7f4c859520, prior to which the file used stdio rather than bfd to read +symbols. Since it now uses bfd to read the file there should be no +need to synchronise to bfd's idea of the file position. I also fixed +a potential uninitialised memory access. + +Approved-By: Andrew Burgess <aburgess@redhat.com> + +Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=2db20b97f1dc3e5dce3d6ed74a8a62f0dede8c80] +CVE: CVE-2023-39130 +Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> +--- + gdb/coff-pe-read.c | 114 +++++++++++++++++++++++++++++---------------- + gdb/coffread.c | 27 ++--------- + gdb/dbxread.c | 7 +-- + gdb/xcoffread.c | 5 +- + 4 files changed, 85 insertions(+), 68 deletions(-) + +diff --git a/gdb/coff-pe-read.c b/gdb/coff-pe-read.c +--- a/gdb/coff-pe-read.c ++++ b/gdb/coff-pe-read.c +@@ -291,23 +291,31 @@ read_pe_truncate_name (char *dll_name) + + /* Low-level support functions, direct from the ld module pe-dll.c. 
*/ + static unsigned int +-pe_get16 (bfd *abfd, int where) ++pe_get16 (bfd *abfd, int where, bool *fail) + { + unsigned char b[2]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 2, abfd); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 2, abfd) != 2) ++ { ++ *fail = true; ++ return 0; ++ } + return b[0] + (b[1] << 8); + } + + static unsigned int +-pe_get32 (bfd *abfd, int where) ++pe_get32 (bfd *abfd, int where, bool *fail) + { + unsigned char b[4]; + +- bfd_seek (abfd, (file_ptr) where, SEEK_SET); +- bfd_bread (b, (bfd_size_type) 4, abfd); +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ if (bfd_seek (abfd, where, SEEK_SET) != 0 ++ || bfd_bread (b, 4, abfd) != 4) ++ { ++ *fail = true; ++ return 0; ++ } ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + static unsigned int +@@ -323,7 +331,7 @@ pe_as32 (void *ptr) + { + unsigned char *b = (unsigned char *) ptr; + +- return b[0] + (b[1] << 8) + (b[2] << 16) + (b[3] << 24); ++ return b[0] + (b[1] << 8) + (b[2] << 16) + ((unsigned) b[3] << 24); + } + + /* Read the (non-debug) export symbol table from a portable +@@ -376,37 +384,50 @@ read_pe_exported_syms (minimal_symbol_re + || strcmp (target, "pei-i386") == 0 + || strcmp (target, "pe-arm-wince-little") == 0 + || strcmp (target, "pei-arm-wince-little") == 0); ++ ++ /* Possibly print a debug message about DLL not having a valid format. */ ++ auto maybe_print_debug_msg = [&] () -> void { ++ if (debug_coff_pe_read) ++ fprintf_unfiltered (gdb_stdlog, _("%s doesn't appear to be a DLL\n"), ++ bfd_get_filename (dll)); ++ }; ++ + if (!is_pe32 && !is_pe64) +- { +- /* This is not a recognized PE format file. Abort now, because +- the code is untested on anything else. *FIXME* test on +- further architectures and loosen or remove this test. */ +- return; +- } ++ return maybe_print_debug_msg (); + + /* Get pe_header, optional header and numbers of export entries. 
*/ +- pe_header_offset = pe_get32 (dll, 0x3c); ++ bool fail = false; ++ pe_header_offset = pe_get32 (dll, 0x3c, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + opthdr_ofs = pe_header_offset + 4 + 20; + if (is_pe64) +- num_entries = pe_get32 (dll, opthdr_ofs + 108); ++ num_entries = pe_get32 (dll, opthdr_ofs + 108, &fail); + else +- num_entries = pe_get32 (dll, opthdr_ofs + 92); ++ num_entries = pe_get32 (dll, opthdr_ofs + 92, &fail); ++ if (fail) ++ return maybe_print_debug_msg (); + + if (num_entries < 1) /* No exports. */ + return; + if (is_pe64) + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 112, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 116, &fail); + } + else + { +- export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96); +- export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100); ++ export_opthdrrva = pe_get32 (dll, opthdr_ofs + 96, &fail); ++ export_opthdrsize = pe_get32 (dll, opthdr_ofs + 100, &fail); + } +- nsections = pe_get16 (dll, pe_header_offset + 4 + 2); ++ if (fail) ++ return maybe_print_debug_msg (); ++ ++ nsections = pe_get16 (dll, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (dll, pe_header_offset + 4 + 16)); ++ pe_get16 (dll, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return maybe_print_debug_msg (); + expptr = 0; + export_size = 0; + +@@ -415,12 +436,13 @@ read_pe_exported_syms (minimal_symbol_re + { + char sname[8]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long vsize = pe_get32 (dll, secptr1 + 16); +- unsigned long fptr = pe_get32 (dll, secptr1 + 20); +- +- bfd_seek (dll, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) sizeof (sname), dll); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 16, &fail); ++ 
unsigned long fptr = pe_get32 (dll, secptr1 + 20, &fail); ++ ++ if (fail ++ || bfd_seek (dll, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname)) + + if ((strcmp (sname, ".edata") == 0) + || (vaddr <= export_opthdrrva && export_opthdrrva < vaddr + vsize)) +@@ -461,16 +483,18 @@ read_pe_exported_syms (minimal_symbol_re + for (i = 0; i < nsections; i++) + { + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vsize = pe_get32 (dll, secptr1 + 8); +- unsigned long vaddr = pe_get32 (dll, secptr1 + 12); +- unsigned long characteristics = pe_get32 (dll, secptr1 + 36); ++ unsigned long vsize = pe_get32 (dll, secptr1 + 8, &fail); ++ unsigned long vaddr = pe_get32 (dll, secptr1 + 12, &fail); ++ unsigned long characteristics = pe_get32 (dll, secptr1 + 36, &fail); + char sec_name[SCNNMLEN + 1]; + int sectix; + unsigned int bfd_section_index; + asection *section; + +- bfd_seek (dll, (file_ptr) secptr1 + 0, SEEK_SET); +- bfd_bread (sec_name, (bfd_size_type) SCNNMLEN, dll); ++ if (fail ++ || bfd_seek (dll, secptr1 + 0, SEEK_SET) != 0 ++ || bfd_bread (sec_name, SCNNMLEN, dll) != SCNNMLEN) ++ return maybe_print_debug_msg (); + sec_name[SCNNMLEN] = '\0'; + + sectix = read_pe_section_index (sec_name); +@@ -509,8 +533,9 @@ read_pe_exported_syms (minimal_symbol_re + gdb::def_vector<unsigned char> expdata_storage (export_size); + expdata = expdata_storage.data (); + +- bfd_seek (dll, (file_ptr) expptr, SEEK_SET); +- bfd_bread (expdata, (bfd_size_type) export_size, dll); ++ if (bfd_seek (dll, expptr, SEEK_SET) != 0 ++ || bfd_bread (expdata, export_size, dll) != export_size) ++ return maybe_print_debug_msg (); + erva = expdata - export_rva; + + nexp = pe_as32 (expdata + 24); +@@ -658,20 +683,27 @@ pe_text_section_offset (struct bfd *abfd + } + + /* Get pe_header, optional header and numbers of sections. 
*/ +- pe_header_offset = pe_get32 (abfd, 0x3c); +- nsections = pe_get16 (abfd, pe_header_offset + 4 + 2); ++ bool fail = false; ++ pe_header_offset = pe_get32 (abfd, 0x3c, &fail); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; ++ nsections = pe_get16 (abfd, pe_header_offset + 4 + 2, &fail); + secptr = (pe_header_offset + 4 + 20 + +- pe_get16 (abfd, pe_header_offset + 4 + 16)); ++ pe_get16 (abfd, pe_header_offset + 4 + 16, &fail)); ++ if (fail) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + + /* Get the rva and size of the export section. */ + for (i = 0; i < nsections; i++) + { + char sname[SCNNMLEN + 1]; + unsigned long secptr1 = secptr + 40 * i; +- unsigned long vaddr = pe_get32 (abfd, secptr1 + 12); ++ unsigned long vaddr = pe_get32 (abfd, secptr1 + 12, &fail); + +- bfd_seek (abfd, (file_ptr) secptr1, SEEK_SET); +- bfd_bread (sname, (bfd_size_type) SCNNMLEN, abfd); ++ if (fail ++ || bfd_seek (abfd, secptr1, SEEK_SET) != 0 ++ || bfd_bread (sname, SCNNMLEN, abfd) != SCNNMLEN) ++ return DEFAULT_COFF_PE_TEXT_SECTION_OFFSET; + sname[SCNNMLEN] = '\0'; + if (strcmp (sname, ".text") == 0) + return vaddr; +diff --git a/gdb/coffread.c b/gdb/coffread.c +--- a/gdb/coffread.c ++++ b/gdb/coffread.c +@@ -690,8 +690,6 @@ coff_symfile_read (struct objfile *objfi + + /* FIXME: dubious. Why can't we use something normal like + bfd_get_section_contents? */ +- bfd_seek (abfd, abfd->where, 0); +- + stabstrsize = bfd_section_size (info->stabstrsect); + + coffstab_build_psymtabs (objfile, +@@ -780,22 +778,6 @@ coff_symtab_read (minimal_symbol_reader + + scoped_free_pendings free_pending; + +- /* Work around a stdio bug in SunOS4.1.1 (this makes me nervous.... +- it's hard to know I've really worked around it. The fix should +- be harmless, anyway). The symptom of the bug is that the first +- fread (in read_one_sym), will (in my example) actually get data +- from file offset 268, when the fseek was to 264 (and ftell shows +- 264). This causes all hell to break loose. 
I was unable to +- reproduce this on a short test program which operated on the same +- file, performing (I think) the same sequence of operations. +- +- It stopped happening when I put in this (former) rewind(). +- +- FIXME: Find out if this has been reported to Sun, whether it has +- been fixed in a later release, etc. */ +- +- bfd_seek (objfile->obfd, 0, 0); +- + /* Position to read the symbol table. */ + val = bfd_seek (objfile->obfd, symtab_offset, 0); + if (val < 0) +@@ -1285,12 +1267,13 @@ init_stringtab (bfd *abfd, file_ptr offs + if (bfd_seek (abfd, offset, 0) < 0) + return -1; + +- val = bfd_bread ((char *) lengthbuf, sizeof lengthbuf, abfd); +- length = bfd_h_get_32 (symfile_bfd, lengthbuf); +- ++ val = bfd_bread (lengthbuf, sizeof lengthbuf, abfd); + /* If no string table is needed, then the file may end immediately + after the symbols. Just return with `stringtab' set to null. */ +- if (val != sizeof lengthbuf || length < sizeof lengthbuf) ++ if (val != sizeof lengthbuf) ++ return 0; ++ length = bfd_h_get_32 (symfile_bfd, lengthbuf); ++ if (length < sizeof lengthbuf) + return 0; + + storage->reset ((char *) xmalloc (length)); +diff --git a/gdb/dbxread.c b/gdb/dbxread.c +--- a/gdb/dbxread.c ++++ b/gdb/dbxread.c +@@ -812,7 +812,8 @@ stabs_seek (int sym_offset) + symbuf_left -= sym_offset; + } + else +- bfd_seek (symfile_bfd, sym_offset, SEEK_CUR); ++ if (bfd_seek (symfile_bfd, sym_offset, SEEK_CUR) != 0) ++ perror_with_name (bfd_get_filename (symfile_bfd)); + } + + #define INTERNALIZE_SYMBOL(intern, extern, abfd) \ +@@ -2095,8 +2096,8 @@ dbx_expand_psymtab (legacy_psymtab *pst, + symbol_size = SYMBOL_SIZE (pst); + + /* Read in this file's symbols. 
*/ +- bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET); +- read_ofile_symtab (objfile, pst); ++ if (bfd_seek (objfile->obfd, SYMBOL_OFFSET (pst), SEEK_SET) == 0) ++ read_ofile_symtab (objfile, pst); + } + + pst->readin = true; +diff --git a/gdb/xcoffread.c b/gdb/xcoffread.c +--- a/gdb/xcoffread.c ++++ b/gdb/xcoffread.c +@@ -865,8 +865,9 @@ enter_line_range (struct subfile *subfil + + while (curoffset <= limit_offset) + { +- bfd_seek (abfd, curoffset, SEEK_SET); +- bfd_bread (ext_lnno, linesz, abfd); ++ if (bfd_seek (abfd, curoffset, SEEK_SET) != 0 ++ || bfd_bread (ext_lnno, linesz, abfd) != linesz) ++ return; + bfd_coff_swap_lineno_in (abfd, ext_lnno, &int_lnno); + + /* Find the address this line represents. */ +-- +2.39.3 diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch b/meta/recipes-devtools/git/git/CVE-2023-25652.patch new file mode 100644 index 0000000000..825701eaff --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch 
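Review bot: In the first section loop of read_pe_exported_syms (inner hunk `@@ -415,12 +436,13 @@`), the added `if (fail || bfd_seek (dll, secptr1, SEEK_SET) != 0 || bfd_bread (sname, sizeof (sname), dll) != sizeof (sname))` has no statement of its own, so it ends up controlling the following `if ((strcmp (sname, ".edata") == 0) ...` block. As written, the `.edata` lookup runs only when a read has failed, on a possibly unfilled `sname`, and is skipped when the reads succeed. Every other converted call site in this patch follows the condition with `return maybe_print_debug_msg ();`, and that line should be added here too. The inner hunk header counts 13 new lines, which matches the text as shown, so this hunk should be compared with the upstream commit named in Upstream-Status. Separately, dbx_expand_psymtab now skips read_ofile_symtab silently when bfd_seek fails but still reaches `pst->readin = true`.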
@@ -0,0 +1,94 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <Johannes.Schindelin@gmx.de> +Date: Thu Mar 9 16:02:54 2023 +0100 +Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it + exists + + The `git apply --reject` is expected to write out `.rej` files in case + one or more hunks fail to apply cleanly. Historically, the command + overwrites any existing `.rej` files. The idea being that + apply/reject/edit cycles are relatively common, and the generated `.rej` + files are not considered precious. + + But the command does not overwrite existing `.rej` symbolic links, and + instead follows them. This is unsafe because the same patch could + potentially create such a symbolic link and point at arbitrary paths + outside the current worktree, and `git apply` would write the contents + of the `.rej` file into that location. + + Therefore, let's make sure that any existing `.rej` file or symbolic + link is removed before writing it. + + Reported-by: RyotaK <ryotak.mail@gmail.com> + Helped-by: Taylor Blau <me@ttaylorr.com> + Helped-by: Junio C Hamano <gitster@pobox.com> + Helped-by: Linus Torvalds <torvalds@linuxfoundation.org> + 
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +CVE: CVE-2023-25652 +Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/apply.c b/apply.c +index fc6f484..47f2686 100644 +--- a/apply.c ++++ b/apply.c +@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh +index 65ac7df..e95e6d4 100755 +--- a/t/t4115-apply-symlink.sh ++++ b/t/t4115-apply-symlink.sh +@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo 
modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done +-- +2.40.0 diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch b/meta/recipes-devtools/git/git/CVE-2023-29007.patch new file mode 100644 index 0000000000..472f4022b2 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch 
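Review bot: In `write_out_one_reject`, the descriptor returned by the new `open()` is not closed when `fdopen(fd, "w")` fails, so the `if (!rej)` branch returns with `fd` still open. Reporting first and closing afterwards keeps `errno` intact for the message: `if (!rej) { int ret = error_errno(_("cannot open %s"), namebuf); close(fd); return ret; }`. The `O_CREAT | O_EXCL` on the retry after `unlink()` is what keeps a link recreated in between from being followed, and a short comment saying so would stop a later edit from relaxing the flags. The function body starts and ends outside these hunks.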
@@ -0,0 +1,162 @@ +From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001 +From: Taylor Blau <me@ttaylorr.com> +Date: Fri, 14 Apr 2023 11:46:59 -0400 +Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection' + +Avoids issues with renaming or deleting sections with long lines, where +configuration values may be interpreted as sections, leading to +configuration injection. Addresses CVE-2023-29007. + +* tb/config-copy-or-rename-in-file-injection: + config.c: disallow overly-long lines in `copy_or_rename_section_in_file()` + config.c: avoid integer truncation in `copy_or_rename_section_in_file()` + config: avoid fixed-sized buffer when renaming/deleting a section + t1300: demonstrate failure when renaming sections with long lines + +Signed-off-by: Taylor Blau <me@ttaylorr.com> + +Upstream-Status: Backport +CVE: CVE-2023-29007 + +Reference to upstream patch: +https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + config.c | 36 +++++++++++++++++++++++++----------- + t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 11 deletions(-) + +diff --git a/config.c b/config.c +index 2bffa8d..6a01938 100644 +--- a/config.c ++++ b/config.c +@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const char *value, + flags); + } + +-static int section_name_match (const char *buf, const char *name) ++static size_t section_name_match (const char *buf, const char *name) + { +- int i = 0, j = 0, dot = 0; ++ size_t i = 0, j = 0; ++ int dot = 0; + if (buf[i] != '[') + return 0; + for (i = 1; buf[i] && buf[i] != ']'; i++) { +@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name) + return 1; + } + ++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) ++ + /* if new_name == NULL, the section is removed instead */ + static int git_config_copy_or_rename_section_in_file(const char *config_filename, + 
const char *old_name, +@@ -3256,11 +3259,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + char *filename_buf = NULL; + struct lock_file lock = LOCK_INIT; + int out_fd; +- char buf[1024]; ++ struct strbuf buf = STRBUF_INIT; + FILE *config_file = NULL; + struct stat st; + struct strbuf copystr = STRBUF_INIT; + struct config_store_data store; ++ uint32_t line_nr = 0; + + memset(&store, 0, sizeof(store)); + +@@ -3297,16 +3301,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + goto out; + } + +- while (fgets(buf, sizeof(buf), config_file)) { +- unsigned i; +- int length; ++ while (!strbuf_getwholeline(&buf, config_file, '\n')) { ++ size_t i, length; + int is_section = 0; +- char *output = buf; +- for (i = 0; buf[i] && isspace(buf[i]); i++) ++ char *output = buf.buf; ++ ++ line_nr++; ++ ++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { ++ ret = error(_("refusing to work with overly long line " ++ "in '%s' on line %"PRIuMAX), ++ config_filename, (uintmax_t)line_nr); ++ goto out; ++ } ++ ++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ +- if (buf[i] == '[') { ++ if (buf.buf[i] == '[') { + /* it's a section */ +- int offset; ++ size_t offset; + is_section = 1; + + /* +@@ -3323,7 +3336,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + strbuf_reset(©str); + } + +- offset = section_name_match(&buf[i], old_name); ++ offset = section_name_match(&buf.buf[i], old_name); + if (offset > 0) { + ret++; + if (new_name == NULL) { +@@ -3398,6 +3411,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + out_no_rollback: + free(filename_buf); + config_store_data_clear(&store); ++ strbuf_release(&buf); + return ret; + } + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 78359f1..b07feb1 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -617,6 +617,36 @@ test_expect_success 'renaming to bogus section is 
rejected' ' + test_must_fail git config --rename-section branch.zwei "bogus name" + ' + ++test_expect_success 'renaming a section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y b.e ++' ++ ++test_expect_success 'renaming an embedded section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] [foo] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y foo.e ++' ++ ++test_expect_success 'renaming a section with an overly-long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %525000s e" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ test_must_fail git config -f y --rename-section a xyz 2>err && ++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF +-- +2.40.0 diff --git a/meta/recipes-devtools/git/git_2.35.3.bb b/meta/recipes-devtools/git/git_2.35.7.bb index 794045c8b7..9e7b0a8cff 100644 --- a/meta/recipes-devtools/git/git_2.35.3.bb +++ b/meta/recipes-devtools/git/git_2.35.7.bb @@ -10,6 +10,8 @@ PROVIDES:append:class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://fixsort.patch \ file://0001-config.mak.uname-do-not-force-RHEL-7-specific-build-.patch \ + file://CVE-2023-29007.patch \ + file://CVE-2023-25652.patch \ " S = "${WORKDIR}/git-${PV}" 
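Review bot: The `GIT_CONFIG_MAX_LINE_LEN` check in `git_config_copy_or_rename_section_in_file` runs after `strbuf_getwholeline()` has already stored the complete line in `buf`, so it limits what is parsed, not how much is read. A reader could take the 512 KiB define for a memory bound. A comment at the check would settle that, for example `/* buf already holds the whole line; this cap bounds parsing, not allocation */`. The function body extends beyond the hunks shown.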
@@ -31,6 +33,12 @@ CVE_PRODUCT = "git-scm:git" # in mirrored git repos. Most OE users wouldn't build the docs and # we don't see this as a major issue for our general users/usecases. CVE_CHECK_IGNORE += "CVE-2022-24975" +# This is specific to Git-for-Windows +CVE_CHECK_IGNORE += "CVE-2022-41953" +# specific to Git for Windows +CVE_CHECK_IGNORE += "CVE-2023-22743" +# This is specific to Git-for-Windows +CVE_CHECK_IGNORE += "CVE-2023-25815" PACKAGECONFIG ??= "expat curl" PACKAGECONFIG[cvsserver] = "" @@ -165,4 +173,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \ " EXTRA_OEMAKE += "NO_GETTEXT=1" -SRC_URI[tarball.sha256sum] = "cad708072d5c0b390c71651f5edb44143f00b357766973470bf9adebc0944c03" +SRC_URI[tarball.sha256sum] = "fc849272a95cc7457091221a645fcd753b3b1984767ee3323fb6a0aa944bbcb4" diff --git a/meta/recipes-devtools/go/go-1.17.10.inc b/meta/recipes-devtools/go/go-1.17.10.inc deleted file mode 100644 index e71feb5d02..0000000000 --- a/meta/recipes-devtools/go/go-1.17.10.inc +++ /dev/null 
@@ -1,25 +0,0 @@ -require go-common.inc - -FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.18:" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" - -SRC_URI += "\ - file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ - file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ - file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ - file://0004-ld-add-soname-to-shareable-objects.patch \ - file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ - file://0006-cmd-dist-separate-host-and-target-builds.patch \ - file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ - file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ - file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ - file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ - file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ -" -SRC_URI[main.sha256sum] = "299e55af30f15691b015d8dcf8ecae72412412569e5b2ece20361753a456f2f9" - -# Upstream don't believe it is a signifiant real world issue and will only -# fix in 1.17 onwards where we can drop this. -# https://github.com/golang/go/issues/30999#issuecomment-910470358 -CVE_CHECK_IGNORE += "CVE-2021-29923" diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc new file mode 100644 index 0000000000..768961de2c --- /dev/null +++ b/meta/recipes-devtools/go/go-1.17.13.inc 
@@ -0,0 +1,67 @@ +require go-common.inc + +FILESEXTRAPATHS:prepend := "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" + +SRC_URI += "\ + file://0001-allow-CC-and-CXX-to-have-multiple-words.patch \ + file://0002-cmd-go-make-content-based-hash-generation-less-pedan.patch \ + file://0003-allow-GOTOOLDIR-to-be-overridden-in-the-environment.patch \ + file://0004-ld-add-soname-to-shareable-objects.patch \ + file://0005-make.bash-override-CC-when-building-dist-and-go_boot.patch \ + file://0006-cmd-dist-separate-host-and-target-builds.patch \ + file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ + file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ + file://0009-Revert-cmd-go-make-sure-CC-and-CXX-are-absolute.patch \ + file://0001-exec.go-do-not-write-linker-flags-into-buildids.patch \ + file://0001-src-cmd-dist-buildgo.go-do-not-hardcode-host-compile.patch \ + file://0010-net-Fix-issue-with-DNS-not-being-updated.patch \ + file://CVE-2022-27664.patch \ + file://0001-net-http-httputil-avoid-query-parameter-smuggling.patch \ + file://CVE-2022-41715.patch \ + file://CVE-2022-41717.patch \ + file://CVE-2022-2879.patch \ + file://CVE-2022-41720.patch \ + file://CVE-2022-41723.patch \ + file://cve-2022-41724.patch \ + file://add_godebug.patch \ + file://cve-2022-41725.patch \ + file://CVE-2022-41722.patch \ + file://CVE-2023-24537.patch \ + file://CVE-2023-24534.patch \ + file://CVE-2023-24538_1.patch \ + file://CVE-2023-24538_2.patch \ + file://CVE-2023-24540.patch \ + file://CVE-2023-24539.patch \ + file://CVE-2023-29404.patch \ + file://CVE-2023-29405.patch \ + file://CVE-2023-29402.patch \ + file://CVE-2023-29400.patch \ + file://CVE-2023-29406-1.patch \ + file://CVE-2023-29406-2.patch \ + file://CVE-2023-24536_1.patch \ + file://CVE-2023-24536_2.patch \ + file://CVE-2023-24536_3.patch \ + file://CVE-2023-24531_1.patch \ + 
file://CVE-2023-24531_2.patch \ + file://CVE-2023-29409.patch \ + file://CVE-2023-39319.patch \ + file://CVE-2023-39318.patch \ + file://CVE-2023-39326.patch \ + file://CVE-2023-45285.patch \ + file://CVE-2023-45287.patch \ + file://CVE-2023-45289.patch \ + file://CVE-2023-45290.patch \ + file://CVE-2024-24784.patch \ + file://CVE-2024-24785.patch \ +" +SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" + +# Upstream don't believe it is a signifiant real world issue and will only +# fix in 1.17 onwards where we can drop this. +# https://github.com/golang/go/issues/30999#issuecomment-910470358 +CVE_CHECK_IGNORE += "CVE-2021-29923" + +# This are specific to Microsoft Windows +CVE_CHECK_IGNORE += "CVE-2022-41716 CVE-2023-45283 CVE-2023-45284" diff --git a/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch b/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch new file mode 100644 index 0000000000..80fba1446e --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/0001-net-http-httputil-avoid-query-parameter-smuggling.patch 
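Review bot: `FILESEXTRAPATHS:prepend` now lists four version directories (`go-1.21`, `go-1.20`, `go-1.19`, `go-1.18`), and the `file://CVE-*.patch` entries in `SRC_URI` carry no directory, so which copy is applied depends on search order. If two of those directories ever hold a patch with the same file name, the first match would presumably be used without any warning, and a fix written for a newer Go release could be applied to 1.17.13 instead of the intended backport. I would add a comment above the list, e.g. `# Patches are resolved in FILESEXTRAPATHS order; keep CVE patch names unique across go-1.18..go-1.21`, or group the entries by the directory they are expected to come from.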
@@ -0,0 +1,178 @@ +From c8bdf59453c95528a444a85e1b206c1c09eb20f6 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 22 Sep 2022 13:32:00 -0700 +Subject: [PATCH] net/http/httputil: avoid query parameter smuggling + +Query parameter smuggling occurs when a proxy's interpretation +of query parameters differs from that of a downstream server. +Change ReverseProxy to avoid forwarding ignored query parameters. + +Remove unparsable query parameters from the outbound request + + * if req.Form != nil after calling ReverseProxy.Director; and + * before calling ReverseProxy.Rewrite. + +This change preserves the existing behavior of forwarding the +raw query untouched if a Director hook does not parse the query +by calling Request.ParseForm (possibly indirectly). + +Fixes #55842 +For #54663 +For CVE-2022-2880 + +Change-Id: If1621f6b0e73a49d79059dae9e6b256e0ff18ca9 +Reviewed-on: https://go-review.googlesource.com/c/go/+/432976 +Reviewed-by: Roland Shoemaker <roland@golang.org> +Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Damien Neil <dneil@google.com> +(cherry picked from commit 7c84234142149bd24a4096c6cab691d3593f3431) +Reviewed-on: https://go-review.googlesource.com/c/go/+/433695 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> + +CVE: CVE-2022-2880 +Upstream-Status: Backport [9d2c73a9fd69e45876509bb3bdb2af99bf77da1e] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/net/http/httputil/reverseproxy.go | 36 +++++++++++ + src/net/http/httputil/reverseproxy_test.go | 74 ++++++++++++++++++++++ + 2 files changed, 110 insertions(+) + +diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go +index 8b63368..c76eec6 100644 +--- a/src/net/http/httputil/reverseproxy.go ++++ b/src/net/http/httputil/reverseproxy.go +@@ -249,6 +249,9 @@ func (p *ReverseProxy) ServeHTTP(rw 
http.ResponseWriter, req *http.Request) { + } + + p.Director(outreq) ++ if outreq.Form != nil { ++ outreq.URL.RawQuery = cleanQueryParams(outreq.URL.RawQuery) ++ } + outreq.Close = false + + reqUpType := upgradeType(outreq.Header) +@@ -628,3 +631,36 @@ func (c switchProtocolCopier) copyToBackend(errc chan<- error) { + _, err := io.Copy(c.backend, c.user) + errc <- err + } ++ ++func cleanQueryParams(s string) string { ++ reencode := func(s string) string { ++ v, _ := url.ParseQuery(s) ++ return v.Encode() ++ } ++ for i := 0; i < len(s); { ++ switch s[i] { ++ case ';': ++ return reencode(s) ++ case '%': ++ if i+2 >= len(s) || !ishex(s[i+1]) || !ishex(s[i+2]) { ++ return reencode(s) ++ } ++ i += 3 ++ default: ++ i++ ++ } ++ } ++ return s ++} ++ ++func ishex(c byte) bool { ++ switch { ++ case '0' <= c && c <= '9': ++ return true ++ case 'a' <= c && c <= 'f': ++ return true ++ case 'A' <= c && c <= 'F': ++ return true ++ } ++ return false ++} +diff --git a/src/net/http/httputil/reverseproxy_test.go b/src/net/http/httputil/reverseproxy_test.go +index 4b6ad77..8c0a4f1 100644 +--- a/src/net/http/httputil/reverseproxy_test.go ++++ b/src/net/http/httputil/reverseproxy_test.go +@@ -1517,3 +1517,77 @@ func TestJoinURLPath(t *testing.T) { + } + } + } ++ ++const ( ++ testWantsCleanQuery = true ++ testWantsRawQuery = false ++) ++ ++func TestReverseProxyQueryParameterSmugglingDirectorDoesNotParseForm(t *testing.T) { ++ testReverseProxyQueryParameterSmuggling(t, testWantsRawQuery, func(u *url.URL) *ReverseProxy { ++ proxyHandler := NewSingleHostReverseProxy(u) ++ oldDirector := proxyHandler.Director ++ proxyHandler.Director = func(r *http.Request) { ++ oldDirector(r) ++ } ++ return proxyHandler ++ }) ++} ++ ++func TestReverseProxyQueryParameterSmugglingDirectorParsesForm(t *testing.T) { ++ testReverseProxyQueryParameterSmuggling(t, testWantsCleanQuery, func(u *url.URL) *ReverseProxy { ++ proxyHandler := NewSingleHostReverseProxy(u) ++ oldDirector := proxyHandler.Director ++ 
proxyHandler.Director = func(r *http.Request) { ++ // Parsing the form causes ReverseProxy to remove unparsable ++ // query parameters before forwarding. ++ r.FormValue("a") ++ oldDirector(r) ++ } ++ return proxyHandler ++ }) ++} ++ ++func testReverseProxyQueryParameterSmuggling(t *testing.T, wantCleanQuery bool, newProxy func(*url.URL) *ReverseProxy) { ++ const content = "response_content" ++ backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ++ w.Write([]byte(r.URL.RawQuery)) ++ })) ++ defer backend.Close() ++ backendURL, err := url.Parse(backend.URL) ++ if err != nil { ++ t.Fatal(err) ++ } ++ proxyHandler := newProxy(backendURL) ++ frontend := httptest.NewServer(proxyHandler) ++ defer frontend.Close() ++ ++ // Don't spam output with logs of queries containing semicolons. ++ backend.Config.ErrorLog = log.New(io.Discard, "", 0) ++ frontend.Config.ErrorLog = log.New(io.Discard, "", 0) ++ ++ for _, test := range []struct { ++ rawQuery string ++ cleanQuery string ++ }{{ ++ rawQuery: "a=1&a=2;b=3", ++ cleanQuery: "a=1", ++ }, { ++ rawQuery: "a=1&a=%zz&b=3", ++ cleanQuery: "a=1&b=3", ++ }} { ++ res, err := frontend.Client().Get(frontend.URL + "?" + test.rawQuery) ++ if err != nil { ++ t.Fatalf("Get: %v", err) ++ } ++ defer res.Body.Close() ++ body, _ := io.ReadAll(res.Body) ++ wantQuery := test.rawQuery ++ if wantCleanQuery { ++ wantQuery = test.cleanQuery ++ } ++ if got, want := string(body), wantQuery; got != want { ++ t.Errorf("proxy forwarded raw query %q as %q, want %q", test.rawQuery, got, want) ++ } ++ } ++} +-- +2.32.0 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch new file mode 100644 index 0000000000..fba4f054ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-27664.patch 
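Review bot: The new `if outreq.Form != nil` guard in `ServeHTTP` means the query is cleaned only when the Director populated `Form` (through `ParseForm` or `FormValue`); a Director that inspects parameters through `outreq.URL.Query()` leaves `Form` nil and the raw query is still forwarded. That limit is stated in the commit message but not in the code, and `cleanQueryParams` and `ishex` have no doc comments. I would add `// Clean the query only if the Director parsed the form; otherwise the raw query is forwarded unchanged.` above the guard and `// cleanQueryParams re-encodes s, dropping unparsable parameters, if it contains ';' or an invalid % escape.` on the helper. `ServeHTTP` continues outside the hunk.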
@@ -0,0 +1,102 @@ +From 5bc9106458fc07851ac324a4157132a91b1f3479 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 22 Aug 2022 16:21:02 -0700 +Subject: [PATCH] [release-branch.go1.18] net/http: update bundled + golang.org/x/net/http2 + +Disable cmd/internal/moddeps test, since this update includes PRIVATE +track fixes. + +Fixes CVE-2022-27664 +Fixes #53977 +For #54658. + +Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/428635 +Reviewed-by: Tatiana Bradley <tatiana@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport +CVE: CVE-2022-27664 + +Reference to upstream patch: https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479 +Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com> +--- + src/cmd/internal/moddeps/moddeps_test.go | 2 ++ + src/net/http/h2_bundle.go | 21 +++++++++++++-------- + 2 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go +index 56c3b2585c..3306e29431 100644 +--- a/src/cmd/internal/moddeps/moddeps_test.go ++++ b/src/cmd/internal/moddeps/moddeps_test.go +@@ -34,6 +34,8 @@ import ( + // See issues 36852, 41409, and 43687. + // (Also see golang.org/issue/27348.) 
+ func TestAllDependencies(t *testing.T) { ++ t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules") ++ + goBin := testenv.GoToolPath(t) + + // Ensure that all packages imported within GOROOT +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index bb82f24585..1e78f6cdb9 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -3384,10 +3384,11 @@ func (s http2SettingID) String() string { + // name (key). See httpguts.ValidHeaderName for the base rules. + // + // Further, http2 says: +-// "Just as in HTTP/1.x, header field names are strings of ASCII +-// characters that are compared in a case-insensitive +-// fashion. However, header field names MUST be converted to +-// lowercase prior to their encoding in HTTP/2. " ++// ++// "Just as in HTTP/1.x, header field names are strings of ASCII ++// characters that are compared in a case-insensitive ++// fashion. However, header field names MUST be converted to ++// lowercase prior to their encoding in HTTP/2. " + func http2validWireHeaderFieldName(v string) bool { + if len(v) == 0 { + return false +@@ -3578,8 +3579,8 @@ func (s *http2sorter) SortStrings(ss []string) { + // validPseudoPath reports whether v is a valid :path pseudo-header + // value. It must be either: + // +-// *) a non-empty string starting with '/' +-// *) the string '*', for OPTIONS requests. ++// *) a non-empty string starting with '/' ++// *) the string '*', for OPTIONS requests. + // + // For now this is only used a quick check for deciding when to clean + // up Opaque URLs before sending requests from the Transport. 
+@@ -5053,6 +5054,9 @@ func (sc *http2serverConn) startGracefulShutdownInternal() { + func (sc *http2serverConn) goAway(code http2ErrCode) { + sc.serveG.check() + if sc.inGoAway { ++ if sc.goAwayCode == http2ErrCodeNo { ++ sc.goAwayCode = code ++ } + return + } + sc.inGoAway = true +@@ -6265,8 +6269,9 @@ func (rws *http2responseWriterState) writeChunk(p []byte) (n int, err error) { + // prior to the headers being written. If the set of trailers is fixed + // or known before the header is written, the normal Go trailers mechanism + // is preferred: +-// https://golang.org/pkg/net/http/#ResponseWriter +-// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers ++// ++// https://golang.org/pkg/net/http/#ResponseWriter ++// https://golang.org/pkg/net/http/#example_ResponseWriter_trailers + const http2TrailerPrefix = "Trailer:" + + // promoteUndeclaredTrailers permits http.Handlers to set trailers +-- +2.36.1 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch new file mode 100644 index 0000000000..0315e1a3ee --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-2879.patch 
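Review bot: The only behavioural change to `http2serverConn.goAway` is the new `if sc.goAwayCode == http2ErrCodeNo { sc.goAwayCode = code }` branch, and it has no comment, while the other `h2_bundle.go` hunks are comment re-indentation. Since this branch is the CVE fix, a why-comment would keep it recognisable in later rebases, for example `// A GOAWAY already in progress with no error must not hide a later error code.` (my reading of the branch; please confirm against the upstream x/net change). The added `t.Skip` in `TestAllDependencies` names 1.18.5 although the recipe appears to apply this patch to 1.17.13, which deserves a word in the patch header. `goAway` continues outside the hunk.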
@@ -0,0 +1,177 @@ +From d064ed520a7cc6b480f9565e30751e695d394f4e Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Fri, 2 Sep 2022 20:45:18 -0700 +Subject: [PATCH] archive/tar: limit size of headers + +Set a 1MiB limit on special file blocks (PAX headers, GNU long names, +GNU link names), to avoid reading arbitrarily large amounts of data +into memory. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting +this issue. + +Fixes CVE-2022-2879 +Updates #54853 +Fixes #55925 + +Change-Id: I85136d6ff1e0af101a112190e027987ab4335680 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565555 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +(cherry picked from commit 6ee768cef6b82adf7a90dcf367a1699ef694f3b2) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1590622 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/438500 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Carlos Amedee <carlos@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Run-TryBot: Carlos Amedee <carlos@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> + +CVE: CVE-2022-2879 +Upstream-Status: Backport [0a723816cd205576945fa57fbdde7e6532d59d08] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/archive/tar/format.go | 4 ++++ + src/archive/tar/reader.go | 14 ++++++++++++-- + src/archive/tar/reader_test.go | 8 +++++++- + src/archive/tar/writer.go | 3 +++ + src/archive/tar/writer_test.go | 27 +++++++++++++++++++++++++++ + 5 files changed, 53 insertions(+), 3 deletions(-) + +diff --git a/src/archive/tar/format.go b/src/archive/tar/format.go +index cfe24a5..6642364 100644 +--- a/src/archive/tar/format.go ++++ b/src/archive/tar/format.go +@@ -143,6 +143,10 @@ 
const ( + blockSize = 512 // Size of each block in a tar stream + nameSize = 100 // Max length of the name field in USTAR format + prefixSize = 155 // Max length of the prefix field in USTAR format ++ ++ // Max length of a special file (PAX header, GNU long name or link). ++ // This matches the limit used by libarchive. ++ maxSpecialFileSize = 1 << 20 + ) + + // blockPadding computes the number of bytes needed to pad offset up to the +diff --git a/src/archive/tar/reader.go b/src/archive/tar/reader.go +index 1b1d5b4..f645af8 100644 +--- a/src/archive/tar/reader.go ++++ b/src/archive/tar/reader.go +@@ -103,7 +103,7 @@ func (tr *Reader) next() (*Header, error) { + continue // This is a meta header affecting the next header + case TypeGNULongName, TypeGNULongLink: + format.mayOnlyBe(FormatGNU) +- realname, err := io.ReadAll(tr) ++ realname, err := readSpecialFile(tr) + if err != nil { + return nil, err + } +@@ -293,7 +293,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) { + // parsePAX parses PAX headers. + // If an extended header (type 'x') is invalid, ErrHeader is returned + func parsePAX(r io.Reader) (map[string]string, error) { +- buf, err := io.ReadAll(r) ++ buf, err := readSpecialFile(r) + if err != nil { + return nil, err + } +@@ -826,6 +826,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) { + return n, err + } + ++// readSpecialFile is like io.ReadAll except it returns ++// ErrFieldTooLong if more than maxSpecialFileSize is read. ++func readSpecialFile(r io.Reader) ([]byte, error) { ++ buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1)) ++ if len(buf) > maxSpecialFileSize { ++ return nil, ErrFieldTooLong ++ } ++ return buf, err ++} ++ + // discard skips n bytes in r, reporting an error if unable to do so. + func discard(r io.Reader, n int64) error { + // If possible, Seek to the last byte before the end of the data section. 
+diff --git a/src/archive/tar/reader_test.go b/src/archive/tar/reader_test.go +index 789ddc1..926dc3d 100644 +--- a/src/archive/tar/reader_test.go ++++ b/src/archive/tar/reader_test.go +@@ -6,6 +6,7 @@ package tar + + import ( + "bytes" ++ "compress/bzip2" + "crypto/md5" + "errors" + "fmt" +@@ -625,9 +626,14 @@ func TestReader(t *testing.T) { + } + defer f.Close() + ++ var fr io.Reader = f ++ if strings.HasSuffix(v.file, ".bz2") { ++ fr = bzip2.NewReader(fr) ++ } ++ + // Capture all headers and checksums. + var ( +- tr = NewReader(f) ++ tr = NewReader(fr) + hdrs []*Header + chksums []string + rdbuf = make([]byte, 8) +diff --git a/src/archive/tar/writer.go b/src/archive/tar/writer.go +index e80498d..893eac0 100644 +--- a/src/archive/tar/writer.go ++++ b/src/archive/tar/writer.go +@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error { + flag = TypeXHeader + } + data := buf.String() ++ if len(data) > maxSpecialFileSize { ++ return ErrFieldTooLong ++ } + if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal { + return err // Global headers return here + } +diff --git a/src/archive/tar/writer_test.go b/src/archive/tar/writer_test.go +index a00f02d..4e709e5 100644 +--- a/src/archive/tar/writer_test.go ++++ b/src/archive/tar/writer_test.go +@@ -1006,6 +1006,33 @@ func TestIssue12594(t *testing.T) { + } + } + ++func TestWriteLongHeader(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ h *Header ++ }{{ ++ name: "name too long", ++ h: &Header{Name: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "linkname too long", ++ h: &Header{Linkname: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "uname too long", ++ h: &Header{Uname: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "gname too long", ++ h: &Header{Gname: strings.Repeat("a", maxSpecialFileSize)}, ++ }, { ++ name: "PAX header too long", ++ h: &Header{PAXRecords: map[string]string{"GOLANG.x": 
strings.Repeat("a", maxSpecialFileSize)}}, ++ }} { ++ w := NewWriter(io.Discard) ++ if err := w.WriteHeader(test.h); err != ErrFieldTooLong { ++ t.Errorf("%v: w.WriteHeader() = %v, want ErrFieldTooLong", test.name, err) ++ } ++ } ++} ++ + // testNonEmptyWriter wraps an io.Writer and ensures that + // Write is never called with an empty buffer. + type testNonEmptyWriter struct{ io.Writer } diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41715.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41715.patch new file mode 100644 index 0000000000..994f37aaf3 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41715.patch 
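Review bot: The reader side of the limit, `readSpecialFile` in `reader.go`, has no test in this backport: the `reader_test.go` hunks add only the bzip2 plumbing (`fr = bzip2.NewReader(fr)`) and no vector that ends in `ErrFieldTooLong`, while `TestWriteLongHeader` covers the writer only. Reading is the path that handles archives from outside, so I would add a vector with an oversized PAX or GNU long-name entry, or state in the patch header that the upstream test archive was left out (possibly because it is binary). In `readSpecialFile` a one-line comment on the `+1` would also help: `// read one byte past the limit so an oversized entry is detectable`.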
@@ -0,0 +1,270 @@ +From e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 Mon Sep 17 00:00:00 2001 +From: Russ Cox <rsc@golang.org> +Date: Wed, 28 Sep 2022 11:18:51 -0400 +Subject: [PATCH] [release-branch.go1.18] regexp: limit size of parsed regexps + +Set a 128 MB limit on the amount of space used by []syntax.Inst +in the compiled form corresponding to a given regexp. + +Also set a 128 MB limit on the rune storage in the *syntax.Regexp +tree itself. + +Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. + +Fixes CVE-2022-41715. +Updates #55949. +Fixes #55950. + +Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 +Run-TryBot: Carlos Amedee <carlos@golang.org> +Reviewed-by: Carlos Amedee <carlos@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997] +CVE: CVE-2022-41715 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/regexp/syntax/parse.go | 145 ++++++++++++++++++++++++++++++-- + src/regexp/syntax/parse_test.go | 13 +-- + 2 files changed, 148 insertions(+), 10 deletions(-) + +diff --git a/src/regexp/syntax/parse.go b/src/regexp/syntax/parse.go +index d7cf2af..3792960 100644 +--- a/src/regexp/syntax/parse.go ++++ b/src/regexp/syntax/parse.go +@@ -90,15 +90,49 @@ const ( + // until we've allocated at least maxHeight Regexp structures. + const maxHeight = 1000 + ++// maxSize is the maximum size of a compiled regexp in Insts. 
++// It too is somewhat arbitrarily chosen, but the idea is to be large enough ++// to allow significant regexps while at the same time small enough that ++// the compiled form will not take up too much memory. ++// 128 MB is enough for a 3.3 million Inst structures, which roughly ++// corresponds to a 3.3 MB regexp. ++const ( ++ maxSize = 128 << 20 / instSize ++ instSize = 5 * 8 // byte, 2 uint32, slice is 5 64-bit words ++) ++ ++// maxRunes is the maximum number of runes allowed in a regexp tree ++// counting the runes in all the nodes. ++// Ignoring character classes p.numRunes is always less than the length of the regexp. ++// Character classes can make it much larger: each \pL adds 1292 runes. ++// 128 MB is enough for 32M runes, which is over 26k \pL instances. ++// Note that repetitions do not make copies of the rune slices, ++// so \pL{1000} is only one rune slice, not 1000. ++// We could keep a cache of character classes we've seen, ++// so that all the \pL we see use the same rune list, ++// but that doesn't remove the problem entirely: ++// consider something like [\pL01234][\pL01235][\pL01236]...[\pL^&*()]. ++// And because the Rune slice is exposed directly in the Regexp, ++// there is not an opportunity to change the representation to allow ++// partial sharing between different character classes. ++// So the limit is the best we can do. 
++const ( ++ maxRunes = 128 << 20 / runeSize ++ runeSize = 4 // rune is int32 ++) ++ + type parser struct { + flags Flags // parse mode flags + stack []*Regexp // stack of parsed expressions + free *Regexp + numCap int // number of capturing groups seen + wholeRegexp string +- tmpClass []rune // temporary char class work space +- numRegexp int // number of regexps allocated +- height map[*Regexp]int // regexp height for height limit check ++ tmpClass []rune // temporary char class work space ++ numRegexp int // number of regexps allocated ++ numRunes int // number of runes in char classes ++ repeats int64 // product of all repetitions seen ++ height map[*Regexp]int // regexp height, for height limit check ++ size map[*Regexp]int64 // regexp compiled size, for size limit check + } + + func (p *parser) newRegexp(op Op) *Regexp { +@@ -122,6 +156,104 @@ func (p *parser) reuse(re *Regexp) { + p.free = re + } + ++func (p *parser) checkLimits(re *Regexp) { ++ if p.numRunes > maxRunes { ++ panic(ErrInternalError) ++ } ++ p.checkSize(re) ++ p.checkHeight(re) ++} ++ ++func (p *parser) checkSize(re *Regexp) { ++ if p.size == nil { ++ // We haven't started tracking size yet. ++ // Do a relatively cheap check to see if we need to start. ++ // Maintain the product of all the repeats we've seen ++ // and don't track if the total number of regexp nodes ++ // we've seen times the repeat product is in budget. ++ if p.repeats == 0 { ++ p.repeats = 1 ++ } ++ if re.Op == OpRepeat { ++ n := re.Max ++ if n == -1 { ++ n = re.Min ++ } ++ if n <= 0 { ++ n = 1 ++ } ++ if int64(n) > maxSize/p.repeats { ++ p.repeats = maxSize ++ } else { ++ p.repeats *= int64(n) ++ } ++ } ++ if int64(p.numRegexp) < maxSize/p.repeats { ++ return ++ } ++ ++ // We need to start tracking size. ++ // Make the map and belatedly populate it ++ // with info about everything we've constructed so far. 
++ p.size = make(map[*Regexp]int64) ++ for _, re := range p.stack { ++ p.checkSize(re) ++ } ++ } ++ ++ if p.calcSize(re, true) > maxSize { ++ panic(ErrInternalError) ++ } ++} ++ ++func (p *parser) calcSize(re *Regexp, force bool) int64 { ++ if !force { ++ if size, ok := p.size[re]; ok { ++ return size ++ } ++ } ++ ++ var size int64 ++ switch re.Op { ++ case OpLiteral: ++ size = int64(len(re.Rune)) ++ case OpCapture, OpStar: ++ // star can be 1+ or 2+; assume 2 pessimistically ++ size = 2 + p.calcSize(re.Sub[0], false) ++ case OpPlus, OpQuest: ++ size = 1 + p.calcSize(re.Sub[0], false) ++ case OpConcat: ++ for _, sub := range re.Sub { ++ size += p.calcSize(sub, false) ++ } ++ case OpAlternate: ++ for _, sub := range re.Sub { ++ size += p.calcSize(sub, false) ++ } ++ if len(re.Sub) > 1 { ++ size += int64(len(re.Sub)) - 1 ++ } ++ case OpRepeat: ++ sub := p.calcSize(re.Sub[0], false) ++ if re.Max == -1 { ++ if re.Min == 0 { ++ size = 2 + sub // x* ++ } else { ++ size = 1 + int64(re.Min)*sub // xxx+ ++ } ++ break ++ } ++ // x{2,5} = xx(x(x(x)?)?)? ++ size = int64(re.Max)*sub + int64(re.Max-re.Min) ++ } ++ ++ if size < 1 { ++ size = 1 ++ } ++ p.size[re] = size ++ return size ++} ++ + func (p *parser) checkHeight(re *Regexp) { + if p.numRegexp < maxHeight { + return +@@ -158,6 +290,7 @@ func (p *parser) calcHeight(re *Regexp, force bool) int { + + // push pushes the regexp re onto the parse stack and returns the regexp. + func (p *parser) push(re *Regexp) *Regexp { ++ p.numRunes += len(re.Rune) + if re.Op == OpCharClass && len(re.Rune) == 2 && re.Rune[0] == re.Rune[1] { + // Single rune. 
+ if p.maybeConcat(re.Rune[0], p.flags&^FoldCase) { +@@ -189,7 +322,7 @@ func (p *parser) push(re *Regexp) *Regexp { + } + + p.stack = append(p.stack, re) +- p.checkHeight(re) ++ p.checkLimits(re) + return re + } + +@@ -299,7 +432,7 @@ func (p *parser) repeat(op Op, min, max int, before, after, lastRepeat string) ( + re.Sub = re.Sub0[:1] + re.Sub[0] = sub + p.stack[n-1] = re +- p.checkHeight(re) ++ p.checkLimits(re) + + if op == OpRepeat && (min >= 2 || max >= 2) && !repeatIsValid(re, 1000) { + return "", &Error{ErrInvalidRepeatSize, before[:len(before)-len(after)]} +@@ -503,6 +636,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp { + + for j := start; j < i; j++ { + sub[j] = p.removeLeadingString(sub[j], len(str)) ++ p.checkLimits(sub[j]) + } + suffix := p.collapse(sub[start:i], OpAlternate) // recurse + +@@ -560,6 +694,7 @@ func (p *parser) factor(sub []*Regexp) []*Regexp { + for j := start; j < i; j++ { + reuse := j != start // prefix came from sub[start] + sub[j] = p.removeLeadingRegexp(sub[j], reuse) ++ p.checkLimits(sub[j]) + } + suffix := p.collapse(sub[start:i], OpAlternate) // recurse + +diff --git a/src/regexp/syntax/parse_test.go b/src/regexp/syntax/parse_test.go +index 1ef6d8a..67e3c56 100644 +--- a/src/regexp/syntax/parse_test.go ++++ b/src/regexp/syntax/parse_test.go +@@ -484,12 +484,15 @@ var invalidRegexps = []string{ + `(?P<>a)`, + `[a-Z]`, + `(?i)[a-Z]`, +- `a{100000}`, +- `a{100000,}`, +- "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", +- strings.Repeat("(", 1000) + strings.Repeat(")", 1000), +- strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), + `\Q\E*`, ++ `a{100000}`, // too much repetition ++ `a{100000,}`, // too much repetition ++ "((((((((((x{2}){2}){2}){2}){2}){2}){2}){2}){2}){2})", // too much repetition ++ strings.Repeat("(", 1000) + strings.Repeat(")", 1000), // too deep ++ strings.Repeat("(?:", 1000) + strings.Repeat(")*", 1000), // too deep ++ "(" + strings.Repeat("(xx?)", 1000) + "){1000}", // too long ++ 
strings.Repeat("(xx?){1000}", 1000), // too long ++ strings.Repeat(`\pL`, 27000), // too many runes + } + + var onlyPerl = []string{ +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41717.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41717.patch new file mode 100644 index 0000000000..e2ab92ed00 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41717.patch 
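Review bot: `checkLimits` and `checkSize` in `src/regexp/syntax/parse.go` reject an oversized pattern with `panic(ErrInternalError)`, but nothing in the patch documents that contract or shows where the panic is turned back into an error. The recover presumably sits with the existing `checkHeight` handling in the parse entry point, which is outside this patch. Each of the three new functions is added without a doc comment; `checkLimits` could carry `// checkLimits panics with ErrInternalError if re exceeds the rune, size, or height limit.`, with matching one-liners on `checkSize` and `calcSize` (the latter also noting that `force` bypasses the `p.size` cache). A caller compiling untrusted patterns receives the generic internal-error code for a rejected input, so the comment should say that this code now also means "too large".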
@@ -0,0 +1,89 @@
+From 618120c165669c00a1606505defea6ca755cdc27 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 30 Nov 2022 16:46:33 -0500
+Subject: [PATCH] [release-branch.go1.19] net/http: update bundled
+ golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+For #56350.
+For #57009.
+Fixes CVE-2022-41717.
+
+Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Jenny Rakoczy <jenny@golang.org>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27]
+CVE: CVE-2022-41717
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/cmd/internal/moddeps/moddeps_test.go | 1 +
+ src/net/http/h2_bundle.go | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go b/src/cmd/internal/moddeps/moddeps_test.go
+index 3306e29..d48d43f 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
++++ b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -34,6 +34,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) { ++ t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored modules") + t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored modules") + + goBin := testenv.GoToolPath(t) +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go +index 6e2ef30..9d6abd8 100644 +--- a/src/net/http/h2_bundle.go ++++ b/src/net/http/h2_bundle.go +@@ -4189,6 +4189,7 @@ type http2serverConn struct { + headerTableSize uint32 + peerMaxHeaderListSize uint32 // zero means unknown (default) + canonHeader map[string]string // http2-lower-case -> Go-Canonical-Case ++ canonHeaderKeysSize int // canonHeader keys size in bytes + writingFrame bool // started writing a frame (on serve goroutine or separate) + writingFrameAsync bool // started a frame on its own goroutine but haven't heard back on wroteFrameCh + needsFrameFlush bool // last frame write wasn't a flush +@@ -4368,6 +4369,13 @@ func (sc *http2serverConn) condlogf(err error, format string, args ...interface{ + } + } + ++// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size ++// of the entries in the canonHeader cache. ++// This should be larger than the size of unique, uncommon header keys likely to ++// be sent by the peer, while not so high as to permit unreasonable memory usage ++// if the peer sends an unbounded number of unique header keys. ++const http2maxCachedCanonicalHeadersKeysSize = 2048 ++ + func (sc *http2serverConn) canonicalHeader(v string) string { + sc.serveG.check() + http2buildCommonHeaderMapsOnce() +@@ -4383,14 +4391,10 @@ func (sc *http2serverConn) canonicalHeader(v string) string { + sc.canonHeader = make(map[string]string) + } + cv = CanonicalHeaderKey(v) +- // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of +- // entries in the canonHeader cache. 
This should be larger than the number +- // of unique, uncommon header keys likely to be sent by the peer, while not +- // so high as to permit unreaasonable memory usage if the peer sends an unbounded +- // number of unique header keys. +- const maxCachedCanonicalHeaders = 32 +- if len(sc.canonHeader) < maxCachedCanonicalHeaders { ++ size := 100 + len(v)*2 // 100 bytes of map overhead + key + value ++ if sc.canonHeaderKeysSize+size <= http2maxCachedCanonicalHeadersKeysSize { + sc.canonHeader[v] = cv ++ sc.canonHeaderKeysSize += size + } + return cv + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch new file mode 100644 index 0000000000..6c2e8804b3 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41720.patch 
@@ -0,0 +1,514 @@ +From f8896a97a0630b0f2f8c488310147f7f20b3ec7d Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 10 Nov 2022 12:16:27 -0800 +Subject: [PATCH] os, net/http: avoid escapes from os.DirFS and http.Dir on + Windows + +Do not permit access to Windows reserved device names (NUL, COM1, etc.) +via os.DirFS and http.Dir filesystems. + +Avoid escapes from os.DirFS(`\`) on Windows. DirFS would join the +the root to the relative path with a path separator, making +os.DirFS(`\`).Open(`/foo/bar`) open the path `\\foo\bar`, which is +a UNC name. Not only does this not open the intended file, but permits +reference to any file on the system rather than only files on the +current drive. + +Make os.DirFS("") invalid, with all file access failing. Previously, +a root of "" was interpreted as "/", which is surprising and probably +unintentional. + +Fixes CVE-2022-41720. +Fixes #56694. + +Change-Id: I275b5fa391e6ad7404309ea98ccc97405942e0f0 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663832 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/455360 +Reviewed-by: Michael Pratt <mpratt@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Jenny Rakoczy <jenny@golang.org> + +CVE: CVE-2022-41720 +Upstream-Status: Backport [7013a4f5f816af62033ad63dd06b77c30d7a62a7] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/go/build/deps_test.go | 1 + + src/internal/safefilepath/path.go | 21 +++++ + src/internal/safefilepath/path_other.go | 23 ++++++ + src/internal/safefilepath/path_test.go | 88 +++++++++++++++++++++ + src/internal/safefilepath/path_windows.go | 95 +++++++++++++++++++++++ + src/net/http/fs.go | 8 +- + src/net/http/fs_test.go | 28 +++++++ + src/os/file.go | 36 +++++++-- + src/os/os_test.go | 38 +++++++++ + 9 files changed, 328 insertions(+), 10 deletions(-) + create 
mode 100644 src/internal/safefilepath/path.go + create mode 100644 src/internal/safefilepath/path_other.go + create mode 100644 src/internal/safefilepath/path_test.go + create mode 100644 src/internal/safefilepath/path_windows.go + +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index 45e2f25..dc3bb8c 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -165,6 +165,7 @@ var depsRules = ` + io/fs + < internal/testlog + < internal/poll ++ < internal/safefilepath + < os + < os/signal; + +diff --git a/src/internal/safefilepath/path.go b/src/internal/safefilepath/path.go +new file mode 100644 +index 0000000..0f0a270 +--- /dev/null ++++ b/src/internal/safefilepath/path.go +@@ -0,0 +1,21 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// Package safefilepath manipulates operating-system file paths. ++package safefilepath ++ ++import ( ++ "errors" ++) ++ ++var errInvalidPath = errors.New("invalid path") ++ ++// FromFS converts a slash-separated path into an operating-system path. ++// ++// FromFS returns an error if the path cannot be represented by the operating ++// system. For example, paths containing '\' and ':' characters are rejected ++// on Windows. ++func FromFS(path string) (string, error) { ++ return fromFS(path) ++} +diff --git a/src/internal/safefilepath/path_other.go b/src/internal/safefilepath/path_other.go +new file mode 100644 +index 0000000..f93da18 +--- /dev/null ++++ b/src/internal/safefilepath/path_other.go +@@ -0,0 +1,23 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. 
++ ++//go:build !windows ++ ++package safefilepath ++ ++import "runtime" ++ ++func fromFS(path string) (string, error) { ++ if runtime.GOOS == "plan9" { ++ if len(path) > 0 && path[0] == '#' { ++ return path, errInvalidPath ++ } ++ } ++ for i := range path { ++ if path[i] == 0 { ++ return "", errInvalidPath ++ } ++ } ++ return path, nil ++} +diff --git a/src/internal/safefilepath/path_test.go b/src/internal/safefilepath/path_test.go +new file mode 100644 +index 0000000..dc662c1 +--- /dev/null ++++ b/src/internal/safefilepath/path_test.go +@@ -0,0 +1,88 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package safefilepath_test ++ ++import ( ++ "internal/safefilepath" ++ "os" ++ "path/filepath" ++ "runtime" ++ "testing" ++) ++ ++type PathTest struct { ++ path, result string ++} ++ ++const invalid = "" ++ ++var fspathtests = []PathTest{ ++ {".", "."}, ++ {"/a/b/c", "/a/b/c"}, ++ {"a\x00b", invalid}, ++} ++ ++var winreservedpathtests = []PathTest{ ++ {`a\b`, `a\b`}, ++ {`a:b`, `a:b`}, ++ {`a/b:c`, `a/b:c`}, ++ {`NUL`, `NUL`}, ++ {`./com1`, `./com1`}, ++ {`a/nul/b`, `a/nul/b`}, ++} ++ ++// Whether a reserved name with an extension is reserved or not varies by ++// Windows version. ++var winreservedextpathtests = []PathTest{ ++ {"nul.txt", "nul.txt"}, ++ {"a/nul.txt/b", "a/nul.txt/b"}, ++} ++ ++var plan9reservedpathtests = []PathTest{ ++ {`#c`, `#c`}, ++} ++ ++func TestFromFS(t *testing.T) { ++ switch runtime.GOOS { ++ case "windows": ++ if canWriteFile(t, "NUL") { ++ t.Errorf("can unexpectedly write a file named NUL on Windows") ++ } ++ if canWriteFile(t, "nul.txt") { ++ fspathtests = append(fspathtests, winreservedextpathtests...) ++ } else { ++ winreservedpathtests = append(winreservedpathtests, winreservedextpathtests...) 
++ } ++ for i := range winreservedpathtests { ++ winreservedpathtests[i].result = invalid ++ } ++ for i := range fspathtests { ++ fspathtests[i].result = filepath.FromSlash(fspathtests[i].result) ++ } ++ case "plan9": ++ for i := range plan9reservedpathtests { ++ plan9reservedpathtests[i].result = invalid ++ } ++ } ++ tests := fspathtests ++ tests = append(tests, winreservedpathtests...) ++ tests = append(tests, plan9reservedpathtests...) ++ for _, test := range tests { ++ got, err := safefilepath.FromFS(test.path) ++ if (got == "") != (err != nil) { ++ t.Errorf(`FromFS(%q) = %q, %v; want "" only if err != nil`, test.path, got, err) ++ } ++ if got != test.result { ++ t.Errorf("FromFS(%q) = %q, %v; want %q", test.path, got, err, test.result) ++ } ++ } ++} ++ ++func canWriteFile(t *testing.T, name string) bool { ++ path := filepath.Join(t.TempDir(), name) ++ os.WriteFile(path, []byte("ok"), 0666) ++ b, _ := os.ReadFile(path) ++ return string(b) == "ok" ++} +diff --git a/src/internal/safefilepath/path_windows.go b/src/internal/safefilepath/path_windows.go +new file mode 100644 +index 0000000..909c150 +--- /dev/null ++++ b/src/internal/safefilepath/path_windows.go +@@ -0,0 +1,95 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package safefilepath ++ ++import ( ++ "syscall" ++ "unicode/utf8" ++) ++ ++func fromFS(path string) (string, error) { ++ if !utf8.ValidString(path) { ++ return "", errInvalidPath ++ } ++ for len(path) > 1 && path[0] == '/' && path[1] == '/' { ++ path = path[1:] ++ } ++ containsSlash := false ++ for p := path; p != ""; { ++ // Find the next path element. 
++ i := 0 ++ dot := -1 ++ for i < len(p) && p[i] != '/' { ++ switch p[i] { ++ case 0, '\\', ':': ++ return "", errInvalidPath ++ case '.': ++ if dot < 0 { ++ dot = i ++ } ++ } ++ i++ ++ } ++ part := p[:i] ++ if i < len(p) { ++ containsSlash = true ++ p = p[i+1:] ++ } else { ++ p = "" ++ } ++ // Trim the extension and look for a reserved name. ++ base := part ++ if dot >= 0 { ++ base = part[:dot] ++ } ++ if isReservedName(base) { ++ if dot < 0 { ++ return "", errInvalidPath ++ } ++ // The path element is a reserved name with an extension. ++ // Some Windows versions consider this a reserved name, ++ // while others do not. Use FullPath to see if the name is ++ // reserved. ++ if p, _ := syscall.FullPath(part); len(p) >= 4 && p[:4] == `\\.\` { ++ return "", errInvalidPath ++ } ++ } ++ } ++ if containsSlash { ++ // We can't depend on strings, so substitute \ for / manually. ++ buf := []byte(path) ++ for i, b := range buf { ++ if b == '/' { ++ buf[i] = '\\' ++ } ++ } ++ path = string(buf) ++ } ++ return path, nil ++} ++ ++// isReservedName reports if name is a Windows reserved device name. ++// It does not detect names with an extension, which are also reserved on some Windows versions. ++// ++// For details, search for PRN in ++// https://docs.microsoft.com/en-us/windows/desktop/fileio/naming-a-file. 
++func isReservedName(name string) bool { ++ if 3 <= len(name) && len(name) <= 4 { ++ switch string([]byte{toUpper(name[0]), toUpper(name[1]), toUpper(name[2])}) { ++ case "CON", "PRN", "AUX", "NUL": ++ return len(name) == 3 ++ case "COM", "LPT": ++ return len(name) == 4 && '1' <= name[3] && name[3] <= '9' ++ } ++ } ++ return false ++} ++ ++func toUpper(c byte) byte { ++ if 'a' <= c && c <= 'z' { ++ return c - ('a' - 'A') ++ } ++ return c ++} +diff --git a/src/net/http/fs.go b/src/net/http/fs.go +index 57e731e..43ee4b5 100644 +--- a/src/net/http/fs.go ++++ b/src/net/http/fs.go +@@ -9,6 +9,7 @@ package http + import ( + "errors" + "fmt" ++ "internal/safefilepath" + "io" + "io/fs" + "mime" +@@ -69,14 +70,15 @@ func mapDirOpenError(originalErr error, name string) error { + // Open implements FileSystem using os.Open, opening files for reading rooted + // and relative to the directory d. + func (d Dir) Open(name string) (File, error) { +- if filepath.Separator != '/' && strings.ContainsRune(name, filepath.Separator) { +- return nil, errors.New("http: invalid character in file path") ++ path, err := safefilepath.FromFS(path.Clean("/" + name)) ++ if err != nil { ++ return nil, errors.New("http: invalid or unsafe file path") + } + dir := string(d) + if dir == "" { + dir = "." 
+ } +- fullName := filepath.Join(dir, filepath.FromSlash(path.Clean("/"+name))) ++ fullName := filepath.Join(dir, path) + f, err := os.Open(fullName) + if err != nil { + return nil, mapDirOpenError(err, fullName) +diff --git a/src/net/http/fs_test.go b/src/net/http/fs_test.go +index b42ade1..941448a 100644 +--- a/src/net/http/fs_test.go ++++ b/src/net/http/fs_test.go +@@ -648,6 +648,34 @@ func TestFileServerZeroByte(t *testing.T) { + } + } + ++func TestFileServerNamesEscape(t *testing.T) { ++ t.Run("h1", func(t *testing.T) { ++ testFileServerNamesEscape(t, h1Mode) ++ }) ++ t.Run("h2", func(t *testing.T) { ++ testFileServerNamesEscape(t, h2Mode) ++ }) ++} ++func testFileServerNamesEscape(t *testing.T, h2 bool) { ++ defer afterTest(t) ++ ts := newClientServerTest(t, h2, FileServer(Dir("testdata"))).ts ++ defer ts.Close() ++ for _, path := range []string{ ++ "/../testdata/file", ++ "/NUL", // don't read from device files on Windows ++ } { ++ res, err := ts.Client().Get(ts.URL + path) ++ if err != nil { ++ t.Fatal(err) ++ } ++ res.Body.Close() ++ if res.StatusCode < 400 || res.StatusCode > 599 { ++ t.Errorf("Get(%q): got status %v, want 4xx or 5xx", path, res.StatusCode) ++ } ++ ++ } ++} ++ + type fakeFileInfo struct { + dir bool + basename string +diff --git a/src/os/file.go b/src/os/file.go +index e717f17..cb87158 100644 +--- a/src/os/file.go ++++ b/src/os/file.go +@@ -37,12 +37,12 @@ + // Note: The maximum number of concurrent operations on a File may be limited by + // the OS or the system. The number should be high, but exceeding it may degrade + // performance or cause other issues. +-// + package os + + import ( + "errors" + "internal/poll" ++ "internal/safefilepath" + "internal/testlog" + "internal/unsafeheader" + "io" +@@ -623,6 +623,8 @@ func isWindowsNulName(name string) bool { + // the /prefix tree, then using DirFS does not stop the access any more than using + // os.Open does. 
DirFS is therefore not a general substitute for a chroot-style security + // mechanism when the directory tree contains arbitrary content. ++// ++// The directory dir must not be "". + func DirFS(dir string) fs.FS { + return dirFS(dir) + } +@@ -641,10 +643,11 @@ func containsAny(s, chars string) bool { + type dirFS string + + func (dir dirFS) Open(name string) (fs.File, error) { +- if !fs.ValidPath(name) || runtime.GOOS == "windows" && containsAny(name, `\:`) { +- return nil, &PathError{Op: "open", Path: name, Err: ErrInvalid} ++ fullname, err := dir.join(name) ++ if err != nil { ++ return nil, &PathError{Op: "stat", Path: name, Err: err} + } +- f, err := Open(string(dir) + "/" + name) ++ f, err := Open(fullname) + if err != nil { + return nil, err // nil fs.File + } +@@ -652,16 +655,35 @@ func (dir dirFS) Open(name string) (fs.File, error) { + } + + func (dir dirFS) Stat(name string) (fs.FileInfo, error) { +- if !fs.ValidPath(name) || runtime.GOOS == "windows" && containsAny(name, `\:`) { +- return nil, &PathError{Op: "stat", Path: name, Err: ErrInvalid} ++ fullname, err := dir.join(name) ++ if err != nil { ++ return nil, &PathError{Op: "stat", Path: name, Err: err} + } +- f, err := Stat(string(dir) + "/" + name) ++ f, err := Stat(fullname) + if err != nil { + return nil, err + } + return f, nil + } + ++// join returns the path for name in dir. ++func (dir dirFS) join(name string) (string, error) { ++ if dir == "" { ++ return "", errors.New("os: DirFS with empty root") ++ } ++ if !fs.ValidPath(name) { ++ return "", ErrInvalid ++ } ++ name, err := safefilepath.FromFS(name) ++ if err != nil { ++ return "", ErrInvalid ++ } ++ if IsPathSeparator(dir[len(dir)-1]) { ++ return string(dir) + name, nil ++ } ++ return string(dir) + string(PathSeparator) + name, nil ++} ++ + // ReadFile reads the named file and returns the contents. + // A successful call returns err == nil, not err == EOF. 
+ // Because ReadFile reads the whole file, it does not treat an EOF from Read +diff --git a/src/os/os_test.go b/src/os/os_test.go +index 506f1fb..be269bb 100644 +--- a/src/os/os_test.go ++++ b/src/os/os_test.go +@@ -2702,6 +2702,44 @@ func TestDirFS(t *testing.T) { + if err == nil { + t.Fatalf(`Open testdata\dirfs succeeded`) + } ++ ++ // Test that Open does not open Windows device files. ++ _, err = d.Open(`NUL`) ++ if err == nil { ++ t.Errorf(`Open NUL succeeded`) ++ } ++} ++ ++func TestDirFSRootDir(t *testing.T) { ++ cwd, err := os.Getwd() ++ if err != nil { ++ t.Fatal(err) ++ } ++ cwd = cwd[len(filepath.VolumeName(cwd)):] // trim volume prefix (C:) on Windows ++ cwd = filepath.ToSlash(cwd) // convert \ to / ++ cwd = strings.TrimPrefix(cwd, "/") // trim leading / ++ ++ // Test that Open can open a path starting at /. ++ d := DirFS("/") ++ f, err := d.Open(cwd + "/testdata/dirfs/a") ++ if err != nil { ++ t.Fatal(err) ++ } ++ f.Close() ++} ++ ++func TestDirFSEmptyDir(t *testing.T) { ++ d := DirFS("") ++ cwd, _ := os.Getwd() ++ for _, path := range []string{ ++ "testdata/dirfs/a", // not DirFS(".") ++ filepath.ToSlash(cwd) + "/testdata/dirfs/a", // not DirFS("/") ++ } { ++ _, err := d.Open(path) ++ if err == nil { ++ t.Fatalf(`DirFS("").Open(%q) succeeded`, path) ++ } ++ } + } + + func TestDirFSPathsValid(t *testing.T) { diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch new file mode 100644 index 0000000000..426a4f925f --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch 
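Review bot: In the `src/os/file.go` part of this patch, the new error path of `dirFS.Open` builds `&PathError{Op: "stat", Path: name, Err: err}`, although the line it replaces used `Op: "open"`. This looks copied from `dirFS.Stat` and should read `return nil, &PathError{Op: "open", Path: name, Err: err}`, so that logs and error matching name the right operation. In `src/internal/safefilepath/path_other.go`, the plan9 branch of `fromFS` returns `path, errInvalidPath`, while every other rejection returns `"", errInvalidPath` and `TestFromFS` asserts that the result is empty exactly when an error is set. Changing it to `return "", errInvalidPath` keeps a rejected path from reaching a caller that ignores the error. Both lines may match upstream as shipped; if so, they are candidates for a follow-up backport rather than a local edit.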
@@ -0,0 +1,103 @@
+From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh <thanm@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+
+CVE: CVE-2022-41722
+Upstream-Status: Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
+Signed-off-by: Shubham Kulkarni 
<skulkarni@mvista.com> +--- + src/path/filepath/path.go | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go +index 8300a32..94621a0 100644 +--- a/src/path/filepath/path.go ++++ b/src/path/filepath/path.go +@@ -15,6 +15,7 @@ import ( + "errors" + "io/fs" + "os" ++ "runtime" + "sort" + "strings" + ) +@@ -117,21 +118,9 @@ func Clean(path string) string { + case os.IsPathSeparator(path[r]): + // empty path element + r++ +- case path[r] == '.' && r+1 == n: ++ case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])): + // . element + r++ +- case path[r] == '.' && os.IsPathSeparator(path[r+1]): +- // ./ element +- r++ +- +- for r < len(path) && os.IsPathSeparator(path[r]) { +- r++ +- } +- if out.w == 0 && volumeNameLen(path[r:]) > 0 { +- // When joining prefix "." and an absolute path on Windows, +- // the prefix should not be removed. +- out.append('.') +- } + case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])): + // .. element: remove to last separator + r += 2 +@@ -157,6 +146,18 @@ func Clean(path string) string { + if rooted && out.w != 1 || !rooted && out.w != 0 { + out.append(Separator) + } ++ // If a ':' appears in the path element at the start of a Windows path, ++ // insert a .\ at the beginning to avoid converting relative paths ++ // like a/../c: into c:. ++ if runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0 { ++ for i := r; i < n && !os.IsPathSeparator(path[i]); i++ { ++ if path[i] == ':' { ++ out.append('.') ++ out.append(Separator) ++ break ++ } ++ } ++ } + // copy element + for ; r < n && !os.IsPathSeparator(path[r]); r++ { + out.append(path[r]) +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch b/meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch new file mode 100644 index 0000000000..a93fa31dcd --- /dev/null 
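Review bot: Nothing in this backport exercises the new `runtime.GOOS == "windows" && out.w == 0 && out.volLen == 0 && r != 0` branch in `Clean`, because the diffstat lists only `src/path/filepath/path.go`. A test-table entry for the input named in the subject, `a/../c:/b`, and one for `a/../b:/../c` expecting `.\c` as the commit message states, would pin the fix against later rebases of the recipe. Whether upstream shipped test changes alongside this fix cannot be told from the patch. Separately, the header writes `Upstream-Status: Backport from https://…` where the neighbouring patches use `Upstream-Status: Backport [https://…]`, and the commit id in that URL appears shorter than a full id, so the reference should be verified and put in the bracketed form.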
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch 
@@ -0,0 +1,156 @@ +From 451766789f646617157c725e20c955d4a9a70d4e Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 6 Feb 2023 10:03:44 -0800 +Subject: [PATCH] net/http: update bundled golang.org/x/net/http2 + +Disable cmd/internal/moddeps test, since this update includes PRIVATE +track fixes. + +Fixes CVE-2022-41723 +Fixes #58355 +Updates #57855 + +Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468118 +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Pratt <mpratt@google.com> +Auto-Submit: Michael Pratt <mpratt@google.com> +Reviewed-by: Than McIntosh <thanm@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3] +CVE: CVE-2022-41723 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/vendor/golang.org/x/net/http2/hpack/hpack.go | 79 +++++++++++++++--------- + 1 file changed, 49 insertions(+), 30 deletions(-) + +diff --git a/src/vendor/golang.org/x/net/http2/hpack/hpack.go b/src/vendor/golang.org/x/net/http2/hpack/hpack.go +index 85f18a2..02e80e3 100644 +--- a/src/vendor/golang.org/x/net/http2/hpack/hpack.go ++++ b/src/vendor/golang.org/x/net/http2/hpack/hpack.go +@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + + var hf HeaderField + wantStr := d.emitEnabled || it.indexed() ++ var undecodedName undecodedString + if nameIdx > 0 { + ihf, ok := d.at(nameIdx) + if !ok { +@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + } + hf.Name = ihf.Name + } else { +- hf.Name, buf, err = d.readString(buf, wantStr) ++ 
undecodedName, buf, err = d.readString(buf) + if err != nil { + return err + } + } +- hf.Value, buf, err = d.readString(buf, wantStr) ++ undecodedValue, buf, err := d.readString(buf) + if err != nil { + return err + } ++ if wantStr { ++ if nameIdx <= 0 { ++ hf.Name, err = d.decodeString(undecodedName) ++ if err != nil { ++ return err ++ } ++ } ++ hf.Value, err = d.decodeString(undecodedValue) ++ if err != nil { ++ return err ++ } ++ } + d.buf = buf + if it.indexed() { + d.dynTab.add(hf) +@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { + return 0, origP, errNeedMore + } + +-// readString decodes an hpack string from p. ++// readString reads an hpack string from p. + // +-// wantStr is whether s will be used. If false, decompression and +-// []byte->string garbage are skipped if s will be ignored +-// anyway. This does mean that huffman decoding errors for non-indexed +-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server +-// is returning an error anyway, and because they're not indexed, the error +-// won't affect the decoding state. +-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { ++// It returns a reference to the encoded string data to permit deferring decode costs ++// until after the caller verifies all data is present. 
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { + if len(p) == 0 { +- return "", p, errNeedMore ++ return u, p, errNeedMore + } + isHuff := p[0]&128 != 0 + strLen, p, err := readVarInt(7, p) + if err != nil { +- return "", p, err ++ return u, p, err + } + if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { +- return "", nil, ErrStringLength ++ // Returning an error here means Huffman decoding errors ++ // for non-indexed strings past the maximum string length ++ // are ignored, but the server is returning an error anyway ++ // and because the string is not indexed the error will not ++ // affect the decoding state. ++ return u, nil, ErrStringLength + } + if uint64(len(p)) < strLen { +- return "", p, errNeedMore +- } +- if !isHuff { +- if wantStr { +- s = string(p[:strLen]) +- } +- return s, p[strLen:], nil ++ return u, p, errNeedMore + } ++ u.isHuff = isHuff ++ u.b = p[:strLen] ++ return u, p[strLen:], nil ++} + +- if wantStr { +- buf := bufPool.Get().(*bytes.Buffer) +- buf.Reset() // don't trust others +- defer bufPool.Put(buf) +- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { +- buf.Reset() +- return "", nil, err +- } ++type undecodedString struct { ++ isHuff bool ++ b []byte ++} ++ ++func (d *Decoder) decodeString(u undecodedString) (string, error) { ++ if !u.isHuff { ++ return string(u.b), nil ++ } ++ buf := bufPool.Get().(*bytes.Buffer) ++ buf.Reset() // don't trust others ++ var s string ++ err := huffmanDecode(buf, d.maxStrLen, u.b) ++ if err == nil { + s = buf.String() +- buf.Reset() // be nice to GC + } +- return s, p[strLen:], nil ++ buf.Reset() // be nice to GC ++ bufPool.Put(buf) ++ return s, err + } +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch new file mode 100644 index 0000000000..c65c7852d5 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24534.patch 
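Review bot: The patch header does not say that this is a partial backport: the description states that the change disables the cmd/internal/moddeps test, but the diffstat lists only src/vendor/golang.org/x/net/http2/hpack/hpack.go. If the test change was dropped on purpose, the vendored hpack code no longer matches what the module metadata pins, and the next maintainer has no record of why. A line under `Upstream-Status:` such as `Only the vendored hpack.go change is carried; the moddeps test change from the upstream commit is omitted.` would document it. That the omission is deliberate is inferred from the diffstat, so confirm against the upstream commit.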
@@ -0,0 +1,200 @@ +From d6759e7a059f4208f07aa781402841d7ddaaef96 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Fri, 10 Mar 2023 14:21:05 -0800 +Subject: [PATCH] [release-branch.go1.19] net/textproto: avoid overpredicting + the number of MIME header keys + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802452 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +(cherry picked from commit f739f080a72fd5b06d35c8e244165159645e2ed6) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802393 +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Change-Id: I675451438d619a9130360c56daf529559004903f +Reviewed-on: https://go-review.googlesource.com/c/go/+/481982 +Run-TryBot: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/d6759e7a059f4208f07aa781402841d7ddaaef96] +CVE: CVE-2023-24534 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> + +--- + src/bytes/bytes.go | 14 ++++++++ + src/net/textproto/reader.go | 30 ++++++++++------ + src/net/textproto/reader_test.go | 59 ++++++++++++++++++++++++++++++++ + 3 files changed, 92 insertions(+), 11 deletions(-) + +diff --git a/src/bytes/bytes.go b/src/bytes/bytes.go +index ce52649..95ff31c 100644 +--- a/src/bytes/bytes.go ++++ b/src/bytes/bytes.go +@@ -1174,3 +1174,17 @@ func Index(s, sep []byte) int { + } + return -1 + } ++ ++// Cut slices s around the first instance of sep, ++// returning the text before and after sep. ++// The found result reports whether sep appears in s. ++// If sep does not appear in s, cut returns s, nil, false. ++// ++// Cut returns slices of the original slice s, not copies. 
++func Cut(s, sep []byte) (before, after []byte, found bool) { ++ if i := Index(s, sep); i >= 0 { ++ return s[:i], s[i+len(sep):], true ++ } ++ return s, nil, false ++} ++ +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 6a680f4..fcbede8 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -493,8 +493,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + // large one ahead of time which we'll cut up into smaller + // slices. If this isn't big enough later, we allocate small ones. + var strs []string +- hint := r.upcomingHeaderNewlines() ++ hint := r.upcomingHeaderKeys() + if hint > 0 { ++ if hint > 1000 { ++ hint = 1000 // set a cap to avoid overallocation ++ } + strs = make([]string, hint) + } + +@@ -589,9 +592,11 @@ func mustHaveFieldNameColon(line []byte) error { + return nil + } + +-// upcomingHeaderNewlines returns an approximation of the number of newlines ++var nl = []byte("\n") ++ ++// upcomingHeaderKeys returns an approximation of the number of keys + // that will be in this header. If it gets confused, it returns 0. +-func (r *Reader) upcomingHeaderNewlines() (n int) { ++func (r *Reader) upcomingHeaderKeys() (n int) { + // Try to determine the 'hint' size. + r.R.Peek(1) // force a buffer load if empty + s := r.R.Buffered() +@@ -599,17 +604,20 @@ func (r *Reader) upcomingHeaderNewlines() (n int) { + return + } + peek, _ := r.R.Peek(s) +- for len(peek) > 0 { +- i := bytes.IndexByte(peek, '\n') +- if i < 3 { +- // Not present (-1) or found within the next few bytes, +- // implying we're at the end ("\r\n\r\n" or "\n\n") +- return ++ for len(peek) > 0 && n < 1000 { ++ var line []byte ++ line, peek, _ = bytes.Cut(peek, nl) ++ if len(line) == 0 || (len(line) == 1 && line[0] == '\r') { ++ // Blank line separating headers from the body. ++ break ++ } ++ if line[0] == ' ' || line[0] == '\t' { ++ // Folded continuation of the previous line. 
++ continue + } + n++ +- peek = peek[i+1:] + } +- return ++ return n + } + + // CanonicalMIMEHeaderKey returns the canonical format of the +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3124d43..3ae0de1 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -9,6 +9,7 @@ import ( + "bytes" + "io" + "reflect" ++ "runtime" + "strings" + "testing" + ) +@@ -127,6 +128,42 @@ func TestReadMIMEHeaderSingle(t *testing.T) { + } + } + ++// TestReaderUpcomingHeaderKeys is testing an internal function, but it's very ++// difficult to test well via the external API. ++func TestReaderUpcomingHeaderKeys(t *testing.T) { ++ for _, test := range []struct { ++ input string ++ want int ++ }{{ ++ input: "", ++ want: 0, ++ }, { ++ input: "A: v", ++ want: 1, ++ }, { ++ input: "A: v\r\nB: v\r\n", ++ want: 2, ++ }, { ++ input: "A: v\nB: v\n", ++ want: 2, ++ }, { ++ input: "A: v\r\n continued\r\n still continued\r\nB: v\r\n\r\n", ++ want: 2, ++ }, { ++ input: "A: v\r\n\r\nB: v\r\nC: v\r\n", ++ want: 1, ++ }, { ++ input: "A: v" + strings.Repeat("\n", 1000), ++ want: 1, ++ }} { ++ r := reader(test.input) ++ got := r.upcomingHeaderKeys() ++ if test.want != got { ++ t.Fatalf("upcomingHeaderKeys(%q): %v; want %v", test.input, got, test.want) ++ } ++ } ++} ++ + func TestReadMIMEHeaderNoKey(t *testing.T) { + r := reader(": bar\ntest-1: 1\n\n") + m, err := r.ReadMIMEHeader() +@@ -223,6 +260,28 @@ func TestReadMIMEHeaderTrimContinued(t *testing.T) { + } + } + ++// Test that reading a header doesn't overallocate. Issue 58975. 
++func TestReadMIMEHeaderAllocations(t *testing.T) { ++ var totalAlloc uint64 ++ const count = 200 ++ for i := 0; i < count; i++ { ++ r := reader("A: b\r\n\r\n" + strings.Repeat("\n", 4096)) ++ var m1, m2 runtime.MemStats ++ runtime.ReadMemStats(&m1) ++ _, err := r.ReadMIMEHeader() ++ if err != nil { ++ t.Fatalf("ReadMIMEHeader: %v", err) ++ } ++ runtime.ReadMemStats(&m2) ++ totalAlloc += m2.TotalAlloc - m1.TotalAlloc ++ } ++ // 32k is large and we actually allocate substantially less, ++ // but prior to the fix for #58975 we allocated ~400k in this case. ++ if got, want := totalAlloc/count, uint64(32768); got > want { ++ t.Fatalf("ReadMIMEHeader allocated %v bytes, want < %v", got, want) ++ } ++} ++ + type readResponseTest struct { + in string + inCode int +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch new file mode 100644 index 0000000000..4521f159ea --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch 
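Review bot: The src/bytes/bytes.go section adds an exported `bytes.Cut` to the patched standard library, which widens the public API of the shipped toolchain beyond what the fix needs. The only caller visible in this patch is `upcomingHeaderKeys` in reader.go. If this branch is meant to keep the API surface unchanged, an unexported helper in reader.go does the same split and leaves package bytes alone, as sketched below. Other patches in the series may rely on `bytes.Cut`, so check before dropping it.

```go
// cutLine splits peek at the first '\n' and returns the line and the remainder;
// it is unexported so the fix adds nothing to the bytes package API.
func cutLine(peek []byte) (line, rest []byte) {
	if i := bytes.IndexByte(peek, '\n'); i >= 0 {
		return peek[:i], peek[i+1:]
	}
	return peek, nil
}

// … unchanged: upcomingHeaderKeys up to the loop header …
		line, peek = cutLine(peek)
// … unchanged: blank-line and continuation checks, n++ …
```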
@@ -0,0 +1,75 @@ +From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 20 Mar 2023 10:43:19 -0700 +Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime + message sizes + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802456 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802611 +Reviewed-by: Damien Neil <dneil@google.com> +Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168 +Reviewed-on: https://go-review.googlesource.com/c/go/+/481986 +Reviewed-by: Matthew Dempsky <mdempsky@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104] +CVE: CVE-2023-24537 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/go/parser/parser_test.go | 16 ++++++++++++++++ + src/go/scanner/scanner.go | 5 ++++- + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go +index 1a46c87..993df63 100644 +--- a/src/go/parser/parser_test.go ++++ b/src/go/parser/parser_test.go +@@ -746,3 +746,19 @@ func TestScopeDepthLimit(t *testing.T) { + } + } + } ++ ++// TestIssue59180 tests that line number overflow doesn't cause an infinite loop. 
++func TestIssue59180(t *testing.T) { ++ testcases := []string{ ++ "package p\n//line :9223372036854775806\n\n//", ++ "package p\n//line :1:9223372036854775806\n\n//", ++ "package p\n//line file:9223372036854775806\n\n//", ++ } ++ ++ for _, src := range testcases { ++ _, err := ParseFile(token.NewFileSet(), "", src, ParseComments) ++ if err == nil { ++ t.Errorf("ParseFile(%s) succeeded unexpectedly", src) ++ } ++ } ++} +diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go +index f08e28c..ff847b5 100644 +--- a/src/go/scanner/scanner.go ++++ b/src/go/scanner/scanner.go +@@ -251,13 +251,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text []byte) { + return + } + ++ // Put a cap on the maximum size of line and column numbers. ++ // 30 bits allows for some additional space before wrapping an int32. ++ const maxLineCol = 1<<30 - 1 + var line, col int + i2, n2, ok2 := trailingDigits(text[:i-1]) + if ok2 { + //line filename:line:col + i, i2 = i2, i + line, col = n2, n +- if col == 0 { ++ if col == 0 || col > maxLineCol { + s.error(offs+i2, "invalid column number: "+string(text[i2:])) + return + } +-- +2.25.1 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24538_1.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538_1.patch new file mode 100644 index 0000000000..bb0a416f46 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538_1.patch 
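Review bot: Only the column number is capped in the scanner.go hunk (`if col == 0 || col > maxLineCol`), and nothing visible applies `maxLineCol` to `line`. Two of the three TestIssue59180 inputs (`//line :N` and `//line file:N`) carry an oversized line number and no column, so they never reach that check. If the line-number test that follows the if/else still reads `if line == 0 {`, it should become `if line == 0 || line > maxLineCol {`. updateLineInfo continues past the end of the hunk, so confirm this against the upstream commit. Separately, the Subject names mime/multipart while the diffstat touches go/parser and go/scanner, so the header looks copied from a different patch.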
@@ -0,0 +1,597 @@ +From b1e4e8ec7e946ff2d3bb37ac99c5468ceb49c362 Mon Sep 17 00:00:00 2001 +From: Russ Cox <rsc@golang.org> +Date: Thu, 20 May 2021 12:46:33 -0400 +Subject: [PATCH 1/2] html/template, text/template: implement break and + continue for range loops + +Break and continue for range loops was accepted as a proposal in June 2017. +It was implemented in CL 66410 (Oct 2017) +but then rolled back in CL 92155 (Feb 2018) +because html/template changes had not been implemented. + +This CL reimplements break and continue in text/template +and then adds support for them in html/template as well. + +Fixes #20531. + +Change-Id: I05330482a976f1c078b4b49c2287bd9031bb7616 +Reviewed-on: https://go-review.googlesource.com/c/go/+/321491 +Trust: Russ Cox <rsc@golang.org> +Run-TryBot: Russ Cox <rsc@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Reviewed-by: Rob Pike <r@golang.org> + +Upstream-Status: Backport from https://github.com/golang/go/commit/d0dd26a88c019d54f22463daae81e785f5867565 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/context.go | 4 ++ + src/html/template/escape.go | 71 ++++++++++++++++++++++++++++++++++- + src/html/template/escape_test.go | 24 ++++++++++++ + src/html/template/exec_test.go | 2 + + src/text/template/doc.go | 8 ++++ + src/text/template/exec.go | 24 +++++++++++- + src/text/template/exec_test.go | 2 + + src/text/template/parse/lex.go | 13 ++++++- + src/text/template/parse/lex_test.go | 2 + + src/text/template/parse/node.go | 36 ++++++++++++++++++ + src/text/template/parse/parse.go | 42 ++++++++++++++++++++- + src/text/template/parse/parse_test.go | 8 ++++ + 12 files changed, 232 insertions(+), 4 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..aaa7d08 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -6,6 +6,7 @@ package template + + import ( + "fmt" ++ "text/template/parse" + ) + + // context 
describes the state an HTML parser must be in when it reaches the +@@ -22,6 +23,7 @@ type context struct { + jsCtx jsCtx + attr attr + element element ++ n parse.Node // for range break/continue + err *Error + } + +@@ -141,6 +143,8 @@ const ( + // stateError is an infectious error state outside any valid + // HTML/CSS/JS construct. + stateError ++ // stateDead marks unreachable code after a {{break}} or {{continue}}. ++ stateDead + ) + + // isComment is true for any state that contains content meant for template +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 8739735..6dea79c 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -97,6 +97,15 @@ type escaper struct { + actionNodeEdits map[*parse.ActionNode][]string + templateNodeEdits map[*parse.TemplateNode]string + textNodeEdits map[*parse.TextNode][]byte ++ // rangeContext holds context about the current range loop. ++ rangeContext *rangeContext ++} ++ ++// rangeContext holds information about the current range loop. ++type rangeContext struct { ++ outer *rangeContext // outer loop ++ breaks []context // context at each break action ++ continues []context // context at each continue action + } + + // makeEscaper creates a blank escaper for the given set. 
+@@ -109,6 +118,7 @@ func makeEscaper(n *nameSpace) escaper { + map[*parse.ActionNode][]string{}, + map[*parse.TemplateNode]string{}, + map[*parse.TextNode][]byte{}, ++ nil, + } + } + +@@ -124,8 +134,16 @@ func (e *escaper) escape(c context, n parse.Node) context { + switch n := n.(type) { + case *parse.ActionNode: + return e.escapeAction(c, n) ++ case *parse.BreakNode: ++ c.n = n ++ e.rangeContext.breaks = append(e.rangeContext.breaks, c) ++ return context{state: stateDead} + case *parse.CommentNode: + return c ++ case *parse.ContinueNode: ++ c.n = n ++ e.rangeContext.continues = append(e.rangeContext.breaks, c) ++ return context{state: stateDead} + case *parse.IfNode: + return e.escapeBranch(c, &n.BranchNode, "if") + case *parse.ListNode: +@@ -427,6 +445,12 @@ func join(a, b context, node parse.Node, nodeName string) context { + if b.state == stateError { + return b + } ++ if a.state == stateDead { ++ return b ++ } ++ if b.state == stateDead { ++ return a ++ } + if a.eq(b) { + return a + } +@@ -466,14 +490,27 @@ func join(a, b context, node parse.Node, nodeName string) context { + + // escapeBranch escapes a branch template node: "if", "range" and "with". + func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) context { ++ if nodeName == "range" { ++ e.rangeContext = &rangeContext{outer: e.rangeContext} ++ } + c0 := e.escapeList(c, n.List) +- if nodeName == "range" && c0.state != stateError { ++ if nodeName == "range" { ++ if c0.state != stateError { ++ c0 = joinRange(c0, e.rangeContext) ++ } ++ e.rangeContext = e.rangeContext.outer ++ if c0.state == stateError { ++ return c0 ++ } ++ + // The "true" branch of a "range" node can execute multiple times. + // We check that executing n.List once results in the same context + // as executing n.List twice. 
++ e.rangeContext = &rangeContext{outer: e.rangeContext} + c1, _ := e.escapeListConditionally(c0, n.List, nil) + c0 = join(c0, c1, n, nodeName) + if c0.state == stateError { ++ e.rangeContext = e.rangeContext.outer + // Make clear that this is a problem on loop re-entry + // since developers tend to overlook that branch when + // debugging templates. +@@ -481,11 +518,39 @@ func (e *escaper) escapeBranch(c context, n *parse.BranchNode, nodeName string) + c0.err.Description = "on range loop re-entry: " + c0.err.Description + return c0 + } ++ c0 = joinRange(c0, e.rangeContext) ++ e.rangeContext = e.rangeContext.outer ++ if c0.state == stateError { ++ return c0 ++ } + } + c1 := e.escapeList(c, n.ElseList) + return join(c0, c1, n, nodeName) + } + ++func joinRange(c0 context, rc *rangeContext) context { ++ // Merge contexts at break and continue statements into overall body context. ++ // In theory we could treat breaks differently from continues, but for now it is ++ // enough to treat them both as going back to the start of the loop (which may then stop). ++ for _, c := range rc.breaks { ++ c0 = join(c0, c, c.n, "range") ++ if c0.state == stateError { ++ c0.err.Line = c.n.(*parse.BreakNode).Line ++ c0.err.Description = "at range loop break: " + c0.err.Description ++ return c0 ++ } ++ } ++ for _, c := range rc.continues { ++ c0 = join(c0, c, c.n, "range") ++ if c0.state == stateError { ++ c0.err.Line = c.n.(*parse.ContinueNode).Line ++ c0.err.Description = "at range loop continue: " + c0.err.Description ++ return c0 ++ } ++ } ++ return c0 ++} ++ + // escapeList escapes a list template node. 
+ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + if n == nil { +@@ -493,6 +558,9 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + } + for _, m := range n.Nodes { + c = e.escape(c, m) ++ if c.state == stateDead { ++ break ++ } + } + return c + } +@@ -503,6 +571,7 @@ func (e *escaper) escapeList(c context, n *parse.ListNode) context { + // which is the same as whether e was updated. + func (e *escaper) escapeListConditionally(c context, n *parse.ListNode, filter func(*escaper, context) bool) (context, bool) { + e1 := makeEscaper(e.ns) ++ e1.rangeContext = e.rangeContext + // Make type inferences available to f. + for k, v := range e.output { + e1.output[k] = v +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index fbc84a7..3b0aa8c 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -920,6 +920,22 @@ func TestErrors(t *testing.T) { + "<a href='/foo?{{range .Items}}&{{.K}}={{.V}}{{end}}'>", + "", + }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{continue}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{break}}{{end}}", ++ "", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}", ++ "", ++ }, + // Error cases. 
+ { + "{{if .Cond}}<a{{end}}", +@@ -956,6 +972,14 @@ func TestErrors(t *testing.T) { + "z:2:8: on range loop re-entry: {{range}} branches", + }, + { ++ "{{range .Items}}<a{{if .X}}{{break}}{{end}}>{{end}}", ++ "z:1:29: at range loop break: {{range}} branches end in different contexts", ++ }, ++ { ++ "{{range .Items}}<a{{if .X}}{{continue}}{{end}}>{{end}}", ++ "z:1:29: at range loop continue: {{range}} branches end in different contexts", ++ }, ++ { + "<a b=1 c={{.H}}", + "z: ends in a non-text context: {stateAttr delimSpaceOrTagEnd", + }, +diff --git a/src/html/template/exec_test.go b/src/html/template/exec_test.go +index 8885873..523340b 100644 +--- a/src/html/template/exec_test.go ++++ b/src/html/template/exec_test.go +@@ -567,6 +567,8 @@ var execTests = []execTest{ + {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "", tVal, true}, + {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range empty else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true}, ++ {"range []int break else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true}, ++ {"range []int continue else", "{{range .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range []bool", "{{range .SB}}-{{.}}-{{end}}", "-true--false-", tVal, true}, + {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", "-20--21--22-", tVal, true}, + {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true}, +diff --git a/src/text/template/doc.go b/src/text/template/doc.go +index 7b30294..0228b15 100644 +--- a/src/text/template/doc.go ++++ b/src/text/template/doc.go +@@ -112,6 +112,14 @@ data, defined in detail in the corresponding sections that follow. + T0 is executed; otherwise, dot is set to the successive elements + of the array, slice, or map and T1 is executed. 
+ ++ {{break}} ++ The innermost {{range pipeline}} loop is ended early, stopping the ++ current iteration and bypassing all remaining iterations. ++ ++ {{continue}} ++ The current iteration of the innermost {{range pipeline}} loop is ++ stopped, and the loop starts the next iteration. ++ + {{template "name"}} + The template with the specified name is executed with nil data. + +diff --git a/src/text/template/exec.go b/src/text/template/exec.go +index 5ad3b4e..92fa9d9 100644 +--- a/src/text/template/exec.go ++++ b/src/text/template/exec.go +@@ -5,6 +5,7 @@ + package template + + import ( ++ "errors" + "fmt" + "internal/fmtsort" + "io" +@@ -243,6 +244,12 @@ func (t *Template) DefinedTemplates() string { + return b.String() + } + ++// Sentinel errors for use with panic to signal early exits from range loops. ++var ( ++ walkBreak = errors.New("break") ++ walkContinue = errors.New("continue") ++) ++ + // Walk functions step through the major pieces of the template structure, + // generating output as they go. + func (s *state) walk(dot reflect.Value, node parse.Node) { +@@ -255,7 +262,11 @@ func (s *state) walk(dot reflect.Value, node parse.Node) { + if len(node.Pipe.Decl) == 0 { + s.printValue(node, val) + } ++ case *parse.BreakNode: ++ panic(walkBreak) + case *parse.CommentNode: ++ case *parse.ContinueNode: ++ panic(walkContinue) + case *parse.IfNode: + s.walkIfOrWith(parse.NodeIf, dot, node.Pipe, node.List, node.ElseList) + case *parse.ListNode: +@@ -334,6 +345,11 @@ func isTrue(val reflect.Value) (truth, ok bool) { + + func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) { + s.at(r) ++ defer func() { ++ if r := recover(); r != nil && r != walkBreak { ++ panic(r) ++ } ++ }() + defer s.pop(s.mark()) + val, _ := indirect(s.evalPipeline(dot, r.Pipe)) + // mark top of stack before any variables in the body are pushed. 
+@@ -347,8 +363,14 @@ func (s *state) walkRange(dot reflect.Value, r *parse.RangeNode) { + if len(r.Pipe.Decl) > 1 { + s.setTopVar(2, index) + } ++ defer s.pop(mark) ++ defer func() { ++ // Consume panic(walkContinue) ++ if r := recover(); r != nil && r != walkContinue { ++ panic(r) ++ } ++ }() + s.walk(elem, r.List) +- s.pop(mark) + } + switch val.Kind() { + case reflect.Array, reflect.Slice: +diff --git a/src/text/template/exec_test.go b/src/text/template/exec_test.go +index ef52164..586af55 100644 +--- a/src/text/template/exec_test.go ++++ b/src/text/template/exec_test.go +@@ -564,6 +564,8 @@ var execTests = []execTest{ + {"range empty no else", "{{range .SIEmpty}}-{{.}}-{{end}}", "", tVal, true}, + {"range []int else", "{{range .SI}}-{{.}}-{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range empty else", "{{range .SIEmpty}}-{{.}}-{{else}}EMPTY{{end}}", "EMPTY", tVal, true}, ++ {"range []int break else", "{{range .SI}}-{{.}}-{{break}}NOTREACHED{{else}}EMPTY{{end}}", "-3-", tVal, true}, ++ {"range []int continue else", "{{range .SI}}-{{.}}-{{continue}}NOTREACHED{{else}}EMPTY{{end}}", "-3--4--5-", tVal, true}, + {"range []bool", "{{range .SB}}-{{.}}-{{end}}", "-true--false-", tVal, true}, + {"range []int method", "{{range .SI | .MAdd .I}}-{{.}}-{{end}}", "-20--21--22-", tVal, true}, + {"range map", "{{range .MSI}}-{{.}}-{{end}}", "-1--3--2-", tVal, true}, +diff --git a/src/text/template/parse/lex.go b/src/text/template/parse/lex.go +index 6784071..95e3377 100644 +--- a/src/text/template/parse/lex.go ++++ b/src/text/template/parse/lex.go +@@ -62,6 +62,8 @@ const ( + // Keywords appear after all the rest. + itemKeyword // used only to delimit the keywords + itemBlock // block keyword ++ itemBreak // break keyword ++ itemContinue // continue keyword + itemDot // the cursor, spelled '.' 
+ itemDefine // define keyword + itemElse // else keyword +@@ -76,6 +78,8 @@ const ( + var key = map[string]itemType{ + ".": itemDot, + "block": itemBlock, ++ "break": itemBreak, ++ "continue": itemContinue, + "define": itemDefine, + "else": itemElse, + "end": itemEnd, +@@ -119,6 +123,8 @@ type lexer struct { + parenDepth int // nesting depth of ( ) exprs + line int // 1+number of newlines seen + startLine int // start line of this item ++ breakOK bool // break keyword allowed ++ continueOK bool // continue keyword allowed + } + + // next returns the next rune in the input. +@@ -461,7 +467,12 @@ Loop: + } + switch { + case key[word] > itemKeyword: +- l.emit(key[word]) ++ item := key[word] ++ if item == itemBreak && !l.breakOK || item == itemContinue && !l.continueOK { ++ l.emit(itemIdentifier) ++ } else { ++ l.emit(item) ++ } + case word[0] == '.': + l.emit(itemField) + case word == "true", word == "false": +diff --git a/src/text/template/parse/lex_test.go b/src/text/template/parse/lex_test.go +index 6510eed..df6aabf 100644 +--- a/src/text/template/parse/lex_test.go ++++ b/src/text/template/parse/lex_test.go +@@ -35,6 +35,8 @@ var itemName = map[itemType]string{ + // keywords + itemDot: ".", + itemBlock: "block", ++ itemBreak: "break", ++ itemContinue: "continue", + itemDefine: "define", + itemElse: "else", + itemIf: "if", +diff --git a/src/text/template/parse/node.go b/src/text/template/parse/node.go +index 177482f..4726822 100644 +--- a/src/text/template/parse/node.go ++++ b/src/text/template/parse/node.go +@@ -71,6 +71,8 @@ const ( + NodeVariable // A $ variable. + NodeWith // A with action. + NodeComment // A comment. ++ NodeBreak // A break action. ++ NodeContinue // A continue action. + ) + + // Nodes. +@@ -907,6 +909,40 @@ func (i *IfNode) Copy() Node { + return i.tr.newIf(i.Pos, i.Line, i.Pipe.CopyPipe(), i.List.CopyList(), i.ElseList.CopyList()) + } + ++// BreakNode represents a {{break}} action. 
++type BreakNode struct { ++ tr *Tree ++ NodeType ++ Pos ++ Line int ++} ++ ++func (t *Tree) newBreak(pos Pos, line int) *BreakNode { ++ return &BreakNode{tr: t, NodeType: NodeBreak, Pos: pos, Line: line} ++} ++ ++func (b *BreakNode) Copy() Node { return b.tr.newBreak(b.Pos, b.Line) } ++func (b *BreakNode) String() string { return "{{break}}" } ++func (b *BreakNode) tree() *Tree { return b.tr } ++func (b *BreakNode) writeTo(sb *strings.Builder) { sb.WriteString("{{break}}") } ++ ++// ContinueNode represents a {{continue}} action. ++type ContinueNode struct { ++ tr *Tree ++ NodeType ++ Pos ++ Line int ++} ++ ++func (t *Tree) newContinue(pos Pos, line int) *ContinueNode { ++ return &ContinueNode{tr: t, NodeType: NodeContinue, Pos: pos, Line: line} ++} ++ ++func (c *ContinueNode) Copy() Node { return c.tr.newContinue(c.Pos, c.Line) } ++func (c *ContinueNode) String() string { return "{{continue}}" } ++func (c *ContinueNode) tree() *Tree { return c.tr } ++func (c *ContinueNode) writeTo(sb *strings.Builder) { sb.WriteString("{{continue}}") } ++ + // RangeNode represents a {{range}} action and its commands. + type RangeNode struct { + BranchNode +diff --git a/src/text/template/parse/parse.go b/src/text/template/parse/parse.go +index 1a63961..d92bed5 100644 +--- a/src/text/template/parse/parse.go ++++ b/src/text/template/parse/parse.go +@@ -31,6 +31,7 @@ type Tree struct { + vars []string // variables defined at the moment. + treeSet map[string]*Tree + actionLine int // line of left delim starting action ++ rangeDepth int + mode Mode + } + +@@ -224,6 +225,8 @@ func (t *Tree) startParse(funcs []map[string]interface{}, lex *lexer, treeSet ma + t.vars = []string{"$"} + t.funcs = funcs + t.treeSet = treeSet ++ lex.breakOK = !t.hasFunction("break") ++ lex.continueOK = !t.hasFunction("continue") + } + + // stopParse terminates parsing. 
+@@ -386,6 +389,10 @@ func (t *Tree) action() (n Node) { + switch token := t.nextNonSpace(); token.typ { + case itemBlock: + return t.blockControl() ++ case itemBreak: ++ return t.breakControl(token.pos, token.line) ++ case itemContinue: ++ return t.continueControl(token.pos, token.line) + case itemElse: + return t.elseControl() + case itemEnd: +@@ -405,6 +412,32 @@ func (t *Tree) action() (n Node) { + return t.newAction(token.pos, token.line, t.pipeline("command", itemRightDelim)) + } + ++// Break: ++// {{break}} ++// Break keyword is past. ++func (t *Tree) breakControl(pos Pos, line int) Node { ++ if token := t.next(); token.typ != itemRightDelim { ++ t.unexpected(token, "in {{break}}") ++ } ++ if t.rangeDepth == 0 { ++ t.errorf("{{break}} outside {{range}}") ++ } ++ return t.newBreak(pos, line) ++} ++ ++// Continue: ++// {{continue}} ++// Continue keyword is past. ++func (t *Tree) continueControl(pos Pos, line int) Node { ++ if token := t.next(); token.typ != itemRightDelim { ++ t.unexpected(token, "in {{continue}}") ++ } ++ if t.rangeDepth == 0 { ++ t.errorf("{{continue}} outside {{range}}") ++ } ++ return t.newContinue(pos, line) ++} ++ + // Pipeline: + // declarations? command ('|' command)* + func (t *Tree) pipeline(context string, end itemType) (pipe *PipeNode) { +@@ -480,8 +513,14 @@ func (t *Tree) checkPipeline(pipe *PipeNode, context string) { + func (t *Tree) parseControl(allowElseIf bool, context string) (pos Pos, line int, pipe *PipeNode, list, elseList *ListNode) { + defer t.popVars(len(t.vars)) + pipe = t.pipeline(context, itemRightDelim) ++ if context == "range" { ++ t.rangeDepth++ ++ } + var next Node + list, next = t.itemList() ++ if context == "range" { ++ t.rangeDepth-- ++ } + switch next.Type() { + case nodeEnd: //done + case nodeElse: +@@ -523,7 +562,8 @@ func (t *Tree) ifControl() Node { + // {{range pipeline}} itemList {{else}} itemList {{end}} + // Range keyword is past. 
+ func (t *Tree) rangeControl() Node { +- return t.newRange(t.parseControl(false, "range")) ++ r := t.newRange(t.parseControl(false, "range")) ++ return r + } + + // With: +diff --git a/src/text/template/parse/parse_test.go b/src/text/template/parse/parse_test.go +index 9b1be27..c3679a0 100644 +--- a/src/text/template/parse/parse_test.go ++++ b/src/text/template/parse/parse_test.go +@@ -230,6 +230,10 @@ var parseTests = []parseTest{ + `{{range $x := .SI}}{{.}}{{end}}`}, + {"range 2 vars", "{{range $x, $y := .SI}}{{.}}{{end}}", noError, + `{{range $x, $y := .SI}}{{.}}{{end}}`}, ++ {"range with break", "{{range .SI}}{{.}}{{break}}{{end}}", noError, ++ `{{range .SI}}{{.}}{{break}}{{end}}`}, ++ {"range with continue", "{{range .SI}}{{.}}{{continue}}{{end}}", noError, ++ `{{range .SI}}{{.}}{{continue}}{{end}}`}, + {"constants", "{{range .SI 1 -3.2i true false 'a' nil}}{{end}}", noError, + `{{range .SI 1 -3.2i true false 'a' nil}}{{end}}`}, + {"template", "{{template `x`}}", noError, +@@ -279,6 +283,10 @@ var parseTests = []parseTest{ + {"adjacent args", "{{printf 3`x`}}", hasError, ""}, + {"adjacent args with .", "{{printf `x`.}}", hasError, ""}, + {"extra end after if", "{{if .X}}a{{else if .Y}}b{{end}}{{end}}", hasError, ""}, ++ {"break outside range", "{{range .}}{{end}} {{break}}", hasError, ""}, ++ {"continue outside range", "{{range .}}{{end}} {{continue}}", hasError, ""}, ++ {"break in range else", "{{range .}}{{else}}{{break}}{{end}}", hasError, ""}, ++ {"continue in range else", "{{range .}}{{else}}{{continue}}{{end}}", hasError, ""}, + // Other kinds of assignments and operators aren't available yet. + {"bug0a", "{{$x := 0}}{{$x}}", noError, "{{$x := 0}}{{$x}}"}, + {"bug0b", "{{$x += 1}}{{$x}}", hasError, ""}, +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24538_2.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538_2.patch new file mode 100644 index 0000000000..f94f0f55c7 --- /dev/null 
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24538_2.patch 
@@ -0,0 +1,371 @@ +From 07cc3b8711a8efbb5885f56dd90d854049ad2f7d Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 20 Mar 2023 11:01:13 -0700 +Subject: [PATCH 2/2] html/template: disallow actions in JS template literals + +ECMAScript 6 introduced template literals[0][1] which are delimited with +backticks. These need to be escaped in a similar fashion to the +delimiters for other string literals. Additionally template literals can +contain special syntax for string interpolation. + +There is no clear way to allow safe insertion of actions within JS +template literals, as handling (JS) string interpolation inside of these +literals is rather complex. As such we've chosen to simply disallow +template actions within these template literals. + +A new error code is added for this parsing failure case, errJsTmplLit, +but it is unexported as it is not backwards compatible with other minor +release versions to introduce an API change in a minor release. We will +export this code in the next major release. + +The previous behavior (with the cavet that backticks are now escaped +properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. + +This change subsumes CL471455. + +Thanks to Sohom Datta, Manipal Institute of Technology, for reporting +this issue. 
+ +Fixes CVE-2023-24538 +For #59234 +Fixes #59271 + +[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals +[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c +Reviewed-on: https://go-review.googlesource.com/c/go/+/481987 +Auto-Submit: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> + +Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/context.go | 2 ++ + src/html/template/error.go | 13 ++++++++ + src/html/template/escape.go | 11 +++++++ + src/html/template/escape_test.go | 66 ++++++++++++++++++++++----------------- + src/html/template/js.go | 2 ++ + src/html/template/js_test.go | 2 +- + src/html/template/jsctx_string.go | 9 ++++++ + src/html/template/state_string.go | 37 ++++++++++++++++++++-- + src/html/template/transition.go | 7 ++++- + 9 files changed, 116 insertions(+), 33 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..0b65313 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -116,6 +116,8 @@ const ( + stateJSDqStr + // stateJSSqStr occurs inside a JavaScript single quoted string. 
+ stateJSSqStr ++ // stateJSBqStr occurs inside a JavaScript back quoted string. ++ stateJSBqStr + // stateJSRegexp occurs inside a JavaScript regexp literal. + stateJSRegexp + // stateJSBlockCmt occurs inside a JavaScript /* block comment */. +diff --git a/src/html/template/error.go b/src/html/template/error.go +index 0e52706..fd26b64 100644 +--- a/src/html/template/error.go ++++ b/src/html/template/error.go +@@ -211,6 +211,19 @@ const ( + // pipeline occurs in an unquoted attribute value context, "html" is + // disallowed. Avoid using "html" and "urlquery" entirely in new templates. + ErrPredefinedEscaper ++ ++ // errJSTmplLit: "... appears in a JS template literal" ++ // Example: ++ // <script>var tmpl = `{{.Interp}`</script> ++ // Discussion: ++ // Package html/template does not support actions inside of JS template ++ // literals. ++ // ++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor ++ // release, since it is backwards incompatible with the other minor ++ // releases. As such we need to leave it unexported, and then we'll add it ++ // in the next major release. 
++ errJSTmplLit + ) + + func (e *Error) Error() string { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 8739735..ca078f4 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -8,6 +8,7 @@ import ( + "bytes" + "fmt" + "html" ++ "internal/godebug" + "io" + "text/template" + "text/template/parse" +@@ -205,6 +206,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + c.jsCtx = jsCtxDivOp + case stateJSDqStr, stateJSSqStr: + s = append(s, "_html_template_jsstrescaper") ++ case stateJSBqStr: ++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp") ++ if debugAllowActionJSTmpl == "1" { ++ s = append(s, "_html_template_jsstrescaper") ++ } else { ++ return context{ ++ state: stateError, ++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n), ++ } ++ } + case stateJSRegexp: + s = append(s, "_html_template_jsregexpescaper") + case stateCSS: +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 3b0aa8c..a695b17 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -681,35 +681,31 @@ func TestEscape(t *testing.T) { + } + + for _, test := range tests { +- tmpl := New(test.name) +- tmpl = Must(tmpl.Parse(test.input)) +- // Check for bug 6459: Tree field was not set in Parse. 
+- if tmpl.Tree != tmpl.text.Tree { +- t.Errorf("%s: tree not set properly", test.name) +- continue +- } +- b := new(bytes.Buffer) +- if err := tmpl.Execute(b, data); err != nil { +- t.Errorf("%s: template execution failed: %s", test.name, err) +- continue +- } +- if w, g := test.output, b.String(); w != g { +- t.Errorf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g) +- continue +- } +- b.Reset() +- if err := tmpl.Execute(b, pdata); err != nil { +- t.Errorf("%s: template execution failed for pointer: %s", test.name, err) +- continue +- } +- if w, g := test.output, b.String(); w != g { +- t.Errorf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g) +- continue +- } +- if tmpl.Tree != tmpl.text.Tree { +- t.Errorf("%s: tree mismatch", test.name) +- continue +- } ++ t.Run(test.name, func(t *testing.T) { ++ tmpl := New(test.name) ++ tmpl = Must(tmpl.Parse(test.input)) ++ // Check for bug 6459: Tree field was not set in Parse. ++ if tmpl.Tree != tmpl.text.Tree { ++ t.Fatalf("%s: tree not set properly", test.name) ++ } ++ b := new(strings.Builder) ++ if err := tmpl.Execute(b, data); err != nil { ++ t.Fatalf("%s: template execution failed: %s", test.name, err) ++ } ++ if w, g := test.output, b.String(); w != g { ++ t.Fatalf("%s: escaped output: want\n\t%q\ngot\n\t%q", test.name, w, g) ++ } ++ b.Reset() ++ if err := tmpl.Execute(b, pdata); err != nil { ++ t.Fatalf("%s: template execution failed for pointer: %s", test.name, err) ++ } ++ if w, g := test.output, b.String(); w != g { ++ t.Fatalf("%s: escaped output for pointer: want\n\t%q\ngot\n\t%q", test.name, w, g) ++ } ++ if tmpl.Tree != tmpl.text.Tree { ++ t.Fatalf("%s: tree mismatch", test.name) ++ } ++ }) + } + } + +@@ -936,6 +932,10 @@ func TestErrors(t *testing.T) { + "{{range .Items}}<a{{if .X}}{{end}}>{{if .X}}{{break}}{{end}}{{end}}", + "", + }, ++ { ++ "<script>var a = `${a+b}`</script>`", ++ "", ++ }, + // Error cases. 
+ { + "{{if .Cond}}<a{{end}}", +@@ -1082,6 +1082,10 @@ func TestErrors(t *testing.T) { + // html is allowed since it is the last command in the pipeline, but urlquery is not. + `predefined escaper "urlquery" disallowed in template`, + }, ++ { ++ "<script>var tmpl = `asd {{.}}`;</script>", ++ `{{.}} appears in a JS template literal`, ++ }, + } + for _, test := range tests { + buf := new(bytes.Buffer) +@@ -1304,6 +1308,10 @@ func TestEscapeText(t *testing.T) { + context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript}, + }, + { ++ "<a onclick=\"`foo", ++ context{state: stateJSBqStr, delim: delimDoubleQuote, attr: attrScript}, ++ }, ++ { + `<A ONCLICK="'`, + context{state: stateJSSqStr, delim: delimDoubleQuote, attr: attrScript}, + }, +diff --git a/src/html/template/js.go b/src/html/template/js.go +index ea9c183..b888eaf 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{ + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. 
+ '"': `\u0022`, ++ '`': `\u0060`, + '&': `\u0026`, + '\'': `\u0027`, + '+': `\u002b`, +@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{ + '"': `\u0022`, + '&': `\u0026`, + '\'': `\u0027`, ++ '`': `\u0060`, + '+': `\u002b`, + '/': `\/`, + '<': `\u003c`, +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index d7ee47b..7d963ae 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -292,7 +292,7 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) { + `0123456789:;\u003c=\u003e?` + + `@ABCDEFGHIJKLMNO` + + `PQRSTUVWXYZ[\\]^_` + +- "`abcdefghijklmno" + ++ "\\u0060abcdefghijklmno" + + "pqrstuvwxyz{|}~\u007f" + + "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E", + }, +diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go +index dd1d87e..2394893 100644 +--- a/src/html/template/jsctx_string.go ++++ b/src/html/template/jsctx_string.go +@@ -4,6 +4,15 @@ package template + + import "strconv" + ++func _() { ++ // An "invalid array index" compiler error signifies that the constant values have changed. ++ // Re-run the stringer command to generate them again. 
++ var x [1]struct{} ++ _ = x[jsCtxRegexp-0] ++ _ = x[jsCtxDivOp-1] ++ _ = x[jsCtxUnknown-2] ++} ++ + const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown" + + var _jsCtx_index = [...]uint8{0, 11, 21, 33} +diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go +index 05104be..6fb1a6e 100644 +--- a/src/html/template/state_string.go ++++ b/src/html/template/state_string.go +@@ -4,9 +4,42 @@ package template + + import "strconv" + +-const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateError" ++func _() { ++ // An "invalid array index" compiler error signifies that the constant values have changed. ++ // Re-run the stringer command to generate them again. ++ var x [1]struct{} ++ _ = x[stateText-0] ++ _ = x[stateTag-1] ++ _ = x[stateAttrName-2] ++ _ = x[stateAfterName-3] ++ _ = x[stateBeforeValue-4] ++ _ = x[stateHTMLCmt-5] ++ _ = x[stateRCDATA-6] ++ _ = x[stateAttr-7] ++ _ = x[stateURL-8] ++ _ = x[stateSrcset-9] ++ _ = x[stateJS-10] ++ _ = x[stateJSDqStr-11] ++ _ = x[stateJSSqStr-12] ++ _ = x[stateJSBqStr-13] ++ _ = x[stateJSRegexp-14] ++ _ = x[stateJSBlockCmt-15] ++ _ = x[stateJSLineCmt-16] ++ _ = x[stateCSS-17] ++ _ = x[stateCSSDqStr-18] ++ _ = x[stateCSSSqStr-19] ++ _ = x[stateCSSDqURL-20] ++ _ = x[stateCSSSqURL-21] ++ _ = x[stateCSSURL-22] ++ _ = x[stateCSSBlockCmt-23] ++ _ = x[stateCSSLineCmt-24] ++ _ = x[stateError-25] ++ _ = x[stateDead-26] ++} ++ ++const _state_name = 
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" + +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 155, 170, 184, 192, 205, 218, 231, 244, 255, 271, 286, 296} ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317} + + func (i state) String() string { + if i >= state(len(_state_index)-1) { +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index 06df679..92eb351 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateJS: tJS, + stateJSDqStr: tJSDelimited, + stateJSSqStr: tJSDelimited, ++ stateJSBqStr: tJSDelimited, + stateJSRegexp: tJSDelimited, + stateJSBlockCmt: tBlockCmt, + stateJSLineCmt: tLineCmt, +@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) { + + // tJS is the context transition function for the JS state. + func tJS(c context, s []byte) (context, int) { +- i := bytes.IndexAny(s, `"'/`) ++ i := bytes.IndexAny(s, "\"`'/") + if i == -1 { + // Entire input is non string, comment, regexp tokens. 
+ c.jsCtx = nextJSCtx(s, c.jsCtx) +@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) { + c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp + case '\'': + c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp ++ case '`': ++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp + case '/': + switch { + case i+1 < len(s) && s[i+1] == '/': +@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) { + switch c.state { + case stateJSSqStr: + specials = `\'` ++ case stateJSBqStr: ++ specials = "`\\" + case stateJSRegexp: + specials = `\/[]` + } +-- +2.7.4 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch new file mode 100644 index 0000000000..fa19e18264 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch 
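Review bot: The `case stateJSBqStr:` branch added to escapeAction in escape.go keeps an escape hatch that the code itself never explains: with `GODEBUG=jstmpllitinterp=1` the action is allowed again and routed through `_html_template_jsstrescaper`. The js.go hunks add only the backtick to jsStrReplacementTable and jsStrNormReplacementTable, and no entry for `$` or `{` is visible there, so under that setting a value containing `${` would presumably still be read as a JS interpolation; the tables continue outside the hunk, so this should be confirmed. I would add a comment above the `godebug.Get` call, `// jstmpllitinterp=1 re-enables actions inside JS template literals; only the backtick is escaped, so leave it unset wherever template data is untrusted`. escapeAction starts and ends outside the hunk.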
@@ -0,0 +1,53 @@ +From e49282327b05192e46086bf25fd3ac691205fe80 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 13 Apr 2023 15:40:44 -0700 +Subject: [PATCH] [release-branch.go1.19] html/template: disallow angle + brackets in CSS values + +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491335 +Run-TryBot: Carlos Amedee <carlos@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80] +CVE: CVE-2023-24539 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/html/template/css.go | 2 +- + src/html/template/css_test.go | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/css.go b/src/html/template/css.go +index 890a0c6b227fe..f650d8b3e843a 100644 +--- a/src/html/template/css.go ++++ b/src/html/template/css.go +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { + // inside a string that might embed JavaScript source. + for i, c := range b { + switch c { +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': + return filterFailsafe + case '-': + // Disallow <!-- or -->. 
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go +index a735638b0314f..2b76256a766e9 100644 +--- a/src/html/template/css_test.go ++++ b/src/html/template/css_test.go +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, + {`-expre\0000073sion`, "-expre\x073sion"}, + {`@import url evil.css`, "ZgotmplZ"}, ++ {"<", "ZgotmplZ"}, ++ {">", "ZgotmplZ"}, + } + for _, test := range tests { + got := cssValueFilter(test.css) diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29400.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29400.patch new file mode 100644 index 0000000000..04bd1f5fec --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29400.patch 
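Review bot: The css.go hunk in CVE-2023-24539.patch looks unrefreshed against the tree it is applied to: its hunk header names `func cssValueFilter(args ...any) string` and its index line carries upstream's full-length hashes, while the CVE-2023-29400 patch in the same series shows html/template still spelling the parameter `args ...interface{}`. The text after `@@` does not affect applying, but the line offsets might, so the patch may only go in with fuzz or offset; regenerating it against the recipe's unpacked source would avoid that. The patch header also carries no explanation of why `'<'` and `'>'` join the rejected characters; one sentence such as `Angle brackets in a CSS value are replaced by the failsafe value, as the other delimiter characters already are` would help the next reader.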
@@ -0,0 +1,99 @@ +From 9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 13 Apr 2023 14:01:50 -0700 +Subject: [PATCH] [release-branch.go1.19] html/template: emit filterFailsafe + for empty unquoted attr value + +An unquoted action used as an attribute value can result in unsafe +behavior if it is empty, as HTML normalization will result in unexpected +attributes, and may allow attribute injection. If executing a template +results in a empty unquoted attribute value, emit filterFailsafe +instead. + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +For #59722 +Fixes #59815 +Fixes CVE-2023-29400 + +Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851498 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491357 +Run-TryBot: Carlos Amedee <carlos@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5] +CVE: CVE-2023-29400 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/html/template/escape.go | 5 ++--- + src/html/template/escape_test.go | 15 +++++++++++++++ + src/html/template/html.go | 3 +++ + 3 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index ca078f4..bdccc65 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -362,9 +362,8 @@ func normalizeEscFn(e string) string { + // for all x. 
+ var redundantFuncs = map[string]map[string]bool{ + "_html_template_commentescaper": { +- "_html_template_attrescaper": true, +- "_html_template_nospaceescaper": true, +- "_html_template_htmlescaper": true, ++ "_html_template_attrescaper": true, ++ "_html_template_htmlescaper": true, + }, + "_html_template_cssescaper": { + "_html_template_attrescaper": true, +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index fbc84a7..4f48afe 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -678,6 +678,21 @@ func TestEscape(t *testing.T) { + `<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`, + `<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`, + }, ++ { ++ "unquoted empty attribute value (plaintext)", ++ "<p name={{.U}}>", ++ "<p name=ZgotmplZ>", ++ }, ++ { ++ "unquoted empty attribute value (url)", ++ "<p href={{.U}}>", ++ "<p href=ZgotmplZ>", ++ }, ++ { ++ "quoted empty attribute value", ++ "<p name=\"{{.U}}\">", ++ "<p name=\"\">", ++ }, + } + + for _, test := range tests { +diff --git a/src/html/template/html.go b/src/html/template/html.go +index 356b829..636bc21 100644 +--- a/src/html/template/html.go ++++ b/src/html/template/html.go +@@ -14,6 +14,9 @@ import ( + // htmlNospaceEscaper escapes for inclusion in unquoted attribute values. + func htmlNospaceEscaper(args ...interface{}) string { + s, t := stringify(args...) ++ if s == "" { ++ return filterFailsafe ++ } + if t == contentTypeHTML { + return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false) + } +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch new file mode 100644 index 0000000000..a326cda5c4 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-1.patch 
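Review bot: The new `if s == ""` guard in htmlNospaceEscaper (html.go) runs before the `contentTypeHTML` branch, which escapes `stripTags(s)` rather than `s`. stripTags is defined outside the hunk; if it can return an empty string for a non-empty input (a value that is nothing but markup), that branch would still emit an empty unquoted attribute value, which is the case the patch description sets out to remove. A test row next to the three added to TestEscape would settle it, and if it fails the guard could be applied to the result instead, e.g. `if out := htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false); out != "" { return out }` followed by `return filterFailsafe`. Because this is a backport, a confirmed gap is better raised upstream than carried as a local divergence; the function body continues past the end of the hunk.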
@@ -0,0 +1,210 @@ +From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 28 Jun 2023 13:20:08 -0700 +Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before + sending + +Verify that the Host header we send is valid. +Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops" +adding an X-Evil header to HTTP/1 requests. + +Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to +header injection in the way HTTP/1 is, but x/net/http2 doesn't validate +the header and will go into a retry loop when the server rejects it. +CL 506995 adds the necessary validation to x/net/http2. + +Updates #60374 +Fixes #61075 +For CVE-2023-29406 + +Change-Id: I05cb6866a9bead043101954dfded199258c6dd04 +Reviewed-on: https://go-review.googlesource.com/c/go/+/506996 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Damien Neil <dneil@google.com> +(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2) +Reviewed-on: https://go-review.googlesource.com/c/go/+/507358 +Run-TryBot: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Roland Shoemaker <roland@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b] +CVE: CVE-2023-29406 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/net/http/http_test.go | 29 ---------------------- + src/net/http/request.go | 45 ++++++++-------------------------- + src/net/http/request_test.go | 11 ++------- + src/net/http/transport_test.go | 18 ++++++++++++++ + 4 files changed, 30 insertions(+), 73 deletions(-) + +diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go +index 0d92fe5..f03272a 100644 +--- a/src/net/http/http_test.go ++++ b/src/net/http/http_test.go +@@ -48,35 +48,6 @@ func TestForeachHeaderElement(t *testing.T) { + } + } + +-func TestCleanHost(t *testing.T) { +- 
tests := []struct { +- in, want string +- }{ +- {"www.google.com", "www.google.com"}, +- {"www.google.com foo", "www.google.com"}, +- {"www.google.com/foo", "www.google.com"}, +- {" first character is a space", ""}, +- {"[1::6]:8080", "[1::6]:8080"}, +- +- // Punycode: +- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"}, +- {"bücher.de", "xn--bcher-kva.de"}, +- {"bücher.de:8080", "xn--bcher-kva.de:8080"}, +- // Verify we convert to lowercase before punycode: +- {"BÜCHER.de", "xn--bcher-kva.de"}, +- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"}, +- // Verify we normalize to NFC before punycode: +- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed +- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input +- } +- for _, tt := range tests { +- got := cleanHost(tt.in) +- if tt.want != got { +- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want) +- } +- } +-} +- + // Test that cmd/go doesn't link in the HTTP server. + // + // This catches accidental dependencies between the HTTP transport and +diff --git a/src/net/http/request.go b/src/net/http/request.go +index 09cb0c7..2f4e740 100644 +--- a/src/net/http/request.go ++++ b/src/net/http/request.go +@@ -17,7 +17,6 @@ import ( + "io" + "mime" + "mime/multipart" +- "net" + "net/http/httptrace" + "net/http/internal/ascii" + "net/textproto" +@@ -27,6 +26,7 @@ import ( + "strings" + "sync" + ++ "golang.org/x/net/http/httpguts" + "golang.org/x/net/idna" + ) + +@@ -568,12 +568,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF + // is not given, use the host from the request URL. + // + // Clean the host, in case it arrives with unexpected stuff in it. 
+- host := cleanHost(r.Host) ++ host := r.Host + if host == "" { + if r.URL == nil { + return errMissingHost + } +- host = cleanHost(r.URL.Host) ++ host = r.URL.Host ++ } ++ host, err = httpguts.PunycodeHostPort(host) ++ if err != nil { ++ return err ++ } ++ if !httpguts.ValidHostHeader(host) { ++ return errors.New("http: invalid Host header") + } + + // According to RFC 6874, an HTTP client, proxy, or other +@@ -730,38 +737,6 @@ func idnaASCII(v string) (string, error) { + return idna.Lookup.ToASCII(v) + } + +-// cleanHost cleans up the host sent in request's Host header. +-// +-// It both strips anything after '/' or ' ', and puts the value +-// into Punycode form, if necessary. +-// +-// Ideally we'd clean the Host header according to the spec: +-// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]") +-// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host) +-// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host) +-// But practically, what we are trying to avoid is the situation in +-// issue 11206, where a malformed Host header used in the proxy context +-// would create a bad request. So it is enough to just truncate at the +-// first offending character. +-func cleanHost(in string) string { +- if i := strings.IndexAny(in, " /"); i != -1 { +- in = in[:i] +- } +- host, port, err := net.SplitHostPort(in) +- if err != nil { // input was just a host +- a, err := idnaASCII(in) +- if err != nil { +- return in // garbage in, garbage out +- } +- return a +- } +- a, err := idnaASCII(host) +- if err != nil { +- return in // garbage in, garbage out +- } +- return net.JoinHostPort(a, port) +-} +- + // removeZone removes IPv6 zone identifier from host. 
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080" + func removeZone(host string) string { +diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go +index fac12b7..368e87a 100644 +--- a/src/net/http/request_test.go ++++ b/src/net/http/request_test.go +@@ -776,15 +776,8 @@ func TestRequestBadHost(t *testing.T) { + } + req.Host = "foo.com with spaces" + req.URL.Host = "foo.com with spaces" +- req.Write(logWrites{t, &got}) +- want := []string{ +- "GET /after HTTP/1.1\r\n", +- "Host: foo.com\r\n", +- "User-Agent: " + DefaultUserAgent + "\r\n", +- "\r\n", +- } +- if !reflect.DeepEqual(got, want) { +- t.Errorf("Writes = %q\n Want = %q", got, want) ++ if err := req.Write(logWrites{t, &got}); err == nil { ++ t.Errorf("Writing request with invalid Host: succeded, want error") + } + } + +diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go +index eeaa492..58f12af 100644 +--- a/src/net/http/transport_test.go ++++ b/src/net/http/transport_test.go +@@ -6512,3 +6512,21 @@ func TestCancelRequestWhenSharingConnection(t *testing.T) { + close(r2c) + wg.Wait() + } ++ ++func TestRequestSanitization(t *testing.T) { ++ setParallel(t) ++ defer afterTest(t) ++ ++ ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) { ++ if h, ok := req.Header["X-Evil"]; ok { ++ t.Errorf("request has X-Evil header: %q", h) ++ } ++ })).ts ++ defer ts.Close() ++ req, _ := NewRequest("GET", ts.URL, nil) ++ req.Host = "go.dev\r\nX-Evil:evil" ++ resp, _ := ts.Client().Do(req) ++ if resp != nil { ++ resp.Body.Close() ++ } ++} +-- +2.25.1 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch new file mode 100644 index 0000000000..637f46a537 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-29406-2.patch 
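Review bot: TestRequestSanitization in transport_test.go discards both errors (`req, _ := NewRequest(...)` and `resp, _ := ts.Client().Do(req)`), so it passes whenever the handler is never reached, whatever the reason. As written it cannot tell a request refused for its malformed Host from one that failed for an unrelated reason. I would at least check the constructor with `if err != nil { t.Fatal(err) }` and record the outcome of Do with `t.Logf("Do: %v", err)` so a regression is visible in the test output. Separately, the context comment `// Clean the host, in case it arrives with unexpected stuff in it.` in Request.write is stale now that cleanHost is removed and the host is validated rather than cleaned; Request.write starts and ends outside the hunk.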
@@ -0,0 +1,114 @@ +From c08a5fa413a34111c9a37fd9e545de27ab0978b1 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 19 Jul 2023 10:30:46 -0700 +Subject: [PATCH] [release-branch.go1.19] net/http: permit requests with + invalid Host headers + +Historically, the Transport has silently truncated invalid +Host headers at the first '/' or ' ' character. CL 506996 changed +this behavior to reject invalid Host headers entirely. +Unfortunately, Docker appears to rely on the previous behavior. + +When sending a HTTP/1 request with an invalid Host, send an empty +Host header. This is safer than truncation: If you care about the +Host, then you should get the one you set; if you don't care, +then an empty Host should be fine. + +Continue to fully validate Host headers sent to a proxy, +since proxies generally can't productively forward requests +without a Host. + +For #60374 +Fixes #61431 +Fixes #61825 + +Change-Id: If170c7dd860aa20eb58fe32990fc93af832742b6 +Reviewed-on: https://go-review.googlesource.com/c/go/+/511155 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Roland Shoemaker <roland@golang.org> +Run-TryBot: Damien Neil <dneil@google.com> +(cherry picked from commit b9153f6ef338baee5fe02a867c8fbc83a8b29dd1) +Reviewed-on: https://go-review.googlesource.com/c/go/+/518855 +Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> +Run-TryBot: Roland Shoemaker <roland@golang.org> +Reviewed-by: Russ Cox <rsc@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/c08a5fa413a34111c9a37fd9e545de27ab0978b1] +CVE: CVE-2023-29406 +Signed-off-by: Ming Liu <liu.ming50@gmail.com> +--- + src/net/http/request.go | 23 ++++++++++++++++++++++- + src/net/http/request_test.go | 17 ++++++++++++----- + 2 files changed, 34 insertions(+), 6 deletions(-) + +diff --git a/src/net/http/request.go b/src/net/http/request.go +index 3100037386..91cb8a66b9 100644 +--- a/src/net/http/request.go ++++ b/src/net/http/request.go +@@ -582,8 +582,29 @@ 
func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ if err != nil {
+ return err
+ }
++ // Validate that the Host header is a valid header in general,
++ // but don't validate the host itself. This is sufficient to avoid
++ // header or request smuggling via the Host field.
++ // The server can (and will, if it's a net/http server) reject
++ // the request if it doesn't consider the host valid.
+ if !httpguts.ValidHostHeader(host) {
+- return errors.New("http: invalid Host header")
++ // Historically, we would truncate the Host header after '/' or ' '.
++ // Some users have relied on this truncation to convert a network
++ // address such as Unix domain socket path into a valid, ignored
++ // Host header (see https://go.dev/issue/61431).
++ //
++ // We don't preserve the truncation, because sending an altered
++ // header field opens a smuggling vector. Instead, zero out the
++ // Host header entirely if it isn't valid. (An empty Host is valid;
++ // see RFC 9112 Section 3.2.)
++ //
++ // Return an error if we're sending to a proxy, since the proxy
++ // probably can't do anything useful with an empty Host header.
++ if !usingProxy { ++ host = "" ++ } else { ++ return errors.New("http: invalid Host header") ++ } + } + + // According to RFC 6874, an HTTP client, proxy, or other +diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go +index fddc85d6a9..dd1e2dc2a1 100644 +--- a/src/net/http/request_test.go ++++ b/src/net/http/request_test.go +@@ -770,16 +770,23 @@ func TestRequestWriteBufferedWriter(t *testing.T) { + } + } + +-func TestRequestBadHost(t *testing.T) { ++func TestRequestBadHostHeader(t *testing.T) { + got := []string{} + req, err := NewRequest("GET", "http://foo/after", nil) + if err != nil { + t.Fatal(err) + } +- req.Host = "foo.com with spaces" +- req.URL.Host = "foo.com with spaces" +- if err := req.Write(logWrites{t, &got}); err == nil { +- t.Errorf("Writing request with invalid Host: succeded, want error") ++ req.Host = "foo.com\nnewline" ++ req.URL.Host = "foo.com\nnewline" ++ req.Write(logWrites{t, &got}) ++ want := []string{ ++ "GET /after HTTP/1.1\r\n", ++ "Host: \r\n", ++ "User-Agent: " + DefaultUserAgent + "\r\n", ++ "\r\n", ++ } ++ if !reflect.DeepEqual(got, want) { ++ t.Errorf("Writes = %q\n Want = %q", got, want) + } + } + +-- +2.34.1 + diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch new file mode 100644 index 0000000000..d3fc6b0313 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch 
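Review bot: The rewritten `TestRequestBadHostHeader` only exercises the non-proxy path and discards the return value of `req.Write`, so the branch in `write` that still returns `http: invalid Host header` when `usingProxy` is true has no coverage in this backport. That branch is the one the commit message relies on to keep Host validation strict towards proxies, so it deserves an assertion of its own, for example `if err := req.WriteProxy(io.Discard); err == nil { t.Errorf("WriteProxy with invalid Host succeeded, want error") }` (assuming `io` is already imported in request_test.go). Checking the error from `req.Write` in the non-proxy case would also make a failure easier to read than a mismatch in the logged writes. The body of `write` starts and ends outside the hunk.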
@@ -0,0 +1,207 @@ +From 5330cd225ba54c7dc78c1b46dcdf61a4671a632c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Wed, 10 Jan 2024 11:02:14 -0800 +Subject: [PATCH] [release-branch.go1.22] net/mail: properly handle special + characters in phrase and obs-phrase + +Fixes a couple of misalignments with RFC 5322 which introduce +significant diffs between (mostly) conformant parsers. + +This change reverts the changes made in CL50911, which allowed certain +special RFC 5322 characters to appear unquoted in the "phrase" syntax. +It is unclear why this change was made in the first place, and created +a divergence from comformant parsers. In particular this resulted in +treating comments in display names incorrectly. + +Additionally properly handle trailing malformed comments in the group +syntax. + +For #65083 +Fixed #65849 + +Change-Id: I00dddc044c6ae3381154e43236632604c390f672 +Reviewed-on: https://go-review.googlesource.com/c/go/+/555596 +Reviewed-by: Damien Neil <dneil@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/566215 +Reviewed-by: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/5330cd225ba54c7dc78c1b46dcdf61a4671a632c] +CVE: CVE-2024-24784 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/net/mail/message.go | 30 +++++++++++++++------------ + src/net/mail/message_test.go | 40 ++++++++++++++++++++++++++---------- + 2 files changed, 46 insertions(+), 24 deletions(-) + +diff --git a/src/net/mail/message.go b/src/net/mail/message.go +index 47bbf6c..84f48f0 100644 +--- a/src/net/mail/message.go ++++ b/src/net/mail/message.go +@@ -231,7 +231,7 @@ func (a *Address) String() string { + // Add quotes if needed + quoteLocal := false + for i, r := range local { +- if isAtext(r, false, false) { ++ if isAtext(r, false) { + continue + } + if r == '.' 
{ +@@ -395,7 +395,7 @@ func (p *addrParser) parseAddress(handleGroup bool) ([]*Address, error) { + if !p.consume('<') { + atext := true + for _, r := range displayName { +- if !isAtext(r, true, false) { ++ if !isAtext(r, true) { + atext = false + break + } +@@ -430,7 +430,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) { + // handle empty group. + p.skipSpace() + if p.consume(';') { +- p.skipCFWS() ++ if !p.skipCFWS() { ++ return nil, errors.New("mail: misformatted parenthetical comment") ++ } + return group, nil + } + +@@ -447,7 +449,9 @@ func (p *addrParser) consumeGroupList() ([]*Address, error) { + return nil, errors.New("mail: misformatted parenthetical comment") + } + if p.consume(';') { +- p.skipCFWS() ++ if !p.skipCFWS() { ++ return nil, errors.New("mail: misformatted parenthetical comment") ++ } + break + } + if !p.consume(',') { +@@ -517,6 +521,12 @@ func (p *addrParser) consumePhrase() (phrase string, err error) { + var words []string + var isPrevEncoded bool + for { ++ // obs-phrase allows CFWS after one word ++ if len(words) > 0 { ++ if !p.skipCFWS() { ++ return "", errors.New("mail: misformatted parenthetical comment") ++ } ++ } + // word = atom / quoted-string + var word string + p.skipSpace() +@@ -612,7 +622,6 @@ Loop: + // If dot is true, consumeAtom parses an RFC 5322 dot-atom instead. 
+ // If permissive is true, consumeAtom will not fail on: + // - leading/trailing/double dots in the atom (see golang.org/issue/4938) +-// - special characters (RFC 5322 3.2.3) except '<', '>', ':' and '"' (see golang.org/issue/21018) + func (p *addrParser) consumeAtom(dot bool, permissive bool) (atom string, err error) { + i := 0 + +@@ -623,7 +632,7 @@ Loop: + case size == 1 && r == utf8.RuneError: + return "", fmt.Errorf("mail: invalid utf-8 in address: %q", p.s) + +- case size == 0 || !isAtext(r, dot, permissive): ++ case size == 0 || !isAtext(r, dot): + break Loop + + default: +@@ -777,18 +786,13 @@ func (e charsetError) Error() string { + + // isAtext reports whether r is an RFC 5322 atext character. + // If dot is true, period is included. +-// If permissive is true, RFC 5322 3.2.3 specials is included, +-// except '<', '>', ':' and '"'. +-func isAtext(r rune, dot, permissive bool) bool { ++func isAtext(r rune, dot bool) bool { + switch r { + case '.': + return dot + + // RFC 5322 3.2.3. specials +- case '(', ')', '[', ']', ';', '@', '\\', ',': +- return permissive +- +- case '<', '>', '"', ':': ++ case '(', ')', '<', '>', '[', ']', ':', ';', '@', '\\', ',', '"': // RFC 5322 3.2.3. 
specials + return false + } + return isVchar(r) +diff --git a/src/net/mail/message_test.go b/src/net/mail/message_test.go +index 80a17b2..00bc93e 100644 +--- a/src/net/mail/message_test.go ++++ b/src/net/mail/message_test.go +@@ -334,8 +334,11 @@ func TestAddressParsingError(t *testing.T) { + 13: {"group not closed: null@example.com", "expected comma"}, + 14: {"group: first@example.com, second@example.com;", "group with multiple addresses"}, + 15: {"john.doe", "missing '@' or angle-addr"}, +- 16: {"john.doe@", "no angle-addr"}, ++ 16: {"john.doe@", "missing '@' or angle-addr"}, + 17: {"John Doe@foo.bar", "no angle-addr"}, ++ 18: {" group: null@example.com; (asd", "misformatted parenthetical comment"}, ++ 19: {" group: ; (asd", "misformatted parenthetical comment"}, ++ 20: {`(John) Doe <jdoe@machine.example>`, "missing word in phrase:"}, + } + + for i, tc := range mustErrTestCases { +@@ -374,24 +377,19 @@ func TestAddressParsing(t *testing.T) { + Address: "john.q.public@example.com", + }}, + }, +- { +- `"John (middle) Doe" <jdoe@machine.example>`, +- []*Address{{ +- Name: "John (middle) Doe", +- Address: "jdoe@machine.example", +- }}, +- }, ++ // Comment in display name + { + `John (middle) Doe <jdoe@machine.example>`, + []*Address{{ +- Name: "John (middle) Doe", ++ Name: "John Doe", + Address: "jdoe@machine.example", + }}, + }, ++ // Display name is quoted string, so comment is not a comment + { +- `John !@M@! Doe <jdoe@machine.example>`, ++ `"John (middle) Doe" <jdoe@machine.example>`, + []*Address{{ +- Name: "John !@M@! 
Doe", ++ Name: "John (middle) Doe", + Address: "jdoe@machine.example", + }}, + }, +@@ -726,6 +724,26 @@ func TestAddressParsing(t *testing.T) { + }, + }, + }, ++ // Comment in group display name ++ { ++ `group (comment:): a@example.com, b@example.com;`, ++ []*Address{ ++ { ++ Address: "a@example.com", ++ }, ++ { ++ Address: "b@example.com", ++ }, ++ }, ++ }, ++ { ++ `x(:"):"@a.example;("@b.example;`, ++ []*Address{ ++ { ++ Address: `@a.example;(@b.example`, ++ }, ++ }, ++ }, + } + for _, test := range tests { + if len(test.exp) == 1 { +-- +2.39.3 diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch new file mode 100644 index 0000000000..5c8244e89a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch 
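Review bot: The new `len(words) > 0` branch in `consumePhrase`, which rejects an unterminated comment between phrase words, has no direct test in the message_test.go hunks: cases 18 and 19 cover the two `consumeGroupList` paths and case 20 covers a leading comment, but none places an unclosed `(` after the first word. An extra `mustErrTestCases` entry with a display name whose parenthetical is never closed, expected to fail with `misformatted parenthetical comment`, would pin that behaviour for the backport. As a smaller style point, the rewritten `case` line in `isAtext` carries a trailing `// RFC 5322 3.2.3. specials` while the identical comment is still present on the context line directly above it, so one of the two can go. `consumePhrase` and `isAtext` both continue outside the hunks shown.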
@@ -0,0 +1,196 @@ +From 056b0edcb8c152152021eebf4cf42adbfbe77992 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <roland@golang.org> +Date: Wed, 14 Feb 2024 17:18:36 -0800 +Subject: [PATCH] [release-branch.go1.22] html/template: escape additional + tokens in MarshalJSON errors + +Escape "</script" and "<!--" in errors returned from MarshalJSON errors +when attempting to marshal types in script blocks. This prevents any +user controlled content from prematurely terminating the script block. + +Updates #65697 +Fixes #65969 + +Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b +Reviewed-on: https://go-review.googlesource.com/c/go/+/564196 +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Damien Neil <dneil@google.com> +(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa) +Reviewed-on: https://go-review.googlesource.com/c/go/+/567535 +Reviewed-by: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992] +CVE: CVE-2024-24785 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/html/template/js.go | 22 ++++++++- + src/html/template/js_test.go | 96 ++++++++++++++++++++---------------- + 2 files changed, 74 insertions(+), 44 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 35994f0..4d3b25d 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string { + // cyclic data. This may be an unacceptable DoS risk. + b, err := json.Marshal(a) + if err != nil { +- // Put a space before comment so that if it is flush against ++ // While the standard JSON marshaller does not include user controlled ++ // information in the error message, if a type has a MarshalJSON method, ++ // the content of the error message is not guaranteed. 
Since we insert ++ // the error into the template, as part of a comment, we attempt to ++ // prevent the error from either terminating the comment, or the script ++ // block itself. ++ // ++ // In particular we: ++ // * replace "*/" comment end tokens with "* /", which does not ++ // terminate the comment ++ // * replace "</script" with "\x3C/script", and "<!--" with ++ // "\x3C!--", which prevents confusing script block termination ++ // semantics ++ // ++ // We also put a space before the comment so that if it is flush against + // a division operator it is not turned into a line comment: + // x/{{y}} + // turning into + // x//* error marshaling y: + // second line of error message */null +- return fmt.Sprintf(" /* %s */null ", strings.ReplaceAll(err.Error(), "*/", "* /")) ++ errStr := err.Error() ++ errStr = strings.ReplaceAll(errStr, "*/", "* /") ++ errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`) ++ errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`) ++ return fmt.Sprintf(" /* %s */null ", errStr) + } + + // TODO: maybe post-process output to prevent it from containing +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index de9ef28..0eaec11 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -5,6 +5,7 @@ + package template + + import ( ++ "errors" + "bytes" + "math" + "strings" +@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) { + } + } + ++type jsonErrType struct{} ++ ++func (e *jsonErrType) MarshalJSON() ([]byte, error) { ++ return nil, errors.New("beep */ boop </script blip <!--") ++} ++ + func TestJSValEscaper(t *testing.T) { + tests := []struct { +- x interface{} +- js string ++ x any ++ js string ++ skipNest bool + }{ +- {int(42), " 42 "}, +- {uint(42), " 42 "}, +- {int16(42), " 42 "}, +- {uint16(42), " 42 "}, +- {int32(-42), " -42 "}, +- {uint32(42), " 42 "}, +- {int16(-42), " -42 "}, +- {uint16(42), " 42 "}, +- {int64(-42), " -42 "}, +- {uint64(42), " 42 "}, +- {uint64(1) << 
53, " 9007199254740992 "}, ++ {int(42), " 42 ", false}, ++ {uint(42), " 42 ", false}, ++ {int16(42), " 42 ", false}, ++ {uint16(42), " 42 ", false}, ++ {int32(-42), " -42 ", false}, ++ {uint32(42), " 42 ", false}, ++ {int16(-42), " -42 ", false}, ++ {uint16(42), " 42 ", false}, ++ {int64(-42), " -42 ", false}, ++ {uint64(42), " 42 ", false}, ++ {uint64(1) << 53, " 9007199254740992 ", false}, + // ulp(1 << 53) > 1 so this loses precision in JS + // but it is still a representable integer literal. +- {uint64(1)<<53 + 1, " 9007199254740993 "}, +- {float32(1.0), " 1 "}, +- {float32(-1.0), " -1 "}, +- {float32(0.5), " 0.5 "}, +- {float32(-0.5), " -0.5 "}, +- {float32(1.0) / float32(256), " 0.00390625 "}, +- {float32(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {float64(1.0), " 1 "}, +- {float64(-1.0), " -1 "}, +- {float64(0.5), " 0.5 "}, +- {float64(-0.5), " -0.5 "}, +- {float64(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {"", `""`}, +- {"foo", `"foo"`}, ++ {uint64(1)<<53 + 1, " 9007199254740993 ", false}, ++ {float32(1.0), " 1 ", false}, ++ {float32(-1.0), " -1 ", false}, ++ {float32(0.5), " 0.5 ", false}, ++ {float32(-0.5), " -0.5 ", false}, ++ {float32(1.0) / float32(256), " 0.00390625 ", false}, ++ {float32(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {float64(1.0), " 1 ", false}, ++ {float64(-1.0), " -1 ", false}, ++ {float64(0.5), " 0.5 ", false}, ++ {float64(-0.5), " -0.5 ", false}, ++ {float64(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {"", `""`, false}, ++ {"foo", `"foo"`, false}, + // Newlines. +- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, ++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false}, + // "\v" == "v" on IE 6 so use "\u000b" instead. 
+- {"\t\x0b", `"\t\u000b"`}, +- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, +- {[]interface{}{}, "[]"}, +- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`}, +- {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`}, +- {"<!--", `"\u003c!--"`}, +- {"-->", `"--\u003e"`}, +- {"<![CDATA[", `"\u003c![CDATA["`}, +- {"]]>", `"]]\u003e"`}, +- {"</script", `"\u003c/script"`}, +- {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E" +- {nil, " null "}, ++ {"\t\x0b", `"\t\u000b"`, false}, ++ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false}, ++ {[]any{}, "[]", false}, ++ {[]any{42, "foo", nil}, `[42,"foo",null]`, false}, ++ {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false}, ++ {"<!--", `"\u003c!--"`, false}, ++ {"-->", `"--\u003e"`, false}, ++ {"<![CDATA[", `"\u003c![CDATA["`, false}, ++ {"]]>", `"]]\u003e"`, false}, ++ {"</script", `"\u003c/script"`, false}, ++ {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E" ++ {nil, " null ", false}, ++ {&jsonErrType{}, " /* json: error calling MarshalJSON for type *template.jsonErrType: beep * / boop \\x3C/script blip \\x3C!-- */null ", true}, + } + + for _, test := range tests { + if js := jsValEscaper(test.x); js != test.js { + t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js) + } ++ if test.skipNest { ++ continue ++ } + // Make sure that escaping corner cases are not broken + // by nesting. + a := []interface{}{test.x} +-- +2.39.3 diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch new file mode 100644 index 0000000000..ff9ba18ec5 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch 
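Review bot: The two added `strings.ReplaceAll` calls in `jsValEscaper` match `</script` and `<!--` byte-for-byte, while HTML parsers match tag names without regard to case, so an error string from a custom `MarshalJSON` that spells the end tag in upper or mixed case is left unchanged in the emitted comment. Matching case-insensitively (for instance with a `(?i)` regular expression) and adding a mixed-case variant next to the `jsonErrType` test entry would close that gap; since this is a backport, it is worth checking whether a later upstream release already tightened this before diverging. Separately, `"errors"` is added ahead of `"bytes"` in the js_test.go import block, which gofmt would reorder. `jsValEscaper` starts and ends outside the hunk.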
@@ -0,0 +1,137 @@ +From f8d691d335c6ac14bcbae6886b5bf8ca8bf1e6a5 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 16 Mar 2023 14:18:04 -0700 +Subject: [PATCH 1/3] mime/multipart: avoid excessive copy buffer allocations + in ReadForm + +When copying form data to disk with io.Copy, +allocate only one copy buffer and reuse it rather than +creating two buffers per file (one from io.multiReader.WriteTo, +and a second one from os.File.ReadFrom). + +Thanks to Jakob Ackermann (@das7pad) for reporting this issue. + +For CVE-2023-24536 +For #59153 +For #59269 + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802453 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802395 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Change-Id: Ie405470c92abffed3356913b37d813e982c96c8b +Reviewed-on: https://go-review.googlesource.com/c/go/+/481983 +Run-TryBot: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Auto-Submit: Michael Knyszek <mknyszek@google.com> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> + +CVE: CVE-2023-24536 +Upstream-Status: Backport [ef41a4e2face45e580c5836eaebd51629fc23f15] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/mime/multipart/formdata.go | 15 +++++++-- + src/mime/multipart/formdata_test.go | 49 +++++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+), 3 deletions(-) + +diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go +index a7d4ca9..975dcb6 100644 +--- a/src/mime/multipart/formdata.go ++++ b/src/mime/multipart/formdata.go +@@ -84,6 +84,7 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + maxMemoryBytes = math.MaxInt64 + } + } ++ var copyBuf []byte + for { + p, err := 
r.nextPart(false, maxMemoryBytes) + if err == io.EOF { +@@ -147,14 +148,22 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + } + } + numDiskFiles++ +- size, err := io.Copy(file, io.MultiReader(&b, p)) ++ if _, err := file.Write(b.Bytes()); err != nil { ++ return nil, err ++ } ++ if copyBuf == nil { ++ copyBuf = make([]byte, 32*1024) // same buffer size as io.Copy uses ++ } ++ // os.File.ReadFrom will allocate its own copy buffer if we let io.Copy use it. ++ type writerOnly struct{ io.Writer } ++ remainingSize, err := io.CopyBuffer(writerOnly{file}, p, copyBuf) + if err != nil { + return nil, err + } + fh.tmpfile = file.Name() +- fh.Size = size ++ fh.Size = int64(b.Len()) + remainingSize + fh.tmpoff = fileOff +- fileOff += size ++ fileOff += fh.Size + if !combineFiles { + if err := file.Close(); err != nil { + return nil, err +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index 5cded71..f5b5608 100644 +--- a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -368,3 +368,52 @@ func testReadFormManyFiles(t *testing.T, distinct bool) { + t.Fatalf("temp dir contains %v files; want 0", len(names)) + } + } ++ ++func BenchmarkReadForm(b *testing.B) { ++ for _, test := range []struct { ++ name string ++ form func(fw *Writer, count int) ++ }{{ ++ name: "fields", ++ form: func(fw *Writer, count int) { ++ for i := 0; i < count; i++ { ++ w, _ := fw.CreateFormField(fmt.Sprintf("field%v", i)) ++ fmt.Fprintf(w, "value %v", i) ++ } ++ }, ++ }, { ++ name: "files", ++ form: func(fw *Writer, count int) { ++ for i := 0; i < count; i++ { ++ w, _ := fw.CreateFormFile(fmt.Sprintf("field%v", i), fmt.Sprintf("file%v", i)) ++ fmt.Fprintf(w, "value %v", i) ++ } ++ }, ++ }} { ++ b.Run(test.name, func(b *testing.B) { ++ for _, maxMemory := range []int64{ ++ 0, ++ 1 << 20, ++ } { ++ var buf bytes.Buffer ++ fw := NewWriter(&buf) ++ test.form(fw, 10) ++ if err := fw.Close(); err != nil { ++ b.Fatal(err) 
++ } ++ b.Run(fmt.Sprintf("maxMemory=%v", maxMemory), func(b *testing.B) { ++ b.ReportAllocs() ++ for i := 0; i < b.N; i++ { ++ fr := NewReader(bytes.NewReader(buf.Bytes()), fw.Boundary()) ++ form, err := fr.ReadForm(maxMemory) ++ if err != nil { ++ b.Fatal(err) ++ } ++ form.RemoveAll() ++ } ++ ++ }) ++ } ++ }) ++ } ++} +-- +2.35.5 + diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_2.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_2.patch new file mode 100644 index 0000000000..704a1fb567 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_2.patch 
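Review bot: In the formdata.go hunk, `remainingSize` holds the number of bytes `io.CopyBuffer` copied from `p`, not something remaining, and `fh.Size = int64(b.Len()) + remainingSize` is only correct because `b.Bytes()` does not drain the buffer before `b.Len()` is read. A name such as `copied` and a short comment like `// b still holds the already-read prefix; Bytes() does not consume it` would protect the `fh.Size` and `fileOff` accounting from a later switch to a draining write. The declaration of `b` is outside the hunk, so this assumes it is a `bytes.Buffer`; `readForm` itself starts and ends outside the hunk.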
@@ -0,0 +1,187 @@ +From 4174a87b600c58e8cc00d9d18d0c507c67ca5d41 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 16 Mar 2023 16:56:12 -0700 +Subject: [PATCH 2/3] net/textproto, mime/multipart: improve accounting of + non-file data + +For requests containing large numbers of small parts, +memory consumption of a parsed form could be about 250% +over the estimated size. + +When considering the size of parsed forms, account for the size of +FileHeader structs and increase the estimate of memory consumed by +map entries. + +Thanks to Jakob Ackermann (@das7pad) for reporting this issue. + +For CVE-2023-24536 +For #59153 +For #59269 + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802454 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802396 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Change-Id: I31bc50e9346b4eee6fbe51a18c3c57230cc066db +Reviewed-on: https://go-review.googlesource.com/c/go/+/481984 +Reviewed-by: Matthew Dempsky <mdempsky@google.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> + +CVE: CVE-2023-24536 +Upstream-Status: Backport [7a359a651c7ebdb29e0a1c03102fce793e9f58f0] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/mime/multipart/formdata.go | 9 +++-- + src/mime/multipart/formdata_test.go | 55 ++++++++++++----------------- + src/net/textproto/reader.go | 8 ++++- + 3 files changed, 37 insertions(+), 35 deletions(-) + +diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go +index 975dcb6..3f6ff69 100644 +--- a/src/mime/multipart/formdata.go ++++ b/src/mime/multipart/formdata.go +@@ -103,8 +103,9 @@ func (r *Reader) 
readForm(maxMemory int64) (_ *Form, err error) { + // Multiple values for the same key (one map entry, longer slice) are cheaper + // than the same number of values for different keys (many map entries), but + // using a consistent per-value cost for overhead is simpler. ++ const mapEntryOverhead = 200 + maxMemoryBytes -= int64(len(name)) +- maxMemoryBytes -= 100 // map overhead ++ maxMemoryBytes -= mapEntryOverhead + if maxMemoryBytes < 0 { + // We can't actually take this path, since nextPart would already have + // rejected the MIME headers for being too large. Check anyway. +@@ -128,7 +129,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + } + + // file, store in memory or on disk ++ const fileHeaderSize = 100 + maxMemoryBytes -= mimeHeaderSize(p.Header) ++ maxMemoryBytes -= mapEntryOverhead ++ maxMemoryBytes -= fileHeaderSize + if maxMemoryBytes < 0 { + return nil, ErrMessageTooLarge + } +@@ -183,9 +187,10 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + } + + func mimeHeaderSize(h textproto.MIMEHeader) (size int64) { ++ size = 400 + for k, vs := range h { + size += int64(len(k)) +- size += 100 // map entry overhead ++ size += 200 // map entry overhead + for _, v := range vs { + size += int64(len(v)) + } +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index f5b5608..8ed26e0 100644 +--- a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -192,10 +192,10 @@ func (r *failOnReadAfterErrorReader) Read(p []byte) (n int, err error) { + // TestReadForm_NonFileMaxMemory asserts that the ReadForm maxMemory limit is applied + // while processing non-file form data as well as file form data. 
+ func TestReadForm_NonFileMaxMemory(t *testing.T) { +- n := 10<<20 + 25 + if testing.Short() { +- n = 10<<10 + 25 ++ t.Skip("skipping in -short mode") + } ++ n := 10 << 20 + largeTextValue := strings.Repeat("1", n) + message := `--MyBoundary + Content-Disposition: form-data; name="largetext" +@@ -203,38 +203,29 @@ Content-Disposition: form-data; name="largetext" + ` + largeTextValue + ` + --MyBoundary-- + ` +- + testBody := strings.ReplaceAll(message, "\n", "\r\n") +- testCases := []struct { +- name string +- maxMemory int64 +- err error +- }{ +- {"smaller", 50 + int64(len("largetext")) + 100, nil}, +- {"exact-fit", 25 + int64(len("largetext")) + 100, nil}, +- {"too-large", 0, ErrMessageTooLarge}, +- } +- for _, tc := range testCases { +- t.Run(tc.name, func(t *testing.T) { +- if tc.maxMemory == 0 && testing.Short() { +- t.Skip("skipping in -short mode") +- } +- b := strings.NewReader(testBody) +- r := NewReader(b, boundary) +- f, err := r.ReadForm(tc.maxMemory) +- if err == nil { +- defer f.RemoveAll() +- } +- if tc.err != err { +- t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err) +- } +- if err == nil { +- if g := f.Value["largetext"][0]; g != largeTextValue { +- t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue)) +- } +- } +- }) ++ // Try parsing the form with increasing maxMemory values. ++ // Changes in how we account for non-file form data may cause the exact point ++ // where we change from rejecting the form as too large to accepting it to vary, ++ // but we should see both successes and failures. 
++ const failWhenMaxMemoryLessThan = 128 ++ for maxMemory := int64(0); maxMemory < failWhenMaxMemoryLessThan*2; maxMemory += 16 { ++ b := strings.NewReader(testBody) ++ r := NewReader(b, boundary) ++ f, err := r.ReadForm(maxMemory) ++ if err != nil { ++ continue ++ } ++ if g := f.Value["largetext"][0]; g != largeTextValue { ++ t.Errorf("largetext mismatch: got size: %v, expected size: %v", len(g), len(largeTextValue)) ++ } ++ f.RemoveAll() ++ if maxMemory < failWhenMaxMemoryLessThan { ++ t.Errorf("ReadForm(%v): no error, expect to hit memory limit when maxMemory < %v", maxMemory, failWhenMaxMemoryLessThan) ++ } ++ return + } ++ t.Errorf("ReadForm(x) failed for x < 1024, expect success") + } + + // TestReadForm_MetadataTooLarge verifies that we account for the size of field names, +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index fcbede8..9af4c49 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -503,6 +503,12 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + + m := make(MIMEHeader, hint) + ++ // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry. ++ // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large ++ // MIMEHeaders average about 200 bytes per entry. ++ lim -= 400 ++ const mapEntryOverhead = 200 ++ + // The first line cannot start with a leading space. + if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') { + line, err := r.readLineSlice() +@@ -552,7 +558,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + vv := m[key] + if vv == nil { + lim -= int64(len(key)) +- lim -= 100 // map entry overhead ++ lim -= mapEntryOverhead + } + lim -= int64(len(value)) + if lim < 0 { +-- +2.35.5 + diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_3.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_3.patch new file mode 100644 index 0000000000..6de04e9a61 --- /dev/null 
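Review bot: The final failure message in `TestReadForm_NonFileMaxMemory`, `ReadForm(x) failed for x < 1024, expect success`, does not match the loop above it, which stops at `failWhenMaxMemoryLessThan*2` (256). Deriving the bound from the constant keeps the two in step: `t.Errorf("ReadForm(x) failed for x < %v, expect success", failWhenMaxMemoryLessThan*2)`. In formdata.go the same patch introduces `mapEntryOverhead` inside `readForm`, but `mimeHeaderSize` still uses the bare literals `400` and `200`, and reader.go repeats both values; naming them once per package would make the accounting that enforces the memory limit easier to audit when the estimates are revised.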
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24536_3.patch 
@@ -0,0 +1,349 @@ +From ec763bc936f76cec0fe71a791c6bb7d4ac5f3e46 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Mon, 20 Mar 2023 10:43:19 -0700 +Subject: [PATCH 3/3] mime/multipart: limit parsed mime message sizes + +The parsed forms of MIME headers and multipart forms can consume +substantially more memory than the size of the input data. +A malicious input containing a very large number of headers or +form parts can cause excessively large memory allocations. + +Set limits on the size of MIME data: + +Reader.NextPart and Reader.NextRawPart limit the the number +of headers in a part to 10000. + +Reader.ReadForm limits the total number of headers in all +FileHeaders to 10000. + +Both of these limits may be set with with +GODEBUG=multipartmaxheaders=<values>. + +Reader.ReadForm limits the number of parts in a form to 1000. +This limit may be set with GODEBUG=multipartmaxparts=<value>. + +Thanks for Jakob Ackermann (@das7pad) for reporting this issue. + +For CVE-2023-24536 +For #59153 +For #59269 + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802455 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1801087 +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Change-Id: If134890d75f0d95c681d67234daf191ba08e6424 +Reviewed-on: https://go-review.googlesource.com/c/go/+/481985 +Run-TryBot: Michael Knyszek <mknyszek@google.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> + +CVE: CVE-2023-24536 +Upstream-Status: Backport [7917b5f31204528ea72e0629f0b7d52b35b27538] +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/mime/multipart/formdata.go | 19 ++++++++- + 
src/mime/multipart/formdata_test.go | 61 ++++++++++++++++++++++++++++ + src/mime/multipart/multipart.go | 31 ++++++++++---- + src/mime/multipart/readmimeheader.go | 2 +- + src/net/textproto/reader.go | 19 +++++---- + 5 files changed, 115 insertions(+), 17 deletions(-) + +diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go +index 3f6ff69..4f26aab 100644 +--- a/src/mime/multipart/formdata.go ++++ b/src/mime/multipart/formdata.go +@@ -12,6 +12,7 @@ import ( + "math" + "net/textproto" + "os" ++ "strconv" + ) + + // ErrMessageTooLarge is returned by ReadForm if the message form +@@ -41,6 +42,15 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + numDiskFiles := 0 + multipartFiles := godebug.Get("multipartfiles") + combineFiles := multipartFiles != "distinct" ++ maxParts := 1000 ++ multipartMaxParts := godebug.Get("multipartmaxparts") ++ if multipartMaxParts != "" { ++ if v, err := strconv.Atoi(multipartMaxParts); err == nil && v >= 0 { ++ maxParts = v ++ } ++ } ++ maxHeaders := maxMIMEHeaders() ++ + defer func() { + if file != nil { + if cerr := file.Close(); err == nil { +@@ -86,13 +96,17 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + } + var copyBuf []byte + for { +- p, err := r.nextPart(false, maxMemoryBytes) ++ p, err := r.nextPart(false, maxMemoryBytes, maxHeaders) + if err == io.EOF { + break + } + if err != nil { + return nil, err + } ++ if maxParts <= 0 { ++ return nil, ErrMessageTooLarge ++ } ++ maxParts-- + + name := p.FormName() + if name == "" { +@@ -136,6 +150,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + if maxMemoryBytes < 0 { + return nil, ErrMessageTooLarge + } ++ for _, v := range p.Header { ++ maxHeaders -= int64(len(v)) ++ } + fh := &FileHeader{ + Filename: filename, + Header: p.Header, +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index 8ed26e0..c78eeb7 100644 +--- a/src/mime/multipart/formdata_test.go ++++ 
b/src/mime/multipart/formdata_test.go +@@ -360,6 +360,67 @@ func testReadFormManyFiles(t *testing.T, distinct bool) { + } + } + ++func TestReadFormLimits(t *testing.T) { ++ for _, test := range []struct { ++ values int ++ files int ++ extraKeysPerFile int ++ wantErr error ++ godebug string ++ }{ ++ {values: 1000}, ++ {values: 1001, wantErr: ErrMessageTooLarge}, ++ {values: 500, files: 500}, ++ {values: 501, files: 500, wantErr: ErrMessageTooLarge}, ++ {files: 1000}, ++ {files: 1001, wantErr: ErrMessageTooLarge}, ++ {files: 1, extraKeysPerFile: 9998}, // plus Content-Disposition and Content-Type ++ {files: 1, extraKeysPerFile: 10000, wantErr: ErrMessageTooLarge}, ++ {godebug: "multipartmaxparts=100", values: 100}, ++ {godebug: "multipartmaxparts=100", values: 101, wantErr: ErrMessageTooLarge}, ++ {godebug: "multipartmaxheaders=100", files: 2, extraKeysPerFile: 48}, ++ {godebug: "multipartmaxheaders=100", files: 2, extraKeysPerFile: 50, wantErr: ErrMessageTooLarge}, ++ } { ++ name := fmt.Sprintf("values=%v/files=%v/extraKeysPerFile=%v", test.values, test.files, test.extraKeysPerFile) ++ if test.godebug != "" { ++ name += fmt.Sprintf("/godebug=%v", test.godebug) ++ } ++ t.Run(name, func(t *testing.T) { ++ if test.godebug != "" { ++ t.Setenv("GODEBUG", test.godebug) ++ } ++ var buf bytes.Buffer ++ fw := NewWriter(&buf) ++ for i := 0; i < test.values; i++ { ++ w, _ := fw.CreateFormField(fmt.Sprintf("field%v", i)) ++ fmt.Fprintf(w, "value %v", i) ++ } ++ for i := 0; i < test.files; i++ { ++ h := make(textproto.MIMEHeader) ++ h.Set("Content-Disposition", ++ fmt.Sprintf(`form-data; name="file%v"; filename="file%v"`, i, i)) ++ h.Set("Content-Type", "application/octet-stream") ++ for j := 0; j < test.extraKeysPerFile; j++ { ++ h.Set(fmt.Sprintf("k%v", j), "v") ++ } ++ w, _ := fw.CreatePart(h) ++ fmt.Fprintf(w, "value %v", i) ++ } ++ if err := fw.Close(); err != nil { ++ t.Fatal(err) ++ } ++ fr := NewReader(bytes.NewReader(buf.Bytes()), fw.Boundary()) ++ form, err := 
fr.ReadForm(1 << 10) ++ if err == nil { ++ defer form.RemoveAll() ++ } ++ if err != test.wantErr { ++ t.Errorf("ReadForm = %v, want %v", err, test.wantErr) ++ } ++ }) ++ } ++} ++ + func BenchmarkReadForm(b *testing.B) { + for _, test := range []struct { + name string +diff --git a/src/mime/multipart/multipart.go b/src/mime/multipart/multipart.go +index 19fe0ea..80acabc 100644 +--- a/src/mime/multipart/multipart.go ++++ b/src/mime/multipart/multipart.go +@@ -16,11 +16,13 @@ import ( + "bufio" + "bytes" + "fmt" ++ "internal/godebug" + "io" + "mime" + "mime/quotedprintable" + "net/textproto" + "path/filepath" ++ "strconv" + "strings" + ) + +@@ -128,12 +130,12 @@ func (r *stickyErrorReader) Read(p []byte) (n int, _ error) { + return n, r.err + } + +-func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { ++func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize, maxMIMEHeaders int64) (*Part, error) { + bp := &Part{ + Header: make(map[string][]string), + mr: mr, + } +- if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil { ++ if err := bp.populateHeaders(maxMIMEHeaderSize, maxMIMEHeaders); err != nil { + return nil, err + } + bp.r = partReader{bp} +@@ -149,9 +151,9 @@ func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { + return bp, nil + } + +-func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error { ++func (bp *Part) populateHeaders(maxMIMEHeaderSize, maxMIMEHeaders int64) error { + r := textproto.NewReader(bp.mr.bufReader) +- header, err := readMIMEHeader(r, maxMIMEHeaderSize) ++ header, err := readMIMEHeader(r, maxMIMEHeaderSize, maxMIMEHeaders) + if err == nil { + bp.Header = header + } +@@ -313,6 +315,19 @@ type Reader struct { + // including header keys, values, and map overhead. 
+ const maxMIMEHeaderSize = 10 << 20 + ++func maxMIMEHeaders() int64 { ++ // multipartMaxHeaders is the maximum number of header entries NextPart will return, ++ // as well as the maximum combined total of header entries Reader.ReadForm will return ++ // in FileHeaders. ++ multipartMaxHeaders := godebug.Get("multipartmaxheaders") ++ if multipartMaxHeaders != "" { ++ if v, err := strconv.ParseInt(multipartMaxHeaders, 10, 64); err == nil && v >= 0 { ++ return v ++ } ++ } ++ return 10000 ++} ++ + // NextPart returns the next part in the multipart or an error. + // When there are no more parts, the error io.EOF is returned. + // +@@ -320,7 +335,7 @@ const maxMIMEHeaderSize = 10 << 20 + // has a value of "quoted-printable", that header is instead + // hidden and the body is transparently decoded during Read calls. + func (r *Reader) NextPart() (*Part, error) { +- return r.nextPart(false, maxMIMEHeaderSize) ++ return r.nextPart(false, maxMIMEHeaderSize, maxMIMEHeaders()) + } + + // NextRawPart returns the next part in the multipart or an error. +@@ -329,10 +344,10 @@ func (r *Reader) NextPart() (*Part, error) { + // Unlike NextPart, it does not have special handling for + // "Content-Transfer-Encoding: quoted-printable". 
+ func (r *Reader) NextRawPart() (*Part, error) { +- return r.nextPart(true, maxMIMEHeaderSize) ++ return r.nextPart(true, maxMIMEHeaderSize, maxMIMEHeaders()) + } + +-func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { ++func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize, maxMIMEHeaders int64) (*Part, error) { + if r.currentPart != nil { + r.currentPart.Close() + } +@@ -357,7 +372,7 @@ func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) + + if r.isBoundaryDelimiterLine(line) { + r.partsRead++ +- bp, err := newPart(r, rawPart, maxMIMEHeaderSize) ++ bp, err := newPart(r, rawPart, maxMIMEHeaderSize, maxMIMEHeaders) + if err != nil { + return nil, err + } +diff --git a/src/mime/multipart/readmimeheader.go b/src/mime/multipart/readmimeheader.go +index 6836928..25aa6e2 100644 +--- a/src/mime/multipart/readmimeheader.go ++++ b/src/mime/multipart/readmimeheader.go +@@ -11,4 +11,4 @@ import ( + // readMIMEHeader is defined in package net/textproto. + // + //go:linkname readMIMEHeader net/textproto.readMIMEHeader +-func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error) ++func readMIMEHeader(r *textproto.Reader, maxMemory, maxHeaders int64) (textproto.MIMEHeader, error) +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index 9af4c49..c6569c8 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -483,12 +483,12 @@ func (r *Reader) ReadDotLines() ([]string, error) { + // } + // + func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) { +- return readMIMEHeader(r, math.MaxInt64) ++ return readMIMEHeader(r, math.MaxInt64, math.MaxInt64) + } + + // readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size. + // It is called by the mime/multipart package. 
+-func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { ++func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) { + // Avoid lots of small slice allocations later by allocating one + // large one ahead of time which we'll cut up into smaller + // slices. If this isn't big enough later, we allocate small ones. +@@ -506,7 +506,7 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + // Account for 400 bytes of overhead for the MIMEHeader, plus 200 bytes per entry. + // Benchmarking map creation as of go1.20, a one-entry MIMEHeader is 416 bytes and large + // MIMEHeaders average about 200 bytes per entry. +- lim -= 400 ++ maxMemory -= 400 + const mapEntryOverhead = 200 + + // The first line cannot start with a leading space. +@@ -538,6 +538,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + continue + } + ++ maxHeaders-- ++ if maxHeaders < 0 { ++ return nil, errors.New("message too large") ++ } ++ + // backport 5c55ac9bf1e5f779220294c843526536605f42ab + // + // value is computed as +@@ -557,11 +562,11 @@ func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + + vv := m[key] + if vv == nil { +- lim -= int64(len(key)) +- lim -= mapEntryOverhead ++ maxMemory -= int64(len(key)) ++ maxMemory -= mapEntryOverhead + } +- lim -= int64(len(value)) +- if lim < 0 { ++ maxMemory -= int64(len(value)) ++ if maxMemory < 0 { + // TODO: This should be a distinguishable error (ErrMessageTooLarge) + // to allow mime/multipart to detect it. + return m, errors.New("message too large") +-- +2.35.5 + diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch new file mode 100644 index 0000000000..7e6e871e38 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch 
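Review bot: The header-count limit added to readMIMEHeader returns `nil, errors.New("message too large")`, while the existing size limit a few lines below returns `m, errors.New("message too large")`. The two limits therefore differ in whether a partial header comes back, and each builds its own error from the same literal. Returning one package-level value from both sites, `var errMessageTooLarge = errors.New("message too large")`, would keep them in step and give callers a single value to compare against, which is what the TODO at the size check asks for. Without it a caller cannot cleanly tell a limit rejection from a malformed header when deciding what to log or which status to return. readMIMEHeader starts and ends outside these hunks, so any caller that matches on the message text is not visible here.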
@@ -0,0 +1,93 @@ +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Tue, 11 Apr 2023 16:27:43 +0100 +Subject: [PATCH] html/template: handle all JS whitespace characters + +Rather than just a small set. Character class as defined by \s [0]. + +Thanks to Juho Nurminen of Mattermost for reporting this. + +For #59721 +Fixes #59813 +Fixes CVE-2023-24540 + +[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes + +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Reviewed-by: Carlos Amedee <carlos@golang.org> +TryBot-Bypass: Carlos Amedee <carlos@golang.org> +Run-TryBot: Carlos Amedee <carlos@golang.org> + +CVE: CVE-2023-24540 +Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/html/template/js.go | 8 +++++++- + src/html/template/js_test.go | 11 +++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index b888eaf..35994f0 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -13,6 +13,11 @@ import ( + "unicode/utf8" + ) + ++// jsWhitespace contains all of the JS whitespace characters, as defined ++// by the \s character class. 
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. ++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" ++ + // nextJSCtx returns the context that determines whether a slash after the + // given run of tokens starts a regular expression instead of a division + // operator: / or /=. +@@ -26,7 +31,8 @@ import ( + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: + // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") ++ // Trim all JS whitespace characters ++ s = bytes.TrimRight(s, jsWhitespace) + if len(s) == 0 { + return preceding + } +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index d7ee47b..8f5d76d 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) { + {jsCtxDivOp, "0"}, + // Dots that are part of a number are div preceders. + {jsCtxDivOp, "0."}, ++ // Some JS interpreters treat NBSP as a normal space, so ++ // we must too in order to properly escape things. ++ {jsCtxRegexp, "=\u00A0"}, + } + + for _, test := range tests { +- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } +- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } + } + +-- +2.40.0 + 
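Review bot: The test change in TestNextJsCtx adds a single case, `{jsCtxRegexp, "=\u00A0"}`, although `jsWhitespace` now lists about two dozen code points, so a typo or a later edit to the constant would go unnoticed for every character except NBSP. I would add a loop over the constant itself: `for _, r := range jsWhitespace { if ctx := nextJSCtx([]byte("="+string(r)), jsCtxDivOp); ctx != jsCtxRegexp { t.Errorf("%U: got %s", r, ctx) } }`. Because the escaper's context decision depends on this trim, each character deserves its own regression check. The test function starts outside the hunk.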
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch
new file mode 100644
index 0000000000..bf1fbbe0d6
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch
@@ -0,0 +1,194 @@ +From 4dae3bbe0e6a5700037bb996ae84d6f457c4f58a Mon Sep 17 00:00:00 2001 +From: Bryan C. Mills <bcmills@google.com> +Date: Fri, 12 May 2023 14:15:16 -0400 +Subject: [PATCH] cmd/go: disallow package directories containing newlines + +Directory or file paths containing newlines may cause tools (such as +cmd/cgo) that emit "//line" or "#line" -directives to write part of +the path into non-comment lines in generated source code. If those +lines contain valid Go code, it may be injected into the resulting +binary. + +(Note that Go import paths and file paths within module zip files +already could not contain newlines.) + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes #60167. +Fixes CVE-2023-29402. + +Change-Id: I64572e9f454bce7b685d00e2e6a1c96cd33d53df +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1882606 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Russ Cox <rsc@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/501226 +Run-TryBot: David Chase <drchase@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/4dae3bbe0e6a5700037bb996ae84d6f457c4f58a] +CVE: CVE-2023-29402 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + src/cmd/go/internal/load/pkg.go | 4 + + src/cmd/go/internal/work/exec.go | 6 ++ + src/cmd/go/script_test.go | 1 + + .../go/testdata/script/build_cwd_newline.txt | 100 ++++++++++++++++++ + 4 files changed, 111 insertions(+) + create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt + +diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go +index a83cc9a..d4da86d 100644 +--- a/src/cmd/go/internal/load/pkg.go ++++ b/src/cmd/go/internal/load/pkg.go +@@ -1897,6 
+1897,10 @@ func (p *Package) load(ctx context.Context, opts PackageOpts, path string, stk * + setError(fmt.Errorf("invalid input directory name %q", name)) + return + } ++ if strings.ContainsAny(p.Dir, "\r\n") { ++ setError(fmt.Errorf("invalid package directory %q", p.Dir)) ++ return ++ } + + // Build list of imported packages and full dependency list. + imports := make([]*Package, 0, len(p.Imports)) +diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go +index b35caa4..b1bf347 100644 +--- a/src/cmd/go/internal/work/exec.go ++++ b/src/cmd/go/internal/work/exec.go +@@ -505,6 +505,12 @@ func (b *Builder) build(ctx context.Context, a *Action) (err error) { + b.Print(a.Package.ImportPath + "\n") + } + ++ if p.Error != nil { ++ // Don't try to build anything for packages with errors. There may be a ++ // problem with the inputs that makes the package unsafe to build. ++ return p.Error ++ } ++ + if a.Package.BinaryOnly { + p.Stale = true + p.StaleReason = "binary-only packages are no longer supported" +diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go +index c0156d0..ce4ff37 100644 +--- a/src/cmd/go/script_test.go ++++ b/src/cmd/go/script_test.go +@@ -182,6 +182,7 @@ func (ts *testScript) setup() { + "devnull=" + os.DevNull, + "goversion=" + goVersion(ts), + ":=" + string(os.PathListSeparator), ++ "newline=\n", + } + if !testenv.HasExternalNetwork() { + ts.env = append(ts.env, "TESTGONETWORK=panic", "TESTGOVCS=panic") +diff --git a/src/cmd/go/testdata/script/build_cwd_newline.txt b/src/cmd/go/testdata/script/build_cwd_newline.txt +new file mode 100644 +index 0000000..61c6966 +--- /dev/null ++++ b/src/cmd/go/testdata/script/build_cwd_newline.txt +@@ -0,0 +1,100 @@ ++[windows] skip 'filesystem normalizes / to \' ++[plan9] skip 'filesystem disallows \n in paths' ++ ++# If the directory path containing a package to be built includes a newline, ++# the go command should refuse to even try to build the package. 
++ ++env DIR=$WORK${/}${newline}'package main'${newline}'func main() { panic("uh-oh")'${newline}'/*' ++ ++mkdir $DIR ++cd $DIR ++exec pwd ++cp $WORK/go.mod ./go.mod ++cp $WORK/main.go ./main.go ++cp $WORK/main_test.go ./main_test.go ++ ++! go build -o $devnull . ++stderr 'package example: invalid package directory .*uh-oh' ++ ++! go build -o $devnull main.go ++stderr 'package command-line-arguments: invalid package directory .*uh-oh' ++ ++! go run . ++stderr 'package example: invalid package directory .*uh-oh' ++ ++! go run main.go ++stderr 'package command-line-arguments: invalid package directory .*uh-oh' ++ ++! go test . ++stderr 'package example: invalid package directory .*uh-oh' ++ ++! go test -v main.go main_test.go ++stderr 'package command-line-arguments: invalid package directory .*uh-oh' ++ ++ ++# Since we do preserve $PWD (or set it appropriately) for commands, and we do ++# not resolve symlinks unnecessarily, referring to the contents of the unsafe ++# directory via a safe symlink should be ok, and should not inject the data from ++# the symlink target path. ++ ++[!symlink] stop 'remainder of test checks symlink behavior' ++[short] stop 'links and runs binaries' ++ ++symlink $WORK${/}link -> $DIR ++ ++go run $WORK${/}link${/}main.go ++! stdout panic ++! stderr panic ++stderr '^ok$' ++ ++go test -v $WORK${/}link${/}main.go $WORK${/}link${/}main_test.go ++! stdout panic ++! stderr panic ++stdout '^ok$' # 'go test' combines the test's stdout into stderr ++ ++cd $WORK/link ++ ++! go run $DIR${/}main.go ++stderr 'package command-line-arguments: invalid package directory .*uh-oh' ++ ++go run . ++! stdout panic ++! stderr panic ++stderr '^ok$' ++ ++go run main.go ++! stdout panic ++! stderr panic ++stderr '^ok$' ++ ++go test -v ++! stdout panic ++! stderr panic ++stdout '^ok$' # 'go test' combines the test's stdout into stderr ++ ++go test -v . ++! stdout panic ++! 
stderr panic ++stdout '^ok$' # 'go test' combines the test's stdout into stderr ++ ++ ++-- $WORK/go.mod -- ++module example ++go 1.19 ++-- $WORK/main.go -- ++package main ++ ++import "C" ++ ++func main() { ++ /* nothing here */ ++ println("ok") ++} ++-- $WORK/main_test.go -- ++package main ++ ++import "testing" ++ ++func TestMain(*testing.M) { ++ main() ++} +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch new file mode 100644 index 0000000000..c6beced884 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch 
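Review bot: The new `strings.ContainsAny(p.Dir, "\r\n")` check in Package.load has no comment saying why CR and LF are singled out, and the reason is not obvious at that spot. I would add above it `// Tools such as cmd/cgo copy the directory into //line and #line directives; a CR or LF there would end the directive and put the rest of the path on a non-comment line.` The same applies to the `p.Error` early return in Builder.build, where the existing comment could name this check as the case it guards. Both functions start and end outside the hunks. The script test is skipped on windows and plan9, so the rejection is only exercised on the remaining platforms.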
@@ -0,0 +1,78 @@ +From bbeb55f5faf93659e1cfd6ab073ab3c9d126d195 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Fri, 5 May 2023 13:10:34 -0700 +Subject: [PATCH] cmd/go: enforce flags with non-optional arguments + +Enforce that linker flags which expect arguments get them, otherwise it +may be possible to smuggle unexpected flags through as the linker can +consume what looks like a flag as an argument to a preceding flag (i.e. +"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be +somewhat more restrictive in the general format of some flags. + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes #60305 +Fixes CVE-2023-29404 + +Change-Id: I913df78a692cee390deefc3cd7d8f5b031524fc9 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1876275 +Reviewed-by: Ian Lance Taylor <iant@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/501225 +Run-TryBot: David Chase <drchase@google.com> +Reviewed-by: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/bbeb55f5faf93659e1cfd6ab073ab3c9d126d195] +CVE: CVE-2023-29404 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + src/cmd/go/internal/work/security.go | 6 +++--- + src/cmd/go/internal/work/security_test.go | 5 +++++ + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/cmd/go/internal/work/security.go b/src/cmd/go/internal/work/security.go +index e9b9f6c..91e6e4c 100644 +--- a/src/cmd/go/internal/work/security.go ++++ b/src/cmd/go/internal/work/security.go +@@ -179,10 +179,10 @@ var validLinkerFlags = []*lazyregexp.Regexp{ + re(`-Wl,-berok`), + re(`-Wl,-Bstatic`), + re(`-Wl,-Bsymbolic-functions`), +- re(`-Wl,-O([^@,\-][^,]*)?`), ++ re(`-Wl,-O[0-9]+`), + re(`-Wl,-d[ny]`), + re(`-Wl,--disable-new-dtags`), +- 
re(`-Wl,-e[=,][a-zA-Z0-9]*`), ++ re(`-Wl,-e[=,][a-zA-Z0-9]+`), + re(`-Wl,--enable-new-dtags`), + re(`-Wl,--end-group`), + re(`-Wl,--(no-)?export-dynamic`), +@@ -191,7 +191,7 @@ var validLinkerFlags = []*lazyregexp.Regexp{ + re(`-Wl,--hash-style=(sysv|gnu|both)`), + re(`-Wl,-headerpad_max_install_names`), + re(`-Wl,--no-undefined`), +- re(`-Wl,-R([^@\-][^,@]*$)`), ++ re(`-Wl,-R,?([^@\-,][^,@]*$)`), + re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`), + re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`), + re(`-Wl,-s`), +diff --git a/src/cmd/go/internal/work/security_test.go b/src/cmd/go/internal/work/security_test.go +index 8d4be0a..3616548 100644 +--- a/src/cmd/go/internal/work/security_test.go ++++ b/src/cmd/go/internal/work/security_test.go +@@ -227,6 +227,11 @@ var badLinkerFlags = [][]string{ + {"-Wl,-R,@foo"}, + {"-Wl,--just-symbols,@foo"}, + {"../x.o"}, ++ {"-Wl,-R,"}, ++ {"-Wl,-O"}, ++ {"-Wl,-e="}, ++ {"-Wl,-e,"}, ++ {"-Wl,-R,-flag"}, + } + + func TestCheckLinkerFlags(t *testing.T) { +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch new file mode 100644 index 0000000000..d806e1e67d --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch 
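Review bot: The test change in security_test.go adds only rejected cases to `badLinkerFlags`. Nothing visible pins the forms that the tightened patterns `-Wl,-O[0-9]+`, `-Wl,-e[=,][a-zA-Z0-9]+` and `-Wl,-R,?(...)` are still meant to accept. If the accepted-flags table (outside this hunk) does not already contain them, I would add entries such as `{"-Wl,-O2"}`, `{"-Wl,-e,main"}` and `{"-Wl,-R,/foo"}`. With both sides covered, a later edit that loosens or over-tightens one of these allowlist expressions fails a test instead of surfacing as a build break or a bypass.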
@@ -0,0 +1,109 @@ +From 6d8af00a630aa51134e54f0f321658621c6410f0 Mon Sep 17 00:00:00 2001 +From: Ian Lance Taylor <iant@golang.org> +Date: Thu, 4 May 2023 14:06:39 -0700 +Subject: [PATCH] cmd/go,cmd/cgo: in _cgo_flags use one line per flag + +The flags that we recorded in _cgo_flags did not use any quoting, +so a flag containing embedded spaces was mishandled. +Change the _cgo_flags format to put each flag on a separate line. +That is a simple format that does not require any quoting. + +As far as I can tell only cmd/go uses _cgo_flags, and it is only +used for gccgo. If this patch doesn't cause any trouble, then +in the next release we can change to only using _cgo_flags for gccgo. + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes #60306 +Fixes CVE-2023-29405 + +Change-Id: I81fb5337db8a22e1f4daca22ceff4b79b96d0b4f +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1875094 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/501224 +Reviewed-by: Ian Lance Taylor <iant@google.com> +Run-TryBot: David Chase <drchase@google.com> +Reviewed-by: Michael Knyszek <mknyszek@google.com> +Reviewed-by: Roland Shoemaker <roland@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0] +CVE: CVE-2023-29405 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + src/cmd/cgo/out.go | 4 +++- + src/cmd/go/internal/work/gccgo.go | 14 ++++++------- + .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++++++++++++++++++ + 3 files changed, 29 insertions(+), 9 deletions(-) + create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt + +diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go +index 94152f4..62e6528 100644 +--- a/src/cmd/cgo/out.go ++++ b/src/cmd/cgo/out.go +@@ -47,7 +47,9 @@ func (p 
*Package) writeDefs() { + + fflg := creat(*objDir + "_cgo_flags") + for k, v := range p.CgoFlags { +- fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " ")) ++ for _, arg := range v { ++ fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg) ++ } + if k == "LDFLAGS" && !*gccgo { + for _, arg := range v { + fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg) +diff --git a/src/cmd/go/internal/work/gccgo.go b/src/cmd/go/internal/work/gccgo.go +index 1499536..bb4be2f 100644 +--- a/src/cmd/go/internal/work/gccgo.go ++++ b/src/cmd/go/internal/work/gccgo.go +@@ -283,14 +283,12 @@ func (tools gccgoToolchain) link(b *Builder, root *Action, out, importcfg string + const ldflagsPrefix = "_CGO_LDFLAGS=" + for _, line := range strings.Split(string(flags), "\n") { + if strings.HasPrefix(line, ldflagsPrefix) { +- newFlags := strings.Fields(line[len(ldflagsPrefix):]) +- for _, flag := range newFlags { +- // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS +- // but they don't mean anything to the linker so filter +- // them out. +- if flag != "-g" && !strings.HasPrefix(flag, "-O") { +- cgoldflags = append(cgoldflags, flag) +- } ++ flag := line[len(ldflagsPrefix):] ++ // Every _cgo_flags file has -g and -O2 in _CGO_LDFLAGS ++ // but they don't mean anything to the linker so filter ++ // them out. ++ if flag != "-g" && !strings.HasPrefix(flag, "-O") { ++ cgoldflags = append(cgoldflags, flag) + } + } + } +diff --git a/src/cmd/go/testdata/script/gccgo_link_ldflags.txt b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt +new file mode 100644 +index 0000000..4e91ae5 +--- /dev/null ++++ b/src/cmd/go/testdata/script/gccgo_link_ldflags.txt +@@ -0,0 +1,20 @@ ++# Test that #cgo LDFLAGS are properly quoted. ++# The #cgo LDFLAGS below should pass a string with spaces to -L, ++# as though searching a directory with a space in its name. ++# It should not pass --nosuchoption to the external linker. 
++ ++[!cgo] skip ++ ++go build ++ ++[!exec:gccgo] skip ++ ++go build -compiler gccgo ++ ++-- go.mod -- ++module m ++-- cgo.go -- ++package main ++// #cgo LDFLAGS: -L "./ -Wl,--nosuchoption" ++import "C" ++func main() {} +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch new file mode 100644 index 0000000000..38451f7555 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch 
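Review bot: The rewritten reader in gccgoToolchain.link takes `line[len(ldflagsPrefix):]` as one flag, so an empty value is now appended to `cgoldflags`, where the old `strings.Fields` call dropped it. Whether an empty entry can reach `p.CgoFlags` is not visible here, but the guard is cheap: `if flag != "" && flag != "-g" && !strings.HasPrefix(flag, "-O") {`. The one-flag-per-line format also relies on no flag containing a newline, since the reader splits on "\n" and treats every `_CGO_LDFLAGS=` line as a flag. I would state that assumption in a comment at the `fmt.Fprintf` in writeDefs, or check it there. Both functions start and end outside the hunks.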
@@ -0,0 +1,175 @@ +From 2300f7ef07718f6be4d8aa8486c7de99836e233f Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Wed, 23 Aug 2023 12:03:43 +0000 +Subject: [PATCH] crypto/tls: restrict RSA keys in certificates to <= 8192 bits + +Extremely large RSA keys in certificate chains can cause a client/server +to expend significant CPU time verifying signatures. Limit this by +restricting the size of RSA keys transmitted during handshakes to <= +8192 bits. + +Based on a survey of publicly trusted RSA keys, there are currently only +three certificates in circulation with keys larger than this, and all +three appear to be test certificates that are not actively deployed. It +is possible there are larger keys in use in private PKIs, but we target +the web PKI, so causing breakage here in the interests of increasing the +default safety of users of crypto/tls seems reasonable. + +Thanks to Mateusz Poliwczak for reporting this issue. + +Updates #61460 +Fixes #61579 +Fixes CVE-2023-29409 + +Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1912161 +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1965487 +Reviewed-on: https://go-review.googlesource.com/c/go/+/514915 +Run-TryBot: David Chase <drchase@google.com> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> +TryBot-Bypass: David Chase <drchase@google.com> + +CVE: CVE-2023-29409 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/crypto/tls/handshake_client.go | 8 +++ + src/crypto/tls/handshake_client_test.go | 78 +++++++++++++++++++++++++ + 
src/crypto/tls/handshake_server.go | 4 ++ + 3 files changed, 90 insertions(+) + +diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go +index 85622f1..828d2cb 100644 +--- a/src/crypto/tls/handshake_client.go ++++ b/src/crypto/tls/handshake_client.go +@@ -852,6 +852,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error { + return nil + } + ++// maxRSAKeySize is the maximum RSA key size in bits that we are willing ++// to verify the signatures of during a TLS handshake. ++const maxRSAKeySize = 8192 ++ + // verifyServerCertificate parses and verifies the provided chain, setting + // c.verifiedChains and c.peerCertificates or sending the appropriate alert. + func (c *Conn) verifyServerCertificate(certificates [][]byte) error { +@@ -862,6 +866,10 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse certificate from server: " + err.Error()) + } ++ if cert.PublicKeyAlgorithm == x509.RSA && cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize { ++ c.sendAlert(alertBadCertificate) ++ return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ++ } + certs[i] = cert + } + +diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go +index 0228745..d581cb1 100644 +--- a/src/crypto/tls/handshake_client_test.go ++++ b/src/crypto/tls/handshake_client_test.go +@@ -2595,3 +2595,81 @@ func TestClientHandshakeContextCancellation(t *testing.T) { + t.Error("Client connection was not closed when the context was canceled") + } + } ++ ++// discardConn wraps a net.Conn but discards all writes, but reports that they happened. 
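Review bot: The new size check in `verifyServerCertificate` uses an unchecked type assertion, `cert.PublicKey.(*rsa.PublicKey)`, which would panic in the handshake path if a parsed certificate ever reported `x509.RSA` with a different key type. The x509 parser presumably guarantees the pairing today, but the comma-ok form costs nothing and keeps peer-supplied data away from a panic: `if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() > maxRSAKeySize {`. The same expression appears in the `processCertsFromClient` hunk in handshake_server.go. The function body continues outside the hunk.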
++type discardConn struct { ++ net.Conn ++} ++ ++func (dc *discardConn) Write(data []byte) (int, error) { ++ return len(data), nil ++} ++ ++// largeRSAKeyCertPEM contains a 8193 bit RSA key ++const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE----- ++MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0 ++aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH ++dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca ++n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur ++ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j ++gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0 ++WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4 ++qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9 ++sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo ++a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh ++t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp ++HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO ++Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8 ++3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3 ++1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G ++VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8 ++45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq ++dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH ++GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe ++V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn ++ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7 ++B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J ++l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW ++4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg ++kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK ++aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r 
++/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv ++qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ ++FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l ++Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds ++14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+ ++Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w ++5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg ++aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa ++Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28 ++DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu ++sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv ++rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j ++Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X ++KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F ++j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs ++6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ ++u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3 ++o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR ++9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X ++9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS ++u58= ++-----END CERTIFICATE-----` ++ ++func TestHandshakeRSATooBig(t *testing.T) { ++ testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM)) ++ ++ c := &Conn{conn: &discardConn{}, config: testConfig.Clone()} ++ ++ expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits" ++ err := c.verifyServerCertificate([][]byte{testCert.Bytes}) ++ if err == nil || err.Error() != expectedErr { ++ t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err) ++ } ++ ++ expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits" ++ err = 
c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}}) ++ if err == nil || err.Error() != expectedErr { ++ t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err) ++ } ++} +diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go +index 8d51e7e..a5d8f4a 100644 +--- a/src/crypto/tls/handshake_server.go ++++ b/src/crypto/tls/handshake_server.go +@@ -812,6 +812,10 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse client certificate: " + err.Error()) + } ++ if certs[i].PublicKeyAlgorithm == x509.RSA && certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize { ++ c.sendAlert(alertBadCertificate) ++ return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", maxRSAKeySize) ++ } + } + + if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) { +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.19/add_godebug.patch b/meta/recipes-devtools/go/go-1.19/add_godebug.patch new file mode 100644 index 0000000000..0c3d2d2855 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/add_godebug.patch 
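Review bot: `TestHandshakeRSATooBig` ignores a failed decode of its fixture: `pem.Decode` returns a nil block on malformed PEM, and the following `testCert.Bytes` would then panic instead of failing the test. Adding `if testCert == nil { t.Fatal("failed to decode largeRSAKeyCertPEM") }` right after the decode turns a corrupted fixture into a clear failure. The test also covers only the 8193-bit rejection; a case at exactly 8192 bits that does not produce the size error would pin the boundary of `maxRSAKeySize`.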
@@ -0,0 +1,84 @@ + +Upstream-Status: Backport [see text] + +https://github.com/golong/go.git as of commit 22c1d18a27... +Copy src/internal/godebug from go 1.19 since it does not +exist in 1.17. + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + +--- /dev/null ++++ go/src/internal/godebug/godebug.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// Package godebug parses the GODEBUG environment variable. ++package godebug ++ ++import "os" ++ ++// Get returns the value for the provided GODEBUG key. ++func Get(key string) string { ++ return get(os.Getenv("GODEBUG"), key) ++} ++ ++// get returns the value part of key=value in s (a GODEBUG value). ++func get(s, key string) string { ++ for i := 0; i < len(s)-len(key)-1; i++ { ++ if i > 0 && s[i-1] != ',' { ++ continue ++ } ++ afterKey := s[i+len(key):] ++ if afterKey[0] != '=' || s[i:i+len(key)] != key { ++ continue ++ } ++ val := afterKey[1:] ++ for i, b := range val { ++ if b == ',' { ++ return val[:i] ++ } ++ } ++ return val ++ } ++ return "" ++} +--- /dev/null ++++ go/src/internal/godebug/godebug_test.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. 
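Review bot: In `get`, the inner `for i, b := range val` reuses the name `i` of the outer scan index, and the outer bound `i < len(s)-len(key)-1` carries no explanation. Renaming the inner index (`for j, b := range val` with `return val[:j]`) and adding a comment such as `// stop once "key=" plus at least one value byte no longer fits in s` would make the scan easier to audit. Since the description says the file is copied from Go 1.19, adding only the comment may be preferable so the code stays identical to upstream.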
++
++package godebug
++
++import "testing"
++
++func TestGet(t *testing.T) {
++ tests := []struct {
++ godebug string
++ key string
++ want string
++ }{
++ {"", "", ""},
++ {"", "foo", ""},
++ {"foo=bar", "foo", "bar"},
++ {"foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar,after=x", "foo", "bar"},
++ {"before=x,foo=bar", "foo", "bar"},
++ {",,,foo=bar,,,", "foo", "bar"},
++ {"foodecoy=wrong,foo=bar", "foo", "bar"},
++ {"foo=", "foo", ""},
++ {"foo", "foo", ""},
++ {",foo", "foo", ""},
++ {"foo=bar,baz", "loooooooong", ""},
++ }
++ for _, tt := range tests {
++ got := get(tt.godebug, tt.key)
++ if got != tt.want {
++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want)
++ }
++ }
++}
diff --git a/meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch b/meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch
new file mode 100644
index 0000000000..aacffbffcd
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch
@@ -0,0 +1,2391 @@ +From 00b256e9e3c0fa02a278ec9dfc3e191e02ceaf80 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <roland@golang.org> +Date: Wed, 14 Dec 2022 09:43:16 -0800 +Subject: [PATCH] [release-branch.go1.19] crypto/tls: replace all usages of + BytesOrPanic + +Message marshalling makes use of BytesOrPanic a lot, under the +assumption that it will never panic. This assumption was incorrect, and +specifically crafted handshakes could trigger panics. Rather than just +surgically replacing the usages of BytesOrPanic in paths that could +panic, replace all usages of it with proper error returns in case there +are other ways of triggering panics which we didn't find. + +In one specific case, the tree routed by expandLabel, we replace the +usage of BytesOrPanic, but retain a panic. This function already +explicitly panicked elsewhere, and returning an error from it becomes +rather painful because it requires changing a large number of APIs. +The marshalling is unlikely to ever panic, as the inputs are all either +fixed length, or already limited to the sizes required. If it were to +panic, it'd likely only be during development. A close inspection shows +no paths for a user to cause a panic currently. + +This patches ends up being rather large, since it requires routing +errors back through functions which previously had no error returns. +Where possible I've tried to use helpers that reduce the verbosity +of frequently repeated stanzas, and to make the diffs as minimal as +possible. + +Thanks to Marten Seemann for reporting this issue. 
+
+Updates #58001
+Fixes #58358
+Fixes CVE-2022-41724
+
+Change-Id: Ieb55867ef0a3e1e867b33f09421932510cb58851
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1679436
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit 0f3a44ad7b41cc89efdfad25278953e17d9c1e04)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728204
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468117
+Auto-Submit: Michael Pratt <mpratt@google.com>
+Run-TryBot: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+---
+
+CVE: CVE-2022-41724
+
+Upstream-Status: Backport [see text]
+
+https://github.com/golong/go.git commit 00b256e9e3c0fa...
+boring_test.go does not exist +modified for conn.go and handshake_messages.go + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + src/crypto/tls/boring_test.go | 2 +- + src/crypto/tls/common.go | 2 +- + src/crypto/tls/conn.go | 46 +- + src/crypto/tls/handshake_client.go | 95 +-- + src/crypto/tls/handshake_client_test.go | 4 +- + src/crypto/tls/handshake_client_tls13.go | 74 ++- + src/crypto/tls/handshake_messages.go | 716 +++++++++++----------- + src/crypto/tls/handshake_messages_test.go | 19 +- + src/crypto/tls/handshake_server.go | 73 ++- + src/crypto/tls/handshake_server_test.go | 31 +- + src/crypto/tls/handshake_server_tls13.go | 71 ++- + src/crypto/tls/key_schedule.go | 19 +- + src/crypto/tls/ticket.go | 8 +- + 13 files changed, 657 insertions(+), 503 deletions(-) + +--- go.orig/src/crypto/tls/common.go ++++ go/src/crypto/tls/common.go +@@ -1357,7 +1357,7 @@ func (c *Certificate) leaf() (*x509.Cert + } + + type handshakeMessage interface { +- marshal() []byte ++ marshal() ([]byte, error) + unmarshal([]byte) bool + } + +--- go.orig/src/crypto/tls/conn.go ++++ go/src/crypto/tls/conn.go +@@ -994,18 +994,46 @@ func (c *Conn) writeRecordLocked(typ rec + return n, nil + } + +-// writeRecord writes a TLS record with the given type and payload to the +-// connection and updates the record layer state. +-func (c *Conn) writeRecord(typ recordType, data []byte) (int, error) { ++// writeHandshakeRecord writes a handshake message to the connection and updates ++// the record layer state. If transcript is non-nil the marshalled message is ++// written to it. 
++func (c *Conn) writeHandshakeRecord(msg handshakeMessage, transcript transcriptHash) (int, error) { + c.out.Lock() + defer c.out.Unlock() + +- return c.writeRecordLocked(typ, data) ++ data, err := msg.marshal() ++ if err != nil { ++ return 0, err ++ } ++ if transcript != nil { ++ transcript.Write(data) ++ } ++ ++ return c.writeRecordLocked(recordTypeHandshake, data) ++} ++ ++// writeChangeCipherRecord writes a ChangeCipherSpec message to the connection and ++// updates the record layer state. ++func (c *Conn) writeChangeCipherRecord() error { ++ c.out.Lock() ++ defer c.out.Unlock() ++ _, err := c.writeRecordLocked(recordTypeChangeCipherSpec, []byte{1}) ++ return err + } + + // readHandshake reads the next handshake message from +-// the record layer. +-func (c *Conn) readHandshake() (interface{}, error) { ++// the record layer. If transcript is non-nil, the message ++// is written to the passed transcriptHash. ++ ++// backport 00b256e9e3c0fa02a278ec9dfc3e191e02ceaf80 ++// ++// Commit wants to set this to ++// ++// func (c *Conn) readHandshake(transcript transcriptHash) (any, error) { ++// ++// but that does not compile. Retain the original interface{} argument. 
++// ++func (c *Conn) readHandshake(transcript transcriptHash) (interface{}, error) { + for c.hand.Len() < 4 { + if err := c.readRecord(); err != nil { + return nil, err +@@ -1084,6 +1112,11 @@ func (c *Conn) readHandshake() (interfac + if !m.unmarshal(data) { + return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } ++ ++ if transcript != nil { ++ transcript.Write(data) ++ } ++ + return m, nil + } + +@@ -1159,7 +1192,7 @@ func (c *Conn) handleRenegotiation() err + return errors.New("tls: internal error: unexpected renegotiation") + } + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -1205,7 +1238,7 @@ func (c *Conn) handlePostHandshakeMessag + return c.handleRenegotiation() + } + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -1241,7 +1274,11 @@ func (c *Conn) handleKeyUpdate(keyUpdate + defer c.out.Unlock() + + msg := &keyUpdateMsg{} +- _, err := c.writeRecordLocked(recordTypeHandshake, msg.marshal()) ++ msgBytes, err := msg.marshal() ++ if err != nil { ++ return err ++ } ++ _, err = c.writeRecordLocked(recordTypeHandshake, msgBytes) + if err != nil { + // Surface the error at the next write. 
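Review bot: The backport note added above `readHandshake` is separated from the function's doc comment by a blank line, so the text beginning "readHandshake reads the next handshake message" is detached and the note becomes the comment attached to the function. The note also calls `interface{}` an argument, while it is the first return type. I would keep the doc comment directly above the signature and fold the note into it as one block, e.g. ending with `// Backport note: upstream returns (any, error); interface{} is kept because the note reports that any does not compile here.` The function body continues outside the hunk.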
+ c.out.setErrorLocked(err) +--- go.orig/src/crypto/tls/handshake_client.go ++++ go/src/crypto/tls/handshake_client.go +@@ -157,7 +157,10 @@ func (c *Conn) clientHandshake(ctx conte + } + c.serverName = hello.serverName + +- cacheKey, session, earlySecret, binderKey := c.loadSession(hello) ++ cacheKey, session, earlySecret, binderKey, err := c.loadSession(hello) ++ if err != nil { ++ return err ++ } + if cacheKey != "" && session != nil { + defer func() { + // If we got a handshake failure when resuming a session, throw away +@@ -172,11 +175,12 @@ func (c *Conn) clientHandshake(ctx conte + }() + } + +- if _, err := c.writeRecord(recordTypeHandshake, hello.marshal()); err != nil { ++ if _, err := c.writeHandshakeRecord(hello, nil); err != nil { + return err + } + +- msg, err := c.readHandshake() ++ // serverHelloMsg is not included in the transcript ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -241,9 +245,9 @@ func (c *Conn) clientHandshake(ctx conte + } + + func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string, +- session *ClientSessionState, earlySecret, binderKey []byte) { ++ session *ClientSessionState, earlySecret, binderKey []byte, err error) { + if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { +- return "", nil, nil, nil ++ return "", nil, nil, nil, nil + } + + hello.ticketSupported = true +@@ -258,14 +262,14 @@ func (c *Conn) loadSession(hello *client + // renegotiation is primarily used to allow a client to send a client + // certificate, which would be skipped if session resumption occurred. + if c.handshakes != 0 { +- return "", nil, nil, nil ++ return "", nil, nil, nil, nil + } + + // Try to resume a previously negotiated TLS session, if available. 
+ cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) + session, ok := c.config.ClientSessionCache.Get(cacheKey) + if !ok || session == nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // Check that version used for the previous session is still valid. +@@ -277,7 +281,7 @@ func (c *Conn) loadSession(hello *client + } + } + if !versOk { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // Check that the cached server certificate is not expired, and that it's +@@ -286,16 +290,16 @@ func (c *Conn) loadSession(hello *client + if !c.config.InsecureSkipVerify { + if len(session.verifiedChains) == 0 { + // The original connection had InsecureSkipVerify, while this doesn't. +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + serverCert := session.serverCertificates[0] + if c.config.time().After(serverCert.NotAfter) { + // Expired certificate, delete the entry. + c.config.ClientSessionCache.Put(cacheKey, nil) +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + if err := serverCert.VerifyHostname(c.config.ServerName); err != nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + } + +@@ -303,7 +307,7 @@ func (c *Conn) loadSession(hello *client + // In TLS 1.2 the cipher suite must match the resumed session. Ensure we + // are still offering it. + if mutualCipherSuite(hello.cipherSuites, session.cipherSuite) == nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + hello.sessionTicket = session.sessionTicket +@@ -313,14 +317,14 @@ func (c *Conn) loadSession(hello *client + // Check that the session ticket is not expired. + if c.config.time().After(session.useBy) { + c.config.ClientSessionCache.Put(cacheKey, nil) +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // In TLS 1.3 the KDF hash must match the resumed session. 
Ensure we + // offer at least one cipher suite with that hash. + cipherSuite := cipherSuiteTLS13ByID(session.cipherSuite) + if cipherSuite == nil { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + cipherSuiteOk := false + for _, offeredID := range hello.cipherSuites { +@@ -331,7 +335,7 @@ func (c *Conn) loadSession(hello *client + } + } + if !cipherSuiteOk { +- return cacheKey, nil, nil, nil ++ return cacheKey, nil, nil, nil, nil + } + + // Set the pre_shared_key extension. See RFC 8446, Section 4.2.11.1. +@@ -349,9 +353,15 @@ func (c *Conn) loadSession(hello *client + earlySecret = cipherSuite.extract(psk, nil) + binderKey = cipherSuite.deriveSecret(earlySecret, resumptionBinderLabel, nil) + transcript := cipherSuite.hash.New() +- transcript.Write(hello.marshalWithoutBinders()) ++ helloBytes, err := hello.marshalWithoutBinders() ++ if err != nil { ++ return "", nil, nil, nil, err ++ } ++ transcript.Write(helloBytes) + pskBinders := [][]byte{cipherSuite.finishedHash(binderKey, transcript)} +- hello.updateBinders(pskBinders) ++ if err := hello.updateBinders(pskBinders); err != nil { ++ return "", nil, nil, nil, err ++ } + + return + } +@@ -396,8 +406,12 @@ func (hs *clientHandshakeState) handshak + hs.finishedHash.discardHandshakeBuffer() + } + +- hs.finishedHash.Write(hs.hello.marshal()) +- hs.finishedHash.Write(hs.serverHello.marshal()) ++ if err := transcriptMsg(hs.hello, &hs.finishedHash); err != nil { ++ return err ++ } ++ if err := transcriptMsg(hs.serverHello, &hs.finishedHash); err != nil { ++ return err ++ } + + c.buffering = true + c.didResume = isResume +@@ -468,7 +482,7 @@ func (hs *clientHandshakeState) pickCiph + func (hs *clientHandshakeState) doFullHandshake() error { + c := hs.c + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -477,9 +491,8 @@ func (hs *clientHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return 
unexpectedMessageError(certMsg, msg) + } +- hs.finishedHash.Write(certMsg.marshal()) + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -497,11 +510,10 @@ func (hs *clientHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return errors.New("tls: received unexpected CertificateStatus message") + } +- hs.finishedHash.Write(cs.marshal()) + + c.ocspResponse = cs.response + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -530,14 +542,13 @@ func (hs *clientHandshakeState) doFullHa + + skx, ok := msg.(*serverKeyExchangeMsg) + if ok { +- hs.finishedHash.Write(skx.marshal()) + err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx) + if err != nil { + c.sendAlert(alertUnexpectedMessage) + return err + } + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -548,7 +559,6 @@ func (hs *clientHandshakeState) doFullHa + certReq, ok := msg.(*certificateRequestMsg) + if ok { + certRequested = true +- hs.finishedHash.Write(certReq.marshal()) + + cri := certificateRequestInfoFromMsg(hs.ctx, c.vers, certReq) + if chainToSend, err = c.getClientCertificate(cri); err != nil { +@@ -556,7 +566,7 @@ func (hs *clientHandshakeState) doFullHa + return err + } + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -567,7 +577,6 @@ func (hs *clientHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(shd, msg) + } +- hs.finishedHash.Write(shd.marshal()) + + // If the server requested a certificate then we have to send a + // Certificate message, even if it's empty because we don't have a +@@ -575,8 +584,7 @@ func (hs *clientHandshakeState) doFullHa + if certRequested { + certMsg = new(certificateMsg) + 
certMsg.certificates = chainToSend.Certificate +- hs.finishedHash.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { + return err + } + } +@@ -587,8 +595,7 @@ func (hs *clientHandshakeState) doFullHa + return err + } + if ckx != nil { +- hs.finishedHash.Write(ckx.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, ckx.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(ckx, &hs.finishedHash); err != nil { + return err + } + } +@@ -635,8 +642,7 @@ func (hs *clientHandshakeState) doFullHa + return err + } + +- hs.finishedHash.Write(certVerify.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certVerify.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certVerify, &hs.finishedHash); err != nil { + return err + } + } +@@ -771,7 +777,10 @@ func (hs *clientHandshakeState) readFini + return err + } + +- msg, err := c.readHandshake() ++ // finishedMsg is included in the transcript, but not until after we ++ // check the client version, since the state before this message was ++ // sent is used during verification. 
++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -787,7 +796,11 @@ func (hs *clientHandshakeState) readFini + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: server's Finished message was incorrect") + } +- hs.finishedHash.Write(serverFinished.marshal()) ++ ++ if err := transcriptMsg(serverFinished, &hs.finishedHash); err != nil { ++ return err ++ } ++ + copy(out, verify) + return nil + } +@@ -798,7 +811,7 @@ func (hs *clientHandshakeState) readSess + } + + c := hs.c +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -807,7 +820,6 @@ func (hs *clientHandshakeState) readSess + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(sessionTicketMsg, msg) + } +- hs.finishedHash.Write(sessionTicketMsg.marshal()) + + hs.session = &ClientSessionState{ + sessionTicket: sessionTicketMsg.ticket, +@@ -827,14 +839,13 @@ func (hs *clientHandshakeState) readSess + func (hs *clientHandshakeState) sendFinished(out []byte) error { + c := hs.c + +- if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { ++ if err := c.writeChangeCipherRecord(); err != nil { + return err + } + + finished := new(finishedMsg) + finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) +- hs.finishedHash.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { + return err + } + copy(out, finished.verifyData) +--- go.orig/src/crypto/tls/handshake_client_test.go ++++ go/src/crypto/tls/handshake_client_test.go +@@ -1257,7 +1257,7 @@ func TestServerSelectingUnconfiguredAppl + cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256, + alpnProtocol: "how-about-this", + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + s.Write([]byte{ + byte(recordTypeHandshake), +@@ -1500,7 +1500,7 
@@ func TestServerSelectingUnconfiguredCiph + random: make([]byte, 32), + cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384, + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + s.Write([]byte{ + byte(recordTypeHandshake), +--- go.orig/src/crypto/tls/handshake_client_tls13.go ++++ go/src/crypto/tls/handshake_client_tls13.go +@@ -58,7 +58,10 @@ func (hs *clientHandshakeStateTLS13) han + } + + hs.transcript = hs.suite.hash.New() +- hs.transcript.Write(hs.hello.marshal()) ++ ++ if err := transcriptMsg(hs.hello, hs.transcript); err != nil { ++ return err ++ } + + if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { + if err := hs.sendDummyChangeCipherSpec(); err != nil { +@@ -69,7 +72,9 @@ func (hs *clientHandshakeStateTLS13) han + } + } + +- hs.transcript.Write(hs.serverHello.marshal()) ++ if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { ++ return err ++ } + + c.buffering = true + if err := hs.processServerHello(); err != nil { +@@ -168,8 +173,7 @@ func (hs *clientHandshakeStateTLS13) sen + } + hs.sentDummyCCS = true + +- _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) +- return err ++ return hs.c.writeChangeCipherRecord() + } + + // processHelloRetryRequest handles the HRR in hs.serverHello, modifies and +@@ -184,7 +188,9 @@ func (hs *clientHandshakeStateTLS13) pro + hs.transcript.Reset() + hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + hs.transcript.Write(chHash) +- hs.transcript.Write(hs.serverHello.marshal()) ++ if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { ++ return err ++ } + + // The only HelloRetryRequest extensions we support are key_share and + // cookie, and clients must abort the handshake if the HRR would not result +@@ -249,10 +255,18 @@ func (hs *clientHandshakeStateTLS13) pro + transcript := hs.suite.hash.New() + transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + transcript.Write(chHash) +- 
transcript.Write(hs.serverHello.marshal()) +- transcript.Write(hs.hello.marshalWithoutBinders()) ++ if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { ++ return err ++ } ++ helloBytes, err := hs.hello.marshalWithoutBinders() ++ if err != nil { ++ return err ++ } ++ transcript.Write(helloBytes) + pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)} +- hs.hello.updateBinders(pskBinders) ++ if err := hs.hello.updateBinders(pskBinders); err != nil { ++ return err ++ } + } else { + // Server selected a cipher suite incompatible with the PSK. + hs.hello.pskIdentities = nil +@@ -260,12 +274,12 @@ func (hs *clientHandshakeStateTLS13) pro + } + } + +- hs.transcript.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { + return err + } + +- msg, err := c.readHandshake() ++ // serverHelloMsg is not included in the transcript ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -354,6 +368,7 @@ func (hs *clientHandshakeStateTLS13) est + if !hs.usingPSK { + earlySecret = hs.suite.extract(nil, nil) + } ++ + handshakeSecret := hs.suite.extract(sharedKey, + hs.suite.deriveSecret(earlySecret, "derived", nil)) + +@@ -384,7 +399,7 @@ func (hs *clientHandshakeStateTLS13) est + func (hs *clientHandshakeStateTLS13) readServerParameters() error { + c := hs.c + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } +@@ -394,7 +409,6 @@ func (hs *clientHandshakeStateTLS13) rea + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(encryptedExtensions, msg) + } +- hs.transcript.Write(encryptedExtensions.marshal()) + + if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil { + c.sendAlert(alertUnsupportedExtension) +@@ -423,18 +437,16 @@ func (hs *clientHandshakeStateTLS13) rea + return nil 
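Review bot: In the PSK branch of the `-249,10 +255,18` hunk, the server hello is hashed into `hs.transcript` instead of the local `transcript` created just above for the binder computation. The removed line wrote `hs.serverHello.marshal()` to `transcript`, so the value passed to `hs.suite.finishedHash(hs.binderKey, transcript)` no longer covers the HelloRetryRequest. `hs.transcript` also appears to receive that message a second time, after the write in the `-184,7` hunk. A peer that validates the binder would presumably reject the resumed handshake after a retry, so the call should read `if err := transcriptMsg(hs.serverHello, transcript); err != nil {`. The enclosing function starts and ends outside the hunk.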
+ } + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } + + certReq, ok := msg.(*certificateRequestMsgTLS13) + if ok { +- hs.transcript.Write(certReq.marshal()) +- + hs.certReq = certReq + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(hs.transcript) + if err != nil { + return err + } +@@ -449,7 +461,6 @@ func (hs *clientHandshakeStateTLS13) rea + c.sendAlert(alertDecodeError) + return errors.New("tls: received empty certificates message") + } +- hs.transcript.Write(certMsg.marshal()) + + c.scts = certMsg.certificate.SignedCertificateTimestamps + c.ocspResponse = certMsg.certificate.OCSPStaple +@@ -458,7 +469,10 @@ func (hs *clientHandshakeStateTLS13) rea + return err + } + +- msg, err = c.readHandshake() ++ // certificateVerifyMsg is included in the transcript, but not until ++ // after we verify the handshake signature, since the state before ++ // this message was sent is used. ++ msg, err = c.readHandshake(nil) + if err != nil { + return err + } +@@ -489,7 +503,9 @@ func (hs *clientHandshakeStateTLS13) rea + return errors.New("tls: invalid signature by the server certificate: " + err.Error()) + } + +- hs.transcript.Write(certVerify.marshal()) ++ if err := transcriptMsg(certVerify, hs.transcript); err != nil { ++ return err ++ } + + return nil + } +@@ -497,7 +513,10 @@ func (hs *clientHandshakeStateTLS13) rea + func (hs *clientHandshakeStateTLS13) readServerFinished() error { + c := hs.c + +- msg, err := c.readHandshake() ++ // finishedMsg is included in the transcript, but not until after we ++ // check the client version, since the state before this message was ++ // sent is used during verification. 
++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -514,7 +533,9 @@ func (hs *clientHandshakeStateTLS13) rea + return errors.New("tls: invalid server finished hash") + } + +- hs.transcript.Write(finished.marshal()) ++ if err := transcriptMsg(finished, hs.transcript); err != nil { ++ return err ++ } + + // Derive secrets that take context through the server Finished. + +@@ -563,8 +584,7 @@ func (hs *clientHandshakeStateTLS13) sen + certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0 + certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0 + +- hs.transcript.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { + return err + } + +@@ -601,8 +621,7 @@ func (hs *clientHandshakeStateTLS13) sen + } + certVerifyMsg.signature = sig + +- hs.transcript.Write(certVerifyMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { + return err + } + +@@ -616,8 +635,7 @@ func (hs *clientHandshakeStateTLS13) sen + verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), + } + +- hs.transcript.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { + return err + } + +--- go.orig/src/crypto/tls/handshake_messages.go ++++ go/src/crypto/tls/handshake_messages.go +@@ -5,6 +5,7 @@ + package tls + + import ( ++ "errors" + "fmt" + "strings" + +@@ -94,9 +95,181 @@ type clientHelloMsg struct { + pskBinders [][]byte + } + +-func (m *clientHelloMsg) marshal() []byte { ++func (m *clientHelloMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil ++ } ++ ++ var exts cryptobyte.Builder 
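Review bot: The comment added above `c.readHandshake(nil)` in readServerFinished says the message joins the transcript "after we check the client version", but no version check is visible there. The check that follows in the next hunk fails with "tls: invalid server finished hash", so it looks like the Finished verify data is what gets checked. I would reword it to `// finishedMsg is added to the transcript only after its verify data has been checked, because that check uses the transcript state from before this message.` The function body continues outside the hunk.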
++ if len(m.serverName) > 0 { ++ // RFC 6066, Section 3 ++ exts.AddUint16(extensionServerName) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8(0) // name_type = host_name ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes([]byte(m.serverName)) ++ }) ++ }) ++ }) ++ } ++ if m.ocspStapling { ++ // RFC 4366, Section 3.6 ++ exts.AddUint16(extensionStatusRequest) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8(1) // status_type = ocsp ++ exts.AddUint16(0) // empty responder_id_list ++ exts.AddUint16(0) // empty request_extensions ++ }) ++ } ++ if len(m.supportedCurves) > 0 { ++ // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 ++ exts.AddUint16(extensionSupportedCurves) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, curve := range m.supportedCurves { ++ exts.AddUint16(uint16(curve)) ++ } ++ }) ++ }) ++ } ++ if len(m.supportedPoints) > 0 { ++ // RFC 4492, Section 5.1.2 ++ exts.AddUint16(extensionSupportedPoints) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.supportedPoints) ++ }) ++ }) ++ } ++ if m.ticketSupported { ++ // RFC 5077, Section 3.2 ++ exts.AddUint16(extensionSessionTicket) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.sessionTicket) ++ }) ++ } ++ if len(m.supportedSignatureAlgorithms) > 0 { ++ // RFC 5246, Section 7.4.1.4.1 ++ exts.AddUint16(extensionSignatureAlgorithms) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, sigAlgo := range m.supportedSignatureAlgorithms { ++ exts.AddUint16(uint16(sigAlgo)) ++ } ++ }) ++ }) ++ } ++ if len(m.supportedSignatureAlgorithmsCert) > 0 { 
++ // RFC 8446, Section 4.2.3 ++ exts.AddUint16(extensionSignatureAlgorithmsCert) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { ++ exts.AddUint16(uint16(sigAlgo)) ++ } ++ }) ++ }) ++ } ++ if m.secureRenegotiationSupported { ++ // RFC 5746, Section 3.2 ++ exts.AddUint16(extensionRenegotiationInfo) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.secureRenegotiation) ++ }) ++ }) ++ } ++ if len(m.alpnProtocols) > 0 { ++ // RFC 7301, Section 3.1 ++ exts.AddUint16(extensionALPN) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, proto := range m.alpnProtocols { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes([]byte(proto)) ++ }) ++ } ++ }) ++ }) ++ } ++ if m.scts { ++ // RFC 6962, Section 3.3.1 ++ exts.AddUint16(extensionSCT) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if len(m.supportedVersions) > 0 { ++ // RFC 8446, Section 4.2.1 ++ exts.AddUint16(extensionSupportedVersions) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, vers := range m.supportedVersions { ++ exts.AddUint16(vers) ++ } ++ }) ++ }) ++ } ++ if len(m.cookie) > 0 { ++ // RFC 8446, Section 4.2.2 ++ exts.AddUint16(extensionCookie) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.cookie) ++ }) ++ }) ++ } ++ if len(m.keyShares) > 0 { ++ // RFC 8446, Section 4.2.8 ++ exts.AddUint16(extensionKeyShare) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, ks := range 
m.keyShares { ++ exts.AddUint16(uint16(ks.group)) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(ks.data) ++ }) ++ } ++ }) ++ }) ++ } ++ if m.earlyData { ++ // RFC 8446, Section 4.2.10 ++ exts.AddUint16(extensionEarlyData) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if len(m.pskModes) > 0 { ++ // RFC 8446, Section 4.2.9 ++ exts.AddUint16(extensionPSKModes) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.pskModes) ++ }) ++ }) ++ } ++ if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension ++ // RFC 8446, Section 4.2.11 ++ exts.AddUint16(extensionPreSharedKey) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, psk := range m.pskIdentities { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(psk.label) ++ }) ++ exts.AddUint32(psk.obfuscatedTicketAge) ++ } ++ }) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, binder := range m.pskBinders { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(binder) ++ }) ++ } ++ }) ++ }) ++ } ++ extBytes, err := exts.Bytes() ++ if err != nil { ++ return nil, err + } + + var b cryptobyte.Builder +@@ -116,219 +289,53 @@ func (m *clientHelloMsg) marshal() []byt + b.AddBytes(m.compressionMethods) + }) + +- // If extensions aren't present, omit them. 
+- var extensionsPresent bool +- bWithoutExtensions := *b +- +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- if len(m.serverName) > 0 { +- // RFC 6066, Section 3 +- b.AddUint16(extensionServerName) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8(0) // name_type = host_name +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(m.serverName)) +- }) +- }) +- }) +- } +- if m.ocspStapling { +- // RFC 4366, Section 3.6 +- b.AddUint16(extensionStatusRequest) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8(1) // status_type = ocsp +- b.AddUint16(0) // empty responder_id_list +- b.AddUint16(0) // empty request_extensions +- }) +- } +- if len(m.supportedCurves) > 0 { +- // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 +- b.AddUint16(extensionSupportedCurves) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, curve := range m.supportedCurves { +- b.AddUint16(uint16(curve)) +- } +- }) +- }) +- } +- if len(m.supportedPoints) > 0 { +- // RFC 4492, Section 5.1.2 +- b.AddUint16(extensionSupportedPoints) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.supportedPoints) +- }) +- }) +- } +- if m.ticketSupported { +- // RFC 5077, Section 3.2 +- b.AddUint16(extensionSessionTicket) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.sessionTicket) +- }) +- } +- if len(m.supportedSignatureAlgorithms) > 0 { +- // RFC 5246, Section 7.4.1.4.1 +- b.AddUint16(extensionSignatureAlgorithms) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, sigAlgo := range m.supportedSignatureAlgorithms { +- b.AddUint16(uint16(sigAlgo)) +- } +- }) +- }) +- } +- if 
len(m.supportedSignatureAlgorithmsCert) > 0 { +- // RFC 8446, Section 4.2.3 +- b.AddUint16(extensionSignatureAlgorithmsCert) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { +- b.AddUint16(uint16(sigAlgo)) +- } +- }) +- }) +- } +- if m.secureRenegotiationSupported { +- // RFC 5746, Section 3.2 +- b.AddUint16(extensionRenegotiationInfo) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.secureRenegotiation) +- }) +- }) +- } +- if len(m.alpnProtocols) > 0 { +- // RFC 7301, Section 3.1 +- b.AddUint16(extensionALPN) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, proto := range m.alpnProtocols { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(proto)) +- }) +- } +- }) +- }) +- } +- if m.scts { +- // RFC 6962, Section 3.3.1 +- b.AddUint16(extensionSCT) +- b.AddUint16(0) // empty extension_data +- } +- if len(m.supportedVersions) > 0 { +- // RFC 8446, Section 4.2.1 +- b.AddUint16(extensionSupportedVersions) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, vers := range m.supportedVersions { +- b.AddUint16(vers) +- } +- }) +- }) +- } +- if len(m.cookie) > 0 { +- // RFC 8446, Section 4.2.2 +- b.AddUint16(extensionCookie) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.cookie) +- }) +- }) +- } +- if len(m.keyShares) > 0 { +- // RFC 8446, Section 4.2.8 +- b.AddUint16(extensionKeyShare) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, ks := range m.keyShares { +- b.AddUint16(uint16(ks.group)) +- 
b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(ks.data) +- }) +- } +- }) +- }) +- } +- if m.earlyData { +- // RFC 8446, Section 4.2.10 +- b.AddUint16(extensionEarlyData) +- b.AddUint16(0) // empty extension_data +- } +- if len(m.pskModes) > 0 { +- // RFC 8446, Section 4.2.9 +- b.AddUint16(extensionPSKModes) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.pskModes) +- }) +- }) +- } +- if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension +- // RFC 8446, Section 4.2.11 +- b.AddUint16(extensionPreSharedKey) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, psk := range m.pskIdentities { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(psk.label) +- }) +- b.AddUint32(psk.obfuscatedTicketAge) +- } +- }) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, binder := range m.pskBinders { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(binder) +- }) +- } +- }) +- }) +- } +- +- extensionsPresent = len(b.BytesOrPanic()) > 2 +- }) +- +- if !extensionsPresent { +- *b = bWithoutExtensions +- } +- }) ++ if len(extBytes) > 0 { ++ b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { ++ b.AddBytes(extBytes) ++ }) ++ } ++ }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + // marshalWithoutBinders returns the ClientHello through the + // PreSharedKeyExtension.identities field, according to RFC 8446, Section + // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 
+-func (m *clientHelloMsg) marshalWithoutBinders() []byte { ++func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) { + bindersLen := 2 // uint16 length prefix + for _, binder := range m.pskBinders { + bindersLen += 1 // uint8 length prefix + bindersLen += len(binder) + } + +- fullMessage := m.marshal() +- return fullMessage[:len(fullMessage)-bindersLen] ++ fullMessage, err := m.marshal() ++ if err != nil { ++ return nil, err ++ } ++ return fullMessage[:len(fullMessage)-bindersLen], nil + } + + // updateBinders updates the m.pskBinders field, if necessary updating the + // cached marshaled representation. The supplied binders must have the same + // length as the current m.pskBinders. +-func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { ++func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error { + if len(pskBinders) != len(m.pskBinders) { +- panic("tls: internal error: pskBinders length mismatch") ++ return errors.New("tls: internal error: pskBinders length mismatch") + } + for i := range m.pskBinders { + if len(pskBinders[i]) != len(m.pskBinders[i]) { +- panic("tls: internal error: pskBinders length mismatch") ++ return errors.New("tls: internal error: pskBinders length mismatch") + } + } + m.pskBinders = pskBinders + if m.raw != nil { +- lenWithoutBinders := len(m.marshalWithoutBinders()) ++ helloBytes, err := m.marshalWithoutBinders() ++ if err != nil { ++ return err ++ } ++ lenWithoutBinders := len(helloBytes) + // TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported. 
+ b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders]) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +@@ -339,9 +346,11 @@ func (m *clientHelloMsg) updateBinders(p + } + }) + if len(b.BytesOrPanic()) != len(m.raw) { +- panic("tls: internal error: failed to update binders") ++ return errors.New("tls: internal error: failed to update binders") + } + } ++ ++ return nil + } + + func (m *clientHelloMsg) unmarshal(data []byte) bool { +@@ -613,9 +622,98 @@ type serverHelloMsg struct { + selectedGroup CurveID + } + +-func (m *serverHelloMsg) marshal() []byte { ++func (m *serverHelloMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil ++ } ++ ++ var exts cryptobyte.Builder ++ if m.ocspStapling { ++ exts.AddUint16(extensionStatusRequest) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if m.ticketSupported { ++ exts.AddUint16(extensionSessionTicket) ++ exts.AddUint16(0) // empty extension_data ++ } ++ if m.secureRenegotiationSupported { ++ exts.AddUint16(extensionRenegotiationInfo) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.secureRenegotiation) ++ }) ++ }) ++ } ++ if len(m.alpnProtocol) > 0 { ++ exts.AddUint16(extensionALPN) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes([]byte(m.alpnProtocol)) ++ }) ++ }) ++ }) ++ } ++ if len(m.scts) > 0 { ++ exts.AddUint16(extensionSCT) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ for _, sct := range m.scts { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(sct) ++ }) ++ } ++ }) ++ }) ++ } ++ if m.supportedVersion != 0 { ++ exts.AddUint16(extensionSupportedVersions) ++ 
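Review bot: In the `-339,9 +346,11` hunk, `updateBinders` still calls `b.BytesOrPanic()` in its final length check, so a builder error on this path panics even though every other failure in the function now returns an error. Taking the error from the builder keeps the handling uniform: `if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) {`, followed by the existing `return errors.New("tls: internal error: failed to update binders")`. Part of the length-prefixed closure that fills the builder falls between this hunk and the previous one, so it is not visible here.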
exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(m.supportedVersion) ++ }) ++ } ++ if m.serverShare.group != 0 { ++ exts.AddUint16(extensionKeyShare) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(uint16(m.serverShare.group)) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.serverShare.data) ++ }) ++ }) ++ } ++ if m.selectedIdentityPresent { ++ exts.AddUint16(extensionPreSharedKey) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(m.selectedIdentity) ++ }) ++ } ++ ++ if len(m.cookie) > 0 { ++ exts.AddUint16(extensionCookie) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.cookie) ++ }) ++ }) ++ } ++ if m.selectedGroup != 0 { ++ exts.AddUint16(extensionKeyShare) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint16(uint16(m.selectedGroup)) ++ }) ++ } ++ if len(m.supportedPoints) > 0 { ++ exts.AddUint16(extensionSupportedPoints) ++ exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { ++ exts.AddBytes(m.supportedPoints) ++ }) ++ }) ++ } ++ ++ extBytes, err := exts.Bytes() ++ if err != nil { ++ return nil, err + } + + var b cryptobyte.Builder +@@ -629,104 +727,15 @@ func (m *serverHelloMsg) marshal() []byt + b.AddUint16(m.cipherSuite) + b.AddUint8(m.compressionMethod) + +- // If extensions aren't present, omit them. 
+- var extensionsPresent bool +- bWithoutExtensions := *b +- +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- if m.ocspStapling { +- b.AddUint16(extensionStatusRequest) +- b.AddUint16(0) // empty extension_data +- } +- if m.ticketSupported { +- b.AddUint16(extensionSessionTicket) +- b.AddUint16(0) // empty extension_data +- } +- if m.secureRenegotiationSupported { +- b.AddUint16(extensionRenegotiationInfo) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.secureRenegotiation) +- }) +- }) +- } +- if len(m.alpnProtocol) > 0 { +- b.AddUint16(extensionALPN) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes([]byte(m.alpnProtocol)) +- }) +- }) +- }) +- } +- if len(m.scts) > 0 { +- b.AddUint16(extensionSCT) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- for _, sct := range m.scts { +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(sct) +- }) +- } +- }) +- }) +- } +- if m.supportedVersion != 0 { +- b.AddUint16(extensionSupportedVersions) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(m.supportedVersion) +- }) +- } +- if m.serverShare.group != 0 { +- b.AddUint16(extensionKeyShare) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(uint16(m.serverShare.group)) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.serverShare.data) +- }) +- }) +- } +- if m.selectedIdentityPresent { +- b.AddUint16(extensionPreSharedKey) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(m.selectedIdentity) +- }) +- } +- +- if len(m.cookie) > 0 { +- b.AddUint16(extensionCookie) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16LengthPrefixed(func(b 
*cryptobyte.Builder) { +- b.AddBytes(m.cookie) +- }) +- }) +- } +- if m.selectedGroup != 0 { +- b.AddUint16(extensionKeyShare) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint16(uint16(m.selectedGroup)) +- }) +- } +- if len(m.supportedPoints) > 0 { +- b.AddUint16(extensionSupportedPoints) +- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { +- b.AddBytes(m.supportedPoints) +- }) +- }) +- } +- +- extensionsPresent = len(b.BytesOrPanic()) > 2 +- }) +- +- if !extensionsPresent { +- *b = bWithoutExtensions ++ if len(extBytes) > 0 { ++ b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { ++ b.AddBytes(extBytes) ++ }) + } + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *serverHelloMsg) unmarshal(data []byte) bool { +@@ -844,9 +853,9 @@ type encryptedExtensionsMsg struct { + alpnProtocol string + } + +-func (m *encryptedExtensionsMsg) marshal() []byte { ++func (m *encryptedExtensionsMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -866,8 +875,9 @@ func (m *encryptedExtensionsMsg) marshal + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { +@@ -915,10 +925,10 @@ func (m *encryptedExtensionsMsg) unmarsh + + type endOfEarlyDataMsg struct{} + +-func (m *endOfEarlyDataMsg) marshal() []byte { ++func (m *endOfEarlyDataMsg) marshal() ([]byte, error) { + x := make([]byte, 4) + x[0] = typeEndOfEarlyData +- return x ++ return x, nil + } + + func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { +@@ -930,9 +940,9 @@ type keyUpdateMsg struct { + updateRequested bool + } + +-func (m *keyUpdateMsg) marshal() []byte { ++func (m *keyUpdateMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return 
m.raw, nil + } + + var b cryptobyte.Builder +@@ -945,8 +955,9 @@ func (m *keyUpdateMsg) marshal() []byte + } + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *keyUpdateMsg) unmarshal(data []byte) bool { +@@ -978,9 +989,9 @@ type newSessionTicketMsgTLS13 struct { + maxEarlyData uint32 + } + +-func (m *newSessionTicketMsgTLS13) marshal() []byte { ++func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1005,8 +1016,9 @@ func (m *newSessionTicketMsgTLS13) marsh + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { +@@ -1059,9 +1071,9 @@ type certificateRequestMsgTLS13 struct { + certificateAuthorities [][]byte + } + +-func (m *certificateRequestMsgTLS13) marshal() []byte { ++func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1120,8 +1132,9 @@ func (m *certificateRequestMsgTLS13) mar + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { +@@ -1205,9 +1218,9 @@ type certificateMsg struct { + certificates [][]byte + } + +-func (m *certificateMsg) marshal() (x []byte) { ++func (m *certificateMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var i int +@@ -1216,7 +1229,7 @@ func (m *certificateMsg) marshal() (x [] + } + + length := 3 + 3*len(m.certificates) + i +- x = make([]byte, 4+length) ++ x := make([]byte, 4+length) + x[0] = typeCertificate + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) +@@ -1237,7 +1250,7 @@ func (m *certificateMsg) marshal() (x [] 
+ } + + m.raw = x +- return ++ return m.raw, nil + } + + func (m *certificateMsg) unmarshal(data []byte) bool { +@@ -1284,9 +1297,9 @@ type certificateMsgTLS13 struct { + scts bool + } + +-func (m *certificateMsgTLS13) marshal() []byte { ++func (m *certificateMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1304,8 +1317,9 @@ func (m *certificateMsgTLS13) marshal() + marshalCertificate(b, certificate) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { +@@ -1428,9 +1442,9 @@ type serverKeyExchangeMsg struct { + key []byte + } + +-func (m *serverKeyExchangeMsg) marshal() []byte { ++func (m *serverKeyExchangeMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + length := len(m.key) + x := make([]byte, length+4) +@@ -1441,7 +1455,7 @@ func (m *serverKeyExchangeMsg) marshal() + copy(x[4:], m.key) + + m.raw = x +- return x ++ return x, nil + } + + func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { +@@ -1458,9 +1472,9 @@ type certificateStatusMsg struct { + response []byte + } + +-func (m *certificateStatusMsg) marshal() []byte { ++func (m *certificateStatusMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1472,8 +1486,9 @@ func (m *certificateStatusMsg) marshal() + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *certificateStatusMsg) unmarshal(data []byte) bool { +@@ -1492,10 +1507,10 @@ func (m *certificateStatusMsg) unmarshal + + type serverHelloDoneMsg struct{} + +-func (m *serverHelloDoneMsg) marshal() []byte { ++func (m *serverHelloDoneMsg) marshal() ([]byte, error) { + x := make([]byte, 4) + x[0] = typeServerHelloDone +- return 
x ++ return x, nil + } + + func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { +@@ -1507,9 +1522,9 @@ type clientKeyExchangeMsg struct { + ciphertext []byte + } + +-func (m *clientKeyExchangeMsg) marshal() []byte { ++func (m *clientKeyExchangeMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + length := len(m.ciphertext) + x := make([]byte, length+4) +@@ -1520,7 +1535,7 @@ func (m *clientKeyExchangeMsg) marshal() + copy(x[4:], m.ciphertext) + + m.raw = x +- return x ++ return x, nil + } + + func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { +@@ -1541,9 +1556,9 @@ type finishedMsg struct { + verifyData []byte + } + +-func (m *finishedMsg) marshal() []byte { ++func (m *finishedMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1552,8 +1567,9 @@ func (m *finishedMsg) marshal() []byte { + b.AddBytes(m.verifyData) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *finishedMsg) unmarshal(data []byte) bool { +@@ -1575,9 +1591,9 @@ type certificateRequestMsg struct { + certificateAuthorities [][]byte + } + +-func (m *certificateRequestMsg) marshal() (x []byte) { ++func (m *certificateRequestMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + // See RFC 4346, Section 7.4.4. 
+@@ -1592,7 +1608,7 @@ func (m *certificateRequestMsg) marshal( + length += 2 + 2*len(m.supportedSignatureAlgorithms) + } + +- x = make([]byte, 4+length) ++ x := make([]byte, 4+length) + x[0] = typeCertificateRequest + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) +@@ -1627,7 +1643,7 @@ func (m *certificateRequestMsg) marshal( + } + + m.raw = x +- return ++ return m.raw, nil + } + + func (m *certificateRequestMsg) unmarshal(data []byte) bool { +@@ -1713,9 +1729,9 @@ type certificateVerifyMsg struct { + signature []byte + } + +-func (m *certificateVerifyMsg) marshal() (x []byte) { ++func (m *certificateVerifyMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + var b cryptobyte.Builder +@@ -1729,8 +1745,9 @@ func (m *certificateVerifyMsg) marshal() + }) + }) + +- m.raw = b.BytesOrPanic() +- return m.raw ++ var err error ++ m.raw, err = b.Bytes() ++ return m.raw, err + } + + func (m *certificateVerifyMsg) unmarshal(data []byte) bool { +@@ -1753,15 +1770,15 @@ type newSessionTicketMsg struct { + ticket []byte + } + +-func (m *newSessionTicketMsg) marshal() (x []byte) { ++func (m *newSessionTicketMsg) marshal() ([]byte, error) { + if m.raw != nil { +- return m.raw ++ return m.raw, nil + } + + // See RFC 5077, Section 3.3. 
+ ticketLen := len(m.ticket) + length := 2 + 4 + ticketLen +- x = make([]byte, 4+length) ++ x := make([]byte, 4+length) + x[0] = typeNewSessionTicket + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) +@@ -1772,7 +1789,7 @@ func (m *newSessionTicketMsg) marshal() + + m.raw = x + +- return ++ return m.raw, nil + } + + func (m *newSessionTicketMsg) unmarshal(data []byte) bool { +@@ -1800,10 +1817,25 @@ func (m *newSessionTicketMsg) unmarshal( + type helloRequestMsg struct { + } + +-func (*helloRequestMsg) marshal() []byte { +- return []byte{typeHelloRequest, 0, 0, 0} ++func (*helloRequestMsg) marshal() ([]byte, error) { ++ return []byte{typeHelloRequest, 0, 0, 0}, nil + } + + func (*helloRequestMsg) unmarshal(data []byte) bool { + return len(data) == 4 + } ++ ++type transcriptHash interface { ++ Write([]byte) (int, error) ++} ++ ++// transcriptMsg is a helper used to marshal and hash messages which typically ++// are not written to the wire, and as such aren't hashed during Conn.writeRecord. 
++func transcriptMsg(msg handshakeMessage, h transcriptHash) error { ++ data, err := msg.marshal() ++ if err != nil { ++ return err ++ } ++ h.Write(data) ++ return nil ++} +--- go.orig/src/crypto/tls/handshake_messages_test.go ++++ go/src/crypto/tls/handshake_messages_test.go +@@ -37,6 +37,15 @@ var tests = []interface{}{ + &certificateMsgTLS13{}, + } + ++func mustMarshal(t *testing.T, msg handshakeMessage) []byte { ++ t.Helper() ++ b, err := msg.marshal() ++ if err != nil { ++ t.Fatal(err) ++ } ++ return b ++} ++ + func TestMarshalUnmarshal(t *testing.T) { + rand := rand.New(rand.NewSource(time.Now().UnixNano())) + +@@ -55,7 +64,7 @@ func TestMarshalUnmarshal(t *testing.T) + } + + m1 := v.Interface().(handshakeMessage) +- marshaled := m1.marshal() ++ marshaled := mustMarshal(t, m1) + m2 := iface.(handshakeMessage) + if !m2.unmarshal(marshaled) { + t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled) +@@ -408,12 +417,12 @@ func TestRejectEmptySCTList(t *testing.T + + var random [32]byte + sct := []byte{0x42, 0x42, 0x42, 0x42} +- serverHello := serverHelloMsg{ ++ serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: random[:], + scts: [][]byte{sct}, + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + var serverHelloCopy serverHelloMsg + if !serverHelloCopy.unmarshal(serverHelloBytes) { +@@ -451,12 +460,12 @@ func TestRejectEmptySCT(t *testing.T) { + // not be zero length. 
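Review bot: transcriptMsg discards the result of `h.Write(data)` although the `transcriptHash` interface declared just above it gives Write an error return, so a failing writer would leave the message out of the transcript without the caller learning of it. If every implementation is a hash whose Write cannot fail (not confirmable from this hunk), the doc comment should say so; otherwise propagate it with `if _, err := h.Write(data); err != nil { return err }`. The comment should also state that `h` must be non-nil: other call sites in this patch pass nil to readHandshake and writeHandshakeRecord to mean "do not hash", and a nil `h` here would panic.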
+ + var random [32]byte +- serverHello := serverHelloMsg{ ++ serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: random[:], + scts: [][]byte{nil}, + } +- serverHelloBytes := serverHello.marshal() ++ serverHelloBytes := mustMarshal(t, serverHello) + + var serverHelloCopy serverHelloMsg + if serverHelloCopy.unmarshal(serverHelloBytes) { +--- go.orig/src/crypto/tls/handshake_server.go ++++ go/src/crypto/tls/handshake_server.go +@@ -129,7 +129,9 @@ func (hs *serverHandshakeState) handshak + + // readClientHello reads a ClientHello message and selects the protocol version. + func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { +- msg, err := c.readHandshake() ++ // clientHelloMsg is included in the transcript, but we haven't initialized ++ // it yet. The respective handshake functions will record it themselves. ++ msg, err := c.readHandshake(nil) + if err != nil { + return nil, err + } +@@ -456,9 +458,10 @@ func (hs *serverHandshakeState) doResume + hs.hello.ticketSupported = hs.sessionState.usedOldKey + hs.finishedHash = newFinishedHash(c.vers, hs.suite) + hs.finishedHash.discardHandshakeBuffer() +- hs.finishedHash.Write(hs.clientHello.marshal()) +- hs.finishedHash.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { ++ return err ++ } ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { + return err + } + +@@ -496,24 +499,23 @@ func (hs *serverHandshakeState) doFullHa + // certificates won't be used. 
+ hs.finishedHash.discardHandshakeBuffer() + } +- hs.finishedHash.Write(hs.clientHello.marshal()) +- hs.finishedHash.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { ++ return err ++ } ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { + return err + } + + certMsg := new(certificateMsg) + certMsg.certificates = hs.cert.Certificate +- hs.finishedHash.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { + return err + } + + if hs.hello.ocspStapling { + certStatus := new(certificateStatusMsg) + certStatus.response = hs.cert.OCSPStaple +- hs.finishedHash.Write(certStatus.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil { + return err + } + } +@@ -525,8 +527,7 @@ func (hs *serverHandshakeState) doFullHa + return err + } + if skx != nil { +- hs.finishedHash.Write(skx.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil { + return err + } + } +@@ -552,15 +553,13 @@ func (hs *serverHandshakeState) doFullHa + if c.config.ClientCAs != nil { + certReq.certificateAuthorities = c.config.ClientCAs.Subjects() + } +- hs.finishedHash.Write(certReq.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil { + return err + } + } + + helloDone := new(serverHelloDoneMsg) +- hs.finishedHash.Write(helloDone.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil { ++ if _, err := 
hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil { + return err + } + +@@ -570,7 +569,7 @@ func (hs *serverHandshakeState) doFullHa + + var pub crypto.PublicKey // public key for client auth, if any + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -583,7 +582,6 @@ func (hs *serverHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } +- hs.finishedHash.Write(certMsg.marshal()) + + if err := c.processCertsFromClient(Certificate{ + Certificate: certMsg.certificates, +@@ -594,7 +592,7 @@ func (hs *serverHandshakeState) doFullHa + pub = c.peerCertificates[0].PublicKey + } + +- msg, err = c.readHandshake() ++ msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } +@@ -612,7 +610,6 @@ func (hs *serverHandshakeState) doFullHa + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(ckx, msg) + } +- hs.finishedHash.Write(ckx.marshal()) + + preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers) + if err != nil { +@@ -632,7 +629,10 @@ func (hs *serverHandshakeState) doFullHa + // to the client's certificate. This allows us to verify that the client is in + // possession of the private key of the certificate. + if len(c.peerCertificates) > 0 { +- msg, err = c.readHandshake() ++ // certificateVerifyMsg is included in the transcript, but not until ++ // after we verify the handshake signature, since the state before ++ // this message was sent is used. 
++ msg, err = c.readHandshake(nil) + if err != nil { + return err + } +@@ -667,7 +667,9 @@ func (hs *serverHandshakeState) doFullHa + return errors.New("tls: invalid signature by the client certificate: " + err.Error()) + } + +- hs.finishedHash.Write(certVerify.marshal()) ++ if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil { ++ return err ++ } + } + + hs.finishedHash.discardHandshakeBuffer() +@@ -707,7 +709,10 @@ func (hs *serverHandshakeState) readFini + return err + } + +- msg, err := c.readHandshake() ++ // finishedMsg is included in the transcript, but not until after we ++ // check the client version, since the state before this message was ++ // sent is used during verification. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -724,7 +729,10 @@ func (hs *serverHandshakeState) readFini + return errors.New("tls: client's Finished message is incorrect") + } + +- hs.finishedHash.Write(clientFinished.marshal()) ++ if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil { ++ return err ++ } ++ + copy(out, verify) + return nil + } +@@ -758,14 +766,16 @@ func (hs *serverHandshakeState) sendSess + masterSecret: hs.masterSecret, + certificates: certsFromClient, + } +- var err error +- m.ticket, err = c.encryptTicket(state.marshal()) ++ stateBytes, err := state.marshal() ++ if err != nil { ++ return err ++ } ++ m.ticket, err = c.encryptTicket(stateBytes) + if err != nil { + return err + } + +- hs.finishedHash.Write(m.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil { + return err + } + +@@ -775,14 +785,13 @@ func (hs *serverHandshakeState) sendSess + func (hs *serverHandshakeState) sendFinished(out []byte) error { + c := hs.c + +- if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { ++ if err := c.writeChangeCipherRecord(); err != nil { + return err + } + + finished := 
new(finishedMsg) + finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) +- hs.finishedHash.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { + return err + } + +--- go.orig/src/crypto/tls/handshake_server_test.go ++++ go/src/crypto/tls/handshake_server_test.go +@@ -30,6 +30,13 @@ func testClientHello(t *testing.T, serve + testClientHelloFailure(t, serverConfig, m, "") + } + ++// testFatal is a hack to prevent the compiler from complaining that there is a ++// call to t.Fatal from a non-test goroutine ++func testFatal(t *testing.T, err error) { ++ t.Helper() ++ t.Fatal(err) ++} ++ + func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) { + c, s := localPipe(t) + go func() { +@@ -37,7 +44,9 @@ func testClientHelloFailure(t *testing.T + if ch, ok := m.(*clientHelloMsg); ok { + cli.vers = ch.vers + } +- cli.writeRecord(recordTypeHandshake, m.marshal()) ++ if _, err := cli.writeHandshakeRecord(m, nil); err != nil { ++ testFatal(t, err) ++ } + c.Close() + }() + ctx := context.Background() +@@ -194,7 +203,9 @@ func TestRenegotiationExtension(t *testi + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } + + buf := make([]byte, 1024) + n, err := c.Read(buf) +@@ -253,8 +264,10 @@ func TestTLS12OnlyCipherSuites(t *testin + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) +- reply, err := cli.readHandshake() ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } ++ reply, err := cli.readHandshake(nil) + c.Close() + if err != nil { + replyChan <- err +@@ -308,8 
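Review bot: testFatal only hides the call from vet; `t.Fatal` still runs on the goroutine started with `go func()`, and the testing package requires FailNow to be called from the goroutine running the test. On failure it ends only that goroutine, so in testClientHelloFailure the following `c.Close()` is skipped, and in TestTLS12OnlyCipherSuites and TestTLSPointFormats nothing is sent on `replyChan`, which may leave the test goroutine blocked (the receiving side is outside these hunks). Reporting with `if _, err := cli.writeHandshakeRecord(m, nil); err != nil { t.Error(err) }` and letting the goroutine go on to `c.Close()` keeps the failure visible without the helper. The same applies to the call sites in TestRenegotiationExtension and TestSNIGivenOnFailure.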
+321,10 @@ func TestTLSPointFormats(t *testing.T) { + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) +- reply, err := cli.readHandshake() ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } ++ reply, err := cli.readHandshake(nil) + c.Close() + if err != nil { + replyChan <- err +@@ -1425,7 +1440,9 @@ func TestSNIGivenOnFailure(t *testing.T) + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers +- cli.writeRecord(recordTypeHandshake, clientHello.marshal()) ++ if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { ++ testFatal(t, err) ++ } + c.Close() + }() + conn := Server(s, serverConfig) +--- go.orig/src/crypto/tls/handshake_server_tls13.go ++++ go/src/crypto/tls/handshake_server_tls13.go +@@ -298,7 +298,12 @@ func (hs *serverHandshakeStateTLS13) che + c.sendAlert(alertInternalError) + return errors.New("tls: internal error: failed to clone hash") + } +- transcript.Write(hs.clientHello.marshalWithoutBinders()) ++ clientHelloBytes, err := hs.clientHello.marshalWithoutBinders() ++ if err != nil { ++ c.sendAlert(alertInternalError) ++ return err ++ } ++ transcript.Write(clientHelloBytes) + pskBinder := hs.suite.finishedHash(binderKey, transcript) + if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) { + c.sendAlert(alertDecryptError) +@@ -389,8 +394,7 @@ func (hs *serverHandshakeStateTLS13) sen + } + hs.sentDummyCCS = true + +- _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) +- return err ++ return hs.c.writeChangeCipherRecord() + } + + func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error { +@@ -398,7 +402,9 @@ func (hs *serverHandshakeStateTLS13) doH + + // The first ClientHello gets double-hashed into the transcript upon a + // HelloRetryRequest. See RFC 8446, Section 4.4.1. 
+- hs.transcript.Write(hs.clientHello.marshal()) ++ if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { ++ return err ++ } + chHash := hs.transcript.Sum(nil) + hs.transcript.Reset() + hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) +@@ -414,8 +420,7 @@ func (hs *serverHandshakeStateTLS13) doH + selectedGroup: selectedGroup, + } + +- hs.transcript.Write(helloRetryRequest.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil { + return err + } + +@@ -423,7 +428,8 @@ func (hs *serverHandshakeStateTLS13) doH + return err + } + +- msg, err := c.readHandshake() ++ // clientHelloMsg is not included in the transcript. ++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +@@ -514,9 +520,10 @@ func illegalClientHelloChange(ch, ch1 *c + func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + c := hs.c + +- hs.transcript.Write(hs.clientHello.marshal()) +- hs.transcript.Write(hs.hello.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { ++ if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { ++ return err ++ } ++ if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { + return err + } + +@@ -559,8 +566,7 @@ func (hs *serverHandshakeStateTLS13) sen + encryptedExtensions.alpnProtocol = selectedProto + c.clientProtocol = selectedProto + +- hs.transcript.Write(encryptedExtensions.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil { + return err + } + +@@ -589,8 +595,7 @@ func (hs *serverHandshakeStateTLS13) sen + certReq.certificateAuthorities = c.config.ClientCAs.Subjects() + } + +- hs.transcript.Write(certReq.marshal()) +- if _, err := 
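Review bot: The marshal-failure return added in doHelloRetryRequest (`if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { return err }`) sends no alert, whereas the marshalWithoutBinders failure in checkForResumption and the `state.marshal()` failure in the session-ticket hunk of this file call `c.sendAlert(alertInternalError)` first. Unless a caller outside these hunks sends the alert, the peer sees the connection drop without one on this path; the same holds for the transcriptMsg calls in sendServerParameters and in the hunks that hash the client's certificateVerifyMsg and finishedMsg. Adding `hs.c.sendAlert(alertInternalError)` before `return err` would make the paths agree. The function body starts and ends outside the hunk.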
c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certReq, hs.transcript); err != nil { + return err + } + } +@@ -601,8 +606,7 @@ func (hs *serverHandshakeStateTLS13) sen + certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0 + certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 + +- hs.transcript.Write(certMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { + return err + } + +@@ -633,8 +637,7 @@ func (hs *serverHandshakeStateTLS13) sen + } + certVerifyMsg.signature = sig + +- hs.transcript.Write(certVerifyMsg.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { + return err + } + +@@ -648,8 +651,7 @@ func (hs *serverHandshakeStateTLS13) sen + verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), + } + +- hs.transcript.Write(finished.marshal()) +- if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { ++ if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { + return err + } + +@@ -710,7 +712,9 @@ func (hs *serverHandshakeStateTLS13) sen + finishedMsg := &finishedMsg{ + verifyData: hs.clientFinished, + } +- hs.transcript.Write(finishedMsg.marshal()) ++ if err := transcriptMsg(finishedMsg, hs.transcript); err != nil { ++ return err ++ } + + if !hs.shouldSendSessionTickets() { + return nil +@@ -735,8 +739,12 @@ func (hs *serverHandshakeStateTLS13) sen + SignedCertificateTimestamps: c.scts, + }, + } +- var err error +- m.label, err = c.encryptTicket(state.marshal()) ++ stateBytes, err := state.marshal() ++ if err != nil { ++ c.sendAlert(alertInternalError) ++ return err ++ } ++ m.label, err = c.encryptTicket(stateBytes) + if 
err != nil { + return err + } +@@ -755,7 +763,7 @@ func (hs *serverHandshakeStateTLS13) sen + // ticket_nonce, which must be unique per connection, is always left at + // zero because we only ever send one ticket per connection. + +- if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { ++ if _, err := c.writeHandshakeRecord(m, nil); err != nil { + return err + } + +@@ -780,7 +788,7 @@ func (hs *serverHandshakeStateTLS13) rea + // If we requested a client certificate, then the client must send a + // certificate message. If it's empty, no CertificateVerify is sent. + +- msg, err := c.readHandshake() ++ msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } +@@ -790,7 +798,6 @@ func (hs *serverHandshakeStateTLS13) rea + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } +- hs.transcript.Write(certMsg.marshal()) + + if err := c.processCertsFromClient(certMsg.certificate); err != nil { + return err +@@ -804,7 +811,10 @@ func (hs *serverHandshakeStateTLS13) rea + } + + if len(certMsg.certificate.Certificate) != 0 { +- msg, err = c.readHandshake() ++ // certificateVerifyMsg is included in the transcript, but not until ++ // after we verify the handshake signature, since the state before ++ // this message was sent is used. ++ msg, err = c.readHandshake(nil) + if err != nil { + return err + } +@@ -835,7 +845,9 @@ func (hs *serverHandshakeStateTLS13) rea + return errors.New("tls: invalid signature by the client certificate: " + err.Error()) + } + +- hs.transcript.Write(certVerify.marshal()) ++ if err := transcriptMsg(certVerify, hs.transcript); err != nil { ++ return err ++ } + } + + // If we waited until the client certificates to send session tickets, we +@@ -850,7 +862,8 @@ func (hs *serverHandshakeStateTLS13) rea + func (hs *serverHandshakeStateTLS13) readClientFinished() error { + c := hs.c + +- msg, err := c.readHandshake() ++ // finishedMsg is not included in the transcript. 
++ msg, err := c.readHandshake(nil) + if err != nil { + return err + } +--- go.orig/src/crypto/tls/key_schedule.go ++++ go/src/crypto/tls/key_schedule.go +@@ -8,6 +8,7 @@ import ( + "crypto/elliptic" + "crypto/hmac" + "errors" ++ "fmt" + "hash" + "io" + "math/big" +@@ -42,8 +43,24 @@ func (c *cipherSuiteTLS13) expandLabel(s + hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(context) + }) ++ hkdfLabelBytes, err := hkdfLabel.Bytes() ++ if err != nil { ++ // Rather than calling BytesOrPanic, we explicitly handle this error, in ++ // order to provide a reasonable error message. It should be basically ++ // impossible for this to panic, and routing errors back through the ++ // tree rooted in this function is quite painful. The labels are fixed ++ // size, and the context is either a fixed-length computed hash, or ++ // parsed from a field which has the same length limitation. As such, an ++ // error here is likely to only be caused during development. ++ // ++ // NOTE: another reasonable approach here might be to return a ++ // randomized slice if we encounter an error, which would break the ++ // connection, but avoid panicking. This would perhaps be safer but ++ // significantly more confusing to users. 
++ panic(fmt.Errorf("failed to construct HKDF label: %s", err)) ++ } + out := make([]byte, length) +- n, err := hkdf.Expand(c.hash.New, secret, hkdfLabel.BytesOrPanic()).Read(out) ++ n, err := hkdf.Expand(c.hash.New, secret, hkdfLabelBytes).Read(out) + if err != nil || n != length { + panic("tls: HKDF-Expand-Label invocation failed unexpectedly") + } +--- go.orig/src/crypto/tls/ticket.go ++++ go/src/crypto/tls/ticket.go +@@ -32,7 +32,7 @@ type sessionState struct { + usedOldKey bool + } + +-func (m *sessionState) marshal() []byte { ++func (m *sessionState) marshal() ([]byte, error) { + var b cryptobyte.Builder + b.AddUint16(m.vers) + b.AddUint16(m.cipherSuite) +@@ -47,7 +47,7 @@ func (m *sessionState) marshal() []byte + }) + } + }) +- return b.BytesOrPanic() ++ return b.Bytes() + } + + func (m *sessionState) unmarshal(data []byte) bool { +@@ -86,7 +86,7 @@ type sessionStateTLS13 struct { + certificate Certificate // CertificateEntry certificate_list<0..2^24-1>; + } + +-func (m *sessionStateTLS13) marshal() []byte { ++func (m *sessionStateTLS13) marshal() ([]byte, error) { + var b cryptobyte.Builder + b.AddUint16(VersionTLS13) + b.AddUint8(0) // revision +@@ -96,7 +96,7 @@ func (m *sessionStateTLS13) marshal() [] + b.AddBytes(m.resumptionSecret) + }) + marshalCertificate(&b, m.certificate) +- return b.BytesOrPanic() ++ return b.Bytes() + } + + func (m *sessionStateTLS13) unmarshal(data []byte) bool { diff --git a/meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch b/meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch new file mode 100644 index 0000000000..a71d07e3f1 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch 
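Review bot: The new panic in expandLabel is worded and typed differently from the one a few lines below it: it has no `tls:` prefix and panics with an error value, while the existing one panics with the string "tls: HKDF-Expand-Label invocation failed unexpectedly". `panic(fmt.Errorf("tls: failed to construct HKDF label: %s", err))` would keep both recognisable as coming from this package in a crash log. The long comment rests on the context fitting the one-byte length prefix written by `AddUint8LengthPrefixed`; one sentence on the function's doc comment stating that precondition would make it visible to callers. expandLabel's body starts outside the hunk.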
@@ -0,0 +1,652 @@ +From 5c55ac9bf1e5f779220294c843526536605f42ab Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Wed, 25 Jan 2023 09:27:01 -0800 +Subject: [PATCH] [release-branch.go1.19] mime/multipart: limit memory/inode + consumption of ReadForm + +Reader.ReadForm is documented as storing "up to maxMemory bytes + 10MB" +in memory. Parsed forms can consume substantially more memory than +this limit, since ReadForm does not account for map entry overhead +and MIME headers. + +In addition, while the amount of disk memory consumed by ReadForm can +be constrained by limiting the size of the parsed input, ReadForm will +create one temporary file per form part stored on disk, potentially +consuming a large number of inodes. + +Update ReadForm's memory accounting to include part names, +MIME headers, and map entry overhead. + +Update ReadForm to store all on-disk file parts in a single +temporary file. + +Files returned by FileHeader.Open are documented as having a concrete +type of *os.File when a file is stored on disk. The change to use a +single temporary file for all parts means that this is no longer the +case when a form contains more than a single file part stored on disk. + +The previous behavior of storing each file part in a separate disk +file may be reenabled with GODEBUG=multipartfiles=distinct. + +Update Reader.NextPart and Reader.NextRawPart to set a 10MiB cap +on the size of MIME headers. + +Thanks to Jakob Ackermann (@das7pad) for reporting this issue. 
+ +Updates #58006 +Fixes #58362 +Fixes CVE-2022-41725 + +Change-Id: Ibd780a6c4c83ac8bcfd3cbe344f042e9940f2eab +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1714276 +Reviewed-by: Julie Qiu <julieqiu@google.com> +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +(cherry picked from commit ed4664330edcd91b24914c9371c377c132dbce8c) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728949 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/468116 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Than McIntosh <thanm@google.com> +Run-TryBot: Michael Pratt <mpratt@google.com> +Auto-Submit: Michael Pratt <mpratt@google.com> +--- + +CVE: CVE-2022-41725 + +Upstream-Status: Backport [see text] + +https://github.com/golong/go.git commit 5c55ac9bf1e5... 
+modified for reader.go + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +___ + src/mime/multipart/formdata.go | 132 ++++++++++++++++++++----- + src/mime/multipart/formdata_test.go | 140 ++++++++++++++++++++++++++- + src/mime/multipart/multipart.go | 25 +++-- + src/mime/multipart/readmimeheader.go | 14 +++ + src/net/http/request_test.go | 2 +- + src/net/textproto/reader.go | 20 +++- + 6 files changed, 295 insertions(+), 38 deletions(-) + create mode 100644 src/mime/multipart/readmimeheader.go + +--- go.orig/src/mime/multipart/formdata.go ++++ go/src/mime/multipart/formdata.go +@@ -7,6 +7,7 @@ package multipart + import ( + "bytes" + "errors" ++ "internal/godebug" + "io" + "math" + "net/textproto" +@@ -33,23 +34,58 @@ func (r *Reader) ReadForm(maxMemory int6 + + func (r *Reader) readForm(maxMemory int64) (_ *Form, err error) { + form := &Form{make(map[string][]string), make(map[string][]*FileHeader)} ++ var ( ++ file *os.File ++ fileOff int64 ++ ) ++ numDiskFiles := 0 ++ multipartFiles := godebug.Get("multipartfiles") ++ combineFiles := multipartFiles != "distinct" + defer func() { ++ if file != nil { ++ if cerr := file.Close(); err == nil { ++ err = cerr ++ } ++ } ++ if combineFiles && numDiskFiles > 1 { ++ for _, fhs := range form.File { ++ for _, fh := range fhs { ++ fh.tmpshared = true ++ } ++ } ++ } + if err != nil { + form.RemoveAll() ++ if file != nil { ++ os.Remove(file.Name()) ++ } + } + }() + +- // Reserve an additional 10 MB for non-file parts. +- maxValueBytes := maxMemory + int64(10<<20) +- if maxValueBytes <= 0 { ++ // maxFileMemoryBytes is the maximum bytes of file data we will store in memory. ++ // Data past this limit is written to disk. ++ // This limit strictly applies to content, not metadata (filenames, MIME headers, etc.), ++ // since metadata is always stored in memory, not disk. 
++ // ++ // maxMemoryBytes is the maximum bytes we will store in memory, including file content, ++ // non-file part values, metdata, and map entry overhead. ++ // ++ // We reserve an additional 10 MB in maxMemoryBytes for non-file data. ++ // ++ // The relationship between these parameters, as well as the overly-large and ++ // unconfigurable 10 MB added on to maxMemory, is unfortunate but difficult to change ++ // within the constraints of the API as documented. ++ maxFileMemoryBytes := maxMemory ++ maxMemoryBytes := maxMemory + int64(10<<20) ++ if maxMemoryBytes <= 0 { + if maxMemory < 0 { +- maxValueBytes = 0 ++ maxMemoryBytes = 0 + } else { +- maxValueBytes = math.MaxInt64 ++ maxMemoryBytes = math.MaxInt64 + } + } + for { +- p, err := r.NextPart() ++ p, err := r.nextPart(false, maxMemoryBytes) + if err == io.EOF { + break + } +@@ -63,16 +99,27 @@ func (r *Reader) readForm(maxMemory int6 + } + filename := p.FileName() + ++ // Multiple values for the same key (one map entry, longer slice) are cheaper ++ // than the same number of values for different keys (many map entries), but ++ // using a consistent per-value cost for overhead is simpler. ++ maxMemoryBytes -= int64(len(name)) ++ maxMemoryBytes -= 100 // map overhead ++ if maxMemoryBytes < 0 { ++ // We can't actually take this path, since nextPart would already have ++ // rejected the MIME headers for being too large. Check anyway. 
++ return nil, ErrMessageTooLarge ++ } ++ + var b bytes.Buffer + + if filename == "" { + // value, store as string in memory +- n, err := io.CopyN(&b, p, maxValueBytes+1) ++ n, err := io.CopyN(&b, p, maxMemoryBytes+1) + if err != nil && err != io.EOF { + return nil, err + } +- maxValueBytes -= n +- if maxValueBytes < 0 { ++ maxMemoryBytes -= n ++ if maxMemoryBytes < 0 { + return nil, ErrMessageTooLarge + } + form.Value[name] = append(form.Value[name], b.String()) +@@ -80,35 +127,45 @@ func (r *Reader) readForm(maxMemory int6 + } + + // file, store in memory or on disk ++ maxMemoryBytes -= mimeHeaderSize(p.Header) ++ if maxMemoryBytes < 0 { ++ return nil, ErrMessageTooLarge ++ } + fh := &FileHeader{ + Filename: filename, + Header: p.Header, + } +- n, err := io.CopyN(&b, p, maxMemory+1) ++ n, err := io.CopyN(&b, p, maxFileMemoryBytes+1) + if err != nil && err != io.EOF { + return nil, err + } +- if n > maxMemory { +- // too big, write to disk and flush buffer +- file, err := os.CreateTemp("", "multipart-") +- if err != nil { +- return nil, err ++ if n > maxFileMemoryBytes { ++ if file == nil { ++ file, err = os.CreateTemp(r.tempDir, "multipart-") ++ if err != nil { ++ return nil, err ++ } + } ++ numDiskFiles++ + size, err := io.Copy(file, io.MultiReader(&b, p)) +- if cerr := file.Close(); err == nil { +- err = cerr +- } + if err != nil { +- os.Remove(file.Name()) + return nil, err + } + fh.tmpfile = file.Name() + fh.Size = size ++ fh.tmpoff = fileOff ++ fileOff += size ++ if !combineFiles { ++ if err := file.Close(); err != nil { ++ return nil, err ++ } ++ file = nil ++ } + } else { + fh.content = b.Bytes() + fh.Size = int64(len(fh.content)) +- maxMemory -= n +- maxValueBytes -= n ++ maxFileMemoryBytes -= n ++ maxMemoryBytes -= n + } + form.File[name] = append(form.File[name], fh) + } +@@ -116,6 +173,17 @@ func (r *Reader) readForm(maxMemory int6 + return form, nil + } + ++func mimeHeaderSize(h textproto.MIMEHeader) (size int64) { ++ for k, vs := range h { ++ size += 
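Review bot: `fileOff` keeps growing when `combineFiles` is false: the distinct branch closes the file and sets `file = nil`, but the next part still gets `fh.tmpoff = fileOff` from the sizes of earlier parts although it starts at offset 0 of its own temp file. This is harmless while `tmpoff` is read only when `tmpshared` is set, which is what the Open hunk further down does, but it leaves a wrong offset in the struct for any later reader of the field. Adding `fileOff = 0` next to `file = nil` keeps the field truthful. readForm's loop starts outside this hunk.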
int64(len(k)) ++ size += 100 // map entry overhead ++ for _, v := range vs { ++ size += int64(len(v)) ++ } ++ } ++ return size ++} ++ + // Form is a parsed multipart form. + // Its File parts are stored either in memory or on disk, + // and are accessible via the *FileHeader's Open method. +@@ -133,7 +201,7 @@ func (f *Form) RemoveAll() error { + for _, fh := range fhs { + if fh.tmpfile != "" { + e := os.Remove(fh.tmpfile) +- if e != nil && err == nil { ++ if e != nil && !errors.Is(e, os.ErrNotExist) && err == nil { + err = e + } + } +@@ -148,15 +216,25 @@ type FileHeader struct { + Header textproto.MIMEHeader + Size int64 + +- content []byte +- tmpfile string ++ content []byte ++ tmpfile string ++ tmpoff int64 ++ tmpshared bool + } + + // Open opens and returns the FileHeader's associated File. + func (fh *FileHeader) Open() (File, error) { + if b := fh.content; b != nil { + r := io.NewSectionReader(bytes.NewReader(b), 0, int64(len(b))) +- return sectionReadCloser{r}, nil ++ return sectionReadCloser{r, nil}, nil ++ } ++ if fh.tmpshared { ++ f, err := os.Open(fh.tmpfile) ++ if err != nil { ++ return nil, err ++ } ++ r := io.NewSectionReader(f, fh.tmpoff, fh.Size) ++ return sectionReadCloser{r, f}, nil + } + return os.Open(fh.tmpfile) + } +@@ -175,8 +253,12 @@ type File interface { + + type sectionReadCloser struct { + *io.SectionReader ++ io.Closer + } + + func (rc sectionReadCloser) Close() error { ++ if rc.Closer != nil { ++ return rc.Closer.Close() ++ } + return nil + } +--- go.orig/src/mime/multipart/formdata_test.go ++++ go/src/mime/multipart/formdata_test.go +@@ -6,8 +6,10 @@ package multipart + + import ( + "bytes" ++ "fmt" + "io" + "math" ++ "net/textproto" + "os" + "strings" + "testing" +@@ -208,8 +210,8 @@ Content-Disposition: form-data; name="la + maxMemory int64 + err error + }{ +- {"smaller", 50, nil}, +- {"exact-fit", 25, nil}, ++ {"smaller", 50 + int64(len("largetext")) + 100, nil}, ++ {"exact-fit", 25 + int64(len("largetext")) + 100, nil}, + 
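Review bot: The doc comment on Open still reads only "Open opens and returns the FileHeader's associated File", while the new `tmpshared` branch returns a `sectionReadCloser` over a shared temp file instead of the `*os.File` that on-disk parts used to yield. The patch description records this change, so the comment should carry it too, e.g. `// When several parts share one temporary file, the returned File is not an *os.File.` Code in the image that type-asserts the result to `*os.File` would need the `GODEBUG=multipartfiles=distinct` setting described in the patch header.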
{"too-large", 0, ErrMessageTooLarge}, + } + for _, tc := range testCases { +@@ -224,7 +226,7 @@ Content-Disposition: form-data; name="la + defer f.RemoveAll() + } + if tc.err != err { +- t.Fatalf("ReadForm error - got: %v; expected: %v", tc.err, err) ++ t.Fatalf("ReadForm error - got: %v; expected: %v", err, tc.err) + } + if err == nil { + if g := f.Value["largetext"][0]; g != largeTextValue { +@@ -234,3 +236,135 @@ Content-Disposition: form-data; name="la + }) + } + } ++ ++// TestReadForm_MetadataTooLarge verifies that we account for the size of field names, ++// MIME headers, and map entry overhead while limiting the memory consumption of parsed forms. ++func TestReadForm_MetadataTooLarge(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ f func(*Writer) ++ }{{ ++ name: "large name", ++ f: func(fw *Writer) { ++ name := strings.Repeat("a", 10<<20) ++ w, _ := fw.CreateFormField(name) ++ w.Write([]byte("value")) ++ }, ++ }, { ++ name: "large MIME header", ++ f: func(fw *Writer) { ++ h := make(textproto.MIMEHeader) ++ h.Set("Content-Disposition", `form-data; name="a"`) ++ h.Set("X-Foo", strings.Repeat("a", 10<<20)) ++ w, _ := fw.CreatePart(h) ++ w.Write([]byte("value")) ++ }, ++ }, { ++ name: "many parts", ++ f: func(fw *Writer) { ++ for i := 0; i < 110000; i++ { ++ w, _ := fw.CreateFormField("f") ++ w.Write([]byte("v")) ++ } ++ }, ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ var buf bytes.Buffer ++ fw := NewWriter(&buf) ++ test.f(fw) ++ if err := fw.Close(); err != nil { ++ t.Fatal(err) ++ } ++ fr := NewReader(&buf, fw.Boundary()) ++ _, err := fr.ReadForm(0) ++ if err != ErrMessageTooLarge { ++ t.Errorf("fr.ReadForm() = %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++// TestReadForm_ManyFiles_Combined tests that a multipart form containing many files only ++// results in a single on-disk file. 
++func TestReadForm_ManyFiles_Combined(t *testing.T) { ++ const distinct = false ++ testReadFormManyFiles(t, distinct) ++} ++ ++// TestReadForm_ManyFiles_Distinct tests that setting GODEBUG=multipartfiles=distinct ++// results in every file in a multipart form being placed in a distinct on-disk file. ++func TestReadForm_ManyFiles_Distinct(t *testing.T) { ++ t.Setenv("GODEBUG", "multipartfiles=distinct") ++ const distinct = true ++ testReadFormManyFiles(t, distinct) ++} ++ ++func testReadFormManyFiles(t *testing.T, distinct bool) { ++ var buf bytes.Buffer ++ fw := NewWriter(&buf) ++ const numFiles = 10 ++ for i := 0; i < numFiles; i++ { ++ name := fmt.Sprint(i) ++ w, err := fw.CreateFormFile(name, name) ++ if err != nil { ++ t.Fatal(err) ++ } ++ w.Write([]byte(name)) ++ } ++ if err := fw.Close(); err != nil { ++ t.Fatal(err) ++ } ++ fr := NewReader(&buf, fw.Boundary()) ++ fr.tempDir = t.TempDir() ++ form, err := fr.ReadForm(0) ++ if err != nil { ++ t.Fatal(err) ++ } ++ for i := 0; i < numFiles; i++ { ++ name := fmt.Sprint(i) ++ if got := len(form.File[name]); got != 1 { ++ t.Fatalf("form.File[%q] has %v entries, want 1", name, got) ++ } ++ fh := form.File[name][0] ++ file, err := fh.Open() ++ if err != nil { ++ t.Fatalf("form.File[%q].Open() = %v", name, err) ++ } ++ if distinct { ++ if _, ok := file.(*os.File); !ok { ++ t.Fatalf("form.File[%q].Open: %T, want *os.File", name, file) ++ } ++ } ++ got, err := io.ReadAll(file) ++ file.Close() ++ if string(got) != name || err != nil { ++ t.Fatalf("read form.File[%q]: %q, %v; want %q, nil", name, string(got), err, name) ++ } ++ } ++ dir, err := os.Open(fr.tempDir) ++ if err != nil { ++ t.Fatal(err) ++ } ++ defer dir.Close() ++ names, err := dir.Readdirnames(0) ++ if err != nil { ++ t.Fatal(err) ++ } ++ wantNames := 1 ++ if distinct { ++ wantNames = numFiles ++ } ++ if len(names) != wantNames { ++ t.Fatalf("temp dir contains %v files; want 1", len(names)) ++ } ++ if err := form.RemoveAll(); err != nil { ++ 
t.Fatalf("form.RemoveAll() = %v", err) ++ } ++ names, err = dir.Readdirnames(0) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if len(names) != 0 { ++ t.Fatalf("temp dir contains %v files; want 0", len(names)) ++ } ++} +--- go.orig/src/mime/multipart/multipart.go ++++ go/src/mime/multipart/multipart.go +@@ -128,12 +128,12 @@ func (r *stickyErrorReader) Read(p []byt + return n, r.err + } + +-func newPart(mr *Reader, rawPart bool) (*Part, error) { ++func newPart(mr *Reader, rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { + bp := &Part{ + Header: make(map[string][]string), + mr: mr, + } +- if err := bp.populateHeaders(); err != nil { ++ if err := bp.populateHeaders(maxMIMEHeaderSize); err != nil { + return nil, err + } + bp.r = partReader{bp} +@@ -149,12 +149,16 @@ func newPart(mr *Reader, rawPart bool) ( + return bp, nil + } + +-func (bp *Part) populateHeaders() error { ++func (bp *Part) populateHeaders(maxMIMEHeaderSize int64) error { + r := textproto.NewReader(bp.mr.bufReader) +- header, err := r.ReadMIMEHeader() ++ header, err := readMIMEHeader(r, maxMIMEHeaderSize) + if err == nil { + bp.Header = header + } ++ // TODO: Add a distinguishable error to net/textproto. ++ if err != nil && err.Error() == "message too large" { ++ err = ErrMessageTooLarge ++ } + return err + } + +@@ -294,6 +298,7 @@ func (p *Part) Close() error { + // isn't supported. + type Reader struct { + bufReader *bufio.Reader ++ tempDir string // used in tests + + currentPart *Part + partsRead int +@@ -304,6 +309,10 @@ type Reader struct { + dashBoundary []byte // "--boundary" + } + ++// maxMIMEHeaderSize is the maximum size of a MIME header we will parse, ++// including header keys, values, and map overhead. ++const maxMIMEHeaderSize = 10 << 20 ++ + // NextPart returns the next part in the multipart or an error. + // When there are no more parts, the error io.EOF is returned. 
+ // +@@ -311,7 +320,7 @@ type Reader struct { + // has a value of "quoted-printable", that header is instead + // hidden and the body is transparently decoded during Read calls. + func (r *Reader) NextPart() (*Part, error) { +- return r.nextPart(false) ++ return r.nextPart(false, maxMIMEHeaderSize) + } + + // NextRawPart returns the next part in the multipart or an error. +@@ -320,10 +329,10 @@ func (r *Reader) NextPart() (*Part, erro + // Unlike NextPart, it does not have special handling for + // "Content-Transfer-Encoding: quoted-printable". + func (r *Reader) NextRawPart() (*Part, error) { +- return r.nextPart(true) ++ return r.nextPart(true, maxMIMEHeaderSize) + } + +-func (r *Reader) nextPart(rawPart bool) (*Part, error) { ++func (r *Reader) nextPart(rawPart bool, maxMIMEHeaderSize int64) (*Part, error) { + if r.currentPart != nil { + r.currentPart.Close() + } +@@ -348,7 +357,7 @@ func (r *Reader) nextPart(rawPart bool) + + if r.isBoundaryDelimiterLine(line) { + r.partsRead++ +- bp, err := newPart(r, rawPart) ++ bp, err := newPart(r, rawPart, maxMIMEHeaderSize) + if err != nil { + return nil, err + } +--- /dev/null ++++ go/src/mime/multipart/readmimeheader.go +@@ -0,0 +1,14 @@ ++// Copyright 2023 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++package multipart ++ ++import ( ++ "net/textproto" ++ _ "unsafe" // for go:linkname ++) ++ ++// readMIMEHeader is defined in package net/textproto. 
++// ++//go:linkname readMIMEHeader net/textproto.readMIMEHeader ++func readMIMEHeader(r *textproto.Reader, lim int64) (textproto.MIMEHeader, error) +--- go.orig/src/net/http/request_test.go ++++ go/src/net/http/request_test.go +@@ -1110,7 +1110,7 @@ func testMissingFile(t *testing.T, req * + t.Errorf("FormFile file = %v, want nil", f) + } + if fh != nil { +- t.Errorf("FormFile file header = %q, want nil", fh) ++ t.Errorf("FormFile file header = %v, want nil", fh) + } + if err != ErrMissingFile { + t.Errorf("FormFile err = %q, want ErrMissingFile", err) +--- go.orig/src/net/textproto/reader.go ++++ go/src/net/textproto/reader.go +@@ -7,8 +7,10 @@ package textproto + import ( + "bufio" + "bytes" ++ "errors" + "fmt" + "io" ++ "math" + "strconv" + "strings" + "sync" +@@ -481,6 +483,12 @@ func (r *Reader) ReadDotLines() ([]strin + // } + // + func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) { ++ return readMIMEHeader(r, math.MaxInt64) ++} ++ ++// readMIMEHeader is a version of ReadMIMEHeader which takes a limit on the header size. ++// It is called by the mime/multipart package. ++func readMIMEHeader(r *Reader, lim int64) (MIMEHeader, error) { + // Avoid lots of small slice allocations later by allocating one + // large one ahead of time which we'll cut up into smaller + // slices. If this isn't big enough later, we allocate small ones. +@@ -521,6 +529,16 @@ func (r *Reader) ReadMIMEHeader() (MIMEH + continue + } + ++ // backport 5c55ac9bf1e5f779220294c843526536605f42ab ++ // ++ // value is computed as ++ // ++ // value := string(bytes.TrimLeft(v, " \t")) ++ // ++ // in the original patch from 1.19. This relies on ++ // 'v' which does not exist in 1.17. We leave the ++ // 1.17 method unchanged. ++ + // Skip initial spaces in value. 
+ i++ // skip colon + for i < len(kv) && (kv[i] == ' ' || kv[i] == '\t') { +@@ -529,6 +547,16 @@ func (r *Reader) ReadMIMEHeader() (MIMEH + value := string(kv[i:]) + + vv := m[key] ++ if vv == nil { ++ lim -= int64(len(key)) ++ lim -= 100 // map entry overhead ++ } ++ lim -= int64(len(value)) ++ if lim < 0 { ++ // TODO: This should be a distinguishable error (ErrMessageTooLarge) ++ // to allow mime/multipart to detect it. ++ return m, errors.New("message too large") ++ } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. + // Most headers aren't multi-valued. diff --git a/meta/recipes-devtools/go/go-1.20/0010-net-Fix-issue-with-DNS-not-being-updated.patch b/meta/recipes-devtools/go/go-1.20/0010-net-Fix-issue-with-DNS-not-being-updated.patch new file mode 100644 index 0000000000..6ead518843 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.20/0010-net-Fix-issue-with-DNS-not-being-updated.patch 
@@ -0,0 +1,51 @@
+From 20176b390e28daa86b4552965cb7bd9181983c4d Mon Sep 17 00:00:00 2001
+From: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
+Date: Mon, 6 Nov 2023 20:11:19 -0600
+Subject: [PATCH] net: Fix issue with DNS not being updated
+
+When dns requests are made, go's native DNS resolver only reads
+/etc/resolv.conf if the previous request is older than 5 seconds.
+
+On first network call, an initialization code runs that is
+supposed to initialize DNS data and set lastChecked time. There is a bug
+in this code that causes /etc/resolv.conf to not be read during
+initialization and the DNS data from program startup ends up being used
+until the next 5 seconds. This means that if /etc/resolv.conf changed
+between program startup and the first network call, old DNS data is
+still used until the next 5 seconds.
+
+This causes "docker pull" to fail the first time if docker daemon is
+started before networking is up.
+
+Upstream commit d52883f443e1d564b0300acdd382af1769bf0477 made lot of
+improvements to DNS resolver to fix some issues which also fixes this
+issue.
+This patch picks the relevant changes from it to fix this particular
+issue.
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d52883f443e1d564b0300acdd382af1769bf0477]
+
+Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
+---
+ src/net/dnsclient_unix.go | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/net/dnsclient_unix.go b/src/net/dnsclient_unix.go
+index 6dfd4af..520ffe6 100644
+--- a/src/net/dnsclient_unix.go
++++ b/src/net/dnsclient_unix.go
+@@ -337,10 +337,7 @@ var resolvConf resolverConfig
+ func (conf *resolverConfig) init() {
+ // Set dnsConfig and lastChecked so we don't parse
+ // resolv.conf twice the first time.
+- conf.dnsConfig = systemConf().resolv
+- if conf.dnsConfig == nil {
+- conf.dnsConfig = dnsReadConfig("/etc/resolv.conf")
+- }
++ conf.dnsConfig = dnsReadConfig("/etc/resolv.conf")
+ conf.lastChecked = time.Now()
+
+ // Prepare ch so that only one update of resolverConfig may
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch b/meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch
new file mode 100644
index 0000000000..1554aa975c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-39319.patch
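Review bot: The comment kept above the changed assignment in `init()` still reads as if the only goal were to avoid parsing resolv.conf twice, and nothing in the code records why `systemConf().resolv` is no longer reused. I would add a line such as `// Always re-read resolv.conf here: systemConf().resolv holds the data from program startup and may predate network setup.` so that a later cleanup does not reintroduce the stale-config path the commit message describes. Whether other code still consults `systemConf().resolv` cannot be seen from this hunk; if it does, the two copies can now disagree, which is worth confirming against the rest of dnsclient_unix.go. The body of `init()` continues past the end of the hunk.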
@@ -0,0 +1,254 @@ +From 2070531d2f53df88e312edace6c8dfc9686ab2f5 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu Aug 3 12:28:28 2023 -0700 +Subject: [PATCH] html/template: properly handle special tags within the script + context + +The HTML specification has incredibly complex rules for how to handle +"<!--", "<script", and "</script" when they appear within literals in +the script context. Rather than attempting to apply these restrictions +(which require a significantly more complex state machine) we apply +the workaround suggested in section 4.12.1.3 of the HTML specification [1]. + +More precisely, when "<!--", "<script", and "</script" appear within +literals (strings and regular expressions, ignoring comments since we +already elide their content) we replace the "<" with "\x3C". This avoids +the unintuitive behavior that using these tags within literals can cause, +by simply preventing the rendered content from triggering it. This may +break some correct usages of these tags, but on balance is more likely +to prevent XSS attacks where users are unknowingly either closing or not +closing the script blocks where they think they are. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. 
+ +Fixes #62197 +Fixes #62397 +Fixes CVE-2023-39319 + +[1] https://html.spec.whatwg.org/#restrictions-for-contents-of-script-elements + +Change-Id: Iab57b0532694827e3eddf57a7497ba1fab1746dc +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976594 +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014621 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526099 +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Cherry Mui <cherryyz@google.com> + +CVE: CVE-2023-39319 + +Upstream-Status: Backport [https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/go/build/deps_test.go | 6 ++-- + src/html/template/context.go | 14 ++++++++++ + src/html/template/escape.go | 26 ++++++++++++++++++ + src/html/template/escape_test.go | 47 +++++++++++++++++++++++++++++++- + src/html/template/transition.go | 15 ++++++++++ + 5 files changed, 104 insertions(+), 4 deletions(-) + +diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go +index dc3bb8c..359a00a 100644 +--- a/src/go/build/deps_test.go ++++ b/src/go/build/deps_test.go +@@ -255,15 +255,15 @@ var depsRules = ` + < text/template + < internal/lazytemplate; + +- encoding/json, html, text/template +- < html/template; +- + # regexp + FMT + < regexp/syntax + < regexp + < internal/lazyregexp; + ++ encoding/json, html, text/template, regexp ++ < html/template; ++ + # suffix array + encoding/binary, regexp + < index/suffixarray; +diff --git a/src/html/template/context.go b/src/html/template/context.go +index 0b65313..f5f44a1 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -164,6 +164,20 @@ func isInTag(s state) bool { + return 
false + } + ++// isInScriptLiteral returns true if s is one of the literal states within a ++// <script> tag, and as such occurances of "<!--", "<script", and "</script" ++// need to be treated specially. ++func isInScriptLiteral(s state) bool { ++ // Ignore the comment states (stateJSBlockCmt, stateJSLineCmt, ++ // stateJSHTMLOpenCmt, stateJSHTMLCloseCmt) because their content is already ++ // omitted from the output. ++ switch s { ++ case stateJSDqStr, stateJSSqStr, stateJSBqStr, stateJSRegexp: ++ return true ++ } ++ return false ++} ++ + // delim is the delimiter that will end the current HTML attribute. + type delim uint8 + +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index bdccc65..1747ec9 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -10,6 +10,7 @@ import ( + "html" + "internal/godebug" + "io" ++ "regexp" + "text/template" + "text/template/parse" + ) +@@ -652,6 +653,26 @@ var delimEnds = [...]string{ + delimSpaceOrTagEnd: " \t\n\f\r>", + } + ++var ( ++ // Per WHATWG HTML specification, section 4.12.1.3, there are extremely ++ // complicated rules for how to handle the set of opening tags <!--, ++ // <script, and </script when they appear in JS literals (i.e. strings, ++ // regexs, and comments). The specification suggests a simple solution, ++ // rather than implementing the arcane ABNF, which involves simply escaping ++ // the opening bracket with \x3C. We use the below regex for this, since it ++ // makes doing the case-insensitive find-replace much simpler. ++ specialScriptTagRE = regexp.MustCompile("(?i)<(script|/script|!--)") ++ specialScriptTagReplacement = []byte("\\x3C$1") ++) ++ ++func containsSpecialScriptTag(s []byte) bool { ++ return specialScriptTagRE.Match(s) ++} ++ ++func escapeSpecialScriptTags(s []byte) []byte { ++ return specialScriptTagRE.ReplaceAll(s, specialScriptTagReplacement) ++} ++ + var doctypeBytes = []byte("<!DOCTYPE") + + // escapeText escapes a text template node. 
+@@ -707,6 +728,11 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context { + b.Write(s[written:cs]) + written = i1 + } ++ if isInScriptLiteral(c.state) && containsSpecialScriptTag(s[i:i1]) { ++ b.Write(s[written:i]) ++ b.Write(escapeSpecialScriptTags(s[i:i1])) ++ written = i1 ++ } + if i == i1 && c.state == c1.state { + panic(fmt.Sprintf("infinite loop from %v to %v on %q..%q", c, c1, s[:i], s[i:])) + } +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 4f48afe..7853daa 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -503,6 +503,21 @@ func TestEscape(t *testing.T) { + "<script>var a/*b*///c\nd</script>", + "<script>var a \nd</script>", + }, ++ { ++ "Special tags in <script> string literals", ++ `<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`, ++ `<script>var a = "asd < 123 \x3C!-- 456 < fgh \x3Cscript jkl < 789 \x3C/script"</script>`, ++ }, ++ { ++ "Special tags in <script> string literals (mixed case)", ++ `<script>var a = "<!-- <ScripT </ScripT"</script>`, ++ `<script>var a = "\x3C!-- \x3CScripT \x3C/ScripT"</script>`, ++ }, ++ { ++ "Special tags in <script> regex literals (mixed case)", ++ `<script>var a = /<!-- <ScripT </ScripT/</script>`, ++ `<script>var a = /\x3C!-- \x3CScripT \x3C/ScripT/</script>`, ++ }, + { + "CSS comments", + "<style>p// paragraph\n" + +@@ -1491,8 +1506,38 @@ func TestEscapeText(t *testing.T) { + context{state: stateJS, element: elementScript}, + }, + { ++ // <script and </script tags are escaped, so </script> should not ++ // cause us to exit the JS state. 
+ `<script>document.write("<script>alert(1)</script>");`, +- context{state: stateText}, ++ context{state: stateJS, element: elementScript}, ++ }, ++ { ++ `<script>document.write("<script>`, ++ context{state: stateJSDqStr, element: elementScript}, ++ }, ++ { ++ `<script>document.write("<script>alert(1)</script>`, ++ context{state: stateJSDqStr, element: elementScript}, ++ }, ++ { ++ `<script>document.write("<script>alert(1)<!--`, ++ context{state: stateJSDqStr, element: elementScript}, ++ }, ++ { ++ `<script>document.write("<script>alert(1)</Script>");`, ++ context{state: stateJS, element: elementScript}, ++ }, ++ { ++ `<script>document.write("<!--");`, ++ context{state: stateJS, element: elementScript}, ++ }, ++ { ++ `<script>let a = /</script`, ++ context{state: stateJSRegexp, element: elementScript}, ++ }, ++ { ++ `<script>let a = /</script/`, ++ context{state: stateJS, element: elementScript, jsCtx: jsCtxDivOp}, + }, + { + `<script type="text/template">`, +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index 92eb351..e2660cc 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -212,6 +212,11 @@ var ( + // element states. + func tSpecialTagEnd(c context, s []byte) (context, int) { + if c.element != elementNone { ++ // script end tags ("</script") within script literals are ignored, so that ++ // we can properly escape them. ++ if c.element == elementScript && (isInScriptLiteral(c.state) || isComment(c.state)) { ++ return c, len(s) ++ } + if i := indexTagEnd(s, specialTagEndMarkers[c.element]); i != -1 { + return context{}, i + } +@@ -331,6 +336,16 @@ func tJSDelimited(c context, s []byte) (context, int) { + inCharset = true + case ']': + inCharset = false ++ case '/': ++ // If "</script" appears in a regex literal, the '/' should not ++ // close the regex literal, and it will later be escaped to ++ // "\x3C/script" in escapeText. 
++ if i > 0 && i+7 <= len(s) && bytes.Compare(bytes.ToLower(s[i-1:i+7]), []byte("</script")) == 0 { ++ i++ ++ } else if !inCharset { ++ c.state, c.jsCtx = stateJS, jsCtxDivOp ++ return c, i + 1 ++ } + default: + // end delimiter + if !inCharset { +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch b/meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch new file mode 100644 index 0000000000..ca78e552c2 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch 
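Review bot: The comment above `specialScriptTagRE` in the escape.go hunk lists the affected JS literals as "strings, regexs, and comments", while `isInScriptLiteral` in the context.go hunk returns true only for the three string states and `stateJSRegexp`, and its own comment says the comment states are skipped because their content is already omitted. Since `escapeText` rewrites `<` only when `isInScriptLiteral(c.state)` holds, the escape.go wording overstates what is escaped; I would change it to `(i.e. strings and regexps; comment content is already elided)`. The context.go comment also has the typo `occurances`, which should read `occurrences`. `escapeText` itself starts and ends outside its hunk.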
@@ -0,0 +1,182 @@ +From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 7 Nov 2023 10:47:56 -0800 +Subject: [PATCH] net/http: limit chunked data overhead + +The chunked transfer encoding adds some overhead to +the content transferred. When writing one byte per +chunk, for example, there are five bytes of overhead +per byte of data transferred: "1\r\nX\r\n" to send "X". + +Chunks may include "chunk extensions", +which we skip over and do not use. +For example: "1;chunk extension here\r\nX\r\n". + +A malicious sender can use chunk extensions to add +about 4k of overhead per byte of data. +(The maximum chunk header line size we will accept.) + +Track the amount of overhead read in chunked data, +and produce an error if it seems excessive. + +Updates #64433 +Fixes #64434 +Fixes CVE-2023-39326 + +Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2076135 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f) +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2095407 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/547355 +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> + +CVE: CVE-2023-39326 + +Upstream-Status: Backport [https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + src/net/http/internal/chunked.go | 36 +++++++++++++--- + src/net/http/internal/chunked_test.go | 59 
+++++++++++++++++++++++++++ + 2 files changed, 89 insertions(+), 6 deletions(-) + +diff --git a/src/net/http/internal/chunked.go b/src/net/http/internal/chunked.go +index f06e572..ddbaacb 100644 +--- a/src/net/http/internal/chunked.go ++++ b/src/net/http/internal/chunked.go +@@ -39,7 +39,8 @@ type chunkedReader struct { + n uint64 // unread bytes in chunk + err error + buf [2]byte +- checkEnd bool // whether need to check for \r\n chunk footer ++ checkEnd bool // whether need to check for \r\n chunk footer ++ excess int64 // "excessive" chunk overhead, for malicious sender detection + } + + func (cr *chunkedReader) beginChunk() { +@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() { + if cr.err != nil { + return + } ++ cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk data ++ line = trimTrailingWhitespace(line) ++ line, cr.err = removeChunkExtension(line) ++ if cr.err != nil { ++ return ++ } + cr.n, cr.err = parseHexUint(line) + if cr.err != nil { + return + } ++ // A sender who sends one byte per chunk will send 5 bytes of overhead ++ // for every byte of data. ("1\r\nX\r\n" to send "X".) ++ // We want to allow this, since streaming a byte at a time can be legitimate. ++ // ++ // A sender can use chunk extensions to add arbitrary amounts of additional ++ // data per byte read. ("1;very long extension\r\nX\r\n" to send "X".) ++ // We don't want to disallow extensions (although we discard them), ++ // but we also don't want to allow a sender to reduce the signal/noise ratio ++ // arbitrarily. ++ // ++ // We track the amount of excess overhead read, ++ // and produce an error if it grows too large. ++ // ++ // Currently, we say that we're willing to accept 16 bytes of overhead per chunk, ++ // plus twice the amount of real data in the chunk. 
++ cr.excess -= 16 + (2 * int64(cr.n)) ++ if cr.excess < 0 { ++ cr.excess = 0 ++ } ++ if cr.excess > 16*1024 { ++ cr.err = errors.New("chunked encoding contains too much non-data") ++ } + if cr.n == 0 { + cr.err = io.EOF + } +@@ -133,11 +162,6 @@ func readChunkLine(b *bufio.Reader) ([]byte, error) { + if len(p) >= maxLineLength { + return nil, ErrLineTooLong + } +- p = trimTrailingWhitespace(p) +- p, err = removeChunkExtension(p) +- if err != nil { +- return nil, err +- } + return p, nil + } + +diff --git a/src/net/http/internal/chunked_test.go b/src/net/http/internal/chunked_test.go +index 08152ed..5fbeb08 100644 +--- a/src/net/http/internal/chunked_test.go ++++ b/src/net/http/internal/chunked_test.go +@@ -211,3 +211,62 @@ func TestChunkReadPartial(t *testing.T) { + } + + } ++ ++func TestChunkReaderTooMuchOverhead(t *testing.T) { ++ // If the sender is sending 100x as many chunk header bytes as chunk data, ++ // we should reject the stream at some point. ++ chunk := []byte("1;") ++ for i := 0; i < 100; i++ { ++ chunk = append(chunk, 'a') // chunk extension ++ } ++ chunk = append(chunk, "\r\nX\r\n"...) ++ const bodylen = 1 << 20 ++ r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) { ++ if i < bodylen { ++ return chunk, nil ++ } ++ return []byte("0\r\n"), nil ++ }}) ++ _, err := io.ReadAll(r) ++ if err == nil { ++ t.Fatalf("successfully read body with excessive overhead; want error") ++ } ++} ++ ++func TestChunkReaderByteAtATime(t *testing.T) { ++ // Sending one byte per chunk should not trip the excess-overhead detection. 
++ const bodylen = 1 << 20 ++ r := NewChunkedReader(&funcReader{f: func(i int) ([]byte, error) { ++ if i < bodylen { ++ return []byte("1\r\nX\r\n"), nil ++ } ++ return []byte("0\r\n"), nil ++ }}) ++ got, err := io.ReadAll(r) ++ if err != nil { ++ t.Errorf("unexpected error: %v", err) ++ } ++ if len(got) != bodylen { ++ t.Errorf("read %v bytes, want %v", len(got), bodylen) ++ } ++} ++ ++type funcReader struct { ++ f func(iteration int) ([]byte, error) ++ i int ++ b []byte ++ err error ++} ++ ++func (r *funcReader) Read(p []byte) (n int, err error) { ++ if len(r.b) == 0 && r.err == nil { ++ r.b, r.err = r.f(r.i) ++ r.i++ ++ } ++ n = copy(p, r.b) ++ r.b = r.b[n:] ++ if len(r.b) > 0 { ++ return n, nil ++ } ++ return n, r.err ++} +-- +2.40.0 diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch b/meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch new file mode 100644 index 0000000000..0459ae0a1a --- /dev/null +++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch 
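Review bot: In `beginChunk` the new excess-overhead error can be overwritten two statements later: when `cr.excess > 16*1024` and the same chunk has `cr.n == 0`, the unchanged `if cr.n == 0 { cr.err = io.EOF }` replaces it, so a terminating chunk that pushes the overhead past the limit is reported as a clean end of body. The exposure looks small, because the body ends there and `readChunkLine` still bounds the header line with `maxLineLength`, but making the second test `} else if cr.n == 0 {` would keep the rejection visible to callers and to logs. The thresholds `16` and `16*1024` would also read better as named constants. `beginChunk` starts above the hunk.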
@@ -0,0 +1,110 @@
+From 46bc33819ac86a9596b8059235842f0e0c7469bd Mon Sep 17 00:00:00 2001
+From: Bryan C. Mills <bcmills@google.com>
+Date: Thu, 2 Nov 2023 15:06:35 -0400
+Subject: [PATCH] cmd/go/internal/vcs: error out if the requested repo does not
+ support a secure protocol
+
+Updates #63845.
+Fixes #63972.
+
+Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
+Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
+Reviewed-by: Michael Matloob <matloob@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Auto-Submit: Bryan Mills <bcmills@google.com>
+(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2023-45285
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/cmd/go/internal/vcs/vcs.go | 25 +++++++++++++----
+ .../script/mod_insecure_issue63845.txt | 28 +++++++++++++++++++
+ 2 files changed, 47 insertions(+), 6 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+
+diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
+index ab42424..0e2882d 100644
+--- a/src/cmd/go/internal/vcs/vcs.go
++++ b/src/cmd/go/internal/vcs/vcs.go
+@@ -891,19 +891,32 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths
+ if !srv.schemelessRepo {
+ repoURL = match["repo"]
+ } else {
+- scheme := vcs.Scheme[0] // default to first scheme
+ repo := match["repo"]
+- if vcs.PingCmd != "" {
+- // If we know how to test schemes, scan to find one.
++ scheme, err := func() (string, error) {
+ for _, s := range vcs.Scheme {
+ if security == web.SecureOnly && !vcs.isSecureScheme(s) {
+ continue
+ }
+- if vcs.Ping(s, repo) == nil {
+- scheme = s
+- break
++
++ // If we know how to ping URL schemes for this VCS,
++ // check that this repo works.
++ // Otherwise, default to the first scheme
++ // that meets the requested security level.
++ if vcs.PingCmd == "" {
++ return s, nil
++ }
++ if err := vcs.Ping(s, repo); err == nil {
++ return s, nil
+ }
+ }
++ securityFrag := ""
++ if security == web.SecureOnly {
++ securityFrag = "secure "
++ }
++ return "", fmt.Errorf("no %sprotocol found for repository", securityFrag)
++ }()
++ if err != nil {
++ return nil, err
+ }
+ repoURL = scheme + "://" + repo
+ }
+diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+new file mode 100644
+index 0000000..5fa6a4f
+--- /dev/null
++++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt
+@@ -0,0 +1,28 @@
++# Regression test for https://go.dev/issue/63845:
++# If 'git ls-remote' fails for all secure protocols,
++# we should fail instead of falling back to an arbitrary protocol.
++#
++# Note that this test does not use the local vcweb test server
++# (vcs-test.golang.org), because the hook for redirecting to that
++# server bypasses the "ping to determine protocol" logic
++# in cmd/go/internal/vcs.
++
++[!net] skip
++[!git] skip
++[short] skip 'tries to access a nonexistent external Git repo'
++
++env GOPRIVATE=golang.org
++env CURLOPT_TIMEOUT_MS=100
++env GIT_SSH_COMMAND=false
++
++! go get -x golang.org/nonexist.git@latest
++stderr '^git ls-remote https://golang.org/nonexist$'
++stderr '^git ls-remote git\+ssh://golang.org/nonexist'
++stderr '^git ls-remote ssh://golang.org/nonexist$'
++! stderr 'git://'
++stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$'
++
++-- go.mod --
++module example
++
++go 1.19
+--
+2.40.0
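Review bot: The closure that selects `scheme` in the vcs.go hunk discards every `vcs.Ping` error (`if err := vcs.Ping(s, repo); err == nil`), so the final `no %sprotocol found for repository` cannot tell an operator whether the permitted schemes were tried and failed or whether none in `vcs.Scheme` met the security mode. The added script test pins the exact message with a `$` anchor, so I would leave the text as it is and document the choice instead, for example `// Ping errors are deliberately dropped; the attempted commands are printed under -x.` above the loop, which matches what the test's `go get -x` assertions rely on. `repoRootFromVCSPaths` starts and ends outside the hunk.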
diff --git a/meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch b/meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch
new file mode 100644
index 0000000000..477e3c98ee
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch
@@ -0,0 +1,1695 @@
+From 8a81fdf165facdcefa06531de5af98a4db343035 Mon Sep 17 00:00:00 2001
+From: Lúcás Meier <cronokirby@gmail.com>
+Date: Tue Jun 8 21:36:06 2021 +0200
+Subject: [PATCH] crypto/rsa: replace big.Int for encryption and decryption
+
+Infamously, big.Int does not provide constant-time arithmetic, making
+its use in cryptographic code quite tricky. RSA uses big.Int
+pervasively, in its public API, for key generation, precomputation, and
+for encryption and decryption. This is a known problem. One mitigation,
+blinding, is already in place during decryption. This helps mitigate the
+very leaky exponentiation operation. Because big.Int is fundamentally
+not constant-time, it's unfortunately difficult to guarantee that
+mitigations like these are completely effective.
+
+This patch removes the use of big.Int for encryption and decryption,
+replacing it with an internal nat type instead. Signing and verification
+are also affected, because they depend on encryption and decryption.
+
+Overall, this patch degrades performance by 55% for private key
+operations, and 4-5x for (much faster) public key operations.
+(Signatures do both, so the slowdown is worse than decryption.)
+
+name old time/op new time/op delta
+DecryptPKCS1v15/2048-8 1.50ms ± 0% 2.34ms ± 0% +56.44% (p=0.000 n=8+10)
+DecryptPKCS1v15/3072-8 4.40ms ± 0% 6.79ms ± 0% +54.33% (p=0.000 n=10+9)
+DecryptPKCS1v15/4096-8 9.31ms ± 0% 15.14ms ± 0% +62.60% (p=0.000 n=10+10)
+EncryptPKCS1v15/2048-8 8.16µs ± 0% 355.58µs ± 0% +4258.90% (p=0.000 n=10+9)
+DecryptOAEP/2048-8 1.50ms ± 0% 2.34ms ± 0% +55.68% (p=0.000 n=10+9)
+EncryptOAEP/2048-8 8.51µs ± 0% 355.95µs ± 0% +4082.75% (p=0.000 n=10+9)
+SignPKCS1v15/2048-8 1.51ms ± 0% 2.69ms ± 0% +77.94% (p=0.000 n=10+10)
+VerifyPKCS1v15/2048-8 7.25µs ± 0% 354.34µs ± 0% +4789.52% (p=0.000 n=9+9)
+SignPSS/2048-8 1.51ms ± 0% 2.70ms ± 0% +78.80% (p=0.000 n=9+10)
+VerifyPSS/2048-8 8.27µs ± 1% 355.65µs ± 0% +4199.39% (p=0.000 n=10+10)
+
+Keep in mind that this is without any assembly at all, and that further
+improvements are likely possible. I think having a review of the logic
+and the cryptography would be a good idea at this stage, before we
+complicate the code too much through optimization.
+
+The bulk of the work is in nat.go. This introduces two new types: nat,
+representing natural numbers, and modulus, representing moduli used in
+modular arithmetic.
+
+A nat has an "announced size", which may be larger than its "true size",
+the number of bits needed to represent this number. Operations on a nat
+will only ever leak its announced size, never its true size, or other
+information about its value. The size of a nat is always clear based on
+how its value is set. For example, x.mod(y, m) will make the announced
+size of x match that of m, since x is reduced modulo m.
+
+Operations assume that the announced size of the operands match what's
+expected (with a few exceptions). For example, x.modAdd(y, m) assumes
+that x and y have the same announced size as m, and that they're reduced
+modulo m.
+
+Nats are represented over unsatured bits.UintSize - 1 bit limbs. This
+means that we can't reuse the assembly routines for big.Int, which use
+saturated bits.UintSize limbs. The advantage of unsaturated limbs is
+that it makes Montgomery multiplication faster, by needing fewer
+registers in a hot loop. This makes exponentiation faster, which
+consists of many Montgomery multiplications.
+
+Moduli use nat internally. Unlike nat, the true size of a modulus always
+matches its announced size. When creating a modulus, any zero padding is
+removed. Moduli will also precompute constants when created, which is
+another reason why having a separate type is desirable.
+
+Updates #20654
+
+Co-authored-by: Filippo Valsorda <filippo@golang.org>
+Change-Id: I73b61f87d58ab912e80a9644e255d552cbadcced
+Reviewed-on: https://go-review.googlesource.com/c/go/+/326012
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Joedian Reid <joedian@golang.org>
+
+CVE: CVE-2023-45287
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/crypto/rsa/example_test.go | 21 +-
+ src/crypto/rsa/nat.go | 626 +++++++++++++++++++++++++++++++++
+ src/crypto/rsa/nat_test.go | 384 ++++++++++++++++++++
+ src/crypto/rsa/pkcs1v15.go | 47 +--
+ src/crypto/rsa/pss.go | 49 ++-
+ src/crypto/rsa/pss_test.go | 10 +-
+ src/crypto/rsa/rsa.go | 172 ++++-----
+ 7 files changed, 1140 insertions(+), 169 deletions(-)
+ create mode 100644 src/crypto/rsa/nat.go
+ create mode 100644 src/crypto/rsa/nat_test.go
+
+diff --git a/src/crypto/rsa/example_test.go b/src/crypto/rsa/example_test.go
+index ce5c2d9..52e5639 100644
+--- a/src/crypto/rsa/example_test.go
++++ b/src/crypto/rsa/example_test.go
+@@ -12,7 +12,6 @@ import (
+ "crypto/sha256"
+ "encoding/hex"
+ "fmt"
+- "io"
+ "os"
+ )
+
+@@ -36,21 +35,17 @@ import (
+ // a buffer that contains a random key. Thus, if the RSA result isn't
+ // well-formed, the implementation uses a random key in constant time.
+ func ExampleDecryptPKCS1v15SessionKey() {
+- // crypto/rand.Reader is a good source of entropy for blinding the RSA
+- // operation.
+- rng := rand.Reader
+-
+ // The hybrid scheme should use at least a 16-byte symmetric key. Here
+ // we read the random key that will be used if the RSA decryption isn't
+ // well-formed.
+ key := make([]byte, 32)
+- if _, err := io.ReadFull(rng, key); err != nil {
++ if _, err := rand.Read(key); err != nil {
+ panic("RNG failure")
+ }
+
+ rsaCiphertext, _ := hex.DecodeString("aabbccddeeff")
+
+- if err := DecryptPKCS1v15SessionKey(rng, rsaPrivateKey, rsaCiphertext, key); err != nil {
++ if err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, rsaCiphertext, key); err != nil {
+ // Any errors that result will be “public” – meaning that they
+ // can be determined without any secret information. (For
+ // instance, if the length of key is impossible given the RSA
+@@ -86,10 +81,6 @@ func ExampleDecryptPKCS1v15SessionKey() {
+ }
+
+ func ExampleSignPKCS1v15() {
+- // crypto/rand.Reader is a good source of entropy for blinding the RSA
+- // operation.
+- rng := rand.Reader
+-
+ message := []byte("message to be signed")
+
+ // Only small messages can be signed directly; thus the hash of a
+@@ -99,7 +90,7 @@ func ExampleSignPKCS1v15() {
+ // of writing (2016).
+ hashed := sha256.Sum256(message)
+
+- signature, err := SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA256, hashed[:])
++ signature, err := SignPKCS1v15(nil, rsaPrivateKey, crypto.SHA256, hashed[:])
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error from signing: %s\n", err)
+ return
+@@ -151,11 +142,7 @@ func ExampleDecryptOAEP() {
+ ciphertext, _ := hex.DecodeString("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")
+ label := []byte("orders")
+
+- // crypto/rand.Reader is a good source of entropy for blinding the RSA
+- // operation.
+- rng := rand.Reader +- +- plaintext, err := DecryptOAEP(sha256.New(), rng, test2048Key, ciphertext, label) ++ plaintext, err := DecryptOAEP(sha256.New(), nil, test2048Key, ciphertext, label) + if err != nil { + fmt.Fprintf(os.Stderr, "Error from decryption: %s\n", err) + return +diff --git a/src/crypto/rsa/nat.go b/src/crypto/rsa/nat.go +new file mode 100644 +index 0000000..da521c2 +--- /dev/null ++++ b/src/crypto/rsa/nat.go +@@ -0,0 +1,626 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package rsa ++ ++import ( ++ "math/big" ++ "math/bits" ++) ++ ++const ( ++ // _W is the number of bits we use for our limbs. ++ _W = bits.UintSize - 1 ++ // _MASK selects _W bits from a full machine word. ++ _MASK = (1 << _W) - 1 ++) ++ ++// choice represents a constant-time boolean. The value of choice is always ++// either 1 or 0. We use an int instead of bool in order to make decisions in ++// constant time by turning it into a mask. ++type choice uint ++ ++func not(c choice) choice { return 1 ^ c } ++ ++const yes = choice(1) ++const no = choice(0) ++ ++// ctSelect returns x if on == 1, and y if on == 0. The execution time of this ++// function does not depend on its inputs. If on is any value besides 1 or 0, ++// the result is undefined. ++func ctSelect(on choice, x, y uint) uint { ++ // When on == 1, mask is 0b111..., otherwise mask is 0b000... ++ mask := -uint(on) ++ // When mask is all zeros, we just have y, otherwise, y cancels with itself. ++ return y ^ (mask & (y ^ x)) ++} ++ ++// ctEq returns 1 if x == y, and 0 otherwise. The execution time of this ++// function does not depend on its inputs. ++func ctEq(x, y uint) choice { ++ // If x != y, then either x - y or y - x will generate a carry. ++ _, c1 := bits.Sub(x, y, 0) ++ _, c2 := bits.Sub(y, x, 0) ++ return not(choice(c1 | c2)) ++} ++ ++// ctGeq returns 1 if x >= y, and 0 otherwise. 
The execution time of this ++// function does not depend on its inputs. ++func ctGeq(x, y uint) choice { ++ // If x < y, then x - y generates a carry. ++ _, carry := bits.Sub(x, y, 0) ++ return not(choice(carry)) ++} ++ ++// nat represents an arbitrary natural number ++// ++// Each nat has an announced length, which is the number of limbs it has stored. ++// Operations on this number are allowed to leak this length, but will not leak ++// any information about the values contained in those limbs. ++type nat struct { ++ // limbs is a little-endian representation in base 2^W with ++ // W = bits.UintSize - 1. The top bit is always unset between operations. ++ // ++ // The top bit is left unset to optimize Montgomery multiplication, in the ++ // inner loop of exponentiation. Using fully saturated limbs would leave us ++ // working with 129-bit numbers on 64-bit platforms, wasting a lot of space, ++ // and thus time. ++ limbs []uint ++} ++ ++// expand expands x to n limbs, leaving its value unchanged. ++func (x *nat) expand(n int) *nat { ++ for len(x.limbs) > n { ++ if x.limbs[len(x.limbs)-1] != 0 { ++ panic("rsa: internal error: shrinking nat") ++ } ++ x.limbs = x.limbs[:len(x.limbs)-1] ++ } ++ if cap(x.limbs) < n { ++ newLimbs := make([]uint, n) ++ copy(newLimbs, x.limbs) ++ x.limbs = newLimbs ++ return x ++ } ++ extraLimbs := x.limbs[len(x.limbs):n] ++ for i := range extraLimbs { ++ extraLimbs[i] = 0 ++ } ++ x.limbs = x.limbs[:n] ++ return x ++} ++ ++// reset returns a zero nat of n limbs, reusing x's storage if n <= cap(x.limbs). ++func (x *nat) reset(n int) *nat { ++ if cap(x.limbs) < n { ++ x.limbs = make([]uint, n) ++ return x ++ } ++ for i := range x.limbs { ++ x.limbs[i] = 0 ++ } ++ x.limbs = x.limbs[:n] ++ return x ++} ++ ++// clone returns a new nat, with the same value and announced length as x. 
++func (x *nat) clone() *nat { ++ out := &nat{make([]uint, len(x.limbs))} ++ copy(out.limbs, x.limbs) ++ return out ++} ++ ++// natFromBig creates a new natural number from a big.Int. ++// ++// The announced length of the resulting nat is based on the actual bit size of ++// the input, ignoring leading zeroes. ++func natFromBig(x *big.Int) *nat { ++ xLimbs := x.Bits() ++ bitSize := bigBitLen(x) ++ requiredLimbs := (bitSize + _W - 1) / _W ++ ++ out := &nat{make([]uint, requiredLimbs)} ++ outI := 0 ++ shift := 0 ++ for i := range xLimbs { ++ xi := uint(xLimbs[i]) ++ out.limbs[outI] |= (xi << shift) & _MASK ++ outI++ ++ if outI == requiredLimbs { ++ return out ++ } ++ out.limbs[outI] = xi >> (_W - shift) ++ shift++ // this assumes bits.UintSize - _W = 1 ++ if shift == _W { ++ shift = 0 ++ outI++ ++ } ++ } ++ return out ++} ++ ++// fillBytes sets bytes to x as a zero-extended big-endian byte slice. ++// ++// If bytes is not long enough to contain the number or at least len(x.limbs)-1 ++// limbs, or has zero length, fillBytes will panic. ++func (x *nat) fillBytes(bytes []byte) []byte { ++ if len(bytes) == 0 { ++ panic("nat: fillBytes invoked with too small buffer") ++ } ++ for i := range bytes { ++ bytes[i] = 0 ++ } ++ shift := 0 ++ outI := len(bytes) - 1 ++ for i, limb := range x.limbs { ++ remainingBits := _W ++ for remainingBits >= 8 { ++ bytes[outI] |= byte(limb) << shift ++ consumed := 8 - shift ++ limb >>= consumed ++ remainingBits -= consumed ++ shift = 0 ++ outI-- ++ if outI < 0 { ++ if limb != 0 || i < len(x.limbs)-1 { ++ panic("nat: fillBytes invoked with too small buffer") ++ } ++ return bytes ++ } ++ } ++ bytes[outI] = byte(limb) ++ shift = remainingBits ++ } ++ return bytes ++} ++ ++// natFromBytes converts a slice of big-endian bytes into a nat. ++// ++// The announced length of the output depends on the length of bytes. Unlike ++// big.Int, creating a nat will not remove leading zeros. 
++func natFromBytes(bytes []byte) *nat { ++ bitSize := len(bytes) * 8 ++ requiredLimbs := (bitSize + _W - 1) / _W ++ ++ out := &nat{make([]uint, requiredLimbs)} ++ outI := 0 ++ shift := 0 ++ for i := len(bytes) - 1; i >= 0; i-- { ++ bi := bytes[i] ++ out.limbs[outI] |= uint(bi) << shift ++ shift += 8 ++ if shift >= _W { ++ shift -= _W ++ out.limbs[outI] &= _MASK ++ outI++ ++ if shift > 0 { ++ out.limbs[outI] = uint(bi) >> (8 - shift) ++ } ++ } ++ } ++ return out ++} ++ ++// cmpEq returns 1 if x == y, and 0 otherwise. ++// ++// Both operands must have the same announced length. ++func (x *nat) cmpEq(y *nat) choice { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ equal := yes ++ for i := 0; i < size; i++ { ++ equal &= ctEq(xLimbs[i], yLimbs[i]) ++ } ++ return equal ++} ++ ++// cmpGeq returns 1 if x >= y, and 0 otherwise. ++// ++// Both operands must have the same announced length. ++func (x *nat) cmpGeq(y *nat) choice { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ var c uint ++ for i := 0; i < size; i++ { ++ c = (xLimbs[i] - yLimbs[i] - c) >> _W ++ } ++ // If there was a carry, then subtracting y underflowed, so ++ // x is not greater than or equal to y. ++ return not(choice(c)) ++} ++ ++// assign sets x <- y if on == 1, and does nothing otherwise. ++// ++// Both operands must have the same announced length. ++func (x *nat) assign(on choice, y *nat) *nat { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ for i := 0; i < size; i++ { ++ xLimbs[i] = ctSelect(on, yLimbs[i], xLimbs[i]) ++ } ++ return x ++} ++ ++// add computes x += y if on == 1, and does nothing otherwise. It returns the ++// carry of the addition regardless of on. ++// ++// Both operands must have the same announced length. 
++func (x *nat) add(on choice, y *nat) (c uint) { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ for i := 0; i < size; i++ { ++ res := xLimbs[i] + yLimbs[i] + c ++ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i]) ++ c = res >> _W ++ } ++ return ++} ++ ++// sub computes x -= y if on == 1, and does nothing otherwise. It returns the ++// borrow of the subtraction regardless of on. ++// ++// Both operands must have the same announced length. ++func (x *nat) sub(on choice, y *nat) (c uint) { ++ // Eliminate bounds checks in the loop. ++ size := len(x.limbs) ++ xLimbs := x.limbs[:size] ++ yLimbs := y.limbs[:size] ++ ++ for i := 0; i < size; i++ { ++ res := xLimbs[i] - yLimbs[i] - c ++ xLimbs[i] = ctSelect(on, res&_MASK, xLimbs[i]) ++ c = res >> _W ++ } ++ return ++} ++ ++// modulus is used for modular arithmetic, precomputing relevant constants. ++// ++// Moduli are assumed to be odd numbers. Moduli can also leak the exact ++// number of bits needed to store their value, and are stored without padding. ++// ++// Their actual value is still kept secret. ++type modulus struct { ++ // The underlying natural number for this modulus. ++ // ++ // This will be stored without any padding, and shouldn't alias with any ++ // other natural number being used. ++ nat *nat ++ leading int // number of leading zeros in the modulus ++ m0inv uint // -nat.limbs[0]⁻¹ mod _W ++} ++ ++// minusInverseModW computes -x⁻¹ mod _W with x odd. ++// ++// This operation is used to precompute a constant involved in Montgomery ++// multiplication. ++func minusInverseModW(x uint) uint { ++ // Every iteration of this loop doubles the least-significant bits of ++ // correct inverse in y. The first three bits are already correct (1⁻¹ = 1, ++ // 3⁻¹ = 3, 5⁻¹ = 5, and 7⁻¹ = 7 mod 8), so doubling five times is enough ++ // for 61 bits (and wastes only one iteration for 31 bits). 
++ // ++ // See https://crypto.stackexchange.com/a/47496. ++ y := x ++ for i := 0; i < 5; i++ { ++ y = y * (2 - x*y) ++ } ++ return (1 << _W) - (y & _MASK) ++} ++ ++// modulusFromNat creates a new modulus from a nat. ++// ++// The nat should be odd, nonzero, and the number of significant bits in the ++// number should be leakable. The nat shouldn't be reused. ++func modulusFromNat(nat *nat) *modulus { ++ m := &modulus{} ++ m.nat = nat ++ size := len(m.nat.limbs) ++ for m.nat.limbs[size-1] == 0 { ++ size-- ++ } ++ m.nat.limbs = m.nat.limbs[:size] ++ m.leading = _W - bitLen(m.nat.limbs[size-1]) ++ m.m0inv = minusInverseModW(m.nat.limbs[0]) ++ return m ++} ++ ++// bitLen is a version of bits.Len that only leaks the bit length of n, but not ++// its value. bits.Len and bits.LeadingZeros use a lookup table for the ++// low-order bits on some architectures. ++func bitLen(n uint) int { ++ var len int ++ // We assume, here and elsewhere, that comparison to zero is constant time ++ // with respect to different non-zero values. ++ for n != 0 { ++ len++ ++ n >>= 1 ++ } ++ return len ++} ++ ++// bigBitLen is a version of big.Int.BitLen that only leaks the bit length of x, ++// but not its value. big.Int.BitLen uses bits.Len. ++func bigBitLen(x *big.Int) int { ++ xLimbs := x.Bits() ++ fullLimbs := len(xLimbs) - 1 ++ topLimb := uint(xLimbs[len(xLimbs)-1]) ++ return fullLimbs*bits.UintSize + bitLen(topLimb) ++} ++ ++// modulusSize returns the size of m in bytes. ++func modulusSize(m *modulus) int { ++ bits := len(m.nat.limbs)*_W - int(m.leading) ++ return (bits + 7) / 8 ++} ++ ++// shiftIn calculates x = x << _W + y mod m. ++// ++// This assumes that x is already reduced mod m, and that y < 2^_W. ++func (x *nat) shiftIn(y uint, m *modulus) *nat { ++ d := new(nat).resetFor(m) ++ ++ // Eliminate bounds checks in the loop. 
++ size := len(m.nat.limbs) ++ xLimbs := x.limbs[:size] ++ dLimbs := d.limbs[:size] ++ mLimbs := m.nat.limbs[:size] ++ ++ // Each iteration of this loop computes x = 2x + b mod m, where b is a bit ++ // from y. Effectively, it left-shifts x and adds y one bit at a time, ++ // reducing it every time. ++ // ++ // To do the reduction, each iteration computes both 2x + b and 2x + b - m. ++ // The next iteration (and finally the return line) will use either result ++ // based on whether the subtraction underflowed. ++ needSubtraction := no ++ for i := _W - 1; i >= 0; i-- { ++ carry := (y >> i) & 1 ++ var borrow uint ++ for i := 0; i < size; i++ { ++ l := ctSelect(needSubtraction, dLimbs[i], xLimbs[i]) ++ ++ res := l<<1 + carry ++ xLimbs[i] = res & _MASK ++ carry = res >> _W ++ ++ res = xLimbs[i] - mLimbs[i] - borrow ++ dLimbs[i] = res & _MASK ++ borrow = res >> _W ++ } ++ // See modAdd for how carry (aka overflow), borrow (aka underflow), and ++ // needSubtraction relate. ++ needSubtraction = ctEq(carry, borrow) ++ } ++ return x.assign(needSubtraction, d) ++} ++ ++// mod calculates out = x mod m. ++// ++// This works regardless how large the value of x is. ++// ++// The output will be resized to the size of m and overwritten. ++func (out *nat) mod(x *nat, m *modulus) *nat { ++ out.resetFor(m) ++ // Working our way from the most significant to the least significant limb, ++ // we can insert each limb at the least significant position, shifting all ++ // previous limbs left by _W. This way each limb will get shifted by the ++ // correct number of bits. We can insert at least N - 1 limbs without ++ // overflowing m. After that, we need to reduce every time we shift. ++ i := len(x.limbs) - 1 ++ // For the first N - 1 limbs we can skip the actual shifting and position ++ // them at the shifted position, which starts at min(N - 2, i). 
++ start := len(m.nat.limbs) - 2 ++ if i < start { ++ start = i ++ } ++ for j := start; j >= 0; j-- { ++ out.limbs[j] = x.limbs[i] ++ i-- ++ } ++ // We shift in the remaining limbs, reducing modulo m each time. ++ for i >= 0 { ++ out.shiftIn(x.limbs[i], m) ++ i-- ++ } ++ return out ++} ++ ++// expandFor ensures out has the right size to work with operations modulo m. ++// ++// This assumes that out has as many or fewer limbs than m, or that the extra ++// limbs are all zero (which may happen when decoding a value that has leading ++// zeroes in its bytes representation that spill over the limb threshold). ++func (out *nat) expandFor(m *modulus) *nat { ++ return out.expand(len(m.nat.limbs)) ++} ++ ++// resetFor ensures out has the right size to work with operations modulo m. ++// ++// out is zeroed and may start at any size. ++func (out *nat) resetFor(m *modulus) *nat { ++ return out.reset(len(m.nat.limbs)) ++} ++ ++// modSub computes x = x - y mod m. ++// ++// The length of both operands must be the same as the modulus. Both operands ++// must already be reduced modulo m. ++func (x *nat) modSub(y *nat, m *modulus) *nat { ++ underflow := x.sub(yes, y) ++ // If the subtraction underflowed, add m. ++ x.add(choice(underflow), m.nat) ++ return x ++} ++ ++// modAdd computes x = x + y mod m. ++// ++// The length of both operands must be the same as the modulus. Both operands ++// must already be reduced modulo m. ++func (x *nat) modAdd(y *nat, m *modulus) *nat { ++ overflow := x.add(yes, y) ++ underflow := not(x.cmpGeq(m.nat)) // x < m ++ ++ // Three cases are possible: ++ // ++ // - overflow = 0, underflow = 0 ++ // ++ // In this case, addition fits in our limbs, but we can still subtract away ++ // m without an underflow, so we need to perform the subtraction to reduce ++ // our result. ++ // ++ // - overflow = 0, underflow = 1 ++ // ++ // The addition fits in our limbs, but we can't subtract m without ++ // underflowing. The result is already reduced. 
++ // ++ // - overflow = 1, underflow = 1 ++ // ++ // The addition does not fit in our limbs, and the subtraction's borrow ++ // would cancel out with the addition's carry. We need to subtract m to ++ // reduce our result. ++ // ++ // The overflow = 1, underflow = 0 case is not possible, because y is at ++ // most m - 1, and if adding m - 1 overflows, then subtracting m must ++ // necessarily underflow. ++ needSubtraction := ctEq(overflow, uint(underflow)) ++ ++ x.sub(needSubtraction, m.nat) ++ return x ++} ++ ++// montgomeryRepresentation calculates x = x * R mod m, with R = 2^(_W * n) and ++// n = len(m.nat.limbs). ++// ++// Faster Montgomery multiplication replaces standard modular multiplication for ++// numbers in this representation. ++// ++// This assumes that x is already reduced mod m. ++func (x *nat) montgomeryRepresentation(m *modulus) *nat { ++ for i := 0; i < len(m.nat.limbs); i++ { ++ x.shiftIn(0, m) // x = x * 2^_W mod m ++ } ++ return x ++} ++ ++// montgomeryMul calculates d = a * b / R mod m, with R = 2^(_W * n) and ++// n = len(m.nat.limbs), using the Montgomery Multiplication technique. ++// ++// All inputs should be the same length, not aliasing d, and already ++// reduced modulo m. d will be resized to the size of m and overwritten. ++func (d *nat) montgomeryMul(a *nat, b *nat, m *modulus) *nat { ++ // See https://bearssl.org/bigint.html#montgomery-reduction-and-multiplication ++ // for a description of the algorithm. ++ ++ // Eliminate bounds checks in the loop. 
++ size := len(m.nat.limbs) ++ aLimbs := a.limbs[:size] ++ bLimbs := b.limbs[:size] ++ dLimbs := d.resetFor(m).limbs[:size] ++ mLimbs := m.nat.limbs[:size] ++ ++ var overflow uint ++ for i := 0; i < size; i++ { ++ f := ((dLimbs[0] + aLimbs[i]*bLimbs[0]) * m.m0inv) & _MASK ++ carry := uint(0) ++ for j := 0; j < size; j++ { ++ // z = d[j] + a[i] * b[j] + f * m[j] + carry <= 2^(2W+1) - 2^(W+1) + 2^W ++ hi, lo := bits.Mul(aLimbs[i], bLimbs[j]) ++ z_lo, c := bits.Add(dLimbs[j], lo, 0) ++ z_hi, _ := bits.Add(0, hi, c) ++ hi, lo = bits.Mul(f, mLimbs[j]) ++ z_lo, c = bits.Add(z_lo, lo, 0) ++ z_hi, _ = bits.Add(z_hi, hi, c) ++ z_lo, c = bits.Add(z_lo, carry, 0) ++ z_hi, _ = bits.Add(z_hi, 0, c) ++ if j > 0 { ++ dLimbs[j-1] = z_lo & _MASK ++ } ++ carry = z_hi<<1 | z_lo>>_W // carry <= 2^(W+1) - 2 ++ } ++ z := overflow + carry // z <= 2^(W+1) - 1 ++ dLimbs[size-1] = z & _MASK ++ overflow = z >> _W // overflow <= 1 ++ } ++ // See modAdd for how overflow, underflow, and needSubtraction relate. ++ underflow := not(d.cmpGeq(m.nat)) // d < m ++ needSubtraction := ctEq(overflow, uint(underflow)) ++ d.sub(needSubtraction, m.nat) ++ ++ return d ++} ++ ++// modMul calculates x *= y mod m. ++// ++// x and y must already be reduced modulo m, they must share its announced ++// length, and they may not alias. ++func (x *nat) modMul(y *nat, m *modulus) *nat { ++ // A Montgomery multiplication by a value out of the Montgomery domain ++ // takes the result out of Montgomery representation. ++ xR := x.clone().montgomeryRepresentation(m) // xR = x * R mod m ++ return x.montgomeryMul(xR, y, m) // x = xR * y / R mod m ++} ++ ++// exp calculates out = x^e mod m. ++// ++// The exponent e is represented in big-endian order. The output will be resized ++// to the size of m and overwritten. x must already be reduced modulo m. ++func (out *nat) exp(x *nat, e []byte, m *modulus) *nat { ++ // We use a 4 bit window. 
For our RSA workload, 4 bit windows are faster ++ // than 2 bit windows, but use an extra 12 nats worth of scratch space. ++ // Using bit sizes that don't divide 8 are more complex to implement. ++ table := make([]*nat, (1<<4)-1) // table[i] = x ^ (i+1) ++ table[0] = x.clone().montgomeryRepresentation(m) ++ for i := 1; i < len(table); i++ { ++ table[i] = new(nat).expandFor(m) ++ table[i].montgomeryMul(table[i-1], table[0], m) ++ } ++ ++ out.resetFor(m) ++ out.limbs[0] = 1 ++ out.montgomeryRepresentation(m) ++ t0 := new(nat).expandFor(m) ++ t1 := new(nat).expandFor(m) ++ for _, b := range e { ++ for _, j := range []int{4, 0} { ++ // Square four times. ++ t1.montgomeryMul(out, out, m) ++ out.montgomeryMul(t1, t1, m) ++ t1.montgomeryMul(out, out, m) ++ out.montgomeryMul(t1, t1, m) ++ ++ // Select x^k in constant time from the table. ++ k := uint((b >> j) & 0b1111) ++ for i := range table { ++ t0.assign(ctEq(k, uint(i+1)), table[i]) ++ } ++ ++ // Multiply by x^k, discarding the result if k = 0. ++ t1.montgomeryMul(out, t0, m) ++ out.assign(not(ctEq(k, 0)), t1) ++ } ++ } ++ ++ // By Montgomery multiplying with 1 not in Montgomery representation, we ++ // convert out back from Montgomery representation, because it works out to ++ // dividing by R. ++ t0.assign(yes, out) ++ t1.resetFor(m) ++ t1.limbs[0] = 1 ++ out.montgomeryMul(t0, t1, m) ++ ++ return out ++} +diff --git a/src/crypto/rsa/nat_test.go b/src/crypto/rsa/nat_test.go +new file mode 100644 +index 0000000..3e6eb10 +--- /dev/null ++++ b/src/crypto/rsa/nat_test.go +@@ -0,0 +1,384 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++package rsa ++ ++import ( ++ "bytes" ++ "math/big" ++ "math/bits" ++ "math/rand" ++ "reflect" ++ "testing" ++ "testing/quick" ++) ++ ++// Generate generates an even nat. It's used by testing/quick to produce random ++// *nat values for quick.Check invocations. 
++func (*nat) Generate(r *rand.Rand, size int) reflect.Value { ++ limbs := make([]uint, size) ++ for i := 0; i < size; i++ { ++ limbs[i] = uint(r.Uint64()) & ((1 << _W) - 2) ++ } ++ return reflect.ValueOf(&nat{limbs}) ++} ++ ++func testModAddCommutative(a *nat, b *nat) bool { ++ mLimbs := make([]uint, len(a.limbs)) ++ for i := 0; i < len(mLimbs); i++ { ++ mLimbs[i] = _MASK ++ } ++ m := modulusFromNat(&nat{mLimbs}) ++ aPlusB := a.clone() ++ aPlusB.modAdd(b, m) ++ bPlusA := b.clone() ++ bPlusA.modAdd(a, m) ++ return aPlusB.cmpEq(bPlusA) == 1 ++} ++ ++func TestModAddCommutative(t *testing.T) { ++ err := quick.Check(testModAddCommutative, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++} ++ ++func testModSubThenAddIdentity(a *nat, b *nat) bool { ++ mLimbs := make([]uint, len(a.limbs)) ++ for i := 0; i < len(mLimbs); i++ { ++ mLimbs[i] = _MASK ++ } ++ m := modulusFromNat(&nat{mLimbs}) ++ original := a.clone() ++ a.modSub(b, m) ++ a.modAdd(b, m) ++ return a.cmpEq(original) == 1 ++} ++ ++func TestModSubThenAddIdentity(t *testing.T) { ++ err := quick.Check(testModSubThenAddIdentity, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++} ++ ++func testMontgomeryRoundtrip(a *nat) bool { ++ one := &nat{make([]uint, len(a.limbs))} ++ one.limbs[0] = 1 ++ aPlusOne := a.clone() ++ aPlusOne.add(1, one) ++ m := modulusFromNat(aPlusOne) ++ monty := a.clone() ++ monty.montgomeryRepresentation(m) ++ aAgain := monty.clone() ++ aAgain.montgomeryMul(monty, one, m) ++ return a.cmpEq(aAgain) == 1 ++} ++ ++func TestMontgomeryRoundtrip(t *testing.T) { ++ err := quick.Check(testMontgomeryRoundtrip, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++} ++ ++func TestFromBig(t *testing.T) { ++ expected := []byte{0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} ++ theBig := new(big.Int).SetBytes(expected) ++ actual := natFromBig(theBig).fillBytes(make([]byte, len(expected))) ++ if !bytes.Equal(actual, expected) { ++ 
t.Errorf("%+x != %+x", actual, expected) ++ } ++} ++ ++func TestFillBytes(t *testing.T) { ++ xBytes := []byte{0xAA, 0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88} ++ x := natFromBytes(xBytes) ++ for l := 20; l >= len(xBytes); l-- { ++ buf := make([]byte, l) ++ rand.Read(buf) ++ actual := x.fillBytes(buf) ++ expected := make([]byte, l) ++ copy(expected[l-len(xBytes):], xBytes) ++ if !bytes.Equal(actual, expected) { ++ t.Errorf("%d: %+v != %+v", l, actual, expected) ++ } ++ } ++ for l := len(xBytes) - 1; l >= 0; l-- { ++ (func() { ++ defer func() { ++ if recover() == nil { ++ t.Errorf("%d: expected panic", l) ++ } ++ }() ++ x.fillBytes(make([]byte, l)) ++ })() ++ } ++} ++ ++func TestFromBytes(t *testing.T) { ++ f := func(xBytes []byte) bool { ++ if len(xBytes) == 0 { ++ return true ++ } ++ actual := natFromBytes(xBytes).fillBytes(make([]byte, len(xBytes))) ++ if !bytes.Equal(actual, xBytes) { ++ t.Errorf("%+x != %+x", actual, xBytes) ++ return false ++ } ++ return true ++ } ++ ++ err := quick.Check(f, &quick.Config{}) ++ if err != nil { ++ t.Error(err) ++ } ++ ++ f([]byte{0xFF, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}) ++ f(bytes.Repeat([]byte{0xFF}, _W)) ++} ++ ++func TestShiftIn(t *testing.T) { ++ if bits.UintSize != 64 { ++ t.Skip("examples are only valid in 64 bit") ++ } ++ examples := []struct { ++ m, x, expected []byte ++ y uint64 ++ }{{ ++ m: []byte{13}, ++ x: []byte{0}, ++ y: 0x7FFF_FFFF_FFFF_FFFF, ++ expected: []byte{7}, ++ }, { ++ m: []byte{13}, ++ x: []byte{7}, ++ y: 0x7FFF_FFFF_FFFF_FFFF, ++ expected: []byte{11}, ++ }, { ++ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}, ++ x: make([]byte, 9), ++ y: 0x7FFF_FFFF_FFFF_FFFF, ++ expected: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, ++ }, { ++ m: []byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d}, ++ x: []byte{0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, ++ y: 0, ++ expected: []byte{0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08}, ++ }} ++ ++ for 
i, tt := range examples { ++ m := modulusFromNat(natFromBytes(tt.m)) ++ got := natFromBytes(tt.x).expandFor(m).shiftIn(uint(tt.y), m) ++ if got.cmpEq(natFromBytes(tt.expected).expandFor(m)) != 1 { ++ t.Errorf("%d: got %x, expected %x", i, got, tt.expected) ++ } ++ } ++} ++ ++func TestModulusAndNatSizes(t *testing.T) { ++ // These are 126 bit (2 * _W on 64-bit architectures) values, serialized as ++ // 128 bits worth of bytes. If leading zeroes are stripped, they fit in two ++ // limbs, if they are not, they fit in three. This can be a problem because ++ // modulus strips leading zeroes and nat does not. ++ m := modulusFromNat(natFromBytes([]byte{ ++ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff})) ++ x := natFromBytes([]byte{ ++ 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}) ++ x.expandFor(m) // must not panic for shrinking ++} ++ ++func TestExpand(t *testing.T) { ++ sliced := []uint{1, 2, 3, 4} ++ examples := []struct { ++ in []uint ++ n int ++ out []uint ++ }{{ ++ []uint{1, 2}, ++ 4, ++ []uint{1, 2, 0, 0}, ++ }, { ++ sliced[:2], ++ 4, ++ []uint{1, 2, 0, 0}, ++ }, { ++ []uint{1, 2}, ++ 2, ++ []uint{1, 2}, ++ }, { ++ []uint{1, 2, 0}, ++ 2, ++ []uint{1, 2}, ++ }} ++ ++ for i, tt := range examples { ++ got := (&nat{tt.in}).expand(tt.n) ++ if len(got.limbs) != len(tt.out) || got.cmpEq(&nat{tt.out}) != 1 { ++ t.Errorf("%d: got %x, expected %x", i, got, tt.out) ++ } ++ } ++} ++ ++func TestMod(t *testing.T) { ++ m := modulusFromNat(natFromBytes([]byte{0x06, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d})) ++ x := natFromBytes([]byte{0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}) ++ out := new(nat) ++ out.mod(x, m) ++ expected := natFromBytes([]byte{0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09}) ++ if out.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", out, expected) ++ } ++} ++ ++func TestModSub(t *testing.T) 
{ ++ m := modulusFromNat(&nat{[]uint{13}}) ++ x := &nat{[]uint{6}} ++ y := &nat{[]uint{7}} ++ x.modSub(y, m) ++ expected := &nat{[]uint{12}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++ x.modSub(y, m) ++ expected = &nat{[]uint{5}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++} ++ ++func TestModAdd(t *testing.T) { ++ m := modulusFromNat(&nat{[]uint{13}}) ++ x := &nat{[]uint{6}} ++ y := &nat{[]uint{7}} ++ x.modAdd(y, m) ++ expected := &nat{[]uint{0}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++ x.modAdd(y, m) ++ expected = &nat{[]uint{7}} ++ if x.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", x, expected) ++ } ++} ++ ++func TestExp(t *testing.T) { ++ m := modulusFromNat(&nat{[]uint{13}}) ++ x := &nat{[]uint{3}} ++ out := &nat{[]uint{0}} ++ out.exp(x, []byte{12}, m) ++ expected := &nat{[]uint{1}} ++ if out.cmpEq(expected) != 1 { ++ t.Errorf("%+v != %+v", out, expected) ++ } ++} ++ ++func makeBenchmarkModulus() *modulus { ++ m := make([]uint, 32) ++ for i := 0; i < 32; i++ { ++ m[i] = _MASK ++ } ++ return modulusFromNat(&nat{limbs: m}) ++} ++ ++func makeBenchmarkValue() *nat { ++ x := make([]uint, 32) ++ for i := 0; i < 32; i++ { ++ x[i] = _MASK - 1 ++ } ++ return &nat{limbs: x} ++} ++ ++func makeBenchmarkExponent() []byte { ++ e := make([]byte, 256) ++ for i := 0; i < 32; i++ { ++ e[i] = 0xFF ++ } ++ return e ++} ++ ++func BenchmarkModAdd(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.modAdd(y, m) ++ } ++} ++ ++func BenchmarkModSub(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.modSub(y, m) ++ } ++} ++ ++func BenchmarkMontgomeryRepr(b *testing.B) { ++ x := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < 
b.N; i++ { ++ x.montgomeryRepresentation(m) ++ } ++} ++ ++func BenchmarkMontgomeryMul(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ out := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ out.montgomeryMul(x, y, m) ++ } ++} ++ ++func BenchmarkModMul(b *testing.B) { ++ x := makeBenchmarkValue() ++ y := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ x.modMul(y, m) ++ } ++} ++ ++func BenchmarkExpBig(b *testing.B) { ++ out := new(big.Int) ++ exponentBytes := makeBenchmarkExponent() ++ x := new(big.Int).SetBytes(exponentBytes) ++ e := new(big.Int).SetBytes(exponentBytes) ++ n := new(big.Int).SetBytes(exponentBytes) ++ one := new(big.Int).SetUint64(1) ++ n.Add(n, one) ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ out.Exp(x, e, n) ++ } ++} ++ ++func BenchmarkExp(b *testing.B) { ++ x := makeBenchmarkValue() ++ e := makeBenchmarkExponent() ++ out := makeBenchmarkValue() ++ m := makeBenchmarkModulus() ++ ++ b.ResetTimer() ++ for i := 0; i < b.N; i++ { ++ out.exp(x, e, m) ++ } ++} +diff --git a/src/crypto/rsa/pkcs1v15.go b/src/crypto/rsa/pkcs1v15.go +index 0cbd6d0..90233bb 100644 +--- a/src/crypto/rsa/pkcs1v15.go ++++ b/src/crypto/rsa/pkcs1v15.go +@@ -9,7 +9,6 @@ import ( + "crypto/subtle" + "errors" + "io" +- "math/big" + + "crypto/internal/randutil" + ) +@@ -58,14 +57,11 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) ([]byte, error) + em[len(em)-len(msg)-1] = 0 + copy(mm, msg) + +- m := new(big.Int).SetBytes(em) +- c := encrypt(new(big.Int), pub, m) +- +- return c.FillBytes(em), nil ++ return encrypt(pub, em), nil + } + + // DecryptPKCS1v15 decrypts a plaintext using RSA and the padding scheme from PKCS #1 v1.5. +-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks. ++// The random parameter is legacy and ignored, and it can be as nil. 
+ // + // Note that whether this function returns an error or not discloses secret + // information. If an attacker can cause this function to run repeatedly and +@@ -76,7 +72,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt + if err := checkPub(&priv.PublicKey); err != nil { + return nil, err + } +- valid, out, index, err := decryptPKCS1v15(rand, priv, ciphertext) ++ valid, out, index, err := decryptPKCS1v15(priv, ciphertext) + if err != nil { + return nil, err + } +@@ -87,7 +83,7 @@ func DecryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) ([]byt + } + + // DecryptPKCS1v15SessionKey decrypts a session key using RSA and the padding scheme from PKCS #1 v1.5. +-// If rand != nil, it uses RSA blinding to avoid timing side-channel attacks. ++// The random parameter is legacy and ignored, and it can be as nil. + // It returns an error if the ciphertext is the wrong length or if the + // ciphertext is greater than the public modulus. Otherwise, no error is + // returned. If the padding is valid, the resulting plaintext message is copied +@@ -114,7 +110,7 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by + return ErrDecryption + } + +- valid, em, index, err := decryptPKCS1v15(rand, priv, ciphertext) ++ valid, em, index, err := decryptPKCS1v15(priv, ciphertext) + if err != nil { + return err + } +@@ -130,26 +126,24 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by + return nil + } + +-// decryptPKCS1v15 decrypts ciphertext using priv and blinds the operation if +-// rand is not nil. It returns one or zero in valid that indicates whether the +-// plaintext was correctly structured. In either case, the plaintext is +-// returned in em so that it may be read independently of whether it was valid +-// in order to maintain constant memory access patterns. If the plaintext was +-// valid then index contains the index of the original message in em. 
+-func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) { ++// decryptPKCS1v15 decrypts ciphertext using priv. It returns one or zero in ++// valid that indicates whether the plaintext was correctly structured. ++// In either case, the plaintext is returned in em so that it may be read ++// independently of whether it was valid in order to maintain constant memory ++// access patterns. If the plaintext was valid then index contains the index of ++// the original message in em, to allow constant time padding removal. ++func decryptPKCS1v15(priv *PrivateKey, ciphertext []byte) (valid int, em []byte, index int, err error) { + k := priv.Size() + if k < 11 { + err = ErrDecryption + return + } + +- c := new(big.Int).SetBytes(ciphertext) +- m, err := decrypt(rand, priv, c) ++ em, err = decrypt(priv, ciphertext) + if err != nil { + return + } + +- em = m.FillBytes(make([]byte, k)) + firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) + secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2) + +@@ -221,8 +215,7 @@ var hashPrefixes = map[crypto.Hash][]byte{ + // function. If hash is zero, hashed is signed directly. This isn't + // advisable except for interoperability. + // +-// If rand is not nil then RSA blinding will be used to avoid timing +-// side-channel attacks. ++// The random parameter is legacy and ignored, and it can be as nil. + // + // This function is deterministic. Thus, if the set of possible + // messages is small, an attacker may be able to build a map from +@@ -249,13 +242,7 @@ func SignPKCS1v15(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed []b + copy(em[k-tLen:k-hashLen], prefix) + copy(em[k-hashLen:k], hashed) + +- m := new(big.Int).SetBytes(em) +- c, err := decryptAndCheck(rand, priv, m) +- if err != nil { +- return nil, err +- } +- +- return c.FillBytes(em), nil ++ return decryptAndCheck(priv, em) + } + + // VerifyPKCS1v15 verifies an RSA PKCS #1 v1.5 signature. 
+@@ -282,9 +269,7 @@ func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) + return ErrVerification + } + +- c := new(big.Int).SetBytes(sig) +- m := encrypt(new(big.Int), pub, c) +- em := m.FillBytes(make([]byte, k)) ++ em := encrypt(pub, sig) + // EM = 0x00 || 0x01 || PS || 0x00 || T + + ok := subtle.ConstantTimeByteEq(em[0], 0) +diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go +index 814522d..aeb6148 100644 +--- a/src/crypto/rsa/pss.go ++++ b/src/crypto/rsa/pss.go +@@ -12,7 +12,6 @@ import ( + "errors" + "hash" + "io" +- "math/big" + ) + + // Per RFC 8017, Section 9.1 +@@ -207,19 +206,26 @@ func emsaPSSVerify(mHash, em []byte, emBits, sLen int, hash hash.Hash) error { + // Note that hashed must be the result of hashing the input message using the + // given hash function. salt is a random sequence of bytes whose length will be + // later used to verify the signature. +-func signPSSWithSalt(rand io.Reader, priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) { +- emBits := priv.N.BitLen() - 1 ++func signPSSWithSalt(priv *PrivateKey, hash crypto.Hash, hashed, salt []byte) ([]byte, error) { ++ emBits := bigBitLen(priv.N) - 1 + em, err := emsaPSSEncode(hashed, emBits, salt, hash.New()) + if err != nil { + return nil, err + } +- m := new(big.Int).SetBytes(em) +- c, err := decryptAndCheck(rand, priv, m) +- if err != nil { +- return nil, err ++ // RFC 8017: "Note that the octet length of EM will be one less than k if ++ // modBits - 1 is divisible by 8 and equal to k otherwise, where k is the ++ // length in octets of the RSA modulus n." ++ // ++ // This is extremely annoying, as all other encrypt and decrypt inputs are ++ // always the exact same size as the modulus. Since it only happens for ++ // weird modulus sizes, fix it by padding inefficiently. 
++ if emLen, k := len(em), priv.Size(); emLen < k { ++ emNew := make([]byte, k) ++ copy(emNew[k-emLen:], em) ++ em = emNew + } +- s := make([]byte, priv.Size()) +- return c.FillBytes(s), nil ++ ++ return decryptAndCheck(priv, em) + } + + const ( +@@ -269,7 +275,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, + saltLength := opts.saltLength() + switch saltLength { + case PSSSaltLengthAuto: +- saltLength = (priv.N.BitLen()-1+7)/8 - 2 - hash.Size() ++ saltLength = (bigBitLen(priv.N)-1+7)/8 - 2 - hash.Size() + case PSSSaltLengthEqualsHash: + saltLength = hash.Size() + } +@@ -278,7 +284,7 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte, + if _, err := io.ReadFull(rand, salt); err != nil { + return nil, err + } +- return signPSSWithSalt(rand, priv, hash, digest, salt) ++ return signPSSWithSalt(priv, hash, digest, salt) + } + + // VerifyPSS verifies a PSS signature. +@@ -291,13 +297,22 @@ func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts + if len(sig) != pub.Size() { + return ErrVerification + } +- s := new(big.Int).SetBytes(sig) +- m := encrypt(new(big.Int), pub, s) +- emBits := pub.N.BitLen() - 1 ++ ++ emBits := bigBitLen(pub.N) - 1 + emLen := (emBits + 7) / 8 +- if m.BitLen() > emLen*8 { +- return ErrVerification ++ em := encrypt(pub, sig) ++ ++ // Like in signPSSWithSalt, deal with mismatches between emLen and the size ++ // of the modulus. The spec would have us wire emLen into the encoding ++ // function, but we'd rather always encode to the size of the modulus and ++ // then strip leading zeroes if necessary. This only happens for weird ++ // modulus sizes anyway. 
++ for len(em) > emLen && len(em) > 0 { ++ if em[0] != 0 { ++ return ErrVerification ++ } ++ em = em[1:] + } +- em := m.FillBytes(make([]byte, emLen)) ++ + return emsaPSSVerify(digest, em, emBits, opts.saltLength(), hash.New()) + } +diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go +index c3a6d46..d018b43 100644 +--- a/src/crypto/rsa/pss_test.go ++++ b/src/crypto/rsa/pss_test.go +@@ -233,7 +233,10 @@ func TestPSSSigning(t *testing.T) { + } + } + +-func TestSignWithPSSSaltLengthAuto(t *testing.T) { ++func TestPSS513(t *testing.T) { ++ // See Issue 42741, and separately, RFC 8017: "Note that the octet length of ++ // EM will be one less than k if modBits - 1 is divisible by 8 and equal to ++ // k otherwise, where k is the length in octets of the RSA modulus n." + key, err := GenerateKey(rand.Reader, 513) + if err != nil { + t.Fatal(err) +@@ -246,8 +249,9 @@ func TestSignWithPSSSaltLengthAuto(t *testing.T) { + if err != nil { + t.Fatal(err) + } +- if len(signature) == 0 { +- t.Fatal("empty signature returned") ++ err = VerifyPSS(&key.PublicKey, crypto.SHA256, digest[:], signature, nil) ++ if err != nil { ++ t.Error(err) + } + } + +diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go +index 6fd59b3..20c1fe1 100644 +--- a/src/crypto/rsa/rsa.go ++++ b/src/crypto/rsa/rsa.go +@@ -19,13 +19,17 @@ + // over the public key primitive, the PrivateKey type implements the + // Decrypter and Signer interfaces from the crypto package. + // +-// The RSA operations in this package are not implemented using constant-time algorithms. ++// Operations in this package are implemented using constant-time algorithms, ++// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate]. ++// Every other operation only leaks the bit size of the involved values, which ++// all depend on the selected key size. 
+ package rsa + + import ( + "crypto" + "crypto/rand" + "crypto/subtle" ++ "encoding/binary" + "errors" + "hash" + "io" +@@ -35,7 +39,6 @@ import ( + "crypto/internal/randutil" + ) + +-var bigZero = big.NewInt(0) + var bigOne = big.NewInt(1) + + // A PublicKey represents the public part of an RSA key. +@@ -50,7 +53,7 @@ type PublicKey struct { + // Size returns the modulus size in bytes. Raw signatures and ciphertexts + // for or by this public key will have the same size. + func (pub *PublicKey) Size() int { +- return (pub.N.BitLen() + 7) / 8 ++ return (bigBitLen(pub.N) + 7) / 8 + } + + // Equal reports whether pub and x have the same value. +@@ -384,10 +387,18 @@ func mgf1XOR(out []byte, hash hash.Hash, seed []byte) { + // too large for the size of the public key. + var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size") + +-func encrypt(c *big.Int, pub *PublicKey, m *big.Int) *big.Int { +- e := big.NewInt(int64(pub.E)) +- c.Exp(m, e, pub.N) +- return c ++func encrypt(pub *PublicKey, plaintext []byte) []byte { ++ N := modulusFromNat(natFromBig(pub.N)) ++ m := natFromBytes(plaintext).expandFor(N) ++ ++ e := make([]byte, 8) ++ binary.BigEndian.PutUint64(e, uint64(pub.E)) ++ for len(e) > 1 && e[0] == 0 { ++ e = e[1:] ++ } ++ ++ out := make([]byte, modulusSize(N)) ++ return new(nat).exp(m, e, N).fillBytes(out) + } + + // EncryptOAEP encrypts the given message with RSA-OAEP. +@@ -437,12 +448,7 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l + mgf1XOR(db, hash, seed) + mgf1XOR(seed, hash, db) + +- m := new(big.Int) +- m.SetBytes(em) +- c := encrypt(new(big.Int), pub, m) +- +- out := make([]byte, k) +- return c.FillBytes(out), nil ++ return encrypt(pub, em), nil + } + + // ErrDecryption represents a failure to decrypt a message. +@@ -484,98 +490,70 @@ func (priv *PrivateKey) Precompute() { + } + } + +-// decrypt performs an RSA decryption, resulting in a plaintext integer. 
If a +-// random source is given, RSA blinding is used. +-func decrypt(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) { +- // TODO(agl): can we get away with reusing blinds? +- if c.Cmp(priv.N) > 0 { +- err = ErrDecryption +- return ++// decrypt performs an RSA decryption of ciphertext into out. ++func decrypt(priv *PrivateKey, ciphertext []byte) ([]byte, error) { ++ N := modulusFromNat(natFromBig(priv.N)) ++ c := natFromBytes(ciphertext).expandFor(N) ++ if c.cmpGeq(N.nat) == 1 { ++ return nil, ErrDecryption + } + if priv.N.Sign() == 0 { + return nil, ErrDecryption + } + +- var ir *big.Int +- if random != nil { +- randutil.MaybeReadByte(random) +- +- // Blinding enabled. Blinding involves multiplying c by r^e. +- // Then the decryption operation performs (m^e * r^e)^d mod n +- // which equals mr mod n. The factor of r can then be removed +- // by multiplying by the multiplicative inverse of r. +- +- var r *big.Int +- ir = new(big.Int) +- for { +- r, err = rand.Int(random, priv.N) +- if err != nil { +- return +- } +- if r.Cmp(bigZero) == 0 { +- r = bigOne +- } +- ok := ir.ModInverse(r, priv.N) +- if ok != nil { +- break +- } +- } +- bigE := big.NewInt(int64(priv.E)) +- rpowe := new(big.Int).Exp(r, bigE, priv.N) // N != 0 +- cCopy := new(big.Int).Set(c) +- cCopy.Mul(cCopy, rpowe) +- cCopy.Mod(cCopy, priv.N) +- c = cCopy +- } +- ++ // Note that because our private decryption exponents are stored as big.Int, ++ // we potentially leak the exact number of bits of these exponents. This ++ // isn't great, but should be fine. + if priv.Precomputed.Dp == nil { +- m = new(big.Int).Exp(c, priv.D, priv.N) +- } else { +- // We have the precalculated values needed for the CRT. 
+- m = new(big.Int).Exp(c, priv.Precomputed.Dp, priv.Primes[0]) +- m2 := new(big.Int).Exp(c, priv.Precomputed.Dq, priv.Primes[1]) +- m.Sub(m, m2) +- if m.Sign() < 0 { +- m.Add(m, priv.Primes[0]) +- } +- m.Mul(m, priv.Precomputed.Qinv) +- m.Mod(m, priv.Primes[0]) +- m.Mul(m, priv.Primes[1]) +- m.Add(m, m2) +- +- for i, values := range priv.Precomputed.CRTValues { +- prime := priv.Primes[2+i] +- m2.Exp(c, values.Exp, prime) +- m2.Sub(m2, m) +- m2.Mul(m2, values.Coeff) +- m2.Mod(m2, prime) +- if m2.Sign() < 0 { +- m2.Add(m2, prime) +- } +- m2.Mul(m2, values.R) +- m.Add(m, m2) +- } +- } +- +- if ir != nil { +- // Unblind. +- m.Mul(m, ir) +- m.Mod(m, priv.N) +- } +- +- return ++ out := make([]byte, modulusSize(N)) ++ return new(nat).exp(c, priv.D.Bytes(), N).fillBytes(out), nil ++ } ++ ++ t0 := new(nat) ++ P := modulusFromNat(natFromBig(priv.Primes[0])) ++ Q := modulusFromNat(natFromBig(priv.Primes[1])) ++ // m = c ^ Dp mod p ++ m := new(nat).exp(t0.mod(c, P), priv.Precomputed.Dp.Bytes(), P) ++ // m2 = c ^ Dq mod q ++ m2 := new(nat).exp(t0.mod(c, Q), priv.Precomputed.Dq.Bytes(), Q) ++ // m = m - m2 mod p ++ m.modSub(t0.mod(m2, P), P) ++ // m = m * Qinv mod p ++ m.modMul(natFromBig(priv.Precomputed.Qinv).expandFor(P), P) ++ // m = m * q mod N ++ m.expandFor(N).modMul(t0.mod(Q.nat, N), N) ++ // m = m + m2 mod N ++ m.modAdd(m2.expandFor(N), N) ++ ++ for i, values := range priv.Precomputed.CRTValues { ++ p := modulusFromNat(natFromBig(priv.Primes[2+i])) ++ // m2 = c ^ Exp mod p ++ m2.exp(t0.mod(c, p), values.Exp.Bytes(), p) ++ // m2 = m2 - m mod p ++ m2.modSub(t0.mod(m, p), p) ++ // m2 = m2 * Coeff mod p ++ m2.modMul(natFromBig(values.Coeff).expandFor(p), p) ++ // m2 = m2 * R mod N ++ R := natFromBig(values.R).expandFor(N) ++ m2.expandFor(N).modMul(R, N) ++ // m = m + m2 mod N ++ m.modAdd(m2, N) ++ } ++ ++ out := make([]byte, modulusSize(N)) ++ return m.fillBytes(out), nil + } + +-func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err error) { 
+- m, err = decrypt(random, priv, c) ++func decryptAndCheck(priv *PrivateKey, ciphertext []byte) (m []byte, err error) { ++ m, err = decrypt(priv, ciphertext) + if err != nil { + return nil, err + } + + // In order to defend against errors in the CRT computation, m^e is + // calculated, which should match the original ciphertext. +- check := encrypt(new(big.Int), &priv.PublicKey, m) +- if c.Cmp(check) != 0 { ++ check := encrypt(&priv.PublicKey, m) ++ if subtle.ConstantTimeCompare(ciphertext, check) != 1 { + return nil, errors.New("rsa: internal error") + } + return m, nil +@@ -587,9 +565,7 @@ func decryptAndCheck(random io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int + // Encryption and decryption of a given message must use the same hash function + // and sha256.New() is a reasonable choice. + // +-// The random parameter, if not nil, is used to blind the private-key operation +-// and avoid timing side-channel attacks. Blinding is purely internal to this +-// function – the random data need not match that used when encrypting. ++// The random parameter is legacy and ignored, and it can be as nil. + // + // The label parameter must match the value given when encrypting. See + // EncryptOAEP for details. +@@ -603,9 +579,7 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext + return nil, ErrDecryption + } + +- c := new(big.Int).SetBytes(ciphertext) +- +- m, err := decrypt(random, priv, c) ++ em, err := decrypt(priv, ciphertext) + if err != nil { + return nil, err + } +@@ -614,10 +588,6 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext + lHash := hash.Sum(nil) + hash.Reset() + +- // We probably leak the number of leading zeros. +- // It's not clear that we can do anything about this. +- em := m.FillBytes(make([]byte, k)) +- + firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) + + seed := em[1 : hash.Size()+1] +-- +2.40.0 
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
new file mode 100644
index 0000000000..5f6d7e16a8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
@@ -0,0 +1,252 @@ +From 0f717b5f7d32bb660c01ec0366bd53c9b4c5ab5d Mon Sep 17 00:00:00 2001 +From: Michael Matloob <matloob@golang.org> +Date: Mon, 24 Apr 2023 16:57:28 -0400 +Subject: [PATCH 1/2] cmd/go: sanitize go env outputs + +go env, without any arguments, outputs the environment variables in +the form of a script that can be run on the host OS. On Unix, single +quote the strings and place single quotes themselves outside the +single quoted strings. On windows use the set "var=val" syntax with +the quote starting before the variable. + +Fixes #58508 + +Change-Id: Iecd379a4af7285ea9b2024f0202250c74fd9a2bd +Reviewed-on: https://go-review.googlesource.com/c/go/+/488375 +TryBot-Result: Gopher Robot <gobot@golang.org> +Reviewed-by: Michael Matloob <matloob@golang.org> +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Michael Matloob <matloob@golang.org> +Reviewed-by: Bryan Mills <bcmills@google.com> +Reviewed-by: Quim Muntal <quimmuntal@gmail.com> + +CVE: CVE-2023-24531 +Upstream-Status: Backport [f379e78951a405e7e99a60fb231eeedbf976c108] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/cmd/go/internal/envcmd/env.go | 60 ++++++++++++- + src/cmd/go/internal/envcmd/env_test.go | 94 +++++++++++++++++++++ + src/cmd/go/testdata/script/env_sanitize.txt | 5 ++ + 3 files changed, 157 insertions(+), 2 deletions(-) + create mode 100644 src/cmd/go/internal/envcmd/env_test.go + create mode 100644 src/cmd/go/testdata/script/env_sanitize.txt + +diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go +index 43b94e7..0ce8843 100644 +--- a/src/cmd/go/internal/envcmd/env.go ++++ b/src/cmd/go/internal/envcmd/env.go +@@ -6,6 +6,7 @@ + package envcmd + + import ( ++ "bytes" + "context" + "encoding/json" + "fmt" +@@ -17,6 +18,7 @@ import ( + "runtime" + "sort" + "strings" ++ "unicode" + "unicode/utf8" + + "cmd/go/internal/base" +@@ -379,9 +381,12 @@ func checkBuildConfig(add map[string]string, del map[string]bool) error { + func 
PrintEnv(w io.Writer, env []cfg.EnvVar) { + for _, e := range env { + if e.Name != "TERM" { ++ if runtime.GOOS != "plan9" && bytes.Contains([]byte(e.Value), []byte{0}) { ++ base.Fatalf("go: internal error: encountered null byte in environment variable %s on non-plan9 platform", e.Name) ++ } + switch runtime.GOOS { + default: +- fmt.Fprintf(w, "%s=\"%s\"\n", e.Name, e.Value) ++ fmt.Fprintf(w, "%s=%s\n", e.Name, shellQuote(e.Value)) + case "plan9": + if strings.IndexByte(e.Value, '\x00') < 0 { + fmt.Fprintf(w, "%s='%s'\n", e.Name, strings.ReplaceAll(e.Value, "'", "''")) +@@ -392,17 +397,68 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) { + if x > 0 { + fmt.Fprintf(w, " ") + } ++ // TODO(#59979): Does this need to be quoted like above? + fmt.Fprintf(w, "%s", s) + } + fmt.Fprintf(w, ")\n") + } + case "windows": +- fmt.Fprintf(w, "set %s=%s\n", e.Name, e.Value) ++ if hasNonGraphic(e.Value) { ++ base.Errorf("go: stripping unprintable or unescapable characters from %%%q%%", e.Name) ++ } ++ fmt.Fprintf(w, "set %s=%s\n", e.Name, batchEscape(e.Value)) + } + } + } + } + ++func hasNonGraphic(s string) bool { ++ for _, c := range []byte(s) { ++ if c == '\r' || c == '\n' || (!unicode.IsGraphic(rune(c)) && !unicode.IsSpace(rune(c))) { ++ return true ++ } ++ } ++ return false ++} ++ ++func shellQuote(s string) string { ++ var b bytes.Buffer ++ b.WriteByte('\'') ++ for _, x := range []byte(s) { ++ if x == '\'' { ++ // Close the single quoted string, add an escaped single quote, ++ // and start another single quoted string. 
++ b.WriteString(`'\''`) ++ } else { ++ b.WriteByte(x) ++ } ++ } ++ b.WriteByte('\'') ++ return b.String() ++} ++ ++func batchEscape(s string) string { ++ var b bytes.Buffer ++ for _, x := range []byte(s) { ++ if x == '\r' || x == '\n' || (!unicode.IsGraphic(rune(x)) && !unicode.IsSpace(rune(x))) { ++ b.WriteRune(unicode.ReplacementChar) ++ continue ++ } ++ switch x { ++ case '%': ++ b.WriteString("%%") ++ case '<', '>', '|', '&', '^': ++ // These are special characters that need to be escaped with ^. See ++ // https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1. ++ b.WriteByte('^') ++ b.WriteByte(x) ++ default: ++ b.WriteByte(x) ++ } ++ } ++ return b.String() ++} ++ + func printEnvAsJSON(env []cfg.EnvVar) { + m := make(map[string]string) + for _, e := range env { +diff --git a/src/cmd/go/internal/envcmd/env_test.go b/src/cmd/go/internal/envcmd/env_test.go +new file mode 100644 +index 0000000..32d99fd +--- /dev/null ++++ b/src/cmd/go/internal/envcmd/env_test.go +@@ -0,0 +1,94 @@ ++// Copyright 2022 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++//go:build unix || windows ++ ++package envcmd ++ ++import ( ++ "bytes" ++ "cmd/go/internal/cfg" ++ "fmt" ++ "internal/testenv" ++ "os" ++ "os/exec" ++ "path/filepath" ++ "runtime" ++ "testing" ++ "unicode" ++) ++ ++func FuzzPrintEnvEscape(f *testing.F) { ++ f.Add(`$(echo 'cc"'; echo 'OOPS="oops')`) ++ f.Add("$(echo shell expansion 1>&2)") ++ f.Add("''") ++ f.Add(`C:\"Program Files"\`) ++ f.Add(`\\"Quoted Host"\\share`) ++ f.Add("\xfb") ++ f.Add("0") ++ f.Add("") ++ f.Add("''''''''") ++ f.Add("\r") ++ f.Add("\n") ++ f.Add("E,%") ++ f.Fuzz(func(t *testing.T, s string) { ++ t.Parallel() ++ ++ for _, c := range []byte(s) { ++ if c == 0 { ++ t.Skipf("skipping %q: contains a null byte. 
Null bytes can't occur in the environment"+ ++ " outside of Plan 9, which has different code path than Windows and Unix that this test"+ ++ " isn't testing.", s) ++ } ++ if c > unicode.MaxASCII { ++ t.Skipf("skipping %#q: contains a non-ASCII character %q", s, c) ++ } ++ if !unicode.IsGraphic(rune(c)) && !unicode.IsSpace(rune(c)) { ++ t.Skipf("skipping %#q: contains non-graphic character %q", s, c) ++ } ++ if runtime.GOOS == "windows" && c == '\r' || c == '\n' { ++ t.Skipf("skipping %#q on Windows: contains unescapable character %q", s, c) ++ } ++ } ++ ++ var b bytes.Buffer ++ if runtime.GOOS == "windows" { ++ b.WriteString("@echo off\n") ++ } ++ PrintEnv(&b, []cfg.EnvVar{{Name: "var", Value: s}}) ++ var want string ++ if runtime.GOOS == "windows" { ++ fmt.Fprintf(&b, "echo \"%%var%%\"\n") ++ want += "\"" + s + "\"\r\n" ++ } else { ++ fmt.Fprintf(&b, "printf '%%s\\n' \"$var\"\n") ++ want += s + "\n" ++ } ++ scriptfilename := "script.sh" ++ if runtime.GOOS == "windows" { ++ scriptfilename = "script.bat" ++ } ++ scriptfile := filepath.Join(t.TempDir(), scriptfilename) ++ if err := os.WriteFile(scriptfile, b.Bytes(), 0777); err != nil { ++ t.Fatal(err) ++ } ++ t.Log(b.String()) ++ var cmd *exec.Cmd ++ if runtime.GOOS == "windows" { ++ cmd = testenv.Command(t, "cmd.exe", "/C", scriptfile) ++ } else { ++ cmd = testenv.Command(t, "sh", "-c", scriptfile) ++ } ++ out, err := cmd.Output() ++ t.Log(string(out)) ++ if err != nil { ++ t.Fatal(err) ++ } ++ ++ if string(out) != want { ++ t.Fatalf("output of running PrintEnv script and echoing variable: got: %q, want: %q", ++ string(out), want) ++ } ++ }) ++} +diff --git a/src/cmd/go/testdata/script/env_sanitize.txt b/src/cmd/go/testdata/script/env_sanitize.txt +new file mode 100644 +index 0000000..cc4d23a +--- /dev/null ++++ b/src/cmd/go/testdata/script/env_sanitize.txt +@@ -0,0 +1,5 @@ ++env GOFLAGS='$(echo ''cc"''; echo ''OOPS="oops'')' ++go env ++[GOOS:darwin] stdout 'GOFLAGS=''\$\(echo ''\\''''cc"''\\''''; echo 
''\\''''OOPS="oops''\\''''\)''' ++[GOOS:linux] stdout 'GOFLAGS=''\$\(echo ''\\''''cc"''\\''''; echo ''\\''''OOPS="oops''\\''''\)''' ++[GOOS:windows] stdout 'set GOFLAGS=\$\(echo ''cc"''; echo ''OOPS="oops''\)' +-- +2.35.5 + diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_2.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_2.patch new file mode 100644 index 0000000000..eecc04c2e3 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-24531_2.patch 
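Review bot: In FuzzPrintEnvEscape (env_test.go) the skip condition `runtime.GOOS == "windows" && c == '\r' || c == '\n'` parses as `(runtime.GOOS == "windows" && c == '\r') || c == '\n'`, so any input containing a newline is skipped on every platform even though the skip message says "on Windows". As written, the seed `f.Add("\n")` and every fuzzed value with an embedded newline never reach shellQuote on Unix, which leaves the multi-line case of the quoting fix unverified. Parenthesising restores the apparent intent: `if runtime.GOOS == "windows" && (c == '\r' || c == '\n') {`. Whether the Unix round trip then passes for newline input should be confirmed by running the seeds, since the page shows no test results.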
@@ -0,0 +1,47 @@
+From b2624f973692ca093348395c2418d1c422f2a162 Mon Sep 17 00:00:00 2001
+From: miller <millerresearch@gmail.com>
+Date: Mon, 8 May 2023 16:56:21 +0100
+Subject: [PATCH 2/2] cmd/go: quote entries in list-valued variables for go env
+ in plan9
+
+When 'go env' without an argument prints environment variables as
+a script which can be executed by the shell, variables with a
+list value in Plan 9 (such as GOPATH) need to be printed with each
+element enclosed in single quotes in case it contains characters
+significant to the Plan 9 shell (such as ' ' or '=').
+
+For #58508
+
+Change-Id: Ia30f51307cc6d07a7e3ada6bf9d60bf9951982ff
+Reviewed-on: https://go-review.googlesource.com/c/go/+/493535
+Run-TryBot: Cherry Mui <cherryyz@google.com>
+Reviewed-by: Cherry Mui <cherryyz@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+
+CVE: CVE-2023-24531
+Upstream-Status: Backport [05cc9e55876874462a4726ca0101c970838c80e5]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ src/cmd/go/internal/envcmd/env.go | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/cmd/go/internal/envcmd/env.go b/src/cmd/go/internal/envcmd/env.go
+index 0ce8843..b48d0bd 100644
+--- a/src/cmd/go/internal/envcmd/env.go
++++ b/src/cmd/go/internal/envcmd/env.go
+@@ -397,8 +397,7 @@ func PrintEnv(w io.Writer, env []cfg.EnvVar) {
+ if x > 0 {
+ fmt.Fprintf(w, " ")
+ }
+- // TODO(#59979): Does this need to be quoted like above?
+- fmt.Fprintf(w, "%s", s)
++ fmt.Fprintf(w, "'%s'", strings.ReplaceAll(s, "'", "''"))
+ }
+ fmt.Fprintf(w, ")\n")
+ }
+--
+2.35.5
+
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
new file mode 100644
index 0000000000..503a4a288a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-39318.patch
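Review bot: The per-element quoting added to the Plan 9 list branch of PrintEnv has no test on this page: env_test.go from patch 1/2 carries `//go:build unix || windows`, and env_sanitize.txt asserts only darwin, linux and windows output. The same escaping now appears twice in that branch, once for the scalar value and once per list element. A small helper (name is only a suggestion) such as `func plan9Quote(s string) string { return "'" + strings.ReplaceAll(s, "'", "''") + "'" }` would keep the two in step and give a platform-independent unit test something to call. PrintEnv's body starts and ends outside this hunk.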
@@ -0,0 +1,262 @@ +From 023b542edf38e2a1f87fcefb9f75ff2f99401b4c Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 3 Aug 2023 12:24:13 -0700 +Subject: [PATCH] [release-branch.go1.20] html/template: support HTML-like + comments in script contexts + +Per Appendix B.1.1 of the ECMAScript specification, support HTML-like +comments in script contexts. Also per section 12.5, support hashbang +comments. This brings our parsing in-line with how browsers treat these +comment types. + +Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for +reporting this issue. + +Fixes #62196 +Fixes #62395 +Fixes CVE-2023-39318 + +Change-Id: Id512702c5de3ae46cf648e268cb10e1eb392a181 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1976593 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014620 +Reviewed-on: https://go-review.googlesource.com/c/go/+/526098 +Run-TryBot: Cherry Mui <cherryyz@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] +CVE: CVE-2023-39318 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/html/template/context.go | 6 ++- + src/html/template/escape.go | 5 ++- + src/html/template/escape_test.go | 10 +++++ + src/html/template/state_string.go | 26 +++++++------ + src/html/template/transition.go | 80 +++++++++++++++++++++++++-------------- + 5 files changed, 84 insertions(+), 43 deletions(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f5f44a1..feb6517 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -124,6 +124,10 @@ const ( + stateJSBlockCmt + // stateJSLineCmt occurs 
inside a JavaScript // line comment. + stateJSLineCmt ++ // stateJSHTMLOpenCmt occurs inside a JavaScript <!-- HTML-like comment. ++ stateJSHTMLOpenCmt ++ // stateJSHTMLCloseCmt occurs inside a JavaScript --> HTML-like comment. ++ stateJSHTMLCloseCmt + // stateCSS occurs inside a <style> element or style attribute. + stateCSS + // stateCSSDqStr occurs inside a CSS double quoted string. +@@ -149,7 +153,7 @@ const ( + // authors & maintainers, not for end-users or machines. + func isComment(s state) bool { + switch s { +- case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateCSSBlockCmt, stateCSSLineCmt: ++ case stateHTMLCmt, stateJSBlockCmt, stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt, stateCSSBlockCmt, stateCSSLineCmt: + return true + } + return false +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index 1747ec9..b0085ce 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -721,9 +721,12 @@ func (e *escaper) escapeText(c context, n *parse.TextNode) context { + if c.state != c1.state && isComment(c1.state) && c1.delim == delimNone { + // Preserve the portion between written and the comment start. 
+ cs := i1 - 2 +- if c1.state == stateHTMLCmt { ++ if c1.state == stateHTMLCmt || c1.state == stateJSHTMLOpenCmt { + // "<!--" instead of "/*" or "//" + cs -= 2 ++ } else if c1.state == stateJSHTMLCloseCmt { ++ // "-->" instead of "/*" or "//" ++ cs -= 1 + } + b.Write(s[written:cs]) + written = i1 +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go +index 7853daa..bff38c6 100644 +--- a/src/html/template/escape_test.go ++++ b/src/html/template/escape_test.go +@@ -503,6 +503,16 @@ func TestEscape(t *testing.T) { + "<script>var a/*b*///c\nd</script>", + "<script>var a \nd</script>", + }, ++ { ++ "JS HTML-like comments", ++ "<script>before <!-- beep\nbetween\nbefore-->boop\n</script>", ++ "<script>before \nbetween\nbefore\n</script>", ++ }, ++ { ++ "JS hashbang comment", ++ "<script>#! beep\n</script>", ++ "<script>\n</script>", ++ }, + { + "Special tags in <script> string literals", + `<script>var a = "asd < 123 <!-- 456 < fgh <script jkl < 789 </script"</script>`, +diff --git a/src/html/template/state_string.go b/src/html/template/state_string.go +index 05104be..b5cfe70 100644 +--- a/src/html/template/state_string.go ++++ b/src/html/template/state_string.go +@@ -25,21 +25,23 @@ func _() { + _ = x[stateJSRegexp-14] + _ = x[stateJSBlockCmt-15] + _ = x[stateJSLineCmt-16] +- _ = x[stateCSS-17] +- _ = x[stateCSSDqStr-18] +- _ = x[stateCSSSqStr-19] +- _ = x[stateCSSDqURL-20] +- _ = x[stateCSSSqURL-21] +- _ = x[stateCSSURL-22] +- _ = x[stateCSSBlockCmt-23] +- _ = x[stateCSSLineCmt-24] +- _ = x[stateError-25] +- _ = x[stateDead-26] ++ _ = x[stateJSHTMLOpenCmt-17] ++ _ = x[stateJSHTMLCloseCmt-18] ++ _ = x[stateCSS-19] ++ _ = x[stateCSSDqStr-20] ++ _ = x[stateCSSSqStr-21] ++ _ = x[stateCSSDqURL-22] ++ _ = x[stateCSSSqURL-23] ++ _ = x[stateCSSURL-24] ++ _ = x[stateCSSBlockCmt-25] ++ _ = x[stateCSSLineCmt-26] ++ _ = x[stateError-27] ++ _ = x[stateDead-28] + } + +-const _state_name = 
"stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" ++const _state_name = "stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSBqStrstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDead" + +-var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 204, 217, 230, 243, 256, 267, 283, 298, 308, 317} ++var _state_index = [...]uint16{0, 9, 17, 30, 44, 60, 72, 83, 92, 100, 111, 118, 130, 142, 154, 167, 182, 196, 214, 233, 241, 254, 267, 280, 293, 304, 320, 335, 345, 354} + + func (i state) String() string { + if i >= state(len(_state_index)-1) { +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index e2660cc..3d2a37c 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -14,32 +14,34 @@ import ( + // the updated context and the number of bytes consumed from the front of the + // input. 
+ var transitionFunc = [...]func(context, []byte) (context, int){ +- stateText: tText, +- stateTag: tTag, +- stateAttrName: tAttrName, +- stateAfterName: tAfterName, +- stateBeforeValue: tBeforeValue, +- stateHTMLCmt: tHTMLCmt, +- stateRCDATA: tSpecialTagEnd, +- stateAttr: tAttr, +- stateURL: tURL, +- stateSrcset: tURL, +- stateJS: tJS, +- stateJSDqStr: tJSDelimited, +- stateJSSqStr: tJSDelimited, +- stateJSBqStr: tJSDelimited, +- stateJSRegexp: tJSDelimited, +- stateJSBlockCmt: tBlockCmt, +- stateJSLineCmt: tLineCmt, +- stateCSS: tCSS, +- stateCSSDqStr: tCSSStr, +- stateCSSSqStr: tCSSStr, +- stateCSSDqURL: tCSSStr, +- stateCSSSqURL: tCSSStr, +- stateCSSURL: tCSSStr, +- stateCSSBlockCmt: tBlockCmt, +- stateCSSLineCmt: tLineCmt, +- stateError: tError, ++ stateText: tText, ++ stateTag: tTag, ++ stateAttrName: tAttrName, ++ stateAfterName: tAfterName, ++ stateBeforeValue: tBeforeValue, ++ stateHTMLCmt: tHTMLCmt, ++ stateRCDATA: tSpecialTagEnd, ++ stateAttr: tAttr, ++ stateURL: tURL, ++ stateSrcset: tURL, ++ stateJS: tJS, ++ stateJSDqStr: tJSDelimited, ++ stateJSSqStr: tJSDelimited, ++ stateJSBqStr: tJSDelimited, ++ stateJSRegexp: tJSDelimited, ++ stateJSBlockCmt: tBlockCmt, ++ stateJSLineCmt: tLineCmt, ++ stateJSHTMLOpenCmt: tLineCmt, ++ stateJSHTMLCloseCmt: tLineCmt, ++ stateCSS: tCSS, ++ stateCSSDqStr: tCSSStr, ++ stateCSSSqStr: tCSSStr, ++ stateCSSDqURL: tCSSStr, ++ stateCSSSqURL: tCSSStr, ++ stateCSSURL: tCSSStr, ++ stateCSSBlockCmt: tBlockCmt, ++ stateCSSLineCmt: tLineCmt, ++ stateError: tError, + } + + var commentStart = []byte("<!--") +@@ -268,7 +270,7 @@ func tURL(c context, s []byte) (context, int) { + + // tJS is the context transition function for the JS state. + func tJS(c context, s []byte) (context, int) { +- i := bytes.IndexAny(s, "\"`'/") ++ i := bytes.IndexAny(s, "\"`'/<-#") + if i == -1 { + // Entire input is non string, comment, regexp tokens. 
+ c.jsCtx = nextJSCtx(s, c.jsCtx) +@@ -298,6 +300,26 @@ func tJS(c context, s []byte) (context, int) { + err: errorf(ErrSlashAmbig, nil, 0, "'/' could start a division or regexp: %.32q", s[i:]), + }, len(s) + } ++ // ECMAScript supports HTML style comments for legacy reasons, see Appendix ++ // B.1.1 "HTML-like Comments". The handling of these comments is somewhat ++ // confusing. Multi-line comments are not supported, i.e. anything on lines ++ // between the opening and closing tokens is not considered a comment, but ++ // anything following the opening or closing token, on the same line, is ++ // ignored. As such we simply treat any line prefixed with "<!--" or "-->" ++ // as if it were actually prefixed with "//" and move on. ++ case '<': ++ if i+3 < len(s) && bytes.Equal(commentStart, s[i:i+4]) { ++ c.state, i = stateJSHTMLOpenCmt, i+3 ++ } ++ case '-': ++ if i+2 < len(s) && bytes.Equal(commentEnd, s[i:i+3]) { ++ c.state, i = stateJSHTMLCloseCmt, i+2 ++ } ++ // ECMAScript also supports "hashbang" comment lines, see Section 12.5. ++ case '#': ++ if i+1 < len(s) && s[i+1] == '!' { ++ c.state, i = stateJSLineCmt, i+1 ++ } + default: + panic("unreachable") + } +@@ -387,12 +409,12 @@ func tBlockCmt(c context, s []byte) (context, int) { + return c, i + 2 + } + +-// tLineCmt is the context transition function for //comment states. ++// tLineCmt is the context transition function for //comment states, and the JS HTML-like comment state. + func tLineCmt(c context, s []byte) (context, int) { + var lineTerminators string + var endState state + switch c.state { +- case stateJSLineCmt: ++ case stateJSLineCmt, stateJSHTMLOpenCmt, stateJSHTMLCloseCmt: + lineTerminators, endState = "\n\r\u2028\u2029", stateJS + case stateCSSLineCmt: + lineTerminators, endState = "\n\f\r", stateCSS +-- +2.35.7 + diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch new file mode 100644 index 0000000000..f8ac64472f 
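Review bot: The comment added in tJS says that a line prefixed with "<!--" or "-->" is treated as a "//" comment, but the new `case '<'` and `case '-'` branches match the token wherever `bytes.IndexAny` finds it, and the added test expects `before-->boop` to lose `boop`. Over-matching is the conservative direction for an escaper, but a template that contains an expression such as `a-->b` now has the rest of that line elided from the output, which the comment should state. I would reword its last sentence to `// As such we treat everything from a "<!--" or "-->" token to the end of the line as a "//" comment, even when the token is not at the start of the line.` tJS begins and ends outside the hunk.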
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-45289.patch
@@ -0,0 +1,121 @@ +From 3a855208e3efed2e9d7c20ad023f1fa78afcc0be Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 11 Jan 2024 11:31:57 -0800 +Subject: [PATCH] [release-branch.go1.22] net/http, net/http/cookiejar: avoid + subdomain matches on IPv6 zones + +When deciding whether to forward cookies or sensitive headers +across a redirect, do not attempt to interpret an IPv6 address +as a domain name. + +Avoids a case where a maliciously-crafted redirect to an +IPv6 address with a scoped addressing zone could be +misinterpreted as a within-domain redirect. For example, +we could interpret "::1%.www.example.com" as a subdomain +of "www.example.com". + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes CVE-2023-45289 +Fixes #65859 +For #65065 + +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174344 +Reviewed-by: Carlos Amedee <amedee@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569236 +Reviewed-by: Carlos Amedee <carlos@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/3a855208e3efed2e9d7c20ad023f1fa78afcc0be] +CVE: CVE-2023-45289 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/net/http/client.go | 6 ++++++ + src/net/http/client_test.go | 1 + + src/net/http/cookiejar/jar.go | 7 +++++++ + src/net/http/cookiejar/jar_test.go | 10 ++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/src/net/http/client.go b/src/net/http/client.go +index 22db96b..b2dd445 100644 +--- a/src/net/http/client.go ++++ b/src/net/http/client.go +@@ -1015,6 
+1015,12 @@ func isDomainOrSubdomain(sub, parent string) bool { + if sub == parent { + return true + } ++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). ++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. ++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". ++ if strings.ContainsAny(sub, ":%") { ++ return false ++ } + // If sub is "foo.example.com" and parent is "example.com", + // that means sub must end in "."+parent. + // Do it without allocating. +diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go +index 9788c7a..7a0aa53 100644 +--- a/src/net/http/client_test.go ++++ b/src/net/http/client_test.go +@@ -1729,6 +1729,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { + {"cookie2", "http://foo.com/", "http://bar.com/", false}, + {"authorization", "http://foo.com/", "http://bar.com/", false}, + {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, ++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, + + // But subdomains should work: + {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, +diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go +index e6583da..f2cf9c2 100644 +--- a/src/net/http/cookiejar/jar.go ++++ b/src/net/http/cookiejar/jar.go +@@ -362,6 +362,13 @@ func jarKey(host string, psl PublicSuffixList) string { + + // isIP reports whether host is an IP address. + func isIP(host string) bool { ++ if strings.ContainsAny(host, ":%") { ++ // Probable IPv6 address. ++ // Hostnames can't contain : or %, so this is definitely not a valid host. ++ // Treating it as an IP is the more conservative option, and avoids the risk ++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com. 
++ return true ++ } + return net.ParseIP(host) != nil + } + +diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go +index 47fb1ab..fd8d40e 100644 +--- a/src/net/http/cookiejar/jar_test.go ++++ b/src/net/http/cookiejar/jar_test.go +@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{ + "127.0.0.1": true, + "1.2.3.4": true, + "2001:4860:0:2001::68": true, ++ "::1%zone": true, + "example.com": false, + "1.1.1.300": false, + "www.foo.bar.net": false, +@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{ + {"http://www.host.test:1234/", "a=1"}, + }, + }, ++ { ++ "IPv6 zone is not treated as a host.", ++ "https://example.com/", ++ []string{"a=1"}, ++ "a=1", ++ []query{ ++ {"https://[::1%25.example.com]:80/", ""}, ++ }, ++ }, + } + + func TestBasics(t *testing.T) { +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch b/meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch new file mode 100644 index 0000000000..81f2123f34 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.21/CVE-2023-45290.patch 
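Review bot: The comment on the new guard in isDomainOrSubdomain mentions only ':' while the condition is `strings.ContainsAny(sub, ":%")`, so a host containing '%' without a colon is refused as well; the comment should say so, e.g. `// If sub contains ':' or '%', it is not a hostname (probably an IPv6 address, possibly with a zone).` The guard sits after the `sub == parent` check, so a redirect to the byte-identical literal still counts as same-domain, which looks intended but is not stated. The matching isIP comment in cookiejar/jar.go carries the typos "interpeting" and "subtomain"; they appear to come with the upstream text, so leaving them keeps the backport identical to the referenced commit. Both functions continue outside their hunks.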
@@ -0,0 +1,270 @@ +From 041a47712e765e94f86d841c3110c840e76d8f82 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 16 Jan 2024 15:37:52 -0800 +Subject: [PATCH] [release-branch.go1.22] net/textproto, mime/multipart: avoid + unbounded read in MIME header + +mime/multipart.Reader.ReadForm allows specifying the maximum amount +of memory that will be consumed by the form. While this limit is +correctly applied to the parsed form data structure, it was not +being applied to individual header lines in a form. + +For example, when presented with a form containing a header line +that never ends, ReadForm will continue to read the line until it +runs out of memory. + +Limit the amount of data consumed when reading a header. + +Fixes CVE-2023-45290 +Fixes #65850 +For #65383 + +Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2174345 +Reviewed-by: Carlos Amedee <amedee@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569237 +Reviewed-by: Carlos Amedee <carlos@golang.org> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Auto-Submit: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/041a47712e765e94f86d841c3110c840e76d8f82] +CVE: CVE-2023-45290 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>--- + src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++ + src/net/textproto/reader.go | 48 ++++++++++++++++++++--------- + src/net/textproto/reader_test.go | 12 ++++++++ + 3 files changed, 87 insertions(+), 15 deletions(-) + +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index c78eeb7..f729da6 100644 +--- 
a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) { + } + } + ++func TestReadFormEndlessHeaderLine(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ prefix string ++ }{{ ++ name: "name", ++ prefix: "X-", ++ }, { ++ name: "value", ++ prefix: "X-Header: ", ++ }, { ++ name: "continuation", ++ prefix: "X-Header: foo\r\n ", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ const eol = "\r\n" ++ s := `--boundary` + eol ++ s += `Content-Disposition: form-data; name="a"` + eol ++ s += `Content-Type: text/plain` + eol ++ s += test.prefix ++ fr := io.MultiReader( ++ strings.NewReader(s), ++ neverendingReader('X'), ++ ) ++ r := NewReader(fr, "boundary") ++ _, err := r.ReadForm(1 << 20) ++ if err != ErrMessageTooLarge { ++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++type neverendingReader byte ++ ++func (r neverendingReader) Read(p []byte) (n int, err error) { ++ for i := range p { ++ p[i] = byte(r) ++ } ++ return len(p), nil ++} ++ + func BenchmarkReadForm(b *testing.B) { + for _, test := range []struct { + name string +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index c6569c8..3ac4d4d 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -16,6 +16,10 @@ import ( + "sync" + ) + ++// TODO: This should be a distinguishable error (ErrMessageTooLarge) ++// to allow mime/multipart to detect it. ++var errMessageTooLarge = errors.New("message too large") ++ + // A Reader implements convenience methods for reading requests + // or responses from a text protocol network connection. + type Reader struct { +@@ -37,13 +41,13 @@ func NewReader(r *bufio.Reader) *Reader { + // ReadLine reads a single line from r, + // eliding the final \n or \r\n from the returned string. 
+ func (r *Reader) ReadLine() (string, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + return string(line), err + } + + // ReadLineBytes is like ReadLine but returns a []byte instead of a string. + func (r *Reader) ReadLineBytes() ([]byte, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -52,7 +56,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) { + return line, err + } + +-func (r *Reader) readLineSlice() ([]byte, error) { ++// readLineSlice reads a single line from r, ++// up to lim bytes long (or unlimited if lim is less than 0), ++// eliding the final \r or \r\n from the returned string. ++func (r *Reader) readLineSlice(lim int64) ([]byte, error) { + r.closeDot() + var line []byte + for { +@@ -60,6 +67,9 @@ func (r *Reader) readLineSlice() ([]byte, error) { + if err != nil { + return nil, err + } ++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim { ++ return nil, errMessageTooLarge ++ } + // Avoid the copy if the first call produced a full line. + if line == nil && !more { + return l, nil +@@ -92,7 +102,7 @@ func (r *Reader) readLineSlice() ([]byte, error) { + // Empty lines are never continued. + // + func (r *Reader) ReadContinuedLine() (string, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + return string(line), err + } + +@@ -113,7 +123,7 @@ func trim(s []byte) []byte { + // ReadContinuedLineBytes is like ReadContinuedLine but + // returns a []byte instead of a string. + func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -126,13 +136,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { + // returning a byte slice with all lines. 
The validateFirstLine function + // is run on the first read line, and if it returns an error then this + // error is returned from readContinuedLineSlice. +-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) { ++// It reads up to lim bytes of data (or unlimited if lim is less than 0). ++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) { + if validateFirstLine == nil { + return nil, fmt.Errorf("missing validateFirstLine func") + } + + // Read the first line. +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(lim) + if err != nil { + return nil, err + } +@@ -160,13 +171,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([ + // copy the slice into buf. + r.buf = append(r.buf[:0], trim(line)...) + ++ if lim < 0 { ++ lim = math.MaxInt64 ++ } ++ lim -= int64(len(r.buf)) ++ + // Read continuation lines. + for r.skipSpace() > 0 { +- line, err := r.readLineSlice() ++ r.buf = append(r.buf, ' ') ++ if int64(len(r.buf)) >= lim { ++ return nil, errMessageTooLarge ++ } ++ line, err := r.readLineSlice(lim - int64(len(r.buf))) + if err != nil { + break + } +- r.buf = append(r.buf, ' ') + r.buf = append(r.buf, trim(line)...) + } + return r.buf, nil +@@ -511,7 +530,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + // The first line cannot start with a leading space. 
+ if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') { +- line, err := r.readLineSlice() ++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote ++ line, err := r.readLineSlice(errorLimit) + if err != nil { + return m, err + } +@@ -519,7 +539,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + + for { +- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon) ++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon) + if len(kv) == 0 { + return m, err + } +@@ -540,7 +560,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + maxHeaders-- + if maxHeaders < 0 { +- return nil, errors.New("message too large") ++ return nil, errMessageTooLarge + } + + // backport 5c55ac9bf1e5f779220294c843526536605f42ab +@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + maxMemory -= int64(len(value)) + if maxMemory < 0 { +- // TODO: This should be a distinguishable error (ErrMessageTooLarge) +- // to allow mime/multipart to detect it. +- return m, errors.New("message too large") ++ return m, errMessageTooLarge + } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3ae0de1..db1ed91 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) { + } + } + ++func TestReadLineLongLine(t *testing.T) { ++ line := strings.Repeat("12345", 10000) ++ r := reader(line + "\r\n") ++ s, err := r.ReadLine() ++ if err != nil { ++ t.Fatalf("Line 1: %v", err) ++ } ++ if s != line { ++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line)) ++ } ++} ++ + func TestReadContinuedLine(t *testing.T) { + r := reader("line1\nline\n 2\nline3\n") + s, err := r.ReadContinuedLine() +-- +2.25.1 + 
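Review bot: The limit added here only reaches readMIMEHeader: ReadLine, ReadLineBytes, ReadContinuedLine and ReadContinuedLineBytes all pass `-1`, and the new TestReadLineLongLine pins that a 50000-byte line is still returned, so callers of those methods on untrusted input stay unbounded after this patch. That should be stated on the exported methods, e.g. `// ReadLine does not limit the line length; bound the underlying reader when the peer is untrusted.` In readContinuedLineSlice the first line is subtracted from `lim` and then counted again through `len(r.buf)` in the loop, so continuation lines appear to get less than the stated budget; that errs on the strict side but deserves a comment. The doc comment on readLineSlice says it elides "\r or \r\n" where ReadLine says "\n or \r\n".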
diff --git a/meta/recipes-devtools/go/go-binary-native_1.17.10.bb b/meta/recipes-devtools/go/go-binary-native_1.17.13.bb index 0f49cebcb7..4ee0148417 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.17.10.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.17.13.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "87fc728c9c731e2f74e4a999ef53cf07302d7ed3504b0839027bd9c10edaa3fd" -SRC_URI[go_linux_arm64.sha256sum] = "649141201efa7195403eb1301b95dc79c5b3e65968986a391da1370521701b0c" +SRC_URI[go_linux_amd64.sha256sum] = "4cdd2bc664724dc7db94ad51b503512c5ae7220951cac568120f64f8e94399fc" +SRC_URI[go_linux_arm64.sha256sum] = "914daad3f011cc2014dea799bb7490442677e4ad6de0b2ac3ded6cee7e3f493d" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/go/go-cross-canadian_1.17.10.bb b/meta/recipes-devtools/go/go-cross-canadian_1.17.13.bb index 7ac9449e47..7ac9449e47 100644 --- a/meta/recipes-devtools/go/go-cross-canadian_1.17.10.bb +++ b/meta/recipes-devtools/go/go-cross-canadian_1.17.13.bb diff --git a/meta/recipes-devtools/go/go-cross_1.17.10.bb b/meta/recipes-devtools/go/go-cross_1.17.13.bb index 80b5a03f6c..80b5a03f6c 100644 --- a/meta/recipes-devtools/go/go-cross_1.17.10.bb +++ b/meta/recipes-devtools/go/go-cross_1.17.13.bb diff --git a/meta/recipes-devtools/go/go-crosssdk.inc b/meta/recipes-devtools/go/go-crosssdk.inc index cd23cca2fe..766938670a 100644 --- a/meta/recipes-devtools/go/go-crosssdk.inc +++ b/meta/recipes-devtools/go/go-crosssdk.inc 
@@ -4,6 +4,8 @@ DEPENDS = "go-native virtual/${TARGET_PREFIX}gcc-crosssdk virtual/nativesdk-${TA PN = "go-crosssdk-${SDK_SYS}" PROVIDES = "virtual/${TARGET_PREFIX}go-crosssdk" +export GOCACHE = "${B}/.cache" + do_configure[noexec] = "1" do_compile() { diff --git a/meta/recipes-devtools/go/go-crosssdk_1.17.10.bb b/meta/recipes-devtools/go/go-crosssdk_1.17.13.bb index 1857c8a577..1857c8a577 100644 --- a/meta/recipes-devtools/go/go-crosssdk_1.17.10.bb +++ b/meta/recipes-devtools/go/go-crosssdk_1.17.13.bb diff --git a/meta/recipes-devtools/go/go-native_1.17.10.bb b/meta/recipes-devtools/go/go-native_1.17.13.bb index 76c0ab73a6..ddf25b2c9b 100644 --- a/meta/recipes-devtools/go/go-native_1.17.10.bb +++ b/meta/recipes-devtools/go/go-native_1.17.13.bb @@ -5,7 +5,7 @@ require go-${PV}.inc inherit native -SRC_URI:append = " https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz;name=bootstrap;subdir=go1.4" +SRC_URI += "https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz;name=bootstrap;subdir=go1.4" SRC_URI[bootstrap.sha256sum] = "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52" export GOOS = "${BUILD_GOOS}" diff --git a/meta/recipes-devtools/go/go-runtime_1.17.10.bb b/meta/recipes-devtools/go/go-runtime_1.17.13.bb index 63464a1501..63464a1501 100644 --- a/meta/recipes-devtools/go/go-runtime_1.17.10.bb +++ b/meta/recipes-devtools/go/go-runtime_1.17.13.bb diff --git a/meta/recipes-devtools/go/go_1.17.10.bb b/meta/recipes-devtools/go/go_1.17.13.bb index 34dc89bb0c..bb57c1c48a 100644 --- a/meta/recipes-devtools/go/go_1.17.10.bb +++ b/meta/recipes-devtools/go/go_1.17.13.bb 
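Review bot: The added `export GOCACHE = "${B}/.cache"` in go-crosssdk.inc has no comment saying why the cache is redirected. Presumably it keeps the Go build cache inside the recipe's build directory instead of a location derived from the invoking user's environment; if so, a line such as `# Keep the Go build cache inside ${B} so the build does not read or write a cache outside the work directory.` above it would make that explicit.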
@@ -11,7 +11,7 @@ export CXX_FOR_TARGET = "g++" # mips/rv64 doesn't support -buildmode=pie, so skip the QA checking for mips/riscv32 and its # variants. python() { - if 'mips' in d.getVar('TARGET_ARCH',True) or 'riscv32' in d.getVar('TARGET_ARCH',True): - d.appendVar('INSANE_SKIP:%s' % d.getVar('PN',True), " textrel") + if 'mips' in d.getVar('TARGET_ARCH') or 'riscv32' in d.getVar('TARGET_ARCH'): + d.appendVar('INSANE_SKIP:%s' % d.getVar('PN'), " textrel") } diff --git a/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch new file mode 100644 index 0000000000..28da522115 --- /dev/null +++ b/meta/recipes-devtools/json-c/json-c/CVE-2021-32292.patch @@ -0,0 +1,30 @@ +From da22ae6541584068f8169315274016920da11d8b Mon Sep 17 00:00:00 2001 +From: Marc <34656315+MarcT512@users.noreply.github.com> +Date: Fri, 7 Aug 2020 10:49:45 +0100 +Subject: [PATCH] Fix read past end of buffer + +Fixes: CVE-2021-32292 +Issue: https://github.com/json-c/json-c/issues/654 + +Upstream-Status: Backport [4e9e44e5258dee7654f74948b0dd5da39c28beec] +CVE: CVE-2021-32292 + +Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> +--- + apps/json_parse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/apps/json_parse.c b/apps/json_parse.c +index bba4622..72b31a8 100644 +--- a/apps/json_parse.c ++++ b/apps/json_parse.c +@@ -82,7 +82,8 @@ static int parseit(int fd, int (*callback)(struct json_object *)) + int parse_end = json_tokener_get_parse_end(tok); + if (obj == NULL && jerr != json_tokener_continue) + { +- char *aterr = &buf[start_pos + parse_end]; ++ char *aterr = (start_pos + parse_end < sizeof(buf)) ? ++ &buf[start_pos + parse_end] : ""; + fflush(stdout); + int fail_offset = total_read - ret + start_pos + parse_end; + fprintf(stderr, "Failed at offset %d: %s %c\n", fail_offset, 
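Review bot: The new bound in parseit compares `start_pos + parse_end` with `sizeof(buf)`, the buffer's capacity, rather than with the number of bytes the last read returned, so `aterr` can presumably still point at bytes this read did not fill; the code that fills `buf` is outside the hunk, so this needs checking against it. If the read count is the `ret` used in the `fail_offset` line, `(start_pos + parse_end < ret)` would be the tighter test. The comparison also mixes what is presumably a signed sum with `size_t`; a negative sum converts to a large value and takes the `""` branch, which is safe but worth a cast or a comment. The fprintf that follows is cut off at the end of the hunk, so what its `%c` receives when the fallback is taken cannot be confirmed here.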
diff --git a/meta/recipes-devtools/json-c/json-c/run-ptest b/meta/recipes-devtools/json-c/json-c/run-ptest new file mode 100644 index 0000000000..9ee6095ea2 --- /dev/null +++ b/meta/recipes-devtools/json-c/json-c/run-ptest @@ -0,0 +1,20 @@ +#!/bin/sh + +# This script is used to run json-c test suites +cd tests + +ret_val=0 +for i in test*.test; do + # test_basic is not an own testcase, just + # contains common code of other tests + if [ "$i" != "test_basic.test" ]; then + if ./$i > json-c_test.log 2>&1 ; then + echo PASS: $i + else + ret_val=1 + echo FAIL: $i + fi + fi +done + +exit $ret_val diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb b/meta/recipes-devtools/json-c/json-c_0.15.bb index a4673a2f0e..b3679e0135 100644 --- a/meta/recipes-devtools/json-c/json-c_0.15.bb +++ b/meta/recipes-devtools/json-c/json-c_0.15.bb @@ -4,15 +4,31 @@ HOMEPAGE = "https://github.com/json-c/json-c/wiki" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=de54b60fbbc35123ba193fea8ee216f2" -SRC_URI = "https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz" +SRC_URI = " \ + https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \ + file://run-ptest \ + file://CVE-2021-32292.patch \ +" SRC_URI[sha256sum] = "b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6" +# NVD uses full tag name including date +CVE_VERSION = "0.15-20200726" + UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/tags" UPSTREAM_CHECK_REGEX = "json-c-(?P<pver>\d+(\.\d+)+)-\d+" RPROVIDES:${PN} = "libjson" -inherit cmake +inherit cmake ptest + +do_install_ptest() { + install -d ${D}/${PTEST_PATH}/tests + install ${B}/tests/test* ${D}/${PTEST_PATH}/tests + install ${S}/tests/*.test ${D}/${PTEST_PATH}/tests + install ${S}/tests/*.expected ${D}/${PTEST_PATH}/tests + install ${S}/tests/test-defs.sh ${D}/${PTEST_PATH}/tests + install ${S}/tests/valid*json ${D}/${PTEST_PATH}/tests +} BBCLASSEXTEND = "native nativesdk" 
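Review bot: In run-ptest the result of `cd tests` is not checked and every test redirects to the same `json-c_test.log` with `>`, so after a run only the last test's output survives and a FAIL line has no log to go with it. I would use `cd tests || exit 1`, quote the test name as `./"$i"`, and print the log in the failure branch with `cat json-c_test.log` (or append with `>>`) so the failing test's output is preserved.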
diff --git a/meta/recipes-devtools/libdnf/libdnf/0001-Fix-1558-Don-t-assume-inclusion-of-cstdint.patch b/meta/recipes-devtools/libdnf/libdnf/0001-Fix-1558-Don-t-assume-inclusion-of-cstdint.patch new file mode 100644 index 0000000000..277fd9fbf6 --- /dev/null +++ b/meta/recipes-devtools/libdnf/libdnf/0001-Fix-1558-Don-t-assume-inclusion-of-cstdint.patch @@ -0,0 +1,56 @@ +From 779ea105564b6d717300af2fcb02a399737a536f Mon Sep 17 00:00:00 2001 +From: ctxnop <ctxnop@gmail.com> +Date: Mon, 15 May 2023 19:30:16 +0200 +Subject: [PATCH] Fix #1558: Don't assume inclusion of cstdint + +With last versions of gcc, some headers don't include cstdint anymore, +but some sources assume that it is. + +Upstream-Status: Backport [https://github.com/rpm-software-management/libdnf/commit/779ea105564b6d717300af2fcb02a399737a536f] +Signed-off-by: ctxnop <ctxnop@gmail.com> +--- + libdnf/conf/ConfigMain.hpp | 1 + + libdnf/conf/ConfigRepo.hpp | 1 + + libdnf/conf/OptionSeconds.hpp | 2 ++ + 3 files changed, 4 insertions(+) + +diff --git a/libdnf/conf/ConfigMain.hpp b/libdnf/conf/ConfigMain.hpp +index 19395c71..59f65c48 100644 +--- a/libdnf/conf/ConfigMain.hpp ++++ b/libdnf/conf/ConfigMain.hpp +@@ -32,6 +32,7 @@ + #include "OptionString.hpp" + #include "OptionStringList.hpp" + ++#include <cstdint> + #include <memory> + + namespace libdnf { +diff --git a/libdnf/conf/ConfigRepo.hpp b/libdnf/conf/ConfigRepo.hpp +index 2b198441..84cafbad 100644 +--- a/libdnf/conf/ConfigRepo.hpp ++++ b/libdnf/conf/ConfigRepo.hpp +@@ -26,6 +26,7 @@ + #include "ConfigMain.hpp" + #include "OptionChild.hpp" + ++#include <cstdint> + #include <memory> + + namespace libdnf { +diff --git a/libdnf/conf/OptionSeconds.hpp b/libdnf/conf/OptionSeconds.hpp +index dc714b23..a80a973f 100644 +--- a/libdnf/conf/OptionSeconds.hpp ++++ b/libdnf/conf/OptionSeconds.hpp +@@ -25,6 +25,8 @@ + + #include "OptionNumber.hpp" + ++#include <cstdint> ++ + namespace libdnf { + + /** +-- +2.42.0 + 
diff --git a/meta/recipes-devtools/libdnf/libdnf/0001-libdnf-conf-OptionNumber.hpp-add-missing-cstdint-inc.patch b/meta/recipes-devtools/libdnf/libdnf/0001-libdnf-conf-OptionNumber.hpp-add-missing-cstdint-inc.patch new file mode 100644 index 0000000000..abb9504e6e --- /dev/null +++ b/meta/recipes-devtools/libdnf/libdnf/0001-libdnf-conf-OptionNumber.hpp-add-missing-cstdint-inc.patch @@ -0,0 +1,33 @@ +From f8af6399c4f6a65a35d33ecc191bb14094dc9e18 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich <slyich@gmail.com> +Date: Fri, 27 May 2022 22:13:48 +0100 +Subject: [PATCH] libdnf/conf/OptionNumber.hpp: add missing <cstdint> include + +Without the change libdnf build fails on this week's gcc-13 snapshot as: + + In file included from /build/libdnf/libdnf/conf/ConfigMain.hpp:29, + from /build/libdnf/libdnf/conf/ConfigMain.cpp:21: + /build/libdnf/libdnf/conf/OptionNumber.hpp:94:41: error: 'int32_t' is not a member of 'std'; did you mean 'int32_t'? + 94 | extern template class OptionNumber<std::int32_t>; + | ^~~~~~~ + +Upstream-Status: Backport [https://github.com/rpm-software-management/libdnf/commit/f8af6399c4f6a65a35d33ecc191bb14094dc9e18] +--- + libdnf/conf/OptionNumber.hpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libdnf/conf/OptionNumber.hpp b/libdnf/conf/OptionNumber.hpp +index f7a7b3d6..a3a4dea6 100644 +--- a/libdnf/conf/OptionNumber.hpp ++++ b/libdnf/conf/OptionNumber.hpp +@@ -25,6 +25,7 @@ + + #include "Option.hpp" + ++#include <cstdint> + #include <functional> + + namespace libdnf { +-- +2.42.0 + diff --git a/meta/recipes-devtools/libdnf/libdnf/0001-libdnf-utils-sqlite3-Sqlite3.hpp-add-missing-cstdint.patch b/meta/recipes-devtools/libdnf/libdnf/0001-libdnf-utils-sqlite3-Sqlite3.hpp-add-missing-cstdint.patch new file mode 100644 index 0000000000..adde48ee46 --- /dev/null +++ b/meta/recipes-devtools/libdnf/libdnf/0001-libdnf-utils-sqlite3-Sqlite3.hpp-add-missing-cstdint.patch 
@@ -0,0 +1,36 @@
+From 24b5d7f154cac9e322dd3459f6d0a5016abbbb57 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Fri, 27 May 2022 22:12:07 +0100
+Subject: [PATCH] libdnf/utils/sqlite3/Sqlite3.hpp: add missing <cstdint>
+ include
+
+Without the change libdnf build fails on this week's gcc-13 snapshot as:
+
+ In file included from /build/libdnf/libdnf/sack/../transaction/Swdb.hpp:38,
+ from /build/libdnf/libdnf/sack/query.hpp:32,
+ from /build/libdnf/libdnf/dnf-sack-private.hpp:31,
+ from /build/libdnf/libdnf/hy-iutil.cpp:60:
+ /build/libdnf/libdnf/sack/../transaction/../utils/sqlite3/Sqlite3.hpp:100:33: error: 'std::int64_t' has not been declared
+ 100 | void bind(int pos, std::int64_t val)
+ | ^~~~~~~
+
+Upstream-Status: Backport [https://github.com/rpm-software-management/libdnf/commit/24b5d7f154cac9e322dd3459f6d0a5016abbbb57]
+---
+ libdnf/utils/sqlite3/Sqlite3.hpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libdnf/utils/sqlite3/Sqlite3.hpp b/libdnf/utils/sqlite3/Sqlite3.hpp
+index 3a7da23c..0403bb33 100644
+--- a/libdnf/utils/sqlite3/Sqlite3.hpp
++++ b/libdnf/utils/sqlite3/Sqlite3.hpp
+@@ -27,6 +27,7 @@
+
+ #include <sqlite3.h>
+
++#include <cstdint>
+ #include <map>
+ #include <memory>
+ #include <stdexcept>
+--
+2.42.0
+
diff --git a/meta/recipes-devtools/libdnf/libdnf_0.66.0.bb b/meta/recipes-devtools/libdnf/libdnf_0.66.0.bb
index 2558f96851..bd06937ed8 100644
--- a/meta/recipes-devtools/libdnf/libdnf_0.66.0.bb
+++ b/meta/recipes-devtools/libdnf/libdnf_0.66.0.bb
@@ -11,6 +11,9 @@ SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=dnf-4-master;p file://enable_test_data_dir_set.patch \ file://0001-drop-FindPythonInstDir.cmake.patch \ file://0001-libdnf-dnf-context.cpp-do-not-try-to-access-BDB-data.patch \ + file://0001-Fix-1558-Don-t-assume-inclusion-of-cstdint.patch \ + file://0001-libdnf-utils-sqlite3-Sqlite3.hpp-add-missing-cstdint.patch \ + file://0001-libdnf-conf-OptionNumber.hpp-add-missing-cstdint-inc.patch \ " SRCREV = "add5d5418b140a86d08667dd2b14793093984875" diff --git a/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch b/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch new file mode 100644 index 0000000000..fdb6307ab5 --- /dev/null +++ b/meta/recipes-devtools/llvm/llvm/0001-Support-Add-missing-cstdint-header-to-Signals.h.patch 
@@ -0,0 +1,31 @@ +From a94bf34221fc4519bd8ec72560c2d363ffe2de4c Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich <slyich@gmail.com> +Date: Mon, 23 May 2022 08:03:23 +0100 +Subject: [PATCH] [Support] Add missing <cstdint> header to Signals.h + +Without the change llvm build fails on this week's gcc-13 snapshot as: + + [ 0%] Building CXX object lib/Support/CMakeFiles/LLVMSupport.dir/Signals.cpp.o + In file included from llvm/lib/Support/Signals.cpp:14: + llvm/include/llvm/Support/Signals.h:119:8: error: variable or field 'CleanupOnSignal' declared void + 119 | void CleanupOnSignal(uintptr_t Context); + | ^~~~~~~~~~~~~~~ + +Upstream-Status: Backport [llvmorg-15.0.0 ff1681ddb303223973653f7f5f3f3435b48a1983] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + llvm/include/llvm/Support/Signals.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/llvm/include/llvm/Support/Signals.h b/llvm/include/llvm/Support/Signals.h +index 44f5a750ff5c..937e0572d4a7 100644 +--- a/llvm/include/llvm/Support/Signals.h ++++ b/llvm/include/llvm/Support/Signals.h +@@ -14,6 +14,7 @@ + #ifndef LLVM_SUPPORT_SIGNALS_H + #define LLVM_SUPPORT_SIGNALS_H + ++#include <cstdint> + #include <string> + + namespace llvm { diff --git a/meta/recipes-devtools/llvm/llvm_git.bb b/meta/recipes-devtools/llvm/llvm_git.bb index 9400bf0821..cedbfb138e 100644 --- a/meta/recipes-devtools/llvm/llvm_git.bb +++ b/meta/recipes-devtools/llvm/llvm_git.bb @@ -32,6 +32,7 @@ SRC_URI = "git://github.com/llvm/llvm-project.git;branch=${BRANCH};protocol=http file://0006-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch;striplevel=2 \ file://0007-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \ file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \ + file://0001-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \ " UPSTREAM_CHECK_GITTAGREGEX = "llvmorg-(?P<pver>\d+(\.\d+)+)" 
diff --git a/meta/recipes-devtools/log4cplus/log4cplus_2.0.7.bb b/meta/recipes-devtools/log4cplus/log4cplus_2.0.8.bb index 3798b93f76..bbf4ce6218 100644 --- a/meta/recipes-devtools/log4cplus/log4cplus_2.0.7.bb +++ b/meta/recipes-devtools/log4cplus/log4cplus_2.0.8.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=41e8e060c26822886b592ab4765c756b" SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}-stable/${PV}/${BP}.tar.gz \ " -SRC_URI[sha256sum] = "086451c7e7c582862cbd6c60d87bb6d9d63c4b65321dba85fa71766382f7ec6d" +SRC_URI[sha256sum] = "cdc3c738e00be84d8d03b580816b9f12628ecc1d71e1395080c802615d2d9ced" UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/log4cplus/files/log4cplus-stable/" UPSTREAM_CHECK_REGEX = "log4cplus-stable/(?P<pver>\d+(\.\d+)+)/" diff --git a/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch b/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch new file mode 100644 index 0000000000..fe7b6065c2 --- /dev/null +++ b/meta/recipes-devtools/lua/lua/CVE-2022-33099.patch 
@@ -0,0 +1,61 @@ +From 42d40581dd919fb134c07027ca1ce0844c670daf Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Fri, 20 May 2022 13:14:33 -0300 +Subject: [PATCH] Save stack space while handling errors + +Because error handling (luaG_errormsg) uses slots from EXTRA_STACK, +and some errors can recur (e.g., string overflow while creating an +error message in 'luaG_runerror', or a C-stack overflow before calling +the message handler), the code should use stack slots with parsimony. + +This commit fixes the bug "Lua-stack overflow when C stack overflows +while handling an error". + +CVE: CVE-2022-33099 + +Upstream-Status: Backport [https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf] + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + ldebug.c | 5 ++++- + lvm.c | 6 ++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/src/ldebug.c ++++ b/src/ldebug.c +@@ -824,8 +824,11 @@ l_noret luaG_runerror (lua_State *L, con + va_start(argp, fmt); + msg = luaO_pushvfstring(L, fmt, argp); /* format message */ + va_end(argp); +- if (isLua(ci)) /* if Lua function, add source:line information */ ++ if (isLua(ci)) { /* if Lua function, add source:line information */ + luaG_addinfo(L, msg, ci_func(ci)->p->source, getcurrentline(ci)); ++ setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */ ++ L->top--; ++ } + luaG_errormsg(L); + } + +--- a/src/lvm.c ++++ b/src/lvm.c +@@ -656,8 +656,10 @@ void luaV_concat (lua_State *L, int tota + /* collect total length and number of strings */ + for (n = 1; n < total && tostring(L, s2v(top - n - 1)); n++) { + size_t l = vslen(s2v(top - n - 1)); +- if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) ++ if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) { ++ L->top = top - total; /* pop strings to avoid wasting stack */ + luaG_runerror(L, "string length overflow"); ++ } + tl += l; + } + if (tl <= LUAI_MAXSHORTLEN) { /* is result a short string? 
*/ +@@ -672,7 +674,7 @@ void luaV_concat (lua_State *L, int tota + setsvalue2s(L, top - n, ts); /* create result */ + } + total -= n-1; /* got 'n' strings to create 1 new */ +- L->top -= n-1; /* popped 'n' strings and pushed one */ ++ L->top = top - (n - 1); /* popped 'n' strings and pushed one */ + } while (total > 1); /* repeat until only 1 result left */ + } + diff --git a/meta/recipes-devtools/lua/lua/lua.pc.in b/meta/recipes-devtools/lua/lua/lua.pc.in index c27e86e85d..1fc288c4fe 100644 --- a/meta/recipes-devtools/lua/lua/lua.pc.in +++ b/meta/recipes-devtools/lua/lua/lua.pc.in @@ -1,6 +1,5 @@ -prefix=/usr -libdir=${prefix}/lib -includedir=${prefix}/include +libdir=@LIBDIR@ +includedir=@INCLUDEDIR@ Name: Lua Description: Lua language engine diff --git a/meta/recipes-devtools/lua/lua_5.4.4.bb b/meta/recipes-devtools/lua/lua_5.4.4.bb index d704841378..a39d888ec2 100644 --- a/meta/recipes-devtools/lua/lua_5.4.4.bb +++ b/meta/recipes-devtools/lua/lua_5.4.4.bb @@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/" SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ file://lua.pc.in \ file://CVE-2022-28805.patch \ + file://CVE-2022-33099.patch \ ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'http://www.lua.org/tests/lua-${PV_testsuites}-tests.tar.gz;name=tarballtest file://run-ptest ', '', d)} \ " @@ -45,7 +46,7 @@ do_install () { install install -d ${D}${libdir}/pkgconfig - sed -e s/@VERSION@/${PV}/ ${WORKDIR}/lua.pc.in > ${WORKDIR}/lua.pc + sed -e s/@VERSION@/${PV}/ -e s#@LIBDIR@#${libdir}# -e s#@INCLUDEDIR@#${includedir}# ${WORKDIR}/lua.pc.in > ${WORKDIR}/lua.pc install -m 0644 ${WORKDIR}/lua.pc ${D}${libdir}/pkgconfig/ rmdir ${D}${datadir}/lua/5.4 rmdir ${D}${datadir}/lua @@ -56,3 +57,6 @@ do_install_ptest () { } BBCLASSEXTEND = "native nativesdk" + +inherit multilib_script +MULTILIB_SCRIPTS = "${PN}-dev:${includedir}/luaconf.h" 
diff --git a/meta/recipes-devtools/meson/meson/meson-wrapper b/meta/recipes-devtools/meson/meson/meson-wrapper index 8fafaad975..71c61db84f 100755 --- a/meta/recipes-devtools/meson/meson/meson-wrapper +++ b/meta/recipes-devtools/meson/meson/meson-wrapper @@ -5,7 +5,7 @@ if [ -z "$OECORE_NATIVE_SYSROOT" ]; then fi if [ -z "$SSL_CERT_DIR" ]; then - export SSL_CERT_DIR="${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/" + export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/etc/ssl/certs/" fi # If these are set to a cross-compile path, meson will get confused and try to @@ -13,7 +13,19 @@ fi # config is already in meson.cross. unset CC CXX CPP LD AR NM STRIP +case "$1" in +setup|configure|dist|install|introspect|init|test|wrap|subprojects|rewrite|compile|devenv|env2mfile|help) MESON_CMD="$1" ;; +*) echo meson-wrapper: Implicit setup command assumed; MESON_CMD=setup ;; +esac + +if [ "$MESON_CMD" = "setup" ]; then + MESON_SETUP_OPTS=" \ + --cross-file="$OECORE_NATIVE_SYSROOT/usr/share/meson/${TARGET_PREFIX}meson.cross" \ + --native-file="$OECORE_NATIVE_SYSROOT/usr/share/meson/meson.native" \ + " + echo meson-wrapper: Running meson with setup options: \"$MESON_SETUP_OPTS\" +fi + exec "$OECORE_NATIVE_SYSROOT/usr/bin/meson.real" \ - --cross-file "${OECORE_NATIVE_SYSROOT}/usr/share/meson/${TARGET_PREFIX}meson.cross" \ - --native-file "${OECORE_NATIVE_SYSROOT}/usr/share/meson/meson.native" \ - "$@" + "$@" \ + $MESON_SETUP_OPTS diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb index 3318277477..6a4f7b0688 100644 --- a/meta/recipes-devtools/mtd/mtd-utils_git.bb +++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb 
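Review bot: `$MESON_SETUP_OPTS` is expanded unquoted on the final `exec` line, so the shell word-splits and glob-expands the sysroot path it contains; the inner double quotes in the assignment end and reopen the string rather than protecting the path, so an SDK installed under a directory with whitespace would hand meson broken arguments. Appending to the positional parameters keeps each option a single word: inside the `if`, `set -- "$@" --cross-file "$OECORE_NATIVE_SYSROOT/usr/share/meson/${TARGET_PREFIX}meson.cross" --native-file "$OECORE_NATIVE_SYSROOT/usr/share/meson/meson.native"`, with the `exec` line ending in `"$@"`. The two `echo meson-wrapper: ...` lines also write to stdout, where they mix with meson output that callers may parse (for example `meson --version`, which falls into the implicit-setup branch because `--version` is not in the `case` list); adding `>&2` to both would keep them out of it.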
@@ -11,9 +11,9 @@ inherit autotools pkgconfig update-alternatives DEPENDS = "zlib e2fsprogs util-linux" RDEPENDS:mtd-utils-tests += "bash" -PV = "2.1.4" +PV = "2.1.5" -SRCREV = "c7f1bfa44a84d02061787e2f6093df5cc40b9f5c" +SRCREV = "3f3b4cc6c3120107e7aaa21c6415772a255ac49c" SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \ file://add-exclusion-to-mkfs-jffs2-git-2.patch \ " diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch b/meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch new file mode 100644 index 0000000000..2303744540 --- /dev/null +++ b/meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch 
@@ -0,0 +1,47 @@
+From 93c774d482694643cafbc82578ac8b729fb5bc8b Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov@gmail.com>
+Date: Wed, 4 Nov 2020 13:08:06 +0300
+Subject: [PATCH] BR3392637: output/outieee: Fix nil dereference
+
+The handling been broken in commit 98578071.
+
+Upstream-Status: Backport [https://github.com/netwide-assembler/nasm/commit/93c774d482694643cafbc82578ac8b729fb5bc8b]
+
+CVE: CVE-2020-21528
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ output/outieee.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/output/outieee.c b/output/outieee.c
+index bff2f085..b3ccc5f6 100644
+--- a/output/outieee.c
++++ b/output/outieee.c
+@@ -795,6 +795,23 @@ static int32_t ieee_segment(char *name, int *bits)
+ define_label(name, seg->index + 1, 0L, false);
+ ieee_seg_needs_update = NULL;
+
++ /*
++ * In commit 98578071b9d71ecaa2344dd9c185237c1765041e
++ * we reworked labels significantly which in turn lead
++ * to the case where seg->name = NULL here and we get
++ * nil dereference in next segments definitions.
++ *
++ * Lets placate this case with explicit name setting
++ * if labels engine didn't set it yet.
++ *
++ * FIXME: Need to revisit this moment if such fix doesn't
++ * break anything but since IEEE 695 format is veeery
++ * old I don't expect there are many users left. In worst
++ * case this should only lead to a memory leak.
++ */
++ if (!seg->name)
++ seg->name = nasm_strdup(name);
++
+ if (seg->use32)
+ *bits = 32;
+ else
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
new file mode 100644
index 0000000000..1bd49c9fd9
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
@@ -0,0 +1,104 @@
+From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@zytor.com>
+Date: Mon, 7 Nov 2022 10:26:03 -0800
+Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault
+
+while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
+introduce mempset() to make these kinds of errors less likely in the
+future.
+
+Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
+Reported-by: <13579and24680@gmail.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+
+Upstream-Status: Backport
+CVE: CVE-2022-4437
+
+Reference to upstream patch:
+[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ asm/nasm.c | 12 +++++-------
+ configure.ac | 1 +
+ include/compiler.h | 7 +++++++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/asm/nasm.c b/asm/nasm.c
+index 7a7f8b4..675cff4 100644
+--- a/asm/nasm.c
++++ b/asm/nasm.c
+@@ -1,6 +1,6 @@
+ /* ----------------------------------------------------------------------- *
+ *
+- * Copyright 1996-2020 The NASM Authors - All Rights Reserved
++ * Copyright 1996-2022 The NASM Authors - All Rights Reserved
+ * See the file AUTHORS included with the NASM distribution for
+ * the specific copyright holders.
+ *
+@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
+ }
+
+ /* Convert N backslashes at the end of filename to 2N backslashes */
+- if (nbs)
+- n += nbs;
++ n += nbs;
+
+ os = q = nasm_malloc(n);
+
+@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
+ switch (*p) {
+ case ' ':
+ case '\t':
+- while (nbs--)
+- *q++ = '\\';
++ q = mempset(q, '\\', nbs);
+ *q++ = '\\';
+ *q++ = *p;
++ nbs = 0;
+ break;
+ case '$':
+ *q++ = *p;
+@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
+ break;
+ }
+ }
+- while (nbs--)
+- *q++ = '\\';
+
++ q = mempset(q, '\\', nbs);
+ *q = '\0';
+
+ return os;
+diff --git a/configure.ac b/configure.ac
+index 39680b1..940ebe2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
+ AC_CHECK_FUNCS(iscntrl)
+ AC_CHECK_FUNCS(isascii)
+ AC_CHECK_FUNCS(mempcpy)
++AC_CHECK_FUNCS(mempset)
+
+ AC_CHECK_FUNCS(getuid)
+ AC_CHECK_FUNCS(getgid)
+diff --git a/include/compiler.h b/include/compiler.h
+index db3d6d6..b64da6a 100644
+--- a/include/compiler.h
++++ b/include/compiler.h
+@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, size_t n)
+ }
+ #endif
+
++#ifndef HAVE_MEMPSET
++static inline void *mempset(void *dst, int c, size_t n)
++{
++ return (char *)memset(dst, c, n) + n;
++}
++#endif
++
+ /*
+ * Hack to support external-linkage inline functions
+ */
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch b/meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
new file mode 100644
index 0000000000..3502d572cd
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
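Review bot: The `CVE:` trailer in this patch header reads `CVE-2022-4437`, which does not match the file name `CVE-2022-44370.patch` or the entry this commit adds to the nasm recipe's `SRC_URI`; it looks like a dropped digit. Tooling that collects fixed identifiers from the `CVE:` tag would record a different CVE as patched, so the line should read `CVE: CVE-2022-44370`. The `Upstream-Status: Backport` line also carries no URL, and the reference given below it names commit 2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d while the `From` line shows b37677f7e40276bd8f504584bcba2c092f1146a8; putting the upstream commit URL on the `Upstream-Status` line, as the two neighbouring nasm patches do, would make the provenance unambiguous.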
@@ -0,0 +1,50 @@
+From c8af73112027fad0ecbb277e9cba257678c405af Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@zytor.com>
+Date: Wed, 7 Dec 2022 10:23:46 -0800
+Subject: [PATCH] outieee: fix segfault on empty input
+
+Fix the IEEE backend crashing if the input file is empty.
+
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+
+Upstream-Status: Backport [https://github.com/netwide-assembler/nasm/commit/c8af73112027fad0ecbb277e9cba257678c405af]
+CVE: CVE-2022-46457
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ output/outieee.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/output/outieee.c b/output/outieee.c
+index cdb8333..8bc5eaa 100644
+--- a/output/outieee.c
++++ b/output/outieee.c
+@@ -919,7 +919,7 @@ static void ieee_write_file(void)
+ * Write the section headers
+ */
+ seg = seghead;
+- if (!debuginfo && !strcmp(seg->name, "??LINE"))
++ if (!debuginfo && seg && !strcmp(seg->name, "??LINE"))
+ seg = seg->next;
+ while (seg) {
+ char buf[256];
+@@ -954,7 +954,7 @@ static void ieee_write_file(void)
+ /*
+ * write the start address if there is one
+ */
+- if (ieee_entry_seg) {
++ if (ieee_entry_seg && seghead) {
+ for (seg = seghead; seg; seg = seg->next)
+ if (seg->index == ieee_entry_seg)
+ break;
+@@ -1067,7 +1067,7 @@ static void ieee_write_file(void)
+ * put out section data;
+ */
+ seg = seghead;
+- if (!debuginfo && !strcmp(seg->name, "??LINE"))
++ if (!debuginfo && seg && !strcmp(seg->name, "??LINE"))
+ seg = seg->next;
+ while (seg) {
+ if (seg->currentpos) {
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.05.bb b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
index edc17aeebf..aba061f56f 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.05.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -8,6 +8,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-stdlib-Add-strlcat.patch \ file://0002-Add-debug-prefix-map-option.patch \ + file://CVE-2022-44370.patch \ + file://CVE-2022-46457.patch \ + file://CVE-2020-21528.patch \ " SRC_URI[sha256sum] = "3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0" diff --git a/meta/recipes-devtools/ninja/ninja_1.10.2.bb b/meta/recipes-devtools/ninja/ninja_1.10.2.bb index 7270321d6e..1509a54c9e 100644 --- a/meta/recipes-devtools/ninja/ninja_1.10.2.bb +++ b/meta/recipes-devtools/ninja/ninja_1.10.2.bb @@ -29,3 +29,6 @@ do_install() { } BBCLASSEXTEND = "native nativesdk" + +# This is a different Ninja +CVE_CHECK_IGNORE += "CVE-2021-4336" diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb b/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb index e72c171b92..b27e3ded33 100644 --- a/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb +++ b/meta/recipes-devtools/opkg-utils/opkg-utils_0.5.0.bb @@ -7,12 +7,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \ file://opkg.py;beginline=2;endline=18;md5=ffa11ff3c15eb31c6a7ceaa00cc9f986" PROVIDES += "${@bb.utils.contains('PACKAGECONFIG', 'update-alternatives', 'virtual/update-alternatives', '', d)}" -SRC_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/${BPN}/snapshot/${BPN}-${PV}.tar.gz \ +SRC_URI = "git://git.yoctoproject.org/opkg-utils;protocol=https;branch=master \ file://0001-update-alternatives-correctly-match-priority.patch \ " -UPSTREAM_CHECK_URI = "http://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils/refs/" +SRCREV = "9239541f14a2529b9d01c0a253ab11afa2822dab" -SRC_URI[sha256sum] = "55733c0f8ffde2bb4f9593cfd66a1f68e6a2f814e8e62f6fd78472911c818c32" +S = "${WORKDIR}/git" TARGET_CC_ARCH += "${LDFLAGS}" 
diff --git a/meta/recipes-devtools/opkg/opkg_0.5.0.bb b/meta/recipes-devtools/opkg/opkg_0.5.0.bb index e91d7250bc..7bddaa3016 100644 --- a/meta/recipes-devtools/opkg/opkg_0.5.0.bb +++ b/meta/recipes-devtools/opkg/opkg_0.5.0.bb @@ -46,7 +46,9 @@ EXTRA_OECONF:class-native = "--localstatedir=/${@os.path.relpath('${localstatedi do_install:append () { install -d ${D}${sysconfdir}/opkg install -m 0644 ${WORKDIR}/opkg.conf ${D}${sysconfdir}/opkg/opkg.conf - echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf + echo "option lists_dir ${OPKGLIBDIR}/opkg/lists" >>${D}${sysconfdir}/opkg/opkg.conf + echo "option info_dir ${OPKGLIBDIR}/opkg/info" >>${D}${sysconfdir}/opkg/opkg.conf + echo "option status_file ${OPKGLIBDIR}/opkg/status" >>${D}${sysconfdir}/opkg/opkg.conf # We need to create the lock directory install -d ${D}${OPKGLIBDIR}/opkg diff --git a/meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch b/meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch deleted file mode 100644 index b755a263a4..0000000000 --- a/meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 682fb48c137b687477008b68863c2a0b73ed47d1 Mon Sep 17 00:00:00 2001 -From: Fabio Berton <fabio.berton@ossystems.com.br> -Date: Fri, 9 Sep 2016 16:00:42 -0300 -Subject: [PATCH] handle read-only files - -Patch from: -https://github.com/darealshinji/patchelf/commit/40e66392bc4b96e9b4eda496827d26348a503509 - -Upstream-Status: Denied [https://github.com/NixOS/patchelf/pull/89] - -Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> - ---- - src/patchelf.cc | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -Index: git/src/patchelf.cc -=================================================================== ---- git.orig/src/patchelf.cc -+++ git/src/patchelf.cc -@@ -534,9 +534,19 @@ void ElfFile<ElfFileParamNames>::sortShd - - static void writeFile(const std::string & fileName, const FileContents & contents) - { -+ struct stat st; -+ int fd; -+ - debug("writing %s\n", fileName.c_str()); - -- int fd = open(fileName.c_str(), O_CREAT | O_TRUNC | O_WRONLY, 0777); -+ if (stat(fileName.c_str(), &st) != 0) -+ error("stat"); -+ -+ if (chmod(fileName.c_str(), 0600) != 0) -+ error("chmod"); -+ -+ fd = open(fileName.c_str(), O_CREAT | O_TRUNC | O_WRONLY, 0777); -+ - if (fd == -1) - error("open"); - -@@ -551,8 +561,6 @@ static void writeFile(const std::string - bytesWritten += portion; - } - -- if (close(fd) >= 0) -- return; - /* - * Just ignore EINTR; a retry loop is the wrong thing to do. - * -@@ -561,9 +569,11 @@ static void writeFile(const std::string - * http://utcc.utoronto.ca/~cks/space/blog/unix/CloseEINTR - * https://sites.google.com/site/michaelsafyan/software-engineering/checkforeintrwheninvokingclosethinkagain - */ -- if (errno == EINTR) -- return; -- error("close"); -+ if ((close(fd) < 0) && errno != EINTR) -+ error("close"); -+ -+ if (chmod(fileName.c_str(), st.st_mode) != 0) -+ error("chmod"); - } - - 
diff --git a/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb b/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb index 0fa2c00f1d..82c7e807ac 100644 --- a/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb +++ b/meta/recipes-devtools/patchelf/patchelf_0.14.5.bb @@ -5,7 +5,6 @@ HOMEPAGE = "https://github.com/NixOS/patchelf" LICENSE = "GPL-3.0-only" SRC_URI = "git://github.com/NixOS/patchelf;protocol=https;branch=master \ - file://handle-read-only-files.patch \ " SRCREV = "a35054504293f9ff64539850d1ed0bfd2f5399f2" diff --git a/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch b/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch index 8c8f3b717c..0ef9b27439 100644 --- a/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch +++ b/meta/recipes-devtools/perl-cross/files/0001-Makefile-check-the-file-if-patched-or-not.patch @@ -21,8 +21,8 @@ index f4a26f5..7bc748e 100644 # Original versions are not saved anymore; patch generally takes care of this, # and if that fails, reaching for the source tarball is the safest option. $(CROSSPATCHED): %.applied: %.patch -- patch -p1 -i $< && touch $@ -+ test ! -f $@ && (patch -p1 -i $< && touch $@) || echo "$@ exist" +- $(cpatch) -p1 -i $< && touch $@ ++ test ! -f $@ && ($(cpatch) -p1 -i $< && touch $@) || echo "$@ exist" # ---[ common ]----------------------------------------------------------------- diff --git a/meta/recipes-devtools/perl-cross/perlcross_1.3.7.bb b/meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb index 99a9ca1027..ac4dff33bb 100644 --- a/meta/recipes-devtools/perl-cross/perlcross_1.3.7.bb +++ b/meta/recipes-devtools/perl-cross/perlcross_1.5.2.bb 
@@ -18,7 +18,7 @@ SRC_URI = "https://github.com/arsv/perl-cross/releases/download/${PV}/perl-cross " UPSTREAM_CHECK_URI = "https://github.com/arsv/perl-cross/releases/" -SRC_URI[perl-cross.sha256sum] = "77f13ca84a63025053852331b72d4046c1f90ded98bd45ccedea738621907335" +SRC_URI[perl-cross.sha256sum] = "584dc54c48dca25e032b676a15bef377c1fed9de318b4fc140292a5dbf326e90" S = "${WORKDIR}/perl-cross-${PV}" diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31484.patch b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch new file mode 100644 index 0000000000..1f7cbd0da1 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31484.patch @@ -0,0 +1,29 @@ +From a625ec2cc3a0b6116c1f8b831d3480deb621c245 Mon Sep 17 00:00:00 2001 +From: Stig Palmquist <git@stig.io> +Date: Tue, 28 Feb 2023 11:54:06 +0100 +Subject: [PATCH] Add verify_SSL=>1 to HTTP::Tiny to verify https server + identity + +Upstream-Status: Backport [https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0] + +CVE: CVE-2023-31484 + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + cpan/CPAN/lib/CPAN/HTTP/Client.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cpan/CPAN/lib/CPAN/HTTP/Client.pm b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +index 4fc792c..a616fee 100644 +--- a/cpan/CPAN/lib/CPAN/HTTP/Client.pm ++++ b/cpan/CPAN/lib/CPAN/HTTP/Client.pm +@@ -32,6 +32,7 @@ sub mirror { + + my $want_proxy = $self->_want_proxy($uri); + my $http = HTTP::Tiny->new( ++ verify_SSL => 1, + $want_proxy ? (proxy => $self->{proxy}) : () + ); + +-- +2.40.0 diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch new file mode 100644 index 0000000000..d29996ddcb --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
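Review bot: With `verify_SSL => 1` passed unconditionally in `CPAN::HTTP::Client::mirror`, https mirror fetches now fail closed when no CA bundle can be found: the HTTP::Tiny documentation carried in the companion CVE-2023-31486 patch states that an exception is raised if `verify_SSL` is true and no CA certificate file is available. The patch description does not mention this operational dependency. It would help to say so in the description and to confirm that the perl recipe (not visible in this hunk) makes a CA certificate bundle available wherever `cpan` is expected to reach https mirrors, so the fix is not worked around by disabling verification. `mirror` continues outside the hunk.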
@@ -0,0 +1,215 @@ +From 77f557ef84698efeb6eed04e4a9704eaf85b741d +From: Stig Palmquist <git@stig.io> +Date: Mon Jun 5 16:46:22 2023 +0200 +Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable + insecure default - Changes the `verify_SSL` default parameter from `0` to `1` + + Based on patch by Dominic Hargreaves: + https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 + + CVE: CVE-2023-31486 + +- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that + enables the previous insecure default behaviour if set to `1`. + + This provides a workaround for users who encounter problems with the + new `verify_SSL` default. + + Example to disable certificate checks: + ``` + $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl + ``` + +- Updates to documentation: + - Describe changing the verify_SSL value + - Describe the escape-hatch environment variable + - Remove rationale for not enabling verify_SSL + - Add missing certificate search paths + - Replace "SSL" with "TLS/SSL" where appropriate + - Use "machine-in-the-middle" instead of "man-in-the-middle" + +Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] + +Signed-off-by: Soumya <soumya.sambu@windriver.com> +--- + cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++----------- + 1 file changed, 57 insertions(+), 29 deletions(-) + +diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +index 5803e45..1808c41 100644 +--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm ++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +@@ -39,10 +39,14 @@ sub _croak { require Carp; Carp::croak(@_) } + #pod C<$ENV{no_proxy}> —) + #pod * C<timeout> — Request timeout in seconds (default is 60) If a socket open, + #pod read or write takes longer than the timeout, an exception is thrown. 
+-#pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL +-#pod certificate of an C<https> — connection (default is false) ++#pod * C<verify_SSL> — A boolean that indicates whether to validate the TLS/SSL ++#pod certificate of an C<https> — connection (default is true). Changed from false ++#pod to true in version 0.083. + #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to + #pod L<IO::Socket::SSL> ++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default ++#pod certificate verification behavior to not check server identity if set to 1. ++#pod Only effective if C<verify_SSL> is not set. Added in version 0.083. + #pod + #pod Passing an explicit C<undef> for C<proxy>, C<http_proxy> or C<https_proxy> will + #pod prevent getting the corresponding proxies from the environment. +@@ -108,11 +112,17 @@ sub timeout { + sub new { + my($class, %args) = @_; + ++ # Support lower case verify_ssl argument, but only if verify_SSL is not ++ # true. ++ if ( exists $args{verify_ssl} ) { ++ $args{verify_SSL} ||= $args{verify_ssl}; ++ } ++ + my $self = { + max_redirect => 5, + timeout => defined $args{timeout} ? $args{timeout} : 60, + keep_alive => 1, +- verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default ++ verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), + no_proxy => $ENV{no_proxy}, + }; + +@@ -131,6 +141,13 @@ sub new { + return $self; + } + ++sub _verify_SSL_default { ++ my ($self) = @_; ++ # Check if insecure default certificate verification behaviour has been ++ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ++ return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 
0 : 1; ++} ++ + sub _set_proxies { + my ($self) = @_; + +@@ -1038,7 +1055,7 @@ sub new { + timeout => 60, + max_line_size => 16384, + max_header_lines => 64, +- verify_SSL => 0, ++ verify_SSL => HTTP::Tiny::_verify_SSL_default(), + SSL_options => {}, + %args + }, $class; +@@ -2009,11 +2026,11 @@ proxy + timeout + verify_SSL + +-=head1 SSL SUPPORT ++=head1 TLS/SSL SUPPORT + + Direct C<https> connections are supported only if L<IO::Socket::SSL> 1.56 or + greater and L<Net::SSLeay> 1.49 or greater are installed. An exception will be +-thrown if new enough versions of these modules are not installed or if the SSL ++thrown if new enough versions of these modules are not installed or if the TLS + encryption fails. You can also use C<HTTP::Tiny::can_ssl()> utility function + that returns boolean to see if the required modules are installed. + +@@ -2021,7 +2038,7 @@ An C<https> connection may be made via an C<http> proxy that supports the CONNEC + command (i.e. RFC 2817). You may not proxy C<https> via a proxy that itself + requires C<https> to communicate. + +-SSL provides two distinct capabilities: ++TLS/SSL provides two distinct capabilities: + + =over 4 + +@@ -2035,24 +2052,17 @@ Verification of server identity + + =back + +-B<By default, HTTP::Tiny does not verify server identity>. +- +-Server identity verification is controversial and potentially tricky because it +-depends on a (usually paid) third-party Certificate Authority (CA) trust model +-to validate a certificate as legitimate. This discriminates against servers +-with self-signed certificates or certificates signed by free, community-driven +-CA's such as L<CAcert.org|http://cacert.org>. ++B<By default, HTTP::Tiny verifies server identity>. + +-By default, HTTP::Tiny does not make any assumptions about your trust model, +-threat level or risk tolerance. It just aims to give you an encrypted channel +-when you need one. ++This was changed in version 0.083 due to security concerns. 
The previous default ++behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> ++to 1. + +-Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify +-that an SSL connection has a valid SSL certificate corresponding to the host +-name of the connection and that the SSL certificate has been verified by a CA. +-Assuming you trust the CA, this will protect against a L<man-in-the-middle +-attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are +-concerned about security, you should enable this option. ++Verification is done by checking that that the TLS/SSL connection has a valid ++certificate corresponding to the host name of the connection and that the ++certificate has been verified by a CA. Assuming you trust the CA, this will ++protect against L<machine-in-the-middle ++attacks|http://en.wikipedia.org/wiki/Machine-in-the-middle_attack>. + + Certificate verification requires a file containing trusted CA certificates. + +@@ -2060,9 +2070,7 @@ If the environment variable C<SSL_CERT_FILE> is present, HTTP::Tiny + will try to find a CA certificate file in that location. + + If the L<Mozilla::CA> module is installed, HTTP::Tiny will use the CA file +-included with it as a source of trusted CA's. (This means you trust Mozilla, +-the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the +-toolchain used to install it, and your operating system security, right?) ++included with it as a source of trusted CA's. 
+ + If that module is not available, then HTTP::Tiny will search several + system-specific default locations for a CA certificate file: +@@ -2081,13 +2089,33 @@ system-specific default locations for a CA certificate file: + + /etc/ssl/ca-bundle.pem + ++=item * ++ ++/etc/openssl/certs/ca-certificates.crt ++ ++=item * ++ ++/etc/ssl/cert.pem ++ ++=item * ++ ++/usr/local/share/certs/ca-root-nss.crt ++ ++=item * ++ ++/etc/pki/tls/cacert.pem ++ ++=item * ++ ++/etc/certs/ca-certificates.crt ++ + =back + + An exception will be raised if C<verify_SSL> is true and no CA certificate file + is available. + +-If you desire complete control over SSL connections, the C<SSL_options> attribute +-lets you provide a hash reference that will be passed through to ++If you desire complete control over TLS/SSL connections, the C<SSL_options> ++attribute lets you provide a hash reference that will be passed through to + C<IO::Socket::SSL::start_SSL()>, overriding any options set by HTTP::Tiny. For + example, to provide your own trusted CA file: + +@@ -2097,7 +2125,7 @@ example, to provide your own trusted CA file: + + The C<SSL_options> attribute could also be used for such things as providing a + client certificate for authentication to a server or controlling the choice of +-cipher used for the SSL connection. See L<IO::Socket::SSL> documentation for ++cipher used for the TLS/SSL connection. See L<IO::Socket::SSL> documentation for + details. + + =head1 PROXY SUPPORT +-- +2.40.0 diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch b/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch new file mode 100644 index 0000000000..45452be389 --- /dev/null +++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch 
@@ -0,0 +1,36 @@
+From a22785783b17cbaa28afaee4a024d81a1903701d
+From: Stig Palmquist <git@stig.io>
+Date: Sun Jun 18 11:36:05 2023 +0200
+Subject: [PATCH] Fix incorrect env var name for verify_SSL default
+
+The variable to override the verify_SSL default differed slightly in the
+documentation from what was checked for in the code.
+
+This commit makes the code use `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT`
+as documented, instead of `PERL_HTTP_TINY_INSECURE_BY_DEFAULT` which was
+missing `SSL_`
+
+CVE: CVE-2023-31486
+
+Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d]
+
+Signed-off-by: Soumya <soumya.sambu@windriver.com>
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index ebc34a1..65ac8ff 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
++++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -148,7 +148,7 @@ sub _verify_SSL_default {
+ my ($self) = @_;
+ # Check if insecure default certificate verification behaviour has been
+ # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
+- return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++ return (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
+ }
+
+ sub _set_proxies {
+--
+2.40.0
diff --git a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
index e2c79d962b..881d5e672e 100644
--- a/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
+++ b/meta/recipes-devtools/perl/libmodule-build-perl_0.4231.bb
@@ -37,6 +37,7 @@ EXTRA_CPAN_BUILD_FLAGS = "--create_packlist=0"
 do_install:append () {
 rm -rf ${D}${docdir}/perl/html
+ sed -i "s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data
 }
 do_install_ptest() {
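Review bot: The comment above the changed `return` in `_verify_SSL_default` does not say that only the exact string `1` opts out of verification, so a reader may assume values such as `true` or `yes` work as well. I would add `# Only the exact value "1" disables verification; unset, empty or any other value keeps it enabled.` The diffstat lists Tiny.pm alone, so nothing in this patch pins the variable name, which is the mismatch being corrected; a small test that sets `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` and checks the resulting default would keep code and documentation from drifting apart again.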
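Review bot: The added `sed` in `do_install:append` has no line address, so it rewrites every line of `config_data` that begins with `#!`, not only the interpreter line. Anchoring it to the first line keeps the edit to the shebang: `sed -i "1s:^#!.*:#!/usr/bin/env perl:" ${D}${bindir}/config_data`. A short comment such as `# Replace the build-time interpreter path in the installed script` would also record why the line is rewritten, assuming that is the intent.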
diff --git a/meta/recipes-devtools/perl/perl-ptest.inc b/meta/recipes-devtools/perl/perl-ptest.inc
index 54c7807571..c233fab545 100644
--- a/meta/recipes-devtools/perl/perl-ptest.inc
+++ b/meta/recipes-devtools/perl/perl-ptest.inc
@@ -10,12 +10,12 @@ do_install_ptest () {
 sed -e "s:\/usr\/local:${bindir}:g" -i cpan/version/t/*
 sed -e "s:\/opt:\/usr:" -i Porting/add-package.pl
 sed -e "s:\/local\/gnu\/:\/:" -i hints/cxux.sh
- tar -c --exclude=try --exclude=a.out --exclude='*.o' --exclude=libperl.so* --exclude=Makefile --exclude=makefile --exclude=hostperl \
+ tar -c --exclude=try --exclude=a.out --exclude='*.o' --exclude=libperl.so* --exclude=[Mm]akefile --exclude=hostperl \
 --exclude=cygwin --exclude=os2 --exclude=djgpp --exclude=qnx --exclude=symbian --exclude=haiku \
 --exclude=vms --exclude=vos --exclude=NetWare --exclude=amigaos4 --exclude=buildcustomize.pl \
 --exclude='win32/config.*' --exclude=plan9 --exclude=README.plan9 --exclude=perlplan9.pod --exclude=Configure \
 --exclude=veryclean.sh --exclude=realclean.sh --exclude=getioctlsizes \
- --exclude=dl_aix.xs --exclude=sdbm.3 --exclude='cflags.SH' --exclude=makefile.old \
+ --exclude=dl_aix.xs --exclude=sdbm.3 --exclude='cflags.SH' --exclude=[Mm]akefile.old \
 --exclude=miniperl --exclude=generate_uudmap --exclude=patches --exclude='config.log' * | ( cd ${D}${PTEST_PATH} && tar -x )
 ln -sf ${bindir}/perl ${D}${PTEST_PATH}/t/perl
diff --git a/meta/recipes-devtools/perl/perl_5.34.1.bb b/meta/recipes-devtools/perl/perl_5.34.3.bb
index 42bcb8b1bc..215990c8fa 100644
--- a/meta/recipes-devtools/perl/perl_5.34.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.34.3.bb
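Review bot: The new `--exclude=[Mm]akefile` and `--exclude=[Mm]akefile.old` arguments are unquoted, so the shell interprets the brackets before tar sees them. With no file of that literal name in the working directory the word normally passes through unchanged, but the neighbouring `--exclude='*.o'` and `--exclude='cflags.SH'` are quoted and these should match: `--exclude='[Mm]akefile'` and `--exclude='[Mm]akefile.old'`. The second pattern now also excludes `Makefile.old`, which the old list kept; if that is intended, a comment on the tar line should say so. `do_install_ptest` starts before this hunk and continues after it.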
@@ -18,6 +18,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
 file://determinism.patch \
 file://0001-cpan-Sys-Syslog-Makefile.PL-Fix-_PATH_LOG-for-determ.patch \
 file://0001-Fix-build-with-gcc-12.patch \
+ file://CVE-2023-31484.patch \
+ file://CVE-2023-31486-0001.patch \
+ file://CVE-2023-31486-0002.patch \
 "
 SRC_URI:append:class-native = " \
 file://perl-configpm-switch.patch \
@@ -26,7 +29,7 @@ SRC_URI:append:class-target = " \
 file://encodefix.patch \
 "
-SRC_URI[perl.sha256sum] = "357951a491b0ba1ce3611263922feec78ccd581dddc24a446b033e25acf242a1"
+SRC_URI[perl.sha256sum] = "5b12f62863332b2a5f54102af9cdf8c010877e4bf3294911edbd594b2a1e8ede"
 S = "${WORKDIR}/perl-${PV}"
@@ -45,6 +48,9 @@ PACKAGECONFIG[gdbm] = ",-Ui_gdbm,gdbm"
 # Don't generate comments in enc2xs output files. They are not reproducible
 export ENC2XS_NO_COMMENTS = "1"
+# Duplicate of CVE-2023-47038, which has already been patched as of perl_5.34.3
+CVE_CHECK_IGNORE:append = " CVE-2023-47100"
+
 do_configure:prepend() {
 cp -rfp ${STAGING_DATADIR_NATIVE}/perl-cross/* ${S}
 }
diff --git a/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
new file mode 100644
index 0000000000..c6ec7c94e1
--- /dev/null
+++ b/meta/recipes-devtools/pkgconf/pkgconf/0001-tuple-test-for-and-stop-string-processing-on-truncat.patch
@@ -0,0 +1,75 @@
+From 9368831d360c0e47df55d1bb25c3517269320c5f Mon Sep 17 00:00:00 2001
+From: Ariadne Conill <ariadne@dereferenced.org>
+Date: Wed, 15 Mar 2023 16:12:43 +0800
+Subject: [PATCH] tuple: test for, and stop string processing, on truncation
+
+otherwise a buffer overflow occurs.
+this has been a bug in pkgconf since the beginning, it seems.
+instead of disclosing the bug correctly, a "hotshot" developer
+decided to blog about it instead. sigh.
+
+https://nullprogram.com/blog/2023/01/18/
+
+Upstream-Status: Backport [https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059]
+CVE: CVE-2023-24056
+Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com>
+---
+ libpkgconf/tuple.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
+index 2d550d8..b831070 100644
+--- a/libpkgconf/tuple.c
++++ b/libpkgconf/tuple.c
+@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+ }
+ }
+
++ size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+ ptr += (pptr - ptr);
+ kv = pkgconf_tuple_find_global(client, varname);
+ if (kv != NULL)
+ {
+- strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+- bptr += strlen(kv);
++ size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
++ if (nlen > remain)
++ {
++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
++
++ bptr = buf + (PKGCONF_BUFSIZE - 1);
++ break;
++ }
++
++ bptr += nlen;
+ }
+ else
+ {
+@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
+
+ if (kv != NULL)
+ {
++ size_t nlen;
++
+ parsekv = pkgconf_tuple_parse(client, vars, kv);
++ nlen = pkgconf_strlcpy(bptr, parsekv, remain);
++ free(parsekv);
+
+- strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+- bptr += strlen(parsekv);
++ if (nlen > remain)
++ {
++ pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+- free(parsekv);
++ bptr = buf + (PKGCONF_BUFSIZE - 1);
++ break;
++ }
++
++ bptr += nlen;
+ }
+ }
+ }
+--
+2.27.0
+
diff --git a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
index 887e15e28c..cad0a0fa4f 100644
--- a/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
+++ b/meta/recipes-devtools/pkgconf/pkgconf_1.8.0.bb
@@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2214222ec1a820bd6cc75167a56925e0"
 SRC_URI = "\
 https://distfiles.dereferenced.org/pkgconf/pkgconf-${PV}.tar.xz \
+ file://0001-tuple-test-for-and-stop-string-processing-on-truncat.patch \
 file://pkg-config-wrapper \
 file://pkg-config-native.in \
 file://pkg-config-esdk.in \
diff --git a/meta/recipes-devtools/pseudo/files/glibc238.patch b/meta/recipes-devtools/pseudo/files/glibc238.patch
new file mode 100644
index 0000000000..76ca8c11eb
--- /dev/null
+++ b/meta/recipes-devtools/pseudo/files/glibc238.patch
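Review bot: Both new truncation checks in `pkgconf_tuple_parse` use `if (nlen > remain)`, which misses the case where the source string is exactly `remain` bytes long. If `pkgconf_strlcpy` follows the usual strlcpy contract (it returns the source length and writes at most `remain - 1` bytes plus the terminator), that case is already truncated, and `bptr += nlen` then leaves `bptr` at `buf + PKGCONF_BUFSIZE`, one past the buffer. Using `if (nlen >= remain)` in both branches closes the gap. The enclosing loop and the final terminator write are outside the hunk, so whether that position is ever written through should be confirmed against the full function. Since this is a backport, the change is best raised upstream as well.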
@@ -0,0 +1,72 @@
+glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by
+_GNU_SOURCE but we have to set that for other definitions. Therefore play with defines
+to turn this off within pseudo_wrappers.c. Elsewhere we can switch to _DEFAULT_SOURCE
+rather than _GNU_SOURCE.
+
+Upstream-Status: Pending
+
+Index: git/pseudo_wrappers.c
+===================================================================
+--- git.orig/pseudo_wrappers.c
++++ git/pseudo_wrappers.c
+@@ -6,6 +6,15 @@
+ * SPDX-License-Identifier: LGPL-2.1-only
+ *
+ */
++/* glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by
++ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines
++ * to turn this off.
++ */
++#include <features.h>
++#undef __GLIBC_USE_ISOC2X
++#undef __GLIBC_USE_C2X_STRTOL
++#define __GLIBC_USE_C2X_STRTOL 0
++
+ #include <assert.h>
+ #include <stdlib.h>
+ #include <limits.h>
+Index: git/pseudo_util.c
+===================================================================
+--- git.orig/pseudo_util.c
++++ git/pseudo_util.c
+@@ -8,6 +8,14 @@
+ */
+ /* we need access to RTLD_NEXT for a horrible workaround */
+ #define _GNU_SOURCE
++/* glibc 2.38 would include __isoc23_strtol and similar symbols. This is trggerd by
++ * _GNU_SOURCE but we have to set that for other definitions. Therefore play with defines
++ * to turn this off.
++ */
++#include <features.h>
++#undef __GLIBC_USE_ISOC2X
++#undef __GLIBC_USE_C2X_STRTOL
++#define __GLIBC_USE_C2X_STRTOL 0
+
+ #include <ctype.h>
+ #include <errno.h>
+Index: git/pseudolog.c
+===================================================================
+--- git.orig/pseudolog.c
++++ git/pseudolog.c
+@@ -8,7 +8,7 @@
+ */
+ /* We need _XOPEN_SOURCE for strptime(), but if we define that,
+ * we then don't get S_IFSOCK... _GNU_SOURCE turns on everything. */
+-#define _GNU_SOURCE
++#define _DEFAULT_SOURCE
+
+ #include <ctype.h>
+ #include <limits.h>
+Index: git/pseudo_client.c
+===================================================================
+--- git.orig/pseudo_client.c
++++ git/pseudo_client.c
+@@ -6,7 +6,7 @@
+ * SPDX-License-Identifier: LGPL-2.1-only
+ *
+ */
+-#define _GNU_SOURCE
++#define _DEFAULT_SOURCE
+
+ #include <stdio.h>
+ #include <signal.h>
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index e7ef6a730c..4dd9156238 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -2,6 +2,7 @@ require pseudo.inc
 SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \
 file://0001-configure-Prune-PIE-flags.patch \
+ file://glibc238.patch \
 file://fallback-passwd \
 file://fallback-group \
 "
@@ -13,7 +14,7 @@ SRC_URI:append:class-nativesdk = " \
 file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "2b4b88eb513335b0ece55fe51854693d9b20de35"
+SRCREV = "c9670c27ff67ab899007ce749254b16091577e55"
 S = "${WORKDIR}/git"
 PV = "1.9.0+git${SRCPV}"
diff --git a/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch b/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch
new file mode 100644
index 0000000000..94ca254549
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-certifi/CVE-2022-23491.patch
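Review bot: In the pseudolog.c section the comment directly above the changed define still ends with `_GNU_SOURCE turns on everything`, but the define is now `_DEFAULT_SOURCE`, so the comment no longer describes the code. The same comment says strptime() needs `_XOPEN_SOURCE`, so it is worth confirming that strptime() is still declared with `_DEFAULT_SOURCE` alone, since an implicit declaration would be a silent regression. I would reword the comment along the lines of `/* _DEFAULT_SOURCE replaces _GNU_SOURCE to avoid the glibc 2.38 __isoc23_* symbol redirects. */`. The patch description also says the undef block is needed within pseudo_wrappers.c, while the diff adds the same block to pseudo_util.c, which keeps `_GNU_SOURCE`; the description should mention both files.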
@@ -0,0 +1,230 @@ +From 167413eefa9482a7777b3ccdcc70e511ef5fcc2b Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Thu, 2 Feb 2023 12:57:06 +0000 +Subject: [PATCH] Certifi is a curated collection of Root Certificates for + validating the trustworthiness of SSL certificates while verifying the + identity of TLS hosts. Certifi 2022.12.07 removes root certificates from + "TrustCor" from the root store. These are in the process of being removed + from Mozilla's trust store. TrustCor's root certificates are being removed + pursuant to an investigation prompted by media reporting that TrustCor's + ownership also operated a business that produced spyware. Conclusions of + Mozilla's investigation can be found in the linked google group discussion. + +CVE: CVE-2022-23491 + +Upstream-Status: Backport [https://github.com/certifi/python-certifi/commit/9e9e840925d7b8e76c76fdac1fab7e6e88c1c3b8] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + certifi/cacert.pem | 181 --------------------------------------------- + 1 file changed, 181 deletions(-) + +diff --git a/certifi/cacert.pem b/certifi/cacert.pem +index 6d0ccc0..6bae3e4 100644 +--- a/certifi/cacert.pem ++++ b/certifi/cacert.pem +@@ -694,37 +694,6 @@ BA6+C4OmF4O5MBKgxTMVBbkN+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IB + ZQ== + -----END CERTIFICATE----- + +-# Issuer: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C. +-# Subject: CN=Network Solutions Certificate Authority O=Network Solutions L.L.C. 
+-# Label: "Network Solutions Certificate Authority" +-# Serial: 116697915152937497490437556386812487904 +-# MD5 Fingerprint: d3:f3:a6:16:c0:fa:6b:1d:59:b1:2d:96:4d:0e:11:2e +-# SHA1 Fingerprint: 74:f8:a3:c3:ef:e7:b3:90:06:4b:83:90:3c:21:64:60:20:e5:df:ce +-# SHA256 Fingerprint: 15:f0:ba:00:a3:ac:7a:f3:ac:88:4c:07:2b:10:11:a0:77:bd:77:c0:97:f4:01:64:b2:f8:59:8a:bd:83:86:0c +------BEGIN CERTIFICATE----- +-MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi +-MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu +-MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp +-dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV +-UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO +-ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG +-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz +-c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP +-OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl +-mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF +-BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4 +-qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw +-gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB +-BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu +-bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp +-dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8 +-6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/ +-h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH +-/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv +-wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN +-pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey +------END CERTIFICATE----- +- + # Issuer: CN=COMODO ECC Certification Authority O=COMODO CA Limited + # Subject: CN=COMODO ECC Certification Authority O=COMODO CA Limited + # Label: "COMODO ECC 
Certification Authority" +@@ -2385,46 +2354,6 @@ KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg + xwy8p2Fp8fc74SrL+SvzZpA3 + -----END CERTIFICATE----- + +-# Issuer: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden +-# Subject: CN=Staat der Nederlanden EV Root CA O=Staat der Nederlanden +-# Label: "Staat der Nederlanden EV Root CA" +-# Serial: 10000013 +-# MD5 Fingerprint: fc:06:af:7b:e8:1a:f1:9a:b4:e8:d2:70:1f:c0:f5:ba +-# SHA1 Fingerprint: 76:e2:7e:c1:4f:db:82:c1:c0:a6:75:b5:05:be:3d:29:b4:ed:db:bb +-# SHA256 Fingerprint: 4d:24:91:41:4c:fe:95:67:46:ec:4c:ef:a6:cf:6f:72:e2:8a:13:29:43:2f:9d:8a:90:7a:c4:cb:5d:ad:c1:5a +------BEGIN CERTIFICATE----- +-MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO +-TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh +-dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y +-MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg +-TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS +-b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS +-M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC +-UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d +-Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p +-rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l +-pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb +-j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC +-KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS +-/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X +-cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH +-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP +-px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB +-/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 +-MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI 
+-eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u +-2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS +-v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC +-wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy +-CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e +-vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 +-Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa +-Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL +-eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 +-FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc +-7uzXLg== +------END CERTIFICATE----- +- + # Issuer: CN=IdenTrust Commercial Root CA 1 O=IdenTrust + # Subject: CN=IdenTrust Commercial Root CA 1 O=IdenTrust + # Label: "IdenTrust Commercial Root CA 1" +@@ -3032,116 +2961,6 @@ T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe + MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== + -----END CERTIFICATE----- + +-# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L. 
OU=TrustCor Certificate Authority +-# Label: "TrustCor RootCert CA-1" +-# Serial: 15752444095811006489 +-# MD5 Fingerprint: 6e:85:f1:dc:1a:00:d3:22:d5:b2:b2:ac:6b:37:05:45 +-# SHA1 Fingerprint: ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a +-# SHA256 Fingerprint: d4:0e:9c:86:cd:8f:e4:68:c1:77:69:59:f4:9e:a7:74:fa:54:86:84:b6:c4:06:f3:90:92:61:f4:dc:e2:57:5c +------BEGIN CERTIFICATE----- +-MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD +-VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +-MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +-cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y +-IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB +-pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h +-IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG +-A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU +-cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +-CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid +-RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V +-seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme +-9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV +-EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW +-hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/ +-DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw +-DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD +-ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I +-/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf +-ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ +-yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts +-L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN +-zl/HHk484IkzlQsPpTLWPFp5LBk= +------END CERTIFICATE----- +- +-# Issuer: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. 
de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor RootCert CA-2 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor RootCert CA-2" +-# Serial: 2711694510199101698 +-# MD5 Fingerprint: a2:e1:f8:18:0b:ba:45:d5:c7:41:2a:bb:37:52:45:64 +-# SHA1 Fingerprint: b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c:c0 +-# SHA256 Fingerprint: 07:53:e9:40:37:8c:1b:d5:e3:83:6e:39:5d:ae:a5:cb:83:9e:50:46:f1:bd:0e:ae:19:51:cf:10:fe:c7:c9:65 +------BEGIN CERTIFICATE----- +-MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV +-BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +-IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +-dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig +-Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk +-MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg +-Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD +-VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy +-dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +-AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+ +-QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq +-1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp +-2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK +-DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape +-az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF +-3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88 +-oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM +-g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3 +-mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh +-8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd +-BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U +-nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw 
+-DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX +-dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+ +-MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL +-/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX +-CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa +-ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW +-2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7 +-N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3 +-Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB +-As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp +-5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu +-1uwJ +------END CERTIFICATE----- +- +-# Issuer: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Subject: CN=TrustCor ECA-1 O=TrustCor Systems S. de R.L. OU=TrustCor Certificate Authority +-# Label: "TrustCor ECA-1" +-# Serial: 9548242946988625984 +-# MD5 Fingerprint: 27:92:23:1d:0a:f5:40:7c:e9:e6:6b:9d:d8:f5:e7:6c +-# SHA1 Fingerprint: 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78:bd +-# SHA256 Fingerprint: 5a:88:5d:b1:9c:01:d9:12:c5:75:93:88:93:8c:af:bb:df:03:1a:b2:d4:8e:91:ee:15:58:9b:42:97:1d:03:9c +------BEGIN CERTIFICATE----- +-MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD +-VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk +-MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U +-cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y +-IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV +-BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw +-IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy +-dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig +-RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb +-3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA 
+-BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5 +-3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou +-owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/ +-wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF +-ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf +-BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/ +-MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv +-civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2 +-AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F +-hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50 +-soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI +-WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi +-tJ/X5g== +------END CERTIFICATE----- +- + # Issuer: CN=SSL.com Root Certification Authority RSA O=SSL Corporation + # Subject: CN=SSL.com Root Certification Authority RSA O=SSL Corporation + # Label: "SSL.com Root Certification Authority RSA" +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch b/meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch new file mode 100644 index 0000000000..62187ec469 --- /dev/null +++ b/meta/recipes-devtools/python/python3-certifi/CVE-2023-37920.patch 
@@ -0,0 +1,301 @@ +From 2dfddd74a75e4a1fa9bb901ba31a96e13b98a4e2 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 2 Aug 2023 16:05:04 +0000 +Subject: [PATCH] Certifi is a curated collection of Root Certificates for + validating the trustworthiness of SSL certificates while verifying the + identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes + "e-Tugra" root certificates. e-Tugra's root certificates were subject to an + investigation prompted by reporting of security issues in their systems. + Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root + store. + +CVE: CVE-2023-37920 + +Upstream-Status: Backport [https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + certifi/cacert.pem | 257 ++++++++++++++++++++++++++++++++------------- + 1 file changed, 185 insertions(+), 72 deletions(-) + +diff --git a/certifi/cacert.pem b/certifi/cacert.pem +index 6bae3e4..1bec256 100644 +--- a/certifi/cacert.pem ++++ b/certifi/cacert.pem +@@ -879,34 +879,6 @@ uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2 + XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= + -----END CERTIFICATE----- + +-# Issuer: CN=Hongkong Post Root CA 1 O=Hongkong Post +-# Subject: CN=Hongkong Post Root CA 1 O=Hongkong Post +-# Label: "Hongkong Post Root CA 1" +-# Serial: 1000 +-# MD5 Fingerprint: a8:0d:6f:39:78:b9:43:6d:77:42:6d:98:5a:cc:23:ca +-# SHA1 Fingerprint: d6:da:a8:20:8d:09:d2:15:4d:24:b5:2f:cb:34:6e:b2:58:b2:8a:58 +-# SHA256 Fingerprint: f9:e6:7d:33:6c:51:00:2a:c0:54:c6:32:02:2d:66:dd:a2:e7:e3:ff:f1:0a:d0:61:ed:31:d8:bb:b4:10:cf:b2 +------BEGIN CERTIFICATE----- +-MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsx +-FjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3Qg +-Um9vdCBDQSAxMB4XDTAzMDUxNTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkG 
+-A1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdr +-b25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +-AQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1ApzQ +-jVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEn +-PzlTCeqrauh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjh +-ZY4bXSNmO7ilMlHIhqqhqZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9 +-nnV0ttgCXjqQesBCNnLsak3c78QA3xMYV18meMjWCnl3v/evt3a5pQuEF10Q6m/h +-q5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNVHRMBAf8ECDAGAQH/AgED +-MA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7ih9legYsC +-mEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI3 +-7piol7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clB +-oiMBdDhViw+5LmeiIAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJs +-EhTkYY2sEJCehFC78JZvRZ+K88psT/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpO +-fMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilTc4afU9hDDl3WY4JxHYB0yvbi +-AmvZWg== +------END CERTIFICATE----- +- + # Issuer: CN=SecureSign RootCA11 O=Japan Certification Services, Inc. + # Subject: CN=SecureSign RootCA11 O=Japan Certification Services, Inc. + # Label: "SecureSign RootCA11" +@@ -1836,50 +1808,6 @@ HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx + SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= + -----END CERTIFICATE----- + +-# Issuer: CN=E-Tugra Certification Authority O=E-Tu\u011fra EBG Bili\u015fim Teknolojileri ve Hizmetleri A.\u015e. OU=E-Tugra Sertifikasyon Merkezi +-# Subject: CN=E-Tugra Certification Authority O=E-Tu\u011fra EBG Bili\u015fim Teknolojileri ve Hizmetleri A.\u015e. 
OU=E-Tugra Sertifikasyon Merkezi +-# Label: "E-Tugra Certification Authority" +-# Serial: 7667447206703254355 +-# MD5 Fingerprint: b8:a1:03:63:b0:bd:21:71:70:8a:6f:13:3a:bb:79:49 +-# SHA1 Fingerprint: 51:c6:e7:08:49:06:6e:f3:92:d4:5c:a0:0d:6d:a3:62:8f:c3:52:39 +-# SHA256 Fingerprint: b0:bf:d5:2b:b0:d7:d9:bd:92:bf:5d:4d:c1:3d:a2:55:c0:2c:54:2f:37:83:65:ea:89:39:11:f5:5e:55:f2:3c +------BEGIN CERTIFICATE----- +-MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV +-BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC +-aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV +-BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 +-Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz +-MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ +-BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp +-em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN +-ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 +-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY +-B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH +-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF +-Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo +-q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D +-k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH +-fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut +-dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM +-ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 +-zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn +-rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX +-U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 +-Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 +-XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF 
+-Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR +-HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY +-GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c +-77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 +-+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK +-vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 +-FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl +-yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P +-AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD +-y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d +-NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== +------END CERTIFICATE----- +- + # Issuer: CN=T-TeleSec GlobalRoot Class 2 O=T-Systems Enterprise Services GmbH OU=T-Systems Trust Center + # Subject: CN=T-TeleSec GlobalRoot Class 2 O=T-Systems Enterprise Services GmbH OU=T-Systems Trust Center + # Label: "T-TeleSec GlobalRoot Class 2" +@@ -4179,3 +4107,188 @@ AgGGMAoGCCqGSM49BAMDA2cAMGQCMBHervjcToiwqfAircJRQO9gcS3ujwLEXQNw + SaSS6sUUiHCm0w2wqsosQJz76YJumgIwK0eaB8bRwoF8yguWGEEbo/QwCZ61IygN + nxS2PFOiTAZpffpskcYqSUXm7LcT4Tps + -----END CERTIFICATE----- ++ ++# Issuer: CN=Sectigo Public Server Authentication Root E46 O=Sectigo Limited ++# Subject: CN=Sectigo Public Server Authentication Root E46 O=Sectigo Limited ++# Label: "Sectigo Public Server Authentication Root E46" ++# Serial: 88989738453351742415770396670917916916 ++# MD5 Fingerprint: 28:23:f8:b2:98:5c:37:16:3b:3e:46:13:4e:b0:b3:01 ++# SHA1 Fingerprint: ec:8a:39:6c:40:f0:2e:bc:42:75:d4:9f:ab:1c:1a:5b:67:be:d2:9a ++# SHA256 Fingerprint: c9:0f:26:f0:fb:1b:40:18:b2:22:27:51:9b:5c:a2:b5:3e:2c:a5:b3:be:5c:f1:8e:fe:1b:ef:47:38:0c:53:83 ++-----BEGIN CERTIFICATE----- ++MIICOjCCAcGgAwIBAgIQQvLM2htpN0RfFf51KBC49DAKBggqhkjOPQQDAzBfMQsw ++CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1T ++ZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwHhcN 
++MjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEYMBYG ++A1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1YmxpYyBT ++ZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQA ++IgNiAAR2+pmpbiDt+dd34wc7qNs9Xzjoq1WmVk/WSOrsfy2qw7LFeeyZYX8QeccC ++WvkEN/U0NSt3zn8gj1KjAIns1aeibVvjS5KToID1AZTc8GgHHs3u/iVStSBDHBv+ ++6xnOQ6OjQjBAMB0GA1UdDgQWBBTRItpMWfFLXyY4qp3W7usNw/upYTAOBgNVHQ8B ++Af8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjAn7qRa ++qCG76UeXlImldCBteU/IvZNeWBj7LRoAasm4PdCkT0RHlAFWovgzJQxC36oCMB3q ++4S6ILuH5px0CMk7yn2xVdOOurvulGu7t0vzCAxHrRVxgED1cf5kDW21USAGKcw== ++-----END CERTIFICATE----- ++ ++# Issuer: CN=Sectigo Public Server Authentication Root R46 O=Sectigo Limited ++# Subject: CN=Sectigo Public Server Authentication Root R46 O=Sectigo Limited ++# Label: "Sectigo Public Server Authentication Root R46" ++# Serial: 156256931880233212765902055439220583700 ++# MD5 Fingerprint: 32:10:09:52:00:d5:7e:6c:43:df:15:c0:b1:16:93:e5 ++# SHA1 Fingerprint: ad:98:f9:f3:e4:7d:75:3b:65:d4:82:b3:a4:52:17:bb:6e:f5:e4:38 ++# SHA256 Fingerprint: 7b:b6:47:a6:2a:ee:ac:88:bf:25:7a:a5:22:d0:1f:fe:a3:95:e0:ab:45:c7:3f:93:f6:56:54:ec:38:f2:5a:06 ++-----BEGIN CERTIFICATE----- ++MIIFijCCA3KgAwIBAgIQdY39i658BwD6qSWn4cetFDANBgkqhkiG9w0BAQwFADBf ++MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQD ++Ey1TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYw ++HhcNMjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEY ++MBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1Ymxp ++YyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBSNDYwggIiMA0GCSqGSIb3DQEB ++AQUAA4ICDwAwggIKAoICAQCTvtU2UnXYASOgHEdCSe5jtrch/cSV1UgrJnwUUxDa ++ef0rty2k1Cz66jLdScK5vQ9IPXtamFSvnl0xdE8H/FAh3aTPaE8bEmNtJZlMKpnz ++SDBh+oF8HqcIStw+KxwfGExxqjWMrfhu6DtK2eWUAtaJhBOqbchPM8xQljeSM9xf ++iOefVNlI8JhD1mb9nxc4Q8UBUQvX4yMPFF1bFOdLvt30yNoDN9HWOaEhUTCDsG3X ++ME6WW5HwcCSrv0WBZEMNvSE6Lzzpng3LILVCJ8zab5vuZDCQOc2TZYEhMbUjUDM3 
++IuM47fgxMMxF/mL50V0yeUKH32rMVhlATc6qu/m1dkmU8Sf4kaWD5QazYw6A3OAS ++VYCmO2a0OYctyPDQ0RTp5A1NDvZdV3LFOxxHVp3i1fuBYYzMTYCQNFu31xR13NgE ++SJ/AwSiItOkcyqex8Va3e0lMWeUgFaiEAin6OJRpmkkGj80feRQXEgyDet4fsZfu +++Zd4KKTIRJLpfSYFplhym3kT2BFfrsU4YjRosoYwjviQYZ4ybPUHNs2iTG7sijbt ++8uaZFURww3y8nDnAtOFr94MlI1fZEoDlSfB1D++N6xybVCi0ITz8fAr/73trdf+L ++HaAZBav6+CuBQug4urv7qv094PPK306Xlynt8xhW6aWWrL3DkJiy4Pmi1KZHQ3xt ++zwIDAQABo0IwQDAdBgNVHQ4EFgQUVnNYZJX5khqwEioEYnmhQBWIIUkwDgYDVR0P ++AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAC9c ++mTz8Bl6MlC5w6tIyMY208FHVvArzZJ8HXtXBc2hkeqK5Duj5XYUtqDdFqij0lgVQ ++YKlJfp/imTYpE0RHap1VIDzYm/EDMrraQKFz6oOht0SmDpkBm+S8f74TlH7Kph52 ++gDY9hAaLMyZlbcp+nv4fjFg4exqDsQ+8FxG75gbMY/qB8oFM2gsQa6H61SilzwZA ++Fv97fRheORKkU55+MkIQpiGRqRxOF3yEvJ+M0ejf5lG5Nkc/kLnHvALcWxxPDkjB ++JYOcCj+esQMzEhonrPcibCTRAUH4WAP+JWgiH5paPHxsnnVI84HxZmduTILA7rpX ++DhjvLpr3Etiga+kFpaHpaPi8TD8SHkXoUsCjvxInebnMMTzD9joiFgOgyY9mpFui ++TdaBJQbpdqQACj7LzTWb4OE4y2BThihCQRxEV+ioratF4yUQvNs+ZUH7G6aXD+u5 ++dHn5HrwdVw1Hr8Mvn4dGp+smWg9WY7ViYG4A++MnESLn/pmPNPW56MORcr3Ywx65 ++LvKRRFHQV80MNNVIIb/bE/FmJUNS0nAiNs2fxBx1IK1jcmMGDw4nztJqDby1ORrp ++0XZ60Vzk50lJLVU3aPAaOpg+VBeHVOmmJ1CJeyAvP/+/oYtKR5j/K3tJPsMpRmAY ++QqszKbrAKbkTidOIijlBO8n9pu0f9GBj39ItVQGL ++-----END CERTIFICATE----- ++ ++# Issuer: CN=SSL.com TLS RSA Root CA 2022 O=SSL Corporation ++# Subject: CN=SSL.com TLS RSA Root CA 2022 O=SSL Corporation ++# Label: "SSL.com TLS RSA Root CA 2022" ++# Serial: 148535279242832292258835760425842727825 ++# MD5 Fingerprint: d8:4e:c6:59:30:d8:fe:a0:d6:7a:5a:2c:2c:69:78:da ++# SHA1 Fingerprint: ec:2c:83:40:72:af:26:95:10:ff:0e:f2:03:ee:31:70:f6:78:9d:ca ++# SHA256 Fingerprint: 8f:af:7d:2e:2c:b4:70:9b:b8:e0:b3:36:66:bf:75:a5:dd:45:b5:de:48:0f:8e:a8:d4:bf:e6:be:bc:17:f2:ed ++-----BEGIN CERTIFICATE----- ++MIIFiTCCA3GgAwIBAgIQb77arXO9CEDii02+1PdbkTANBgkqhkiG9w0BAQsFADBO ++MQswCQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQD 
++DBxTU0wuY29tIFRMUyBSU0EgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzQyMloX ++DTQ2MDgxOTE2MzQyMVowTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jw ++b3JhdGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgUlNBIFJvb3QgQ0EgMjAyMjCC ++AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANCkCXJPQIgSYT41I57u9nTP ++L3tYPc48DRAokC+X94xI2KDYJbFMsBFMF3NQ0CJKY7uB0ylu1bUJPiYYf7ISf5OY ++t6/wNr/y7hienDtSxUcZXXTzZGbVXcdotL8bHAajvI9AI7YexoS9UcQbOcGV0ins ++S657Lb85/bRi3pZ7QcacoOAGcvvwB5cJOYF0r/c0WRFXCsJbwST0MXMwgsadugL3 ++PnxEX4MN8/HdIGkWCVDi1FW24IBydm5MR7d1VVm0U3TZlMZBrViKMWYPHqIbKUBO ++L9975hYsLfy/7PO0+r4Y9ptJ1O4Fbtk085zx7AGL0SDGD6C1vBdOSHtRwvzpXGk3 ++R2azaPgVKPC506QVzFpPulJwoxJF3ca6TvvC0PeoUidtbnm1jPx7jMEWTO6Af77w ++dr5BUxIzrlo4QqvXDz5BjXYHMtWrifZOZ9mxQnUjbvPNQrL8VfVThxc7wDNY8VLS +++YCk8OjwO4s4zKTGkH8PnP2L0aPP2oOnaclQNtVcBdIKQXTbYxE3waWglksejBYS ++d66UNHsef8JmAOSqg+qKkK3ONkRN0VHpvB/zagX9wHQfJRlAUW7qglFA35u5CCoG ++AtUjHBPW6dvbxrB6y3snm/vg1UYk7RBLY0ulBY+6uB0rpvqR4pJSvezrZ5dtmi2f ++gTIFZzL7SAg/2SW4BCUvAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0j ++BBgwFoAU+y437uOEeicuzRk1sTN8/9REQrkwHQYDVR0OBBYEFPsuN+7jhHonLs0Z ++NbEzfP/UREK5MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAjYlt ++hEUY8U+zoO9opMAdrDC8Z2awms22qyIZZtM7QbUQnRC6cm4pJCAcAZli05bg4vsM ++QtfhWsSWTVTNj8pDU/0quOr4ZcoBwq1gaAafORpR2eCNJvkLTqVTJXojpBzOCBvf ++R4iyrT7gJ4eLSYwfqUdYe5byiB0YrrPRpgqU+tvT5TgKa3kSM/tKWTcWQA673vWJ ++DPFs0/dRa1419dvAJuoSc06pkZCmF8NsLzjUo3KUQyxi4U5cMj29TH0ZR6LDSeeW ++P4+a0zvkEdiLA9z2tmBVGKaBUfPhqBVq6+AL8BQx1rmMRTqoENjwuSfr98t67wVy ++lrXEj5ZzxOhWc5y8aVFjvO9nHEMaX3cZHxj4HCUp+UmZKbaSPaKDN7EgkaibMOlq ++bLQjk2UEqxHzDh1TJElTHaE/nUiSEeJ9DU/1172iWD54nR4fK/4huxoTtrEoZP2w ++AgDHbICivRZQIA9ygV/MlP+7mea6kMvq+cYMwq7FGc4zoWtcu358NFcXrfA/rs3q ++r5nsLFR+jM4uElZI7xc7P0peYNLcdDa8pUNjyw9bowJWCZ4kLOGGgYz+qxcs+sji ++Mho6/4UIyYOf8kpIEFR3N+2ivEC+5BB09+Rbu7nzifmPQdjH5FCQNYA+HLhNkNPU ++98OwoX6EyneSMSy4kLGCenROmxMmtNVQZlR4rmA= ++-----END CERTIFICATE----- ++ ++# Issuer: CN=SSL.com TLS ECC Root CA 2022 O=SSL Corporation ++# Subject: CN=SSL.com TLS ECC Root CA 2022 O=SSL 
Corporation ++# Label: "SSL.com TLS ECC Root CA 2022" ++# Serial: 26605119622390491762507526719404364228 ++# MD5 Fingerprint: 99:d7:5c:f1:51:36:cc:e9:ce:d9:19:2e:77:71:56:c5 ++# SHA1 Fingerprint: 9f:5f:d9:1a:54:6d:f5:0c:71:f0:ee:7a:bd:17:49:98:84:73:e2:39 ++# SHA256 Fingerprint: c3:2f:fd:9f:46:f9:36:d1:6c:36:73:99:09:59:43:4b:9a:d6:0a:af:bb:9e:7c:f3:36:54:f1:44:cc:1b:a1:43 ++-----BEGIN CERTIFICATE----- ++MIICOjCCAcCgAwIBAgIQFAP1q/s3ixdAW+JDsqXRxDAKBggqhkjOPQQDAzBOMQsw ++CQYDVQQGEwJVUzEYMBYGA1UECgwPU1NMIENvcnBvcmF0aW9uMSUwIwYDVQQDDBxT ++U0wuY29tIFRMUyBFQ0MgUm9vdCBDQSAyMDIyMB4XDTIyMDgyNTE2MzM0OFoXDTQ2 ++MDgxOTE2MzM0N1owTjELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD1NTTCBDb3Jwb3Jh ++dGlvbjElMCMGA1UEAwwcU1NMLmNvbSBUTFMgRUNDIFJvb3QgQ0EgMjAyMjB2MBAG ++ByqGSM49AgEGBSuBBAAiA2IABEUpNXP6wrgjzhR9qLFNoFs27iosU8NgCTWyJGYm ++acCzldZdkkAZDsalE3D07xJRKF3nzL35PIXBz5SQySvOkkJYWWf9lCcQZIxPBLFN ++SeR7T5v15wj4A4j3p8OSSxlUgaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME ++GDAWgBSJjy+j6CugFFR781a4Jl9nOAuc0DAdBgNVHQ4EFgQUiY8vo+groBRUe/NW ++uCZfZzgLnNAwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2gAMGUCMFXjIlbp ++15IkWE8elDIPDAI2wv2sdDJO4fscgIijzPvX6yv/N33w7deedWo1dlJF4AIxAMeN ++b0Igj762TVntd00pxCAgRWSGOlDGxK0tk/UYfXLtqc/ErFc2KAhl3zx5Zn6g6g== ++-----END CERTIFICATE----- ++ ++# Issuer: CN=Atos TrustedRoot Root CA ECC TLS 2021 O=Atos ++# Subject: CN=Atos TrustedRoot Root CA ECC TLS 2021 O=Atos ++# Label: "Atos TrustedRoot Root CA ECC TLS 2021" ++# Serial: 81873346711060652204712539181482831616 ++# MD5 Fingerprint: 16:9f:ad:f1:70:ad:79:d6:ed:29:b4:d1:c5:79:70:a8 ++# SHA1 Fingerprint: 9e:bc:75:10:42:b3:02:f3:81:f4:f7:30:62:d4:8f:c3:a7:51:b2:dd ++# SHA256 Fingerprint: b2:fa:e5:3e:14:cc:d7:ab:92:12:06:47:01:ae:27:9c:1d:89:88:fa:cb:77:5f:a8:a0:08:91:4e:66:39:88:a8 ++-----BEGIN CERTIFICATE----- ++MIICFTCCAZugAwIBAgIQPZg7pmY9kGP3fiZXOATvADAKBggqhkjOPQQDAzBMMS4w ++LAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgRUNDIFRMUyAyMDIxMQ0w ++CwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTI2MjNaFw00MTA0 
++MTcwOTI2MjJaMEwxLjAsBgNVBAMMJUF0b3MgVHJ1c3RlZFJvb3QgUm9vdCBDQSBF ++Q0MgVExTIDIwMjExDTALBgNVBAoMBEF0b3MxCzAJBgNVBAYTAkRFMHYwEAYHKoZI ++zj0CAQYFK4EEACIDYgAEloZYKDcKZ9Cg3iQZGeHkBQcfl+3oZIK59sRxUM6KDP/X ++tXa7oWyTbIOiaG6l2b4siJVBzV3dscqDY4PMwL502eCdpO5KTlbgmClBk1IQ1SQ4 ++AjJn8ZQSb+/Xxd4u/RmAo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR2 ++KCXWfeBmmnoJsmo7jjPXNtNPojAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwMD ++aAAwZQIwW5kp85wxtolrbNa9d+F851F+uDrNozZffPc8dz7kUK2o59JZDCaOMDtu ++CCrCp1rIAjEAmeMM56PDr9NJLkaCI2ZdyQAUEv049OGYa3cpetskz2VAv9LcjBHo ++9H1/IISpQuQo ++-----END CERTIFICATE----- ++ ++# Issuer: CN=Atos TrustedRoot Root CA RSA TLS 2021 O=Atos ++# Subject: CN=Atos TrustedRoot Root CA RSA TLS 2021 O=Atos ++# Label: "Atos TrustedRoot Root CA RSA TLS 2021" ++# Serial: 111436099570196163832749341232207667876 ++# MD5 Fingerprint: d4:d3:46:b8:9a:c0:9c:76:5d:9e:3a:c3:b9:99:31:d2 ++# SHA1 Fingerprint: 18:52:3b:0d:06:37:e4:d6:3a:df:23:e4:98:fb:5b:16:fb:86:74:48 ++# SHA256 Fingerprint: 81:a9:08:8e:a5:9f:b3:64:c5:48:a6:f8:55:59:09:9b:6f:04:05:ef:bf:18:e5:32:4e:c9:f4:57:ba:00:11:2f ++-----BEGIN CERTIFICATE----- ++MIIFZDCCA0ygAwIBAgIQU9XP5hmTC/srBRLYwiqipDANBgkqhkiG9w0BAQwFADBM ++MS4wLAYDVQQDDCVBdG9zIFRydXN0ZWRSb290IFJvb3QgQ0EgUlNBIFRMUyAyMDIx ++MQ0wCwYDVQQKDARBdG9zMQswCQYDVQQGEwJERTAeFw0yMTA0MjIwOTIxMTBaFw00 ++MTA0MTcwOTIxMDlaMEwxLjAsBgNVBAMMJUF0b3MgVHJ1c3RlZFJvb3QgUm9vdCBD ++QSBSU0EgVExTIDIwMjExDTALBgNVBAoMBEF0b3MxCzAJBgNVBAYTAkRFMIICIjAN ++BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtoAOxHm9BYx9sKOdTSJNy/BBl01Z ++4NH+VoyX8te9j2y3I49f1cTYQcvyAh5x5en2XssIKl4w8i1mx4QbZFc4nXUtVsYv ++Ye+W/CBGvevUez8/fEc4BKkbqlLfEzfTFRVOvV98r61jx3ncCHvVoOX3W3WsgFWZ ++kmGbzSoXfduP9LVq6hdKZChmFSlsAvFr1bqjM9xaZ6cF4r9lthawEO3NUDPJcFDs ++GY6wx/J0W2tExn2WuZgIWWbeKQGb9Cpt0xU6kGpn8bRrZtkh68rZYnxGEFzedUln ++nkL5/nWpo63/dgpnQOPF943HhZpZnmKaau1Fh5hnstVKPNe0OwANwI8f4UDErmwh ++3El+fsqyjW22v5MvoVw+j8rtgI5Y4dtXz4U2OLJxpAmMkokIiEjxQGMYsluMWuPD ++0xeqqxmjLBvk1cbiZnrXghmmOxYsL3GHX0WelXOTwkKBIROW1527k2gV+p2kHYzy 
++geBYBr3JtuP2iV2J+axEoctr+hbxx1A9JNr3w+SH1VbxT5Aw+kUJWdo0zuATHAR8 ++ANSbhqRAvNncTFd+rrcztl524WWLZt+NyteYr842mIycg5kDcPOvdO3GDjbnvezB ++c6eUWsuSZIKmAMFwoW4sKeFYV+xafJlrJaSQOoD0IJ2azsct+bJLKZWD6TWNp0lI ++pw9MGZHQ9b8Q4HECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU ++dEmZ0f+0emhFdcN+tNzMzjkz2ggwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB ++DAUAA4ICAQAjQ1MkYlxt/T7Cz1UAbMVWiLkO3TriJQ2VSpfKgInuKs1l+NsW4AmS ++4BjHeJi78+xCUvuppILXTdiK/ORO/auQxDh1MoSf/7OwKwIzNsAQkG8dnK/haZPs ++o0UvFJ/1TCplQ3IM98P4lYsU84UgYt1UU90s3BiVaU+DR3BAM1h3Egyi61IxHkzJ ++qM7F78PRreBrAwA0JrRUITWXAdxfG/F851X6LWh3e9NpzNMOa7pNdkTWwhWaJuyw ++xfW70Xp0wmzNxbVe9kzmWy2B27O3Opee7c9GslA9hGCZcbUztVdF5kJHdWoOsAgM ++rr3e97sPWD2PAzHoPYJQyi9eDF20l74gNAf0xBLh7tew2VktafcxBPTy+av5EzH4 ++AXcOPUIjJsyacmdRIXrMPIWo6iFqO9taPKU0nprALN+AnCng33eU0aKAQv9qTFsR ++0PXNor6uzFFcw9VUewyu1rkGd4Di7wcaaMxZUa1+XGdrudviB0JbuAEFWDlN5LuY ++o7Ey7Nmj1m+UI/87tyll5gfp77YZ6ufCOB0yiJA8EytuzO+rdwY0d4RPcuSBhPm5 ++dDTedk+SKlOxJTnbPP/lPqYO5Wue/9vsL3SD3460s6neFE3/MaNFcyT6lSnMEpcE ++oji2jbDwN/zIIX8/syQbPYtuzE2wFg2WHYMfRsCbvUOZ58SWLs5fyQ== ++-----END CERTIFICATE----- +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb b/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb index 4c376da897..eb1574adf6 100644 --- a/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb +++ b/meta/recipes-devtools/python/python3-certifi_2021.10.8.bb @@ -7,6 +7,10 @@ HOMEPAGE = " http://certifi.io/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=67da0714c3f9471067b729eca6c9fbe8" +SRC_URI += "file://CVE-2022-23491.patch \ + file://CVE-2023-37920.patch \ + " + SRC_URI[sha256sum] = "78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872" inherit pypi setuptools3 diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch new file mode 100644 index 0000000000..5fc4878978 --- /dev/null 
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-23931.patch 
@@ -0,0 +1,49 @@
+From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
+
+CVE: CVE-2023-23931
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 286583f93..075d68fb9 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -156,7 +156,7 @@ class _CipherContext:
+ data_processed = 0
+ total_out = 0
+ outlen = self._backend._ffi.new("int *")
+- baseoutbuf = self._backend._ffi.from_buffer(buf)
++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+ baseinbuf = self._backend._ffi.from_buffer(data)
+
+ while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd9c..bf3b047de 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ class TestCipherUpdateInto:
+ with pytest.raises(ValueError):
+ encryptor.update_into(b"testing", buf)
+
++ def test_update_into_immutable(self, backend):
++ key = b"\x00" * 16
++ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++ encryptor = c.encryptor()
++ buf = b"\x00" * 32
++ with pytest.raises((TypeError, BufferError)):
++ encryptor.update_into(b"testing", buf)
++
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.cipher_supported(
+ AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+--
+2.40.0
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
new file mode 100644
index 0000000000..d398eea1d9
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2023-49083.patch
@@ -0,0 +1,53 @@
+From 627ac5e314303acc00a19d58f09eb1eabd029fd1 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 6 Dec 2023 08:04:53 +0000
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+ (#9926)
+
+CVE: CVE-2023-49083
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 5606fe6..c43fea0 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
+ _Reasons.UNSUPPORTED_SERIALIZATION,
+ )
+
++ certs: list[x509.Certificate] = []
++ if p7.d.sign == self._ffi.NULL:
++ return certs
++
+ sk_x509 = p7.d.sign.cert
+ num = self._lib.sk_X509_num(sk_x509)
+- certs = []
+ for i in range(num):
+ x509 = self._lib.sk_X509_value(sk_x509, i)
+ self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 91ac842..b98a9f1 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
+ mode="rb",
+ )
+
++ def test_load_pkcs7_empty_certificates(self):
++ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++ certificates = pkcs7.load_der_pkcs7_certificates(der)
++ assert certificates == []
++
+
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+--
+2.40.0
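Review bot: The patch header names two different upstream commits: the `From` line carries 627ac5e314303acc00a19d58f09eb1eabd029fd1, while `Upstream-Status: Backport` points at 1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff. One is presumably a release-branch pick of the other, but the header does not say which commit the hunks were actually taken from, which makes the CVE-2023-49083 backport harder to diff against its source. I would make the two agree, or add one line under `Upstream-Status` stating which commit was used and whether the text was adapted for 36.0.2.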
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
new file mode 100644
index 0000000000..ff113e8cc7
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
@@ -0,0 +1,66 @@ +From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor <alex.gaynor@gmail.com> +Date: Mon, 19 Feb 2024 11:50:28 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't + match (#10423) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55] +CVE: CVE-2024-26130 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index c43fea0..d687931 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2131,6 +2131,15 @@ class Backend(BackendInterface): + mac_iter, + 0, + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + self.openssl_assert(p12 != self._ffi.NULL) + p12 = self._ffi.gc(p12, self._lib.PKCS12_free) +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index c5cfbc0..8af4c93 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption + from ...utils import load_vectors_from_file + + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ 
.hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + @pytest.mark.skip_fips( + reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." + ) +-- +2.35.7 + diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb index 9ef5ff39c8..83381f225c 100644 --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb @@ -17,6 +17,9 @@ SRC_URI += " \ file://0001-Cargo.toml-specify-pem-version.patch \ file://0002-Cargo.toml-edition-2018-2021.patch \ file://fix-leak-metric.patch \ + file://CVE-2023-23931.patch \ + file://CVE-2023-49083.patch \ + file://CVE-2024-26130.patch \ " inherit pypi python_setuptools3_rust diff --git a/meta/recipes-devtools/python/python3-git_3.1.27.bb b/meta/recipes-devtools/python/python3-git_3.1.37.bb index fb1bae8f8e..56a335a79e 100644 --- a/meta/recipes-devtools/python/python3-git_3.1.27.bb +++ b/meta/recipes-devtools/python/python3-git_3.1.37.bb @@ -6,13 +6,13 @@ access with big-files support." HOMEPAGE = "http://github.com/gitpython-developers/GitPython" SECTION = "devel/python" LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8b8d26c37c1d5a04f9b0186edbebc183" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5279a7ab369ba336989dcf2a107e5c8e" PYPI_PACKAGE = "GitPython" inherit pypi python_setuptools_build_meta -SRC_URI[sha256sum] = "1c885ce809e8ba2d88a29befeb385fcea06338d3640712b59ca623c220bb5704" +SRC_URI[sha256sum] = "f9b9ddc0761c125d5780eab2d64be4873fc6817c2899cbcb34b02344bdc7bc54" DEPENDS += " ${PYTHON_PN}-gitdb" diff --git a/meta/recipes-devtools/python/python3-jinja2/run-ptest b/meta/recipes-devtools/python/python3-jinja2/run-ptest index 5cec711696..5817735a63 100644 --- a/meta/recipes-devtools/python/python3-jinja2/run-ptest 
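Review bot: The regression test added in the test_pkcs12.py hunk of CVE-2024-26130.patch is declared as a method, `def test_set_mac_key_certificate_mismatch(self, backend)`, yet the hunk inserts it at line 25, directly after the module imports and before any class is visible. Indentation is not preserved on this page, so this needs checking against the patched tree: if indented it would not parse at module level, and if not indented pytest would look for a `self` fixture. The test belongs inside the class that holds the other `serialize_key_and_certificates` tests. It is also worth confirming that `Cryptography_HAS_PKCS12_SET_MAC`, `_load_ca` and `PrivateFormat.PKCS12.encryption_builder()` exist in 36.0.2, because a backport whose test cannot run gives no evidence that the new `p12 == self._ffi.NULL` check is reached.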
+++ b/meta/recipes-devtools/python/python3-jinja2/run-ptest @@ -1,3 +1,3 @@ #!/bin/sh -pytest +pytest -o log_cli=true -o log_cli_level=INFO | sed -e 's/\[...%\]//g'| sed -e 's/PASSED/PASS/g'| sed -e 's/FAILED/FAIL/g'| sed -e 's/SKIPPED/SKIP/g'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS"){printf "%s: %s\n", $NF, $0}else{print}}'| awk '{if ($NF=="PASS" || $NF=="FAIL" || $NF=="SKIP" || $NF=="XFAIL" || $NF=="XPASS") {$NF="";print $0}else{print}}' diff --git a/meta/recipes-devtools/python/python3-jinja2_3.1.1.bb b/meta/recipes-devtools/python/python3-jinja2_3.1.3.bb index c38686a5c2..068e21bf5f 100644 --- a/meta/recipes-devtools/python/python3-jinja2_3.1.1.bb +++ b/meta/recipes-devtools/python/python3-jinja2_3.1.3.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://pypi.org/project/Jinja2/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.rst;md5=5dc88300786f1c214c1e9827a5229462" -SRC_URI[sha256sum] = "640bed4bb501cbd17194b3cace1dc2126f5b619cf068a726b98192a0fde74ae9" +SRC_URI[sha256sum] = "ac8bd6544d4bb2c9792bf3a159e80bba8fda7f07e81bc3aed565432d5925ba90" PYPI_PACKAGE = "Jinja2" diff --git a/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch b/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch new file mode 100644 index 0000000000..66690e74b4 --- /dev/null +++ b/meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch 
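Review bot: The awk stages in the new `pytest ... | sed ... | awk ...` line recognise only PASS, FAIL, SKIP, XFAIL and XPASS, so a test that pytest reports as `ERROR` (a fixture or collection failure) is printed without a ptest status prefix. The script's exit status is also that of the last `awk`, not of pytest, so a run that breaks before any test executes can look clean to whatever reads the output. Mapping that outcome as well, for instance with `sed -e 's/ERROR/FAIL/g'` ahead of the awk stages, would surface it. How the ptest runner treats the exit code is not visible here.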
@@ -0,0 +1,119 @@
+From 925760291d6efec64fda6e9dd1fd9cfbd5be068c Mon Sep 17 00:00:00 2001
+From: Mike Bayer <mike_mp@zzzcomputing.com>
+Date: Mon, 29 Aug 2022 12:28:52 -0400
+Subject: [PATCH] fix tag regexp to match quoted groups correctly
+
+Fixed issue in lexer where the regexp used to match tags would not
+correctly interpret quoted sections individually. While this parsing issue
+still produced the same expected tag structure later on, the mis-handling
+of quoted sections was also subject to a regexp crash if a tag had a large
+number of quotes within its quoted sections.
+
+Fixes: #366
+Change-Id: I74e0d71ff7f419970711a7cd51adcf1bb90a44c0
+
+Upstream-Status: Backport [https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c]
+
+Signed-off-by: <narpat.mali@windriver.com>
+
+---
+ doc/build/unreleased/366.rst | 9 +++++++++
+ mako/lexer.py | 12 ++++++++----
+ test/test_lexer.py | 21 +++++++++++++++++----
+ 3 files changed, 34 insertions(+), 8 deletions(-)
+ create mode 100644 doc/build/unreleased/366.rst
+
+--- /dev/null
++++ Mako-1.1.6/doc/build/unreleased/366.rst
+@@ -0,0 +1,9 @@
++.. change::
++ :tags: bug, lexer
++ :tickets: 366
++
++ Fixed issue in lexer where the regexp used to match tags would not
++ correctly interpret quoted sections individually. While this parsing issue
++ still produced the same expected tag structure later on, the mis-handling
++ of quoted sections was also subject to a regexp crash if a tag had a large
++ number of quotes within its quoted sections.
+\ No newline at end of file
+--- Mako-1.1.6.orig/mako/lexer.py
++++ Mako-1.1.6/mako/lexer.py
+@@ -295,20 +295,24 @@ class Lexer(object):
+ return self.template
+
+ def match_tag_start(self):
+- match = self.match(
+- r"""
++ reg = r"""
+ \<% # opening tag
+
+ ([\w\.\:]+) # keyword
+
+- ((?:\s+\w+|\s*=\s*|".*?"|'.*?')*) # attrname, = \
++ ((?:\s+\w+|\s*=\s*|"[^"]*?"|'[^']*?'|\s*,\s*)*) # attrname, = \
+ # sign, string expression
++ # comma is for backwards compat
++ # identified in #366
+
+ \s* # more whitespace
+
+ (/)?> # closing
+
+- """,
++ """
++
++ match = self.match(
++ reg,
+ re.I | re.S | re.X,
+ )
+
+--- Mako-1.1.6.orig/test/test_lexer.py
++++ Mako-1.1.6/test/test_lexer.py
+@@ -1,5 +1,7 @@
+ import re
+
++import pytest
++
+ from mako import compat
+ from mako import exceptions
+ from mako import parsetree
+@@ -146,6 +148,10 @@ class LexerTest(TemplateTest):
+ """
+ self.assertRaises(exceptions.CompileException, Lexer(template).parse)
+
++ def test_tag_many_quotes(self):
++ template = "<%0" + '"' * 3000
++ assert_raises(exceptions.SyntaxException, Lexer(template).parse)
++
+ def test_unmatched_tag(self):
+ template = """
+ <%namespace name="bar">
+@@ -432,9 +438,16 @@ class LexerTest(TemplateTest):
+ ),
+ )
+
+- def test_pagetag(self):
+- template = """
+- <%page cached="True", args="a, b"/>
++ @pytest.mark.parametrize("comma,numchars", [(",", 48), ("", 47)])
++ def test_pagetag(self, comma, numchars):
++ # note that the comma here looks like:
++ # <%page cached="True", args="a, b"/>
++ # that's what this test has looked like for decades, however, the
++ # comma there is not actually the right syntax. When issue #366
++ # was fixed, the reg was altered to accommodate for this comma to allow
++ # backwards compat
++ template = f"""
++ <%page cached="True"{comma} args="a, b"/>
+
+ some template
+ """
+@@ -453,7 +466,7 @@ class LexerTest(TemplateTest):
+
+ some template
+ """,
+- (2, 48),
++ (2, numchars),
+ ),
+ ],
+ ),
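Review bot: `test_tag_many_quotes` calls a bare `assert_raises(...)`, but the only import the test_lexer.py hunks add is `import pytest`, and the neighbouring test in the same hunk uses `self.assertRaises`. Unless Mako 1.1.6 already imports that helper, the test fails with NameError instead of exercising the regexp fix for CVE-2022-40023. Writing it as `self.assertRaises(exceptions.SyntaxException, Lexer(template).parse)` would match the surrounding code. The `@pytest.mark.parametrize` on `test_pagetag` carries a similar risk: if `TemplateTest` derives from `unittest.TestCase` (not visible here), pytest does not parametrize such methods and the test would fail for lack of `comma` and `numchars`. The class body continues outside these hunks.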
diff --git a/meta/recipes-devtools/python/python3-mako_1.1.6.bb b/meta/recipes-devtools/python/python3-mako_1.1.6.bb index 71e5d96ba1..4e4f33f5dc 100644 --- a/meta/recipes-devtools/python/python3-mako_1.1.6.bb +++ b/meta/recipes-devtools/python/python3-mako_1.1.6.bb @@ -6,6 +6,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=943eb67718222db21d44a4ef1836675f" PYPI_PACKAGE = "Mako" +SRC_URI += "file://CVE-2022-40023.patch" + inherit pypi python_setuptools_build_meta SRC_URI[sha256sum] = "4e9e345a41924a954251b95b4b28e14a301145b544901332e658907a7464b6b2" diff --git a/meta/recipes-devtools/python/python3-pip_22.0.3.bb b/meta/recipes-devtools/python/python3-pip_22.0.3.bb index 09a305edf8..6e28b87ba3 100644 --- a/meta/recipes-devtools/python/python3-pip_22.0.3.bb +++ b/meta/recipes-devtools/python/python3-pip_22.0.3.bb @@ -55,6 +55,8 @@ RDEPENDS:${PN} = "\ python3-unixadmin \ python3-xmlrpc \ python3-pickle \ + python3-distutils \ + python3-image \ " BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch b/meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch new file mode 100644 index 0000000000..be3090eb8d --- /dev/null +++ b/meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch 
@@ -0,0 +1,436 @@ +From 73bbed822fadddf3c0ab4a945ee6ab16bbca6961 Mon Sep 17 00:00:00 2001 +From: Helder Eijs <helderijs@gmail.com> +Date: Thu, 1 Feb 2024 13:43:44 +0000 +Subject: [PATCH] Use constant-time (faster) padding decoding also for OAEP + +CVE: CVE-2023-52323 + +Upstream-Status: Backport [https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + lib/Crypto/Cipher/PKCS1_OAEP.py | 38 +++++------- + lib/Crypto/Cipher/PKCS1_v1_5.py | 31 +--------- + lib/Crypto/Cipher/_pkcs1_oaep_decode.py | 41 +++++++++++++ + src/pkcs1_decode.c | 79 +++++++++++++++++++++++-- + src/test/test_pkcs1.c | 22 +++---- + 5 files changed, 145 insertions(+), 66 deletions(-) + create mode 100644 lib/Crypto/Cipher/_pkcs1_oaep_decode.py + +diff --git a/lib/Crypto/Cipher/PKCS1_OAEP.py b/lib/Crypto/Cipher/PKCS1_OAEP.py +index 57a982b..6974584 100644 +--- a/lib/Crypto/Cipher/PKCS1_OAEP.py ++++ b/lib/Crypto/Cipher/PKCS1_OAEP.py +@@ -23,11 +23,13 @@ + from Crypto.Signature.pss import MGF1 + import Crypto.Hash.SHA1 + +-from Crypto.Util.py3compat import bord, _copy_bytes ++from Crypto.Util.py3compat import _copy_bytes + import Crypto.Util.number +-from Crypto.Util.number import ceil_div, bytes_to_long, long_to_bytes +-from Crypto.Util.strxor import strxor ++from Crypto.Util.number import ceil_div, bytes_to_long, long_to_bytes ++from Crypto.Util.strxor import strxor + from Crypto import Random ++from ._pkcs1_oaep_decode import oaep_decode ++ + + class PKCS1OAEP_Cipher: + """Cipher object for PKCS#1 v1.5 OAEP. 
+@@ -68,7 +70,7 @@ class PKCS1OAEP_Cipher: + if mgfunc: + self._mgf = mgfunc + else: +- self._mgf = lambda x,y: MGF1(x,y,self._hashObj) ++ self._mgf = lambda x, y: MGF1(x, y, self._hashObj) + + self._label = _copy_bytes(None, None, label) + self._randfunc = randfunc +@@ -105,7 +107,7 @@ class PKCS1OAEP_Cipher: + + # See 7.1.1 in RFC3447 + modBits = Crypto.Util.number.size(self._key.n) +- k = ceil_div(modBits, 8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + mLen = len(message) + +@@ -159,11 +161,11 @@ class PKCS1OAEP_Cipher: + + # See 7.1.2 in RFC3447 + modBits = Crypto.Util.number.size(self._key.n) +- k = ceil_div(modBits,8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + + # Step 1b and 1c +- if len(ciphertext) != k or k<hLen+2: ++ if len(ciphertext) != k or k < hLen+2: + raise ValueError("Ciphertext with incorrect length.") + # Step 2a (O2SIP) + ct_int = bytes_to_long(ciphertext) +@@ -173,8 +175,6 @@ class PKCS1OAEP_Cipher: + em = long_to_bytes(m_int, k) + # Step 3a + lHash = self._hashObj.new(self._label).digest() +- # Step 3b +- y = em[0] + # y must be 0, but we MUST NOT check it here in order not to + # allow attacks like Manger's (http://dl.acm.org/citation.cfm?id=704143) + maskedSeed = em[1:hLen+1] +@@ -187,22 +187,17 @@ class PKCS1OAEP_Cipher: + dbMask = self._mgf(seed, k-hLen-1) + # Step 3f + db = strxor(maskedDB, dbMask) +- # Step 3g +- one_pos = hLen + db[hLen:].find(b'\x01') +- lHash1 = db[:hLen] +- invalid = bord(y) | int(one_pos < hLen) +- hash_compare = strxor(lHash1, lHash) +- for x in hash_compare: +- invalid |= bord(x) +- for x in db[hLen:one_pos]: +- invalid |= bord(x) +- if invalid != 0: ++ # Step 3b + 3g ++ res = oaep_decode(em, lHash, db) ++ if res <= 0: + raise ValueError("Incorrect decryption.") + # Step 4 +- return db[one_pos + 1:] ++ return db[res:] ++ + + def new(key, hashAlgo=None, 
mgfunc=None, label=b'', randfunc=None): +- """Return a cipher object :class:`PKCS1OAEP_Cipher` that can be used to perform PKCS#1 OAEP encryption or decryption. ++ """Return a cipher object :class:`PKCS1OAEP_Cipher` ++ that can be used to perform PKCS#1 OAEP encryption or decryption. + + :param key: + The key object to use to encrypt or decrypt the message. +@@ -236,4 +231,3 @@ def new(key, hashAlgo=None, mgfunc=None, label=b'', randfunc=None): + if randfunc is None: + randfunc = Random.get_random_bytes + return PKCS1OAEP_Cipher(key, hashAlgo, mgfunc, label, randfunc) +- +diff --git a/lib/Crypto/Cipher/PKCS1_v1_5.py b/lib/Crypto/Cipher/PKCS1_v1_5.py +index d0d474a..94e99cf 100644 +--- a/lib/Crypto/Cipher/PKCS1_v1_5.py ++++ b/lib/Crypto/Cipher/PKCS1_v1_5.py +@@ -25,31 +25,7 @@ __all__ = ['new', 'PKCS115_Cipher'] + from Crypto import Random + from Crypto.Util.number import bytes_to_long, long_to_bytes + from Crypto.Util.py3compat import bord, is_bytes, _copy_bytes +- +-from Crypto.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t, +- c_uint8_ptr) +- +- +-_raw_pkcs1_decode = load_pycryptodome_raw_lib("Crypto.Cipher._pkcs1_decode", +- """ +- int pkcs1_decode(const uint8_t *em, size_t len_em, +- const uint8_t *sentinel, size_t len_sentinel, +- size_t expected_pt_len, +- uint8_t *output); +- """) +- +- +-def _pkcs1_decode(em, sentinel, expected_pt_len, output): +- if len(em) != len(output): +- raise ValueError("Incorrect output length") +- +- ret = _raw_pkcs1_decode.pkcs1_decode(c_uint8_ptr(em), +- c_size_t(len(em)), +- c_uint8_ptr(sentinel), +- c_size_t(len(sentinel)), +- c_size_t(expected_pt_len), +- c_uint8_ptr(output)) +- return ret ++from ._pkcs1_oaep_decode import pkcs1_decode + + + class PKCS115_Cipher: +@@ -113,7 +89,6 @@ class PKCS115_Cipher: + continue + ps.append(new_byte) + ps = b"".join(ps) +- assert(len(ps) == k - mLen - 3) + # Step 2b + em = b'\x00\x02' + ps + b'\x00' + _copy_bytes(None, None, message) + # Step 3a (OS2IP) +@@ -185,14 +160,14 @@ 
class PKCS115_Cipher: + # Step 3 (not constant time when the sentinel is not a byte string) + output = bytes(bytearray(k)) + if not is_bytes(sentinel) or len(sentinel) > k: +- size = _pkcs1_decode(em, b'', expected_pt_len, output) ++ size = pkcs1_decode(em, b'', expected_pt_len, output) + if size < 0: + return sentinel + else: + return output[size:] + + # Step 3 (somewhat constant time) +- size = _pkcs1_decode(em, sentinel, expected_pt_len, output) ++ size = pkcs1_decode(em, sentinel, expected_pt_len, output) + return output[size:] + + +diff --git a/lib/Crypto/Cipher/_pkcs1_oaep_decode.py b/lib/Crypto/Cipher/_pkcs1_oaep_decode.py +new file mode 100644 +index 0000000..fc07528 +--- /dev/null ++++ b/lib/Crypto/Cipher/_pkcs1_oaep_decode.py +@@ -0,0 +1,41 @@ ++from Crypto.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t, ++ c_uint8_ptr) ++ ++ ++_raw_pkcs1_decode = load_pycryptodome_raw_lib("Crypto.Cipher._pkcs1_decode", ++ """ ++ int pkcs1_decode(const uint8_t *em, size_t len_em, ++ const uint8_t *sentinel, size_t len_sentinel, ++ size_t expected_pt_len, ++ uint8_t *output); ++ ++ int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len); ++ """) ++ ++ ++def pkcs1_decode(em, sentinel, expected_pt_len, output): ++ if len(em) != len(output): ++ raise ValueError("Incorrect output length") ++ ++ ret = _raw_pkcs1_decode.pkcs1_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(sentinel), ++ c_size_t(len(sentinel)), ++ c_size_t(expected_pt_len), ++ c_uint8_ptr(output)) ++ return ret ++ ++ ++def oaep_decode(em, lHash, db): ++ ret = _raw_pkcs1_decode.oaep_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(lHash), ++ c_size_t(len(lHash)), ++ c_uint8_ptr(db), ++ c_size_t(len(db))) ++ return ret +diff --git a/src/pkcs1_decode.c b/src/pkcs1_decode.c +index 207b198..74cb4a2 100644 +--- a/src/pkcs1_decode.c ++++ b/src/pkcs1_decode.c +@@ -130,7 +130,7 @@ STATIC size_t 
safe_select_idx(size_t in1, size_t in2, uint8_t choice) + * - in1[] is NOT equal to in2[] where neq_mask[] is 0xFF. + * Return non-zero otherwise. + */ +-STATIC uint8_t safe_cmp(const uint8_t *in1, const uint8_t *in2, ++STATIC uint8_t safe_cmp_masks(const uint8_t *in1, const uint8_t *in2, + const uint8_t *eq_mask, const uint8_t *neq_mask, + size_t len) + { +@@ -187,7 +187,7 @@ STATIC size_t safe_search(const uint8_t *in1, uint8_t c, size_t len) + return result; + } + +-#define EM_PREFIX_LEN 10 ++#define PKCS1_PREFIX_LEN 10 + + /* + * Decode and verify the PKCS#1 padding, then put either the plaintext +@@ -222,13 +222,13 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + if (NULL == em || NULL == output || NULL == sentinel) { + return -1; + } +- if (len_em_output < (EM_PREFIX_LEN + 2)) { ++ if (len_em_output < (PKCS1_PREFIX_LEN + 2)) { + return -1; + } + if (len_sentinel > len_em_output) { + return -1; + } +- if (expected_pt_len > 0 && expected_pt_len > (len_em_output - EM_PREFIX_LEN - 1)) { ++ if (expected_pt_len > 0 && expected_pt_len > (len_em_output - PKCS1_PREFIX_LEN - 1)) { + return -1; + } + +@@ -240,7 +240,7 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + memcpy(padded_sentinel + (len_em_output - len_sentinel), sentinel, len_sentinel); + + /** The first 10 bytes must follow the pattern **/ +- match = safe_cmp(em, ++ match = safe_cmp_masks(em, + (const uint8_t*)"\x00\x02" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\xFF\xFF" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\x00\x00" "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", +@@ -283,3 +283,72 @@ end: + free(padded_sentinel); + return result; + } ++ ++/* ++ * Decode and verify the OAEP padding in constant time. ++ * ++ * The function returns the number of bytes to ignore at the beginning ++ * of db (the rest is the plaintext), or -1 in case of problems. 
++ */ ++ ++EXPORT_SYM int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len) /* em_len - 1 - hLen */ ++{ ++ int result; ++ size_t one_pos, search_len, i; ++ uint8_t wrong_padding; ++ uint8_t *eq_mask = NULL; ++ uint8_t *neq_mask = NULL; ++ uint8_t *target_db = NULL; ++ ++ if (NULL == em || NULL == lHash || NULL == db) { ++ return -1; ++ } ++ ++ if (em_len < 2*hLen+2 || db_len != em_len-1-hLen) { ++ return -1; ++ } ++ ++ /* Allocate */ ++ eq_mask = (uint8_t*) calloc(1, db_len); ++ neq_mask = (uint8_t*) calloc(1, db_len); ++ target_db = (uint8_t*) calloc(1, db_len); ++ if (NULL == eq_mask || NULL == neq_mask || NULL == target_db) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ /* Step 3g */ ++ search_len = db_len - hLen; ++ ++ one_pos = safe_search(db + hLen, 0x01, search_len); ++ if (SIZE_T_MAX == one_pos) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ memset(eq_mask, 0xAA, db_len); ++ memcpy(target_db, lHash, hLen); ++ memset(eq_mask, 0xFF, hLen); ++ ++ for (i=0; i<search_len; i++) { ++ eq_mask[hLen + i] = propagate_ones(i < one_pos); ++ } ++ ++ wrong_padding = em[0]; ++ wrong_padding |= safe_cmp_masks(db, target_db, eq_mask, neq_mask, db_len); ++ set_if_match(&wrong_padding, one_pos, search_len); ++ ++ result = wrong_padding ? 
-1 : (int)(hLen + 1 + one_pos); ++ ++cleanup: ++ free(eq_mask); ++ free(neq_mask); ++ free(target_db); ++ ++ return result; ++} +diff --git a/src/test/test_pkcs1.c b/src/test/test_pkcs1.c +index 6ef63cb..69aaac5 100644 +--- a/src/test/test_pkcs1.c ++++ b/src/test/test_pkcs1.c +@@ -5,7 +5,7 @@ void set_if_match(uint8_t *flag, size_t term1, size_t term2); + void set_if_no_match(uint8_t *flag, size_t term1, size_t term2); + void safe_select(const uint8_t *in1, const uint8_t *in2, uint8_t *out, uint8_t choice, size_t len); + size_t safe_select_idx(size_t in1, size_t in2, uint8_t choice); +-uint8_t safe_cmp(const uint8_t *in1, const uint8_t *in2, ++uint8_t safe_cmp_masks(const uint8_t *in1, const uint8_t *in2, + const uint8_t *eq_mask, const uint8_t *neq_mask, + size_t len); + size_t safe_search(const uint8_t *in1, uint8_t c, size_t len); +@@ -80,29 +80,29 @@ void test_safe_select_idx() + assert(safe_select_idx(0x100004, 0x223344, 1) == 0x223344); + } + +-void test_safe_cmp() ++void test_safe_cmp_masks(void) + { + uint8_t res; + +- res = safe_cmp(onezero, onezero, ++ res = safe_cmp_masks(onezero, onezero, + (uint8_t*)"\xFF\xFF", + (uint8_t*)"\x00\x00", + 2); + assert(res == 0); + +- res = safe_cmp(onezero, zerozero, ++ res = safe_cmp_masks(onezero, zerozero, + (uint8_t*)"\xFF\xFF", + (uint8_t*)"\x00\x00", + 2); + assert(res != 0); + +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\xFF\xFF", + (uint8_t*)"\x00\x00", + 2); + assert(res != 0); + +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\xFF\x00", + (uint8_t*)"\x00\x00", + 2); +@@ -110,19 +110,19 @@ void test_safe_cmp() + + /** -- **/ + +- res = safe_cmp(onezero, onezero, ++ res = safe_cmp_masks(onezero, onezero, + (uint8_t*)"\x00\x00", + (uint8_t*)"\xFF\xFF", + 2); + assert(res != 0); + +- res = safe_cmp(oneone, zerozero, ++ res = safe_cmp_masks(oneone, zerozero, + (uint8_t*)"\x00\x00", + (uint8_t*)"\xFF\xFF", + 2); + assert(res == 0); 
+ +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\x00\x00", + (uint8_t*)"\x00\xFF", + 2); +@@ -130,7 +130,7 @@ void test_safe_cmp() + + /** -- **/ + +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\xFF\x00", + (uint8_t*)"\x00\xFF", + 2); +@@ -158,7 +158,7 @@ int main(void) + test_set_if_no_match(); + test_safe_select(); + test_safe_select_idx(); +- test_safe_cmp(); ++ test_safe_cmp_masks(); + test_safe_search(); + return 0; + } +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pycryptodome_3.14.1.bb b/meta/recipes-devtools/python/python3-pycryptodome_3.14.1.bb index c0324590c2..1e6c514224 100644 --- a/meta/recipes-devtools/python/python3-pycryptodome_3.14.1.bb +++ b/meta/recipes-devtools/python/python3-pycryptodome_3.14.1.bb @@ -3,3 +3,4 @@ inherit setuptools3 SRC_URI[sha256sum] = "e04e40a7f8c1669195536a37979dd87da2c32dbdc73d6fe35f0077b0c17c803b" +SRC_URI += "file://CVE-2023-52323.patch" diff --git a/meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch b/meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch new file mode 100644 index 0000000000..56000b996e --- /dev/null +++ b/meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch 
@@ -0,0 +1,436 @@ +From 8ed5cf533be298d40ec9f75a188738ad4c3a8417 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Thu, 8 Feb 2024 09:09:35 +0000 +Subject: [PATCH] Use constant-time (faster) padding decoding also for OAEP + +CVE: CVE-2023-52323 + +Upstream-Status: Backport [https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + lib/Cryptodome/Cipher/PKCS1_OAEP.py | 38 +++++----- + lib/Cryptodome/Cipher/PKCS1_v1_5.py | 31 +------- + lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py | 41 +++++++++++ + src/pkcs1_decode.c | 79 +++++++++++++++++++-- + src/test/test_pkcs1.c | 22 +++--- + 5 files changed, 145 insertions(+), 66 deletions(-) + create mode 100644 lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py + +diff --git a/lib/Cryptodome/Cipher/PKCS1_OAEP.py b/lib/Cryptodome/Cipher/PKCS1_OAEP.py +index 7525c5d..653df04 100644 +--- a/lib/Cryptodome/Cipher/PKCS1_OAEP.py ++++ b/lib/Cryptodome/Cipher/PKCS1_OAEP.py +@@ -23,11 +23,13 @@ + from Cryptodome.Signature.pss import MGF1 + import Cryptodome.Hash.SHA1 + +-from Cryptodome.Util.py3compat import bord, _copy_bytes ++from Crypto.Util.py3compat import _copy_bytes + import Cryptodome.Util.number +-from Cryptodome.Util.number import ceil_div, bytes_to_long, long_to_bytes +-from Cryptodome.Util.strxor import strxor ++from Crypto.Util.number import ceil_div, bytes_to_long, long_to_bytes ++from Crypto.Util.strxor import strxor + from Cryptodome import Random ++from ._pkcs1_oaep_decode import oaep_decode ++ + + class PKCS1OAEP_Cipher: + """Cipher object for PKCS#1 v1.5 OAEP. 
+@@ -68,7 +70,7 @@ class PKCS1OAEP_Cipher: + if mgfunc: + self._mgf = mgfunc + else: +- self._mgf = lambda x,y: MGF1(x,y,self._hashObj) ++ self._mgf = lambda x, y: MGF1(x, y, self._hashObj) + + self._label = _copy_bytes(None, None, label) + self._randfunc = randfunc +@@ -105,7 +107,7 @@ class PKCS1OAEP_Cipher: + + # See 7.1.1 in RFC3447 + modBits = Cryptodome.Util.number.size(self._key.n) +- k = ceil_div(modBits, 8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + mLen = len(message) + +@@ -159,11 +161,11 @@ class PKCS1OAEP_Cipher: + + # See 7.1.2 in RFC3447 + modBits = Cryptodome.Util.number.size(self._key.n) +- k = ceil_div(modBits,8) # Convert from bits to bytes ++ k = ceil_div(modBits, 8) # Convert from bits to bytes + hLen = self._hashObj.digest_size + + # Step 1b and 1c +- if len(ciphertext) != k or k<hLen+2: ++ if len(ciphertext) != k or k < hLen+2: + raise ValueError("Ciphertext with incorrect length.") + # Step 2a (O2SIP) + ct_int = bytes_to_long(ciphertext) +@@ -173,8 +175,6 @@ class PKCS1OAEP_Cipher: + em = long_to_bytes(m_int, k) + # Step 3a + lHash = self._hashObj.new(self._label).digest() +- # Step 3b +- y = em[0] + # y must be 0, but we MUST NOT check it here in order not to + # allow attacks like Manger's (http://dl.acm.org/citation.cfm?id=704143) + maskedSeed = em[1:hLen+1] +@@ -187,22 +187,17 @@ class PKCS1OAEP_Cipher: + dbMask = self._mgf(seed, k-hLen-1) + # Step 3f + db = strxor(maskedDB, dbMask) +- # Step 3g +- one_pos = hLen + db[hLen:].find(b'\x01') +- lHash1 = db[:hLen] +- invalid = bord(y) | int(one_pos < hLen) +- hash_compare = strxor(lHash1, lHash) +- for x in hash_compare: +- invalid |= bord(x) +- for x in db[hLen:one_pos]: +- invalid |= bord(x) +- if invalid != 0: ++ # Step 3b + 3g ++ res = oaep_decode(em, lHash, db) ++ if res <= 0: + raise ValueError("Incorrect decryption.") + # Step 4 +- return db[one_pos + 1:] ++ return db[res:] ++ + + def new(key, 
hashAlgo=None, mgfunc=None, label=b'', randfunc=None): +- """Return a cipher object :class:`PKCS1OAEP_Cipher` that can be used to perform PKCS#1 OAEP encryption or decryption. ++ """Return a cipher object :class:`PKCS1OAEP_Cipher` ++ that can be used to perform PKCS#1 OAEP encryption or decryption. + + :param key: + The key object to use to encrypt or decrypt the message. +@@ -236,4 +231,3 @@ def new(key, hashAlgo=None, mgfunc=None, label=b'', randfunc=None): + if randfunc is None: + randfunc = Random.get_random_bytes + return PKCS1OAEP_Cipher(key, hashAlgo, mgfunc, label, randfunc) +- +diff --git a/lib/Cryptodome/Cipher/PKCS1_v1_5.py b/lib/Cryptodome/Cipher/PKCS1_v1_5.py +index 17ef9eb..f20a7ce 100644 +--- a/lib/Cryptodome/Cipher/PKCS1_v1_5.py ++++ b/lib/Cryptodome/Cipher/PKCS1_v1_5.py +@@ -25,31 +25,7 @@ __all__ = ['new', 'PKCS115_Cipher'] + from Cryptodome import Random + from Cryptodome.Util.number import bytes_to_long, long_to_bytes + from Cryptodome.Util.py3compat import bord, is_bytes, _copy_bytes +- +-from Cryptodome.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t, +- c_uint8_ptr) +- +- +-_raw_pkcs1_decode = load_pycryptodome_raw_lib("Cryptodome.Cipher._pkcs1_decode", +- """ +- int pkcs1_decode(const uint8_t *em, size_t len_em, +- const uint8_t *sentinel, size_t len_sentinel, +- size_t expected_pt_len, +- uint8_t *output); +- """) +- +- +-def _pkcs1_decode(em, sentinel, expected_pt_len, output): +- if len(em) != len(output): +- raise ValueError("Incorrect output length") +- +- ret = _raw_pkcs1_decode.pkcs1_decode(c_uint8_ptr(em), +- c_size_t(len(em)), +- c_uint8_ptr(sentinel), +- c_size_t(len(sentinel)), +- c_size_t(expected_pt_len), +- c_uint8_ptr(output)) +- return ret ++from ._pkcs1_oaep_decode import pkcs1_decode + + + class PKCS115_Cipher: +@@ -113,7 +89,6 @@ class PKCS115_Cipher: + continue + ps.append(new_byte) + ps = b"".join(ps) +- assert(len(ps) == k - mLen - 3) + # Step 2b + em = b'\x00\x02' + ps + b'\x00' + _copy_bytes(None, None, 
message) + # Step 3a (OS2IP) +@@ -185,14 +160,14 @@ class PKCS115_Cipher: + # Step 3 (not constant time when the sentinel is not a byte string) + output = bytes(bytearray(k)) + if not is_bytes(sentinel) or len(sentinel) > k: +- size = _pkcs1_decode(em, b'', expected_pt_len, output) ++ size = pkcs1_decode(em, b'', expected_pt_len, output) + if size < 0: + return sentinel + else: + return output[size:] + + # Step 3 (somewhat constant time) +- size = _pkcs1_decode(em, sentinel, expected_pt_len, output) ++ size = pkcs1_decode(em, sentinel, expected_pt_len, output) + return output[size:] + + +diff --git a/lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py b/lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py +new file mode 100644 +index 0000000..fc07528 +--- /dev/null ++++ b/lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py +@@ -0,0 +1,41 @@ ++from Crypto.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t, ++ c_uint8_ptr) ++ ++ ++_raw_pkcs1_decode = load_pycryptodome_raw_lib("Crypto.Cipher._pkcs1_decode", ++ """ ++ int pkcs1_decode(const uint8_t *em, size_t len_em, ++ const uint8_t *sentinel, size_t len_sentinel, ++ size_t expected_pt_len, ++ uint8_t *output); ++ ++ int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len); ++ """) ++ ++ ++def pkcs1_decode(em, sentinel, expected_pt_len, output): ++ if len(em) != len(output): ++ raise ValueError("Incorrect output length") ++ ++ ret = _raw_pkcs1_decode.pkcs1_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(sentinel), ++ c_size_t(len(sentinel)), ++ c_size_t(expected_pt_len), ++ c_uint8_ptr(output)) ++ return ret ++ ++ ++def oaep_decode(em, lHash, db): ++ ret = _raw_pkcs1_decode.oaep_decode(c_uint8_ptr(em), ++ c_size_t(len(em)), ++ c_uint8_ptr(lHash), ++ c_size_t(len(lHash)), ++ c_uint8_ptr(db), ++ c_size_t(len(db))) ++ return ret +diff --git a/src/pkcs1_decode.c b/src/pkcs1_decode.c +index 207b198..74cb4a2 100644 +--- a/src/pkcs1_decode.c ++++ 
b/src/pkcs1_decode.c +@@ -130,7 +130,7 @@ STATIC size_t safe_select_idx(size_t in1, size_t in2, uint8_t choice) + * - in1[] is NOT equal to in2[] where neq_mask[] is 0xFF. + * Return non-zero otherwise. + */ +-STATIC uint8_t safe_cmp(const uint8_t *in1, const uint8_t *in2, ++STATIC uint8_t safe_cmp_masks(const uint8_t *in1, const uint8_t *in2, + const uint8_t *eq_mask, const uint8_t *neq_mask, + size_t len) + { +@@ -187,7 +187,7 @@ STATIC size_t safe_search(const uint8_t *in1, uint8_t c, size_t len) + return result; + } + +-#define EM_PREFIX_LEN 10 ++#define PKCS1_PREFIX_LEN 10 + + /* + * Decode and verify the PKCS#1 padding, then put either the plaintext +@@ -222,13 +222,13 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + if (NULL == em || NULL == output || NULL == sentinel) { + return -1; + } +- if (len_em_output < (EM_PREFIX_LEN + 2)) { ++ if (len_em_output < (PKCS1_PREFIX_LEN + 2)) { + return -1; + } + if (len_sentinel > len_em_output) { + return -1; + } +- if (expected_pt_len > 0 && expected_pt_len > (len_em_output - EM_PREFIX_LEN - 1)) { ++ if (expected_pt_len > 0 && expected_pt_len > (len_em_output - PKCS1_PREFIX_LEN - 1)) { + return -1; + } + +@@ -240,7 +240,7 @@ EXPORT_SYM int pkcs1_decode(const uint8_t *em, size_t len_em_output, + memcpy(padded_sentinel + (len_em_output - len_sentinel), sentinel, len_sentinel); + + /** The first 10 bytes must follow the pattern **/ +- match = safe_cmp(em, ++ match = safe_cmp_masks(em, + (const uint8_t*)"\x00\x02" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\xFF\xFF" "\x00\x00\x00\x00\x00\x00\x00\x00", + (const uint8_t*)"\x00\x00" "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", +@@ -283,3 +283,72 @@ end: + free(padded_sentinel); + return result; + } ++ ++/* ++ * Decode and verify the OAEP padding in constant time. ++ * ++ * The function returns the number of bytes to ignore at the beginning ++ * of db (the rest is the plaintext), or -1 in case of problems. 
++ */ ++ ++EXPORT_SYM int oaep_decode(const uint8_t *em, ++ size_t em_len, ++ const uint8_t *lHash, ++ size_t hLen, ++ const uint8_t *db, ++ size_t db_len) /* em_len - 1 - hLen */ ++{ ++ int result; ++ size_t one_pos, search_len, i; ++ uint8_t wrong_padding; ++ uint8_t *eq_mask = NULL; ++ uint8_t *neq_mask = NULL; ++ uint8_t *target_db = NULL; ++ ++ if (NULL == em || NULL == lHash || NULL == db) { ++ return -1; ++ } ++ ++ if (em_len < 2*hLen+2 || db_len != em_len-1-hLen) { ++ return -1; ++ } ++ ++ /* Allocate */ ++ eq_mask = (uint8_t*) calloc(1, db_len); ++ neq_mask = (uint8_t*) calloc(1, db_len); ++ target_db = (uint8_t*) calloc(1, db_len); ++ if (NULL == eq_mask || NULL == neq_mask || NULL == target_db) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ /* Step 3g */ ++ search_len = db_len - hLen; ++ ++ one_pos = safe_search(db + hLen, 0x01, search_len); ++ if (SIZE_T_MAX == one_pos) { ++ result = -1; ++ goto cleanup; ++ } ++ ++ memset(eq_mask, 0xAA, db_len); ++ memcpy(target_db, lHash, hLen); ++ memset(eq_mask, 0xFF, hLen); ++ ++ for (i=0; i<search_len; i++) { ++ eq_mask[hLen + i] = propagate_ones(i < one_pos); ++ } ++ ++ wrong_padding = em[0]; ++ wrong_padding |= safe_cmp_masks(db, target_db, eq_mask, neq_mask, db_len); ++ set_if_match(&wrong_padding, one_pos, search_len); ++ ++ result = wrong_padding ? 
-1 : (int)(hLen + 1 + one_pos); ++ ++cleanup: ++ free(eq_mask); ++ free(neq_mask); ++ free(target_db); ++ ++ return result; ++} +diff --git a/src/test/test_pkcs1.c b/src/test/test_pkcs1.c +index 6ef63cb..69aaac5 100644 +--- a/src/test/test_pkcs1.c ++++ b/src/test/test_pkcs1.c +@@ -5,7 +5,7 @@ void set_if_match(uint8_t *flag, size_t term1, size_t term2); + void set_if_no_match(uint8_t *flag, size_t term1, size_t term2); + void safe_select(const uint8_t *in1, const uint8_t *in2, uint8_t *out, uint8_t choice, size_t len); + size_t safe_select_idx(size_t in1, size_t in2, uint8_t choice); +-uint8_t safe_cmp(const uint8_t *in1, const uint8_t *in2, ++uint8_t safe_cmp_masks(const uint8_t *in1, const uint8_t *in2, + const uint8_t *eq_mask, const uint8_t *neq_mask, + size_t len); + size_t safe_search(const uint8_t *in1, uint8_t c, size_t len); +@@ -80,29 +80,29 @@ void test_safe_select_idx() + assert(safe_select_idx(0x100004, 0x223344, 1) == 0x223344); + } + +-void test_safe_cmp() ++void test_safe_cmp_masks(void) + { + uint8_t res; + +- res = safe_cmp(onezero, onezero, ++ res = safe_cmp_masks(onezero, onezero, + (uint8_t*)"\xFF\xFF", + (uint8_t*)"\x00\x00", + 2); + assert(res == 0); + +- res = safe_cmp(onezero, zerozero, ++ res = safe_cmp_masks(onezero, zerozero, + (uint8_t*)"\xFF\xFF", + (uint8_t*)"\x00\x00", + 2); + assert(res != 0); + +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\xFF\xFF", + (uint8_t*)"\x00\x00", + 2); + assert(res != 0); + +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\xFF\x00", + (uint8_t*)"\x00\x00", + 2); +@@ -110,19 +110,19 @@ void test_safe_cmp() + + /** -- **/ + +- res = safe_cmp(onezero, onezero, ++ res = safe_cmp_masks(onezero, onezero, + (uint8_t*)"\x00\x00", + (uint8_t*)"\xFF\xFF", + 2); + assert(res != 0); + +- res = safe_cmp(oneone, zerozero, ++ res = safe_cmp_masks(oneone, zerozero, + (uint8_t*)"\x00\x00", + (uint8_t*)"\xFF\xFF", + 2); + assert(res == 0); 
+ +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\x00\x00", + (uint8_t*)"\x00\xFF", + 2); +@@ -130,7 +130,7 @@ void test_safe_cmp() + + /** -- **/ + +- res = safe_cmp(onezero, oneone, ++ res = safe_cmp_masks(onezero, oneone, + (uint8_t*)"\xFF\x00", + (uint8_t*)"\x00\xFF", + 2); +@@ -158,7 +158,7 @@ int main(void) + test_set_if_no_match(); + test_safe_select(); + test_safe_select_idx(); +- test_safe_cmp(); ++ test_safe_cmp_masks(); + test_safe_search(); + return 0; + } +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pycryptodomex_3.14.1.bb b/meta/recipes-devtools/python/python3-pycryptodomex_3.14.1.bb index 79a3fee19c..31ad3fda5e 100644 --- a/meta/recipes-devtools/python/python3-pycryptodomex_3.14.1.bb +++ b/meta/recipes-devtools/python/python3-pycryptodomex_3.14.1.bb @@ -3,6 +3,8 @@ inherit setuptools3 SRC_URI[sha256sum] = "2ce76ed0081fd6ac8c74edc75b9d14eca2064173af79843c24fa62573263c1f2" +SRC_URI += "file://CVE-2023-52323.patch" + FILES:${PN}-tests = " \ ${PYTHON_SITEPACKAGES_DIR}/Cryptodome/SelfTest/ \ ${PYTHON_SITEPACKAGES_DIR}/Cryptodome/SelfTest/__pycache__/ \ diff --git a/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch new file mode 100644 index 0000000000..9848072a94 --- /dev/null +++ b/meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch 
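Review bot: The pycryptodomex copy of this backport imports from the `Crypto` namespace in files that live under `lib/Cryptodome/`. In PKCS1_OAEP.py the three rewritten imports name `Crypto.Util.*` while the untouched neighbours (`import Cryptodome.Util.number`, `from Cryptodome import Random`) still use `Cryptodome`. The new `_pkcs1_oaep_decode.py` likewise imports `Crypto.Util._raw_api` and loads `"Crypto.Cipher._pkcs1_decode"`. Unless the build rewrites the namespace after patching (not visible here), OAEP and PKCS#1 v1.5 decryption in this package would depend on a separately installed pycryptodome, failing at import when it is absent and otherwise calling into whatever native decoder that package ships. The five lines should name `Cryptodome`, as in the excerpt below.

```python
# lib/Cryptodome/Cipher/PKCS1_OAEP.py
from Cryptodome.Util.py3compat import _copy_bytes
import Cryptodome.Util.number
from Cryptodome.Util.number import ceil_div, bytes_to_long, long_to_bytes
from Cryptodome.Util.strxor import strxor
# … unchanged: Random and oaep_decode imports …

# lib/Cryptodome/Cipher/_pkcs1_oaep_decode.py
from Cryptodome.Util._raw_api import (load_pycryptodome_raw_lib, c_size_t,
                                      c_uint8_ptr)

_raw_pkcs1_decode = load_pycryptodome_raw_lib("Cryptodome.Cipher._pkcs1_decode",
# … unchanged: C prototypes and the pkcs1_decode / oaep_decode wrappers …
```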
@@ -0,0 +1,124 @@ +From ed61747f328ff6aa343881b269600308ab8eac93 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 6 Sep 2023 10:32:38 +0000 +Subject: [PATCH] Improve the Smithy metadata matcher. + +Previously, metadata foo bar baz = 23 was accepted, but according to +the definition https://smithy.io/2.0/spec/idl.html#grammar-token-smithy-MetadataSection +it should be "metadata"<whitespace>Identifier/String<optional whitespace>. + +CVE: CVE-2022-40896 + +Upstream-Status: Backport [https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + pygments/lexers/smithy.py | 5 +- + tests/examplefiles/smithy/test.smithy | 12 +++++ + tests/examplefiles/smithy/test.smithy.output | 52 ++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + +diff --git a/pygments/lexers/smithy.py b/pygments/lexers/smithy.py +index 0f0a912..c5e25cd 100644 +--- a/pygments/lexers/smithy.py ++++ b/pygments/lexers/smithy.py +@@ -58,8 +58,9 @@ class SmithyLexer(RegexLexer): + (words(aggregate_shapes, + prefix=r'^', suffix=r'(\s+' + identifier + r')'), + bygroups(Keyword.Declaration, Name.Class)), +- (r'^(metadata)(\s+.+)(\s*)(=)', +- bygroups(Keyword.Declaration, Name.Class, Whitespace, Name.Decorator)), ++ (r'^(metadata)(\s+)((?:\S+)|(?:\"[^"]+\"))(\s*)(=)', ++ bygroups(Keyword.Declaration, Whitespace, Name.Class, ++ Whitespace, Name.Decorator)), + (r"(true|false|null)", Keyword.Constant), + (r"(-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?)", Number), + (identifier + ":", Name.Label), +diff --git a/tests/examplefiles/smithy/test.smithy b/tests/examplefiles/smithy/test.smithy +index 3d20f06..9317fee 100644 +--- a/tests/examplefiles/smithy/test.smithy ++++ b/tests/examplefiles/smithy/test.smithy +@@ -2,6 +2,18 @@ $version: "1.0" + + namespace test + ++metadata "foo" = ["bar", "baz"] ++metadata validators = [ ++ { ++ name: "ValidatorName" ++ id: "ValidatorId" ++ 
message: "Some string" ++ configuration: { ++ selector: "operation" ++ } ++ } ++] ++ + /// Define how an HTTP request is serialized given a specific protocol, + /// authentication scheme, and set of input parameters. + @trait(selector: "operation") +diff --git a/tests/examplefiles/smithy/test.smithy.output b/tests/examplefiles/smithy/test.smithy.output +index 1f22489..db44a38 100644 +--- a/tests/examplefiles/smithy/test.smithy.output ++++ b/tests/examplefiles/smithy/test.smithy.output +@@ -7,6 +7,58 @@ + ' test' Name.Class + '\n\n' Text.Whitespace + ++'metadata' Keyword.Declaration ++' ' Text.Whitespace ++'"foo"' Name.Class ++' ' Text.Whitespace ++'=' Name.Decorator ++' ' Text.Whitespace ++'[' Text ++'"bar"' Literal.String.Double ++',' Punctuation ++' ' Text.Whitespace ++'"baz"' Literal.String.Double ++']' Text ++'\n' Text.Whitespace ++ ++'metadata' Keyword.Declaration ++' ' Text.Whitespace ++'validators' Name.Class ++' ' Text.Whitespace ++'=' Name.Decorator ++' ' Text.Whitespace ++'[' Text ++'\n ' Text.Whitespace ++'{' Text ++'\n ' Text.Whitespace ++'name:' Name.Label ++' ' Text.Whitespace ++'"ValidatorName"' Literal.String.Double ++'\n ' Text.Whitespace ++'id:' Name.Label ++' ' Text.Whitespace ++'"ValidatorId"' Literal.String.Double ++'\n ' Text.Whitespace ++'message:' Name.Label ++' ' Text.Whitespace ++'"Some string"' Literal.String.Double ++'\n ' Text.Whitespace ++'configuration:' Name.Label ++' ' Text.Whitespace ++'{' Text ++'\n ' Text.Whitespace ++'selector:' Name.Label ++' ' Text.Whitespace ++'"operation"' Literal.String.Double ++'\n ' Text.Whitespace ++'}' Text ++'\n ' Text.Whitespace ++'}' Text ++'\n' Text.Whitespace ++ ++']' Text ++'\n\n' Text.Whitespace ++ + '/// Define how an HTTP request is serialized given a specific protocol,' Comment.Multiline + '\n' Text.Whitespace + +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb index 35d288c89e..6e787f23d2 100644 
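Review bot: In the new `metadata` rule the bare-key alternative `(?:\S+)` is tried first, and `\S` also matches `"` and `=`, so the quoted-string alternative is only reached by backtracking and a bare key can initially swallow the `=` it is meant to stop at. Putting the quoted form first and excluding the delimiters from the bare form says what is meant and leaves less to backtrack over: `(r'^(metadata)(\s+)((?:\"[^"]+\")|(?:[^\s="]+))(\s*)(=)',`. The added example file only covers well-formed input; a case with a long run of whitespace after `metadata` and no `=` would pin down the behaviour this CVE-tagged change is presumably about.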
--- a/meta/recipes-devtools/python/python3-pygments_2.11.2.bb +++ b/meta/recipes-devtools/python/python3-pygments_2.11.2.bb @@ -7,6 +7,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=98419e351433ac106a24e3ad435930bc" inherit setuptools3 SRC_URI[sha256sum] = "4e426f72023d88d03b2fa258de560726ce890ff3b630f88c21cbb8b2503b8c6a" +SRC_URI += "file://CVE-2022-40896.patch" + DEPENDS += "\ ${PYTHON_PN} \ " diff --git a/meta/recipes-devtools/python/python3-pytest_7.1.1.bb b/meta/recipes-devtools/python/python3-pytest_7.1.1.bb index 1cb2fb01c0..90a4787c17 100644 --- a/meta/recipes-devtools/python/python3-pytest_7.1.1.bb +++ b/meta/recipes-devtools/python/python3-pytest_7.1.1.bb @@ -26,7 +26,7 @@ RDEPENDS:${PN}:class-target += " \ ${PYTHON_PN}-py \ ${PYTHON_PN}-setuptools \ ${PYTHON_PN}-six \ - ${PYTHON_PN}-toml \ + ${PYTHON_PN}-tomli \ ${PYTHON_PN}-wcwidth \ " diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch b/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch new file mode 100644 index 0000000000..35b4241bde --- /dev/null +++ b/meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch 
@@ -0,0 +1,63 @@ +From cd0128c0becd8729d0f8733bf42fbd333d51f833 Mon Sep 17 00:00:00 2001 +From: Nate Prewitt <nate.prewitt@gmail.com> +Date: Mon, 5 Jun 2023 09:31:36 +0000 +Subject: [PATCH] Merge pull request from GHSA-j8r2-6x86-q33q + +CVE: CVE-2023-32681 + +Upstream-Status: Backport [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + requests/sessions.py | 4 +++- + tests/test_requests.py | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/requests/sessions.py b/requests/sessions.py +index 3f59cab..648cffa 100644 +--- a/requests/sessions.py ++++ b/requests/sessions.py +@@ -293,7 +293,9 @@ class SessionRedirectMixin(object): + except KeyError: + username, password = None, None + +- if username and password: ++ # urllib3 handles proxy authorization for us in the standard adapter. ++ # Avoid appending this to TLS tunneled requests where it may be leaked. ++ if not scheme.startswith('https') and username and password: + headers['Proxy-Authorization'] = _basic_auth_str(username, password) + + return new_proxies +diff --git a/tests/test_requests.py b/tests/test_requests.py +index 29b3aca..6a37777 100644 +--- a/tests/test_requests.py ++++ b/tests/test_requests.py +@@ -601,6 +601,26 @@ class TestRequests: + + assert sent_headers.get("Proxy-Authorization") == proxy_auth_value + ++ ++ @pytest.mark.parametrize( ++ "url,has_proxy_auth", ++ ( ++ ('http://example.com', True), ++ ('https://example.com', False), ++ ), ++ ) ++ def test_proxy_authorization_not_appended_to_https_request(self, url, has_proxy_auth): ++ session = requests.Session() ++ proxies = { ++ 'http': 'http://test:pass@localhost:8080', ++ 'https': 'http://test:pass@localhost:8090', ++ } ++ req = requests.Request('GET', url) ++ prep = req.prepare() ++ session.rebuild_proxies(prep, proxies) ++ ++ assert ('Proxy-Authorization' in prep.headers) is has_proxy_auth ++ + def 
test_basicauth_with_netrc(self, httpbin): + auth = ('user', 'pass') + wrong_auth = ('wronguser', 'wrongpass') +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb index af52b7caf5..635a6af31f 100644 --- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb +++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb @@ -3,6 +3,8 @@ HOMEPAGE = "http://python-requests.org" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" +SRC_URI += "file://CVE-2023-32681.patch" + SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61" inherit pypi setuptools3 diff --git a/meta/recipes-devtools/python/python3-rfc3986-validator_0.1.1.bb b/meta/recipes-devtools/python/python3-rfc3986-validator_0.1.1.bb index 4abd181acf..e374979cb4 100644 --- a/meta/recipes-devtools/python/python3-rfc3986-validator_0.1.1.bb +++ b/meta/recipes-devtools/python/python3-rfc3986-validator_0.1.1.bb @@ -13,7 +13,7 @@ UPSTREAM_CHECK_REGEX = "/rfc3986-validator/(?P<pver>(\d+[\.\-_]*)+)/" inherit pypi setuptools3 -SRC_URI:append = " \ +SRC_URI += "\ file://0001-setup.py-move-pytest-runner-to-test_requirements.patch \ " diff --git a/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb b/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb index 8ec9a86f00..c11116a1f4 100644 --- a/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb +++ b/meta/recipes-devtools/python/python3-setuptools-rust-native_1.1.2.bb @@ -14,9 +14,7 @@ SRC_URI[sha256sum] = "a0adb9b503c0ffc4e8fe80b7c617898cefa78049983aaaea7f747e153a inherit cargo pypi python_setuptools_build_meta native -DEPENDS += "python3-setuptools-scm-native python3-wheel-native" - -RDEPENDS:${PN}:class-native += " \ +DEPENDS += " \ python3-semantic-version-native \ python3-setuptools-native \ python3-setuptools-scm-native \ 
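Review bot: The comment added above the new condition in sessions.py says the header "may be leaked" without saying to whom, which is what a maintainer needs to know before relaxing this check. I would spell it out, e.g. `# For https URLs the request travels inside a CONNECT tunnel, so a Proxy-Authorization header set here would be delivered to the destination server rather than to the proxy.` `scheme` is assigned above the inner hunk, so whether it is already lower-cased cannot be confirmed from here; if it is not, `startswith('https')` would let an upper-case scheme through.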
diff --git a/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch new file mode 100644 index 0000000000..20a13da7bc --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch @@ -0,0 +1,31 @@ +From 9e9f617a83f6593b476669030b0347d48e831c3f Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Mon, 9 Jan 2023 14:45:05 +0000 +Subject: [PATCH] Limit the amount of whitespace to search/backtrack. Fixes + #3659. + +CVE: CVE-2022-40897 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + setuptools/package_index.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 270e7f3..e93fcc6 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -197,7 +197,7 @@ def unique_values(func): + return wrapper + + +-REL = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+)[^>]*)>""", re.I) ++REL = re.compile(r"""<([^>]*\srel\s{0,10}=\s{0,10}['"]?([^'" >]+)[^>]*)>""", re.I) + # this line is here to fix emacs' cruddy broken syntax highlighting + + +-- +2.34.1 + diff --git a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb index f2810e18d3..5f2676a04a 100644 --- a/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb +++ b/meta/recipes-devtools/python/python3-setuptools_59.5.0.bb 
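Review bot: The `{0,10}` bounds introduced in `REL` are unexplained magic numbers, and they also narrow what is accepted: a `rel` attribute with more than ten whitespace characters on either side of `=` no longer matches. The callers of `REL` are not visible in this hunk, so presumably such links are now skipped. A comment above the pattern would record both facts, e.g. `# Whitespace around '=' is capped at 10 characters to bound regex backtracking on fetched HTML (CVE-2022-40897); tags with more padding are not matched.`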
@@ -11,6 +11,7 @@ SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-e SRC_URI += "\ file://0001-change-shebang-to-python3.patch \ file://0001-_distutils-sysconfig-append-STAGING_LIBDIR-python-sy.patch \ + file://0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch \ " SRC_URI[sha256sum] = "d144f85102f999444d06f9c0e8c737fd0194f10f2f7e5fdb77573f6e2fa4fad0" diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.9.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb index 95ae4a54a4..d384b5eb2f 100644 --- a/meta/recipes-devtools/python/python3-urllib3_1.26.9.bb +++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c2823cb995439c984fd62a973d79815c" -SRC_URI[sha256sum] = "aabaf16477806a5e1dd19aa41f8c2b7950dd3c746362d7e3223dbe6de6ac448e" +SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0" inherit pypi setuptools3 @@ -15,6 +15,7 @@ RDEPENDS:${PN} += "\ ${PYTHON_PN}-netclient \ ${PYTHON_PN}-pyopenssl \ ${PYTHON_PN}-threading \ + ${PYTHON_PN}-logging \ " CVE_PRODUCT = "urllib3" diff --git a/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch new file mode 100644 index 0000000000..bdaae7dd10 --- /dev/null +++ b/meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch 
@@ -0,0 +1,32 @@ +From a9a0d67a663f20b69903751c23851dd4cd6b49d4 Mon Sep 17 00:00:00 2001 +From: Narpat Mali <narpat.mali@windriver.com> +Date: Wed, 11 Jan 2023 07:45:57 +0000 +Subject: [PATCH] Fixed potential DoS attack via WHEEL_INFO_RE + +CVE: CVE-2022-40898 + +Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + src/wheel/wheelfile.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/wheel/wheelfile.py b/src/wheel/wheelfile.py +index 21e7361..ff06edf 100644 +--- a/src/wheel/wheelfile.py ++++ b/src/wheel/wheelfile.py +@@ -27,8 +27,8 @@ else: + # Non-greedy matching of an optional build number may be too clever (more + # invalid wheel filenames will match). Separate regex for .dist-info? + WHEEL_INFO_RE = re.compile( +- r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))? +- -(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$""", ++ r"""^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))? ++ -(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$""", + re.VERBOSE) + + +-- +2.32.0 + diff --git a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb index 2f7dd122ba..3ee03ddd36 100644 --- a/meta/recipes-devtools/python/python3-wheel_0.37.1.bb +++ b/meta/recipes-devtools/python/python3-wheel_0.37.1.bb @@ -8,7 +8,9 @@ SRC_URI[sha256sum] = "e9a504e793efbca1b8e0e9cb979a249cf4a0a7b5b8c9e8b65a5e39d495 inherit python_flit_core pypi -SRC_URI += " file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch" +SRC_URI += "file://0001-Backport-pyproject.toml-from-flit-backend-branch.patch \ + file://0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch \ + " BBCLASSEXTEND = "native nativesdk" 
diff --git a/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch b/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch new file mode 100644 index 0000000000..199031d42a --- /dev/null +++ b/meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch @@ -0,0 +1,32 @@ +From 013ff01fdf2aa6ca69a7c80a2a2996630877e4ea Mon Sep 17 00:00:00 2001 +From: Trevor Gamblin <tgamblin@baylibre.com> +Date: Fri, 6 Oct 2023 10:59:44 -0400 +Subject: [PATCH] test_storlines: skip due to load variability + +This is yet another test that intermittently fails on the Yocto AB when +a worker is under heavy load, so skip it during testing. + +Upstream-Status: Inappropriate [OE-Specific] + +[YOCTO #14933] + +Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> +--- + Lib/test/test_ftplib.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py +index 082a90d46b..508814d56a 100644 +--- a/Lib/test/test_ftplib.py ++++ b/Lib/test/test_ftplib.py +@@ -629,6 +629,7 @@ def test_storbinary_rest(self): + self.client.storbinary('stor', f, rest=r) + self.assertEqual(self.server.handler_instance.rest, str(r)) + ++ @unittest.skip('timing related test, dependent on load') + def test_storlines(self): + data = RETR_DATA.replace('\r\n', '\n').encode(self.client.encoding) + f = io.BytesIO(data) +-- +2.41.0 + diff --git a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch index 0ead57e465..8c554feb4b 100644 --- a/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch +++ b/meta/recipes-devtools/python/python3/0017-setup.py-do-not-report-missing-dependencies-for-disa.patch @@ -12,16 +12,18 @@ Upstream-Status: Inappropriate [oe-core specific] 
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Alejandro Hernandez Samaniego <alejandro@enedino.org> +Refresh for 3.10.7: +Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- setup.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/setup.py b/setup.py -index 2be4738..62f0e18 100644 +index 85a2b26357..7605347bf5 100644 --- a/setup.py +++ b/setup.py -@@ -517,6 +517,14 @@ class PyBuildExt(build_ext): +@@ -517,6 +517,14 @@ def print_three_column(lst): print("%-*s %-*s %-*s" % (longest, e, longest, f, longest, g)) @@ -35,4 +37,4 @@ index 2be4738..62f0e18 100644 + if self.missing: print() - print("Python build finished successfully!") + print("The necessary bits to build these optional modules were not " diff --git a/meta/recipes-devtools/python/python3/get_module_deps3.py b/meta/recipes-devtools/python/python3/get_module_deps3.py index 1f4c982aed..8e432b49af 100644 --- a/meta/recipes-devtools/python/python3/get_module_deps3.py +++ b/meta/recipes-devtools/python/python3/get_module_deps3.py @@ -32,7 +32,7 @@ def fix_path(dep_path): dep_path = dep_path[dep_path.find(pivot)+len(pivot):] if '/usr/bin' in dep_path: - dep_path = dep_path.replace('/usr/bin''${bindir}') + dep_path = dep_path.replace('/usr/bin','${bindir}') # Handle multilib, is there a better way? if '/usr/lib32' in dep_path: @@ -56,7 +56,7 @@ if debug == True: try: m = importlib.import_module(current_module) # handle python packages which may not include all modules in the __init__ - if os.path.basename(m.__file__) == "__init__.py": + if hasattr(m, '__file__') and os.path.basename(m.__file__) == "__init__.py": modulepath = os.path.dirname(m.__file__) for i in os.listdir(modulepath): if i.startswith("_") or not(i.endswith(".py")): diff --git a/meta/recipes-devtools/python/python3_3.10.4.bb b/meta/recipes-devtools/python/python3_3.10.13.bb index 357025f856..76e37e42a1 100644 
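Review bot: In the second hunk of get_module_deps3.py, `hasattr(m, '__file__')` is also true for a module whose `__file__` is `None`, which is what namespace packages report, and `os.path.basename(None)` then raises `TypeError`. Writing the guard as `if getattr(m, '__file__', None) and os.path.basename(m.__file__) == "__init__.py":` covers both the missing attribute and the `None` value. The `try:` that encloses this line ends outside the hunk, so how such an exception is handled is not visible here.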
--- a/meta/recipes-devtools/python/python3_3.10.4.bb +++ b/meta/recipes-devtools/python/python3_3.10.13.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Python is a programming language that lets you work more quickly LICENSE = "PSF-2.0" SECTION = "devel/python" -LIC_FILES_CHKSUM = "file://LICENSE;md5=4b8801e752a2c70ac41a5f9aa243f766" +LIC_FILES_CHKSUM = "file://LICENSE;md5=fcf6b249c2641540219a727f35d8d2c2" SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://run-ptest \ @@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-setup.py-Do-not-detect-multiarch-paths-when-cross-co.patch \ file://deterministic_imports.patch \ file://0001-Avoid-shebang-overflow-on-python-config.py.patch \ + file://0001-test_storlines-skip-due-to-load-variability.patch \ " SRC_URI:append:class-native = " \ @@ -43,7 +44,7 @@ SRC_URI:append:class-native = " \ file://12-distutils-prefix-is-inside-staging-area.patch \ file://0001-Don-t-search-system-for-headers-libraries.patch \ " -SRC_URI[sha256sum] = "80bf925f571da436b35210886cf79f6eb5fa5d6c571316b73568343451f77a19" +SRC_URI[sha256sum] = "5c88848668640d3e152b35b4536ef1c23b2ca4bd2c957ef1ecbb053f571dd3f6" # exclude pre-releases for both python 2.x and 3.x UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar" @@ -60,6 +61,8 @@ CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488" # The mailcap module is insecure by design, so this can't be fixed in a meaningful way. # The module will be removed in the future and flaws documented. CVE_CHECK_IGNORE += "CVE-2015-20107" +# Not an issue, in fact expected behaviour +CVE_CHECK_IGNORE += "CVE-2023-36632" PYTHON_MAJMIN = "3.10" diff --git a/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb b/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb index aa9e499c77..e297586bbb 100644 --- a/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb +++ b/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb 
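Review bot: The comment added above `CVE_CHECK_IGNORE += "CVE-2023-36632"` in the last hunk of python3_3.10.13.bb says only "Not an issue, in fact expected behaviour" and names no source, so a later audit of the ignore list cannot verify the decision. The neighbouring entry for CVE-2015-20107 states its reasoning, and the qemu.inc ignores elsewhere in this diff cite a tracker URL. Suggested wording: `# Disputed by upstream as expected behaviour, see <reference URL>`, with the link to the upstream statement filled in.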
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5 SRC_URI = "\ file://tunctl.c \ - file://qemu-oe-bridge-helper \ + file://qemu-oe-bridge-helper.c \ " S = "${WORKDIR}" @@ -16,13 +16,13 @@ inherit native do_compile() { ${CC} ${CFLAGS} ${LDFLAGS} -Wall tunctl.c -o tunctl + ${CC} ${CFLAGS} ${LDFLAGS} -Wall qemu-oe-bridge-helper.c -o qemu-oe-bridge-helper } do_install() { install -d ${D}${bindir} install tunctl ${D}${bindir}/ - - install -m 755 ${WORKDIR}/qemu-oe-bridge-helper ${D}${bindir}/ + install qemu-oe-bridge-helper ${D}${bindir}/ } DEPENDS += "qemu-system-native" diff --git a/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper b/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper deleted file mode 100755 index f057d4eef0..0000000000 --- a/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper +++ /dev/null @@ -1,25 +0,0 @@ -#! /bin/sh -# Copyright 2020 Garmin Ltd. or its subsidiaries -# -# SPDX-License-Identifier: GPL-2.0 -# -# Attempts to find and exec the host qemu-bridge-helper program - -# If the QEMU_BRIDGE_HELPER variable is set by the user, exec it. -if [ -n "$QEMU_BRIDGE_HELPER" ]; then - exec "$QEMU_BRIDGE_HELPER" "$@" -fi - -# Search common paths for the helper program -BN="qemu-bridge-helper" -PATHS="/usr/libexec/ /usr/lib/qemu/" - -for p in $PATHS; do - if [ -e "$p/$BN" ]; then - exec "$p/$BN" "$@" - fi -done - -echo "$BN not found!" > /dev/stderr -exit 1 - diff --git a/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper.c b/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper.c new file mode 100644 index 0000000000..9434e1d269 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-helper/qemu-oe-bridge-helper.c 
@@ -0,0 +1,34 @@ +/* + * Copyright 2022 Garmin Ltd. or its subsidiaries + * + * SPDX-License-Identifier: GPL-2.0 + * + * Attempts to find and exec the host qemu-bridge-helper program + */ + +#include <stdio.h> +#include <unistd.h> +#include <stdlib.h> + +void try_program(char const* path, char** args) { + if (access(path, X_OK) == 0) { + execv(path, args); + } +} + +int main(int argc, char** argv) { + char* var; + + var = getenv("QEMU_BRIDGE_HELPER"); + if (var && var[0] != '\0') { + execvp(var, argv); + return 1; + } + + try_program("/usr/libexec/qemu-bridge-helper", argv); + try_program("/usr/lib/qemu/qemu-bridge-helper", argv); + + fprintf(stderr, "No bridge helper found\n"); + return 1; +} + diff --git a/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb index bc5384d472..5ccede5095 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_6.2.0.bb @@ -11,7 +11,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native me EXTRA_OECONF:append = " --target-list=${@get_qemu_system_target_list(d)}" -PACKAGECONFIG ??= "fdt alsa kvm pie \ +PACKAGECONFIG ??= "fdt alsa kvm pie slirp \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer epoxy', '', d)} \ " diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index cc69eca9ae..4747310ae4 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -13,7 +13,6 @@ inherit pkgconfig ptest python3-dir LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=8c5efda6cf1e1b03dcfd0e6c0d271c7f" - SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://powerpc_rom.bin \ file://run-ptest \ 
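Review bot: When `QEMU_BRIDGE_HELPER` is set but cannot be executed, `main` in qemu-oe-bridge-helper.c returns 1 straight after `execvp(var, argv)` without printing anything, so a mistyped path fails silently; `try_program` likewise drops an `execv` failure that follows a successful `access`. Adding `perror(var);` before that `return 1;`, and `perror(path);` after the `execv` call in `try_program`, would surface the errno. The wrapper executes whatever the environment variable names, and `execvp` resolves a bare name through `PATH`. The header comment should therefore also state that this binary is meant to run unprivileged and must not be installed setuid or with file capabilities.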
@@ -35,6 +34,81 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://pvrdma.patch \ file://CVE-2021-4206.patch \ file://CVE-2021-4207.patch \ + file://CVE-2022-35414.patch \ + file://CVE-2021-3929.patch \ + file://CVE-2021-4158.patch \ + file://CVE-2022-0358.patch \ + file://CVE-2022-0216_1.patch \ + file://CVE-2022-0216_2.patch \ + file://CVE-2021-3750-1.patch \ + file://CVE-2021-3750-2.patch \ + file://CVE-2021-3750-3.patch \ + file://0001-use-uint32t-for-reply-queue-head-tail-values.patch \ + file://0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch \ + file://0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch \ + file://0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch \ + file://0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch \ + file://0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch \ + file://0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch \ + file://0008_have_dma_buf_rw_function_take_a_void_pointer.patch \ + file://0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch \ + file://0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch \ + file://0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch \ + file://0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch \ + file://0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch \ + file://0014_let_dma_buf_rw_function_propagate_MemTxResult.patch \ + file://0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch \ + file://0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch \ + file://0017_let_st_pointer_dma_function_propagate_MemTxResult.patch \ + file://0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch \ + file://0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \ + file://0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch \ + 
file://0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch \ + file://0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch \ + file://CVE-2021-3611_1.patch \ + file://CVE-2021-3611_2.patch \ + file://0001-net-tulip-Restrict-DMA-engine-to-memories.patch \ + file://0001-softfloat-Extend-float_exception_flags-to-16-bits.patch \ + file://0002-softfloat-Add-flag-specific-to-Inf-Inf.patch \ + file://0003-softfloat-Add-flag-specific-to-Inf-0.patch \ + file://0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch \ + file://0005-softfloat-Add-flag-specific-to-signaling-nans.patch \ + file://0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch \ + file://0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch \ + file://0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch \ + file://0009-target-ppc-Update-fmadd-for-new-flags.patch \ + file://0010-target-ppc-Split-out-do_fmadd.patch \ + file://0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch \ + file://0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch \ + file://0013-target-ppc-fix-xscvqpdp-register-access.patch \ + file://0014-target-ppc-move-xscvqpdp-to-decodetree.patch \ + file://0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch \ + file://0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch \ + file://0017-target-ppc-Implement-Vector-Expand-Mask.patch \ + file://0018-target-ppc-Implement-Vector-Extract-Mask.patch \ + file://0019-target-ppc-Implement-Vector-Mask-Move-insns.patch \ + file://0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch \ + file://0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch \ + file://CVE-2022-3165.patch \ + file://CVE-2022-4144.patch \ + file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \ + file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ + file://CVE-2023-0330.patch \ + file://CVE-2023-3301.patch \ + file://CVE-2023-3255.patch \ + 
file://CVE-2023-2861.patch \ + file://CVE-2020-14394.patch \ + file://CVE-2023-3354.patch \ + file://CVE-2023-3180.patch \ + file://CVE-2021-3638.patch \ + file://CVE-2023-1544.patch \ + file://CVE-2023-5088.patch \ + file://CVE-2024-24474.patch \ + file://CVE-2023-6693.patch \ + file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \ + file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \ + file://CVE-2023-42467.patch \ + file://CVE-2023-6683.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" @@ -54,6 +128,15 @@ CVE_CHECK_IGNORE += "CVE-2007-0998" # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 CVE_CHECK_IGNORE += "CVE-2018-18438" +# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664 +# https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +# this bug related to windows specific. +CVE_CHECK_IGNORE += "CVE-2023-0664" + +# As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387 +# RHEL specific issue +CVE_CHECK_IGNORE += "CVE-2023-2680" + COMPATIBLE_HOST:mipsarchn32 = "null" COMPATIBLE_HOST:mipsarchn64 = "null" COMPATIBLE_HOST:riscv32 = "null" @@ -153,6 +236,7 @@ PACKAGECONFIG:remove:mingw32 = "kvm virglrenderer epoxy gtk+" PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2" PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr," PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," +PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburing" PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest" PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," 
@@ -199,6 +283,12 @@ PACKAGECONFIG[pmem] = "--enable-libpmem,--disable-libpmem,pmdk" PACKAGECONFIG[pulsedio] = "--enable-pa,--disable-pa,pulseaudio" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" PACKAGECONFIG[bpf] = "--enable-bpf,--disable-bpf,libbpf" +PACKAGECONFIG[capstone] = "--enable-capstone,--disable-capstone" +PACKAGECONFIG[rdma] = "--enable-rdma,--disable-rdma" +PACKAGECONFIG[vde] = "--enable-vde,--disable-vde" +PACKAGECONFIG[slirp] = "--enable-slirp=internal,--disable-slirp" +PACKAGECONFIG[brlapi] = "--enable-brlapi,--disable-brlapi" +PACKAGECONFIG[jack] = "--enable-jack,--disable-jack,jack," INSANE_SKIP:${PN} = "arch" diff --git a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch new file mode 100644 index 0000000000..cd846222c9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch 
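Review bot: `PACKAGECONFIG[slirp] = "--enable-slirp=internal,--disable-slirp"` in qemu.inc selects, going by the option value, the libslirp copy shipped inside the qemu tarball, and this diff also adds `slirp` to the default `PACKAGECONFIG` of qemu-system-native, so fixes for libslirp issues would have to arrive as patches to this recipe. A comment above the entry, for example `# uses the libslirp bundled with qemu; track libslirp CVEs against this recipe`, would make that visible to whoever maintains the CVE list. The `capstone`, `rdma`, `vde` and `brlapi` entries in the same hunk give no build dependency in the third field, unlike `jack`. If that is deliberate because they exist mainly to pass the `--disable-*` switch, a one-line comment saying so would help.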
@@ -0,0 +1,57 @@ +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/61c34fc] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 61c34fc194b776ecadc39fb26b061331107e5599 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:37 +0100 +Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no + log_cmd handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only 3 command types are logged: no need to call qxl_phys2virt() +for the other types. Using different cases will help to pass +different structure sizes to qxl_phys2virt() in a pair of commits. + +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-2-philmd@linaro.org> +--- + hw/display/qxl-logger.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 68bfa47568..1bcf803db6 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_name(qxl_type, ext->cmd.type), + compat ? "(compat)" : ""); + ++ switch (ext->cmd.type) { ++ case QXL_CMD_DRAW: ++ break; ++ case QXL_CMD_SURFACE: ++ break; ++ case QXL_CMD_CURSOR: ++ break; ++ default: ++ goto out; ++ } + data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); + if (!data) { + return 1; +@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + qxl_log_cmd_cursor(qxl, data, ext->group_id); + break; + } ++out: + fprintf(stderr, "\n"); + return 0; + } +-- +2.34.1 + 
diff --git a/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
new file mode 100644
index 0000000000..ac51cf567a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
@@ -0,0 +1,217 @@ +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/8efec0e] + +Backport and rebase patch to fix compile error which imported by CVE-2022-4144.patch: + +../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': +../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'? + 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + | ^~~~ + | gsize +../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is reported only once for each function it appears in + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:39 +0100 +Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently qxl_phys2virt() doesn't check for buffer overrun. +In order to do so in the next commit, pass the buffer size +as argument. + +For QXLCursor in qxl_render_cursor() -> qxl_cursor() we +verify the size of the chunked data ahead, checking we can +access 'sizeof(QXLCursor) + chunk->data_size' bytes. +Since in the SPICE_CURSOR_TYPE_MONO case the cursor is +assumed to fit in one chunk, no change are required. +In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in +qxl_unpack_chunks(). 
+ +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Acked-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-4-philmd@linaro.org> +--- + hw/display/qxl-logger.c | 11 ++++++++--- + hw/display/qxl-render.c | 20 ++++++++++++++++---- + hw/display/qxl.c | 14 +++++++++----- + hw/display/qxl.h | 3 ++- + 4 files changed, 35 insertions(+), 13 deletions(-) + +diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c +index 1bcf803..35c38f6 100644 +--- a/hw/display/qxl-logger.c ++++ b/hw/display/qxl-logger.c +@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id) + QXLImage *image; + QXLImageDescriptor *desc; + +- image = qxl_phys2virt(qxl, addr, group_id); ++ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage)); + if (!image) { + return 1; + } +@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id) + cmd->u.set.position.y, + cmd->u.set.visible ? "yes" : "no", + cmd->u.set.shape); +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id); ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id, ++ sizeof(QXLCursor)); + if (!cursor) { + return 1; + } +@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + { + bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT; + void *data; ++ size_t datasz; + int ret; + + if (!qxl->cmdlog) { +@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext) + + switch (ext->cmd.type) { + case QXL_CMD_DRAW: ++ datasz = compat ? 
sizeof(QXLCompatDrawable) : sizeof(QXLDrawable); + break; + case QXL_CMD_SURFACE: ++ datasz = sizeof(QXLSurfaceCmd); + break; + case QXL_CMD_CURSOR: ++ datasz = sizeof(QXLCursorCmd); + break; + default: + goto out; + } +- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz); + if (!data) { + return 1; + } +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index ca21700..fcfd40c 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl) + qxl->guest_primary.resized = 0; + qxl->guest_primary.data = qxl_phys2virt(qxl, + qxl->guest_primary.surface.mem, +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, ++ qxl->guest_primary.abs_stride ++ * height); + if (!qxl->guest_primary.data) { + goto end; + } +@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl, + if (offset == size) { + return; + } +- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id); ++ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id, ++ sizeof(QXLDataChunk) + chunk->data_size); + if (!chunk) { + return; + } +@@ -295,7 +298,8 @@ fail: + /* called from spice server thread context only */ + int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + QXLCursor *cursor; + QEMUCursor *c; + +@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext) + } + switch (cmd->type) { + case QXL_CURSOR_SET: +- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id); ++ /* First read the QXLCursor to get QXLDataChunk::data_size ... 
*/ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor)); ++ if (!cursor) { ++ return 1; ++ } ++ /* Then read including the chunked data following QXLCursor. */ ++ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id, ++ sizeof(QXLCursor) + cursor->chunk.data_size); + if (!cursor) { + return 1; + } +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index ae8aa07..2a4b2d4 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay) + QXL_IO_MONITORS_CONFIG_ASYNC)); + } + +- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST); ++ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST, ++ sizeof(QXLMonitorsConfig)); + if (cfg != NULL && cfg->count == 1) { + qxl->guest_primary.resized = 1; + qxl->guest_head0_width = cfg->heads[0].width; +@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + switch (le32_to_cpu(ext->cmd.type)) { + case QXL_CMD_SURFACE: + { +- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLSurfaceCmd)); + + if (!cmd) { + return 1; +@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext) + } + case QXL_CMD_CURSOR: + { +- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id); ++ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, ++ sizeof(QXLCursorCmd)); + + if (!cmd) { + return 1; +@@ -1463,7 +1466,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + } + + /* can be also called from spice server thread context */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id) ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, ++ size_t size) + { + uint64_t offset; + uint32_t slot; +@@ -1971,7 +1975,7 @@ static 
void qxl_dirty_surfaces(PCIQXLDevice *qxl) + } + + cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i], +- MEMSLOT_GROUP_GUEST); ++ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd)); + assert(cmd); + assert(cmd->type == QXL_SURFACE_CMD_CREATE); + qxl_dirty_one_surface(qxl, cmd->u.surface_create.data, +diff --git a/hw/display/qxl.h b/hw/display/qxl.h +index 30d21f4..4551c23 100644 +--- a/hw/display/qxl.h ++++ b/hw/display/qxl.h +@@ -147,7 +147,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL) + #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1) + + /* qxl.c */ +-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id); ++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id, ++ size_t size); + void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...) + GCC_FMT_ATTR(2, 3); + +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch new file mode 100644 index 0000000000..6c85a77ba7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch 
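Review bot: In the `qxl_unpack_chunks` hunk of qxl-render.c the size passed to `qxl_phys2virt()` for the next chunk is `sizeof(QXLDataChunk) + chunk->data_size`, evaluated while `chunk` still points at the chunk just processed, so the range check uses the previous chunk's payload length rather than the length the next chunk declares. `qxl_render_cursor` in the same patch maps the fixed-size header first and then maps again with the size read from it, and the loop could follow that pattern as sketched below. In the `qxl_render_update_area_unlocked` hunk, `qxl->guest_primary.abs_stride * height` is multiplied before conversion to the `size_t` parameter; the operand types are not visible here, so whether the product can wrap needs checking. This file is a backport, so both points are better raised upstream than changed locally; `qxl_unpack_chunks` starts and ends outside the hunk.

```c
/* … unchanged: copy of the current chunk and the offset == size check … */
QXLPHYSICAL next = chunk->next_chunk;

/* Map only the fixed header first, then again with the length it declares. */
chunk = qxl_phys2virt(qxl, next, group_id, sizeof(QXLDataChunk));
if (!chunk) {
    return;
}
chunk = qxl_phys2virt(qxl, next, group_id,
                      sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
    return;
}
```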
@@ -0,0 +1,64 @@ +CVE: CVE-2022-2962 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From 5c5c50b0a73d78ffe18336c9996fef5eae9bbbb0 Mon Sep 17 00:00:00 2001 +From: Zheyu Ma <zheyuma97@gmail.com> +Date: Sun, 21 Aug 2022 20:43:43 +0800 +Subject: [PATCH] net: tulip: Restrict DMA engine to memories + +The DMA engine is started by I/O access and then itself accesses the +I/O registers, triggering a reentrancy bug. + +The following log can reveal it: +==5637==ERROR: AddressSanitizer: stack-overflow + #0 0x5595435f6078 in tulip_xmit_list_update qemu/hw/net/tulip.c:673 + #1 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + #2 0x559544637f86 in memory_region_write_accessor qemu/softmmu/memory.c:492:5 + #3 0x5595446379fa in access_with_adjusted_size qemu/softmmu/memory.c:554:18 + #4 0x5595446372fa in memory_region_dispatch_write qemu/softmmu/memory.c + #5 0x55954468b74c in flatview_write_continue qemu/softmmu/physmem.c:2825:23 + #6 0x559544683662 in flatview_write qemu/softmmu/physmem.c:2867:12 + #7 0x5595446833f3 in address_space_write qemu/softmmu/physmem.c:2963:18 + #8 0x5595435fb082 in dma_memory_rw_relaxed qemu/include/sysemu/dma.h:87:12 + #9 0x5595435fb082 in dma_memory_rw qemu/include/sysemu/dma.h:130:12 + #10 0x5595435fb082 in dma_memory_write qemu/include/sysemu/dma.h:171:12 + #11 0x5595435fb082 in stl_le_dma qemu/include/sysemu/dma.h:272:1 + #12 0x5595435fb082 in stl_le_pci_dma qemu/include/hw/pci/pci.h:910:1 + #13 0x5595435fb082 in tulip_desc_write qemu/hw/net/tulip.c:101:9 + #14 0x5595435f7e3d in tulip_xmit_list_update qemu/hw/net/tulip.c:706:9 + #15 0x5595435f204a in tulip_write qemu/hw/net/tulip.c:805:13 + +Fix this bug by restricting the DMA engine to memories regions. 
+ +Signed-off-by: Zheyu Ma <zheyuma97@gmail.com> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/tulip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 097e905bec..b9e42c322a 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,7 +70,7 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); +@@ -88,7 +88,7 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + + if (s->csr[0] & CSR0_DBO) { + stl_be_pci_dma(&s->dev, p, desc->status, attrs); +-- +2.34.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch b/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch new file mode 100644 index 0000000000..e9c47f6901 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch 
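Review bot: The `Upstream-Status: Backport` line at the top of 0001-net-tulip-Restrict-DMA-engine-to-memories.patch names no upstream commit, so this CVE-2022-2962 fix cannot be compared with its origin without searching for the subject line. Other patches added in this diff give the commit URL in brackets. Suggested form: `Upstream-Status: Backport [<upstream commit URL>]`. The hash on the embedded `From` line is presumably the upstream commit and would be the one to link.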
@@ -0,0 +1,75 @@ +From 0bec1ded33a857f59cf5f3ceca2f72694256e710 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 01/21] softfloat: Extend float_exception_flags to 16 bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will shortly have more than 8 bits of exceptions. +Repack the existing flags into low bits and reformat to hex. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=149a48f6e6ccedfa01307d45884aa480f5bf77c5] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Message-Id: <20211119160502.17432-2-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + include/fpu/softfloat-types.h | 16 ++++++++-------- + include/fpu/softfloat.h | 2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 5bcbd041f7..65a43aff59 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -145,13 +145,13 @@ typedef enum __attribute__((__packed__)) { + */ + + enum { +- float_flag_invalid = 1, +- float_flag_divbyzero = 4, +- float_flag_overflow = 8, +- float_flag_underflow = 16, +- float_flag_inexact = 32, +- float_flag_input_denormal = 64, +- float_flag_output_denormal = 128 ++ float_flag_invalid = 0x0001, ++ float_flag_divbyzero = 0x0002, ++ float_flag_overflow = 0x0004, ++ float_flag_underflow = 0x0008, ++ float_flag_inexact = 0x0010, ++ float_flag_input_denormal = 0x0020, ++ float_flag_output_denormal = 0x0040, + }; + + /* +@@ -171,8 +171,8 @@ typedef enum __attribute__((__packed__)) { + */ + + typedef struct float_status { ++ uint16_t float_exception_flags; + FloatRoundMode float_rounding_mode; +- uint8_t float_exception_flags; + FloatX80RoundPrec 
floatx80_rounding_precision; + bool tininess_before_rounding; + /* should denormalised results go to zero and set the inexact flag? */ +diff --git a/include/fpu/softfloat.h b/include/fpu/softfloat.h +index a249991e61..0d3b407807 100644 +--- a/include/fpu/softfloat.h ++++ b/include/fpu/softfloat.h +@@ -100,7 +100,7 @@ typedef enum { + | Routine to raise any or all of the software IEC/IEEE floating-point + | exception flags. + *----------------------------------------------------------------------------*/ +-static inline void float_raise(uint8_t flags, float_status *status) ++static inline void float_raise(uint16_t flags, float_status *status) + { + status->float_exception_flags |= flags; + } +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch new file mode 100644 index 0000000000..37e122f781 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch 
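Review bot: Repacking the enum changes the numeric value of every flag except `float_flag_invalid` (for example `float_flag_divbyzero` goes from 4 to `0x0002`), so any code outside this hunk that stores or compares raw flag numbers instead of the enum names would silently misread them. Only `float_raise()` and the `float_status` field are widened here, so it is also worth checking that no other accessor or saved copy of the flags still uses an 8-bit type, which would truncate the bits that later patches in this series add (up to `0x2000`). A comment above the enum would make the constraint visible: `/* All flags must fit in float_status.float_exception_flags (uint16_t). */`.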
@@ -0,0 +1,83 @@ +From 41d5e8da3d5e0a143a9fb397c9f34707ec544997 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:43:05 +0100 +Subject: [PATCH] hw/scsi/megasas: Use uint32_t for reply queue head/tail + values +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While the reply queue values fit in 16-bit, they are accessed +as 32-bit: + + 661: s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); + 662: s->reply_queue_head %= MEGASAS_MAX_FRAMES; + 663: s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); + 664: s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + +Having: + + 41:#define MEGASAS_MAX_FRAMES 2048 /* Firmware limit at 65535 */ + +In order to update the ld/st*_pci_dma() API to pass the address +of the value to access, it is simpler to have the head/tail declared +as 32-bit values. Replace the uint16_t by uint32_t, wasting 4 bytes in +the MegasasState structure. 
+ +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=41d5e8da3d5e0a143a9fb397c9f34707ec544997] + +Acked-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-20-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/scsi/megasas.c | 4 ++-- + hw/scsi/trace-events | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 8f35784..14ec6d6 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -109,8 +109,8 @@ struct MegasasState { + uint64_t reply_queue_pa; + void *reply_queue; + uint16_t reply_queue_len; +- uint16_t reply_queue_head; +- uint16_t reply_queue_tail; ++ uint32_t reply_queue_head; ++ uint32_t reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 92d5b40..ae8551f 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -42,18 +42,18 @@ mptsas_config_sas_phy(void *dev, int address, int port, int phy_handle, int dev_ + + # megasas.c + megasas_init_firmware(uint64_t pa) "pa 0x%" PRIx64 " " +-megasas_init_queue(uint64_t queue_pa, int queue_len, uint64_t head, uint64_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx64 " tail 0x%" PRIx64 " flags 0x%x" ++megasas_init_queue(uint64_t queue_pa, int queue_len, uint32_t head, uint32_t tail, uint32_t flags) "queue at 0x%" PRIx64 " len %d head 0x%" PRIx32 " tail 0x%" PRIx32 " flags 0x%x" + megasas_initq_map_failed(int frame) "scmd %d: failed to map queue" + megasas_initq_mapped(uint64_t pa) "queue already mapped at 0x%" PRIx64 + megasas_initq_mismatch(int queue_len, int fw_cmds) "queue size %d max fw cmds %d" + megasas_qf_mapped(unsigned int index) "skip mapped frame 0x%x" + megasas_qf_new(unsigned int index, uint64_t frame) "frame 0x%x addr 0x%" PRIx64 + megasas_qf_busy(unsigned 
long pa) "all frames busy for frame 0x%lx" +-megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, unsigned int head, unsigned int tail, int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" +-megasas_qf_update(unsigned int head, unsigned int tail, unsigned int busy) "head 0x%x tail 0x%x busy %d" ++megasas_qf_enqueue(unsigned int index, unsigned int count, uint64_t context, uint32_t head, uint32_t tail, unsigned int busy) "frame 0x%x count %d context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" ++megasas_qf_update(uint32_t head, uint32_t tail, unsigned int busy) "head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_qf_map_failed(int cmd, unsigned long frame) "scmd %d: frame %lu" + megasas_qf_complete_noirq(uint64_t context) "context 0x%" PRIx64 " " +-megasas_qf_complete(uint64_t context, unsigned int head, unsigned int tail, int busy) "context 0x%" PRIx64 " head 0x%x tail 0x%x busy %d" ++megasas_qf_complete(uint64_t context, uint32_t head, uint32_t tail, int busy) "context 0x%" PRIx64 " head 0x%" PRIx32 " tail 0x%" PRIx32 " busy %u" + megasas_frame_busy(uint64_t addr) "frame 0x%" PRIx64 " busy" + megasas_unhandled_frame_cmd(int cmd, uint8_t frame_cmd) "scmd %d: MFI cmd 0x%x" + megasas_handle_scsi(const char *frame, int bus, int dev, int lun, void *sdev, unsigned long size) "%s dev %x/%x/%x sdev %p xfer %lu" +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch b/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch new file mode 100644 index 0000000000..2713ff370d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch 
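Review bot: In hw/scsi/trace-events the new `megasas_qf_complete` line switches the format for `busy` to `%u` but still declares the argument as `int busy`, while `megasas_qf_enqueue` and `megasas_qf_update` in the same hunk pair `unsigned int busy` with `%u`. The declared type and the conversion should agree: either declare `unsigned int busy` as in the sibling events or keep `busy %d` for this one. The `MegasasState` struct and the trace-events file both continue outside the hunks shown.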
@@ -0,0 +1,59 @@ +From 9b0737858b2b68c3a4d1e0611f2732679c997c6d Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 02/21] softfloat: Add flag specific to Inf - Inf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ba11446c40903b9d97fb75a078d43fee6444d3b6] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-3-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 3 ++- + include/fpu/softfloat-types.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index 41d4b17e41..eb2b475ca4 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -354,7 +354,7 @@ static FloatPartsN *partsN(addsub)(FloatPartsN *a, FloatPartsN *b, + return a; + } + /* Inf - Inf */ +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_isi, s); + parts_default_nan(a, s); + return a; + } +@@ -494,6 +494,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + + if (ab_mask & float_cmask_inf) { + if (c->cls == float_class_inf && a->sign != c->sign) { ++ float_raise(float_flag_invalid | float_flag_invalid_isi, s); + goto d_nan; + } + goto return_inf; +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 65a43aff59..eaa12e1e00 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -152,6 +152,7 @@ enum { + float_flag_inexact = 0x0010, + float_flag_input_denormal = 0x0020, + float_flag_output_denormal = 0x0040, ++ float_flag_invalid_isi = 0x0080, /* 
inf - inf */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..04a655315f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,60 @@ +From 7ccb391ccd594b3f33de8deb293ff8d47bb4e219 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 09:28:49 +0200 +Subject: [PATCH] dma: Let dma_memory_valid() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_valid(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7ccb391ccd594b3f33de8deb293ff8d47bb4e219] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-2-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/hw/ppc/spapr_vio.h | 2 +- + include/sysemu/dma.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4bea87f..4c45f15 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -91,7 +91,7 @@ static inline void spapr_vio_irq_pulse(SpaprVioDevice *dev) + static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + uint32_t size, DMADirection dir) + { +- return dma_memory_valid(&dev->as, taddr, size, dir); ++ return dma_memory_valid(&dev->as, taddr, size, dir, MEMTXATTRS_UNSPECIFIED); + } + + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3201e79..296f3b5 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -73,11 +73,11 @@ static inline void dma_barrier(AddressSpace *as, DMADirection dir) + * dma_memory_{read,write}() and check for errors */ + static inline bool 
dma_memory_valid(AddressSpace *as, + dma_addr_t addr, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return address_space_access_valid(as, addr, len, + dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + } + + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch b/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch new file mode 100644 index 0000000000..1b21e3cfeb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch 
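Review bot: This patch is tagged `CVE: CVE-2021-3611` but changes no behaviour: `spapr_vio_dma_valid()` passes `MEMTXATTRS_UNSPECIFIED`, which is exactly what `dma_memory_valid()` hard-coded before. The same holds for the dma_memory_set(), dma_memory_rw_relaxed() and dma_memory_rw() patches that follow, where every caller visible on this page also passes `MEMTXATTRS_UNSPECIFIED`. Someone auditing the recipe by CVE tag could take any one of these for the fix, so each header would benefit from a line such as `Prerequisite API change for the CVE-2021-3611 fix; no functional change on its own.` The changed function is a `static inline` in include/sysemu/dma.h, so a caller not updated by the series will fail to build, and the patches have to stay together and in order in SRC_URI.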
@@ -0,0 +1,126 @@ +From 613f373f0b652ab2fb2572633e7a23807096790b Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 03/21] softfloat: Add flag specific to Inf * 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=bead3c9b0ff8efd652afb27923d8ab4458b3bbd9] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-4-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 4 ++-- + fpu/softfloat-specialize.c.inc | 12 ++++++------ + include/fpu/softfloat-types.h | 1 + + 3 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index eb2b475ca4..3ed793347b 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -423,7 +423,7 @@ static FloatPartsN *partsN(mul)(FloatPartsN *a, FloatPartsN *b, + + /* Inf * Zero == NaN */ + if (unlikely(ab_mask == float_cmask_infzero)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, s); + parts_default_nan(a, s); + return a; + } +@@ -489,6 +489,7 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + + if (unlikely(ab_mask != float_cmask_normal)) { + if (unlikely(ab_mask == float_cmask_infzero)) { ++ float_raise(float_flag_invalid | float_flag_invalid_imz, s); + goto d_nan; + } + +@@ -567,7 +568,6 @@ static FloatPartsN *partsN(muladd)(FloatPartsN *a, FloatPartsN *b, + goto finish_sign; + + d_nan: +- float_raise(float_flag_invalid, s); + parts_default_nan(a, s); + return a; + } +diff --git a/fpu/softfloat-specialize.c.inc b/fpu/softfloat-specialize.c.inc 
+index f2ad0f335e..943e3301d2 100644 +--- a/fpu/softfloat-specialize.c.inc ++++ b/fpu/softfloat-specialize.c.inc +@@ -506,7 +506,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * the default NaN + */ + if (infzero && is_qnan(c_cls)) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 3; + } + +@@ -533,7 +533,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * case sets InvalidOp and returns the default NaN + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 3; + } + /* Prefer sNaN over qNaN, in the a, b, c order. */ +@@ -556,7 +556,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * case sets InvalidOp and returns the input value 'c' + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + /* Prefer sNaN over qNaN, in the c, a, b order. */ +@@ -580,7 +580,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * a default NaN + */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + +@@ -597,7 +597,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + #elif defined(TARGET_RISCV) + /* For RISC-V, InvalidOp is set when multiplicands are Inf and zero */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + } + return 3; /* default NaN */ + #elif defined(TARGET_XTENSA) +@@ -606,7 +606,7 @@ static int pickNaNMulAdd(FloatClass a_cls, FloatClass b_cls, FloatClass c_cls, + * an input NaN if we have one (ie c). 
+ */ + if (infzero) { +- float_raise(float_flag_invalid, status); ++ float_raise(float_flag_invalid | float_flag_invalid_imz, status); + return 2; + } + if (status->use_first_nan) { +diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index eaa12e1e00..56b4cf7835 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -153,6 +153,7 @@ enum { + float_flag_input_denormal = 0x0020, + float_flag_output_denormal = 0x0040, + float_flag_invalid_isi = 0x0080, /* inf - inf */ ++ float_flag_invalid_imz = 0x0100, /* inf * 0 */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..f13707a407 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch 
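Review bot: Dropping `float_raise(float_flag_invalid, s);` from the `d_nan:` label in partsN(muladd) moves the duty to raise Invalid onto every `goto d_nan` site. The Inf * 0 site is covered in this hunk and the Inf - Inf site by the previous patch in the series, but the function continues outside the hunks, so any other jump to the label would now return the default NaN without setting the flag; that should be confirmed against the full function. A comment at the label would protect later edits: `/* Callers must raise float_flag_invalid (plus the specific sub-flag) before jumping here. */`.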
@@ -0,0 +1,98 @@ +From 7a36e42d9114474278ce30ba36945cc62292eb60 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 10:28:32 +0200 +Subject: [PATCH] dma: Let dma_memory_set() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_set(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=7a36e42d9114474278ce30ba36945cc62292eb60] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-3-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/nvram/fw_cfg.c | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 3 ++- + softmmu/dma-helpers.c | 5 ++--- + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index c06b30d..f7803fe 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -399,7 +399,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + * tested before. 
+ */ + if (read) { +- if (dma_memory_set(s->dma_as, dma.address, 0, len)) { ++ if (dma_memory_set(s->dma_as, dma.address, 0, len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 4c45f15..c90e74a 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -111,7 +111,8 @@ static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + uint8_t c, uint32_t size) + { +- return (dma_memory_set(&dev->as, taddr, c, size) != 0) ? ++ return (dma_memory_set(&dev->as, taddr, ++ c, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 296f3b5..d23516f 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -175,9 +175,10 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @c: constant byte to fill the memory + * @len: the number of bytes to fill with the constant byte ++ * @attrs: memory transaction attributes + */ + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len); ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs); + + /** + * address_space_map: Map a physical memory region into a host virtual address. +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7d766a5..1f07217 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -19,7 +19,7 @@ + /* #define DEBUG_IOMMU */ + + MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, +- uint8_t c, dma_addr_t len) ++ uint8_t c, dma_addr_t len, MemTxAttrs attrs) + { + dma_barrier(as, DMA_DIRECTION_FROM_DEVICE); + +@@ -31,8 +31,7 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + memset(fillbuf, c, FILLBUF_SIZE); + while (len > 0) { + l = len < FILLBUF_SIZE ? 
len : FILLBUF_SIZE; +- error |= address_space_write(as, addr, MEMTXATTRS_UNSPECIFIED, +- fillbuf, l); ++ error |= address_space_write(as, addr, attrs, fillbuf, l); + len -= l; + addr += l; + } +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch b/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch new file mode 100644 index 0000000000..c5377fbe70 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch 
@@ -0,0 +1,73 @@ +From 52f1760d2d65e1a61028cb9d8610c8a38aa44cfc Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 04/21] softfloat: Add flags specific to Inf / Inf and 0 / 0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has these flags, and it's easier to compute them here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=10cc964030fca459591d9353571f3b1b4e1b5aec] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-5-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 16 +++++++++++----- + include/fpu/softfloat-types.h | 2 ++ + 2 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index 3ed793347b..b8563cd2df 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -590,11 +590,13 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b, + } + + /* 0/0 or Inf/Inf => NaN */ +- if (unlikely(ab_mask == float_cmask_zero) || +- unlikely(ab_mask == float_cmask_inf)) { +- float_raise(float_flag_invalid, s); +- parts_default_nan(a, s); +- return a; ++ if (unlikely(ab_mask == float_cmask_zero)) { ++ float_raise(float_flag_invalid | float_flag_invalid_zdz, s); ++ goto d_nan; ++ } ++ if (unlikely(ab_mask == float_cmask_inf)) { ++ float_raise(float_flag_invalid | float_flag_invalid_idi, s); ++ goto d_nan; + } + + /* All the NaN cases */ +@@ -625,6 +627,10 @@ static FloatPartsN *partsN(div)(FloatPartsN *a, FloatPartsN *b, + float_raise(float_flag_divbyzero, s); + a->cls = float_class_inf; + return a; ++ ++ d_nan: ++ parts_default_nan(a, s); ++ return a; + } + + /* +diff --git a/include/fpu/softfloat-types.h 
b/include/fpu/softfloat-types.h +index 56b4cf7835..5a9671e564 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -154,6 +154,8 @@ enum { + float_flag_output_denormal = 0x0040, + float_flag_invalid_isi = 0x0080, /* inf - inf */ + float_flag_invalid_imz = 0x0100, /* inf * 0 */ ++ float_flag_invalid_idi = 0x0200, /* inf / inf */ ++ float_flag_invalid_zdz = 0x0400, /* 0 / 0 */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..cacb12909c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,78 @@ +From 4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 09:30:10 +0200 +Subject: [PATCH] dma: Let dma_memory_rw_relaxed() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +We will add the MemTxAttrs argument to dma_memory_rw() in +the next commit. Since dma_memory_rw_relaxed() is only used +by dma_memory_rw(), modify it first in a separate commit to +keep the next commit easier to review. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4afd0f2f220ec3dc8518b8de0d66cbf8d2fd1be7] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-4-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/sysemu/dma.h | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index d23516f..3be803c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -83,9 +83,10 @@ static inline bool dma_memory_valid(AddressSpace *as, + static inline MemTxResult dma_memory_rw_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, ++ MemTxAttrs attrs) + { +- return address_space_rw(as, addr, MEMTXATTRS_UNSPECIFIED, ++ return address_space_rw(as, addr, attrs, + buf, len, dir == DMA_DIRECTION_FROM_DEVICE); + } + +@@ -93,7 +94,9 @@ static inline MemTxResult dma_memory_read_relaxed(AddressSpace *as, + dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw_relaxed(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return 
dma_memory_rw_relaxed(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, +@@ -102,7 +105,8 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + dma_addr_t len) + { + return dma_memory_rw_relaxed(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -124,7 +128,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, ++ MEMTXATTRS_UNSPECIFIED); + } + + /** +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch b/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch new file mode 100644 index 0000000000..e4ecb496ae --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch 
@@ -0,0 +1,121 @@ +From 6bc0b2cffab0ee280ae9730262f162f25c16f6c2 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 05/21] softfloat: Add flag specific to signaling nans +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PowerPC has this flag, and it's easier to compute it here +than after the fact. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e706d4455b8d54252b11fc504c56df060151cb89] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-8-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + fpu/softfloat-parts.c.inc | 18 ++++++++++++------ + fpu/softfloat.c | 4 +++- + include/fpu/softfloat-types.h | 1 + + 3 files changed, 16 insertions(+), 7 deletions(-) + +diff --git a/fpu/softfloat-parts.c.inc b/fpu/softfloat-parts.c.inc +index b8563cd2df..9518f3dc61 100644 +--- a/fpu/softfloat-parts.c.inc ++++ b/fpu/softfloat-parts.c.inc +@@ -19,7 +19,7 @@ static void partsN(return_nan)(FloatPartsN *a, float_status *s) + { + switch (a->cls) { + case float_class_snan: +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + if (s->default_nan_mode) { + parts_default_nan(a, s); + } else { +@@ -40,7 +40,7 @@ static FloatPartsN *partsN(pick_nan)(FloatPartsN *a, FloatPartsN *b, + float_status *s) + { + if (is_snan(a->cls) || is_snan(b->cls)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + } + + if (s->default_nan_mode) { +@@ -68,7 +68,7 @@ static FloatPartsN *partsN(pick_nan_muladd)(FloatPartsN *a, FloatPartsN *b, + int which; + + if (unlikely(abc_mask & float_cmask_snan)) { +- float_raise(float_flag_invalid, s); ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); + } + 
+ which = pickNaNMulAdd(a->cls, b->cls, c->cls, +@@ -1049,8 +1049,10 @@ static int64_t partsN(float_to_sint)(FloatPartsN *p, FloatRoundMode rmode, + + switch (p->cls) { + case float_class_snan: ++ flags |= float_flag_invalid_snan; ++ /* fall through */ + case float_class_qnan: +- flags = float_flag_invalid; ++ flags |= float_flag_invalid; + r = max; + break; + +@@ -1114,8 +1116,10 @@ static uint64_t partsN(float_to_uint)(FloatPartsN *p, FloatRoundMode rmode, + + switch (p->cls) { + case float_class_snan: ++ flags |= float_flag_invalid_snan; ++ /* fall through */ + case float_class_qnan: +- flags = float_flag_invalid; ++ flags |= float_flag_invalid; + r = max; + break; + +@@ -1341,7 +1345,9 @@ static FloatRelation partsN(compare)(FloatPartsN *a, FloatPartsN *b, + } + + if (unlikely(ab_mask & float_cmask_anynan)) { +- if (!is_quiet || (ab_mask & float_cmask_snan)) { ++ if (ab_mask & float_cmask_snan) { ++ float_raise(float_flag_invalid | float_flag_invalid_snan, s); ++ } else if (!is_quiet) { + float_raise(float_flag_invalid, s); + } + return float_relation_unordered; +diff --git a/fpu/softfloat.c b/fpu/softfloat.c +index 9a28720d82..834ed3a054 100644 +--- a/fpu/softfloat.c ++++ b/fpu/softfloat.c +@@ -2543,8 +2543,10 @@ floatx80 floatx80_mod(floatx80 a, floatx80 b, float_status *status) + static void parts_float_to_ahp(FloatParts64 *a, float_status *s) + { + switch (a->cls) { +- case float_class_qnan: + case float_class_snan: ++ float_raise(float_flag_invalid_snan, s); ++ /* fall through */ ++ case float_class_qnan: + /* + * There is no NaN in the destination format. Raise Invalid + * and return a zero with the sign of the input NaN. 
+diff --git a/include/fpu/softfloat-types.h b/include/fpu/softfloat-types.h +index 5a9671e564..e557b9126b 100644 +--- a/include/fpu/softfloat-types.h ++++ b/include/fpu/softfloat-types.h +@@ -156,6 +156,7 @@ enum { + float_flag_invalid_imz = 0x0100, /* inf * 0 */ + float_flag_invalid_idi = 0x0200, /* inf / inf */ + float_flag_invalid_zdz = 0x0400, /* 0 / 0 */ ++ float_flag_invalid_snan = 0x2000, /* any operand was snan */ + }; + + /* +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..e5daf966d5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch 
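Review bot: In partsN(float_to_sint) and partsN(float_to_uint) the NaN cases change from `flags = float_flag_invalid;` to `flags |= ...`, which is only correct if `flags` is already zero when the switch is entered. Its declaration is outside the hunk, so check that it is initialised to 0 there rather than first assigned inside the switch. In parts_float_to_ahp() the sNaN case raises `float_flag_invalid_snan` alone and relies on the fall-through code, also outside the hunk, to raise `float_flag_invalid`. The new enum value `0x2000` skips `0x0800` and `0x1000` without explanation; if those bits belong to flags from upstream patches not included in this backport, a short comment saying they are reserved would stop a later local patch from reusing them.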
@@ -0,0 +1,158 @@ +From 23faf5694ff8054b847e9733297727be4a641132 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 09:37:43 +0200 +Subject: [PATCH] dma: Let dma_memory_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_rw(). + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=23faf5694ff8054b847e9733297727be4a641132] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-5-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/intc/spapr_xive.c | 3 ++- + hw/usb/hcd-ohci.c | 10 ++++++---- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + softmmu/dma-helpers.c | 3 ++- + 5 files changed, 18 insertions(+), 12 deletions(-) + +diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c +index 4ec659b..eae95c7 100644 +--- a/hw/intc/spapr_xive.c ++++ b/hw/intc/spapr_xive.c +@@ -1684,7 +1684,8 @@ static target_ulong h_int_esb(PowerPCCPU *cpu, + mmio_addr = xive->vc_base + xive_source_esb_mgmt(xsrc, lisn) + offset; + + if (dma_memory_rw(&address_space_memory, mmio_addr, &data, 8, +- (flags & SPAPR_XIVE_ESB_STORE))) { ++ (flags & SPAPR_XIVE_ESB_STORE), ++ MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to access ESB @0x%" + HWADDR_PRIx "\n", mmio_addr); + return H_HARDWARE; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 1cf2816..56e2315 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -586,7 +586,8 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + if (n > len) + n = 
len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -595,7 +596,7 @@ static int ohci_copy_td(OHCIState *ohci, struct ohci_td *td, + ptr = td->be & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +@@ -613,7 +614,8 @@ static int ohci_copy_iso_td(OHCIState *ohci, + if (n > len) + n = len; + +- if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, n, dir)) { ++ if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, ++ n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + if (n == len) { +@@ -622,7 +624,7 @@ static int ohci_copy_iso_td(OHCIState *ohci, + ptr = end_addr & ~0xfffu; + buf += n; + if (dma_memory_rw(ohci->as, ptr + ohci->localmem_base, buf, +- len - n, dir)) { ++ len - n, dir, MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + return 0; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index e7cdf2d..4383f1c 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -808,7 +808,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, + DMADirection dir) + { +- return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, dir); ++ return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, ++ dir, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 3be803c..e8ad422 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -121,15 +121,15 @@ static inline MemTxResult dma_memory_write_relaxed(AddressSpace *as, + * @buf: buffer with the data transferred + * @len: the number of bytes to read or write + * @dir: indicates the transfer direction ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult 
dma_memory_rw(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + dma_barrier(as, dir); + +- return dma_memory_rw_relaxed(as, addr, buf, len, dir, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_memory_rw_relaxed(as, addr, buf, len, dir, attrs); + } + + /** +@@ -147,7 +147,8 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return dma_memory_rw(as, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return dma_memory_rw(as, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -166,7 +167,7 @@ static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, + const void *buf, dma_addr_t len) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 1f07217..5bf76ff 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -305,7 +305,8 @@ static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, ++ MEMTXATTRS_UNSPECIFIED); + ptr += xfer; + len -= xfer; + resid -= xfer; +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch b/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch new file mode 100644 index 0000000000..5f38c7265f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch 
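Review bot: The patch header of 0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch carries `CVE: CVE-2021-3611`, but nothing in it changes behaviour. `dma_memory_rw()` gains an `attrs` parameter, and every call site shown (spapr_xive.c, hcd-ohci.c, pci.h, dma.h, dma-helpers.c) passes `MEMTXATTRS_UNSPECIFIED`, the value the function previously hard-coded when calling `dma_memory_rw_relaxed()`. Yocto's CVE checking reads the `CVE:` tag from applied patches, so this file on its own would mark the CVE as patched even if the later patches that actually fix it were dropped or reordered. The description should say so explicitly, for example `Preparatory API change for the CVE-2021-3611 fix; no functional change on its own.`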
@@ -0,0 +1,114 @@ +From ba4a60dd5df31b9fff8b7b8006bf9f15140cc6c5 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 06/21] target/ppc: Update float_invalid_op_addsub for new + flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vxisi and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=941298ecd7e3103d3789d2dd87dd0f119e81c69e] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-9-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------ + 1 file changed, 14 insertions(+), 24 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index c4896cecc8..f0deada84b 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -450,13 +450,12 @@ void helper_reset_fpstatus(CPUPPCState *env) + set_float_exception_flags(0, &env->fp_status); + } + +-static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_addsub(CPUPPCState *env, int flags, ++ bool set_fpcc, uintptr_t retaddr) + { +- if ((classes & ~is_neg) == is_inf) { +- /* Magnitude subtraction of infinities */ ++ if (flags & float_flag_invalid_isi) { + float_invalid_op_vxisi(env, set_fpcc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -465,12 +464,10 @@ static void float_invalid_op_addsub(CPUPPCState *env, bool set_fpcc, + float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_add(arg1, arg2, &env->fp_status); +- int 
status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_addsub(env, flags, 1, GETPC()); + } + + return ret; +@@ -480,12 +477,10 @@ float64 helper_fadd(CPUPPCState *env, float64 arg1, float64 arg2) + float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_sub(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_addsub(env, flags, 1, GETPC()); + } + + return ret; +@@ -1616,9 +1611,8 @@ void helper_##name(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_addsub(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_addsub(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +@@ -1660,9 +1654,7 @@ void helper_xsaddqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC()); + } + + helper_compute_fprf_float128(env, t.f128); +@@ -3278,9 +3270,7 @@ void helper_xssubqp(CPUPPCState *env, uint32_t opcode, + 
env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_addsub(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_addsub(env, tstat.float_exception_flags, 1, GETPC()); + } + + helper_compute_fprf_float128(env, t.f128); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..1973e477f3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch 
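Review bot: The new signature of `float_invalid_op_addsub()` puts `int flags` in the position that `bool set_fpcc` used to occupy, and the remaining parameters are `bool` and `uintptr_t`, so a call left in the old order `(env, 1, GETPC(), classes)` would still compile while passing the wrong values. The patch updates five callers (helper_fadd, helper_fsub, the `helper_##name` macro, helper_xsaddqp, helper_xssubqp), and the last three are only partly visible in their hunks. Whether the backported target/ppc/fpu_helper.c has any other caller cannot be seen from here and should be checked before merge. The function now depends entirely on softfloat having set `float_flag_invalid_isi` or `float_flag_invalid_snan`, so a comment above it would help, e.g. `/* flags: softfloat exception flags from the operation that raised float_flag_invalid */`.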
@@ -0,0 +1,1453 @@ +From ba06fe8add5b788956a7317246c6280dfc157040 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 10:08:29 +0200 +Subject: [PATCH] dma: Let dma_memory_read/write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_read() or dma_memory_write(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + ( + - dma_memory_read(E1, E2, E3, E4) + + dma_memory_read(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + | + - dma_memory_write(E1, E2, E3, E4) + + dma_memory_write(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + ) + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ba06fe8add5b788956a7317246c6280dfc157040] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. 
Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-6-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/arm/musicpal.c | 13 +++++++------ + hw/arm/smmu-common.c | 3 ++- + hw/arm/smmuv3.c | 14 +++++++++----- + hw/core/generic-loader.c | 3 ++- + hw/dma/pl330.c | 12 ++++++++---- + hw/dma/sparc32_dma.c | 16 ++++++++++------ + hw/dma/xlnx-zynq-devcfg.c | 6 ++++-- + hw/dma/xlnx_dpdma.c | 10 ++++++---- + hw/i386/amd_iommu.c | 16 +++++++++------- + hw/i386/intel_iommu.c | 28 +++++++++++++++++----------- + hw/ide/macio.c | 2 +- + hw/intc/xive.c | 7 ++++--- + hw/misc/bcm2835_property.c | 3 ++- + hw/misc/macio/mac_dbdma.c | 10 ++++++---- + hw/net/allwinner-sun8i-emac.c | 18 ++++++++++++------ + hw/net/ftgmac100.c | 25 ++++++++++++++++--------- + hw/net/imx_fec.c | 32 ++++++++++++++++++++------------ + hw/net/npcm7xx_emc.c | 20 ++++++++++++-------- + hw/nvram/fw_cfg.c | 9 ++++++--- + hw/pci-host/pnv_phb3.c | 5 +++-- + hw/pci-host/pnv_phb3_msi.c | 9 ++++++--- + hw/pci-host/pnv_phb4.c | 5 +++-- + hw/sd/allwinner-sdhost.c | 14 ++++++++------ + hw/sd/sdhci.c | 35 ++++++++++++++++++++++------------- + hw/usb/hcd-dwc2.c | 8 ++++---- + hw/usb/hcd-ehci.c | 6 ++++-- + hw/usb/hcd-ohci.c | 18 +++++++++++------- + hw/usb/hcd-xhci.c | 18 +++++++++++------- + include/hw/ppc/spapr_vio.h | 6 ++++-- + include/sysemu/dma.h | 20 ++++++++++++-------- + 30 files changed, 241 insertions(+), 150 deletions(-) + +diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c +index 2d612cc..2680ec5 100644 +--- a/hw/arm/musicpal.c ++++ b/hw/arm/musicpal.c +@@ -185,13 +185,13 @@ static void eth_rx_desc_put(AddressSpace *dma_as, uint32_t addr, + cpu_to_le16s(&desc->buffer_size); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), 
MEMTXATTRS_UNSPECIFIED); + } + + static void eth_rx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_rx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->bytes); + le16_to_cpus(&desc->buffer_size); +@@ -215,7 +215,7 @@ static ssize_t eth_receive(NetClientState *nc, const uint8_t *buf, size_t size) + eth_rx_desc_get(&s->dma_as, desc_addr, &desc); + if ((desc.cmdstat & MP_ETH_RX_OWN) && desc.buffer_size >= size) { + dma_memory_write(&s->dma_as, desc.buffer + s->vlan_header, +- buf, size); ++ buf, size, MEMTXATTRS_UNSPECIFIED); + desc.bytes = size + s->vlan_header; + desc.cmdstat &= ~MP_ETH_RX_OWN; + s->cur_rx[i] = desc.next; +@@ -241,13 +241,13 @@ static void eth_tx_desc_put(AddressSpace *dma_as, uint32_t addr, + cpu_to_le16s(&desc->bytes); + cpu_to_le32s(&desc->buffer); + cpu_to_le32s(&desc->next); +- dma_memory_write(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_write(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + } + + static void eth_tx_desc_get(AddressSpace *dma_as, uint32_t addr, + mv88w8618_tx_desc *desc) + { +- dma_memory_read(dma_as, addr, desc, sizeof(*desc)); ++ dma_memory_read(dma_as, addr, desc, sizeof(*desc), MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&desc->cmdstat); + le16_to_cpus(&desc->res); + le16_to_cpus(&desc->bytes); +@@ -269,7 +269,8 @@ static void eth_send(mv88w8618_eth_state *s, int queue_index) + if (desc.cmdstat & MP_ETH_TX_OWN) { + len = desc.bytes; + if (len < 2048) { +- dma_memory_read(&s->dma_as, desc.buffer, buf, len); ++ dma_memory_read(&s->dma_as, desc.buffer, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + qemu_send_packet(qemu_get_queue(s->nic), buf, len); + } + desc.cmdstat &= ~MP_ETH_TX_OWN; +diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c +index 0459850..e09b9c1 100644 +--- a/hw/arm/smmu-common.c ++++ b/hw/arm/smmu-common.c +@@ -193,7 +193,8 @@ static 
int get_pte(dma_addr_t baseaddr, uint32_t index, uint64_t *pte, + dma_addr_t addr = baseaddr + index * sizeof(*pte); + + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte)); ++ ret = dma_memory_read(&address_space_memory, addr, pte, sizeof(*pte), ++ MEMTXATTRS_UNSPECIFIED); + + if (ret != MEMTX_OK) { + info->type = SMMU_PTW_ERR_WALK_EABT; +diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c +index 01b60be..3b43368 100644 +--- a/hw/arm/smmuv3.c ++++ b/hw/arm/smmuv3.c +@@ -102,7 +102,8 @@ static inline MemTxResult queue_read(SMMUQueue *q, void *data) + { + dma_addr_t addr = Q_CONS_ENTRY(q); + +- return dma_memory_read(&address_space_memory, addr, data, q->entry_size); ++ return dma_memory_read(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + } + + static MemTxResult queue_write(SMMUQueue *q, void *data) +@@ -110,7 +111,8 @@ static MemTxResult queue_write(SMMUQueue *q, void *data) + dma_addr_t addr = Q_PROD_ENTRY(q); + MemTxResult ret; + +- ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size); ++ ret = dma_memory_write(&address_space_memory, addr, data, q->entry_size, ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + return ret; + } +@@ -285,7 +287,8 @@ static int smmu_get_ste(SMMUv3State *s, dma_addr_t addr, STE *buf, + + trace_smmuv3_get_ste(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -306,7 +309,8 @@ static int smmu_get_cd(SMMUv3State *s, STE *ste, uint32_t ssid, + + trace_smmuv3_get_cd(addr); + /* TODO: guarantee 64-bit single-copy atomicity */ +- ret = dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf)); ++ ret = 
dma_memory_read(&address_space_memory, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Cannot fetch pte at address=0x%"PRIx64"\n", addr); +@@ -411,7 +415,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, + l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std)); + /* TODO: guarantee 64-bit single-copy atomicity */ + ret = dma_memory_read(&address_space_memory, l1ptr, &l1std, +- sizeof(l1std)); ++ sizeof(l1std), MEMTXATTRS_UNSPECIFIED); + if (ret != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "Could not read L1PTR at 0X%"PRIx64"\n", l1ptr); +diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c +index d14f932..9a24ffb 100644 +--- a/hw/core/generic-loader.c ++++ b/hw/core/generic-loader.c +@@ -57,7 +57,8 @@ static void generic_loader_reset(void *opaque) + + if (s->data_len) { + assert(s->data_len < sizeof(s->data)); +- dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len); ++ dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len, ++ MEMTXATTRS_UNSPECIFIED); + } + } + +diff --git a/hw/dma/pl330.c b/hw/dma/pl330.c +index 0cb4619..31ce01b 100644 +--- a/hw/dma/pl330.c ++++ b/hw/dma/pl330.c +@@ -1111,7 +1111,8 @@ static inline const PL330InsnDesc *pl330_fetch_insn(PL330Chan *ch) + uint8_t opcode; + int i; + +- dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1); ++ dma_memory_read(ch->parent->mem_as, ch->pc, &opcode, 1, ++ MEMTXATTRS_UNSPECIFIED); + for (i = 0; insn_desc[i].size; i++) { + if ((opcode & insn_desc[i].opmask) == insn_desc[i].opcode) { + return &insn_desc[i]; +@@ -1125,7 +1126,8 @@ static inline void pl330_exec_insn(PL330Chan *ch, const PL330InsnDesc *insn) + uint8_t buf[PL330_INSN_MAXSIZE]; + + assert(insn->size <= PL330_INSN_MAXSIZE); +- dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size); ++ dma_memory_read(ch->parent->mem_as, ch->pc, buf, insn->size, ++ MEMTXATTRS_UNSPECIFIED); + insn->exec(ch, buf[0], &buf[1], insn->size 
- 1); + } + +@@ -1189,7 +1191,8 @@ static int pl330_exec_cycle(PL330Chan *channel) + if (q != NULL && q->len <= pl330_fifo_num_free(&s->fifo)) { + int len = q->len - (q->addr & (q->len - 1)); + +- dma_memory_read(s->mem_as, q->addr, buf, len); ++ dma_memory_read(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +@@ -1220,7 +1223,8 @@ static int pl330_exec_cycle(PL330Chan *channel) + fifo_res = pl330_fifo_get(&s->fifo, buf, len, q->tag); + } + if (fifo_res == PL330_FIFO_OK || q->z) { +- dma_memory_write(s->mem_as, q->addr, buf, len); ++ dma_memory_write(s->mem_as, q->addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + trace_pl330_exec_cycle(q->addr, len); + if (trace_event_get_state_backends(TRACE_PL330_HEXDUMP)) { + pl330_hexdump(buf, len); +diff --git a/hw/dma/sparc32_dma.c b/hw/dma/sparc32_dma.c +index 03bc500..0ef13c5 100644 +--- a/hw/dma/sparc32_dma.c ++++ b/hw/dma/sparc32_dma.c +@@ -81,11 +81,11 @@ void ledma_memory_read(void *opaque, hwaddr addr, + addr |= s->dmaregs[3]; + trace_ledma_memory_read(addr, len); + if (do_bswap) { +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +- dma_memory_read(&is->iommu_as, addr, buf, len); ++ dma_memory_read(&is->iommu_as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + for(i = 0; i < len; i += 2) { + bswap16s((uint16_t *)(buf + i)); + } +@@ -103,7 +103,8 @@ void ledma_memory_write(void *opaque, hwaddr addr, + addr |= s->dmaregs[3]; + trace_ledma_memory_write(addr, len); + if (do_bswap) { +- dma_memory_write(&is->iommu_as, addr, buf, len); ++ dma_memory_write(&is->iommu_as, addr, buf, len, ++ MEMTXATTRS_UNSPECIFIED); + } else { + addr &= ~1; + len &= ~1; +@@ -114,7 +115,8 @@ void ledma_memory_write(void *opaque, hwaddr addr, + for(i = 0; i < l; i += 2) { + tmp_buf[i >> 1] = 
bswap16(*(uint16_t *)(buf + i)); + } +- dma_memory_write(&is->iommu_as, addr, tmp_buf, l); ++ dma_memory_write(&is->iommu_as, addr, tmp_buf, l, ++ MEMTXATTRS_UNSPECIFIED); + len -= l; + buf += l; + addr += l; +@@ -148,7 +150,8 @@ void espdma_memory_read(void *opaque, uint8_t *buf, int len) + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_read(s->dmaregs[1], len); +- dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_read(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +@@ -158,7 +161,8 @@ void espdma_memory_write(void *opaque, uint8_t *buf, int len) + IOMMUState *is = (IOMMUState *)s->iommu; + + trace_espdma_memory_write(s->dmaregs[1], len); +- dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len); ++ dma_memory_write(&is->iommu_as, s->dmaregs[1], buf, len, ++ MEMTXATTRS_UNSPECIFIED); + s->dmaregs[1] += len; + } + +diff --git a/hw/dma/xlnx-zynq-devcfg.c b/hw/dma/xlnx-zynq-devcfg.c +index e33112b..f5ad1a0 100644 +--- a/hw/dma/xlnx-zynq-devcfg.c ++++ b/hw/dma/xlnx-zynq-devcfg.c +@@ -161,12 +161,14 @@ static void xlnx_zynq_devcfg_dma_go(XlnxZynqDevcfg *s) + btt = MIN(btt, dmah->dest_len); + } + DB_PRINT("reading %x bytes from %x\n", btt, dmah->src_addr); +- dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt); ++ dma_memory_read(&address_space_memory, dmah->src_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->src_len -= btt; + dmah->src_addr += btt; + if (loopback && (dmah->src_len || dmah->dest_len)) { + DB_PRINT("writing %x bytes from %x\n", btt, dmah->dest_addr); +- dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt); ++ dma_memory_write(&address_space_memory, dmah->dest_addr, buf, btt, ++ MEMTXATTRS_UNSPECIFIED); + dmah->dest_len -= btt; + dmah->dest_addr += btt; + } +diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c +index 967548a..2d7eae7 100644 +--- a/hw/dma/xlnx_dpdma.c ++++ b/hw/dma/xlnx_dpdma.c +@@ -652,7 +652,7 @@ size_t 
xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + } + + if (dma_memory_read(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor))) { ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_EISR] |= ((1 << 1) << channel); + xlnx_dpdma_update_irq(s); + s->operation_finished[channel] = true; +@@ -708,7 +708,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + if (dma_memory_read(&address_space_memory, + source_addr[0], + &s->data[channel][ptr], +- line_size)) { ++ line_size, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -736,7 +737,8 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + if (dma_memory_read(&address_space_memory, + source_addr[frag], + &(s->data[channel][ptr]), +- fragment_len)) { ++ fragment_len, ++ MEMTXATTRS_UNSPECIFIED)) { + s->registers[DPDMA_ISR] |= ((1 << 12) << channel); + xlnx_dpdma_update_irq(s); + DPRINTF("Can't get data.\n"); +@@ -754,7 +756,7 @@ size_t xlnx_dpdma_start_operation(XlnxDPDMAState *s, uint8_t channel, + DPRINTF("update the descriptor with the done flag set.\n"); + xlnx_dpdma_desc_set_done(&desc); + dma_memory_write(&address_space_memory, desc_addr, &desc, +- sizeof(DPDMADescriptor)); ++ sizeof(DPDMADescriptor), MEMTXATTRS_UNSPECIFIED); + } + + if (xlnx_dpdma_desc_completion_interrupt(&desc)) { +diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c +index 91fe34a..4d13d8e 100644 +--- a/hw/i386/amd_iommu.c ++++ b/hw/i386/amd_iommu.c +@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt) + } + + if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail, +- evt, AMDVI_EVENT_LEN)) { ++ evt, AMDVI_EVENT_LEN, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail); + } + +@@ -376,7 +376,8 @@ static void amdvi_completion_wait(AMDVIState *s, uint64_t *cmd) + } + if 
(extract64(cmd[0], 0, 1)) { + if (dma_memory_write(&address_space_memory, addr, &data, +- AMDVI_COMPLETION_DATA_SIZE)) { ++ AMDVI_COMPLETION_DATA_SIZE, ++ MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_completion_wait_fail(addr); + } + } +@@ -502,7 +503,7 @@ static void amdvi_cmdbuf_exec(AMDVIState *s) + uint64_t cmd[2]; + + if (dma_memory_read(&address_space_memory, s->cmdbuf + s->cmdbuf_head, +- cmd, AMDVI_COMMAND_SIZE)) { ++ cmd, AMDVI_COMMAND_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_command_read_fail(s->cmdbuf, s->cmdbuf_head); + amdvi_log_command_error(s, s->cmdbuf + s->cmdbuf_head); + return; +@@ -836,7 +837,7 @@ static bool amdvi_get_dte(AMDVIState *s, int devid, uint64_t *entry) + uint32_t offset = devid * AMDVI_DEVTAB_ENTRY_SIZE; + + if (dma_memory_read(&address_space_memory, s->devtab + offset, entry, +- AMDVI_DEVTAB_ENTRY_SIZE)) { ++ AMDVI_DEVTAB_ENTRY_SIZE, MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_dte_get_fail(s->devtab, offset); + /* log error accessing dte */ + amdvi_log_devtab_error(s, devid, s->devtab + offset, 0); +@@ -881,7 +882,8 @@ static inline uint64_t amdvi_get_pte_entry(AMDVIState *s, uint64_t pte_addr, + { + uint64_t pte; + +- if (dma_memory_read(&address_space_memory, pte_addr, &pte, sizeof(pte))) { ++ if (dma_memory_read(&address_space_memory, pte_addr, ++ &pte, sizeof(pte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_get_pte_hwerror(pte_addr); + amdvi_log_pagetab_error(s, devid, pte_addr, 0); + pte = 0; +@@ -1048,7 +1050,7 @@ static int amdvi_get_irte(AMDVIState *s, MSIMessage *origin, uint64_t *dte, + trace_amdvi_ir_irte(irte_root, offset); + + if (dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte"); + return -AMDVI_IR_GET_IRTE; + } +@@ -1108,7 +1110,7 @@ static int amdvi_get_irte_ga(AMDVIState *s, MSIMessage *origin, uint64_t *dte, + trace_amdvi_ir_irte(irte_root, offset); + + if 
(dma_memory_read(&address_space_memory, irte_root + offset, +- irte, sizeof(*irte))) { ++ irte, sizeof(*irte), MEMTXATTRS_UNSPECIFIED)) { + trace_amdvi_ir_err("failed to get irte_ga"); + return -AMDVI_IR_GET_IRTE; + } +diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c +index f584449..5b865ac 100644 +--- a/hw/i386/intel_iommu.c ++++ b/hw/i386/intel_iommu.c +@@ -569,7 +569,8 @@ static int vtd_get_root_entry(IntelIOMMUState *s, uint8_t index, + dma_addr_t addr; + + addr = s->root + index * sizeof(*re); +- if (dma_memory_read(&address_space_memory, addr, re, sizeof(*re))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ re, sizeof(*re), MEMTXATTRS_UNSPECIFIED)) { + re->lo = 0; + return -VTD_FR_ROOT_TABLE_INV; + } +@@ -602,7 +603,8 @@ static int vtd_get_context_entry_from_root(IntelIOMMUState *s, + } + + addr = addr + index * ce_size; +- if (dma_memory_read(&address_space_memory, addr, ce, ce_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ ce, ce_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_CONTEXT_TABLE_INV; + } + +@@ -639,8 +641,8 @@ static uint64_t vtd_get_slpte(dma_addr_t base_addr, uint32_t index) + assert(index < VTD_SL_PT_ENTRY_NR); + + if (dma_memory_read(&address_space_memory, +- base_addr + index * sizeof(slpte), &slpte, +- sizeof(slpte))) { ++ base_addr + index * sizeof(slpte), ++ &slpte, sizeof(slpte), MEMTXATTRS_UNSPECIFIED)) { + slpte = (uint64_t)-1; + return slpte; + } +@@ -704,7 +706,8 @@ static int vtd_get_pdire_from_pdir_table(dma_addr_t pasid_dir_base, + index = VTD_PASID_DIR_INDEX(pasid); + entry_size = VTD_PASID_DIR_ENTRY_SIZE; + addr = pasid_dir_base + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pdire, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pdire, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -728,7 +731,8 @@ static int vtd_get_pe_in_pasid_leaf_table(IntelIOMMUState *s, + index = VTD_PASID_TABLE_INDEX(pasid); + 
entry_size = VTD_PASID_ENTRY_SIZE; + addr = addr + index * entry_size; +- if (dma_memory_read(&address_space_memory, addr, pe, entry_size)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ pe, entry_size, MEMTXATTRS_UNSPECIFIED)) { + return -VTD_FR_PASID_TABLE_INV; + } + +@@ -2275,7 +2279,8 @@ static bool vtd_get_inv_desc(IntelIOMMUState *s, + uint32_t dw = s->iq_dw ? 32 : 16; + dma_addr_t addr = base_addr + offset * dw; + +- if (dma_memory_read(&address_space_memory, addr, inv_desc, dw)) { ++ if (dma_memory_read(&address_space_memory, addr, ++ inv_desc, dw, MEMTXATTRS_UNSPECIFIED)) { + error_report_once("Read INV DESC failed."); + return false; + } +@@ -2308,8 +2313,9 @@ static bool vtd_process_wait_desc(IntelIOMMUState *s, VTDInvDesc *inv_desc) + dma_addr_t status_addr = inv_desc->hi; + trace_vtd_inv_desc_wait_sw(status_addr, status_data); + status_data = cpu_to_le32(status_data); +- if (dma_memory_write(&address_space_memory, status_addr, &status_data, +- sizeof(status_data))) { ++ if (dma_memory_write(&address_space_memory, status_addr, ++ &status_data, sizeof(status_data), ++ MEMTXATTRS_UNSPECIFIED)) { + trace_vtd_inv_desc_wait_write_fail(inv_desc->hi, inv_desc->lo); + return false; + } +@@ -3120,8 +3126,8 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index, + } + + addr = iommu->intr_root + index * sizeof(*entry); +- if (dma_memory_read(&address_space_memory, addr, entry, +- sizeof(*entry))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ entry, sizeof(*entry), MEMTXATTRS_UNSPECIFIED)) { + error_report_once("%s: read failed: ind=0x%x addr=0x%" PRIx64, + __func__, index, addr); + return -VTD_FR_IR_ROOT_INVAL; +diff --git a/hw/ide/macio.c b/hw/ide/macio.c +index b03d401..f08318c 100644 +--- a/hw/ide/macio.c ++++ b/hw/ide/macio.c +@@ -97,7 +97,7 @@ static void pmac_ide_atapi_transfer_cb(void *opaque, int ret) + /* Non-block ATAPI transfer - just copy to RAM */ + s->io_buffer_size = MIN(s->io_buffer_size, io->len); + 
dma_memory_write(&address_space_memory, io->addr, s->io_buffer, +- s->io_buffer_size); ++ s->io_buffer_size, MEMTXATTRS_UNSPECIFIED); + io->len = 0; + ide_atapi_cmd_ok(s); + m->dma_active = false; +diff --git a/hw/intc/xive.c b/hw/intc/xive.c +index 190194d..f15f985 100644 +--- a/hw/intc/xive.c ++++ b/hw/intc/xive.c +@@ -1246,8 +1246,8 @@ void xive_end_queue_pic_print_info(XiveEND *end, uint32_t width, Monitor *mon) + uint64_t qaddr = qaddr_base + (qindex << 2); + uint32_t qdata = -1; + +- if (dma_memory_read(&address_space_memory, qaddr, &qdata, +- sizeof(qdata))) { ++ if (dma_memory_read(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to read EQ @0x%" + HWADDR_PRIx "\n", qaddr); + return; +@@ -1311,7 +1311,8 @@ static void xive_end_enqueue(XiveEND *end, uint32_t data) + uint32_t qdata = cpu_to_be32((qgen << 31) | (data & 0x7fffffff)); + uint32_t qentries = 1 << (qsize + 10); + +- if (dma_memory_write(&address_space_memory, qaddr, &qdata, sizeof(qdata))) { ++ if (dma_memory_write(&address_space_memory, qaddr, ++ &qdata, sizeof(qdata), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "XIVE: failed to write END data @0x%" + HWADDR_PRIx "\n", qaddr); + return; +diff --git a/hw/misc/bcm2835_property.c b/hw/misc/bcm2835_property.c +index 73941bd..76ea511 100644 +--- a/hw/misc/bcm2835_property.c ++++ b/hw/misc/bcm2835_property.c +@@ -69,7 +69,8 @@ static void bcm2835_property_mbox_push(BCM2835PropertyState *s, uint32_t value) + break; + case 0x00010003: /* Get board MAC address */ + resplen = sizeof(s->macaddr.a); +- dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen); ++ dma_memory_write(&s->dma_as, value + 12, s->macaddr.a, resplen, ++ MEMTXATTRS_UNSPECIFIED); + break; + case 0x00010004: /* Get board serial */ + qemu_log_mask(LOG_UNIMP, +diff --git a/hw/misc/macio/mac_dbdma.c b/hw/misc/macio/mac_dbdma.c +index e220f1a..efcc026 100644 +--- 
a/hw/misc/macio/mac_dbdma.c ++++ b/hw/misc/macio/mac_dbdma.c +@@ -94,7 +94,7 @@ static void dbdma_cmdptr_load(DBDMA_channel *ch) + DBDMA_DPRINTFCH(ch, "dbdma_cmdptr_load 0x%08x\n", + ch->regs[DBDMA_CMDPTR_LO]); + dma_memory_read(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void dbdma_cmdptr_save(DBDMA_channel *ch) +@@ -104,7 +104,7 @@ static void dbdma_cmdptr_save(DBDMA_channel *ch) + le16_to_cpu(ch->current.xfer_status), + le16_to_cpu(ch->current.res_count)); + dma_memory_write(&address_space_memory, ch->regs[DBDMA_CMDPTR_LO], +- &ch->current, sizeof(dbdma_cmd)); ++ &ch->current, sizeof(dbdma_cmd), MEMTXATTRS_UNSPECIFIED); + } + + static void kill_channel(DBDMA_channel *ch) +@@ -371,7 +371,8 @@ static void load_word(DBDMA_channel *ch, int key, uint32_t addr, + return; + } + +- dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_read(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +@@ -403,7 +404,8 @@ static void store_word(DBDMA_channel *ch, int key, uint32_t addr, + return; + } + +- dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len); ++ dma_memory_write(&address_space_memory, addr, ¤t->cmd_dep, len, ++ MEMTXATTRS_UNSPECIFIED); + + if (conditional_wait(ch)) + goto wait; +diff --git a/hw/net/allwinner-sun8i-emac.c b/hw/net/allwinner-sun8i-emac.c +index ff611f1..ecc0245 100644 +--- a/hw/net/allwinner-sun8i-emac.c ++++ b/hw/net/allwinner-sun8i-emac.c +@@ -350,7 +350,8 @@ static void allwinner_sun8i_emac_get_desc(AwSun8iEmacState *s, + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static uint32_t allwinner_sun8i_emac_next_desc(AwSun8iEmacState *s, +@@ -402,7 +403,8 @@ static void 
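Review bot: The result of `dma_memory_read()` is still discarded in `dbdma_cmdptr_load`, so when the guest-programmed `ch->regs[DBDMA_CMDPTR_LO]` does not resolve, `ch->current` presumably keeps its earlier contents and is then interpreted as a freshly loaded command. Since the call is being rewritten anyway, I would test it, `if (dma_memory_read(..., MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {`, log with `qemu_log_mask(LOG_GUEST_ERROR, ...)` as `ftgmac100_read_bd` does, and avoid consuming `ch->current` on that path. The same unchecked read is kept in `load_word`, `allwinner_sun8i_emac_get_desc`, `imx_fec_read_bd`, `get_adma_description`, the EHCI `get_dwords` and `xhci_ring_fetch`. The body of `dbdma_cmdptr_load` starts outside this hunk, so how callers would learn of the failure cannot be judged from here.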
allwinner_sun8i_emac_flush_desc(AwSun8iEmacState *s, + FrameDescriptor *desc, + uint32_t phys_addr) + { +- dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, phys_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool allwinner_sun8i_emac_can_receive(NetClientState *nc) +@@ -460,7 +462,8 @@ static ssize_t allwinner_sun8i_emac_receive(NetClientState *nc, + << RX_DESC_STATUS_FRM_LEN_SHIFT; + } + +- dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes); ++ dma_memory_write(&s->dma_as, desc.addr, buf, desc_bytes, ++ MEMTXATTRS_UNSPECIFIED); + allwinner_sun8i_emac_flush_desc(s, &desc, s->rx_desc_curr); + trace_allwinner_sun8i_emac_receive(s->rx_desc_curr, desc.addr, + desc_bytes); +@@ -512,7 +515,8 @@ static void allwinner_sun8i_emac_transmit(AwSun8iEmacState *s) + desc.status |= TX_DESC_STATUS_LENGTH_ERR; + break; + } +- dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, bytes); ++ dma_memory_read(&s->dma_as, desc.addr, packet_buf + packet_bytes, ++ bytes, MEMTXATTRS_UNSPECIFIED); + packet_bytes += bytes; + desc.status &= ~DESC_STATUS_CTL; + allwinner_sun8i_emac_flush_desc(s, &desc, s->tx_desc_curr); +@@ -634,7 +638,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, + break; + case REG_TX_CUR_BUF: /* Transmit Current Buffer */ + if (s->tx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->tx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +@@ -647,7 +652,8 @@ static uint64_t allwinner_sun8i_emac_read(void *opaque, hwaddr offset, + break; + case REG_RX_CUR_BUF: /* Receive Current Buffer */ + if (s->rx_desc_curr != 0) { +- dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc)); ++ dma_memory_read(&s->dma_as, s->rx_desc_curr, &desc, sizeof(desc), ++ MEMTXATTRS_UNSPECIFIED); + value = desc.addr; + } else { + value = 0; +diff --git 
a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c +index 25685ba..83ef0a7 100644 +--- a/hw/net/ftgmac100.c ++++ b/hw/net/ftgmac100.c +@@ -453,7 +453,8 @@ static void do_phy_ctl(FTGMAC100State *s) + + static int ftgmac100_read_bd(FTGMAC100Desc *bd, dma_addr_t addr) + { +- if (dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd))) { ++ if (dma_memory_read(&address_space_memory, addr, ++ bd, sizeof(*bd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -473,7 +474,8 @@ static int ftgmac100_write_bd(FTGMAC100Desc *bd, dma_addr_t addr) + lebd.des1 = cpu_to_le32(bd->des1); + lebd.des2 = cpu_to_le32(bd->des2); + lebd.des3 = cpu_to_le32(bd->des3); +- if (dma_memory_write(&address_space_memory, addr, &lebd, sizeof(lebd))) { ++ if (dma_memory_write(&address_space_memory, addr, ++ &lebd, sizeof(lebd), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -554,7 +556,8 @@ static void ftgmac100_do_tx(FTGMAC100State *s, uint32_t tx_ring, + len = sizeof(s->frame) - frame_size; + } + +- if (dma_memory_read(&address_space_memory, bd.des3, ptr, len)) { ++ if (dma_memory_read(&address_space_memory, bd.des3, ++ ptr, len, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to read packet @ 0x%x\n", + __func__, bd.des3); + s->isr |= FTGMAC100_INT_AHB_ERR; +@@ -1030,20 +1033,24 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf, + bd.des1 = lduw_be_p(buf + 14) | FTGMAC100_RXDES1_VLANTAG_AVAIL; + + if (s->maccr & FTGMAC100_MACCR_RM_VLAN) { +- dma_memory_write(&address_space_memory, buf_addr, buf, 12); +- dma_memory_write(&address_space_memory, buf_addr + 12, buf + 16, +- buf_len - 16); ++ dma_memory_write(&address_space_memory, buf_addr, buf, 12, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(&address_space_memory, buf_addr + 12, ++ buf + 16, 
buf_len - 16, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, ++ buf_len, MEMTXATTRS_UNSPECIFIED); + } + } else { + bd.des1 = 0; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + } + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + +diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c +index 9c7035b..0db9aaf 100644 +--- a/hw/net/imx_fec.c ++++ b/hw/net/imx_fec.c +@@ -387,19 +387,22 @@ static void imx_phy_write(IMXFECState *s, int reg, uint32_t val) + + static void imx_fec_read_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_fec_read_bd(addr, bd->flags, bd->length, bd->data); + } + + static void imx_fec_write_bd(IMXFECBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + } + + static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_read(&address_space_memory, addr, bd, sizeof(*bd), ++ MEMTXATTRS_UNSPECIFIED); + + trace_imx_enet_read_bd(addr, bd->flags, bd->length, bd->data, + bd->option, bd->status); +@@ -407,7 +410,8 @@ static void imx_enet_read_bd(IMXENETBufDesc *bd, dma_addr_t addr) + + static void imx_enet_write_bd(IMXENETBufDesc *bd, dma_addr_t addr) + { +- dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd)); ++ dma_memory_write(&address_space_memory, addr, bd, sizeof(*bd), ++ 
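Review bot: All five `dma_memory_write()` calls in `ftgmac100_receive` drop their result, while `ftgmac100_do_tx` in the same file treats a failed `dma_memory_read()` as a bus error and sets `s->isr |= FTGMAC100_INT_AHB_ERR;`. A receive buffer address taken from a guest descriptor that cannot be written is therefore reported to the guest as a successfully delivered frame. I would wrap the writes the same way, `if (dma_memory_write(..., MEMTXATTRS_UNSPECIFIED)) { s->isr |= FTGMAC100_INT_AHB_ERR; }`, assuming the hardware signals the error on the receive side as well. `imx_fec_receive` and `imx_enet_receive` further down discard the result in the same manner; the function body here begins and ends outside the hunk.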
MEMTXATTRS_UNSPECIFIED); + } + + static void imx_eth_update(IMXFECState *s) +@@ -474,7 +478,8 @@ static void imx_fec_do_tx(IMXFECState *s) + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -555,7 +560,8 @@ static void imx_enet_do_tx(IMXFECState *s, uint32_t index) + len = ENET_MAX_FRAME_SIZE - frame_size; + s->regs[ENET_EIR] |= ENET_INT_BABT; + } +- dma_memory_read(&address_space_memory, bd.data, ptr, len); ++ dma_memory_read(&address_space_memory, bd.data, ptr, len, ++ MEMTXATTRS_UNSPECIFIED); + ptr += len; + frame_size += len; + if (bd.flags & ENET_BD_L) { +@@ -1103,11 +1109,12 @@ static ssize_t imx_fec_receive(NetClientState *nc, const uint8_t *buf, + buf_len += size - 4; + } + buf_addr = bd.data; +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +@@ -1210,8 +1217,8 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, + */ + const uint8_t zeros[2] = { 0 }; + +- dma_memory_write(&address_space_memory, buf_addr, +- zeros, sizeof(zeros)); ++ dma_memory_write(&address_space_memory, buf_addr, zeros, ++ sizeof(zeros), MEMTXATTRS_UNSPECIFIED); + + buf_addr += sizeof(zeros); + buf_len -= sizeof(zeros); +@@ -1220,11 +1227,12 @@ static ssize_t imx_enet_receive(NetClientState *nc, const uint8_t *buf, + shift16 = false; + } + +- dma_memory_write(&address_space_memory, buf_addr, buf, buf_len); ++ dma_memory_write(&address_space_memory, buf_addr, buf, buf_len, ++ 
MEMTXATTRS_UNSPECIFIED); + buf += buf_len; + if (size < 4) { + dma_memory_write(&address_space_memory, buf_addr + buf_len, +- crc_ptr, 4 - size); ++ crc_ptr, 4 - size, MEMTXATTRS_UNSPECIFIED); + crc_ptr += 4 - size; + } + bd.flags &= ~ENET_BD_E; +diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c +index 545b2b7..9a23289 100644 +--- a/hw/net/npcm7xx_emc.c ++++ b/hw/net/npcm7xx_emc.c +@@ -200,7 +200,8 @@ static void emc_update_irq_from_reg_change(NPCM7xxEMCState *emc) + + static int emc_read_tx_desc(dma_addr_t addr, NPCM7xxEMCTxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -221,7 +222,7 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr) + le_desc.status_and_length = cpu_to_le32(desc->status_and_length); + le_desc.ntxdsa = cpu_to_le32(desc->ntxdsa); + if (dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -231,7 +232,8 @@ static int emc_write_tx_desc(const NPCM7xxEMCTxDesc *desc, dma_addr_t addr) + + static int emc_read_rx_desc(dma_addr_t addr, NPCM7xxEMCRxDesc *desc) + { +- if (dma_memory_read(&address_space_memory, addr, desc, sizeof(*desc))) { ++ if (dma_memory_read(&address_space_memory, addr, desc, ++ sizeof(*desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -252,7 +254,7 @@ static int emc_write_rx_desc(const NPCM7xxEMCRxDesc *desc, dma_addr_t addr) + le_desc.reserved = cpu_to_le32(desc->reserved); + le_desc.nrxdsa = cpu_to_le32(desc->nrxdsa); + if 
(dma_memory_write(&address_space_memory, addr, &le_desc, +- sizeof(le_desc))) { ++ sizeof(le_desc), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to write descriptor @ 0x%" + HWADDR_PRIx "\n", __func__, addr); + return -1; +@@ -366,7 +368,8 @@ static void emc_try_send_next_packet(NPCM7xxEMCState *emc) + buf = malloced_buf; + } + +- if (dma_memory_read(&address_space_memory, next_buf_addr, buf, length)) { ++ if (dma_memory_read(&address_space_memory, next_buf_addr, buf, ++ length, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to read packet @ 0x%x\n", + __func__, next_buf_addr); + emc_set_mista(emc, REG_MISTA_TXBERR); +@@ -551,10 +554,11 @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1) + + buf_addr = rx_desc.rxbsa; + emc->regs[REG_CRXBSA] = buf_addr; +- if (dma_memory_write(&address_space_memory, buf_addr, buf, len) || ++ if (dma_memory_write(&address_space_memory, buf_addr, buf, ++ len, MEMTXATTRS_UNSPECIFIED) || + (!(emc->regs[REG_MCMDR] & REG_MCMDR_SPCRC) && +- dma_memory_write(&address_space_memory, buf_addr + len, crc_ptr, +- 4))) { ++ dma_memory_write(&address_space_memory, buf_addr + len, ++ crc_ptr, 4, MEMTXATTRS_UNSPECIFIED))) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: Bus error writing packet\n", + __func__); + emc_set_mista(emc, REG_MISTA_RXBERR); +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index f7803fe..9b91b15 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -357,7 +357,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + dma_addr = s->dma_addr; + s->dma_addr = 0; + +- if (dma_memory_read(s->dma_as, dma_addr, &dma, sizeof(dma))) { ++ if (dma_memory_read(s->dma_as, dma_addr, ++ &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), + FW_CFG_DMA_CTL_ERROR); + return; +@@ -419,7 +420,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + */ + if (read) { + if (dma_memory_write(s->dma_as, 
dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } + } +@@ -427,7 +429,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (!e->allow_write || + len != dma.length || + dma_memory_read(s->dma_as, dma.address, +- &e->data[s->cur_offset], len)) { ++ &e->data[s->cur_offset], len, ++ MEMTXATTRS_UNSPECIFIED)) { + dma.control |= FW_CFG_DMA_CTL_ERROR; + } else if (e->write_cb) { + e->write_cb(e->callback_opaque, s->cur_offset, len); +diff --git a/hw/pci-host/pnv_phb3.c b/hw/pci-host/pnv_phb3.c +index 9c4451c..c6e7871 100644 +--- a/hw/pci-host/pnv_phb3.c ++++ b/hw/pci-host/pnv_phb3.c +@@ -715,7 +715,8 @@ static bool pnv_phb3_resolve_pe(PnvPhb3DMASpace *ds) + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr += 2 * ((bus_num << 8) | ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... 
*/ + return false; +@@ -794,7 +795,7 @@ static void pnv_phb3_translate_tve(PnvPhb3DMASpace *ds, hwaddr addr, + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb3_error(phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +diff --git a/hw/pci-host/pnv_phb3_msi.c b/hw/pci-host/pnv_phb3_msi.c +index 099d209..8bcbc2c 100644 +--- a/hw/pci-host/pnv_phb3_msi.c ++++ b/hw/pci-host/pnv_phb3_msi.c +@@ -53,7 +53,8 @@ static bool phb3_msi_read_ive(PnvPHB3 *phb, int srcno, uint64_t *out_ive) + return false; + } + +- if (dma_memory_read(&address_space_memory, ive_addr, &ive, sizeof(ive))) { ++ if (dma_memory_read(&address_space_memory, ive_addr, ++ &ive, sizeof(ive), MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, "Failed to read IVE at 0x%" PRIx64, + ive_addr); + return false; +@@ -73,7 +74,8 @@ static void phb3_msi_set_p(Phb3MsiState *msi, int srcno, uint8_t gen) + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 4, &p, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 4, ++ &p, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set P) at 0x%" PRIx64, ive_addr); + } +@@ -89,7 +91,8 @@ static void phb3_msi_set_q(Phb3MsiState *msi, int srcno) + return; + } + +- if (dma_memory_write(&address_space_memory, ive_addr + 5, &q, 1)) { ++ if (dma_memory_write(&address_space_memory, ive_addr + 5, ++ &q, 1, MEMTXATTRS_UNSPECIFIED)) { + qemu_log_mask(LOG_GUEST_ERROR, + "Failed to write IVE (set Q) at 0x%" PRIx64, ive_addr); + } +diff --git a/hw/pci-host/pnv_phb4.c b/hw/pci-host/pnv_phb4.c +index 40b7932..1fbf732 100644 +--- a/hw/pci-host/pnv_phb4.c ++++ b/hw/pci-host/pnv_phb4.c +@@ -891,7 +891,8 @@ static bool pnv_phb4_resolve_pe(PnvPhb4DMASpace *ds) + bus_num = pci_bus_num(ds->bus); + addr = rtt & PHB_RTT_BASE_ADDRESS_MASK; + addr 
+= 2 * PCI_BUILD_BDF(bus_num, ds->devfn); +- if (dma_memory_read(&address_space_memory, addr, &rte, sizeof(rte))) { ++ if (dma_memory_read(&address_space_memory, addr, &rte, ++ sizeof(rte), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read RTT entry at 0x%"PRIx64, addr); + /* Set error bits ? fence ? ... */ + return false; +@@ -961,7 +962,7 @@ static void pnv_phb4_translate_tve(PnvPhb4DMASpace *ds, hwaddr addr, + /* Grab the TCE address */ + taddr = base | (((addr >> sh) & ((1ul << tbl_shift) - 1)) << 3); + if (dma_memory_read(&address_space_memory, taddr, &tce, +- sizeof(tce))) { ++ sizeof(tce), MEMTXATTRS_UNSPECIFIED)) { + phb_error(ds->phb, "Failed to read TCE at 0x%"PRIx64, taddr); + return; + } +diff --git a/hw/sd/allwinner-sdhost.c b/hw/sd/allwinner-sdhost.c +index 9166d66..de5bc49 100644 +--- a/hw/sd/allwinner-sdhost.c ++++ b/hw/sd/allwinner-sdhost.c +@@ -311,7 +311,8 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s, + uint8_t buf[1024]; + + /* Read descriptor */ +- dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_read(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + if (desc->size == 0) { + desc->size = klass->max_desc_size; + } else if (desc->size > klass->max_desc_size) { +@@ -337,23 +338,24 @@ static uint32_t allwinner_sdhost_process_desc(AwSdHostState *s, + /* Write to SD bus */ + if (is_write) { + dma_memory_read(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, buf, buf_bytes); + + /* Read from SD bus */ + } else { + sdbus_read_data(&s->sdbus, buf, buf_bytes); + dma_memory_write(&s->dma_as, +- (desc->addr & DESC_SIZE_MASK) + num_done, +- buf, buf_bytes); ++ (desc->addr & DESC_SIZE_MASK) + num_done, buf, ++ buf_bytes, MEMTXATTRS_UNSPECIFIED); + } + num_done += buf_bytes; + } + + /* Clear hold flag and flush descriptor */ + 
desc->status &= ~DESC_STATUS_HOLD; +- dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc)); ++ dma_memory_write(&s->dma_as, desc_addr, desc, sizeof(*desc), ++ MEMTXATTRS_UNSPECIFIED); + + return num_done; + } +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index c9dc065..e0bbc90 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -616,8 +616,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + s->blkcnt--; + } + } +- dma_memory_write(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_write(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -637,8 +637,8 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + s->data_count = block_size; + boundary_count -= block_size - begin; + } +- dma_memory_read(s->dma_as, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count - begin); ++ dma_memory_read(s->dma_as, s->sdmasysad, &s->fifo_buffer[begin], ++ s->data_count - begin, MEMTXATTRS_UNSPECIFIED); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +@@ -670,9 +670,11 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s) + + if (s->trnmod & SDHC_TRNS_READ) { + sdbus_read_data(&s->sdbus, s->fifo_buffer, datacnt); +- dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_write(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + } else { +- dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt); ++ dma_memory_read(s->dma_as, s->sdmasysad, s->fifo_buffer, datacnt, ++ MEMTXATTRS_UNSPECIFIED); + sdbus_write_data(&s->sdbus, s->fifo_buffer, datacnt); + } + s->blkcnt--; +@@ -694,7 +696,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + hwaddr entry_addr = (hwaddr)s->admasysaddr; + switch 
(SDHC_DMA_TYPE(s->hostctl1)) { + case SDHC_CTRL_ADMA2_32: +- dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2)); ++ dma_memory_read(s->dma_as, entry_addr, &adma2, sizeof(adma2), ++ MEMTXATTRS_UNSPECIFIED); + adma2 = le64_to_cpu(adma2); + /* The spec does not specify endianness of descriptor table. + * We currently assume that it is LE. +@@ -705,7 +708,8 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + dscr->incr = 8; + break; + case SDHC_CTRL_ADMA1_32: +- dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1)); ++ dma_memory_read(s->dma_as, entry_addr, &adma1, sizeof(adma1), ++ MEMTXATTRS_UNSPECIFIED); + adma1 = le32_to_cpu(adma1); + dscr->addr = (hwaddr)(adma1 & 0xFFFFF000); + dscr->attr = (uint8_t)extract32(adma1, 0, 7); +@@ -717,10 +721,13 @@ static void get_adma_description(SDHCIState *s, ADMADescr *dscr) + } + break; + case SDHC_CTRL_ADMA2_64: +- dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1); +- dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2); ++ dma_memory_read(s->dma_as, entry_addr, &dscr->attr, 1, ++ MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(s->dma_as, entry_addr + 2, &dscr->length, 2, ++ MEMTXATTRS_UNSPECIFIED); + dscr->length = le16_to_cpu(dscr->length); +- dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8); ++ dma_memory_read(s->dma_as, entry_addr + 4, &dscr->addr, 8, ++ MEMTXATTRS_UNSPECIFIED); + dscr->addr = le64_to_cpu(dscr->addr); + dscr->attr &= (uint8_t) ~0xC0; + dscr->incr = 12; +@@ -785,7 +792,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_write(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + s->data_count = 0; +@@ -810,7 +818,8 @@ static void sdhci_do_adma(SDHCIState *s) + } + dma_memory_read(s->dma_as, dscr.addr, + &s->fifo_buffer[begin], +- s->data_count - begin); ++ s->data_count - begin, ++ 
MEMTXATTRS_UNSPECIFIED); + dscr.addr += s->data_count - begin; + if (s->data_count == block_size) { + sdbus_write_data(&s->sdbus, s->fifo_buffer, block_size); +diff --git a/hw/usb/hcd-dwc2.c b/hw/usb/hcd-dwc2.c +index e1d96ac..8755e9c 100644 +--- a/hw/usb/hcd-dwc2.c ++++ b/hw/usb/hcd-dwc2.c +@@ -272,8 +272,8 @@ static void dwc2_handle_packet(DWC2State *s, uint32_t devadr, USBDevice *dev, + + if (pid != USB_TOKEN_IN) { + trace_usb_dwc2_memory_read(hcdma, tlen); +- if (dma_memory_read(&s->dma_as, hcdma, +- s->usb_buf[chan], tlen) != MEMTX_OK) { ++ if (dma_memory_read(&s->dma_as, hcdma, s->usb_buf[chan], tlen, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_read failed\n", + __func__); + } +@@ -328,8 +328,8 @@ babble: + + if (pid == USB_TOKEN_IN) { + trace_usb_dwc2_memory_write(hcdma, actual); +- if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], +- actual) != MEMTX_OK) { ++ if (dma_memory_write(&s->dma_as, hcdma, s->usb_buf[chan], actual, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: dma_memory_write failed\n", + __func__); + } +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 6caa7ac..33a8a37 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -383,7 +383,8 @@ static inline int get_dwords(EHCIState *ehci, uint32_t addr, + } + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- dma_memory_read(ehci->as, addr, buf, sizeof(*buf)); ++ dma_memory_read(ehci->as, addr, buf, sizeof(*buf), ++ MEMTXATTRS_UNSPECIFIED); + *buf = le32_to_cpu(*buf); + } + +@@ -405,7 +406,8 @@ static inline int put_dwords(EHCIState *ehci, uint32_t addr, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp)); ++ dma_memory_write(ehci->as, addr, &tmp, sizeof(tmp), ++ MEMTXATTRS_UNSPECIFIED); + } + + return num; +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 56e2315..a93d6b2 100644 
+--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -452,7 +452,8 @@ static inline int get_dwords(OHCIState *ohci, + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le32_to_cpu(*buf); +@@ -471,7 +472,8 @@ static inline int put_dwords(OHCIState *ohci, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint32_t tmp = cpu_to_le32(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -488,7 +490,8 @@ static inline int get_words(OHCIState *ohci, + addr += ohci->localmem_base; + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { +- if (dma_memory_read(ohci->as, addr, buf, sizeof(*buf))) { ++ if (dma_memory_read(ohci->as, addr, ++ buf, sizeof(*buf), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + *buf = le16_to_cpu(*buf); +@@ -507,7 +510,8 @@ static inline int put_words(OHCIState *ohci, + + for (i = 0; i < num; i++, buf++, addr += sizeof(*buf)) { + uint16_t tmp = cpu_to_le16(*buf); +- if (dma_memory_write(ohci->as, addr, &tmp, sizeof(tmp))) { ++ if (dma_memory_write(ohci->as, addr, ++ &tmp, sizeof(tmp), MEMTXATTRS_UNSPECIFIED)) { + return -1; + } + } +@@ -537,8 +541,8 @@ static inline int ohci_read_iso_td(OHCIState *ohci, + static inline int ohci_read_hcca(OHCIState *ohci, + dma_addr_t addr, struct ohci_hcca *hcca) + { +- return dma_memory_read(ohci->as, addr + ohci->localmem_base, +- hcca, sizeof(*hcca)); ++ return dma_memory_read(ohci->as, addr + ohci->localmem_base, hcca, ++ sizeof(*hcca), MEMTXATTRS_UNSPECIFIED); + } + + static inline int ohci_put_ed(OHCIState *ohci, +@@ -572,7 +576,7 @@ static inline int ohci_put_hcca(OHCIState *ohci, + return dma_memory_write(ohci->as, + addr + ohci->localmem_base + 
HCCA_WRITEBACK_OFFSET, + (char *)hcca + HCCA_WRITEBACK_OFFSET, +- HCCA_WRITEBACK_SIZE); ++ HCCA_WRITEBACK_SIZE, MEMTXATTRS_UNSPECIFIED); + } + + /* Read/Write the contents of a TD from/to main memory. */ +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index e017000..ed2b9ea 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -487,7 +487,7 @@ static inline void xhci_dma_read_u32s(XHCIState *xhci, dma_addr_t addr, + + assert((len % sizeof(uint32_t)) == 0); + +- dma_memory_read(xhci->as, addr, buf, len); ++ dma_memory_read(xhci->as, addr, buf, len, MEMTXATTRS_UNSPECIFIED); + + for (i = 0; i < (len / sizeof(uint32_t)); i++) { + buf[i] = le32_to_cpu(buf[i]); +@@ -507,7 +507,7 @@ static inline void xhci_dma_write_u32s(XHCIState *xhci, dma_addr_t addr, + for (i = 0; i < n; i++) { + tmp[i] = cpu_to_le32(buf[i]); + } +- dma_memory_write(xhci->as, addr, tmp, len); ++ dma_memory_write(xhci->as, addr, tmp, len, MEMTXATTRS_UNSPECIFIED); + } + + static XHCIPort *xhci_lookup_port(XHCIState *xhci, struct USBPort *uport) +@@ -618,7 +618,7 @@ static void xhci_write_event(XHCIState *xhci, XHCIEvent *event, int v) + ev_trb.status, ev_trb.control); + + addr = intr->er_start + TRB_SIZE*intr->er_ep_idx; +- dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE); ++ dma_memory_write(xhci->as, addr, &ev_trb, TRB_SIZE, MEMTXATTRS_UNSPECIFIED); + + intr->er_ep_idx++; + if (intr->er_ep_idx >= intr->er_size) { +@@ -679,7 +679,8 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE); ++ dma_memory_read(xhci->as, ring->dequeue, trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + trb->addr = ring->dequeue; + trb->ccs = ring->ccs; + le64_to_cpus(&trb->parameter); +@@ -726,7 +727,8 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + + while (1) { + TRBType type; +- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE); ++ dma_memory_read(xhci->as, dequeue, 
&trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED); + le64_to_cpus(&trb.parameter); + le32_to_cpus(&trb.status); + le32_to_cpus(&trb.control); +@@ -781,7 +783,8 @@ static void xhci_er_reset(XHCIState *xhci, int v) + xhci_die(xhci); + return; + } +- dma_memory_read(xhci->as, erstba, &seg, sizeof(seg)); ++ dma_memory_read(xhci->as, erstba, &seg, sizeof(seg), ++ MEMTXATTRS_UNSPECIFIED); + le32_to_cpus(&seg.addr_low); + le32_to_cpus(&seg.addr_high); + le32_to_cpus(&seg.size); +@@ -2397,7 +2400,8 @@ static TRBCCode xhci_get_port_bandwidth(XHCIState *xhci, uint64_t pctx) + /* TODO: actually implement real values here */ + bw_ctx[0] = 0; + memset(&bw_ctx[1], 80, xhci->numports); /* 80% */ +- dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx)); ++ dma_memory_write(xhci->as, ctx, bw_ctx, sizeof(bw_ctx), ++ MEMTXATTRS_UNSPECIFIED); + + return CC_SUCCESS; + } +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index c90e74a..5d2ea8e 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -97,14 +97,16 @@ static inline bool spapr_vio_dma_valid(SpaprVioDevice *dev, uint64_t taddr, + static inline int spapr_vio_dma_read(SpaprVioDevice *dev, uint64_t taddr, + void *buf, uint32_t size) + { +- return (dma_memory_read(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_read(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? + H_DEST_PARM : H_SUCCESS; + } + + static inline int spapr_vio_dma_write(SpaprVioDevice *dev, uint64_t taddr, + const void *buf, uint32_t size) + { +- return (dma_memory_write(&dev->as, taddr, buf, size) != 0) ? ++ return (dma_memory_write(&dev->as, taddr, ++ buf, size, MEMTXATTRS_UNSPECIFIED) != 0) ? 
+ H_DEST_PARM : H_SUCCESS; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index e8ad422..522682b 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -143,12 +143,14 @@ static inline MemTxResult dma_memory_rw(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: length of the data transferred ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, +- void *buf, dma_addr_t len) ++ void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, buf, len, +- DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_TO_DEVICE, attrs); + } + + /** +@@ -162,12 +164,14 @@ static inline MemTxResult dma_memory_read(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @buf: buffer with the data transferred + * @len: the number of bytes to write ++ * @attrs: memory transaction attributes + */ + static inline MemTxResult dma_memory_write(AddressSpace *as, dma_addr_t addr, +- const void *buf, dma_addr_t len) ++ const void *buf, dma_addr_t len, ++ MemTxAttrs attrs) + { + return dma_memory_rw(as, addr, (void *)buf, len, +- DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); ++ DMA_DIRECTION_FROM_DEVICE, attrs); + } + + /** +@@ -239,7 +243,7 @@ static inline void dma_memory_unmap(AddressSpace *as, + dma_addr_t addr) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -247,20 +251,20 @@ static inline void dma_memory_unmap(AddressSpace *as, + uint##_bits##_t val) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, 
MEMTXATTRS_UNSPECIFIED); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1); ++ dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + return val; + } + + static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) + { +- dma_memory_write(as, addr, &val, 1); ++ dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch new file mode 100644 index 0000000000..1cc4e9e35c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch 
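Review bot: `ldub_dma` returns `val` even when `dma_memory_read()` fails, and `val` has no initializer, so a failed read may hand an indeterminate host stack byte back to the device model and from there to the guest. The load helper generated by `DEFINE_LDST_DMA` in the preceding hunk has the same shape with `uint##_bits##_t val;`. As long as these helpers do not return the `MemTxResult`, I would initialise the locals, `uint8_t val = 0;` and `uint##_bits##_t val = 0; \`, so the failure value is at least deterministic.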
@@ -0,0 +1,86 @@ +From ee8ba2dbb046f48457566b64ad95bf0440d2513e Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 07/21] target/ppc: Update float_invalid_op_mul for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vximz and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=4edf55698fc2ea30903657c63ed95db0d5548943] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-10-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 26 ++++++++++---------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index f0deada84b..23264e6528 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -486,13 +486,12 @@ float64 helper_fsub(CPUPPCState *env, float64 arg1, float64 arg2) + return ret; + } + +-static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_mul(CPUPPCState *env, int flags, ++ bool set_fprc, uintptr_t retaddr) + { +- if ((classes & (is_zero | is_inf)) == (is_zero | is_inf)) { +- /* Multiplication of zero by infinity */ ++ if (flags & float_flag_invalid_imz) { + float_invalid_op_vximz(env, set_fprc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -501,12 +500,10 @@ static void float_invalid_op_mul(CPUPPCState *env, bool set_fprc, + float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_mul(arg1, arg2, &env->fp_status); +- int status = 
get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status & float_flag_invalid)) { +- float_invalid_op_mul(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_mul(env, flags, 1, GETPC()); + } + + return ret; +@@ -1687,9 +1684,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_mul(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_mul(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +@@ -1727,9 +1723,7 @@ void helper_xsmulqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_mul(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_mul(env, tstat.float_exception_flags, 1, GETPC()); + } + helper_compute_fprf_float128(env, t.f128); + +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..8dd0476953 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch 
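Review bot: The rewritten `float_invalid_op_mul()` loses its only explanatory comment, and it raises no VX bit when `float_flag_invalid` is set without `float_flag_invalid_imz` or `float_flag_invalid_snan`. Its correctness therefore depends on softfloat setting those sub-flags, which this patch does not show. I would record that above the function, for example `/* flags: softfloat exception flags; relies on softfloat setting float_flag_invalid_imz/_snan */`. As this is patch 07/21 of a backported series, the patches that introduce those flags presumably have to come before it in SRC_URI. The same applies to `float_invalid_op_div()` in 0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch.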
@@ -0,0 +1,227 @@ +From a1d4b0a3051b3079c8db607f519bc0fcb30e17ec Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 3 Sep 2020 11:00:47 +0200 +Subject: [PATCH] dma: Let dma_memory_map() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_memory_map(). + +Patch created mechanically using spatch with this script: + + @@ + expression E1, E2, E3, E4; + @@ + - dma_memory_map(E1, E2, E3, E4) + + dma_memory_map(E1, E2, E3, E4, MEMTXATTRS_UNSPECIFIED) + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a1d4b0a3051b3079c8db607f519bc0fcb30e17ec] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Acked-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20211223115554.3155328-7-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/display/virtio-gpu.c | 10 ++++++---- + hw/hyperv/vmbus.c | 8 +++++--- + hw/ide/ahci.c | 8 +++++--- + hw/usb/libhw.c | 3 ++- + hw/virtio/virtio.c | 6 ++++-- + include/hw/pci/pci.h | 3 ++- + include/sysemu/dma.h | 5 +++-- + softmmu/dma-helpers.c | 3 ++- + 8 files changed, 29 insertions(+), 17 deletions(-) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index d78b970..c6dc818 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -814,8 +814,9 @@ int virtio_gpu_create_mapping_iov(VirtIOGPU *g, + + do { + len = l; +- map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- a, &len, DMA_DIRECTION_TO_DEVICE); ++ map = dma_memory_map(VIRTIO_DEVICE(g)->dma_as, a, &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!map) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map MMIO memory for" 
+ " element %d\n", __func__, e); +@@ -1252,8 +1253,9 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, + for (i = 0; i < res->iov_cnt; i++) { + hwaddr len = res->iov[i].iov_len; + res->iov[i].iov_base = +- dma_memory_map(VIRTIO_DEVICE(g)->dma_as, +- res->addrs[i], &len, DMA_DIRECTION_TO_DEVICE); ++ dma_memory_map(VIRTIO_DEVICE(g)->dma_as, res->addrs[i], &len, ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + + if (!res->iov[i].iov_base || len != res->iov[i].iov_len) { + /* Clean up the half-a-mapping we just created... */ +diff --git a/hw/hyperv/vmbus.c b/hw/hyperv/vmbus.c +index dbce3b3..8aad29f 100644 +--- a/hw/hyperv/vmbus.c ++++ b/hw/hyperv/vmbus.c +@@ -373,7 +373,8 @@ static ssize_t gpadl_iter_io(GpadlIter *iter, void *buf, uint32_t len) + + maddr = (iter->gpadl->gfns[idx] << TARGET_PAGE_BITS) | off_in_page; + +- iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir); ++ iter->map = dma_memory_map(iter->as, maddr, &mlen, iter->dir, ++ MEMTXATTRS_UNSPECIFIED); + if (mlen != pgleft) { + dma_memory_unmap(iter->as, iter->map, mlen, iter->dir, 0); + iter->map = NULL; +@@ -490,7 +491,8 @@ int vmbus_map_sgl(VMBusChanReq *req, DMADirection dir, struct iovec *iov, + goto err; + } + +- iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir); ++ iov[ret_cnt].iov_base = dma_memory_map(sgl->as, a, &l, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!l) { + ret = -EFAULT; + goto err; +@@ -566,7 +568,7 @@ static vmbus_ring_buffer *ringbuf_map_hdr(VMBusRingBufCommon *ringbuf) + dma_addr_t mlen = sizeof(*rb); + + rb = dma_memory_map(ringbuf->as, ringbuf->rb_addr, &mlen, +- DMA_DIRECTION_FROM_DEVICE); ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (mlen != sizeof(*rb)) { + dma_memory_unmap(ringbuf->as, rb, mlen, + DMA_DIRECTION_FROM_DEVICE, 0); +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index a94c6e2..8e77ddb 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -249,7 +249,8 @@ static void map_page(AddressSpace *as, uint8_t **ptr, 
uint64_t addr, + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + } + +- *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE); ++ *ptr = dma_memory_map(as, addr, &len, DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (len < wanted && *ptr) { + dma_memory_unmap(as, *ptr, len, DMA_DIRECTION_FROM_DEVICE, len); + *ptr = NULL; +@@ -939,7 +940,8 @@ static int ahci_populate_sglist(AHCIDevice *ad, QEMUSGList *sglist, + + /* map PRDT */ + if (!(prdt = dma_memory_map(ad->hba->as, prdt_addr, &prdt_len, +- DMA_DIRECTION_TO_DEVICE))){ ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED))){ + trace_ahci_populate_sglist_no_map(ad->hba, ad->port_no); + return -1; + } +@@ -1301,7 +1303,7 @@ static int handle_cmd(AHCIState *s, int port, uint8_t slot) + tbl_addr = le64_to_cpu(cmd->tbl_addr); + cmd_len = 0x80; + cmd_fis = dma_memory_map(s->as, tbl_addr, &cmd_len, +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + if (!cmd_fis) { + trace_handle_cmd_badfis(s, port); + return -1; +diff --git a/hw/usb/libhw.c b/hw/usb/libhw.c +index 9c33a16..f350eae 100644 +--- a/hw/usb/libhw.c ++++ b/hw/usb/libhw.c +@@ -36,7 +36,8 @@ int usb_packet_map(USBPacket *p, QEMUSGList *sgl) + + while (len) { + dma_addr_t xlen = len; +- mem = dma_memory_map(sgl->as, base, &xlen, dir); ++ mem = dma_memory_map(sgl->as, base, &xlen, dir, ++ MEMTXATTRS_UNSPECIFIED); + if (!mem) { + goto err; + } +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index ea7c079..e11a8a0d 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1306,7 +1306,8 @@ static bool virtqueue_map_desc(VirtIODevice *vdev, unsigned int *p_num_sg, + iov[num_sg].iov_base = dma_memory_map(vdev->dma_as, pa, &len, + is_write ? 
+ DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!iov[num_sg].iov_base) { + virtio_error(vdev, "virtio: bogus descriptor or out of resources"); + goto out; +@@ -1355,7 +1356,8 @@ static void virtqueue_map_iovec(VirtIODevice *vdev, struct iovec *sg, + sg[i].iov_base = dma_memory_map(vdev->dma_as, + addr[i], &len, is_write ? + DMA_DIRECTION_FROM_DEVICE : +- DMA_DIRECTION_TO_DEVICE); ++ DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + if (!sg[i].iov_base) { + error_report("virtio: error trying to map MMIO memory"); + exit(1); +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 4383f1c..1acefc2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -875,7 +875,8 @@ static inline void *pci_dma_map(PCIDevice *dev, dma_addr_t addr, + { + void *buf; + +- buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir); ++ buf = dma_memory_map(pci_get_address_space(dev), addr, plen, dir, ++ MEMTXATTRS_UNSPECIFIED); + return buf; + } + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 522682b..97ff6f2 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -202,16 +202,17 @@ MemTxResult dma_memory_set(AddressSpace *as, dma_addr_t addr, + * @addr: address within that address space + * @len: pointer to length of buffer; updated on return + * @dir: indicates the transfer direction ++ * @attrs: memory attributes + */ + static inline void *dma_memory_map(AddressSpace *as, + dma_addr_t addr, dma_addr_t *len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + hwaddr xlen = *len; + void *p; + + p = address_space_map(as, addr, &xlen, dir == DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + *len = xlen; + return p; + } +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 5bf76ff..3c06a2f 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -143,7 +143,8 @@ static void dma_blk_cb(void *opaque, 
int ret) + while (dbs->sg_cur_index < dbs->sg->nsg) { + cur_addr = dbs->sg->sg[dbs->sg_cur_index].base + dbs->sg_cur_byte; + cur_len = dbs->sg->sg[dbs->sg_cur_index].len - dbs->sg_cur_byte; +- mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir); ++ mem = dma_memory_map(dbs->sg->as, cur_addr, &cur_len, dbs->dir, ++ MEMTXATTRS_UNSPECIFIED); + /* + * Make reads deterministic in icount mode. Windows sometimes issues + * disk read requests with overlapping SGs. It leads +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch new file mode 100644 index 0000000000..cb657eefd5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch 
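Review bot: The patch header carries `CVE: CVE-2021-3611`, but nothing in the patch changes behaviour. Every converted call site passes `MEMTXATTRS_UNSPECIFIED`, and `dma_memory_map()` in include/sysemu/dma.h only forwards `attrs` to `address_space_map()`, where that same constant was hard-coded before. Someone auditing CVE coverage could take this patch for the fix, so I would add a line to the description such as `Preparatory API change for CVE-2021-3611; no functional change on its own.` The patch that actually sets restrictive attributes is presumably elsewhere in the series and must be applied with it. The same holds for 0008_have_dma_buf_rw_function_take_a_void_pointer.patch, 0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch and 0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch.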
@@ -0,0 +1,99 @@ +From a13c0819ef14120a0e30077fcc6a7470409fa732 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:14 +0100 +Subject: [PATCH 08/21] target/ppc: Update float_invalid_op_div for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vxidi, vxzdz, and vxsnan are computed directly by +softfloat, we don't need to recompute it via classes. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=c07f82416cb7973c64d1e21c09957182b4b033dc] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-11-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 38 ++++++++++++++------------------------ + 1 file changed, 14 insertions(+), 24 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 23264e6528..2ab34236a3 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -509,17 +509,14 @@ float64 helper_fmul(CPUPPCState *env, float64 arg1, float64 arg2) + return ret; + } + +-static void float_invalid_op_div(CPUPPCState *env, bool set_fprc, +- uintptr_t retaddr, int classes) ++static void float_invalid_op_div(CPUPPCState *env, int flags, ++ bool set_fprc, uintptr_t retaddr) + { +- classes &= ~is_neg; +- if (classes == is_inf) { +- /* Division of infinity by infinity */ ++ if (flags & float_flag_invalid_idi) { + float_invalid_op_vxidi(env, set_fprc, retaddr); +- } else if (classes == is_zero) { +- /* Division of zero by zero */ ++ } else if (flags & float_flag_invalid_zdz) { + float_invalid_op_vxzdz(env, set_fprc, retaddr); +- } else if (classes & is_snan) { ++ } else if (flags & float_flag_invalid_snan) { + float_invalid_op_vxsnan(env, retaddr); + } + } +@@ -528,17 +525,13 @@ static void float_invalid_op_div(CPUPPCState *env, 
bool set_fprc, + float64 helper_fdiv(CPUPPCState *env, float64 arg1, float64 arg2) + { + float64 ret = float64_div(arg1, arg2, &env->fp_status); +- int status = get_float_exception_flags(&env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); + +- if (unlikely(status)) { +- if (status & float_flag_invalid) { +- float_invalid_op_div(env, 1, GETPC(), +- float64_classify(arg1) | +- float64_classify(arg2)); +- } +- if (status & float_flag_divbyzero) { +- float_zero_divide_excp(env, GETPC()); +- } ++ if (unlikely(flags & float_flag_invalid)) { ++ float_invalid_op_div(env, flags, 1, GETPC()); ++ } ++ if (unlikely(flags & float_flag_divbyzero)) { ++ float_zero_divide_excp(env, GETPC()); + } + + return ret; +@@ -1755,9 +1748,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- float_invalid_op_div(env, sfprf, GETPC(), \ +- tp##_classify(xa->fld) | \ +- tp##_classify(xb->fld)); \ ++ float_invalid_op_div(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) { \ + float_zero_divide_excp(env, GETPC()); \ +@@ -1798,9 +1790,7 @@ void helper_xsdivqp(CPUPPCState *env, uint32_t opcode, + env->fp_status.float_exception_flags |= tstat.float_exception_flags; + + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { +- float_invalid_op_div(env, 1, GETPC(), +- float128_classify(xa->f128) | +- float128_classify(xb->f128)); ++ float_invalid_op_div(env, tstat.float_exception_flags, 1, GETPC()); + } + if (unlikely(tstat.float_exception_flags & float_flag_divbyzero)) { + float_zero_divide_excp(env, GETPC()); +-- +2.17.1 + 
diff --git a/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch new file mode 100644 index 0000000000..0876ef184d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch @@ -0,0 +1,41 @@ +From c0ee1527358474c75067993d1bb233ad3a4ee081 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 16 Dec 2021 11:24:56 +0100 +Subject: [PATCH] dma: Have dma_buf_rw() take a void pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_rw() to take a void pointer argument +to save us pointless casts to uint8_t *. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=c0ee1527358474c75067993d1bb233ad3a4ee081] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-8-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + softmmu/dma-helpers.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 3c06a2f..09e2999 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,9 +294,10 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(uint8_t *ptr, int32_t len, QEMUSGList *sg, ++static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + DMADirection dir) + { ++ uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; + +-- +1.8.3.1 
diff --git a/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch b/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
new file mode 100644
index 0000000000..2e723582b7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
@@ -0,0 +1,102 @@ +From ce768160ee1ee9673d60e800389c41b3c707411a Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:15 +0100 +Subject: [PATCH 09/21] target/ppc: Update fmadd for new flags +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Now that vximz, vxisi, and vxsnan are computed directly by +softfloat, we don't need to recompute it. This replaces the +separate float{32,64}_maddsub_update_excp functions with a +single float_invalid_op_madd function. + +Fix VSX_MADD by passing sfprf to float_invalid_op_madd, +whereas the previous *_maddsub_update_excp assumed it true. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e4052bb773cc829a27786d68caa22f28cff19d39] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-19-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 46 ++++++++++------------------------------- + 1 file changed, 11 insertions(+), 35 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 2ab34236a3..3b1cb25666 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -639,38 +639,15 @@ uint64_t helper_frim(CPUPPCState *env, uint64_t arg) + return do_fri(env, arg, float_round_down); + } + +-#define FPU_MADDSUB_UPDATE(NAME, TP) \ +-static void NAME(CPUPPCState *env, TP arg1, TP arg2, TP arg3, \ +- unsigned int madd_flags, uintptr_t retaddr) \ +-{ \ +- if (TP##_is_signaling_nan(arg1, &env->fp_status) || \ +- TP##_is_signaling_nan(arg2, &env->fp_status) || \ +- TP##_is_signaling_nan(arg3, &env->fp_status)) { \ +- /* sNaN operation */ \ +- float_invalid_op_vxsnan(env, retaddr); \ +- } \ +- if ((TP##_is_infinity(arg1) && TP##_is_zero(arg2)) || \ +- (TP##_is_zero(arg1) && TP##_is_infinity(arg2))) { \ +- /* 
Multiplication of zero by infinity */ \ +- float_invalid_op_vximz(env, 1, retaddr); \ +- } \ +- if ((TP##_is_infinity(arg1) || TP##_is_infinity(arg2)) && \ +- TP##_is_infinity(arg3)) { \ +- uint8_t aSign, bSign, cSign; \ +- \ +- aSign = TP##_is_neg(arg1); \ +- bSign = TP##_is_neg(arg2); \ +- cSign = TP##_is_neg(arg3); \ +- if (madd_flags & float_muladd_negate_c) { \ +- cSign ^= 1; \ +- } \ +- if (aSign ^ bSign ^ cSign) { \ +- float_invalid_op_vxisi(env, 1, retaddr); \ +- } \ +- } \ ++static void float_invalid_op_madd(CPUPPCState *env, int flags, ++ bool set_fpcc, uintptr_t retaddr) ++{ ++ if (flags & float_flag_invalid_imz) { ++ float_invalid_op_vximz(env, set_fpcc, retaddr); ++ } else { ++ float_invalid_op_addsub(env, flags, set_fpcc, retaddr); ++ } + } +-FPU_MADDSUB_UPDATE(float32_maddsub_update_excp, float32) +-FPU_MADDSUB_UPDATE(float64_maddsub_update_excp, float64) + + #define FPU_FMADD(op, madd_flags) \ + uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ +@@ -682,8 +659,7 @@ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ + flags = get_float_exception_flags(&env->fp_status); \ + if (flags) { \ + if (flags & float_flag_invalid) { \ +- float64_maddsub_update_excp(env, arg1, arg2, arg3, \ +- madd_flags, GETPC()); \ ++ float_invalid_op_madd(env, flags, 1, GETPC()); \ + } \ + do_float_check_status(env, GETPC()); \ + } \ +@@ -2087,8 +2063,8 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ + \ + if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ +- tp##_maddsub_update_excp(env, xa->fld, b->fld, \ +- c->fld, maddflgs, GETPC()); \ ++ float_invalid_op_madd(env, tstat.float_exception_flags, \ ++ sfprf, GETPC()); \ + } \ + \ + if (r2sp) { \ +-- +2.17.1 + 
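Review bot: `float_invalid_op_madd()` calls `float_invalid_op_addsub(env, flags, set_fpcc, retaddr)` with the flags-first argument order, but this patch neither defines nor converts `float_invalid_op_addsub()`. It presumably relies on an earlier patch of the 21-part series, so the backport only builds if that patch precedes it in SRC_URI. The new function also has no comment, and its parameter is named `set_fpcc` while `float_invalid_op_mul()` and `float_invalid_op_div()` in the sibling patches use `set_fprc`. I would add `/* Invalid-op handling for fused multiply-add; everything except inf*zero is delegated to float_invalid_op_addsub() */` above it.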
diff --git a/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
new file mode 100644
index 0000000000..d65e0b4305
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
@@ -0,0 +1,167 @@ +From 5e468a36dcdd8fd5eb04282842b72967a29875e4 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Thu, 16 Dec 2021 11:27:23 +0100 +Subject: [PATCH] dma: Have dma_buf_read() / dma_buf_write() take a void + pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +DMA operations are run on any kind of buffer, not arrays of +uint8_t. Convert dma_buf_read/dma_buf_write functions to take +a void pointer argument and save us pointless casts to uint8_t *. + +Remove this pointless casts in the megasas device model. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=5e468a36dcdd8fd5eb04282842b72967a29875e4] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-9-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/scsi/megasas.c | 22 +++++++++++----------- + include/sysemu/dma.h | 4 ++-- + softmmu/dma-helpers.c | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 14ec6d6..2dae33f 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd) + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd) 
+ info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd) + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd) + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd) + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd) + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd) + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1390,7 +1390,7 @@ 
static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + ld_offset += sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read((uint8_t *)data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd) + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); + return MFI_STAT_OK; + } + +@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 97ff6f2..0d5b836 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,8 +302,8 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk, + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(uint8_t *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 09e2999..7f37548 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -317,12 +317,12 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + return resid; + } + +-uint64_t dma_buf_read(uint8_t *ptr, 
int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); + } + +-uint64_t dma_buf_write(uint8_t *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { + return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); + } +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch b/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch new file mode 100644 index 0000000000..4d19773200 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch 
@@ -0,0 +1,71 @@ +From f024b8937d8b614994b94e86d2240fafcc7d2d73 Mon Sep 17 00:00:00 2001 +From: Richard Henderson <richard.henderson@linaro.org> +Date: Fri, 17 Dec 2021 17:57:15 +0100 +Subject: [PATCH 10/21] target/ppc: Split out do_fmadd +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Create a common function for all of the madd helpers. +Let the compiler tail call or inline as it chooses. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=ffdaff8e9c698061f57a6b1827570562c5a1c909] + +Signed-off-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211119160502.17432-20-richard.henderson@linaro.org> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 3b1cb25666..9a1e7e6244 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -649,23 +649,26 @@ static void float_invalid_op_madd(CPUPPCState *env, int flags, + } + } + +-#define FPU_FMADD(op, madd_flags) \ +-uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ +- uint64_t arg2, uint64_t arg3) \ +-{ \ +- uint32_t flags; \ +- float64 ret = float64_muladd(arg1, arg2, arg3, madd_flags, \ +- &env->fp_status); \ +- flags = get_float_exception_flags(&env->fp_status); \ +- if (flags) { \ +- if (flags & float_flag_invalid) { \ +- float_invalid_op_madd(env, flags, 1, GETPC()); \ +- } \ +- do_float_check_status(env, GETPC()); \ +- } \ +- return ret; \ ++static float64 do_fmadd(CPUPPCState *env, float64 a, float64 b, ++ float64 c, int madd_flags, uintptr_t retaddr) ++{ ++ float64 ret = float64_muladd(a, b, c, madd_flags, &env->fp_status); ++ int flags = get_float_exception_flags(&env->fp_status); ++ ++ if (flags) { ++ if (flags & float_flag_invalid) { ++ 
float_invalid_op_madd(env, flags, 1, retaddr); ++ } ++ do_float_check_status(env, retaddr); ++ } ++ return ret; + } + ++#define FPU_FMADD(op, madd_flags) \ ++ uint64_t helper_##op(CPUPPCState *env, uint64_t arg1, \ ++ uint64_t arg2, uint64_t arg3) \ ++ { return do_fmadd(env, arg1, arg2, arg3, madd_flags, GETPC()); } ++ + #define MADD_FLGS 0 + #define MSUB_FLGS float_muladd_negate_c + #define NMADD_FLGS float_muladd_negate_result +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..8207058aca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch 
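Review bot: `do_fmadd()` has no comment saying that `retaddr` must be the `GETPC()` value taken in the calling helper, and that is the one constraint a later caller of this shared function could break. The `FPU_FMADD` wrappers get it right by evaluating `GETPC()` themselves and passing the result down. I would record the contract above the function, for example `/* retaddr: GETPC() of the calling helper; do not call GETPC() here */`.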
@@ -0,0 +1,91 @@ +From e2d784b67dc724a9b0854b49255ba0ee8ca46543 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 22:18:19 +0100 +Subject: [PATCH] pci: Let pci_dma_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling pci_dma_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=e2d784b67dc724a9b0854b49255ba0ee8ca46543] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-10-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 3 ++- + hw/scsi/esp-pci.c | 2 +- + include/hw/pci/pci.h | 10 ++++++---- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 8ce9df6..fb3d34a 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -427,7 +427,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + dprint(d, 3, "dma: entry %d, pos %d/%d, copy %d\n", + st->be, st->bp, st->bpl[st->be].len, copy); + +- pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output); ++ pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, ++ MEMTXATTRS_UNSPECIFIED); + st->lpib += copy; + st->bp += copy; + buf += copy; +diff --git a/hw/scsi/esp-pci.c b/hw/scsi/esp-pci.c +index dac054a..1792f84 100644 +--- a/hw/scsi/esp-pci.c ++++ b/hw/scsi/esp-pci.c +@@ -280,7 +280,7 @@ static void esp_pci_dma_memory_rw(PCIESPState *pci, uint8_t *buf, int len, + len = pci->dma_regs[DMA_WBC]; + } + +- pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir); ++ pci_dma_rw(PCI_DEVICE(pci), addr, buf, len, dir, MEMTXATTRS_UNSPECIFIED); + + /* update status 
registers */ + pci->dma_regs[DMA_WBC] -= len; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 1acefc2..a751ab5 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -806,10 +806,10 @@ static inline AddressSpace *pci_get_address_space(PCIDevice *dev) + */ + static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + return dma_memory_rw(pci_get_address_space(dev), addr, buf, len, +- dir, MEMTXATTRS_UNSPECIFIED); ++ dir, attrs); + } + + /** +@@ -827,7 +827,8 @@ static inline MemTxResult pci_dma_rw(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, buf, len, DMA_DIRECTION_TO_DEVICE); ++ return pci_dma_rw(dev, addr, buf, len, ++ DMA_DIRECTION_TO_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + /** +@@ -845,7 +846,8 @@ static inline MemTxResult pci_dma_read(PCIDevice *dev, dma_addr_t addr, + static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + const void *buf, dma_addr_t len) + { +- return pci_dma_rw(dev, addr, (void *) buf, len, DMA_DIRECTION_FROM_DEVICE); ++ return pci_dma_rw(dev, addr, (void *) buf, len, ++ DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch b/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch new file mode 100644 index 0000000000..0daae55b99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch 
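Review bot: The `CVE: CVE-2021-3611` tag sits on a patch that changes no behaviour. `pci_dma_rw()` gains a `MemTxAttrs attrs` parameter, but every caller in these hunks (`intel_hda_xfer`, `esp_pci_dma_memory_rw`, `pci_dma_read`, `pci_dma_write`) passes `MEMTXATTRS_UNSPECIFIED`, the value the function hard-coded before. The patch header should say so, for example `Prerequisite for the CVE-2021-3611 fix; no functional change on its own`, so that a recipe carrying only part of the series is not recorded as patched by tooling that keys on the tag. The same applies to the `dma_buf_rw`, `dma_buf_write` and `dma_buf_read` patches further down. Separately, `intel_hda_xfer` and `esp_pci_dma_memory_rw` still discard the returned `MemTxResult` and update `st->lpib`/`st->bp` and `dma_regs[DMA_WBC]` regardless; both functions continue outside the hunks.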
@@ -0,0 +1,93 @@ +From a1821ad612994b95cb6597efd15e0a888676386c Mon Sep 17 00:00:00 2001 +From: Victor Colombo <victor.colombo@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 11/21] target/ppc: Fix xs{max, min}[cj]dp to use VSX registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PPC instruction xsmaxcdp, xsmincdp, xsmaxjdp, and xsminjdp are using +vector registers when they should be using VSX ones. This happens +because the instructions are using GEN_VSX_HELPER_R3, which adds 32 +to the register numbers, effectively making them vector registers. + +This patch fixes it by changing these instructions to use +GEN_VSX_HELPER_X3. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=201fc774e0e1cc76ec23b595968004a7b14fb6e8] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Victor Colombo <victor.colombo@eldorado.org.br> +Message-Id: <20211213120958.24443-2-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 4 ++-- + target/ppc/helper.h | 8 ++++---- + target/ppc/translate/vsx-impl.c.inc | 8 ++++---- + 3 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 9a1e7e6244..ecdcd36a11 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2375,7 +2375,7 @@ VSX_MAX_MIN(xvmindp, minnum, 2, float64, VsrD(i)) + VSX_MAX_MIN(xvminsp, minnum, 4, float32, VsrW(i)) + + #define VSX_MAX_MINC(name, max) \ +-void helper_##name(CPUPPCState *env, uint32_t opcode, \ ++void helper_##name(CPUPPCState *env, \ + ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb) \ + { \ + ppc_vsr_t t = *xt; \ +@@ -2410,7 +2410,7 @@ VSX_MAX_MINC(xsmaxcdp, 1); + VSX_MAX_MINC(xsmincdp, 0); + + #define VSX_MAX_MINJ(name, max) \ +-void helper_##name(CPUPPCState *env, uint32_t opcode, \ ++void 
helper_##name(CPUPPCState *env, \ + ppc_vsr_t *xt, ppc_vsr_t *xa, ppc_vsr_t *xb) \ + { \ + ppc_vsr_t t = *xt; \ +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index 627811cefc..12a3d5f269 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -392,10 +392,10 @@ DEF_HELPER_4(xscmpoqp, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscmpuqp, void, env, i32, vsr, vsr) + DEF_HELPER_4(xsmaxdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xsmindp, void, env, vsr, vsr, vsr) +-DEF_HELPER_5(xsmaxcdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsmincdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsmaxjdp, void, env, i32, vsr, vsr, vsr) +-DEF_HELPER_5(xsminjdp, void, env, i32, vsr, vsr, vsr) ++DEF_HELPER_4(xsmaxcdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsmincdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsmaxjdp, void, env, vsr, vsr, vsr) ++DEF_HELPER_4(xsminjdp, void, env, vsr, vsr, vsr) + DEF_HELPER_3(xscvdphp, void, env, vsr, vsr) + DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr) +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index c0e38060b4..02df75339e 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1098,10 +1098,10 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX) + GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_R3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) +-GEN_VSX_HELPER_R3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) ++GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) + 
GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX) + GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300) +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..4f7276ef8b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch 
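Review bot: The new `GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300)` line keeps the same `0x12` value as the `xsmaxjdp` line above it, while the `GEN_XX3FORM(xsminjdp, 0x00, 0x13, PPC2_ISA300)` table entry visible in the next patch uses `0x13`. The value is carried over unchanged from the removed `GEN_VSX_HELPER_R3` line, and whether the macro reads that argument at all is not visible here, so this may be harmless. If it is meant to mirror the opcode table, it should read `GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x13, 0, PPC2_ISA300)`. The following patch deletes these lines, so the point only matters when this patch is applied without it.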
@@ -0,0 +1,65 @@ +From 959384e74e1b508acc3af6e806b3d7b87335fc2a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 22:59:46 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling dma_buf_rw(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the 2 callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=959384e74e1b508acc3af6e806b3d7b87335fc2a] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-11-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + softmmu/dma-helpers.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 7f37548..fa81d2b 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -295,7 +295,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + + + static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir) ++ DMADirection dir, MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; +@@ -307,8 +307,7 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, +- MEMTXATTRS_UNSPECIFIED); ++ dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; +@@ -319,12 +318,14 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE); ++ return dma_buf_rw(ptr, len, sg, 
DMA_DIRECTION_FROM_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, ++ MEMTXATTRS_UNSPECIFIED); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch b/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch new file mode 100644 index 0000000000..e9b99c9b4e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch 
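Review bot: Inside the `while (len > 0)` loop of `dma_buf_rw`, the return value of `dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs)` is dropped, and `ptr`, `len` and `resid` are advanced as if the transfer had succeeded. Now that callers can choose the transaction attributes, a rejected transaction (presumably possible with attributes other than the default) would still be counted as transferred in the returned residual. Consider stopping on error, for instance `if (dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs) != MEMTX_OK) { break; }`. Otherwise add a comment above `dma_buf_rw` stating that transaction errors are deliberately ignored. Part of the function body lies outside the hunk.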
@@ -0,0 +1,121 @@ +From 1cbb2622de34ee034f1dd7196567673c52c84805 Mon Sep 17 00:00:00 2001 +From: Victor Colombo <victor.colombo@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 12/21] target/ppc: Move xs{max,min}[cj]dp to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=c5df1898a147c232f0502cda5dac8df6074070fc] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Victor Colombo <victor.colombo@eldorado.org.br> +Message-Id: <20211213120958.24443-3-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 17 +++++++++++++--- + target/ppc/translate/vsx-impl.c.inc | 30 +++++++++++++++++++++++++---- + target/ppc/translate/vsx-ops.c.inc | 4 ---- + 3 files changed, 40 insertions(+), 11 deletions(-) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index e135b8aba4..759b2a9aa5 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -123,10 +123,14 @@ + &X_vrt_frbp vrt frbp + @X_vrt_frbp ...... vrt:5 ..... ....0 .......... . &X_vrt_frbp frbp=%x_frbp + ++%xx_xt 0:1 21:5 ++%xx_xb 1:1 11:5 ++%xx_xa 2:1 16:5 + &XX2 xt xb uim:uint8_t +-%xx2_xt 0:1 21:5 +-%xx2_xb 1:1 11:5 +-@XX2 ...... ..... ... uim:2 ..... ......... .. &XX2 xt=%xx2_xt xb=%xx2_xb ++@XX2 ...... ..... ... uim:2 ..... ......... .. &XX2 xt=%xx_xt xb=%xx_xb ++ ++&XX3 xt xa xb ++@XX3 ...... ..... ..... ..... ........ ... &XX3 xt=%xx_xt xa=%xx_xa xb=%xx_xb + + &Z22_bf_fra bf fra dm + @Z22_bf_fra ...... bf:3 .. fra:5 dm:6 ......... . &Z22_bf_fra +@@ -427,3 +431,10 @@ XXSPLTW 111100 ..... ---.. ..... 010100100 . . @XX2 + ## VSX Vector Load Special Value Instruction + + LXVKQ 111100 ..... 11111 ..... 0101101000 . @X_uim5 ++ ++## VSX Comparison Instructions ++ ++XSMAXCDP 111100 ..... ..... ..... 
10000000 ... @XX3 ++XSMINCDP 111100 ..... ..... ..... 10001000 ... @XX3 ++XSMAXJDP 111100 ..... ..... ..... 10010000 ... @XX3 ++XSMINJDP 111100 ..... ..... ..... 10011000 ... @XX3 +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 02df75339e..e2447750dd 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1098,10 +1098,6 @@ GEN_VSX_HELPER_R2_AB(xscmpoqp, 0x04, 0x04, 0, PPC2_VSX) + GEN_VSX_HELPER_R2_AB(xscmpuqp, 0x04, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmaxdp, 0x00, 0x14, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xsmindp, 0x00, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_X3(xsmaxcdp, 0x00, 0x10, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsmincdp, 0x00, 0x11, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsmaxjdp, 0x00, 0x12, 0, PPC2_ISA300) +-GEN_VSX_HELPER_X3(xsminjdp, 0x00, 0x12, 0, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300) + GEN_VSX_HELPER_X2(xscvdpsp, 0x12, 0x10, 0, PPC2_VSX) + GEN_VSX_HELPER_R2(xscvdpqp, 0x04, 0x1A, 0x16, PPC2_ISA300) +@@ -2185,6 +2181,32 @@ TRANS(XXBLENDVH, do_xxblendv, MO_16) + TRANS(XXBLENDVW, do_xxblendv, MO_32) + TRANS(XXBLENDVD, do_xxblendv, MO_64) + ++static bool do_xsmaxmincjdp(DisasContext *ctx, arg_XX3 *a, ++ void (*helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ TCGv_ptr xt, xa, xb; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ xt = gen_vsr_ptr(a->xt); ++ xa = gen_vsr_ptr(a->xa); ++ xb = gen_vsr_ptr(a->xb); ++ ++ helper(cpu_env, xt, xa, xb); ++ ++ tcg_temp_free_ptr(xt); ++ tcg_temp_free_ptr(xa); ++ tcg_temp_free_ptr(xb); ++ ++ return true; ++} ++ ++TRANS(XSMAXCDP, do_xsmaxmincjdp, gen_helper_xsmaxcdp) ++TRANS(XSMINCDP, do_xsmaxmincjdp, gen_helper_xsmincdp) ++TRANS(XSMAXJDP, do_xsmaxmincjdp, gen_helper_xsmaxjdp) ++TRANS(XSMINJDP, do_xsmaxmincjdp, gen_helper_xsminjdp) ++ + #undef GEN_XX2FORM + #undef GEN_XX3FORM + #undef GEN_XX2IFORM +diff --git a/target/ppc/translate/vsx-ops.c.inc 
b/target/ppc/translate/vsx-ops.c.inc +index 152d1e5c3b..f980bc1bae 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -207,10 +207,6 @@ GEN_VSX_XFORM_300(xscmpoqp, 0x04, 0x04, 0x00600001), + GEN_VSX_XFORM_300(xscmpuqp, 0x04, 0x14, 0x00600001), + GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), + GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), +-GEN_XX3FORM(xsmaxcdp, 0x00, 0x10, PPC2_ISA300), +-GEN_XX3FORM(xsmincdp, 0x00, 0x11, PPC2_ISA300), +-GEN_XX3FORM(xsmaxjdp, 0x00, 0x12, PPC2_ISA300), +-GEN_XX3FORM(xsminjdp, 0x00, 0x13, PPC2_ISA300), + GEN_XX2FORM_EO(xscvdphp, 0x16, 0x15, 0x11, PPC2_ISA300), + GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), + GEN_XX2FORM(xscvdpspn, 0x16, 0x10, PPC2_VSX207), +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..9837516422 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,129 @@ +From 392e48af3468d7f8e49db33fdc9e28b5f99276ce Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 23:02:21 +0100 +Subject: [PATCH] dma: Let dma_buf_write() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_write(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=392e48af3468d7f8e49db33fdc9e28b5f99276ce] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-12-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/ide/ahci.c | 6 ++++-- + hw/nvme/ctrl.c | 3 ++- + hw/scsi/megasas.c | 2 +- + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 11 insertions(+), 9 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 8e77ddb..079d297 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1381,8 +1381,10 @@ static void ahci_pio_transfer(const IDEDMA *dma) + has_sglist ? 
"" : "o"); + + if (has_sglist && size) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (is_write) { +- dma_buf_write(s->data_ptr, size, &s->sg); ++ dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { + dma_buf_read(s->data_ptr, size, &s->sg); + } +@@ -1479,7 +1481,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write) + if (is_write) { + dma_buf_read(p, l, &s->sg); + } else { +- dma_buf_write(p, l, &s->sg); ++ dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } + + /* free sglist, update byte count */ +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c4..e1a531d 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1146,10 +1146,11 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len, + assert(sg->flags & NVME_SG_ALLOC); + + if (sg->flags & NVME_SG_DMA) { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + uint64_t residual; + + if (dir == NVME_TX_DIRECTION_TO_DEVICE) { +- residual = dma_buf_write(ptr, len, &sg->qsg); ++ residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { + residual = dma_buf_read(ptr, len, &sg->qsg); + } +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 2dae33f..79fd14c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -1465,7 +1465,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd) + dcmd_size); + return MFI_STAT_INVALID_PARAMETER; + } +- dma_buf_write(&info, dcmd_size, &cmd->qsg); ++ dma_buf_write(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size); + return MFI_STAT_OK; + } +diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c +index 77325d8..64a506a 100644 +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1423,7 +1423,7 @@ void scsi_req_data(SCSIRequest *req, int len) + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { + req->resid = dma_buf_read(buf, len, req->sg); + } else { +- req->resid = dma_buf_write(buf, len, req->sg); ++ req->resid = 
dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } + scsi_req_continue(req); + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 0d5b836..e3dd74a 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -303,7 +303,7 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, + QEMUSGList *sg, enum BlockAcctType type); +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index fa81d2b..2f1a241 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -322,10 +322,9 @@ uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) + MEMTXATTRS_UNSPECIFIED); + } + +-uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch b/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch new file mode 100644 index 0000000000..100dcd25bc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch 
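Review bot: The call sites use two different ways to pass the default attributes. `ahci_pio_transfer` and `nvme_tx` declare `const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED;`, while `ahci_dma_rw_buf`, `megasas_dcmd_set_properties` and `scsi_req_data` spell the macro inline. Using the local constant everywhere would make later per-device changes a one-line edit per function. It would also keep the lines short: the new prototype `uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs);` already runs past 80 columns, and so do the `megasas.c` call sites in the `dma_buf_read` patch that follows. The declaration could be wrapped after `QEMUSGList *sg,`.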
@@ -0,0 +1,41 @@ +From 98ff271a4d1a1d60ae53b1f742df7c188b163375 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 13/21] target/ppc: fix xscvqpdp register access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This instruction has VRT and VRB fields instead of T/TX and B/BX. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=38d4914c5065e14f0969161274793ded448f067f] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211213120958.24443-4-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/translate/vsx-impl.c.inc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index e2447750dd..ab5cb21f13 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -913,8 +913,9 @@ static void gen_xscvqpdp(DisasContext *ctx) + return; + } + opc = tcg_const_i32(ctx->opcode); +- xt = gen_vsr_ptr(xT(ctx->opcode)); +- xb = gen_vsr_ptr(xB(ctx->opcode)); ++ ++ xt = gen_vsr_ptr(rD(ctx->opcode) + 32); ++ xb = gen_vsr_ptr(rB(ctx->opcode) + 32); + gen_helper_xscvqpdp(cpu_env, opc, xt, xb); + tcg_temp_free_i32(opc); + tcg_temp_free_ptr(xt); +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..4057caa8b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch 
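Review bot: The `+ 32` in `gen_vsr_ptr(rD(ctx->opcode) + 32)` and `gen_vsr_ptr(rB(ctx->opcode) + 32)` is a bare constant whose meaning is given only in the commit message. A comment above the two assignments, such as `/* VRT/VRB are vector-register fields: they name VSR 32..63 */`, would explain why this instruction does not use `xT()`/`xB()` like its neighbours and make an accidental revert less likely. `gen_xscvqpdp` starts and ends outside the hunk.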
@@ -0,0 +1,222 @@ +From 1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 23:29:52 +0100 +Subject: [PATCH] dma: Let dma_buf_read() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling +dma_buf_read(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=1e5a3f8b2a976054da96cbbb9de6cbac7c2efb79] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-13-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/ide/ahci.c | 4 ++-- + hw/nvme/ctrl.c | 2 +- + hw/scsi/megasas.c | 24 ++++++++++++------------ + hw/scsi/scsi-bus.c | 2 +- + include/sysemu/dma.h | 2 +- + softmmu/dma-helpers.c | 5 ++--- + 6 files changed, 19 insertions(+), 20 deletions(-) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index 079d297..205dfdc 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -1386,7 +1386,7 @@ static void ahci_pio_transfer(const IDEDMA *dma) + if (is_write) { + dma_buf_write(s->data_ptr, size, &s->sg, attrs); + } else { +- dma_buf_read(s->data_ptr, size, &s->sg); ++ dma_buf_read(s->data_ptr, size, &s->sg, attrs); + } + } + +@@ -1479,7 +1479,7 @@ static int ahci_dma_rw_buf(const IDEDMA *dma, bool is_write) + } + + if (is_write) { +- dma_buf_read(p, l, &s->sg); ++ dma_buf_read(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } else { + dma_buf_write(p, l, &s->sg, MEMTXATTRS_UNSPECIFIED); + } +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index e1a531d..462f79a 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -1152,7 +1152,7 @@ static uint16_t nvme_tx(NvmeCtrl *n, NvmeSg *sg, uint8_t *ptr, uint32_t len, + if (dir == 
NVME_TX_DIRECTION_TO_DEVICE) { + residual = dma_buf_write(ptr, len, &sg->qsg, attrs); + } else { +- residual = dma_buf_read(ptr, len, &sg->qsg); ++ residual = dma_buf_read(ptr, len, &sg->qsg, attrs); + } + + if (unlikely(residual)) { +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 79fd14c..091a350 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -848,7 +848,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + MFI_INFO_PDMIX_SATA | + MFI_INFO_PDMIX_LD); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -878,7 +878,7 @@ static int megasas_mfc_get_defaults(MegasasState *s, MegasasCmd *cmd) + info.disable_preboot_cli = 1; + info.cluster_disable = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -899,7 +899,7 @@ static int megasas_dcmd_get_bios_info(MegasasState *s, MegasasCmd *cmd) + info.expose_all_drives = 1; + } + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -910,7 +910,7 @@ static int megasas_dcmd_get_fw_time(MegasasState *s, MegasasCmd *cmd) + + fw_time = cpu_to_le64(megasas_fw_time()); + +- cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&fw_time, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -937,7 +937,7 @@ static int megasas_event_info(MegasasState *s, MegasasCmd *cmd) + info.shutdown_seq_num = cpu_to_le32(s->shutdown_event); + info.boot_seq_num = cpu_to_le32(s->boot_event); + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return 
MFI_STAT_OK; + } + +@@ -1006,7 +1006,7 @@ static int megasas_dcmd_pd_get_list(MegasasState *s, MegasasCmd *cmd) + info.size = cpu_to_le32(offset); + info.count = cpu_to_le32(num_pd_disks); + +- cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, offset, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1100,7 +1100,7 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, + info->connected_port_bitmap = 0x1; + info->device_speed = 1; + info->link_speed = 1; +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; +@@ -1172,7 +1172,7 @@ static int megasas_dcmd_ld_get_list(MegasasState *s, MegasasCmd *cmd) + info.ld_count = cpu_to_le32(num_ld_disks); + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1221,7 +1221,7 @@ static int megasas_dcmd_ld_list_query(MegasasState *s, MegasasCmd *cmd) + info.size = dcmd_size; + trace_megasas_dcmd_ld_get_list(cmd->index, num_ld_disks, max_ld_disks); + +- resid = dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + cmd->iov_size = dcmd_size - resid; + return MFI_STAT_OK; + } +@@ -1271,7 +1271,7 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, + info->ld_config.span[0].num_blocks = info->size; + info->ld_config.span[0].array_ref = cpu_to_le16(sdev_id); + +- resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg); ++ resid = dma_buf_read(cmd->iov_buf, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + g_free(cmd->iov_buf); + cmd->iov_size = dcmd_size - resid; + cmd->iov_buf = NULL; 
+@@ -1390,7 +1390,7 @@ static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) + ld_offset += sizeof(struct mfi_ld_config); + } + +- cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(data, info->size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +@@ -1420,7 +1420,7 @@ static int megasas_dcmd_get_properties(MegasasState *s, MegasasCmd *cmd) + info.ecc_bucket_leak_rate = cpu_to_le16(1440); + info.expose_encl_devices = 1; + +- cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg); ++ cmd->iov_size -= dma_buf_read(&info, dcmd_size, &cmd->qsg, MEMTXATTRS_UNSPECIFIED); + return MFI_STAT_OK; + } + +diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c +index 64a506a..2b5e9dc 100644 +--- a/hw/scsi/scsi-bus.c ++++ b/hw/scsi/scsi-bus.c +@@ -1421,7 +1421,7 @@ void scsi_req_data(SCSIRequest *req, int len) + + buf = scsi_req_get_buf(req); + if (req->cmd.mode == SCSI_XFER_FROM_DEV) { +- req->resid = dma_buf_read(buf, len, req->sg); ++ req->resid = dma_buf_read(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } else { + req->resid = dma_buf_write(buf, len, req->sg, MEMTXATTRS_UNSPECIFIED); + } +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index e3dd74a..fd8f160 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -302,7 +302,7 @@ BlockAIOCB *dma_blk_read(BlockBackend *blk, + BlockAIOCB *dma_blk_write(BlockBackend *blk, + QEMUSGList *sg, uint64_t offset, uint32_t align, + BlockCompletionFunc *cb, void *opaque); +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg); ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs); + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index 2f1a241..a391773 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -316,10 +316,9 @@ static 
uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + return resid; + } + +-uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg) ++uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, +- MEMTXATTRS_UNSPECIFIED); ++ return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch b/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch new file mode 100644 index 0000000000..345a49c90c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch 
@@ -0,0 +1,130 @@ +From c76ea6322bd70c36c9b396cf356167b36928e811 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:18 +0100 +Subject: [PATCH 14/21] target/ppc: move xscvqpdp to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=caf6f9b568479bea6f6d97798be670f21641a006] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211213120958.24443-5-victor.colombo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 10 +++------- + target/ppc/helper.h | 2 +- + target/ppc/insn32.decode | 4 ++++ + target/ppc/translate/vsx-impl.c.inc | 24 +++++++++++++----------- + target/ppc/translate/vsx-ops.c.inc | 1 - + 5 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index ecdcd36a11..5cc7fb1dcb 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2631,18 +2631,14 @@ VSX_CVT_FP_TO_FP_HP(xscvhpdp, 1, float16, float64, VsrH(3), VsrD(0), 1) + VSX_CVT_FP_TO_FP_HP(xvcvsphp, 4, float32, float16, VsrW(i), VsrH(2 * i + 1), 0) + VSX_CVT_FP_TO_FP_HP(xvcvhpsp, 4, float16, float32, VsrH(2 * i + 1), VsrW(i), 0) + +-/* +- * xscvqpdp isn't using VSX_CVT_FP_TO_FP() because xscvqpdpo will be +- * added to this later. 
+- */ +-void helper_xscvqpdp(CPUPPCState *env, uint32_t opcode, +- ppc_vsr_t *xt, ppc_vsr_t *xb) ++void helper_XSCVQPDP(CPUPPCState *env, uint32_t ro, ppc_vsr_t *xt, ++ ppc_vsr_t *xb) + { + ppc_vsr_t t = { }; + float_status tstat; + + tstat = env->fp_status; +- if (unlikely(Rc(opcode) != 0)) { ++ if (ro != 0) { + tstat.float_rounding_mode = float_round_to_odd; + } + +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index 12a3d5f269..ef5bdd38a7 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -400,7 +400,7 @@ DEF_HELPER_3(xscvdphp, void, env, vsr, vsr) + DEF_HELPER_4(xscvdpqp, void, env, i32, vsr, vsr) + DEF_HELPER_3(xscvdpsp, void, env, vsr, vsr) + DEF_HELPER_2(xscvdpspn, i64, env, i64) +-DEF_HELPER_4(xscvqpdp, void, env, i32, vsr, vsr) ++DEF_HELPER_4(XSCVQPDP, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpsdz, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpswz, void, env, i32, vsr, vsr) + DEF_HELPER_4(xscvqpudz, void, env, i32, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 759b2a9aa5..fd6bb13fa0 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -438,3 +438,7 @@ XSMAXCDP 111100 ..... ..... ..... 10000000 ... @XX3 + XSMINCDP 111100 ..... ..... ..... 10001000 ... @XX3 + XSMAXJDP 111100 ..... ..... ..... 10010000 ... @XX3 + XSMINJDP 111100 ..... ..... ..... 10011000 ... @XX3 ++ ++## VSX Binary Floating-Point Convert Instructions ++ ++XSCVQPDP 111111 ..... 10100 ..... 1101000100 . 
@X_tb_rc +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index ab5cb21f13..c08185e857 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -904,22 +904,24 @@ VSX_CMP(xvcmpgesp, 0x0C, 0x0A, 0, PPC2_VSX) + VSX_CMP(xvcmpgtsp, 0x0C, 0x09, 0, PPC2_VSX) + VSX_CMP(xvcmpnesp, 0x0C, 0x0B, 0, PPC2_VSX) + +-static void gen_xscvqpdp(DisasContext *ctx) ++static bool trans_XSCVQPDP(DisasContext *ctx, arg_X_tb_rc *a) + { +- TCGv_i32 opc; ++ TCGv_i32 ro; + TCGv_ptr xt, xb; +- if (unlikely(!ctx->vsx_enabled)) { +- gen_exception(ctx, POWERPC_EXCP_VSXU); +- return; +- } +- opc = tcg_const_i32(ctx->opcode); + +- xt = gen_vsr_ptr(rD(ctx->opcode) + 32); +- xb = gen_vsr_ptr(rB(ctx->opcode) + 32); +- gen_helper_xscvqpdp(cpu_env, opc, xt, xb); +- tcg_temp_free_i32(opc); ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ ro = tcg_const_i32(a->rc); ++ ++ xt = gen_avr_ptr(a->rt); ++ xb = gen_avr_ptr(a->rb); ++ gen_helper_XSCVQPDP(cpu_env, ro, xt, xb); ++ tcg_temp_free_i32(ro); + tcg_temp_free_ptr(xt); + tcg_temp_free_ptr(xb); ++ ++ return true; + } + + #define GEN_VSX_HELPER_2(name, op1, op2, inval, type) \ +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index f980bc1bae..c974324c4c 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -133,7 +133,6 @@ GEN_VSX_XFORM_300_EO(xsnabsqp, 0x04, 0x19, 0x08, 0x00000001), + GEN_VSX_XFORM_300_EO(xsnegqp, 0x04, 0x19, 0x10, 0x00000001), + GEN_VSX_XFORM_300(xscpsgnqp, 0x04, 0x03, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvdpqp, 0x04, 0x1A, 0x16, 0x00000001), +-GEN_VSX_XFORM_300_EO(xscvqpdp, 0x04, 0x1A, 0x14, 0x0), + GEN_VSX_XFORM_300_EO(xscvqpsdz, 0x04, 0x1A, 0x19, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvqpswz, 0x04, 0x1A, 0x09, 0x00000001), + GEN_VSX_XFORM_300_EO(xscvqpudz, 0x04, 0x1A, 0x11, 0x00000001), +-- +2.17.1 + 
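Review bot: The second argument of `helper_XSCVQPDP` changes meaning from the raw opcode to the decoded `rc` field, but the fpu_helper.c hunk removes the function's only comment and puts nothing in its place. Since `ro != 0` is what switches `tstat.float_rounding_mode` to `float_round_to_odd`, I would add `/* ro: non-zero selects round-to-odd, i.e. the xscvqpdpo form */` above the helper. In `trans_XSCVQPDP` the register pointers now come from `gen_avr_ptr(a->rt)` instead of `gen_vsr_ptr(rD(ctx->opcode) + 32)`. That is presumably equivalent because the vector registers alias VSRs 32-63, but `gen_avr_ptr` is not visible here, so a one-line comment stating the mapping would help. The helper body continues outside the hunk.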
diff --git a/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
new file mode 100644
index 0000000000..571ce9cc9b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
@@ -0,0 +1,91 @@ +From 292e13142d277c15bdd68331abc607e46628b7e1 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 23:38:52 +0100 +Subject: [PATCH] dma: Let dma_buf_rw() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_rw() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Since dma_buf_rw() was previously returning the QEMUSGList +size not consumed, add an extra argument where this size +can be stored. + +Update the 2 callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=292e13142d277c15bdd68331abc607e46628b7e1] + +Reviewed-by: Klaus Jensen <k.jensen@samsung.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-14-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + softmmu/dma-helpers.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/softmmu/dma-helpers.c b/softmmu/dma-helpers.c +index a391773..b0be156 100644 +--- a/softmmu/dma-helpers.c ++++ b/softmmu/dma-helpers.c +@@ -294,12 +294,14 @@ BlockAIOCB *dma_blk_write(BlockBackend *blk, + } + + +-static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, +- DMADirection dir, MemTxAttrs attrs) ++static MemTxResult dma_buf_rw(void *buf, int32_t len, uint64_t *residp, ++ QEMUSGList *sg, DMADirection dir, ++ MemTxAttrs attrs) + { + uint8_t *ptr = buf; + uint64_t resid; + int sg_cur_index; ++ MemTxResult res = MEMTX_OK; + + resid = sg->size; + sg_cur_index = 0; +@@ -307,23 +309,34 @@ static uint64_t dma_buf_rw(void *buf, int32_t len, QEMUSGList *sg, + while (len > 0) { + ScatterGatherEntry entry = sg->sg[sg_cur_index++]; + int32_t xfer = MIN(len, entry.len); +- dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, attrs); ++ res |= dma_memory_rw(sg->as, entry.base, ptr, xfer, dir, 
attrs); + ptr += xfer; + len -= xfer; + resid -= xfer; + } + +- return resid; ++ if (residp) { ++ *residp = resid; ++ } ++ return res; + } + + uint64_t dma_buf_read(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_FROM_DEVICE, attrs); ++ ++ return resid; + } + + uint64_t dma_buf_write(void *ptr, int32_t len, QEMUSGList *sg, MemTxAttrs attrs) + { +- return dma_buf_rw(ptr, len, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ uint64_t resid; ++ ++ dma_buf_rw(ptr, len, &resid, sg, DMA_DIRECTION_TO_DEVICE, attrs); ++ ++ return resid; + } + + void dma_acct_start(BlockBackend *blk, BlockAcctCookie *cookie, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch b/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch new file mode 100644 index 0000000000..5c5f972961 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch 
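Review bot: `dma_buf_read()` and `dma_buf_write()` call the reworked `dma_buf_rw()` and discard its `MemTxResult`, so a failed `dma_memory_rw()` is still invisible to every device model that goes through these wrappers. The loop also continues after a failing segment and subtracts `xfer` from `resid` regardless, so the residual stored through `residp` counts bytes that may never have been transferred. If a later patch in the series changes the wrappers' return type, a comment such as `/* TODO: result dropped until dma_buf_read/write return MemTxResult */` at the two call sites would make the interim state explicit. Otherwise the wrappers need to hand the result back. One line of `dma_buf_rw()` falls between the two hunks and is not visible here.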
@@ -0,0 +1,70 @@ +From 7448ee811d86b18a7f7f59e20853bd852e548f59 Mon Sep 17 00:00:00 2001 +From: "Lucas Mateus Castro (alqotel)" <lucas.araujo@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 15/21] target/ppc: ppc_store_fpscr doesn't update bits 0 to 28 + and 52 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit fixes the difference reported in the bug in the reserved +bit 52, it does this by adding this bit to the mask of bits to not be +directly altered in the ppc_store_fpscr function (the hardware used to +compare to QEMU was a Power9). + +The bits 0 to 27 were also added to the mask, as they are marked as +reserved in the PowerISA and bit 28 is a reserved extension of the DRN +field (bits 29:31) but can't be set using mtfsfi, while the other DRN +bits may be set using mtfsfi instruction, so bit 28 was also added to +the mask. + +Although this is a difference reported in the bug, since it's a reserved +bit it may be a "don't care" case, as put in the bug report. Looking at +the ISA it doesn't explicitly mention this bit can't be set, like it +does for FEX and VX, so I'm unsure if this is necessary. 
+ +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/266 + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=25ee608d79c1890c0f4e8c495ec8629d5712de45] + +Signed-off-by: Lucas Mateus Castro (alqotel) <lucas.araujo@eldorado.org.br> +Message-Id: <20211201163808.440385-4-lucas.araujo@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/cpu.c | 2 +- + target/ppc/cpu.h | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/target/ppc/cpu.c b/target/ppc/cpu.c +index f933d9f2bd..d7b42bae52 100644 +--- a/target/ppc/cpu.c ++++ b/target/ppc/cpu.c +@@ -112,7 +112,7 @@ static inline void fpscr_set_rounding_mode(CPUPPCState *env) + + void ppc_store_fpscr(CPUPPCState *env, target_ulong val) + { +- val &= ~(FP_VX | FP_FEX); ++ val &= FPSCR_MTFS_MASK; + if (val & FPSCR_IX) { + val |= FP_VX; + } +diff --git a/target/ppc/cpu.h b/target/ppc/cpu.h +index e946da5f3a..441d3dce19 100644 +--- a/target/ppc/cpu.h ++++ b/target/ppc/cpu.h +@@ -759,6 +759,10 @@ enum { + FP_VXZDZ | FP_VXIMZ | FP_VXVC | FP_VXSOFT | \ + FP_VXSQRT | FP_VXCVI) + ++/* FPSCR bits that can be set by mtfsf, mtfsfi and mtfsb1 */ ++#define FPSCR_MTFS_MASK (~(MAKE_64BIT_MASK(36, 28) | PPC_BIT(28) | \ ++ FP_FEX | FP_VX | PPC_BIT(52))) ++ + /*****************************************************************************/ + /* Vector status and control register */ + #define VSCR_NJ 16 /* Vector non-java */ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..7f56dcb6eb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch 
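Review bot: `FPSCR_MTFS_MASK` in cpu.h mixes two bit-numbering conventions without saying so. `MAKE_64BIT_MASK(36, 28)` takes a shift and length counted from the least significant bit, while `PPC_BIT(28)` and `PPC_BIT(52)` use the ISA's MSB-0 numbering, as far as I can tell from how the commit message describes bits 0 to 27, 28 and 52. A reader comparing the macro with the ISA text has to work out that the first term means ISA bits 0:27. I would extend the comment, for example `/* MAKE_64BIT_MASK(36, 28) clears ISA bits 0:27 (reserved); PPC_BIT(28) is the reserved DRN extension, PPC_BIT(52) is reserved */`. The commit message itself is unsure whether bit 52 needs masking, so the comment is also the place to record that this follows observed Power9 behaviour.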
@@ -0,0 +1,120 @@ +From 2280c27afc65bb2af95dd44a88e3b7117bfe240a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:53:34 +0100 +Subject: [PATCH] dma: Let st*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2280c27afc65bb2af95dd44a88e3b7117bfe240a] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-16-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/nvram/fw_cfg.c | 4 ++-- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 12 ++++++++---- + include/sysemu/dma.h | 10 ++++++---- + 4 files changed, 18 insertions(+), 11 deletions(-) + +diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c +index 9b91b15..e5f3c981 100644 +--- a/hw/nvram/fw_cfg.c ++++ b/hw/nvram/fw_cfg.c +@@ -360,7 +360,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + if (dma_memory_read(s->dma_as, dma_addr, + &dma, sizeof(dma), MEMTXATTRS_UNSPECIFIED)) { + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- FW_CFG_DMA_CTL_ERROR); ++ FW_CFG_DMA_CTL_ERROR, MEMTXATTRS_UNSPECIFIED); + return; + } + +@@ -446,7 +446,7 @@ static void fw_cfg_dma_transfer(FWCfgState *s) + } + + stl_be_dma(s->dma_as, dma_addr + offsetof(FWCfgDmaAccess, control), +- dma.control); ++ dma.control, MEMTXATTRS_UNSPECIFIED); + + trace_fw_cfg_read(s, 0); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index a751ab5..d07e970 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,7 +859,8 @@ static inline MemTxResult 
pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val); \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index 5d2ea8e..e87f8e6 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -118,10 +118,14 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + H_DEST_PARM : H_SUCCESS; + } + +-#define vio_stb(_dev, _addr, _val) (stb_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_sth(_dev, _addr, _val) (stw_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stl(_dev, _addr, _val) (stl_be_dma(&(_dev)->as, (_addr), (_val))) +-#define vio_stq(_dev, _addr, _val) (stq_be_dma(&(_dev)->as, (_addr), (_val))) ++#define vio_stb(_dev, _addr, _val) \ ++ (stb_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_sth(_dev, _addr, _val) \ ++ (stw_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stl(_dev, _addr, _val) \ ++ (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) ++#define vio_stq(_dev, _addr, _val) \ ++ (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index fd8f160..009dd3c 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -249,10 +249,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ +- uint##_bits##_t val) \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, 
MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + + static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) +@@ -263,9 +264,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) + return val; + } + +-static inline void stb_dma(AddressSpace *as, dma_addr_t addr, uint8_t val) ++static inline void stb_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t val, MemTxAttrs attrs) + { +- dma_memory_write(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_write(as, addr, &val, 1, attrs); + } + + DEFINE_LDST_DMA(uw, w, 16, le); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch b/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch new file mode 100644 index 0000000000..3b651c0b3e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch 
@@ -0,0 +1,133 @@ +From 232f979babccd6dfac40a54ee33521e652a0577c Mon Sep 17 00:00:00 2001 +From: Luis Pires <luis.pires@eldorado.org.br> +Date: Wed, 2 Mar 2022 06:51:36 +0100 +Subject: [PATCH 16/21] target/ppc: Introduce TRANS*FLAGS macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +New macros that add FLAGS and FLAGS2 checking were added for +both TRANS and TRANS64. + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=19f0862dd8fa6510b2f5b3aff4859363602cd0cf] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Luis Pires <luis.pires@eldorado.org.br> +[ferst: - TRANS_FLAGS2 instead of TRANS_FLAGS_E + - Use the new macros in load/store vector insns ] +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20220225210936.1749575-2-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/translate.c | 19 +++++++++++++++ + target/ppc/translate/vsx-impl.c.inc | 37 ++++++++++------------------- + 2 files changed, 31 insertions(+), 25 deletions(-) + +diff --git a/target/ppc/translate.c b/target/ppc/translate.c +index 9960df6e18..c12abc32f6 100644 +--- a/target/ppc/translate.c ++++ b/target/ppc/translate.c +@@ -7377,10 +7377,29 @@ static int times_16(DisasContext *ctx, int x) + #define TRANS(NAME, FUNC, ...) \ + static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ + { return FUNC(ctx, a, __VA_ARGS__); } ++#define TRANS_FLAGS(FLAGS, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_INSNS_FLAGS(ctx, FLAGS); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } ++#define TRANS_FLAGS2(FLAGS2, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_INSNS_FLAGS2(ctx, FLAGS2); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } + + #define TRANS64(NAME, FUNC, ...) 
\ + static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ + { REQUIRE_64BIT(ctx); return FUNC(ctx, a, __VA_ARGS__); } ++#define TRANS64_FLAGS2(FLAGS2, NAME, FUNC, ...) \ ++ static bool trans_##NAME(DisasContext *ctx, arg_##NAME *a) \ ++ { \ ++ REQUIRE_64BIT(ctx); \ ++ REQUIRE_INSNS_FLAGS2(ctx, FLAGS2); \ ++ return FUNC(ctx, a, __VA_ARGS__); \ ++ } + + /* TODO: More TRANS* helpers for extra insn_flags checks. */ + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index c08185e857..99c8a57e50 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -2070,12 +2070,6 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ, + + static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired) + { +- if (paired) { +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); +- } else { +- REQUIRE_INSNS_FLAGS2(ctx, ISA300); +- } +- + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { +@@ -2089,7 +2083,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + bool store, bool paired) + { + arg_D d; +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); + REQUIRE_VSX(ctx); + + if (!resolve_PLS_D(ctx, &d, a)) { +@@ -2101,12 +2094,6 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + + static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + { +- if (paired) { +- REQUIRE_INSNS_FLAGS2(ctx, ISA310); +- } else { +- REQUIRE_INSNS_FLAGS2(ctx, ISA300); +- } +- + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { +@@ -2116,18 +2103,18 @@ static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + return do_lstxv(ctx, a->ra, cpu_gpr[a->rb], a->rt, store, paired); + } + +-TRANS(STXV, do_lstxv_D, true, false) +-TRANS(LXV, do_lstxv_D, false, false) +-TRANS(STXVP, do_lstxv_D, true, true) +-TRANS(LXVP, do_lstxv_D, false, true) +-TRANS(STXVX, do_lstxv_X, true, false) +-TRANS(LXVX, do_lstxv_X, false, false) +-TRANS(STXVPX, do_lstxv_X, true, true) 
+-TRANS(LXVPX, do_lstxv_X, false, true) +-TRANS64(PSTXV, do_lstxv_PLS_D, true, false) +-TRANS64(PLXV, do_lstxv_PLS_D, false, false) +-TRANS64(PSTXVP, do_lstxv_PLS_D, true, true) +-TRANS64(PLXVP, do_lstxv_PLS_D, false, true) ++TRANS_FLAGS2(ISA300, STXV, do_lstxv_D, true, false) ++TRANS_FLAGS2(ISA300, LXV, do_lstxv_D, false, false) ++TRANS_FLAGS2(ISA310, STXVP, do_lstxv_D, true, true) ++TRANS_FLAGS2(ISA310, LXVP, do_lstxv_D, false, true) ++TRANS_FLAGS2(ISA300, STXVX, do_lstxv_X, true, false) ++TRANS_FLAGS2(ISA300, LXVX, do_lstxv_X, false, false) ++TRANS_FLAGS2(ISA310, STXVPX, do_lstxv_X, true, true) ++TRANS_FLAGS2(ISA310, LXVPX, do_lstxv_X, false, true) ++TRANS64_FLAGS2(ISA310, PSTXV, do_lstxv_PLS_D, true, false) ++TRANS64_FLAGS2(ISA310, PLXV, do_lstxv_PLS_D, false, false) ++TRANS64_FLAGS2(ISA310, PSTXVP, do_lstxv_PLS_D, true, true) ++TRANS64_FLAGS2(ISA310, PLXVP, do_lstxv_PLS_D, false, true) + + static void gen_xxblendv_vec(unsigned vece, TCGv_vec t, TCGv_vec a, TCGv_vec b, + TCGv_vec c) +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..a51451d343 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch 
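Review bot: The ISA-level checks removed from `do_lstxv_D()`, `do_lstxv_X()` and `do_lstxv_PLS_D()` now live only in the `TRANS_FLAGS2()`/`TRANS64_FLAGS2()` wrappers at the bottom of the vsx-impl.c.inc hunk, and nothing in the helpers says so. A later `TRANS()` entry or a direct call that reuses one of these helpers would generate code with no `REQUIRE_INSNS_FLAGS2` check at all. I would add `/* ISA level is checked by the TRANS_FLAGS2()/TRANS64_FLAGS2() wrapper, not here */` above each helper. The new macros in translate.c would also benefit from a short comment stating the order of checks (64-bit first, then instruction flags), since the existing `/* TODO: More TRANS* helpers ... */` line is the only documentation next to them.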
@@ -0,0 +1,151 @@ +From 34cdea1db600540a5261dc474e986f28b637c8e6 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:18:07 +0100 +Subject: [PATCH] dma: Let ld*_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=34cdea1db600540a5261dc474e986f28b637c8e6] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-17-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/intc/pnv_xive.c | 7 ++++--- + hw/usb/hcd-xhci.c | 6 +++--- + include/hw/pci/pci.h | 3 ++- + include/hw/ppc/spapr_vio.h | 3 ++- + include/sysemu/dma.h | 11 ++++++----- + 5 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c +index ad43483..d9249bb 100644 +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + + /* Get the page size of the indirect table. 
*/ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,7 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -542,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr); ++ vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index ed2b9ea..d960b81 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid); ++ poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3437,8 +3437,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) + if (!slot->addressed) { + continue; + } +- slot->ctx = +- xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid)); ++ slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, ++ MEMTXATTRS_UNSPECIFIED)); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git 
a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index d07e970..0613308 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,7 +854,8 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr); \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, \ ++ MEMTXATTRS_UNSPECIFIED); \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index e87f8e6..d2ec9b0 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -126,7 +126,8 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + (stl_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) +-#define vio_ldq(_dev, _addr) (ldq_be_dma(&(_dev)->as, (_addr))) ++#define vio_ldq(_dev, _addr) \ ++ (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 009dd3c..d1635f5 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -241,10 +241,11 @@ static inline void dma_memory_unmap(AddressSpace *as, + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ + static inline uint##_bits##_t ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, MEMTXATTRS_UNSPECIFIED); \ ++ dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ + return _end##_bits##_to_cpu(val); \ + } \ + static inline void st##_sname##_##_end##_dma(AddressSpace *as, \ +@@ -253,14 +254,14 @@ static inline void 
dma_memory_unmap(AddressSpace *as, + MemTxAttrs attrs) \ + { \ + val = cpu_to_##_end##_bits(val); \ +- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ ++ dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr) ++static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) + { + uint8_t val; + +- dma_memory_read(as, addr, &val, 1, MEMTXATTRS_UNSPECIFIED); ++ dma_memory_read(as, addr, &val, 1, attrs); + return val; + } + +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch b/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch new file mode 100644 index 0000000000..6d6d6b86ed --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch 
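Review bot: `ld##_lname##_##_end##_dma()` and `ldub_dma()` in include/sysemu/dma.h still declare `val` without an initialiser and ignore what `dma_memory_read()` returns. Because callers can now pass their own `attrs`, a rejected transaction is a more realistic outcome than it was with the fixed `MEMTXATTRS_UNSPECIFIED`. Whether a failed read always fills the buffer is not visible here. If it does not, the helper returns indeterminate stack contents to the device model, and possibly on to the guest. Initialising the local, `uint##_bits##_t val = 0;` and `uint8_t val = 0;`, is the minimal fix unless a later patch in the series makes these helpers return the `MemTxResult`. The macro body starts outside the hunk.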
@@ -0,0 +1,105 @@ +From 4c6a16c2bcdd14249eef876d3d029c445716fb13 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 17/21] target/ppc: Implement Vector Expand Mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +vexpandbm: Vector Expand Byte Mask +vexpandhm: Vector Expand Halfword Mask +vexpandwm: Vector Expand Word Mask +vexpanddm: Vector Expand Doubleword Mask +vexpandqm: Vector Expand Quadword Mask + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=5f1470b091007f24035d6d33149df49a6dd61682] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211203194229.746275-2-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 11 ++++++++++ + target/ppc/translate/vmx-impl.c.inc | 34 +++++++++++++++++++++++++++++ + 2 files changed, 45 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index fd6bb13fa0..e032251c74 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -56,6 +56,9 @@ + &VX_uim4 vrt uim vrb + @VX_uim4 ...... vrt:5 . uim:4 vrb:5 ........... &VX_uim4 + ++&VX_tb vrt vrb ++@VX_tb ...... vrt:5 ..... vrb:5 ........... &VX_tb ++ + &X rt ra rb + @X ...... rt:5 ra:5 rb:5 .......... . &X + +@@ -412,6 +415,14 @@ VINSWVRX 000100 ..... ..... ..... 00110001111 @VX + VSLDBI 000100 ..... ..... ..... 00 ... 010110 @VN + VSRDBI 000100 ..... ..... ..... 01 ... 010110 @VN + ++## Vector Mask Manipulation Instructions ++ ++VEXPANDBM 000100 ..... 00000 ..... 11001000010 @VX_tb ++VEXPANDHM 000100 ..... 00001 ..... 11001000010 @VX_tb ++VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb ++VEXPANDDM 000100 ..... 00011 ..... 
11001000010 @VX_tb ++VEXPANDQM 000100 ..... 00100 ..... 11001000010 @VX_tb ++ + # VSX Load/Store Instructions + + LXV 111101 ..... ..... ............ . 001 @DQ_TSX +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index 8eb8d3a067..ebb0484323 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1491,6 +1491,40 @@ static bool trans_VSRDBI(DisasContext *ctx, arg_VN *a) + return true; + } + ++static bool do_vexpand(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tcg_gen_gvec_sari(vece, avr_full_offset(a->vrt), avr_full_offset(a->vrb), ++ (8 << vece) - 1, 16, 16); ++ ++ return true; ++} ++ ++TRANS(VEXPANDBM, do_vexpand, MO_8) ++TRANS(VEXPANDHM, do_vexpand, MO_16) ++TRANS(VEXPANDWM, do_vexpand, MO_32) ++TRANS(VEXPANDDM, do_vexpand, MO_64) ++ ++static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ get_avr64(tmp, a->vrb, true); ++ tcg_gen_sari_i64(tmp, tmp, 63); ++ set_avr64(a->vrt, tmp, false); ++ set_avr64(a->vrt, tmp, true); ++ ++ tcg_temp_free_i64(tmp); ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..3fc7b631a4 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch 
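Review bot: The `tcg_gen_gvec_sari()` call in `do_vexpand()` carries three unexplained constants, `(8 << vece) - 1` and the trailing `16, 16`. The shift count is the element width in bits minus one, so the arithmetic shift copies each element's top bit across the whole element. The two 16s are presumably the operation and maximum sizes in bytes for a 128-bit register. A comment such as `/* sari by (element bits - 1) replicates each element's MSB into every bit */` would document this. The same applies to `tcg_gen_sari_i64(tmp, tmp, 63)` in `trans_VEXPANDQM()`, where it is also worth noting that only the high doubleword of `vrb` is read.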
@@ -0,0 +1,65 @@
+From 24aed6bcb6b6d266149591f955c2460c28759eb4 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Dec 2021 23:56:14 +0100
+Subject: [PATCH] dma: Let st*_dma() propagate MemTxResult
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+dma_memory_write() returns a MemTxResult type. Do not discard
+it, return it to the caller.
+
+CVE: CVE-2021-3611
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=24aed6bcb6b6d266149591f955c2460c28759eb4]
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20211223115554.3155328-18-philmd@redhat.com>
+Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+---
+ include/sysemu/dma.h | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h
+index d1635f5..895044d 100644
+--- a/include/sysemu/dma.h
++++ b/include/sysemu/dma.h
+@@ -248,13 +248,13 @@ static inline void dma_memory_unmap(AddressSpace *as,
+ dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \
+ return _end##_bits##_to_cpu(val); \
+ } \
+- static inline void st##_sname##_##_end##_dma(AddressSpace *as, \
+- dma_addr_t addr, \
+- uint##_bits##_t val, \
+- MemTxAttrs attrs) \
+- { \
+- val = cpu_to_##_end##_bits(val); \
+- dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
++ static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \
++ dma_addr_t addr, \
++ uint##_bits##_t val, \
++ MemTxAttrs attrs) \
++ { \
++ val = cpu_to_##_end##_bits(val); \
++ return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \
+ }
+
+ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs)
+@@ -265,10 +265,10 @@ static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs att
+ return val;
+ }
+
+-static inline void stb_dma(AddressSpace *as, dma_addr_t addr,
+- uint8_t val, MemTxAttrs attrs)
++static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr,
++ uint8_t val, MemTxAttrs attrs)
+ {
+- dma_memory_write(as, addr, &val, 1, attrs);
++ return dma_memory_write(as, addr, &val, 1, attrs);
+ }
+
+ DEFINE_LDST_DMA(uw, w, 16, le);
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch b/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
new file mode 100644
index 0000000000..57450c6fb7
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
@@ -0,0 +1,141 @@ +From 2dc8450e80b82c481904570dce789843b031db13 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 18/21] target/ppc: Implement Vector Extract Mask +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +vextractbm: Vector Extract Byte Mask +vextracthm: Vector Extract Halfword Mask +vextractwm: Vector Extract Word Mask +vextractdm: Vector Extract Doubleword Mask +vextractqm: Vector Extract Quadword Mask + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=17868d81e0074905b2c1e414af6618570e8059eb] + +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Message-Id: <20211203194229.746275-3-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 6 +++ + target/ppc/translate/vmx-impl.c.inc | 82 +++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index e032251c74..b0568b1356 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -423,6 +423,12 @@ VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb + VEXPANDDM 000100 ..... 00011 ..... 11001000010 @VX_tb + VEXPANDQM 000100 ..... 00100 ..... 11001000010 @VX_tb + ++VEXTRACTBM 000100 ..... 01000 ..... 11001000010 @VX_tb ++VEXTRACTHM 000100 ..... 01001 ..... 11001000010 @VX_tb ++VEXTRACTWM 000100 ..... 01010 ..... 11001000010 @VX_tb ++VEXTRACTDM 000100 ..... 01011 ..... 11001000010 @VX_tb ++VEXTRACTQM 000100 ..... 01100 ..... 11001000010 @VX_tb ++ + # VSX Load/Store Instructions + + LXV 111101 ..... ..... ............ . 
001 @DQ_TSX +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index ebb0484323..96c97bf6e7 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1525,6 +1525,88 @@ static bool trans_VEXPANDQM(DisasContext *ctx, arg_VX_tb *a) + return true; + } + ++static bool do_vextractm(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece, ++ mask = dup_const(vece, 1 << (elem_width - 1)); ++ uint64_t i, j; ++ TCGv_i64 lo, hi, t0, t1; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = tcg_temp_new_i64(); ++ lo = tcg_temp_new_i64(); ++ t0 = tcg_temp_new_i64(); ++ t1 = tcg_temp_new_i64(); ++ ++ get_avr64(lo, a->vrb, false); ++ get_avr64(hi, a->vrb, true); ++ ++ tcg_gen_andi_i64(lo, lo, mask); ++ tcg_gen_andi_i64(hi, hi, mask); ++ ++ /* ++ * Gather the most significant bit of each element in the highest element ++ * element. E.g. for bytes: ++ * aXXXXXXXbXXXXXXXcXXXXXXXdXXXXXXXeXXXXXXXfXXXXXXXgXXXXXXXhXXXXXXX ++ * & dup(1 << (elem_width - 1)) ++ * a0000000b0000000c0000000d0000000e0000000f0000000g0000000h0000000 ++ * << 32 - 4 ++ * 0000e0000000f0000000g0000000h00000000000000000000000000000000000 ++ * | ++ * a000e000b000f000c000g000d000h000e0000000f0000000g0000000h0000000 ++ * << 16 - 2 ++ * 00c000g000d000h000e0000000f0000000g0000000h000000000000000000000 ++ * | ++ * a0c0e0g0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h0000000 ++ * << 8 - 1 ++ * 0b0d0f0h0c0e0g000d0f0h000e0g00000f0h00000g0000000h00000000000000 ++ * | ++ * abcdefghbcdefgh0cdefgh00defgh000efgh0000fgh00000gh000000h0000000 ++ */ ++ for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) { ++ tcg_gen_shli_i64(t0, hi, j - i); ++ tcg_gen_shli_i64(t1, lo, j - i); ++ tcg_gen_or_i64(hi, hi, t0); ++ tcg_gen_or_i64(lo, lo, t1); ++ } ++ ++ tcg_gen_shri_i64(hi, hi, 64 - elem_count_half); ++ tcg_gen_extract2_i64(lo, lo, hi, 64 - elem_count_half); ++ 
tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], lo); ++ ++ tcg_temp_free_i64(hi); ++ tcg_temp_free_i64(lo); ++ tcg_temp_free_i64(t0); ++ tcg_temp_free_i64(t1); ++ ++ return true; ++} ++ ++TRANS(VEXTRACTBM, do_vextractm, MO_8) ++TRANS(VEXTRACTHM, do_vextractm, MO_16) ++TRANS(VEXTRACTWM, do_vextractm, MO_32) ++TRANS(VEXTRACTDM, do_vextractm, MO_64) ++ ++static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ get_avr64(tmp, a->vrb, true); ++ tcg_gen_shri_i64(tmp, tmp, 63); ++ tcg_gen_trunc_i64_tl(cpu_gpr[a->vrt], tmp); ++ ++ tcg_temp_free_i64(tmp); ++ ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..d8a136c47f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch 
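Review bot: In `do_vextractm` the mask is built with `1 << (elem_width - 1)`, where the literal `1` is an `int`, so the shift is evaluated in `int` before the value reaches `dup_const`. For `MO_32` that shifts into the sign bit, and for `MO_64` the shift count of 63 exceeds the width of `int`, which is undefined behaviour in C and is likely to give VEXTRACTDM a wrong mask on common hosts. The constant should be 64-bit: `mask = dup_const(vece, 1ULL << (elem_width - 1));`. The comment above the gather loop also repeats a word ("in the highest element element").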
@@ -0,0 +1,175 @@ +From cd1db8df7431edd2210ed0123e2e09b9b6d1e621 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:31:11 +0100 +Subject: [PATCH] dma: Let ld*_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +dma_memory_read() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=cd1db8df7431edd2210ed0123e2e09b9b6d1e621] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-19-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/intc/pnv_xive.c | 8 ++++---- + hw/usb/hcd-xhci.c | 7 ++++--- + include/hw/pci/pci.h | 6 ++++-- + include/hw/ppc/spapr_vio.h | 6 +++++- + include/sysemu/dma.h | 25 ++++++++++++------------- + 5 files changed, 29 insertions(+), 23 deletions(-) + +diff --git a/hw/intc/pnv_xive.c b/hw/intc/pnv_xive.c +index d9249bb..bb20751 100644 +--- a/hw/intc/pnv_xive.c ++++ b/hw/intc/pnv_xive.c +@@ -172,7 +172,7 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + + /* Get the page size of the indirect table. 
*/ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -195,8 +195,8 @@ static uint64_t pnv_xive_vst_addr_indirect(PnvXive *xive, uint32_t type, + /* Load the VSD we are looking for, if not already done */ + if (vsd_idx) { + vsd_addr = vsd_addr + vsd_idx * XIVE_VSD_SIZE; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, ++ MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +@@ -543,7 +543,7 @@ static uint64_t pnv_xive_vst_per_subpage(PnvXive *xive, uint32_t type) + + /* Get the page size of the indirect table. */ + vsd_addr = vsd & VSD_ADDRESS_MASK; +- vsd = ldq_be_dma(&address_space_memory, vsd_addr, MEMTXATTRS_UNSPECIFIED); ++ ldq_be_dma(&address_space_memory, vsd_addr, &vsd, MEMTXATTRS_UNSPECIFIED); + + if (!(vsd & VSD_ADDRESS_MASK)) { + #ifdef XIVE_DEBUG +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index d960b81..da5a407 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -2062,7 +2062,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, + assert(slotid >= 1 && slotid <= xhci->numslots); + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); +- poctx = ldq_le_dma(xhci->as, dcbaap + 8 * slotid, MEMTXATTRS_UNSPECIFIED); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &poctx, MEMTXATTRS_UNSPECIFIED); + ictx = xhci_mask64(pictx); + octx = xhci_mask64(poctx); + +@@ -3429,6 +3429,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) + uint32_t slot_ctx[4]; + uint32_t ep_ctx[5]; + int slotid, epid, state; ++ uint64_t addr; + + dcbaap = xhci_addr64(xhci->dcbaap_low, xhci->dcbaap_high); + +@@ -3437,8 +3438,8 @@ static int usb_xhci_post_load(void *opaque, int version_id) + if (!slot->addressed) { + 
continue; + } +- slot->ctx = xhci_mask64(ldq_le_dma(xhci->as, dcbaap + 8 * slotid, +- MEMTXATTRS_UNSPECIFIED)); ++ ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); ++ slot->ctx = xhci_mask64(addr); + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 0613308..8c5f2ed 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -854,8 +854,10 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr) \ + { \ +- return ld##_l##_dma(pci_get_address_space(dev), addr, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ uint##_bits##_t val; \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ ++ MEMTXATTRS_UNSPECIFIED); \ ++ return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, uint##_bits##_t val) \ +diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h +index d2ec9b0..7eae1a4 100644 +--- a/include/hw/ppc/spapr_vio.h ++++ b/include/hw/ppc/spapr_vio.h +@@ -127,7 +127,11 @@ static inline int spapr_vio_dma_set(SpaprVioDevice *dev, uint64_t taddr, + #define vio_stq(_dev, _addr, _val) \ + (stq_be_dma(&(_dev)->as, (_addr), (_val), MEMTXATTRS_UNSPECIFIED)) + #define vio_ldq(_dev, _addr) \ +- (ldq_be_dma(&(_dev)->as, (_addr), MEMTXATTRS_UNSPECIFIED)) ++ ({ \ ++ uint64_t _val; \ ++ ldq_be_dma(&(_dev)->as, (_addr), &_val, MEMTXATTRS_UNSPECIFIED); \ ++ _val; \ ++ }) + + int spapr_vio_send_crq(SpaprVioDevice *dev, uint8_t *crq); + +diff --git a/include/sysemu/dma.h b/include/sysemu/dma.h +index 895044d..b3faef4 100644 +--- a/include/sysemu/dma.h ++++ b/include/sysemu/dma.h +@@ -240,14 +240,15 @@ static inline void dma_memory_unmap(AddressSpace *as, + } + + #define DEFINE_LDST_DMA(_lname, _sname, _bits, _end) \ +- static inline uint##_bits##_t 
ld##_lname##_##_end##_dma(AddressSpace *as, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- dma_memory_read(as, addr, &val, (_bits) / 8, attrs); \ +- return _end##_bits##_to_cpu(val); \ +- } \ ++ static inline MemTxResult ld##_lname##_##_end##_dma(AddressSpace *as, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *pval, \ ++ MemTxAttrs attrs) \ ++ { \ ++ MemTxResult res = dma_memory_read(as, addr, pval, (_bits) / 8, attrs); \ ++ _end##_bits##_to_cpus(pval); \ ++ return res; \ ++ } \ + static inline MemTxResult st##_sname##_##_end##_dma(AddressSpace *as, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +@@ -257,12 +258,10 @@ static inline void dma_memory_unmap(AddressSpace *as, + return dma_memory_write(as, addr, &val, (_bits) / 8, attrs); \ + } + +-static inline uint8_t ldub_dma(AddressSpace *as, dma_addr_t addr, MemTxAttrs attrs) ++static inline MemTxResult ldub_dma(AddressSpace *as, dma_addr_t addr, ++ uint8_t *val, MemTxAttrs attrs) + { +- uint8_t val; +- +- dma_memory_read(as, addr, &val, 1, attrs); +- return val; ++ return dma_memory_read(as, addr, val, 1, attrs); + } + + static inline MemTxResult stb_dma(AddressSpace *as, dma_addr_t addr, +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch b/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch new file mode 100644 index 0000000000..96fda98771 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch 
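Review bot: The updated callers never look at the `MemTxResult` that `ld*_dma()` now returns, and three of them read into a fresh uninitialised local: `uint64_t addr;` in `usb_xhci_post_load`, `uint##_bits##_t val;` in the `ld##_l##_pci_dma` wrapper and `uint64_t _val;` in `vio_ldq`. If the DMA read fails, whatever is in that local is still byte-swapped by the unconditional `_end##_bits##_to_cpus(pval)` and then used as a context address or returned to the device model. The addresses involved appear to derive from guest-programmed registers such as `dcbaap`, so a guest may be able to provoke the failing read. I would at least initialise the destinations (`uint64_t addr = 0;`) and preferably test the result, e.g. `if (ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { continue; }`. The bodies of `usb_xhci_post_load`, `xhci_address_slot` and the `pnv_xive` functions continue outside the hunks, so the right failure path needs checking against the full functions.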
@@ -0,0 +1,187 @@ +From 4d5202aad706fd338646d19aafbf255c3864333c Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Fri, 17 Dec 2021 17:57:13 +0100 +Subject: [PATCH 19/21] target/ppc: Implement Vector Mask Move insns +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.1 instructions: +mtvsrbm: Move to VSR Byte Mask +mtvsrhm: Move to VSR Halfword Mask +mtvsrwm: Move to VSR Word Mask +mtvsrdm: Move to VSR Doubleword Mask +mtvsrqm: Move to VSR Quadword Mask +mtvsrbmi: Move to VSR Byte Mask Immediate + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=9193eaa901c54dbff4a91ea0b12a99e0135dbca1] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20211203194229.746275-4-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/insn32.decode | 11 +++ + target/ppc/translate/vmx-impl.c.inc | 115 ++++++++++++++++++++++++++++ + 2 files changed, 126 insertions(+) + +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index b0568b1356..8bdc059a4c 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -40,6 +40,10 @@ + %ds_rtp 22:4 !function=times_2 + @DS_rtp ...... ....0 ra:5 .............. .. &D rt=%ds_rtp si=%ds_si + ++&DX_b vrt b ++%dx_b 6:10 16:5 0:1 ++@DX_b ...... vrt:5 ..... .......... ..... . &DX_b b=%dx_b ++ + &DX rt d + %dx_d 6:s10 16:5 0:1 + @DX ...... rt:5 ..... .......... ..... . &DX d=%dx_d +@@ -417,6 +421,13 @@ VSRDBI 000100 ..... ..... ..... 01 ... 010110 @VN + + ## Vector Mask Manipulation Instructions + ++MTVSRBM 000100 ..... 10000 ..... 11001000010 @VX_tb ++MTVSRHM 000100 ..... 10001 ..... 11001000010 @VX_tb ++MTVSRWM 000100 ..... 10010 ..... 11001000010 @VX_tb ++MTVSRDM 000100 ..... 10011 ..... 
11001000010 @VX_tb ++MTVSRQM 000100 ..... 10100 ..... 11001000010 @VX_tb ++MTVSRBMI 000100 ..... ..... .......... 01010 . @DX_b ++ + VEXPANDBM 000100 ..... 00000 ..... 11001000010 @VX_tb + VEXPANDHM 000100 ..... 00001 ..... 11001000010 @VX_tb + VEXPANDWM 000100 ..... 00010 ..... 11001000010 @VX_tb +diff --git a/target/ppc/translate/vmx-impl.c.inc b/target/ppc/translate/vmx-impl.c.inc +index 96c97bf6e7..d5e02fd7f2 100644 +--- a/target/ppc/translate/vmx-impl.c.inc ++++ b/target/ppc/translate/vmx-impl.c.inc +@@ -1607,6 +1607,121 @@ static bool trans_VEXTRACTQM(DisasContext *ctx, arg_VX_tb *a) + return true; + } + ++static bool do_mtvsrm(DisasContext *ctx, arg_VX_tb *a, unsigned vece) ++{ ++ const uint64_t elem_width = 8 << vece, elem_count_half = 8 >> vece; ++ uint64_t c; ++ int i, j; ++ TCGv_i64 hi, lo, t0, t1; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = tcg_temp_new_i64(); ++ lo = tcg_temp_new_i64(); ++ t0 = tcg_temp_new_i64(); ++ t1 = tcg_temp_new_i64(); ++ ++ tcg_gen_extu_tl_i64(t0, cpu_gpr[a->vrb]); ++ tcg_gen_extract_i64(hi, t0, elem_count_half, elem_count_half); ++ tcg_gen_extract_i64(lo, t0, 0, elem_count_half); ++ ++ /* ++ * Spread the bits into their respective elements. ++ * E.g. 
for bytes: ++ * 00000000000000000000000000000000000000000000000000000000abcdefgh ++ * << 32 - 4 ++ * 0000000000000000000000000000abcdefgh0000000000000000000000000000 ++ * | ++ * 0000000000000000000000000000abcdefgh00000000000000000000abcdefgh ++ * << 16 - 2 ++ * 00000000000000abcdefgh00000000000000000000abcdefgh00000000000000 ++ * | ++ * 00000000000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh ++ * << 8 - 1 ++ * 0000000abcdefgh000000abcdefgh000000abcdefgh000000abcdefgh0000000 ++ * | ++ * 0000000abcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgXbcdefgh ++ * & dup(1) ++ * 0000000a0000000b0000000c0000000d0000000e0000000f0000000g0000000h ++ * * 0xff ++ * aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffgggggggghhhhhhhh ++ */ ++ for (i = elem_count_half / 2, j = 32; i > 0; i >>= 1, j >>= 1) { ++ tcg_gen_shli_i64(t0, hi, j - i); ++ tcg_gen_shli_i64(t1, lo, j - i); ++ tcg_gen_or_i64(hi, hi, t0); ++ tcg_gen_or_i64(lo, lo, t1); ++ } ++ ++ c = dup_const(vece, 1); ++ tcg_gen_andi_i64(hi, hi, c); ++ tcg_gen_andi_i64(lo, lo, c); ++ ++ c = MAKE_64BIT_MASK(0, elem_width); ++ tcg_gen_muli_i64(hi, hi, c); ++ tcg_gen_muli_i64(lo, lo, c); ++ ++ set_avr64(a->vrt, lo, false); ++ set_avr64(a->vrt, hi, true); ++ ++ tcg_temp_free_i64(hi); ++ tcg_temp_free_i64(lo); ++ tcg_temp_free_i64(t0); ++ tcg_temp_free_i64(t1); ++ ++ return true; ++} ++ ++TRANS(MTVSRBM, do_mtvsrm, MO_8) ++TRANS(MTVSRHM, do_mtvsrm, MO_16) ++TRANS(MTVSRWM, do_mtvsrm, MO_32) ++TRANS(MTVSRDM, do_mtvsrm, MO_64) ++ ++static bool trans_MTVSRQM(DisasContext *ctx, arg_VX_tb *a) ++{ ++ TCGv_i64 tmp; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ tmp = tcg_temp_new_i64(); ++ ++ tcg_gen_ext_tl_i64(tmp, cpu_gpr[a->vrb]); ++ tcg_gen_sextract_i64(tmp, tmp, 0, 1); ++ set_avr64(a->vrt, tmp, false); ++ set_avr64(a->vrt, tmp, true); ++ ++ tcg_temp_free_i64(tmp); ++ ++ return true; ++} ++ ++static bool trans_MTVSRBMI(DisasContext *ctx, arg_DX_b *a) ++{ ++ const uint64_t mask = dup_const(MO_8, 1); ++ 
uint64_t hi, lo; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA310); ++ REQUIRE_VECTOR(ctx); ++ ++ hi = extract16(a->b, 8, 8); ++ lo = extract16(a->b, 0, 8); ++ ++ for (int i = 4, j = 32; i > 0; i >>= 1, j >>= 1) { ++ hi |= hi << (j - i); ++ lo |= lo << (j - i); ++ } ++ ++ hi = (hi & mask) * 0xFF; ++ lo = (lo & mask) * 0xFF; ++ ++ set_avr64(a->vrt, tcg_constant_i64(hi), true); ++ set_avr64(a->vrt, tcg_constant_i64(lo), false); ++ ++ return true; ++} ++ + #define GEN_VAFORM_PAIRED(name0, name1, opc2) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..69101f308d --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch 
@@ -0,0 +1,303 @@ +From a423a1b523296f8798a5851aaaba64dd166c0a74 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 22:39:42 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling st*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=a423a1b523296f8798a5851aaaba64dd166c0a74] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-21-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 10 ++++++---- + hw/net/eepro100.c | 29 ++++++++++++++++++----------- + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 15 ++++++++++----- + hw/scsi/vmw_pvscsi.c | 3 ++- + include/hw/pci/pci.h | 11 ++++++----- + 6 files changed, 52 insertions(+), 34 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index fb3d34a..3309ae0 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,6 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -367,8 +368,8 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 
0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*wp, response); +- stl_le_pci_dma(&d->pci, addr + 8*wp + 4, ex); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +@@ -394,6 +395,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + uint8_t *buf, uint32_t len) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +@@ -428,7 +430,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + st->be, st->bp, st->bpl[st->be].len, copy); + + pci_dma_rw(&d->pci, st->bpl[st->be].addr + st->bp, buf, copy, !output, +- MEMTXATTRS_UNSPECIFIED); ++ attrs); + st->lpib += copy; + st->bp += copy; + buf += copy; +@@ -451,7 +453,7 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + if (d->dp_lbase & 0x01) { + s = st - d->st; + addr = intel_hda_addr(d->dp_lbase & ~0x01, d->dp_ubase); +- stl_le_pci_dma(&d->pci, addr + 8*s, st->lpib); ++ stl_le_pci_dma(&d->pci, addr + 8 * s, st->lpib, attrs); + } + dprint(d, 3, "dma: --\n"); + +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 16e95ef..83c4431 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -700,6 +700,8 @@ static void set_ru_state(EEPRO100State * s, ru_state_t state) + + static void dump_statistics(EEPRO100State * s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + /* Dump statistical data. Most data is never changed by the emulation + * and always 0, so we first just copy the whole block and then those + * values which really matter. 
+@@ -707,16 +709,18 @@ static void dump_statistics(EEPRO100State * s) + */ + pci_dma_write(&s->dev, s->statsaddr, &s->statistics, s->stats_size); + stl_le_pci_dma(&s->dev, s->statsaddr + 0, +- s->statistics.tx_good_frames); ++ s->statistics.tx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 36, +- s->statistics.rx_good_frames); ++ s->statistics.rx_good_frames, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 48, +- s->statistics.rx_resource_errors); ++ s->statistics.rx_resource_errors, attrs); + stl_le_pci_dma(&s->dev, s->statsaddr + 60, +- s->statistics.rx_short_frame_errors); ++ s->statistics.rx_short_frame_errors, attrs); + #if 0 +- stw_le_pci_dma(&s->dev, s->statsaddr + 76, s->statistics.xmt_tco_frames); +- stw_le_pci_dma(&s->dev, s->statsaddr + 78, s->statistics.rcv_tco_frames); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 76, ++ s->statistics.xmt_tco_frames, attrs); ++ stw_le_pci_dma(&s->dev, s->statsaddr + 78, ++ s->statistics.rcv_tco_frames, attrs); + missing("CU dump statistical counters"); + #endif + } +@@ -833,6 +837,7 @@ static void set_multicast_list(EEPRO100State *s) + + static void action_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + /* The loop below won't stop if it gets special handcrafted data. + Therefore we limit the number of iterations. */ + unsigned max_loop_count = 16; +@@ -911,7 +916,7 @@ static void action_command(EEPRO100State *s) + } + /* Write new status. */ + stw_le_pci_dma(&s->dev, s->cb_address, +- s->tx.status | ok_status | STATUS_C); ++ s->tx.status | ok_status | STATUS_C, attrs); + if (bit_i) { + /* CU completed action. 
*/ + eepro100_cx_interrupt(s); +@@ -937,6 +942,7 @@ static void action_command(EEPRO100State *s) + + static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + cu_state_t cu_state; + switch (val) { + case CU_NOP: +@@ -986,7 +992,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + /* Dump statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa005, attrs); + break; + case CU_CMD_BASE: + /* Load CU base. */ +@@ -997,7 +1003,7 @@ static void eepro100_cu_command(EEPRO100State * s, uint8_t val) + /* Dump and reset statistical counters. */ + TRACE(OTHER, logout("val=0x%02x (dump stats and reset)\n", val)); + dump_statistics(s); +- stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007); ++ stl_le_pci_dma(&s->dev, s->statsaddr + s->stats_size, 0xa007, attrs); + memset(&s->statistics, 0, sizeof(s->statistics)); + break; + case CU_SRESUME: +@@ -1612,6 +1618,7 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size) + * - Magic packets should set bit 30 in power management driver register. + * - Interesting packets should set bit 29 in power management driver register. 
+ */ ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + EEPRO100State *s = qemu_get_nic_opaque(nc); + uint16_t rfd_status = 0xa000; + #if defined(CONFIG_PAD_RECEIVED_FRAMES) +@@ -1726,9 +1733,9 @@ static ssize_t nic_receive(NetClientState *nc, const uint8_t * buf, size_t size) + TRACE(OTHER, logout("command 0x%04x, link 0x%08x, addr 0x%08x, size %u\n", + rfd_command, rx.link, rx.rx_buf_addr, rfd_size)); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, status), rfd_status); ++ offsetof(eepro100_rx_t, status), rfd_status, attrs); + stw_le_pci_dma(&s->dev, s->ru_base + s->ru_offset + +- offsetof(eepro100_rx_t, count), size); ++ offsetof(eepro100_rx_t, count), size, attrs); + /* Early receive interrupt not supported. */ + #if 0 + eepro100_er_interrupt(s); +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index ca69f7e..1f2c79d 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -86,16 +86,18 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + static void tulip_desc_write(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- stl_be_pci_dma(&s->dev, p, desc->status); +- stl_be_pci_dma(&s->dev, p + 4, desc->control); +- stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_be_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_be_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_be_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ stl_be_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } else { +- stl_le_pci_dma(&s->dev, p, desc->status); +- stl_le_pci_dma(&s->dev, p + 4, desc->control); +- stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1); +- stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2); ++ stl_le_pci_dma(&s->dev, p, desc->status, attrs); ++ stl_le_pci_dma(&s->dev, p + 4, desc->control, attrs); ++ stl_le_pci_dma(&s->dev, p + 8, desc->buf_addr1, attrs); ++ 
stl_le_pci_dma(&s->dev, p + 12, desc->buf_addr2, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 091a350..b5e8b14 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -168,14 +168,16 @@ static void megasas_frame_set_cmd_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, cmd_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static void megasas_frame_set_scsi_status(MegasasState *s, + unsigned long frame, uint8_t v) + { + PCIDevice *pci = &s->parent_obj; +- stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), v); ++ stb_pci_dma(pci, frame + offsetof(struct mfi_frame_header, scsi_status), ++ v, MEMTXATTRS_UNSPECIFIED); + } + + static inline const char *mfi_frame_desc(unsigned int cmd) +@@ -542,6 +544,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + + static void megasas_complete_frame(MegasasState *s, uint64_t context) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci_dev = PCI_DEVICE(s); + int tail, queue_offset; + +@@ -555,10 +558,12 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + */ + if (megasas_use_queue64(s)) { + queue_offset = s->reply_queue_head * sizeof(uint64_t); +- stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stq_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } else { + queue_offset = s->reply_queue_head * sizeof(uint32_t); +- stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, context); ++ stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, ++ context, attrs); + } + s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); + trace_megasas_qf_complete(context, s->reply_queue_head, +@@ -572,7 +577,7 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + 
s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, + s->busy); +- stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head); ++ stl_le_pci_dma(pci_dev, s->producer_pa, s->reply_queue_head, attrs); + /* Notify HBA */ + if (msix_enabled(pci_dev)) { + trace_megasas_msix_raise(0); +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index cd76bd6..59c3e8b 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -55,7 +55,8 @@ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val)) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ ++ MEMTXATTRS_UNSPECIFIED)) + + struct PVSCSIClass { + PCIDeviceClass parent_class; +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 8c5f2ed..9f51ef2 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,11 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + MEMTXATTRS_UNSPECIFIED); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, uint##_bits##_t val) \ +- { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ static inline void st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch b/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch new file mode 100644 index 0000000000..7e747298a9 --- /dev/null 
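Review bot: `st##_s##_pci_dma` in `include/hw/pci/pci.h` is still declared `void` and calls `st##_s##_dma(...)` as a plain statement, so the `MemTxResult` that the `st*_dma()` helpers return after the 0017 `st*_dma` patch is dropped at the PCI layer. None of the device callers touched here (intel-hda, eepro100, tulip, megasas, vmw_pvscsi) can therefore tell that a store to a guest-supplied address failed. Unless a later patch in the series already does this, the wrapper should become `static inline MemTxResult st##_s##_pci_dma(...)` with `return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs);`. The enclosing `PCI_DMA_DEFINE_LDST` macro starts outside the hunk.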
+++ b/meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch 
@@ -0,0 +1,258 @@ +From a3c7553efdec661a8f7d7dfc0c0618a35fab005c Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Wed, 2 Mar 2022 06:51:38 +0100 +Subject: [PATCH 20/21] target/ppc: move xs[n]madd[am][ds]p/xs[n]msub[am][ds]p + to decodetree +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=e4318ab2e423c4caf9a88a4e99b5e234096b81a9] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20220225210936.1749575-37-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 23 ++++++------ + target/ppc/helper.h | 16 ++++----- + target/ppc/insn32.decode | 22 ++++++++++++ + target/ppc/translate/vsx-impl.c.inc | 56 ++++++++++++++++++++++++----- + target/ppc/translate/vsx-ops.c.inc | 16 --------- + 5 files changed, 90 insertions(+), 43 deletions(-) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 5cc7fb1dcb..853e5f6029 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2036,10 +2036,11 @@ VSX_TSQRT(xvtsqrtsp, 4, float32, VsrW(i), -126, 23) + * maddflgs - flags for the float*muladd routine that control the + * various forms (madd, msub, nmadd, nmsub) + * sfprf - set FPRF ++ * r2sp - round intermediate double precision result to single precision + */ + #define VSX_MADD(op, nels, tp, fld, maddflgs, sfprf, r2sp) \ + void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ +- ppc_vsr_t *xa, ppc_vsr_t *b, ppc_vsr_t *c) \ ++ ppc_vsr_t *s1, ppc_vsr_t *s2, ppc_vsr_t *s3) \ + { \ + ppc_vsr_t t = *xt; \ + int i; \ +@@ -2055,12 +2056,12 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + * result to odd. 
\ + */ \ + set_float_rounding_mode(float_round_to_zero, &tstat); \ +- t.fld = tp##_muladd(xa->fld, b->fld, c->fld, \ ++ t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld, \ + maddflgs, &tstat); \ + t.fld |= (get_float_exception_flags(&tstat) & \ + float_flag_inexact) != 0; \ + } else { \ +- t.fld = tp##_muladd(xa->fld, b->fld, c->fld, \ ++ t.fld = tp##_muladd(s1->fld, s3->fld, s2->fld, \ + maddflgs, &tstat); \ + } \ + env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ +@@ -2082,14 +2083,14 @@ void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, \ + do_float_check_status(env, GETPC()); \ + } + +-VSX_MADD(xsmadddp, 1, float64, VsrD(0), MADD_FLGS, 1, 0) +-VSX_MADD(xsmsubdp, 1, float64, VsrD(0), MSUB_FLGS, 1, 0) +-VSX_MADD(xsnmadddp, 1, float64, VsrD(0), NMADD_FLGS, 1, 0) +-VSX_MADD(xsnmsubdp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0) +-VSX_MADD(xsmaddsp, 1, float64, VsrD(0), MADD_FLGS, 1, 1) +-VSX_MADD(xsmsubsp, 1, float64, VsrD(0), MSUB_FLGS, 1, 1) +-VSX_MADD(xsnmaddsp, 1, float64, VsrD(0), NMADD_FLGS, 1, 1) +-VSX_MADD(xsnmsubsp, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1) ++VSX_MADD(XSMADDDP, 1, float64, VsrD(0), MADD_FLGS, 1, 0) ++VSX_MADD(XSMSUBDP, 1, float64, VsrD(0), MSUB_FLGS, 1, 0) ++VSX_MADD(XSNMADDDP, 1, float64, VsrD(0), NMADD_FLGS, 1, 0) ++VSX_MADD(XSNMSUBDP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 0) ++VSX_MADD(XSMADDSP, 1, float64, VsrD(0), MADD_FLGS, 1, 1) ++VSX_MADD(XSMSUBSP, 1, float64, VsrD(0), MSUB_FLGS, 1, 1) ++VSX_MADD(XSNMADDSP, 1, float64, VsrD(0), NMADD_FLGS, 1, 1) ++VSX_MADD(XSNMSUBSP, 1, float64, VsrD(0), NMSUB_FLGS, 1, 1) + + VSX_MADD(xvmadddp, 2, float64, VsrD(i), MADD_FLGS, 0, 0) + VSX_MADD(xvmsubdp, 2, float64, VsrD(i), MSUB_FLGS, 0, 0) +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index ef5bdd38a7..e147b37644 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -376,10 +376,10 @@ DEF_HELPER_3(xssqrtdp, void, env, vsr, vsr) + DEF_HELPER_3(xsrsqrtedp, void, env, vsr, vsr) + DEF_HELPER_4(xstdivdp, void, env, i32, 
vsr, vsr) + DEF_HELPER_3(xstsqrtdp, void, env, i32, vsr) +-DEF_HELPER_5(xsmadddp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsmsubdp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmadddp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmsubdp, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDDP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBDP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_4(xscmpeqdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xscmpgtdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xscmpgedp, void, env, vsr, vsr, vsr) +@@ -439,10 +439,10 @@ DEF_HELPER_3(xsresp, void, env, vsr, vsr) + DEF_HELPER_2(xsrsp, i64, env, i64) + DEF_HELPER_3(xssqrtsp, void, env, vsr, vsr) + DEF_HELPER_3(xsrsqrtesp, void, env, vsr, vsr) +-DEF_HELPER_5(xsmaddsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsmsubsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmaddsp, void, env, vsr, vsr, vsr, vsr) +-DEF_HELPER_5(xsnmsubsp, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr) + + DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 8bdc059a4c..0ff8818084 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -451,6 +451,28 @@ STXVX 011111 ..... ..... ..... 0110001100 . @X_TSX + LXVPX 011111 ..... ..... ..... 0101001101 - @X_TSXP + STXVPX 011111 ..... ..... ..... 0111001101 - @X_TSXP + ++## VSX Scalar Multiply-Add Instructions ++ ++XSMADDADP 111100 ..... ..... ..... 00100001 . . . @XX3 ++XSMADDMDP 111100 ..... ..... ..... 00101001 . . . @XX3 ++XSMADDASP 111100 ..... ..... ..... 00000001 . . . 
@XX3 ++XSMADDMSP 111100 ..... ..... ..... 00001001 . . . @XX3 ++ ++XSMSUBADP 111100 ..... ..... ..... 00110001 . . . @XX3 ++XSMSUBMDP 111100 ..... ..... ..... 00111001 . . . @XX3 ++XSMSUBASP 111100 ..... ..... ..... 00010001 . . . @XX3 ++XSMSUBMSP 111100 ..... ..... ..... 00011001 . . . @XX3 ++ ++XSNMADDASP 111100 ..... ..... ..... 10000001 . . . @XX3 ++XSNMADDMSP 111100 ..... ..... ..... 10001001 . . . @XX3 ++XSNMADDADP 111100 ..... ..... ..... 10100001 . . . @XX3 ++XSNMADDMDP 111100 ..... ..... ..... 10101001 . . . @XX3 ++ ++XSNMSUBASP 111100 ..... ..... ..... 10010001 . . . @XX3 ++XSNMSUBMSP 111100 ..... ..... ..... 10011001 . . . @XX3 ++XSNMSUBADP 111100 ..... ..... ..... 10110001 . . . @XX3 ++XSNMSUBMDP 111100 ..... ..... ..... 10111001 . . . @XX3 ++ + ## VSX splat instruction + + XXSPLTIB 111100 ..... 00 ........ 0101101000 . @X_imm8 +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 99c8a57e50..90d3ac665b 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1201,6 +1201,54 @@ GEN_VSX_HELPER_2(xvtstdcdp, 0x14, 0x1E, 0, PPC2_VSX) + GEN_VSX_HELPER_X3(xxperm, 0x08, 0x03, 0, PPC2_ISA300) + GEN_VSX_HELPER_X3(xxpermr, 0x08, 0x07, 0, PPC2_ISA300) + ++static bool do_xsmadd(DisasContext *ctx, int tgt, int src1, int src2, int src3, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ TCGv_ptr t, s1, s2, s3; ++ ++ t = gen_vsr_ptr(tgt); ++ s1 = gen_vsr_ptr(src1); ++ s2 = gen_vsr_ptr(src2); ++ s3 = gen_vsr_ptr(src3); ++ ++ gen_helper(cpu_env, t, s1, s2, s3); ++ ++ tcg_temp_free_ptr(t); ++ tcg_temp_free_ptr(s1); ++ tcg_temp_free_ptr(s2); ++ tcg_temp_free_ptr(s3); ++ ++ return true; ++} ++ ++static bool do_xsmadd_XX3(DisasContext *ctx, arg_XX3 *a, bool type_a, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ REQUIRE_VSX(ctx); ++ ++ if (type_a) { ++ return do_xsmadd(ctx, a->xt, a->xa, a->xt, a->xb, gen_helper); ++ } ++ return 
do_xsmadd(ctx, a->xt, a->xa, a->xb, a->xt, gen_helper); ++} ++ ++TRANS_FLAGS2(VSX, XSMADDADP, do_xsmadd_XX3, true, gen_helper_XSMADDDP) ++TRANS_FLAGS2(VSX, XSMADDMDP, do_xsmadd_XX3, false, gen_helper_XSMADDDP) ++TRANS_FLAGS2(VSX, XSMSUBADP, do_xsmadd_XX3, true, gen_helper_XSMSUBDP) ++TRANS_FLAGS2(VSX, XSMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSMSUBDP) ++TRANS_FLAGS2(VSX, XSNMADDADP, do_xsmadd_XX3, true, gen_helper_XSNMADDDP) ++TRANS_FLAGS2(VSX, XSNMADDMDP, do_xsmadd_XX3, false, gen_helper_XSNMADDDP) ++TRANS_FLAGS2(VSX, XSNMSUBADP, do_xsmadd_XX3, true, gen_helper_XSNMSUBDP) ++TRANS_FLAGS2(VSX, XSNMSUBMDP, do_xsmadd_XX3, false, gen_helper_XSNMSUBDP) ++TRANS_FLAGS2(VSX207, XSMADDASP, do_xsmadd_XX3, true, gen_helper_XSMADDSP) ++TRANS_FLAGS2(VSX207, XSMADDMSP, do_xsmadd_XX3, false, gen_helper_XSMADDSP) ++TRANS_FLAGS2(VSX207, XSMSUBASP, do_xsmadd_XX3, true, gen_helper_XSMSUBSP) ++TRANS_FLAGS2(VSX207, XSMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSMSUBSP) ++TRANS_FLAGS2(VSX207, XSNMADDASP, do_xsmadd_XX3, true, gen_helper_XSNMADDSP) ++TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP) ++TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP) ++TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP) ++ + #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type) \ + static void gen_##name(DisasContext *ctx) \ + { \ +@@ -1231,14 +1279,6 @@ static void gen_##name(DisasContext *ctx) \ + tcg_temp_free_ptr(c); \ + } + +-GEN_VSX_HELPER_VSX_MADD(xsmadddp, 0x04, 0x04, 0x05, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsmsubdp, 0x04, 0x06, 0x07, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsnmadddp, 0x04, 0x14, 0x15, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsnmsubdp, 0x04, 0x16, 0x17, 0, PPC2_VSX) +-GEN_VSX_HELPER_VSX_MADD(xsmaddsp, 0x04, 0x00, 0x01, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsmsubsp, 0x04, 0x02, 0x03, 0, PPC2_VSX207) +-GEN_VSX_HELPER_VSX_MADD(xsnmaddsp, 0x04, 0x10, 0x11, 0, PPC2_VSX207) 
+-GEN_VSX_HELPER_VSX_MADD(xsnmsubsp, 0x04, 0x12, 0x13, 0, PPC2_VSX207) + GEN_VSX_HELPER_VSX_MADD(xvmadddp, 0x04, 0x0C, 0x0D, 0, PPC2_VSX) + GEN_VSX_HELPER_VSX_MADD(xvmsubdp, 0x04, 0x0E, 0x0F, 0, PPC2_VSX) + GEN_VSX_HELPER_VSX_MADD(xvnmadddp, 0x04, 0x1C, 0x1D, 0, PPC2_VSX) +diff --git a/target/ppc/translate/vsx-ops.c.inc b/target/ppc/translate/vsx-ops.c.inc +index c974324c4c..ef0200eead 100644 +--- a/target/ppc/translate/vsx-ops.c.inc ++++ b/target/ppc/translate/vsx-ops.c.inc +@@ -186,14 +186,6 @@ GEN_XX2FORM(xssqrtdp, 0x16, 0x04, PPC2_VSX), + GEN_XX2FORM(xsrsqrtedp, 0x14, 0x04, PPC2_VSX), + GEN_XX3FORM(xstdivdp, 0x14, 0x07, PPC2_VSX), + GEN_XX2FORM(xstsqrtdp, 0x14, 0x06, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmadddp, "xsmaddadp", 0x04, 0x04, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmadddp, "xsmaddmdp", 0x04, 0x05, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubadp", 0x04, 0x06, PPC2_VSX), +-GEN_XX3FORM_NAME(xsmsubdp, "xsmsubmdp", 0x04, 0x07, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddadp", 0x04, 0x14, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmadddp, "xsnmaddmdp", 0x04, 0x15, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubadp", 0x04, 0x16, PPC2_VSX), +-GEN_XX3FORM_NAME(xsnmsubdp, "xsnmsubmdp", 0x04, 0x17, PPC2_VSX), + GEN_XX3FORM(xscmpeqdp, 0x0C, 0x00, PPC2_ISA300), + GEN_XX3FORM(xscmpgtdp, 0x0C, 0x01, PPC2_ISA300), + GEN_XX3FORM(xscmpgedp, 0x0C, 0x02, PPC2_ISA300), +@@ -235,14 +227,6 @@ GEN_XX2FORM(xsresp, 0x14, 0x01, PPC2_VSX207), + GEN_XX2FORM(xsrsp, 0x12, 0x11, PPC2_VSX207), + GEN_XX2FORM(xssqrtsp, 0x16, 0x00, PPC2_VSX207), + GEN_XX2FORM(xsrsqrtesp, 0x14, 0x00, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddasp", 0x04, 0x00, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmaddsp, "xsmaddmsp", 0x04, 0x01, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubasp", 0x04, 0x02, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsmsubsp, "xsmsubmsp", 0x04, 0x03, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddasp", 0x04, 0x10, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmaddsp, "xsnmaddmsp", 0x04, 0x11, 
PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubasp", 0x04, 0x12, PPC2_VSX207), +-GEN_XX3FORM_NAME(xsnmsubsp, "xsnmsubmsp", 0x04, 0x13, PPC2_VSX207), + GEN_XX2FORM(xscvsxdsp, 0x10, 0x13, PPC2_VSX207), + GEN_XX2FORM(xscvuxdsp, 0x10, 0x12, PPC2_VSX207), + +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch new file mode 100644 index 0000000000..7f9de244be --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch 
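Review bot: The shared `VSX_MADD` helper now calls `tp##_muladd(s1->fld, s3->fld, s2->fld, ...)` instead of `(xa, b, c)`, which swaps the multiplier and the addend for every instantiation. That includes the vector ones (`xvmadddp`, `xvmsubdp`, ...) that stay on the old `GEN_VSX_HELPER_VSX_MADD` generator. The generator's operand selection is outside the lines shown, so this is inferred, but its tail still frees `c`, which suggests it passes operands in the old order. If so, the xv*madd/xv*msub forms would compute with the wrong registers after this patch, and the generator should be checked against the new convention. It would also help to state the contract in the macro comment, e.g. ` * s1, s2, s3 - sources; the helper computes s1 * s3 + s2, so the addend is passed second`.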
@@ -0,0 +1,271 @@ +From 398f9a84ac7132e38caf7b066273734b3bf619ff Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:45:06 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() take MemTxAttrs argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Let devices specify transaction attributes when calling ld*_pci_dma(). + +Keep the default MEMTXATTRS_UNSPECIFIED in the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=398f9a84ac7132e38caf7b066273734b3bf619ff] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-22-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 19 +++++++++++++------ + hw/net/tulip.c | 18 ++++++++++-------- + hw/scsi/megasas.c | 16 ++++++++++------ + hw/scsi/mptsas.c | 10 ++++++---- + hw/scsi/vmw_pvscsi.c | 3 ++- + hw/usb/hcd-xhci.c | 1 + + include/hw/pci/pci.h | 6 +++--- + 8 files changed, 46 insertions(+), 29 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 3309ae0..e34b7ab 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4*rp); ++ verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 83c4431..eb82e9c 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -737,6 +737,7 @@ static void read_cb(EEPRO100State *s) + + static void tx_command(EEPRO100State *s) + { ++ const MemTxAttrs attrs = 
MEMTXATTRS_UNSPECIFIED; + uint32_t tbd_array = s->tx.tbd_array_addr; + uint16_t tcb_bytes = s->tx.tcb_bytes & 0x3fff; + /* Sends larger than MAX_ETH_FRAME_SIZE are allowed, up to 2600 bytes. */ +@@ -772,11 +773,14 @@ static void tx_command(EEPRO100State *s) + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { + uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address); ++ tbd_address, ++ attrs); + uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4); ++ tbd_address + 4, ++ attrs); + uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6); ++ tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -792,9 +796,12 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); ++ uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, ++ attrs); ++ uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, ++ attrs); ++ uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, ++ attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index 1f2c79d..c76e486 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -70,16 +70,18 @@ static const VMStateDescription vmstate_pci_tulip = { + static void tulip_desc_read(TULIPState *s, hwaddr p, + struct tulip_descriptor *desc) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = 
ldl_be_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_be_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_be_pci_dma(&s->dev, p + 12, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12); ++ desc->status = ldl_le_pci_dma(&s->dev, p, attrs); ++ desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); ++ desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); ++ desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index b5e8b14..98b1370 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,7 +202,9 @@ static uint64_t megasas_frame_get_context(MegasasState *s, + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context)); ++ return ldq_le_pci_dma(pci, ++ frame + offsetof(struct mfi_frame_header, context), ++ MEMTXATTRS_UNSPECIFIED); + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -534,7 +536,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -565,14 +568,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + 
trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -637,6 +640,7 @@ static void megasas_abort_command(MegasasCmd *cmd) + + static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pcid = PCI_DEVICE(s); + uint32_t pa_hi, pa_lo; + hwaddr iq_pa, initq_size = sizeof(struct mfi_init_qinfo); +@@ -675,9 +679,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa); ++ s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa); ++ s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index f6c7765..ac9f4df 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -172,14 +172,15 @@ static const int mpi_request_sizes[] = { + static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t *sgaddr) + { ++ const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + PCIDevice *pci = (PCIDevice *) s; + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldq_le_pci_dma(pci, *sgaddr + 4, 
attrs); + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4); ++ addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); + *sgaddr += 8; + } + return addr; +@@ -203,7 +204,7 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr); ++ flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -234,7 +235,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr); ++ flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 59c3e8b..33e16f9 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -52,7 +52,8 @@ + + #define RS_GET_FIELD(m, field) \ + (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ +- (m)->rs_pa + offsetof(struct PVSCSIRingsState, field))) ++ (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ ++ MEMTXATTRS_UNSPECIFIED)) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index da5a407..14bdb89 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3440,6 +3440,7 @@ static int usb_xhci_post_load(void *opaque, int version_id) + } + ldq_le_dma(xhci->as, dcbaap + 8 * slotid, &addr, MEMTXATTRS_UNSPECIFIED); + slot->ctx = xhci_mask64(addr); ++ + xhci_dma_read_u32s(xhci, slot->ctx, slot_ctx, sizeof(slot_ctx)); + slot->uport = 
xhci_lookup_uport(xhci, slot_ctx); + if (!slot->uport) { +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 9f51ef2..7a46c1f 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -852,11 +852,11 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + + #define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ + static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr) \ ++ dma_addr_t addr, \ ++ MemTxAttrs attrs) \ + { \ + uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, \ +- MEMTXATTRS_UNSPECIFIED); \ ++ ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ + static inline void st##_s##_pci_dma(PCIDevice *dev, \ +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch b/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch new file mode 100644 index 0000000000..11d732ac13 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch 
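Review bot: The header carries `CVE: CVE-2021-3611`, yet the patch only threads a `MemTxAttrs` parameter through `ld*_pci_dma()`, and every caller it touches still passes `MEMTXATTRS_UNSPECIFIED`, so nothing here changes behaviour. If the layer's CVE tracking keys off that tag (worth confirming), the CVE would be reported as patched even when the patches that actually change behaviour are dropped in a later rebase. The same applies to `0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch`. I would add a line to the description such as `Prerequisite refactoring for the CVE-2021-3611 fix; no functional change on its own.` The `hcd-xhci.c` hunk adds only a blank line and could be dropped from the backport.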
@@ -0,0 +1,174 @@ +From 1c1f82fbf0a434948b041eb35c671137628d5538 Mon Sep 17 00:00:00 2001 +From: Matheus Ferst <matheus.ferst@eldorado.org.br> +Date: Wed, 2 Mar 2022 06:51:38 +0100 +Subject: [PATCH 21/21] target/ppc: implement xs[n]maddqp[o]/xs[n]msubqp[o] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement the following PowerISA v3.0 instuctions: +xsmaddqp[o]: VSX Scalar Multiply-Add Quad-Precision [using round to Odd] +xsmsubqp[o]: VSX Scalar Multiply-Subtract Quad-Precision [using round + to Odd] +xsnmaddqp[o]: VSX Scalar Negative Multiply-Add Quad-Precision [using + round to Odd] +xsnmsubqp[o]: VSX Scalar Negative Multiply-Subtract Quad-Precision + [using round to Odd] + +Upstream-Status: Backport +[https://git.qemu.org/?p=qemu.git;a=commit;h=3bb1aed246d7b59ceee625a82628f7369d492a8f] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Matheus Ferst <matheus.ferst@eldorado.org.br> +Message-Id: <20220225210936.1749575-38-matheus.ferst@eldorado.org.br> +Signed-off-by: Cédric Le Goater <clg@kaod.org> +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + target/ppc/fpu_helper.c | 42 +++++++++++++++++++++++++++++ + target/ppc/helper.h | 9 +++++++ + target/ppc/insn32.decode | 4 +++ + target/ppc/translate/vsx-impl.c.inc | 25 +++++++++++++++++ + 4 files changed, 80 insertions(+) + +diff --git a/target/ppc/fpu_helper.c b/target/ppc/fpu_helper.c +index 853e5f6029..bdbbdb3b11 100644 +--- a/target/ppc/fpu_helper.c ++++ b/target/ppc/fpu_helper.c +@@ -2102,6 +2102,48 @@ VSX_MADD(xvmsubsp, 4, float32, VsrW(i), MSUB_FLGS, 0, 0) + VSX_MADD(xvnmaddsp, 4, float32, VsrW(i), NMADD_FLGS, 0, 0) + VSX_MADD(xvnmsubsp, 4, float32, VsrW(i), NMSUB_FLGS, 0, 0) + ++/* ++ * VSX_MADDQ - VSX floating point quad-precision muliply/add ++ * op - instruction mnemonic ++ * maddflgs - flags for the float*muladd routine that control the ++ * various forms (madd, msub, nmadd, nmsub) ++ * ro - round to odd ++ 
*/ ++#define VSX_MADDQ(op, maddflgs, ro) \ ++void helper_##op(CPUPPCState *env, ppc_vsr_t *xt, ppc_vsr_t *s1, ppc_vsr_t *s2,\ ++ ppc_vsr_t *s3) \ ++{ \ ++ ppc_vsr_t t = *xt; \ ++ \ ++ helper_reset_fpstatus(env); \ ++ \ ++ float_status tstat = env->fp_status; \ ++ set_float_exception_flags(0, &tstat); \ ++ if (ro) { \ ++ tstat.float_rounding_mode = float_round_to_odd; \ ++ } \ ++ t.f128 = float128_muladd(s1->f128, s3->f128, s2->f128, maddflgs, &tstat); \ ++ env->fp_status.float_exception_flags |= tstat.float_exception_flags; \ ++ \ ++ if (unlikely(tstat.float_exception_flags & float_flag_invalid)) { \ ++ float_invalid_op_madd(env, tstat.float_exception_flags, \ ++ false, GETPC()); \ ++ } \ ++ \ ++ helper_compute_fprf_float128(env, t.f128); \ ++ *xt = t; \ ++ do_float_check_status(env, GETPC()); \ ++} ++ ++VSX_MADDQ(XSMADDQP, MADD_FLGS, 0) ++VSX_MADDQ(XSMADDQPO, MADD_FLGS, 1) ++VSX_MADDQ(XSMSUBQP, MSUB_FLGS, 0) ++VSX_MADDQ(XSMSUBQPO, MSUB_FLGS, 1) ++VSX_MADDQ(XSNMADDQP, NMADD_FLGS, 0) ++VSX_MADDQ(XSNMADDQPO, NMADD_FLGS, 1) ++VSX_MADDQ(XSNMSUBQP, NMSUB_FLGS, 0) ++VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0) ++ + /* + * VSX_SCALAR_CMP_DP - VSX scalar floating point compare double precision + * op - instruction mnemonic +diff --git a/target/ppc/helper.h b/target/ppc/helper.h +index e147b37644..b5080c4955 100644 +--- a/target/ppc/helper.h ++++ b/target/ppc/helper.h +@@ -444,6 +444,15 @@ DEF_HELPER_5(XSMSUBSP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_5(XSNMADDSP, void, env, vsr, vsr, vsr, vsr) + DEF_HELPER_5(XSNMSUBSP, void, env, vsr, vsr, vsr, vsr) + ++DEF_HELPER_5(XSMADDQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMADDQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSMSUBQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMADDQPO, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBQP, void, env, vsr, vsr, vsr, vsr) ++DEF_HELPER_5(XSNMSUBQPO, void, 
env, vsr, vsr, vsr, vsr) ++ + DEF_HELPER_4(xvadddp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvsubdp, void, env, vsr, vsr, vsr) + DEF_HELPER_4(xvmuldp, void, env, vsr, vsr, vsr) +diff --git a/target/ppc/insn32.decode b/target/ppc/insn32.decode +index 0ff8818084..6bcb1e6804 100644 +--- a/target/ppc/insn32.decode ++++ b/target/ppc/insn32.decode +@@ -457,21 +457,25 @@ XSMADDADP 111100 ..... ..... ..... 00100001 . . . @XX3 + XSMADDMDP 111100 ..... ..... ..... 00101001 . . . @XX3 + XSMADDASP 111100 ..... ..... ..... 00000001 . . . @XX3 + XSMADDMSP 111100 ..... ..... ..... 00001001 . . . @XX3 ++XSMADDQP 111111 ..... ..... ..... 0110000100 . @X_rc + + XSMSUBADP 111100 ..... ..... ..... 00110001 . . . @XX3 + XSMSUBMDP 111100 ..... ..... ..... 00111001 . . . @XX3 + XSMSUBASP 111100 ..... ..... ..... 00010001 . . . @XX3 + XSMSUBMSP 111100 ..... ..... ..... 00011001 . . . @XX3 ++XSMSUBQP 111111 ..... ..... ..... 0110100100 . @X_rc + + XSNMADDASP 111100 ..... ..... ..... 10000001 . . . @XX3 + XSNMADDMSP 111100 ..... ..... ..... 10001001 . . . @XX3 + XSNMADDADP 111100 ..... ..... ..... 10100001 . . . @XX3 + XSNMADDMDP 111100 ..... ..... ..... 10101001 . . . @XX3 ++XSNMADDQP 111111 ..... ..... ..... 0111000100 . @X_rc + + XSNMSUBASP 111100 ..... ..... ..... 10010001 . . . @XX3 + XSNMSUBMSP 111100 ..... ..... ..... 10011001 . . . @XX3 + XSNMSUBADP 111100 ..... ..... ..... 10110001 . . . @XX3 + XSNMSUBMDP 111100 ..... ..... ..... 10111001 . . . @XX3 ++XSNMSUBQP 111111 ..... ..... ..... 0111100100 . 
@X_rc + + ## VSX splat instruction + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 90d3ac665b..4253f01319 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -1249,6 +1249,31 @@ TRANS_FLAGS2(VSX207, XSNMADDMSP, do_xsmadd_XX3, false, gen_helper_XSNMADDSP) + TRANS_FLAGS2(VSX207, XSNMSUBASP, do_xsmadd_XX3, true, gen_helper_XSNMSUBSP) + TRANS_FLAGS2(VSX207, XSNMSUBMSP, do_xsmadd_XX3, false, gen_helper_XSNMSUBSP) + ++static bool do_xsmadd_X(DisasContext *ctx, arg_X_rc *a, ++ void (*gen_helper)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr), ++ void (*gen_helper_ro)(TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr, TCGv_ptr)) ++{ ++ int vrt, vra, vrb; ++ ++ REQUIRE_INSNS_FLAGS2(ctx, ISA300); ++ REQUIRE_VSX(ctx); ++ ++ vrt = a->rt + 32; ++ vra = a->ra + 32; ++ vrb = a->rb + 32; ++ ++ if (a->rc) { ++ return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper_ro); ++ } ++ ++ return do_xsmadd(ctx, vrt, vra, vrt, vrb, gen_helper); ++} ++ ++TRANS(XSMADDQP, do_xsmadd_X, gen_helper_XSMADDQP, gen_helper_XSMADDQPO) ++TRANS(XSMSUBQP, do_xsmadd_X, gen_helper_XSMSUBQP, gen_helper_XSMSUBQPO) ++TRANS(XSNMADDQP, do_xsmadd_X, gen_helper_XSNMADDQP, gen_helper_XSNMADDQPO) ++TRANS(XSNMSUBQP, do_xsmadd_X, gen_helper_XSNMSUBQP, gen_helper_XSNMSUBQPO) ++ + #define GEN_VSX_HELPER_VSX_MADD(name, op1, aop, mop, inval, type) \ + static void gen_##name(DisasContext *ctx) \ + { \ +-- +2.17.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..e52a45b90f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch 
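Review bot: The last helper instantiation, `VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 0)`, passes `ro = 0`, while the other three round-to-odd variants (`XSMADDQPO`, `XSMSUBQPO`, `XSNMADDQPO`) pass `1`. As written, `tstat.float_rounding_mode = float_round_to_odd` is never applied for `xsnmsubqpo`, so that instruction would round with the current FPSCR mode and behave exactly like `xsnmsubqp`. This looks like a copy-paste slip, and the line should read `VSX_MADDQ(XSNMSUBQPO, NMSUB_FLGS, 1)`. Since the patch is marked `Upstream-Status: Backport`, check whether upstream has the same value and note any deviation in the patch header.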
@@ -0,0 +1,47 @@ +From 6bebb270731758fae3114b7d24c2b12b7c325cc5 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:47:30 +0100 +Subject: [PATCH] pci: Let st*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +st*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=6bebb270731758fae3114b7d24c2b12b7c325cc5] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-23-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + include/hw/pci/pci.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index 7a46c1f..c90cecc 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -859,12 +859,12 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ + return val; \ + } \ +- static inline void st##_s##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- uint##_bits##_t val, \ +- MemTxAttrs attrs) \ ++ static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t val, \ ++ MemTxAttrs attrs) \ + { \ +- st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ return st##_s##_dma(pci_get_address_space(dev), addr, val, attrs); \ + } + + PCI_DMA_DEFINE_LDST(ub, b, 8); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch new file mode 100644 index 0000000000..6bd6350f44 --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch 
@@ -0,0 +1,296 @@ +From 4a63054bce23982b99f4d3c65528e47e614086b2 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Fri, 17 Dec 2021 23:49:30 +0100 +Subject: [PATCH] pci: Let ld*_pci_dma() propagate MemTxResult +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +ld*_dma() returns a MemTxResult type. Do not discard +it, return it to the caller. + +Update the few callers. + +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=4a63054bce23982b99f4d3c65528e47e614086b2] + +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211223115554.3155328-24-philmd@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 2 +- + hw/net/eepro100.c | 25 ++++++++++--------------- + hw/net/tulip.c | 16 ++++++++-------- + hw/scsi/megasas.c | 21 ++++++++++++--------- + hw/scsi/mptsas.c | 16 +++++++++++----- + hw/scsi/vmw_pvscsi.c | 16 ++++++++++------ + include/hw/pci/pci.h | 17 ++++++++--------- + 7 files changed, 60 insertions(+), 53 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index e34b7ab..2b55d52 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -335,7 +335,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + rp = (d->corb_rp + 1) & 0xff; + addr = intel_hda_addr(d->corb_lbase, d->corb_ubase); +- verb = ldl_le_pci_dma(&d->pci, addr + 4 * rp, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(&d->pci, addr + 4 * rp, &verb, MEMTXATTRS_UNSPECIFIED); + d->corb_rp = rp; + + dprint(d, 2, "%s: [rp 0x%x] verb 0x%08x\n", __func__, rp, verb); +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index eb82e9c..679f52f 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -769,18 +769,16 @@ static void tx_command(EEPRO100State *s) + } else { + /* Flexible mode. 
*/ + uint8_t tbd_count = 0; ++ uint32_t tx_buffer_address; ++ uint16_t tx_buffer_size; ++ uint16_t tx_buffer_el; ++ + if (s->has_extended_tcb_support && !(s->configuration[6] & BIT(4))) { + /* Extended Flexible TCB. */ + for (; tbd_count < 2; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, +- tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, +- tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, +- tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (extended flexible mode): buffer address 0x%08x, size 0x%04x\n", +@@ -796,12 +794,9 @@ static void tx_command(EEPRO100State *s) + } + tbd_address = tbd_array; + for (; tbd_count < s->tx.tbd_count; tbd_count++) { +- uint32_t tx_buffer_address = ldl_le_pci_dma(&s->dev, tbd_address, +- attrs); +- uint16_t tx_buffer_size = lduw_le_pci_dma(&s->dev, tbd_address + 4, +- attrs); +- uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6, +- attrs); ++ ldl_le_pci_dma(&s->dev, tbd_address, &tx_buffer_address, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 4, &tx_buffer_size, attrs); ++ lduw_le_pci_dma(&s->dev, tbd_address + 6, &tx_buffer_el, attrs); + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (flexible mode): buffer address 0x%08x, size 0x%04x\n", +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index c76e486..d5b6cc5 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -73,15 +73,15 @@ static void tulip_desc_read(TULIPState *s, hwaddr p, + const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; + + if (s->csr[0] & CSR0_DBO) { +- desc->status = ldl_be_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_be_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_be_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = 
ldl_be_pci_dma(&s->dev, p + 12, attrs); ++ ldl_be_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_be_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_be_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_be_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } else { +- desc->status = ldl_le_pci_dma(&s->dev, p, attrs); +- desc->control = ldl_le_pci_dma(&s->dev, p + 4, attrs); +- desc->buf_addr1 = ldl_le_pci_dma(&s->dev, p + 8, attrs); +- desc->buf_addr2 = ldl_le_pci_dma(&s->dev, p + 12, attrs); ++ ldl_le_pci_dma(&s->dev, p, &desc->status, attrs); ++ ldl_le_pci_dma(&s->dev, p + 4, &desc->control, attrs); ++ ldl_le_pci_dma(&s->dev, p + 8, &desc->buf_addr1, attrs); ++ ldl_le_pci_dma(&s->dev, p + 12, &desc->buf_addr2, attrs); + } + } + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 98b1370..dc9bbdb 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -202,9 +202,12 @@ static uint64_t megasas_frame_get_context(MegasasState *s, + unsigned long frame) + { + PCIDevice *pci = &s->parent_obj; +- return ldq_le_pci_dma(pci, +- frame + offsetof(struct mfi_frame_header, context), +- MEMTXATTRS_UNSPECIFIED); ++ uint64_t val; ++ ++ ldq_le_pci_dma(pci, frame + offsetof(struct mfi_frame_header, context), ++ &val, MEMTXATTRS_UNSPECIFIED); ++ ++ return val; + } + + static bool megasas_frame_is_ieee_sgl(MegasasCmd *cmd) +@@ -536,8 +539,8 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + s->busy++; + + if (s->consumer_pa) { +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, ++ MEMTXATTRS_UNSPECIFIED); + } + trace_megasas_qf_enqueue(cmd->index, cmd->count, cmd->context, + s->reply_queue_head, s->reply_queue_tail, s->busy); +@@ -568,14 +571,14 @@ static void megasas_complete_frame(MegasasState *s, uint64_t context) + stl_le_pci_dma(pci_dev, s->reply_queue_pa + queue_offset, + context, attrs); + } +- s->reply_queue_tail = 
ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + trace_megasas_qf_complete(context, s->reply_queue_head, + s->reply_queue_tail, s->busy); + } + + if (megasas_intr_enabled(s)) { + /* Update reply queue pointer */ +- s->reply_queue_tail = ldl_le_pci_dma(pci_dev, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pci_dev, s->consumer_pa, &s->reply_queue_tail, attrs); + tail = s->reply_queue_head; + s->reply_queue_head = megasas_next_index(s, tail, s->fw_cmds); + trace_megasas_qf_update(s->reply_queue_head, s->reply_queue_tail, +@@ -679,9 +682,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd) + pa_lo = le32_to_cpu(initq->pi_addr_lo); + pa_hi = le32_to_cpu(initq->pi_addr_hi); + s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo; +- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->producer_pa, &s->reply_queue_head, attrs); + s->reply_queue_head %= MEGASAS_MAX_FRAMES; +- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa, attrs); ++ ldl_le_pci_dma(pcid, s->consumer_pa, &s->reply_queue_tail, attrs); + s->reply_queue_tail %= MEGASAS_MAX_FRAMES; + flags = le32_to_cpu(initq->flags); + if (flags & MFI_QUEUE_FLAG_CONTEXT64) { +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index ac9f4df..5181b0c 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -177,10 +177,16 @@ static dma_addr_t mptsas_ld_sg_base(MPTSASState *s, uint32_t flags_and_length, + dma_addr_t addr; + + if (flags_and_length & MPI_SGE_FLAGS_64_BIT_ADDRESSING) { +- addr = ldq_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint64_t addr64; ++ ++ ldq_le_pci_dma(pci, *sgaddr + 4, &addr64, attrs); ++ addr = addr64; + *sgaddr += 12; + } else { +- addr = ldl_le_pci_dma(pci, *sgaddr + 4, attrs); ++ uint32_t addr32; ++ ++ ldl_le_pci_dma(pci, *sgaddr + 4, &addr32, attrs); ++ addr = addr32; + *sgaddr += 8; + } + return addr; +@@ -204,7 +210,7 @@ static int mptsas_build_sgl(MPTSASState *s, 
MPTSASRequest *req, hwaddr addr) + dma_addr_t addr, len; + uint32_t flags_and_length; + +- flags_and_length = ldl_le_pci_dma(pci, sgaddr, MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED); + len = flags_and_length & MPI_SGE_LENGTH_MASK; + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_SIMPLE_ELEMENT || +@@ -235,8 +241,8 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr) + break; + } + +- flags_and_length = ldl_le_pci_dma(pci, next_chain_addr, +- MEMTXATTRS_UNSPECIFIED); ++ ldl_le_pci_dma(pci, next_chain_addr, &flags_and_length, ++ MEMTXATTRS_UNSPECIFIED); + if ((flags_and_length & MPI_SGE_FLAGS_ELEMENT_TYPE_MASK) + != MPI_SGE_FLAGS_CHAIN_ELEMENT) { + return MPI_IOCSTATUS_INVALID_SGL; +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 33e16f9..4d9969f 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -50,10 +50,10 @@ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +-#define RS_GET_FIELD(m, field) \ +- (ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ ++#define RS_GET_FIELD(pval, m, field) \ ++ ldl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), \ +- MEMTXATTRS_UNSPECIFIED)) ++ pval, MEMTXATTRS_UNSPECIFIED) + #define RS_SET_FIELD(m, field, val) \ + (stl_le_pci_dma(&container_of(m, PVSCSIState, rings)->parent_obj, \ + (m)->rs_pa + offsetof(struct PVSCSIRingsState, field), val, \ +@@ -249,10 +249,11 @@ pvscsi_ring_cleanup(PVSCSIRingInfo *mgr) + static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { +- uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ready_ptr; + uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING + * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + ++ RS_GET_FIELD(&ready_ptr, mgr, reqProdIdx); + if (ready_ptr != mgr->consumed_ptr + && ready_ptr - mgr->consumed_ptr < 
ring_size) { + uint32_t next_ready_ptr = +@@ -323,8 +324,11 @@ pvscsi_ring_flush_cmp(PVSCSIRingInfo *mgr) + static bool + pvscsi_ring_msg_has_room(PVSCSIRingInfo *mgr) + { +- uint32_t prodIdx = RS_GET_FIELD(mgr, msgProdIdx); +- uint32_t consIdx = RS_GET_FIELD(mgr, msgConsIdx); ++ uint32_t prodIdx; ++ uint32_t consIdx; ++ ++ RS_GET_FIELD(&prodIdx, mgr, msgProdIdx); ++ RS_GET_FIELD(&consIdx, mgr, msgConsIdx); + + return (prodIdx - consIdx) < (mgr->msg_len_mask + 1); + } +diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h +index c90cecc..5b36334 100644 +--- a/include/hw/pci/pci.h ++++ b/include/hw/pci/pci.h +@@ -850,15 +850,14 @@ static inline MemTxResult pci_dma_write(PCIDevice *dev, dma_addr_t addr, + DMA_DIRECTION_FROM_DEVICE, MEMTXATTRS_UNSPECIFIED); + } + +-#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ +- static inline uint##_bits##_t ld##_l##_pci_dma(PCIDevice *dev, \ +- dma_addr_t addr, \ +- MemTxAttrs attrs) \ +- { \ +- uint##_bits##_t val; \ +- ld##_l##_dma(pci_get_address_space(dev), addr, &val, attrs); \ +- return val; \ +- } \ ++#define PCI_DMA_DEFINE_LDST(_l, _s, _bits) \ ++ static inline MemTxResult ld##_l##_pci_dma(PCIDevice *dev, \ ++ dma_addr_t addr, \ ++ uint##_bits##_t *val, \ ++ MemTxAttrs attrs) \ ++ { \ ++ return ld##_l##_dma(pci_get_address_space(dev), addr, val, attrs); \ ++ } \ + static inline MemTxResult st##_s##_pci_dma(PCIDevice *dev, \ + dma_addr_t addr, \ + uint##_bits##_t val, \ +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch new file mode 100644 index 0000000000..aff91a7355 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14394.patch 
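Review bot: Every caller converted in this patch discards the MemTxResult that ld*_pci_dma() now returns, so a failed DMA read leaves the destination unset and the code goes on to use it. In tx_command() (hw/net/eepro100.c) `tx_buffer_address`, `tx_buffer_size` and `tx_buffer_el` are now declared once, without initialisers, outside both loops, so a failed read can also reuse the previous iteration's values; megasas_frame_get_context() returns `val` and mptsas_ld_sg_base() assigns from `addr64`/`addr32` in the same way. Whether the underlying ld*_dma() helper writes the out-parameter on failure is not visible here, so the new locals should at least be zero-initialised (`uint64_t val = 0;`). Where an error path already exists the result should be checked, for example `if (ldl_le_pci_dma(pci, sgaddr, &flags_and_length, MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { return MPI_IOCSTATUS_INVALID_SGL; }` in mptsas_build_sgl(). These values are read from guest-controlled memory and are used as ring indices and buffer addresses; since this is a backport, the checks belong in a follow-up patch, and the enclosing functions continue outside the hunks.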
@@ -0,0 +1,79 @@ +From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Tue, 8 Aug 2023 10:44:51 +0000 +Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in + xhci_ring_chain_length() (CVE-2020-14394) + +The loop condition in xhci_ring_chain_length() is under control of +the guest, and additionally the code does not check for failed DMA +transfers (e.g. if reaching the end of the RAM), so the loop there +could run for a very long time or even forever. Fix it by checking +the return value of dma_memory_read() and by introducing a maximum +loop length. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646 +Message-Id: <20220804131300.96368-1-thuth@redhat.com> +Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com> +Acked-by: Gerd Hoffmann <kraxel@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +CVE: CVE-2020-14394 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + hw/usb/hcd-xhci.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 14bdb8967..c63a36dcc 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -21,6 +21,7 @@ + + #include "qemu/osdep.h" + #include "qemu/timer.h" ++#include "qemu/log.h" + #include "qemu/module.h" + #include "qemu/queue.h" + #include "migration/vmstate.h" +@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool control_td_set = 0; + uint32_t link_cnt = 0; + +- while (1) { ++ do { + TRBType type; +- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, +- MEMTXATTRS_UNSPECIFIED); ++ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE, ++ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) { ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n", ++ __func__); ++ return -1; ++ } + 
le64_to_cpus(&trb.parameter); + le32_to_cpus(&trb.status); + le32_to_cpus(&trb.control); +@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + if (!control_td_set && !(trb.control & TRB_TR_CH)) { + return length; + } +- } ++ ++ /* ++ * According to the xHCI spec, Transfer Ring segments should have ++ * a maximum size of 64 kB (see chapter "6 Data Structures") ++ */ ++ } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE); ++ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n", ++ __func__); ++ ++ return -1; + } + + static void xhci_er_reset(XHCIState *xhci, int v) +-- +2.35.5 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch new file mode 100644 index 0000000000..dc7990d1b7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch 
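Review bot: The new loop bound in xhci_ring_chain_length() is expressed on `length` alone, and the hunk does not show whether every iteration advances `length`. The context declares a separate `link_cnt`, which suggests link TRBs are counted elsewhere; any path that loops without incrementing `length` is not covered by `while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE)`. A comment at the condition would make the termination argument checkable, for example `/* link TRBs are bounded by link_cnt above; all other TRBs advance length */`, if that is in fact the case. The function also gains two `return -1` paths, so callers (outside this hunk) must treat a negative length as a guest error; most of the function body lies outside the hunk.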
@@ -0,0 +1,74 @@ +From be5a8cf347d0c47ee3e933dde075526fd8bd5c40 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Sat, 18 Dec 2021 17:09:10 +0100 +Subject: [PATCH] hw/audio/intel-hda: Do not ignore DMA overrun errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Per the "High Definition Audio Specification" manual (rev. 1.0a), +section "3.3.30 Offset 5Dh: RIRBSTS - RIRB Status": + + Response Overrun Interrupt Status (RIRBOIS): + + Hardware sets this bit to a 1 when an overrun occurs in the RIRB. + An interrupt may be generated if the Response Overrun Interrupt + Control bit is set. + + This bit will be set if the RIRB DMA engine is not able to write + the incoming responses to memory before additional incoming + responses overrun the internal FIFO. + + When hardware detects an overrun, it will drop the responses which + overrun the buffer and set the RIRBOIS status bit to indicate the + error condition. Optionally, if the RIRBOIC is set, the hardware + will also generate an error to alert software to the problem. + +QEMU emulates the DMA engine with the stl_le_pci_dma() calls. This +function returns a MemTxResult indicating whether the DMA access +was successful. +Handle any MemTxResult error as "DMA engine is not able to write the +incoming responses to memory" and raise the Overrun Interrupt flag +when this case occurs. 
+ +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=be5a8cf347d0c47ee3e933dde075526fd8bd5c40] + +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Message-Id: <20211218160912.1591633-2-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 5f8a878..47a36ac 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -350,6 +350,7 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; + uint32_t wp, ex; ++ MemTxResult res = MEMTX_OK; + + if (d->ics & ICH6_IRS_BUSY) { + dprint(d, 2, "%s: [irr] response 0x%x, cad 0x%x\n", +@@ -368,8 +369,12 @@ static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t res + ex = (solicited ? 0 : (1 << 4)) | dev->cad; + wp = (d->rirb_wp + 1) & 0xff; + addr = intel_hda_addr(d->rirb_lbase, d->rirb_ubase); +- stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); +- stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp, response, attrs); ++ res |= stl_le_pci_dma(&d->pci, addr + 8 * wp + 4, ex, attrs); ++ if (res != MEMTX_OK && (d->rirb_ctl & ICH6_RBCTL_OVERRUN_EN)) { ++ d->rirb_sts |= ICH6_RBSTS_OVERRUN; ++ intel_hda_update_irq(d); ++ } + d->rirb_wp = wp; + + dprint(d, 2, "%s: [wp 0x%x] response 0x%x, extra 0x%x\n", +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch new file mode 100644 index 0000000000..b79fadf3f6 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch 
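Review bot: In intel_hda_response() the overrun status bit is recorded only when `ICH6_RBCTL_OVERRUN_EN` is set, while the specification text quoted in the patch description says hardware sets RIRBOIS whenever an overrun occurs and only the interrupt is optional. If that reading is right, the status update should not depend on the enable bit, e.g. `if (res != MEMTX_OK) { d->rirb_sts |= ICH6_RBSTS_OVERRUN; }`, with the gating left to the interrupt path; whether intel_hda_update_irq() already applies that gating is not visible here. `d->rirb_wp = wp;` also still advances after a failed write, so the guest is pointed at a ring slot that was never written; a one-line comment stating that this is the intended dropped-response behaviour would help. The function continues outside the hunk.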
@@ -0,0 +1,43 @@ +From 79fa99831debc9782087e834382c577215f2f511 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Sat, 18 Dec 2021 17:09:11 +0100 +Subject: [PATCH] hw/audio/intel-hda: Restrict DMA engine to memories (not MMIO + devices) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Issue #542 reports a reentrancy problem when the DMA engine accesses +the HDA controller I/O registers. Fix by restricting the DMA engine +to memories regions (forbidding MMIO devices such the HDA controller). + +Reported-by: OSS-Fuzz (Issue 28435) +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Thomas Huth <thuth@redhat.com> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/542 +CVE: CVE-2021-3611 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=79fa99831debc9782087e834382c577215f2f511] + +Message-Id: <20211218160912.1591633-3-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/audio/intel-hda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index 47a36ac..78a47bc 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -345,7 +345,7 @@ static void intel_hda_corb_run(IntelHDAState *d) + + static void intel_hda_response(HDACodecDevice *dev, bool solicited, uint32_t response) + { +- const MemTxAttrs attrs = MEMTXATTRS_UNSPECIFIED; ++ const MemTxAttrs attrs = { .memory = true }; + HDACodecBus *bus = HDA_BUS(dev->qdev.parent_bus); + IntelHDAState *d = container_of(bus, IntelHDAState, codecs); + hwaddr addr; +-- +1.8.3.1 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch new file mode 100644 index 0000000000..3cbb34c54c --- /dev/null 
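Review bot: `{ .memory = true }` relies on the `memory` bit of MemTxAttrs, which in this series is introduced by CVE-2021-3750-3.patch (include/exec/memattrs.h), so this patch will not build unless that one is applied first. The SRC_URI ordering is outside this view and should be checked. The restriction is applied only in intel_hda_response(): intel_hda_corb_run(), touched by the ld*_pci_dma patch earlier in this commit, still passes `MEMTXATTRS_UNSPECIFIED` for its DMA read. If the CORB read is meant to stay unrestricted, a short comment there saying so would keep the two paths from looking like an oversight.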
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch 
@@ -0,0 +1,88 @@ +From 205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 Mon Sep 17 00:00:00 2001 +From: Philippe Mathieu-Daudé <philmd@redhat.com> +Date: Thu, 10 Aug 2023 07:30:54 +0000 +Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt + (CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When building QEMU with DEBUG_ATI defined then running with +'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' +we get: + + ati_mm_write 4 0x16c0 DP_CNTL <- 0x1 + ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2 + ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000 + ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2 + ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0 + ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000 + ati_mm_write 4 0x1420 DST_Y <- 0x3fff + ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff + ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff + ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff + ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^ + ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000) + Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault. + (gdb) bt + #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0 + #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0 + #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196 + #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843 + #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) 
at softmmu/memory.c:492 + +Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced +the local dst_x and dst_y which adjust the (x, y) coordinates +depending on the direction in the SRCCOPY ROP3 operation, but +forgot to address the same issue for the PATCOPY, BLACKNESS and +WHITENESS operations, which also call pixman_fill(). + +Fix that now by using the adjusted coordinates in the pixman_fill +call, and update the related debug printf(). + +Reported-by: Qiang Liu <qiangliu@zju.edu.cn> +Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts") +Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Tested-by: Mauro Matteo Cascella <mcascell@redhat.com> +Message-Id: <20210906153103.1661195-1-philmd@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +CVE: CVE-2021-3638 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + hw/display/ati_2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 4dc10ea79..692bec91d 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) + DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", + s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, + s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, +- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, ++ s->regs.src_x, s->regs.src_y, dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), + (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 
'v' : '^')); +@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride /= sizeof(uint32_t); + DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", + dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && +-- +2.40.0 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch new file mode 100644 index 0000000000..e898c20767 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch 
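Review bot: The Subject header of this patch file has the MIME headers folded into it (`... (CVE-2021-3638) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit`), and the same three headers then appear again on their own lines. The header should read `Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)` followed by a single set of MIME headers. Tools that index or match backports by subject may otherwise pick up the extra text.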
@@ -0,0 +1,59 @@ +From b9d383ab797f54ae5fa8746117770709921dc529 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:19 +0100 +Subject: [PATCH] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + +We are going to introduce more MemTxResult bits, so it is +safer to check for !MEMTX_OK rather than MEMTX_ERROR. + +Reviewed-by: Peter Xu <peterx@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529] +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index c8ff3ec..99b11ca 100644 +--- a/hw/intc/arm_gicv3_redist.c ++++ b/hw/intc/arm_gicv3_redist.c +@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != 
MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch new file mode 100644 index 0000000000..f163b4fab3 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch 
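Review bot: The author's sign-off in this patch file is mis-encoded: the trailer reads `Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com>`, although the From header declares utf8 and encodes the name correctly. The same corrupted trailer appears in CVE-2021-3750-2.patch and CVE-2021-3750-3.patch. The other patches by this author in the commit carry `Philippe Mathieu-Daudé`, which is the spelling to restore so the provenance trail of the backport matches upstream.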
@@ -0,0 +1,65 @@ +From 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:20 +0100 +Subject: [PATCH] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Remove unuseful local 'result' variables. + +Reviewed-by: Peter Xu <peterx@redhat.com> +Reviewed-by: David Hildenbrand <david@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com> +Message-Id: <20211215182421.418374-3-philmd@redhat.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9] +--- + softmmu/physmem.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 43ae70f..3d968ca 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -2826,14 +2826,11 @@ static MemTxResult flatview_write(FlatVi + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +- MemTxResult result = MEMTX_OK; + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); +- result = flatview_write_continue(fv, addr, attrs, buf, len, +- addr1, l, mr); +- +- return result; ++ return flatview_write_continue(fv, addr, attrs, buf, len, ++ addr1, l, mr); + } + + /* Called within RCU critical section. 
*/ +@@ -3130,12 +3127,10 @@ bool address_space_access_valid(AddressS + MemTxAttrs attrs) + { + FlatView *fv; +- bool result; + + RCU_READ_LOCK_GUARD(); + fv = address_space_to_flatview(as); +- result = flatview_access_valid(fv, addr, len, is_write, attrs); +- return result; ++ return flatview_access_valid(fv, addr, len, is_write, attrs); + } + + static hwaddr +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch new file mode 100644 index 0000000000..24668ad1a5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch 
@@ -0,0 +1,156 @@ +From 3ab6fdc91b72e156da22848f0003ff4225690ced Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com> +Date: Wed, 15 Dec 2021 19:24:21 +0100 +Subject: [PATCH] softmmu/physmem: Introduce MemTxAttrs::memory field and + MEMTX_ACCESS_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Add the 'memory' bit to the memory attributes to restrict bus +controller accesses to memories. + +Introduce flatview_access_allowed() to check bus permission +before running any bus transaction. + +Have read/write accessors return MEMTX_ACCESS_ERROR if an access is +restricted. + +There is no change for the default case where 'memory' is not set. + +Signed-off-by: Philippe Mathieu-DaudÃf© <philmd@redhat.com> +Message-Id: <20211215182421.418374-4-philmd@redhat.com> +Reviewed-by: Richard Henderson <richard.henderson@linaro.org> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] +Signed-off-by: Thomas Huth <thuth@redhat.com> +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +CVE: CVE-2021-3750 + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced] +--- + include/exec/memattrs.h | 9 +++++++++ + softmmu/physmem.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 51 insertions(+), 2 deletions(-) + +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h +index 95f2d20..9fb98bc 100644 +--- a/include/exec/memattrs.h ++++ b/include/exec/memattrs.h +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { + unsigned int secure:1; + /* Memory access is usermode (unprivileged) */ + unsigned int user:1; ++ /* ++ * Bus interconnect and peripherals can access anything (memories, ++ * devices) by default. By setting the 'memory' bit, bus transaction ++ * are restricted to "normal" memories (per the AMBA documentation) ++ * versus devices. 
Access to devices will be logged and rejected ++ * (see MEMTX_ACCESS_ERROR). ++ */ ++ unsigned int memory:1; + /* Requester ID (for MSI for example) */ + unsigned int requester_id:16; + /* Invert endianness for this page */ +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { + #define MEMTX_OK 0 + #define MEMTX_ERROR (1U << 0) /* device returned an error */ + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ + typedef uint32_t MemTxResult; + + #endif +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 3d968ca..4e1b27a 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -41,6 +41,7 @@ + #include "qemu/config-file.h" + #include "qemu/error-report.h" + #include "qemu/qemu-print.h" ++#include "qemu/log.h" + #include "exec/memory.h" + #include "exec/ioport.h" + #include "sysemu/dma.h" +@@ -2759,6 +2760,33 @@ static bool prepare_mmio_access(MemoryRe + return release_lock; + } + ++/** ++ * flatview_access_allowed ++ * @mr: #MemoryRegion to be accessed ++ * @attrs: memory transaction attributes ++ * @addr: address within that memory region ++ * @len: the number of bytes to access ++ * ++ * Check if a memory transaction is allowed. ++ * ++ * Returns: true if transaction is allowed, false if denied. ++ */ ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, ++ hwaddr addr, hwaddr len) ++{ ++ if (likely(!attrs.memory)) { ++ return true; ++ } ++ if (memory_region_is_ram(mr)) { ++ return true; ++ } ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Invalid access to non-RAM device at " ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " ++ "region '%s'\n", addr, len, memory_region_name(mr)); ++ return false; ++} ++ + /* Called within RCU critical section. 
*/ + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + MemTxAttrs attrs, +@@ -2773,7 +2801,10 @@ static MemTxResult flatview_write_contin + const uint8_t *buf = ptr; + + for (;;) { +- if (!memory_access_is_direct(mr, true)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, true)) { + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); + /* XXX: could force current_cpu to NULL to avoid +@@ -2818,6 +2849,9 @@ static MemTxResult flatview_write(FlatVi + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_write_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +@@ -2836,7 +2870,10 @@ MemTxResult flatview_read_continue(FlatV + + fuzz_dma_read_cb(addr, len, mr); + for (;;) { +- if (!memory_access_is_direct(mr, false)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, false)) { + /* I/O case */ + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); +@@ -2879,6 +2916,9 @@ static MemTxResult flatview_read(FlatVie + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_read_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +-- +1.8.3.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch new file mode 100644 index 0000000000..7555e5bc40 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3929.patch 
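Review bot: The pre-checks added in flatview_write() and flatview_read() call `flatview_access_allowed(mr, attrs, addr, len)` with the untranslated address and the full request length, while the helper's doc comment describes `@addr` as the address within the region and the two *_continue loops pass `addr1, l`. The denial log from those two callers therefore prints an address-space address next to a region name; either pass `addr1, l` there as well or reword the doc comment to say which address is expected. Nothing in this patch sets the new `memory` attribute (the description says the default case is unchanged), so the restriction only takes effect once a DMA caller sets `attrs.memory`; that caller is not visible here and should be confirmed as part of the same backport series. The bodies of flatview_write_continue() and flatview_read_continue() continue outside the inner hunks.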
@@ -0,0 +1,70 @@ +From 12daeafc9868c1ebe482d580494f9e6d3d5c260f Mon Sep 17 00:00:00 2001 +From: Klaus Jensen <k.jensen@samsung.com> +Date: Fri, 17 Dec 2021 10:44:01 +0100 +Subject: [PATCH] hw/nvme: fix CVE-2021-3929 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This fixes CVE-2021-3929 "locally" by denying DMA to the iomem of the +device itself. This still allows DMA to MMIO regions of other devices +(e.g. doing P2P DMA to the controller memory buffer of another NVMe +device). + +Fixes: CVE-2021-3929 +Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com> +Reviewed-by: Keith Busch <kbusch@kernel.org> +Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> +Signed-off-by: Klaus Jensen <k.jensen@samsung.com> + +Upstream-Status: Backport [736b01642d85be832385063f278fe7cd4ffb5221] +CVE: CVE-2021-3929 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/nvme/ctrl.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 5f573c417..eda52c6ac 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -357,6 +357,24 @@ static inline void *nvme_addr_to_pmr(NvmeCtrl *n, hwaddr addr) + return memory_region_get_ram_ptr(&n->pmr.dev->mr) + (addr - n->pmr.cba); + } + ++static inline bool nvme_addr_is_iomem(NvmeCtrl *n, hwaddr addr) ++{ ++ hwaddr hi, lo; ++ ++ /* ++ * The purpose of this check is to guard against invalid "local" access to ++ * the iomem (i.e. controller registers). Thus, we check against the range ++ * covered by the 'bar0' MemoryRegion since that is currently composed of ++ * two subregions (the NVMe "MBAR" and the MSI-X table/pba). Note, however, ++ * that if the device model is ever changed to allow the CMB to be located ++ * in BAR0 as well, then this must be changed. 
++ */ ++ lo = n->bar0.addr; ++ hi = lo + int128_get64(n->bar0.size); ++ ++ return addr >= lo && addr < hi; ++} ++ + static int nvme_addr_read(NvmeCtrl *n, hwaddr addr, void *buf, int size) + { + hwaddr hi = addr + size - 1; +@@ -614,6 +632,10 @@ static uint16_t nvme_map_addr(NvmeCtrl *n, NvmeSg *sg, hwaddr addr, size_t len) + + trace_pci_nvme_map_addr(addr, len); + ++ if (nvme_addr_is_iomem(n, addr)) { ++ return NVME_DATA_TRAS_ERROR; ++ } ++ + if (nvme_addr_is_cmb(n, addr)) { + cmb = true; + } else if (nvme_addr_is_pmr(n, addr)) { +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch new file mode 100644 index 0000000000..f6de53244f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-4158.patch 
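Review bot: `nvme_addr_is_iomem()` tests only the start address, and the new guard in nvme_map_addr() ignores `len`, so a mapping that begins below `bar0` and extends into it is not rejected by this check. Consider passing the length and testing for overlap, e.g. `return addr < hi && addr + len > lo;`, unless a bound on `len` that is not visible here already rules this out. As the description states, DMA to the MMIO regions of other devices is still allowed, so this is a local mitigation only. nvme_map_addr() continues outside the hunk.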
@@ -0,0 +1,46 @@ +From a0b64c6d078acb9bcfae600e22bf99a9a7deca7c Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" <mst@redhat.com> +Date: Tue, 21 Dec 2021 09:45:44 -0500 +Subject: [PATCH] acpi: validate hotplug selector on access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bus is looked up on a pci write, we didn't +validate that the lookup succeeded. +Fuzzers thus can trigger QEMU crash by dereferencing the NULL +bus pointer. + +Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device") +Fixes: CVE-2021-4158 +Cc: "Igor Mammedov" <imammedo@redhat.com> +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Reviewed-by: Ani Sinha <ani@anisinha.ca> + +Upstream-Status: Backport [9bd6565ccee68f72d5012e24646e12a1c662827e] +CVE: CVE-2021-4158 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/acpi/pcihp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +index 30405b511..a5e182dd3 100644 +--- a/hw/acpi/pcihp.c ++++ b/hw/acpi/pcihp.c +@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data, + } + + bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); ++ if (!bus) { ++ break; ++ } + QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) { + Object *o = OBJECT(kid->child); + PCIDevice *dev = PCI_DEVICE(o); +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch new file mode 100644 index 0000000000..de7458fc72 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch 
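Review bot: The new `if (!bus) { break; }` drops the write silently; a one-line comment would tell the next reader why a missing bus is expected, for example `/* hotplug_select is guest-controlled; no bus for this selector, ignore the write */`. That the selector is guest-controlled is inferred from the description (a fuzzer-triggered NULL dereference on a PCI write), not from the hunk. pci_write() starts and ends outside the hunk, so the `switch` case this `break` leaves is not visible here.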
@@ -0,0 +1,42 @@ +From 1cedc914b2c4b4e0c9dfcd1b0e02917af35b5eb6 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Tue, 5 Jul 2022 22:05:43 +0200 +Subject: [PATCH 1/3] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout + (CVE-2022-0216) + +Set current_req->req to NULL to prevent reusing a free'd buffer in case of +repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-Id: <20220705200543.2366809-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 85e907a78..8033cf050 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1029,8 +1029,9 @@ static void lsi_do_msgout(LSIState *s) + case 0x0d: + /* The ABORT TAG message clears the current I/O process only. */ + trace_lsi_do_msgout_abort(current_tag); +- if (current_req) { ++ if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); ++ current_req->req = NULL; + } + lsi_disconnect(s); + break; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch new file mode 100644 index 0000000000..12f5a602da --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch 
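Review bot: Clearing `current_req->req` after `scsi_req_cancel()` is described by the follow-up CVE-2022-0216_2.patch as not sufficient (it replaces this line with `current_req = NULL;` and extends the fix to the CLEAR QUEUE and BUS DEVICE RESET messages), so this patch must not be carried on its own. Both files need to be listed in the recipe in this order; the SRC_URI change is not visible in this chunk. The subjects read `PATCH 1/3` and `PATCH 3/3`, so it is worth recording in the patch header why 2/3 is not part of the backport. lsi_do_msgout() continues outside the hunk.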
@@ -0,0 +1,52 @@ +From 8f2c2cb908758192d5ebc00605cbf0989b8a507c Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Mon, 11 Jul 2022 14:33:16 +0200 +Subject: [PATCH 3/3] scsi/lsi53c895a: really fix use-after-free in + lsi_do_msgout (CVE-2022-0216) + +Set current_req to NULL, not current_req->req, to prevent reusing a free'd +buffer in case of repeated SCSI cancel requests. Also apply the fix to +CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel +the request. + +Thanks to Alexander Bulekov for providing a reproducer. + +Fixes: CVE-2022-0216 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972 +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Tested-by: Alexander Bulekov <alxndr@bu.edu> +Message-Id: <20220711123316.421279-1-mcascell@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac] +CVE: CVE-2022-0216 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + hw/scsi/lsi53c895a.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 8033cf050..fbe3fa3dd 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -1031,7 +1031,7 @@ static void lsi_do_msgout(LSIState *s) + trace_lsi_do_msgout_abort(current_tag); + if (current_req && current_req->req) { + scsi_req_cancel(current_req->req); +- current_req->req = NULL; ++ current_req = NULL; + } + lsi_disconnect(s); + break; +@@ -1057,6 +1057,7 @@ static void lsi_do_msgout(LSIState *s) + /* clear the current I/O process */ + if (s->current) { + scsi_req_cancel(s->current->req); ++ current_req = NULL; + } + + /* As the current implemented devices scsi_disk and scsi_generic +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch new file mode 100644 index 0000000000..8eb1475638 --- /dev/null 
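Review bot: In the second hunk the added `current_req = NULL;` sits inside `if (s->current)`, which cancels `s->current->req` rather than `current_req->req`; whether the two always refer to the same request cannot be told from the hunk. A short comment stating why the local pointer is reset there, e.g. `/* request was cancelled above; do not use it again below */`, would make the intent checkable. lsi_do_msgout() starts and ends outside both hunks.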
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-0358.patch 
@@ -0,0 +1,106 @@ +From 4d2558ec9336d3614a43f7437c9cf74793ae3a87 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal <vgoyal@redhat.com> +Date: Tue, 25 Jan 2022 13:51:14 -0500 +Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups + (CVE-2022-0358) + +At the start, drop membership of all supplementary groups. This is +not required. + +If we have membership of "root" supplementary group and when we switch +uid/gid using setresuid/setsgid, we still retain membership of existing +supplemntary groups. And that can allow some operations which are not +normally allowed. + +For example, if root in guest creates a dir as follows. + +$ mkdir -m 03777 test_dir + +This sets SGID on dir as well as allows unprivileged users to write into +this dir. + +And now as unprivileged user open file as follows. + +$ su test +$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); + +This will create SGID set executable in test_dir/. + +And that's a problem because now an unpriviliged user can execute it, +get egid=0 and get access to resources owned by "root" group. This is +privilege escalation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 +Fixes: CVE-2022-0358 +Reported-by: JIETAO XIAO <shawtao1125@gmail.com> +Suggested-by: Miklos Szeredi <mszeredi@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> +Signed-off-by: Vivek Goyal <vgoyal@redhat.com> +Message-Id: <YfBGoriS38eBQrAb@redhat.com> +Signed-off-by: Dr. 
David Alan Gilbert <dgilbert@redhat.com> + dgilbert: Fixed missing {}'s style nit + +Upstream-Status: Backport [449e8171f96a6a944d1f3b7d3627ae059eae21ca] +CVE: CVE-2022-0358 + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index 64b5b4fbb..b3d0674f6 100644 +--- a/tools/virtiofsd/passthrough_ll.c ++++ b/tools/virtiofsd/passthrough_ll.c +@@ -54,6 +54,7 @@ + #include <sys/wait.h> + #include <sys/xattr.h> + #include <syslog.h> ++#include <grp.h> + + #include "qemu/cutils.h" + #include "passthrough_helpers.h" +@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) + #define OURSYS_setresuid SYS_setresuid + #endif + ++static void drop_supplementary_groups(void) ++{ ++ int ret; ++ ++ ret = getgroups(0, NULL); ++ if (ret == -1) { ++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++ exit(1); ++ } ++ ++ if (!ret) { ++ return; ++ } ++ ++ /* Drop all supplementary groups. We should not need it */ ++ ret = setgroups(0, NULL); ++ if (ret == -1) { ++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++ exit(1); ++ } ++} ++ + /* + * Change to uid/gid of caller so that file is created with + * ownership of caller. +@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[]) + + qemu_init_exec_dir(argv[0]); + ++ drop_supplementary_groups(); ++ + pthread_mutex_init(&lo.mutex, NULL); + lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal); + lo.root.fd = -1; +-- +2.33.0 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch new file mode 100644 index 0000000000..a7d061eb99 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch 
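Review bot: `drop_supplementary_groups()` calls `exit(1)` when `setgroups(0, NULL)` fails, so a virtiofsd started with supplementary groups but without the privilege to change them now terminates at startup; if that configuration is supported (not visible here), it needs documentation or a distinct error path. The comment `We should not need it` would be more useful if it recorded the reason given in the description, e.g. `/* Drop supplementary groups so a later uid/gid switch does not keep root's group memberships */`. The call is placed in main() right after `qemu_init_exec_dir()`; main() continues outside the hunk, so its position relative to other privilege-changing steps cannot be checked from here.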
@@ -0,0 +1,61 @@ +From a15f7d9913d050fb72a79bbbefa5c2329d92e71d Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Tue, 8 Nov 2022 17:10:00 +0530 +Subject: [PATCH] CVE-2022-3165 + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/d307040b18] +CVE: CVE-2022-3165 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +ui/vnc-clipboard: fix integer underflow in vnc_client_cut_text_ext + +Extended ClientCutText messages start with a 4-byte header. If len < 4, +an integer underflow occurs in vnc_client_cut_text_ext. The result is +used to decompress data in a while loop in inflate_buffer, leading to +CPU consumption and denial of service. Prevent this by checking dlen in +protocol_client_msg. + +Fixes: CVE-2022-3165 + +("ui/vnc: clipboard support") +Reported-by: default avatarTangPeng <tangpeng@qianxin.com> +Signed-off-by: Mauro Matteo Cascella's avatarMauro Matteo Cascella <mcascell@redhat.com> +Message-Id: <20220925204511.1103214-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann's avatarGerd Hoffmann <kraxel@redhat.com> +--- + ui/vnc.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index af02522e8..a14b6861b 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + if (len == 1) { + return 8; + } ++ uint32_t dlen = abs(read_s32(data, 4)); + if (len == 8) { +- uint32_t dlen = abs(read_s32(data, 4)); + if (dlen > (1 << 20)) { + error_report("vnc: client_cut_text msg payload has %u bytes" + " which exceeds our limit of 1MB.", dlen); +@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + } + + if (read_s32(data, 4) < 0) { +- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)), +- read_u32(data, 8), data + 12); ++ if (dlen < 4) { ++ error_report("vnc: malformed payload (header less than 4 bytes)" ++ " in extended clipboard 
pseudo-encoding."); ++ vnc_client_error(vs); ++ break; ++ } ++ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12); + break; + } + vnc_client_cut_text(vs, read_u32(data, 4), data + 8); +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch new file mode 100644 index 0000000000..3786497f01 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch 
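Review bot: `uint32_t dlen = abs(read_s32(data, 4));` is now evaluated on every pass through this case once `len != 1`, and `abs()` of the most negative 32-bit value is undefined behaviour in C; the client controls that field. Computing the magnitude in unsigned arithmetic avoids it: `int32_t slen = read_s32(data, 4);` followed by `uint32_t dlen = slen < 0 ? -(uint32_t)slen : (uint32_t)slen;`. Separately, the `Reported-by` and `Signed-off-by` trailers in the patch header contain `avatar` text that looks copied from a web page, which corrupts the attribution and should be cleaned up against the upstream commit. protocol_client_msg() continues outside the hunk.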
@@ -0,0 +1,53 @@ +From ee76e64ee1cb232b77652b21cc94ec6b6c7e4b13 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 27 Jul 2022 10:49:47 +0530 +Subject: [PATCH] CVE-2022-35414 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c] +CVE: CVE-2022-35414 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + softmmu/physmem.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 3524c04c2..3c467527d 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -667,7 +667,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu) + + /* Called from RCU critical section */ + MemoryRegionSection * +-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, ++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr, + hwaddr *xlat, hwaddr *plen, + MemTxAttrs attrs, int *prot) + { +@@ -676,6 +676,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + IOMMUMemoryRegionClass *imrc; + IOMMUTLBEntry iotlb; + int iommu_idx; ++ hwaddr addr = orig_addr; + AddressSpaceDispatch *d = + qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch); + +@@ -720,6 +721,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr, + return section; + + translate_fail: ++ /* ++ * We should be given a page-aligned address -- certainly ++ * tlb_set_page_with_attrs() does so. The page offset of xlat ++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0. ++ * The page portion of xlat will be logged by memory_region_access_valid() ++ * when this memory access is rejected, so use the original untranslated ++ * physical address. ++ */ ++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0); ++ *xlat = orig_addr; + return &d->map.sections[PHYS_SECTION_UNASSIGNED]; + } + +-- +2.25.1 + 
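Review bot: The new `assert((orig_addr & ~TARGET_PAGE_MASK) == 0);` sits on the `translate_fail` path, so an unaligned address from any caller would abort the emulator instead of being rejected; the comment names `tlb_set_page_with_attrs()` as one aligned caller, and the others are not visible in the hunk. The patch header carries only `CVE-2022-35414` as its subject and no description, so the upstream subject and rationale should be copied in from the commit named in `Upstream-Status`. address_space_translate_for_iotlb() continues outside the hunks.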
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch new file mode 100644 index 0000000000..96052a19e8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch 
@@ -0,0 +1,99 @@ +From 6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org> +Date: Mon, 28 Nov 2022 21:27:40 +0100 +Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt + (CVE-2022-4144) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Have qxl_get_check_slot_offset() return false if the requested +buffer size does not fit within the slot memory region. + +Similarly qxl_phys2virt() now returns NULL in such case, and +qxl_dirty_one_surface() aborts. + +This avoids buffer overrun in the host pointer returned by +memory_region_get_ram_ptr(). + +Fixes: CVE-2022-4144 (out-of-bounds read) +Reported-by: Wenxu Yin (@awxylitol) +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336 + +CVE: CVE-2022-4144 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622] +Comments: Deleted patch hunk in qxl.h,as it contains change +in comments which is not present in current version of qemu + +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> +Message-Id: <20221128202741.4945-5-philmd@linaro.org> +Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> +--- + hw/display/qxl.c | 27 +++++++++++++++++++++++---- + 1 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 231d733250..0b21626aad 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -1424,11 +1424,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d) + + /* can be also called from spice server thread context */ + static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, +- uint32_t *s, uint64_t *o) ++ uint32_t *s, uint64_t *o, ++ size_t size_requested) + { + uint64_t phys = le64_to_cpu(pqxl); + uint32_t slot = (phys >> (64 - 8)) & 0xff; + uint64_t offset = phys & 0xffffffffffff; ++ uint64_t 
size_available; + + if (slot >= NUM_MEMSLOTS) { + qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot, +@@ -1452,6 +1454,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + slot, offset, qxl->guest_slots[slot].size); + return false; + } ++ size_available = memory_region_size(qxl->guest_slots[slot].mr); ++ if (qxl->guest_slots[slot].offset + offset >= size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" > region size %"PRIu64"\n", ++ slot, qxl->guest_slots[slot].offset + offset, ++ size_available); ++ return false; ++ } ++ size_available -= qxl->guest_slots[slot].offset + offset; ++ if (size_requested > size_available) { ++ qxl_set_guest_bug(qxl, ++ "slot %d offset %"PRIu64" size %zu: " ++ "overrun by %"PRIu64" bytes\n", ++ slot, offset, size_requested, ++ size_requested - size_available); ++ return false; ++ } + + *s = slot; + *o = offset; +@@ -1471,7 +1490,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id, + offset = le64_to_cpu(pqxl) & 0xffffffffffff; + return (void *)(intptr_t)offset; + case MEMSLOT_GROUP_GUEST: +- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) { ++ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { + return NULL; + } + ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr); +@@ -1937,9 +1956,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, + uint32_t slot; + bool rc; + +- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset); +- assert(rc == true); + size = (uint64_t)height * abs(stride); ++ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size); ++ assert(rc == true); + trace_qxl_surfaces_dirty(qxl->id, offset, size); + qxl_set_dirty(qxl->guest_slots[slot].mr, + qxl->guest_slots[slot].offset + offset, diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch new file mode 100644 index 0000000000..025075fd6d --- /dev/null 
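Review bot: In qxl_dirty_one_surface() the result of the new size check still feeds `assert(rc == true);`, so a surface whose `height * abs(stride)` does not fit in the slot now terminates the process rather than being refused; the description says as much ("aborts"), but whether the guest can reach this with unvalidated values is not visible here. Since qxl_get_check_slot_offset() already reports the problem through `qxl_set_guest_bug()`, `if (!rc) { return; }` would keep the bound without the abort. The two new messages end in `\n` while the neighbouring `slot too large %d >= %d` message does not, and the first one prints `>` for a `>=` comparison. qxl_dirty_one_surface() continues outside the hunk.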
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
@@ -0,0 +1,75 @@ +[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not + exist for this release] +From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 22 May 2023 11:10:11 +0200 +Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI + controller (CVE-2023-0330) + +We cannot use the generic reentrancy guard in the LSI code, so +we have to manually prevent endless reentrancy here. The problematic +lsi_execute_script() function has already a way to detect whether +too many instructions have been executed - we just have to slightly +change the logic here that it also takes into account if the function +has been called too often in a reentrant way. + +The code in fuzz-lsi53c895a-test.c has been taken from an earlier +patch by Mauro Matteo Cascella. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563 +Message-Id: <20230522091011.1082574-1-thuth@redhat.com> +Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> +Reviewed-by: Alexander Bulekov <alxndr@bu.edu> +Signed-off-by: Thomas Huth <thuth@redhat.com> + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/jammy-security +Upstream commit https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/scsi/lsi53c895a.c | 23 +++++++++++++++------ + tests/qtest/fuzz-lsi53c895a-test.c | 33 ++++++++++++++++++++++++++++++ + 2 files changed, 50 insertions(+), 6 deletions(-) + +--- qemu-6.2+dfsg.orig/hw/scsi/lsi53c895a.c ++++ qemu-6.2+dfsg/hw/scsi/lsi53c895a.c +@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState + uint32_t addr, addr_high; + int opcode; + int insn_processed = 0; ++ static int reentrancy_level; ++ ++ reentrancy_level++; + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- if (++insn_processed > 
LSI_MAX_INSN) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ ++ /* ++ * Some windows drivers make the device spin waiting for a memory location ++ * to change. If we have executed more than LSI_MAX_INSN instructions then ++ * assume this is the case and force an unexpected device disconnect. This ++ * is apparently sufficient to beat the drivers into submission. ++ * ++ * Another issue (CVE-2023-0330) can occur if the script is programmed to ++ * trigger itself again and again. Avoid this problem by stopping after ++ * being called multiple times in a reentrant way (8 is an arbitrary value ++ * which should be enough for all valid use cases). ++ */ ++ if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) { + if (!(s->sien0 & LSI_SIST0_UDC)) { + qemu_log_mask(LOG_GUEST_ERROR, + "lsi_scsi: inf. loop with UDC masked"); +@@ -1597,6 +1606,8 @@ again: + } + } + trace_lsi_execute_script_stop(); ++ ++ reentrancy_level--; + } + + static uint8_t lsi_reg_readb(LSIState *s, int offset) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch new file mode 100644 index 0000000000..b4781e1c18 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-1544.patch 
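Review bot: `static int reentrancy_level;` is a function-local static, so the counter is shared by every LSI controller instance rather than kept per device, and the decrement is added only at the end of lsi_execute_script(); any return path in the part of the function outside the hunk would leave it raised. A counter stored in `LSIState` and a named constant for the limit `8` would make both the scope and the bound explicit. The patch's diffstat still lists `tests/qtest/fuzz-lsi53c895a-test.c` although the leading note says those changes were removed.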
@@ -0,0 +1,70 @@ +From e7d6e37675e422cfab2fe8c6bd411d2097228760 Mon Sep 17 00:00:00 2001 +From: Yuval Shaia <yuval.shaia.ml@gmail.com> +Date: Wed, 1 Mar 2023 16:29:26 +0200 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +CVE: CVE-2023-1544 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c] + +Reported-by: Soul Chen <soulchen8650@gmail.com> +Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> +Fixes: CVE-2023-1544 +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> +Signed-off-by: Thomas Huth <thuth@redhat.com> +(cherry picked from commit 85fc35afa93c7320d1641d344d0c5dfbe341d087) +Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com> +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 4fc6712025..55b338046e 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages 
> max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.35.6 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch new file mode 100644 index 0000000000..a86413fbad --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch 
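Review bot: `max_pages` is derived from `sizeof(dma_addr_t)`, but the directory and table are declared as `uint64_t *dir, *tbl`, so the bound is only right while the two types have the same size; `max_pages = TARGET_PAGE_SIZE / sizeof(*tbl) - 1;` ties it to the entries that are actually indexed. The new error string ends in `\n`, unlike the other `rdma_error_report()` calls in the hunk. init_dev_ring() continues outside the hunk.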
@@ -0,0 +1,180 @@ +From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001 +From: Christian Schoenebeck <qemu_oss@crudebyte.com> +Date: Wed, 7 Jun 2023 18:29:33 +0200 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) + +The 9p protocol does not specifically define how server shall behave when +client tries to open a special file, however from security POV it does +make sense for 9p server to prohibit opening any special file on host side +in general. A sane Linux 9p client for instance would never attempt to +open a special file on host side, it would always handle those exclusively +on its guest side. A malicious client however could potentially escape +from the exported 9p tree by creating and opening a device file on host +side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. 
+ +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen <ywsPlz@gmail.com> +Reported-by: Jietao Xiao <shawtao1125@gmail.com> +Reported-by: Jinku Li <jkli@xidian.edu.cn> +Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn> +Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com> +Reviewed-by: Greg Kurz <groug@kaod.org> +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com> + +Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5] +CVE: CVE-2023-2861 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c +index 15c0e79b0..f9e4669a5 100644 +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) + } + } + ++/* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. 
++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ + /* + * send response in two parts + * 1) ProxyHeader +@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index 546f46dc7..23000e917 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,12 +13,16 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + ++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else + #define O_PATH_9P_UTIL 0 + #endif + ++#define qemu_fstat fstat ++ + static inline void close_preserve_errno(int fd) + { + int serrno = errno; +@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. 
++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (qemu_fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -56,6 +92,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() +-- +2.35.7 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch new file mode 100644 index 0000000000..30080924c8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch 
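Review bot: `open_regular` in virtfs-proxy-helper.c checks the file type only after `open()` has returned, so the open itself still takes place on a special file before `close_if_special_file` rejects it; a FIFO opened without `O_NONBLOCK` could presumably stall the helper at that point. The 9p-util.h context at the end of this patch says `openat_file` needs `O_NONBLOCK` only for the open and drops it afterwards, whereas `open_regular` passes the client-supplied `flags` through unchanged. At minimum the function comment should state the limitation, e.g. `* Note: the type check runs after open(); side effects of opening a special file are not prevented.` The backport also adds `#define qemu_fstat fstat` to 9p-util.h, and the patch header does not say whether that line is a local adaptation; this page does not show the upstream version to compare against.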
@@ -0,0 +1,50 @@ +From 49f1e02bac166821c712534aaa775f50e1afe17f Mon Sep 17 00:00:00 2001 +From: zhenwei pi <pizhenwei@bytedance.com> +Date: Thu, 3 Aug 2023 10:43:13 +0800 +Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request + +For symmetric algorithms, the length of ciphertext must be as same +as the plaintext. +The missing verification of the src_len and the dst_len in +virtio_crypto_sym_op_helper() may lead buffer overflow/divulged. + +This patch is originally written by Yiming Tao for QEMU-SECURITY, +resend it(a few changes of error message) in qemu-devel. + +Fixes: CVE-2023-3180 +Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler") +Cc: Gonglei <arei.gonglei@huawei.com> +Cc: Mauro Matteo Cascella <mcascell@redhat.com> +Cc: Yiming Tao <taoym@zju.edu.cn> +Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> +Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> +(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980) +Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f] +CVE: CVE-2023-3180 +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + hw/virtio/virtio-crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index a1d122b9aa..ccaa704530 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -635,6 +635,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + ++ if (unlikely(src_len != dst_len)) { ++ virtio_error(vdev, "sym request src len is different from dst len"); ++ return NULL; ++ } ++ + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); +-- +2.40.0 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..f030df111f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch 
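Review bot: The new `src_len != dst_len` check in `virtio_crypto_sym_op_helper` carries no comment, so the reason for requiring equal lengths is recorded only in the commit message. A one-line comment above it would keep the invariant with the code, e.g. `/* symmetric ops: ciphertext and plaintext must have the same length */`. The error text could also report both lengths to help triage a misbehaving guest driver; their types are not visible in this hunk, so the format specifiers would need checking. The function starts and ends outside the hunk.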
@@ -0,0 +1,64 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Tue, 4 Jul 2023 10:41:22 +0200 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis <kevin.denis@synacktiv.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-ID: <20230704084210.101822-1-mcascell@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] + +CVE: CVE-2023-3255 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> + +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c +index 8aeadfaa21..c759be3438 100644 +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + 
err_end: + inflateEnd(&stream); + err: +-- +2.40.0 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch new file mode 100644 index 0000000000..ffb5cd3861 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch 
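Review bot: After this change the only successful exit from `inflate_buffer` is the `Z_STREAM_END` case, and code that leaves the loop any other way now runs straight into the `err_end:` label; that appears to be intended, but nothing in the code says so. A comment above the label would mark the fall-through as deliberate, e.g. `/* loop ended without Z_STREAM_END: incomplete stream, treat as error */`. The loop header and the cleanup after `err:` are outside the hunk, so this should be confirmed against the full function.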
@@ -0,0 +1,60 @@ +From a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 Mon Sep 17 00:00:00 2001 +From: Ani Sinha <anisinha@redhat.com> +Date: Mon, 19 Jun 2023 12:22:09 +0530 +Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if + peer nic is present + +When a peer nic is still attached to the vdpa backend, it is too early to free +up the vhost-net and vdpa structures. If these structures are freed here, then +QEMU crashes when the guest is being shut down. The following call chain +would result in an assertion failure since the pointer returned from +vhost_vdpa_get_vhost_net() would be NULL: + +do_vm_stop() -> vm_state_notify() -> virtio_set_status() -> +virtio_net_vhost_status() -> get_vhost_net(). + +Therefore, we defer freeing up the structures until at guest shutdown +time when qemu_cleanup() calls net_cleanup() which then calls +qemu_del_net_client() which would eventually call vhost_vdpa_cleanup() +again to free up the structures. This time, the loop in net_cleanup() +ensures that vhost_vdpa_cleanup() will be called one last time when +all the peer nics are detached and freed. + +All unit tests pass with this change. + +CC: imammedo@redhat.com +CC: jusual@redhat.com +CC: mst@redhat.com +Fixes: CVE-2023-3301 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929 +Signed-off-by: Ani Sinha <anisinha@redhat.com> +Message-Id: <20230619065209.442185-1-anisinha@redhat.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. 
Tsirkin <mst@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8] +CVE: CVE-2023-3301 + + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + net/vhost-vdpa.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/vhost-vdpa.c ++++ b/net/vhost-vdpa.c +@@ -140,6 +140,14 @@ static void vhost_vdpa_cleanup(NetClient + { + VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc); + ++ /* ++ * If a peer NIC is attached, do not cleanup anything. ++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup() ++ * when the guest is shutting down. ++ */ ++ if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) { ++ return; ++ } + if (s->vhost_net) { + vhost_net_cleanup(s->vhost_net); + g_free(s->vhost_net); diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch new file mode 100644 index 0000000000..250716fcfc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch 
@@ -0,0 +1,87 @@ +From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Tue, 20 Jun 2023 09:45:34 +0100 +Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The TLS handshake make take some time to complete, during which time an +I/O watch might be registered with the main loop. If the owner of the +I/O channel invokes qio_channel_close() while the handshake is waiting +to continue the I/O watch must be removed. Failing to remove it will +later trigger the completion callback which the owner is not expecting +to receive. In the case of the VNC server, this results in a SEGV as +vnc_disconnect_start() tries to shutdown a client connection that is +already gone / NULL. + +CVE-2023-3354 +Reported-by: jiangyegen <jiangyegen@huawei.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4] +CVE: CVE-2023-3354 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + include/io/channel-tls.h | 1 + + io/channel-tls.c | 18 ++++++++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h +index 5672479e9..26c67f17e 100644 +--- a/include/io/channel-tls.h ++++ b/include/io/channel-tls.h +@@ -48,6 +48,7 @@ struct QIOChannelTLS { + QIOChannel *master; + QCryptoTLSSession *session; + QIOChannelShutdown shutdown; ++ guint hs_ioc_tag; + }; + + /** +diff --git a/io/channel-tls.c b/io/channel-tls.c +index 2ae1b92fc..34476e6b7 100644 +--- a/io/channel-tls.c ++++ b/io/channel-tls.c +@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc, + } + + trace_qio_channel_tls_handshake_pending(ioc, status); +- qio_channel_add_watch_full(ioc->master, +- 
condition, +- qio_channel_tls_handshake_io, +- data, +- NULL, +- context); ++ ioc->hs_ioc_tag = ++ qio_channel_add_watch_full(ioc->master, ++ condition, ++ qio_channel_tls_handshake_io, ++ data, ++ NULL, ++ context); + } + } + +@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc, + QIOChannelTLS *tioc = QIO_CHANNEL_TLS( + qio_task_get_source(task)); + ++ tioc->hs_ioc_tag = 0; + g_free(data); + qio_channel_tls_handshake_task(tioc, task, context); + +@@ -373,6 +375,10 @@ static int qio_channel_tls_close(QIOChannel *ioc, + { + QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc); + ++ if (tioc->hs_ioc_tag) { ++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); ++ } ++ + return qio_channel_close(tioc->master, errp); + } + +-- +2.25.1 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch new file mode 100644 index 0000000000..d53683faa7 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch 
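Review bot: `qio_channel_tls_close` removes the pending handshake watch with `g_source_remove`, which looks the id up in the default GLib main context, while `qio_channel_tls_handshake_task` attaches the watch to the caller's `context`. If a caller passes a non-default context, the source would not be found and the stale callback this patch targets could still fire; whether any caller does so is not visible here. The watch is also registered with a `NULL` destroy notify and `data` is freed only inside `qio_channel_tls_handshake_io`, so removing the source on close appears to leave `data` unreleased. Separately, the `if (tioc->hs_ioc_tag)` guard is redundant because `g_clear_handle_id` does nothing for a zero id, so the block can be just `g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);`.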
@@ -0,0 +1,46 @@ +From 7cfcc79b0ab800959716738aff9419f53fc68c9c Mon Sep 17 00:00:00 2001 +From: Thomas Huth <thuth@redhat.com> +Date: Mon, 25 Sep 2023 11:18:54 +0200 +Subject: [PATCH] hw/scsi/scsi-disk: Disallow block sizes smaller than 512 + [CVE-2023-42467] + +We are doing things like + + nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE); + +in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if +the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes +with a division by 0 exception. Thus disallow block sizes of 256 +bytes to avoid this situation. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813 +CVE: 2023-42467 +Signed-off-by: Thomas Huth <thuth@redhat.com> +Message-ID: <20230925091854.49198-1-thuth@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +CVE: CVE-2023-42467 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + hw/scsi/scsi-disk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index e0d79c7966c..477ee2bcd47 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + * Since the existing code only checks/updates bits 8-15 of the block + * size, restrict ourselves to the same requirement for now to ensure + * that a block size set by a block descriptor and then read back by +- * a subsequent SCSI command will be the same ++ * a subsequent SCSI command will be the same. Also disallow a block ++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE. + */ +- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) { + s->qdev.blocksize = bs; + trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); + } +-- 
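Review bot: The mask in `scsi_disk_emulate_mode_select` changes from `0xff00` to `0xfe00` as a bare constant, and the updated comment mentions 256 without saying which values the mask now admits. A short addition to the comment would help the next reader: `0xfe00 = bits 9-15, i.e. non-zero multiples of 512 up to 65024`. The function body lies outside the hunk, so how `bs` is derived from the block descriptor cannot be checked from here.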
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
new file mode 100644
index 0000000000..c5ea9d739a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
@@ -0,0 +1,112 @@ +From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001 +From: Fiona Ebner <f.ebner@proxmox.com> +Date: Wed, 6 Sep 2023 15:09:21 +0200 +Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting + state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If there is a pending DMA operation during ide_bus_reset(), the fact +that the IDEState is already reset before the operation is canceled +can be problematic. In particular, ide_dma_cb() might be called and +then use the reset IDEState which contains the signature after the +reset. When used to construct the IO operation this leads to +ide_get_sector() returning 0 and nsector being 1. This is particularly +bad, because a write command will thus destroy the first sector which +often contains a partition table or similar. + +Traces showing the unsolicited write happening with IDEState +0x5595af6949d0 being used after reset: + +> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 0x00000300 +> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port +> ide_reset IDEstate 0x5595af6949d0 +> ide_reset IDEstate 0x5595af694da8 +> ide_bus_reset_aio aio_cancel +> dma_aio_cancel dbs=0x7f64600089a0 +> dma_blk_cb dbs=0x7f64600089a0 ret=0 +> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30 +> ahci_populate_sglist ahci(0x5595af6923f0)[0] +> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 prepared=512 +> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE +> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1 +> dma_blk_cb dbs=0x7f6420802010 ret=0 + +> (gdb) p *qiov +> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 0x0, +> iov_len = 512}}, {__pad = "\001\000\000\000\000\000\000\000\000\000\000", +> size = 512}}} +> (gdb) bt +> #0 blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, flags=0, +> cb=0x5595ace6f0b0 
<dma_blk_cb>, opaque=0x7f6420802010) +> at ../block/block-backend.c:1682 +> #1 0x00005595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=<optimized out>) +> at ../softmmu/dma-helpers.c:179 +> #2 0x00005595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> io_func=io_func@entry=0x5595ace6ee30 <dma_blk_write_io_func>, +> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30, +> cb=0x5595acd40b30 <ide_dma_cb>, opaque=0x5595af6949d0, +> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244 +> #3 0x00005595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30, +> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512, +> cb=cb@entry=0x5595acd40b30 <ide_dma_cb>, opaque=opaque@entry=0x5595af6949d0) +> at ../softmmu/dma-helpers.c:280 +> #4 0x00005595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=<optimized out>) +> at ../hw/ide/core.c:953 +> #5 0x00005595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0) +> at ../softmmu/dma-helpers.c:107 +> #6 dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127 +> #7 0x00005595ad12227d in blk_aio_complete (acb=0x7f6460005b10) +> at ../block/block-backend.c:1527 +> #8 blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524 +> #9 blk_aio_write_entry (opaque=0x7f6460005b10) at ../block/block-backend.c:1594 +> #10 0x00005595ad258cfb in coroutine_trampoline (i0=<optimized out>, +> i1=<optimized out>) at ../util/coroutine-ucontext.c:177 + +CVE: CVE-2023-5088 +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e] + +Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Tested-by: simon.rowe@nutanix.com +Message-ID: <20230906130922.142845-1-f.ebner@proxmox.com> +Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> +Signed-off-by: Sourav Pramanik <sourav.pramanik@kpit.com> +--- + hw/ide/core.c | 14 
+++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index b5e0dcd29b2..63ba665f3d2 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -2515,19 +2515,19 @@ static void ide_dummy_transfer_stop(IDEState *s) + + void ide_bus_reset(IDEBus *bus) + { +- bus->unit = 0; +- bus->cmd = 0; +- ide_reset(&bus->ifs[0]); +- ide_reset(&bus->ifs[1]); +- ide_clear_hob(bus); +- +- /* pending async DMA */ ++ /* pending async DMA - needs the IDEState before it is reset */ + if (bus->dma->aiocb) { + trace_ide_bus_reset_aio(); + blk_aio_cancel(bus->dma->aiocb); + bus->dma->aiocb = NULL; + } + ++ bus->unit = 0; ++ bus->cmd = 0; ++ ide_reset(&bus->ifs[0]); ++ ide_reset(&bus->ifs[1]); ++ ide_clear_hob(bus); ++ + /* reset dma provider too */ + if (bus->dma->ops->reset) { + bus->dma->ops->reset(bus->dma); +-- diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch new file mode 100644 index 0000000000..e528574076 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch 
@@ -0,0 +1,92 @@ +From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001 +From: Fiona Ebner <f.ebner@proxmox.com> +Date: Wed, 24 Jan 2024 11:57:48 +0100 +Subject: [PATCH] ui/clipboard: mark type as not available when there is no + data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT +message with len=0. In qemu_clipboard_set_data(), the clipboard info +will be updated setting data to NULL (because g_memdup(data, size) +returns NULL when size is 0). If the client does not set the +VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then +the 'request' callback for the clipboard peer is not initialized. +Later, because data is NULL, qemu_clipboard_request() can be reached +via vdagent_chr_write() and vdagent_clipboard_recv_request() and +there, the clipboard owner's 'request' callback will be attempted to +be called, but that is a NULL pointer. + +In particular, this can happen when using the KRDC (22.12.3) VNC +client. + +Another scenario leading to the same issue is with two clients (say +noVNC and KRDC): + +The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and +initializes its cbpeer. + +The KRDC client does not, but triggers a vnc_client_cut_text() (note +it's not the _ext variant)). There, a new clipboard info with it as +the 'owner' is created and via qemu_clipboard_set_data() is called, +which in turn calls qemu_clipboard_update() with that info. + +In qemu_clipboard_update(), the notifier for the noVNC client will be +called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the +noVNC client. The 'owner' in that clipboard info is the clipboard peer +for the KRDC client, which did not initialize the 'request' function. +That sounds correct to me, it is the owner of that clipboard info. 
+ +Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set +the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it +passes), that clipboard info is passed to qemu_clipboard_request() and +the original segfault still happens. + +Fix the issue by handling updates with size 0 differently. In +particular, mark in the clipboard info that the type is not available. + +While at it, switch to g_memdup2(), because g_memdup() is deprecated. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2023-6683 +Reported-by: Markus Frank <m.frank@proxmox.com> +Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Tested-by: Markus Frank <m.frank@proxmox.com> +Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a] +CVE: CVE-2023-6683 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + ui/clipboard.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ui/clipboard.c b/ui/clipboard.c +index 3d14bffaf80..b3f6fa3c9e1 100644 +--- a/ui/clipboard.c ++++ b/ui/clipboard.c +@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, + } + + g_free(info->types[type].data); +- info->types[type].data = g_memdup(data, size); +- info->types[type].size = size; +- info->types[type].available = true; ++ if (size) { ++ info->types[type].data = g_memdup2(data, size); ++ info->types[type].size = size; ++ info->types[type].available = true; ++ } else { ++ info->types[type].data = NULL; ++ info->types[type].size = 0; ++ info->types[type].available = false; ++ } + + if (update) { + qemu_clipboard_update(info); +-- +GitLab + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch new file mode 100644 index 0000000000..b91f2e6902 --- /dev/null 
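Review bot: The backport switches `qemu_clipboard_set_data` to `g_memdup2`, which GLib provides only from 2.68 on, so the QEMU version this recipe builds must either require such a GLib or carry a compatibility wrapper; neither is visible in this hunk. If that is not guaranteed by the tree, the patch header should say how it was verified. A short comment on the new `else` branch would also help, e.g. `/* empty update: mark the type unavailable so no request is issued for it */`, since the reason is otherwise only in the commit message.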
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch 
@@ -0,0 +1,74 @@ +From 2220e8189fb94068dbad333228659fbac819abb0 Mon Sep 17 00:00:00 2001 +From: Jason Wang <jasowang@redhat.com> +Date: Tue, 2 Jan 2024 11:29:01 +0800 +Subject: [PATCH] virtio-net: correctly copy vnet header when flushing TX + +When HASH_REPORT is negotiated, the guest_hdr_len might be larger than +the size of the mergeable rx buffer header. Using +virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack +overflow in this case. Fixing this by using virtio_net_hdr_v1_hash +instead. + +Reported-by: Xiao Lei <leixiao.nop@zju.edu.cn> +Cc: Yuri Benditovich <yuri.benditovich@daynix.com> +Cc: qemu-stable@nongnu.org +Cc: Mauro Matteo Cascella <mcascell@redhat.com> +Fixes: CVE-2023-6693 +Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") +Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/2220e8189fb94068dbad333228659fbac819abb0] +CVE: CVE-2023-6693 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + hw/net/virtio-net.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index e1f474883..42e66697f 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -600,6 +600,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs, + + n->mergeable_rx_bufs = mergeable_rx_bufs; + ++ /* ++ * Note: when extending the vnet header, please make sure to ++ * change the vnet header copying logic in virtio_net_flush_tx() ++ * as well. ++ */ + if (version_1) { + n->guest_hdr_len = hash_report ? 
+ sizeof(struct virtio_net_hdr_v1_hash) : +@@ -2520,7 +2525,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + ssize_t ret; + unsigned int out_num; + struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg; +- struct virtio_net_hdr_mrg_rxbuf mhdr; ++ struct virtio_net_hdr_v1_hash vhdr; + + elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); + if (!elem) { +@@ -2537,7 +2542,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + } + + if (n->has_vnet_hdr) { +- if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < ++ if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < + n->guest_hdr_len) { + virtio_error(vdev, "virtio-net header incorrect"); + virtqueue_detach_element(q->tx_vq, elem, 0); +@@ -2545,8 +2550,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + return -EINVAL; + } + if (n->needs_vnet_hdr_swap) { +- virtio_net_hdr_swap(vdev, (void *) &mhdr); +- sg2[0].iov_base = &mhdr; ++ virtio_net_hdr_swap(vdev, (void *) &vhdr); ++ sg2[0].iov_base = &vhdr; + sg2[0].iov_len = n->guest_hdr_len; + out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, + out_sg, out_num, +-- +2.34.1 diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch new file mode 100644 index 0000000000..e890fe56cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch 
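Review bot: `virtio_net_flush_tx` still copies `n->guest_hdr_len` bytes into the stack variable, now `vhdr`, without checking that length against `sizeof(vhdr)` at the copy site; the only safeguard is the new reminder comment in `virtio_net_set_mrg_rx_bufs`. An assertion next to the copy would turn a future header extension into an immediate failure instead of a stack overwrite: `assert(n->guest_hdr_len <= sizeof(vhdr));` before the `iov_to_buf` call. Both functions continue outside the hunk.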
@@ -0,0 +1,44 @@ +From 77668e4b9bca03a856c27ba899a2513ddf52bb52 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 13 Sep 2023 21:44:09 +0100 +Subject: [PATCH] esp: restrict non-DMA transfer length to that of available + data + +In the case where a SCSI layer transfer is incorrectly terminated, it is +possible for a TI command to cause a SCSI buffer overflow due to the +expected transfer data length being less than the available data in the +FIFO. When this occurs the unsigned async_len variable underflows and +becomes a large offset which writes past the end of the allocated SCSI +buffer. + +Restrict the non-DMA transfer length to be the smallest of the expected +transfer length and the available FIFO data to ensure that it is no longer +possible for the SCSI buffer overflow to occur. + +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810 +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-ID: <20230913204410.65650-3-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52] +CVE: CVE-2024-24474 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + hw/scsi/esp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 4218a6a96054..9b11d8c5738a 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s) + } + + if (to_device) { +- len = MIN(fifo8_num_used(&s->fifo), ESP_FIFO_SZ); ++ len = MIN(s->async_len, ESP_FIFO_SZ); ++ len = MIN(len, fifo8_num_used(&s->fifo)); + esp_fifo_pop_buf(&s->fifo, s->async_buf, len); + s->async_buf += len; + s->async_len -= len; 
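Review bot: The two-step clamp in `esp_do_nodma` has no comment explaining why `s->async_len` is part of the minimum, although that is the whole fix. Suggested comment above it: `/* never pop more than the SCSI layer still expects, or async_len underflows */`. The function body continues outside the hunk, so the matching handling on the other transfer direction cannot be checked from here.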
diff --git a/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch b/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch
new file mode 100644
index 0000000000..d8e48d07dd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch
@@ -0,0 +1,54 @@ +From 356c4c441ec01910314c5867c680bef80d1dd373 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Wed, 22 Jun 2022 11:53:12 +0100 +Subject: [PATCH] scsi-disk: allow MODE SELECT block descriptor to set the + block size + +The MODE SELECT command can contain an optional block descriptor that can be used +to set the device block size. If the block descriptor is present then update the +block size on the SCSI device accordingly. + +This allows CDROMs to be used with A/UX which requires a CDROM drive which is +capable of switching from a 2048 byte sector size to a 512 byte sector size. + +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Message-Id: <20220622105314.802852-13-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Comment: Patch is refreshed +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/356c4c441ec01910314c5867c680bef80d1dd373] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + hw/scsi/scsi-disk.c | 6 ++++++ + hw/scsi/trace-events | 1 + + 2 files changed, 7 insertions(+) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index db27e834dae3..f5cdb9ad4b54 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1616,6 +1616,12 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + goto invalid_param; + } + ++ /* Allow changing the block size */ ++ if (bd_len && p[6] != (s->qdev.blocksize >> 8)) { ++ s->qdev.blocksize = p[6] << 8; ++ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ } ++ + len -= bd_len; + p += bd_len; + +diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events +index 8e927ff62de1..ab238293f0da 100644 +--- a/hw/scsi/trace-events ++++ b/hw/scsi/trace-events +@@ -338,6 +338,7 @@scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 ", count %u)" + scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" 
PRId64 ", count %u)" + scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s" + scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd=0x%x (sector %" PRId64 ", count %d) timeout=%u" ++scsi_disk_mode_select_set_blocksize(int blocksize) "set block size to %d" + + # scsi-generic.c + scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d" diff --git a/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch b/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch new file mode 100644 index 0000000000..1e1be683fc --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch 
@@ -0,0 +1,67 @@ +From 55794c904df723109b228da28b5db778e0df3110 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Date: Sat, 30 Jul 2022 13:26:56 +0100 +Subject: [PATCH] scsi-disk: ensure block size is non-zero and changes limited + to bits 8-15 + +The existing code assumes that the block size can be generated from p[1] << 8 +in multiple places which ignores the top and bottom 8 bits. If the block size +is allowed to be set to an arbitrary value then this causes a mismatch +between the value written by the guest in the block descriptor and the value +subsequently read back using READ CAPACITY causing the guest to generate +requests that can crash QEMU. + +For now restrict block size changes to bits 8-15 and also ignore requests to +set the block size to 0 which causes the SCSI emulation to crash in at least +one place with a divide by zero error. + +Fixes: 356c4c441e ("scsi-disk: allow MODE SELECT block descriptor to set the block size") +Closes: https://gitlab.com/qemu-project/qemu/-/issues/1112 +Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> +Message-Id: <20220730122656.253448-3-mark.cave-ayland@ilande.co.uk> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Comment: Patch is refreshed +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/55794c904df723109b228da28b5db778e0df3110] +Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com> +--- + hw/scsi/scsi-disk.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index 3027ac3b1ed6..efee6739f9ad 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -1532,7 +1532,7 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + int cmd = r->req.cmd.buf[0]; + int len = r->req.cmd.xfer; + int hdr_len = (cmd == MODE_SELECT ? 4 : 8); +- int bd_len; ++ int bd_len, bs; + int pass; + + /* We only support PF=1, SP=0. 
*/ +@@ -1617,9 +1617,19 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf) + } + + /* Allow changing the block size */ +- if (bd_len && p[6] != (s->qdev.blocksize >> 8)) { +- s->qdev.blocksize = p[6] << 8; +- trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ if (bd_len) { ++ bs = p[5] << 16 | p[6] << 8 | p[7]; ++ ++ /* ++ * Since the existing code only checks/updates bits 8-15 of the block ++ * size, restrict ourselves to the same requirement for now to ensure ++ * that a block size set by a block descriptor and then read back by ++ * a subsequent SCSI command will be the same ++ */ ++ if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) { ++ s->qdev.blocksize = bs; ++ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize); ++ } + } + + len -= bd_len; + diff --git a/meta/recipes-devtools/qemu/qemu_6.2.0.bb b/meta/recipes-devtools/qemu/qemu_6.2.0.bb index 9f7fad9886..42e133967e 100644 --- a/meta/recipes-devtools/qemu/qemu_6.2.0.bb +++ b/meta/recipes-devtools/qemu/qemu_6.2.0.bb @@ -15,12 +15,12 @@ EXTRA_OECONF:append:class-target:mipsarcho32 = "${@bb.utils.contains('BBEXTENDCU EXTRA_OECONF:append:class-nativesdk = " --target-list=${@get_qemu_target_list(d)}" PACKAGECONFIG ??= " \ - fdt sdl kvm pie \ + fdt sdl kvm pie slirp \ ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer epoxy', '', d)} \ ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ " -PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm pie \ +PACKAGECONFIG:class-nativesdk ??= "fdt sdl kvm pie slirp \ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer epoxy', '', d)} \ " # ppc32 hosts are no longer supported in qemu diff --git a/meta/recipes-devtools/quilt/quilt.inc b/meta/recipes-devtools/quilt/quilt.inc index 07611e6d85..72deb24915 100644 --- a/meta/recipes-devtools/quilt/quilt.inc +++ b/meta/recipes-devtools/quilt/quilt.inc 
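Review bot: The new guard `if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize)` in scsi_disk_emulate_mode_select still accepts every non-zero multiple of 256 up to 0xff00, including values that are not powers of two. Whether the rest of scsi-disk copes with a non-power-of-two block size cannot be told from this hunk, so it is worth confirming or tightening the test, e.g. `if (bs && !(bs & ~0xff00) && is_power_of_2(bs) && bs != s->qdev.blocksize) {`. Rejected values are dropped silently; extending the existing comment to say that an out-of-range descriptor is ignored rather than failed via `invalid_param` would record that this is deliberate. The function starts and ends outside the hunk.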
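Review bot: `slirp` is added to the default `PACKAGECONFIG` for both the target and the nativesdk build without a comment saying why it is now on by default. User-mode networking adds guest-reachable code to every default QEMU build, so the reason belongs next to the setting, for example `# slirp: user-mode networking, needed for <use case>`, with the placeholder filled in by the author. How the option maps to configure flags is defined outside this hunk.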
@@ -12,6 +12,9 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/quilt/quilt-${PV}.tar.gz \ file://Makefile \ file://test.sh \ file://0001-tests-Allow-different-output-from-mv.patch \ + file://fix-grep-3.8.patch \ + file://faildiff-order.patch \ + file://0001-test-Fix-a-race-condition-in-merge.test.patch \ " SRC_URI:append:class-target = " file://gnu_patch_test_fix_target.patch" diff --git a/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch b/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch new file mode 100644 index 0000000000..01d4c8befc --- /dev/null +++ b/meta/recipes-devtools/quilt/quilt/0001-test-Fix-a-race-condition-in-merge.test.patch 
@@ -0,0 +1,48 @@
+From c1ce964f3e9312100a60f03c1e1fdd601e1911f2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
+ <congdanhqx@gmail.com>
+Date: Tue, 28 Feb 2023 18:45:15 +0100
+Subject: [PATCH] test: Fix a race condition in merge.test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Just like commit 4dfe7f9, (test: Fix a race condition, 2023-01-20),
+this fix a test race when stdout and stderr in any order.
+
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/quilt.git/commit/?id=c1ce964f3e9312100a60f03c1e1fdd601e1911f2]
+Signed-off-by: Đoàn Trần Công Danh <congdanhqx@gmail.com>
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ test/merge.test | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/test/merge.test b/test/merge.test
+index c64b33d..2e67d4f 100644
+--- a/test/merge.test
++++ b/test/merge.test
+@@ -39,8 +39,9 @@ Test the patch merging functionality of `quilt diff'.
+ > Applying patch %{P}c.diff
+ > Now at patch %{P}c.diff
+
+- $ quilt diff -P b.diff | grep -v "^\\(---\\|+++\\)"
++ $ quilt diff -P b.diff >/dev/null
+ > Warning: more recent patches modify files in patch %{P}b.diff
++ $ quilt diff -P b.diff 2>/dev/null | grep -v "^\\(---\\|+++\\)"
+ >~ Index: [^/]+/abc\.txt
+ > ===================================================================
+ > @@ -1,3 +1,3 @@
+@@ -49,8 +50,9 @@ Test the patch merging functionality of `quilt diff'.
+ > +b+
+ > c
+
+- $ quilt diff --combine a.diff -P b.diff | grep -v "^\\(---\\|+++\\)"
++ $ quilt diff --combine a.diff -P b.diff >/dev/null
+ > Warning: more recent patches modify files in patch %{P}b.diff
++ $ quilt diff --combine a.diff -P b.diff 2>/dev/null | grep -v "^\\(---\\|+++\\)"
+ >~ Index: [^/]+/abc\.txt
+ > ===================================================================
+ > @@ -1,3 +1,3 @@
+--
+2.40.0
+
diff --git a/meta/recipes-devtools/quilt/quilt/faildiff-order.patch b/meta/recipes-devtools/quilt/quilt/faildiff-order.patch
new file mode 100644
index 0000000000..f22065a250
--- /dev/null
+++ b/meta/recipes-devtools/quilt/quilt/faildiff-order.patch
@@ -0,0 +1,41 @@
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 4dfe7f9e702c85243a71e4de267a13e434b6d6c2 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Fri, 20 Jan 2023 12:56:08 +0100
+Subject: [PATCH] test: Fix a race condition
+
+The test suite does not differentiate between stdout and stderr. When
+messages are printed to both, the order in which they will reach us
+is apparently not guaranteed. Ideally this would be deterministic, but
+until then, explicitly test stdout and stderr separately in the test
+case itself. Otherwise the test suite fails randomly, which is a pain
+for distribution package maintainers.
+
+This fixes bug #63651 reported by Ross Burton:
+https://savannah.nongnu.org/bugs/index.php?63651
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ test/faildiff.test | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/faildiff.test b/test/faildiff.test
+index 5afb8e3..0444c15 100644
+--- a/test/faildiff.test
++++ b/test/faildiff.test
+@@ -27,8 +27,9 @@ What happens on binary files?
+ > File test.bin added to patch %{P}test.diff
+
+ $ printf "\\003\\000\\001" > test.bin
+- $ quilt diff -pab --no-index
++ $ quilt diff -pab --no-index 2>/dev/null
+ >~ (Files|Binary files) a/test\.bin and b/test\.bin differ
++ $ quilt diff -pab --no-index >/dev/null
+ > Diff failed on file 'test.bin', aborting
+ $ echo %{?}
+ > 1
+--
+2.34.1
+
diff --git a/meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch b/meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch
new file mode 100644
index 0000000000..68a4b4c195
--- /dev/null
+++ b/meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch
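Review bot: The `Upstream-Status: Backport` tag at the top of faildiff-order.patch names no upstream commit, unlike the other two quilt patches added in this commit, which makes the backport harder to check against its source. The commit hash is already in the patch's `From` line, so the tag can carry it: `Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/quilt.git/commit/?id=4dfe7f9e702c85243a71e4de267a13e434b6d6c2]`. The tags here also sit above the `From` line, whereas the sibling patches place them after the upstream sign-offs; one layout across the three files makes provenance easier to audit.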
@@ -0,0 +1,144 @@ +From f73f8d7f71de2878d3f92881a5fcb8eafd78cb5f Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Fri, 9 Sep 2022 10:10:37 +0200 +Subject: Avoid warnings with grep 3.8 + +GNU grep version 3.8 became more strict about needless quoting in +patterns. We have one occurrence of that in quilt, where "/" +characters are being quoted by default. There are cases where they +indeed need to be quoted (typically when used in a sed s/// command) +but most of the time they do not, and this results in the following +warning: + +grep: warning: stray \ before / + +So rename quote_bre() to quote_sed_re(), and introduce +quote_grep_re() which does not quote "/". + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/quilt.git/commit/?id=f73f8d7f71de2878d3f92881a5fcb8eafd78cb5f] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + quilt/diff.in | 2 +- + quilt/patches.in | 2 +- + quilt/scripts/patchfns.in | 20 +++++++++++++------- + quilt/upgrade.in | 4 ++-- + 4 files changed, 17 insertions(+), 11 deletions(-) + +diff --git a/quilt/diff.in b/quilt/diff.in +index e90dc33..07788ff 100644 +--- a/quilt/diff.in ++++ b/quilt/diff.in +@@ -255,7 +255,7 @@ then + # Add all files in the snapshot into the file list (they may all + # have changed). 
+ files=( $(find $QUILT_PC/$snap_subdir -type f \ +- | sed -e "s/^$(quote_bre $QUILT_PC/$snap_subdir/)//" \ ++ | sed -e "s/^$(quote_sed_re $QUILT_PC/$snap_subdir/)//" \ + | sort) ) + printf "%s\n" "${files[@]}" >&4 + unset files +diff --git a/quilt/patches.in b/quilt/patches.in +index bb17a46..eac45a9 100644 +--- a/quilt/patches.in ++++ b/quilt/patches.in +@@ -60,7 +60,7 @@ scan_unapplied() + # Quote each file name only once + for file in "${opt_files[@]}" + do +- files_bre[${#files_bre[@]}]=$(quote_bre "$file") ++ files_bre[${#files_bre[@]}]=$(quote_grep_re "$file") + done + + # "Or" all files in a single pattern +diff --git a/quilt/scripts/patchfns.in b/quilt/scripts/patchfns.in +index c2d5f9d..1bd7233 100644 +--- a/quilt/scripts/patchfns.in ++++ b/quilt/scripts/patchfns.in +@@ -78,8 +78,14 @@ array_join() + done + } + +-# Quote a string for use in a basic regular expression. +-quote_bre() ++# Quote a string for use in a regular expression for a grep pattern. ++quote_grep_re() ++{ ++ echo "$1" | sed -e 's:\([][^$.*\\]\):\\\1:g' ++} ++ ++# Quote a string for use in a regular expression for a sed s/// command. 
++quote_sed_re() + { + echo "$1" | sed -e 's:\([][^$/.*\\]\):\\\1:g' + } +@@ -215,7 +221,7 @@ patch_in_series() + + if [ -e "$SERIES" ] + then +- grep -q "^$(quote_bre $patch)\([ \t]\|$\)" "$SERIES" ++ grep -q "^$(quote_grep_re $patch)\([ \t]\|$\)" "$SERIES" + else + return 1 + fi +@@ -365,7 +371,7 @@ is_applied() + { + local patch=$1 + [ -e $DB ] || return 1 +- grep -q "^$(quote_bre $patch)\$" $DB ++ grep -q "^$(quote_grep_re $patch)\$" $DB + } + + applied_patches() +@@ -465,7 +471,7 @@ remove_from_db() + local tmpfile + if tmpfile=$(gen_tempfile) + then +- grep -v "^$(quote_bre $patch)\$" $DB > $tmpfile ++ grep -v "^$(quote_grep_re $patch)\$" $DB > $tmpfile + cat $tmpfile > $DB + rm -f $tmpfile + [ -s $DB ] || rm -f $DB +@@ -520,7 +526,7 @@ find_patch() + fi + + local patch=${1#$SUBDIR_DOWN$QUILT_PATCHES/} +- local bre=$(quote_bre "$patch") ++ local bre=$(quote_sed_re "$patch") + set -- $(sed -e "/^$bre\(\|\.patch\|\.diff\?\)\(\|\.gz\|\.bz2\|\.xz\|\.lzma\|\.lz\)\([ "$'\t'"]\|$\)/!d" \ + -e 's/[ '$'\t''].*//' "$SERIES") + if [ $# -eq 1 ] +@@ -631,7 +637,7 @@ files_in_patch() + then + find "$path" -type f \ + -a ! 
-path "$(quote_glob "$path")/.timestamp" | +- sed -e "s/$(quote_bre "$path")\///" ++ sed -e "s/$(quote_sed_re "$path")\///" + fi + } + +diff --git a/quilt/upgrade.in b/quilt/upgrade.in +index dbf7d05..866aa33 100644 +--- a/quilt/upgrade.in ++++ b/quilt/upgrade.in +@@ -74,7 +74,7 @@ printf $"Converting meta-data to version %s\n" "$DB_VERSION" + + for patch in $(applied_patches) + do +- proper_name="$(grep "^$(quote_bre $patch)"'\(\|\.patch\|\.diff?\)\(\|\.gz\|\.bz2\)\([ \t]\|$\)' $SERIES)" ++ proper_name="$(grep "^$(quote_grep_re $patch)"'\(\|\.patch\|\.diff?\)\(\|\.gz\|\.bz2\)\([ \t]\|$\)' $SERIES)" + proper_name=${proper_name#$QUILT_PATCHES/} + proper_name=${proper_name%% *} + if [ -z "$proper_name" ] +@@ -84,7 +84,7 @@ do + fi + + if [ "$patch" != "$proper_name" -a -d $QUILT_PC/$patch ] \ +- && grep -q "^$(quote_bre $patch)\$" \ ++ && grep -q "^$(quote_grep_re $patch)\$" \ + $QUILT_PC/applied-patches + then + mv $QUILT_PC/$patch $QUILT_PC/$proper_name \ +-- +cgit v1.1 + diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch deleted file mode 100644 index 044b4dd2a0..0000000000 --- a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen <pmatilai@redhat.com> -Date: Thu, 30 Sep 2021 09:56:20 +0300 -Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function - -No functional changes, just to reduce code duplication and needed by -the following commits. - -CVE: CVE-2021-3521 -Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - rpmio/rpmpgp.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c -index d0688ebe9a..e472b5320f 100644 ---- a/rpmio/rpmpgp.c -+++ b/rpmio/rpmpgp.c -@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype) - return algo; - } - -+static pgpDigParams pgpDigParamsNew(uint8_t tag) -+{ -+ pgpDigParams digp = xcalloc(1, sizeof(*digp)); -+ digp->tag = tag; -+ return digp; -+} -+ - int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, - pgpDigParams * ret) - { -@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, - if (pkttype && pkt.tag != pkttype) { - break; - } else { -- digp = xcalloc(1, sizeof(*digp)); -- digp->tag = pkt.tag; -+ digp = pgpDigParamsNew(pkt.tag); - } - } - -@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen, - digps = xrealloc(digps, alloced * sizeof(*digps)); - } - -- digps[count] = xcalloc(1, sizeof(**digps)); -- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY; -+ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY); - /* Copy UID from main key to subkey */ - digps[count]->userid = xstrdup(mainkey->userid); - --- -2.17.1 - 
diff --git a/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch b/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch index 6d236ac400..c6cf9d4c88 100644 --- a/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch +++ b/meta/recipes-devtools/rpm/files/0001-Do-not-hardcode-lib-rpm-as-the-installation-path-for.patch @@ -1,4 +1,4 @@ -From 8d013fe154a162305f76141151baf767dd04b598 Mon Sep 17 00:00:00 2001 +From 4ab6a4c5bbad65c3401016bb26b87214cdd0c59b Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Mon, 27 Feb 2017 09:43:30 +0200 Subject: [PATCH] Do not hardcode "lib/rpm" as the installation path for @@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac -index eb7d6941b..10a889b5d 100644 +index 372875fc4..1b7add9ee 100644 --- a/configure.ac +++ b/configure.ac -@@ -871,7 +871,7 @@ else +@@ -884,7 +884,7 @@ else usrprefix=$prefix fi @@ -27,10 +27,10 @@ index eb7d6941b..10a889b5d 100644 AC_SUBST(OBJDUMP) diff --git a/macros.in b/macros.in -index a1f795e5f..689e784ef 100644 +index d53ab5ed5..9d10441c8 100644 --- a/macros.in +++ b/macros.in -@@ -933,7 +933,7 @@ package or when debugging this package.\ +@@ -911,7 +911,7 @@ package or when debugging this package.\ %_sharedstatedir %{_prefix}/com %_localstatedir %{_prefix}/var %_lib lib @@ -40,7 +40,7 @@ index a1f795e5f..689e784ef 100644 %_infodir %{_datadir}/info %_mandir %{_datadir}/man diff --git a/rpm.am b/rpm.am -index 7b57f433b..9bbb9ee96 100644 +index ebe4e40d1..e6920e258 100644 --- a/rpm.am +++ b/rpm.am @@ -1,10 +1,10 @@ @@ -55,4 +55,4 @@ index 7b57f433b..9bbb9ee96 100644 +rpmconfigdir = $(libdir)/rpm # Libtool version (current-revision-age) for all our libraries - rpm_version_info = 11:0:2 + rpm_version_info = 12:0:3 
diff --git a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch index 4020a31092..2a0069cafe 100644 --- a/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch +++ b/meta/recipes-devtools/rpm/files/0001-When-cross-installing-execute-package-scriptlets-wit.patch @@ -28,11 +28,18 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> lib/rpmscript.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) -diff --git a/lib/rpmscript.c b/lib/rpmscript.c -index cc98c4885..f8bd3df04 100644 --- a/lib/rpmscript.c +++ b/lib/rpmscript.c -@@ -394,8 +394,7 @@ exit: +@@ -17,7 +17,7 @@ + #include "rpmio/rpmio_internal.h" + + #include "lib/rpmplugins.h" /* rpm plugins hooks */ +- ++#include "lib/rpmchroot.h" /* rpmChrootOut */ + #include "debug.h" + + struct scriptNextFileFunc_s { +@@ -391,8 +391,7 @@ exit: Fclose(out); /* XXX dup'd STDOUT_FILENO */ if (fn) { @@ -42,7 +49,7 @@ index cc98c4885..f8bd3df04 100644 free(fn); } free(mline); -@@ -428,7 +427,13 @@ rpmRC rpmScriptRun(rpmScript script, int arg1, int arg2, FD_t scriptFd, +@@ -426,7 +425,13 @@ rpmRC rpmScriptRun(rpmScript script, int if (rc != RPMRC_FAIL) { if (script_type & RPMSCRIPTLET_EXEC) { @@ -57,6 +64,3 @@ index cc98c4885..f8bd3df04 100644 } else { rc = runLuaScript(plugins, prefixes, script->descr, lvl, scriptFd, &args, script->body, arg1, arg2, &script->nextFileFunc); } --- -2.11.0 - diff --git a/meta/recipes-devtools/rpm/files/0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch b/meta/recipes-devtools/rpm/files/0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch new file mode 100644 index 0000000000..2174a79e75 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch 
@@ -0,0 +1,31 @@ +From 8f51462d41d8fe942d5d0a06f08d47f625141995 Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Thu, 4 Aug 2022 12:15:08 +0200 +Subject: [PATCH] configure.ac: add linux-gnux32 variant to triplet handling + +x32 is a 64 bit x86 ABI with 32 bit pointers. + +Upstream-Status: Submitted [https://github.com/rpm-software-management/rpm/pull/2143] +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + configure.ac | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 372875fc49..7d6a3d274e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -845,6 +845,10 @@ if echo "$host_os" | grep '.*-gnuabi64$' > /dev/null ; then + host_os=`echo "${host_os}" | sed 's/-gnuabi64$//'` + host_os_gnu=-gnuabi64 + fi ++if echo "$host_os" | grep '.*-gnux32$' > /dev/null ; then ++ host_os=`echo "${host_os}" | sed 's/-gnux32$//'` ++ host_os_gnu=-gnux32 ++fi + if echo "$host_os" | grep '.*-gnu$' > /dev/null ; then + host_os=`echo "${host_os}" | sed 's/-gnu$//'` + fi +-- +2.30.2 + diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch deleted file mode 100644 index 683b57d455..0000000000 --- a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen <pmatilai@redhat.com> -Date: Thu, 30 Sep 2021 09:51:10 +0300 -Subject: [PATCH 2/3] Process MPI's from all kinds of signatures - -No immediate effect but needed by the following commits. - -CVE: CVE-2021-3521 -Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> - ---- - rpmio/rpmpgp.c | 13 +++++-------- - 1 file changed, 5 insertions(+), 8 deletions(-) - -diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c -index 25f67048fd..509e777e6d 100644 ---- a/rpmio/rpmpgp.c -+++ b/rpmio/rpmpgp.c -@@ -543,7 +543,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg) - return NULL; - } - --static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype, -+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, - const uint8_t *p, const uint8_t *h, size_t hlen, - pgpDigParams sigp) - { -@@ -556,10 +556,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype, - int mpil = pgpMpiLen(p); - if (pend - p < mpil) - break; -- if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) { -- if (sigalg->setmpi(sigalg, i, p)) -- break; -- } -+ if (sigalg->setmpi(sigalg, i, p)) -+ break; - p += mpil; - } - -@@ -619,7 +617,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, - } - - p = ((uint8_t *)v) + sizeof(*v); -- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); -+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp); - } break; - case 4: - { pgpPktSigV4 v = (pgpPktSigV4)h; -@@ -677,8 +675,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen, - p += 2; - if (p > hend) - return 1; -- -- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp); -+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp); - } break; - default: - rpmlog(RPMLOG_WARNING, _("Unsupported 
version of signature: V%d\n"), version); --- -2.17.1 - diff --git a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch deleted file mode 100644 index a5ec802501..0000000000 --- a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch +++ /dev/null 
@@ -1,329 +0,0 @@ -From 07676ca03ad8afcf1ca95a2353c83fbb1d970b9b Mon Sep 17 00:00:00 2001 -From: Panu Matilainen <pmatilai@redhat.com> -Date: Thu, 30 Sep 2021 09:59:30 +0300 -Subject: [PATCH 3/3] Validate and require subkey binding signatures on PGP - public keys - -All subkeys must be followed by a binding signature by the primary key -as per the OpenPGP RFC, enforce the presence and validity in the parser. - -The implementation is as kludgey as they come to work around our -simple-minded parser structure without touching API, to maximise -backportability. Store all the raw packets internally as we decode them -to be able to access previous elements at will, needed to validate ordering -and access the actual data. Add testcases for manipulated keys whose -import previously would succeed. - -Depends on the two previous commits: -7b399fcb8f52566e6f3b4327197a85facd08db91 and -236b802a4aa48711823a191d1b7f753c82a89ec5 - -Fixes CVE-2021-3521. - -Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9] -CVE:CVE-2021-3521 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> - ---- - rpmio/rpmpgp.c | 99 +++++++++++++++++-- - tests/Makefile.am | 3 + - tests/data/keys/CVE-2021-3521-badbind.asc | 25 +++++ - .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++ - tests/data/keys/CVE-2021-3521-nosubsig.asc | 37 +++++++ - tests/rpmsigdig.at | 28 ++++++ - 6 files changed, 209 insertions(+), 8 deletions(-) - create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc - create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc - create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc - -diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c -index 509e777e6d..371ad4d9b6 100644 ---- a/rpmio/rpmpgp.c -+++ b/rpmio/rpmpgp.c -@@ -1061,33 +1061,116 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag) - return digp; - } - -+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag) -+{ -+ int rc = -1; -+ if (pkt->tag == 
exptag) { -+ uint8_t head[] = { -+ 0x99, -+ (pkt->blen >> 8), -+ (pkt->blen ), -+ }; -+ -+ rpmDigestUpdate(hash, head, 3); -+ rpmDigestUpdate(hash, pkt->body, pkt->blen); -+ rc = 0; -+ } -+ return rc; -+} -+ -+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig, -+ const struct pgpPkt *all, int i) -+{ -+ int rc = -1; -+ DIGEST_CTX hash = NULL; -+ -+ switch (selfsig->sigtype) { -+ case PGPSIGTYPE_SUBKEY_BINDING: -+ hash = rpmDigestInit(selfsig->hash_algo, 0); -+ if (hash) { -+ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY); -+ if (!rc) -+ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY); -+ } -+ break; -+ default: -+ /* ignore types we can't handle */ -+ rc = 0; -+ break; -+ } -+ -+ if (hash && rc == 0) -+ rc = pgpVerifySignature(key, selfsig, hash); -+ -+ rpmDigestFinal(hash, NULL, NULL, 0); -+ -+ return rc; -+} -+ - int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype, - pgpDigParams * ret) - { - const uint8_t *p = pkts; - const uint8_t *pend = pkts + pktlen; - pgpDigParams digp = NULL; -- struct pgpPkt pkt; -+ pgpDigParams selfsig = NULL; -+ int i = 0; -+ int alloced = 16; /* plenty for normal cases */ -+ struct pgpPkt *all = xmalloc(alloced * sizeof(*all)); - int rc = -1; /* assume failure */ -+ int expect = 0; -+ int prevtag = 0; - - while (p < pend) { -- if (decodePkt(p, (pend - p), &pkt)) -+ struct pgpPkt *pkt = &all[i]; -+ if (decodePkt(p, (pend - p), pkt)) - break; - - if (digp == NULL) { -- if (pkttype && pkt.tag != pkttype) { -+ if (pkttype && pkt->tag != pkttype) { - break; - } else { -- digp = pgpDigParamsNew(pkt.tag); -+ digp = pgpDigParamsNew(pkt->tag); - } - } - -- if (pgpPrtPkt(&pkt, digp)) -+ if (expect) { -+ if (pkt->tag != expect) -+ break; -+ selfsig = pgpDigParamsNew(pkt->tag); -+ } -+ if (pgpPrtPkt(pkt, selfsig ? 
selfsig : digp)) - break; - -- p += (pkt.body - pkt.head) + pkt.blen; -- if (pkttype == PGPTAG_SIGNATURE) -- break; -+ if (selfsig) { -+ /* subkeys must be followed by binding signature */ -+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) { -+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING) -+ break; -+ } -+ -+ int xx = pgpVerifySelf(digp, selfsig, all, i); -+ -+ selfsig = pgpDigParamsFree(selfsig); -+ if (xx) -+ break; -+ expect = 0; -+ } -+ -+ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY) -+ expect = PGPTAG_SIGNATURE; -+ prevtag = pkt->tag; -+ -+ i++; -+ p += (pkt->body - pkt->head) + pkt->blen; -+ if (pkttype == PGPTAG_SIGNATURE) -+ break; -+ -+ if (alloced <= i) { -+ alloced *= 2; -+ all = xrealloc(all, alloced * sizeof(*all)); -+ } -+ - } - - rc = (digp && (p == pend)) ? 0 : -1; -diff --git a/tests/Makefile.am b/tests/Makefile.am -index a41ce10de8..7bb23247f1 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec - EXTRA_DIST += data/SPECS/hello-cd.spec - EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub - EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret -+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc -+EXTRA_DIST += data/keys/CVE-2022-3521-nosubsig.asc -+EXTRA_DIST += data/keys/CVE-2022-3521-nosubsig-last.asc - EXTRA_DIST += data/macros.testfile - EXTRA_DIST += data/macros.debug - EXTRA_DIST += data/SOURCES/foo.c -diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc -new file mode 100644 -index 0000000000..aea00f9d7a ---- /dev/null -+++ b/tests/data/keys/CVE-2021-3521-badbind.asc -@@ -0,0 +1,25 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Version: rpm-4.17.90 (NSS-3) -+ -+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g -+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY -+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 -+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas 
-+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ -+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl -+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK -+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf -+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB -+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr -+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX -+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq -++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN -+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY -+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz -+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 -+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c -+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m -+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= -+=WCfs -+-----END PGP PUBLIC KEY BLOCK----- -+ -diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc -new file mode 100644 -index 0000000000..aea00f9d7a ---- /dev/null -+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc -@@ -0,0 +1,25 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Version: rpm-4.17.90 (NSS-3) -+ -+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g -+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY -+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 -+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas -+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ -+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl -+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK -+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf -+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB 
-+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr -+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX -+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq -++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN -+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY -+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz -+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 -+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c -+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m -+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE= -+=WCfs -+-----END PGP PUBLIC KEY BLOCK----- -+ -diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc -new file mode 100644 -index 0000000000..3a2e7417f8 ---- /dev/null -+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc -@@ -0,0 +1,37 @@ -+-----BEGIN PGP PUBLIC KEY BLOCK----- -+Version: rpm-4.17.90 (NSS-3) -+ -+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g -+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY -+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8 -+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas -+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ -+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl -+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK -+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf -+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB -+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr -+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX -+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq -++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN -+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY 
-+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz -+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6 -+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c -+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m -+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4 -+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En -+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ -+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF -+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/ -+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB -+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j -+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos -+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ -+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX -+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ -+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ -+E4XX4jtDmdZPreZALsiB -+=rRop -+-----END PGP PUBLIC KEY BLOCK----- -+ -diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at -index 8e7c759b8f..e2d30a7f1b 100644 ---- a/tests/rpmsigdig.at -+++ b/tests/rpmsigdig.at -@@ -2,6 +2,34 @@ - - AT_BANNER([RPM signatures and digests]) - -+AT_SETUP([rpmkeys --import invalid keys]) -+AT_KEYWORDS([rpmkeys import]) -+RPMDB_INIT -+ -+AT_CHECK([ -+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc -+], -+[1], -+[], -+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.] -+) -+AT_CHECK([ -+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc -+], -+[1], -+[], -+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.] -+) -+ -+AT_CHECK([ -+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc -+], -+[1], -+[], -+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.] 
-+) -+AT_CLEANUP -+ - # ------------------------------ - # Test pre-built package verification - AT_SETUP([rpmkeys -Kv <unsigned> 1]) --- -2.17.1 - diff --git a/meta/recipes-devtools/rpm/rpm_4.17.0.bb b/meta/recipes-devtools/rpm/rpm_4.17.1.bb index c392ac0db4..9b6446f265 100644 --- a/meta/recipes-devtools/rpm/rpm_4.17.0.bb +++ b/meta/recipes-devtools/rpm/rpm_4.17.1.bb @@ -39,13 +39,11 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.17.x;protoc file://0001-tools-Add-error.h-for-non-glibc-case.patch \ file://0001-docs-do-not-build-manpages-requires-pandoc.patch \ file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \ - file://0001-CVE-2021-3521.patch \ - file://0002-CVE-2021-3521.patch \ - file://0003-CVE-2021-3521.patch \ + file://0001-configure.ac-add-linux-gnux32-variant-to-triplet-han.patch \ " PE = "1" -SRCREV = "3e74e8ba2dd5e76a5353d238dc7fc38651ce27b3" +SRCREV = "5bef402da334595ed9302b8bca1acdf5e88bfe11" S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch b/meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch new file mode 100644 index 0000000000..474d82db22 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch 
@@ -0,0 +1,173 @@ +From 785c0072c80c2f6e0839478453cf65fdeac15da0 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 29 Aug 2022 19:53:28 -0700 +Subject: [PATCH] Add missing prototypes to function declarations + +With Clang 15+ compiler -Wstrict-prototypes is triggering warnings which +are turned into errors with -Werror, this fixes the problem by adding +missing prototypes + +Fixes errors like +| log.c:134:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| static void syslog_init() +| ^ +| void + +Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032858.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + checksum.c | 2 +- + exclude.c | 2 +- + hlink.c | 3 +-- + lib/pool_alloc.c | 2 +- + log.c | 2 +- + main.c | 2 +- + syscall.c | 4 ++-- + zlib/crc32.c | 2 +- + zlib/trees.c | 2 +- + zlib/zutil.c | 4 ++-- + 10 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/checksum.c b/checksum.c +index fb8c0a0..174c28c 100644 +--- a/checksum.c ++++ b/checksum.c +@@ -629,7 +629,7 @@ int sum_end(char *sum) + return csum_len_for_type(cursum_type, 0); + } + +-void init_checksum_choices() ++void init_checksum_choices(void) + { + #ifdef SUPPORT_XXH3 + char buf[32816]; +diff --git a/exclude.c b/exclude.c +index adc82e2..79f5a82 100644 +--- a/exclude.c ++++ b/exclude.c +@@ -358,7 +358,7 @@ void implied_include_partial_string(const char *s_start, const char *s_end) + memcpy(partial_string_buf, s_start, partial_string_len); + } + +-void free_implied_include_partial_string() ++void free_implied_include_partial_string(void) + { + if (partial_string_buf) { + free(partial_string_buf); +diff --git a/hlink.c b/hlink.c +index 66810a3..6511dfb 100644 +--- a/hlink.c ++++ b/hlink.c +@@ -117,8 +117,7 @@ static void match_gnums(int32 *ndx_list, int ndx_count) + struct ht_int32_node *node = NULL; + int32 gnum, gnum_next; + +- qsort(ndx_list, ndx_count, sizeof 
ndx_list[0], (int (*)()) hlink_compare_gnum); +- ++ qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)(const void *, const void *)) hlink_compare_gnum); + for (from = 0; from < ndx_count; from++) { + file = hlink_flist->sorted[ndx_list[from]]; + gnum = F_HL_GNUM(file); +diff --git a/lib/pool_alloc.c b/lib/pool_alloc.c +index a1a7245..4eae062 100644 +--- a/lib/pool_alloc.c ++++ b/lib/pool_alloc.c +@@ -9,7 +9,7 @@ struct alloc_pool + size_t size; /* extent size */ + size_t quantum; /* allocation quantum */ + struct pool_extent *extents; /* top extent is "live" */ +- void (*bomb)(); /* called if malloc fails */ ++ void (*bomb)(const char *, const char *, int); /* called if malloc fails */ + int flags; + + /* statistical data */ +diff --git a/log.c b/log.c +index 44344e2..991e359 100644 +--- a/log.c ++++ b/log.c +@@ -131,7 +131,7 @@ static void logit(int priority, const char *buf) + } + } + +-static void syslog_init() ++static void syslog_init(void) + { + int options = LOG_PID; + +diff --git a/main.c b/main.c +index 9ebfbea..affa244 100644 +--- a/main.c ++++ b/main.c +@@ -244,7 +244,7 @@ void read_del_stats(int f) + stats.deleted_files += stats.deleted_specials = read_varint(f); + } + +-static void become_copy_as_user() ++static void become_copy_as_user(void) + { + char *gname; + uid_t uid; +diff --git a/syscall.c b/syscall.c +index d92074a..92ca86d 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -389,9 +389,9 @@ OFF_T do_lseek(int fd, OFF_T offset, int whence) + { + #ifdef HAVE_LSEEK64 + #if !SIZEOF_OFF64_T +- OFF_T lseek64(); ++ OFF_T lseek64(int fd, OFF_T offset, int whence); + #else +- off64_t lseek64(); ++ off64_t lseek64(int fd, off64_t offset, int whence); + #endif + return lseek64(fd, offset, whence); + #else +diff --git a/zlib/crc32.c b/zlib/crc32.c +index 05733f4..50c6c02 100644 +--- a/zlib/crc32.c ++++ b/zlib/crc32.c +@@ -187,7 +187,7 @@ local void write_table(out, table) + /* ========================================================================= + * 
This function can be used by asm versions of crc32() + */ +-const z_crc_t FAR * ZEXPORT get_crc_table() ++const z_crc_t FAR * ZEXPORT get_crc_table(void) + { + #ifdef DYNAMIC_CRC_TABLE + if (crc_table_empty) +diff --git a/zlib/trees.c b/zlib/trees.c +index 9c66770..0d9047e 100644 +--- a/zlib/trees.c ++++ b/zlib/trees.c +@@ -231,7 +231,7 @@ local void send_bits(s, value, length) + /* =========================================================================== + * Initialize the various 'constant' tables. + */ +-local void tr_static_init() ++local void tr_static_init(void) + { + #if defined(GEN_TREES_H) || !defined(STDC) + static int static_init_done = 0; +diff --git a/zlib/zutil.c b/zlib/zutil.c +index bbba7b2..61f8dc9 100644 +--- a/zlib/zutil.c ++++ b/zlib/zutil.c +@@ -27,12 +27,12 @@ z_const char * const z_errmsg[10] = { + ""}; + + +-const char * ZEXPORT zlibVersion() ++const char * ZEXPORT zlibVersion(void) + { + return ZLIB_VERSION; + } + +-uLong ZEXPORT zlibCompileFlags() ++uLong ZEXPORT zlibCompileFlags(void) + { + uLong flags; + +-- +2.37.2 + diff --git a/meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch b/meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch new file mode 100644 index 0000000000..1d9c4bfe48 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch 
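Review bot: The qsort() call in the hlink.c part of this patch still passes `hlink_compare_gnum` through a cast, now `(int (*)(const void *, const void *))`, so the compiler cannot check that the comparator really has that signature. If the comparator is declared with typed pointer parameters, calling it through the cast type is undefined behaviour, and the stricter prototype only hides that. Declaring it as `static int hlink_compare_gnum(const void *a, const void *b)` and dropping the cast would let the compiler check the call. The comparator's definition is outside the lines shown here, so its current signature should be confirmed first. The same change also deletes the blank line after the qsort() call, which is unrelated to the prototype fix.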
@@ -0,0 +1,68 @@ +From e64a58387db46239902b610871a0eb81626e99ff Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@cs.ucla.edu> +Date: Thu, 18 Aug 2022 07:46:28 -0700 +Subject: [PATCH] Turn on -pedantic-errors at the end of 'configure' + +Problem reported by Khem Raj in: +https://lists.gnu.org/r/autoconf-patches/2022-08/msg00009.html +Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032862.html] +--- + configure.ac | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d185b2d3..7e9514f7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1071,21 +1071,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then + with_included_popt=yes + fi + +-if test x"$GCC" = x"yes"; then +- if test x"$with_included_popt" != x"yes"; then +- # Turn pedantic warnings into errors to ensure an array-init overflow is an error. +- CFLAGS="$CFLAGS -pedantic-errors" +- else +- # Our internal popt code cannot be compiled with pedantic warnings as errors, so try to +- # turn off pedantic warnings (which will not lose the error for array-init overflow). +- # Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists +- # -Wpedantic and use that as a flag. +- case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in +- *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;; +- esac +- fi +-fi +- + AC_MSG_CHECKING([whether to use included libpopt]) + if test x"$with_included_popt" = x"yes"; then + AC_MSG_RESULT($srcdir/popt) +@@ -1444,6 +1429,26 @@ case "$CC" in + ;; + esac + ++# Enable -pedantic-errors last, so that it doesn't mess up other ++# 'configure' tests. For example, Autoconf uses empty function ++# prototypes like 'int main () {}' which Clang 15's -pedantic-errors ++# would reject. Generally it's not a good idea to try to run ++# 'configure' itself with strict compiler checking. 
++if test x"$GCC" = x"yes"; then ++ if test x"$with_included_popt" != x"yes"; then ++ # Turn pedantic warnings into errors to ensure an array-init overflow is an error. ++ CFLAGS="$CFLAGS -pedantic-errors" ++ else ++ # Our internal popt code cannot be compiled with pedantic warnings as errors, so try to ++ # turn off pedantic warnings (which will not lose the error for array-init overflow). ++ # Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists ++ # -Wpedantic and use that as a flag. ++ case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in ++ *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;; ++ esac ++ fi ++fi ++ + AC_CONFIG_FILES([Makefile lib/dummy zlib/dummy popt/dummy shconfig]) + AC_OUTPUT + +-- +2.37.1 + diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch deleted file mode 100644 index 2d51ddf965..0000000000 --- a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch +++ /dev/null 
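Review bot: The header of this new patch file has `Upstream-Status: Submitted [...]` but no `Signed-off-by:` trailer before the `---` separator. The other patch files added in this part of the diff each carry one, so this is the only carried change with no record of who imported it. Adding a `Signed-off-by:` line for the integrator after the Upstream-Status line would keep its provenance traceable.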
@@ -1,31 +0,0 @@ -From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001 -From: Matt McCutchen <matt@mattmccutchen.net> -Date: Wed, 26 Aug 2020 12:16:08 -0400 -Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using - openssl. - -CVE: CVE-2020-14387 - -Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414] - -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - rsync-ssl | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/rsync-ssl b/rsync-ssl -index 8101975..46701af 100755 ---- a/rsync-ssl -+++ b/rsync-ssl -@@ -129,7 +129,7 @@ function rsync_ssl_helper { - fi - - if [[ $RSYNC_SSL_TYPE == openssl ]]; then -- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port -+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port - elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then - exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port - else --- -2.17.1 - diff --git a/meta/recipes-devtools/rsync/files/makefile-no-rebuild.patch b/meta/recipes-devtools/rsync/files/makefile-no-rebuild.patch index 4ba7665280..42a6372ba7 100644 --- a/meta/recipes-devtools/rsync/files/makefile-no-rebuild.patch +++ b/meta/recipes-devtools/rsync/files/makefile-no-rebuild.patch @@ -1,4 +1,4 @@ -From 1f29584e57f5fda09970c66f3b94f4720e09c1bb Mon Sep 17 00:00:00 2001 +From 81700d1a0e51391028c761cc8ef1cd660084d114 Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Tue, 12 Apr 2016 15:51:54 +0100 Subject: [PATCH] rsync: remove upstream's rebuild logic @@ -14,12 +14,12 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> 1 file changed, 54 deletions(-) diff --git a/Makefile.in b/Makefile.in -index 672fcc4..c12d8d4 100644 +index 3cde955..d963a70 100644 --- a/Makefile.in 
+++ b/Makefile.in -@@ -168,60 +168,6 @@ gen: conf proto.h man - gensend: gen - rsync -aic $(GENFILES) $${SAMBA_HOST-samba.org}:/home/ftp/pub/rsync/generated-files/ +@@ -190,60 +190,6 @@ gensend: gen + fi + rsync -aic $(GENFILES) git-version.h $${SAMBA_HOST-samba.org}:/home/ftp/pub/rsync/generated-files/ || true -aclocal.m4: $(srcdir)/m4/*.m4 - aclocal -I $(srcdir)/m4 @@ -41,7 +41,7 @@ index 672fcc4..c12d8d4 100644 - else \ - echo "config.h.in has CHANGED."; \ - fi -- @if test -f configure.sh.old -o -f config.h.in.old; then \ +- @if test -f configure.sh.old || test -f config.h.in.old; then \ - if test "$(MAKECMDGOALS)" = reconfigure; then \ - echo 'Continuing with "make reconfigure".'; \ - else \ diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.5.bb index 6168ee85fc..983bdd5ab0 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.5.bb @@ -6,7 +6,7 @@ SECTION = "console/network" # GPL-2.0-or-later (<< 3.0.0), GPL-3.0-or-later (>= 3.0.0) # Includes opennsh and xxhash dynamic link exception LICENSE = "GPL-3.0-or-later" -LIC_FILES_CHKSUM = "file://COPYING;md5=9e5a4f9b3a253d51520617aa54f8eb26" +LIC_FILES_CHKSUM = "file://COPYING;md5=24423708fe159c9d12be1ea29fcb18c7" DEPENDS = "popt" @@ -14,10 +14,11 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://rsyncd.conf \ file://makefile-no-rebuild.patch \ file://determism.patch \ - file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \ + file://0001-Add-missing-prototypes-to-function-declarations.patch \ + file://0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch \ " -SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e" +SRC_URI[sha256sum] = "2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba" # -16548 required for v3.1.3pre1. Already in v3.1.3. CVE_CHECK_IGNORE += " CVE-2017-16548 " 
@@ -41,7 +42,17 @@ PACKAGECONFIG[zstd] = "--enable-zstd,--disable-zstd,zstd" CACHED_CONFIGUREVARS += "rsync_cv_can_hardlink_special=yes rsync_cv_can_hardlink_symlink=yes" EXTRA_OEMAKE = 'STRIP=""' -EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm --with-nobody-group=nogroup" +EXTRA_OECONF = "--disable-md2man --with-nobody-group=nogroup" + +#| ./simd-checksum-x86_64.cpp: In function 'uint32_t get_checksum1_cpp(char*, int32_t)': +#| ./simd-checksum-x86_64.cpp:89:52: error: multiversioning needs 'ifunc' which is not supported on this target +#| 89 | __attribute__ ((target("default"))) MVSTATIC int32 get_checksum1_avx2_64(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2) { return i; } +#| | ^~~~~~~~~~~~~~~~~~~~~ +#| ./simd-checksum-x86_64.cpp:480:1: error: use of multiversioned function without a default +#| 480 | } +#| | ^ +#| If you can't fix the issue, re-run ./configure with --disable-roll-simd. +EXTRA_OECONF:append:libc-musl = " --disable-roll-simd" # rsync 3.0 uses configure.sh instead of configure, and # makefile checks the existence of configure.sh diff --git a/meta/recipes-devtools/ruby/ruby.inc b/meta/recipes-devtools/ruby/ruby.inc deleted file mode 100644 index ebff5efd1f..0000000000 --- a/meta/recipes-devtools/ruby/ruby.inc +++ /dev/null 
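Review bot: The new `EXTRA_OECONF` drops `--disable-simd` and `--disable-asm` for every target, but the only explanation added is a pasted compiler log for the musl case. If those options were renamed upstream, as the `--disable-roll-simd` hint in the log suggests, the SIMD and assembler checksum code is now left to configure's auto-detection on all non-musl targets. A short comment above the assignment would make that intent reviewable, e.g. `# SIMD/asm checksums follow configure auto-detection; musl has no ifunc, so roll-simd is disabled there`. The exact option names should be confirmed against the new release's configure script.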
@@ -1,39 +0,0 @@ -SUMMARY = "An interpreter of object-oriented scripting language" -DESCRIPTION = "Ruby is an interpreted scripting language for quick \ -and easy object-oriented programming. It has many features to process \ -text files and to do system management tasks (as in Perl). \ -It is simple, straight-forward, and extensible. \ -" -HOMEPAGE = "http://www.ruby-lang.org/" -SECTION = "devel/ruby" -LICENSE = "Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT" -LIC_FILES_CHKSUM = "file://COPYING;md5=5b8c87559868796979806100db3f3805 \ - file://BSDL;md5=8b50bc6de8f586dc66790ba11d064d75 \ - file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://LEGAL;md5=f260190bc1e92e363f0ee3c0463d4c7c \ - " - -DEPENDS = "zlib openssl libyaml gdbm readline libffi" -DEPENDS:append:class-target = " ruby-native" - -SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" -SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ - file://0001-extmk-fix-cross-compilation-of-external-gems.patch \ - file://0002-Obey-LDFLAGS-for-the-link-of-libruby.patch \ - " -UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" - -inherit autotools ptest pkgconfig - - -# This snippet lets compiled extensions which rely on external libraries, -# such as zlib, compile properly. If we don't do this, then when extmk.rb -# runs, it uses the native libraries instead of the target libraries, and so -# none of the linking operations succeed -- which makes extconf.rb think -# that the libraries aren't available and hence that the extension can't be -# built. - -do_configure:prepend() { - sed -i "s#%%TARGET_CFLAGS%%#$CFLAGS#; s#%%TARGET_LDFLAGS%%#$LDFLAGS#" ${S}/common.mk - rm -rf ${S}/ruby/ -} diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch new file mode 100644 index 0000000000..d611c41dcc --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch 
@@ -0,0 +1,68 @@ +From db4bb57d4af6d097a0c29490536793d95f1d8983 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA <hsbt@ruby-lang.org> +Date: Mon, 24 Apr 2023 08:27:24 +0000 +Subject: [PATCH] Merge URI-0.12.1 + +CVE: CVE-2023-28755 + +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + lib/uri/rfc3986_parser.rb | 4 ++-- + lib/uri/version.rb | 2 +- + test/uri/test_common.rb | 11 +++++++++++ + 3 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3e07de4..3c89311 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module URI + class RFC3986_Parser # :nodoc: + # URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = 
/\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = 
/\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = 
/\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize +diff --git a/lib/uri/version.rb b/lib/uri/version.rb +index 82188e2..7497a7d 100644 +--- a/lib/uri/version.rb ++++ b/lib/uri/version.rb +@@ -1,6 +1,6 @@ + module URI + # :stopdoc: +- VERSION_CODE = '001100'.freeze ++ VERSION_CODE = '001201'.freeze + VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze + # :startdoc: + end +diff --git a/test/uri/test_common.rb b/test/uri/test_common.rb +index 5e30cda..1d34783 100644 +--- a/test/uri/test_common.rb ++++ b/test/uri/test_common.rb +@@ -78,6 +78,17 @@ class TestCommon < Test::Unit::TestCase + assert_raise(NoMethodError) { Object.new.URI("http://www.ruby-lang.org/") } + end + ++ def test_parse_timeout ++ pre = ->(n) { ++ 'https://example.com/dir/' + 'a' * (n * 100) + '/##.jpg' ++ } ++ assert_linear_performance((1..10).map {|i| i * 100}, rehearsal: 1000, pre: pre) do |uri| ++ 
assert_raise(URI::InvalidURIError) do ++ URI.parse(uri) ++ end ++ end ++ end ++ + def test_encode_www_form_component + assert_equal("%00+%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F09%3A%3B%3C%3D%3E%3F%40" \ + "AZ%5B%5C%5D%5E_%60az%7B%7C%7D%7E", +-- +2.35.5 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch new file mode 100644 index 0000000000..cf24b13f53 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch 
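Review bot: The test added to test/uri/test_common.rb, `test_parse_timeout`, calls `assert_linear_performance`, which this patch does not add. The tests in CVE-2023-28756.patch, CVE-2023-36617_1.patch and CVE-2023-36617_2.patch use the same helper. If the test support code of the Ruby release this recipe builds does not define it, these tests fail with NoMethodError instead of exercising the regexp fix, and the backports have no working regression check. Confirm that the helper exists in the unpacked source, or carry it alongside these patches.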
@@ -0,0 +1,73 @@ +From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA <hsbt@ruby-lang.org> +Date: Wed, 29 Mar 2023 13:28:25 +0900 +Subject: [PATCH] CVE-2023-28756 + +CVE: CVE-2023-28756 +Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + lib/time.gemspec | 2 +- + lib/time.rb | 6 +++--- + test/test_time.rb | 9 +++++++++ + 3 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/lib/time.gemspec b/lib/time.gemspec +index 72fba34..bada91a 100644 +--- a/lib/time.gemspec ++++ b/lib/time.gemspec +@@ -1,6 +1,6 @@ + Gem::Specification.new do |spec| + spec.name = "time" +- spec.version = "0.2.0" ++ spec.version = "0.2.2" + spec.authors = ["Tanaka Akira"] + spec.email = ["akr@fsij.org"] + +diff --git a/lib/time.rb b/lib/time.rb +index bd20a1a..6a13212 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -509,8 +509,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +@@ -701,7 +701,7 @@ class Time + # + # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise. + # +- # +fractional_digits+ specifies a number of digits to use for fractional ++ # +fraction_digits+ specifies a number of digits to use for fractional + # seconds. Its default value is 0. + # + # require 'time' +diff --git a/test/test_time.rb b/test/test_time.rb +index b50d841..23e8e10 100644 +--- a/test/test_time.rb ++++ b/test/test_time.rb +@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: + assert_equal(true, t.utc?) 
+ end + ++ def test_rfc2822_nonlinear ++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n} ++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| ++ assert_raise(ArgumentError) do ++ Time.rfc2822(s) ++ end ++ end ++ end ++ + if defined?(Ractor) + def test_rfc2822_ractor + assert_ractor(<<~RUBY, require: 'time') +-- +2.25.1 + diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch new file mode 100644 index 0000000000..57a15d302e --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch 
@@ -0,0 +1,52 @@ +From 9c2eb12776c1b5df2517a7e618e5fe818cc3395e Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 15:53:01 +0800 +Subject: [PATCH] ruby: Fix quadratic backtracking on invalid relative URI + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1] +CVE: CVE-2023-36617 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + lib/uri/rfc2396_parser.rb | 4 ++-- + test/uri/test_parser.rb | 12 ++++++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index 76a8f99..00c66cf 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -497,8 +497,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 03de137..01ed32a 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -63,4 +63,16 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal("\u3042", p1.unescape('%e3%81%82'.force_encoding(Encoding::US_ASCII))) + assert_equal("\xe3\x83\x90\xe3\x83\x90", p1.unescape("\xe3\x83\x90%e3%83%90")) + end ++ ++ def test_rfc2822_parse_relative_uri ++ pre = ->(length) { ++ " " * length + "\0" ++ } ++ parser = URI::RFC2396_Parser.new ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ parser.split(uri) ++ end ++ end ++ end + end +-- +2.40.0 
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch new file mode 100644 index 0000000000..ff558183b6 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch @@ -0,0 +1,47 @@ +From eea5868120509c245216c4b5c2d4b5db1c593d0e Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Thu, 27 Jul 2023 16:16:30 +0800 +Subject: [PATCH] ruby: Fix quadratic backtracking on invalid port number + +Upstream-Status: Backport [https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8] +CVE: CVE-2023-36617 +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 10 ++++++++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3c89311..cde3ea7 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -101,7 +101,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 01ed32a..81c2210 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -75,4 +75,14 @@ class URI::TestParser < Test::Unit::TestCase + end + end + end ++ ++ def test_rfc3986_port_check ++ pre = ->(length) {"\t" * length + "a"} ++ uri = URI.parse("http://my.example.com") ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port| ++ assert_raise(URI::InvalidComponentError) do ++ uri.port = port ++ end ++ end ++ end + end +-- +2.40.0 diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch new file mode 100644 index 0000000000..6f4b35a786 
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch
@@ -0,0 +1,97 @@ +From da7a0c7553ef7250ca665a3fecdc01dbaacbb43d Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada <nobu@ruby-lang.org> +Date: Mon, 15 Apr 2024 11:40:00 +0000 +Subject: [PATCH] Filter marshaled objets + +CVE: CVE-2024-27281 +Upstream-Status: Backport [https://github.com/ruby/rdoc/commit/da7a0c7553ef7250ca665a3fecdc01dbaacbb43d] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb +index 5ba671c..c793e49 100644 +--- a/lib/rdoc/store.rb ++++ b/lib/rdoc/store.rb +@@ -556,9 +556,7 @@ class RDoc::Store + def load_cache + #orig_enc = @encoding + +- File.open cache_path, 'rb' do |io| +- @cache = Marshal.load io.read +- end ++ @cache = marshal_load(cache_path) + + load_enc = @cache[:encoding] + +@@ -615,9 +613,7 @@ class RDoc::Store + def load_class_data klass_name + file = class_file klass_name + +- File.open file, 'rb' do |io| +- Marshal.load io.read +- end ++ marshal_load(file) + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name) + error.set_backtrace e.backtrace +@@ -630,14 +626,10 @@ class RDoc::Store + def load_method klass_name, method_name + file = method_file klass_name, method_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj.parent = +- find_class_or_module(klass_name) || load_class(klass_name) unless +- obj.parent +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name) ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name + method_name) + error.set_backtrace e.backtrace +@@ -650,11 +642,9 @@ class RDoc::Store + def load_page page_name + file = page_file page_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj +- end ++ obj = 
marshal_load(file) ++ obj.store = self ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, page_name) + error.set_backtrace e.backtrace +@@ -976,4 +966,21 @@ class RDoc::Store + @unique_modules + end + ++ private ++ def marshal_load(file) ++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)} ++ end ++ ++ MarshalFilter = proc do |obj| ++ case obj ++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text ++ else ++ unless obj.class.name.start_with?("RDoc::") ++ raise TypeError, "not permitted class: #{obj.class.name}" ++ end ++ end ++ obj ++ end ++ private_constant :MarshalFilter ++ + end +-- +2.35.5 diff --git a/meta/recipes-devtools/ruby/ruby_3.1.2.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 38ba46731b..2ad3c9e207 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.2.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
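Review bot: `MarshalFilter` in the added `lib/rdoc/store.rb` code has no comment explaining what it permits or when it runs, and both matter for anyone relying on it as the CVE-2024-27281 boundary. From the hunk, it accepts a fixed set of core types plus any object whose class name begins with `RDoc::`, and it is passed as the proc argument to `Marshal.load`. As far as I know, that proc is invoked on each object as it is deserialized rather than before the class is resolved, so it is a post-construction allowlist and should be described that way. I would add above the constant something like `# Allowlist for objects read from ri data: core value types and classes under RDoc:: only; anything else raises TypeError.` If the backport has to stay byte-identical to upstream, the same sentence fits in the patch header below the CVE tag.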
@@ -1,8 +1,25 @@ -require ruby.inc - -DEPENDS:append:libc-musl = " libucontext" - -SRC_URI += " \ +SUMMARY = "An interpreter of object-oriented scripting language" +DESCRIPTION = "Ruby is an interpreted scripting language for quick \ +and easy object-oriented programming. It has many features to process \ +text files and to do system management tasks (as in Perl). \ +It is simple, straight-forward, and extensible. \ +" +HOMEPAGE = "http://www.ruby-lang.org/" +SECTION = "devel/ruby" +LICENSE = "Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT" +LIC_FILES_CHKSUM = "file://COPYING;md5=5b8c87559868796979806100db3f3805 \ + file://BSDL;md5=8b50bc6de8f586dc66790ba11d064d75 \ + file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://LEGAL;md5=f260190bc1e92e363f0ee3c0463d4c7c \ + " + +DEPENDS = "zlib openssl libyaml gdbm readline libffi" +DEPENDS:append:class-target = " ruby-native" + +SHRT_VER = "${@oe.utils.trim_version("${PV}", 2)}" +SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ + file://0001-extmk-fix-cross-compilation-of-external-gems.patch \ + file://0002-Obey-LDFLAGS-for-the-link-of-libruby.patch \ file://remove_has_include_macros.patch \ file://run-ptest \ file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ 
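Review bot: The new `SRC_URI` fetches the interpreter tarball over plain `http://cache.ruby-lang.org/...`. The `SRC_URI[sha256sum]` set later in this recipe still pins the content, so this is defence in depth, but with HTTP the checksum is the only protection and the fetch is exposed to on-path interference. I would change the first entry to `SRC_URI = "https://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \`, and `HOMEPAGE` could likewise become `https://www.ruby-lang.org/`.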
@@ -12,9 +29,32 @@ SRC_URI += " \ file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \ file://0006-Make-gemspecs-reproducible.patch \ file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \ + file://CVE-2023-28756.patch \ + file://CVE-2023-28755.patch \ + file://CVE-2023-36617_1.patch \ + file://CVE-2023-36617_2.patch \ + file://CVE-2024-27281.patch \ " +UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" + +inherit autotools ptest pkgconfig + + +# This snippet lets compiled extensions which rely on external libraries, +# such as zlib, compile properly. If we don't do this, then when extmk.rb +# runs, it uses the native libraries instead of the target libraries, and so +# none of the linking operations succeed -- which makes extconf.rb think +# that the libraries aren't available and hence that the extension can't be +# built. + +do_configure:prepend() { + sed -i "s#%%TARGET_CFLAGS%%#$CFLAGS#; s#%%TARGET_LDFLAGS%%#$LDFLAGS#" ${S}/common.mk + rm -rf ${S}/ruby/ +} + +DEPENDS:append:libc-musl = " libucontext" -SRC_URI[sha256sum] = "61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e" +SRC_URI[sha256sum] = "5ea498a35f4cd15875200a52dde42b6eb179e1264e17d78732c3a57cd1c6ab9e" PACKAGECONFIG ??= "" PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service index 7f72f3388a..b6b81d5c1a 100644 --- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service +++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service @@ -1,7 +1,7 @@ [Unit] Description=Run pending postinsts DefaultDependencies=no -After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount +After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service Before=sysinit.target [Service] 
diff --git a/meta/recipes-devtools/rust/rust-common.inc b/meta/recipes-devtools/rust/rust-common.inc index ef70c48d0f..a73367bbd5 100644 --- a/meta/recipes-devtools/rust/rust-common.inc +++ b/meta/recipes-devtools/rust/rust-common.inc @@ -109,7 +109,7 @@ def llvm_features_from_target_fpu(d): # TARGET_FPU can be hard or soft. +soft-float tell llvm to use soft float # ABI. There is no option for hard. - fpu = d.getVar('TARGET_FPU', True) + fpu = d.getVar('TARGET_FPU') return ["+soft-float"] if fpu == "soft" else [] def llvm_features(d): @@ -119,12 +119,12 @@ def llvm_features(d): ## arm-unknown-linux-gnueabihf -DATA_LAYOUT[arm] = "e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64" -TARGET_ENDIAN[arm] = "little" -TARGET_POINTER_WIDTH[arm] = "32" -TARGET_C_INT_WIDTH[arm] = "32" -MAX_ATOMIC_WIDTH[arm] = "64" -FEATURES[arm] = "+v6,+vfp2" +DATA_LAYOUT[arm-eabi] = "e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64" +TARGET_ENDIAN[arm-eabi] = "little" +TARGET_POINTER_WIDTH[arm-eabi] = "32" +TARGET_C_INT_WIDTH[arm-eabi] = "32" +MAX_ATOMIC_WIDTH[arm-eabi] = "64" +FEATURES[arm-eabi] = "+v6,+vfp2" ## armv7-unknown-linux-gnueabihf DATA_LAYOUT[armv7-eabi] = "e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64" @@ -297,6 +297,12 @@ def rust_gen_target(d, thing, wd, features, cpu, arch, abi=""): sys = sys_for(d, thing) prefix = prefix_for(d, thing) + if thing == "TARGET": + abi = d.getVar('ABIEXTENSION') + # arm and armv7 have different targets in llvm + if arch == "arm" and target_is_armv7(d): + arch = 'armv7' + rust_arch = oe.rust.arch_to_rust_arch(arch) if abi: 
@@ -307,9 +313,13 @@ def rust_gen_target(d, thing, wd, features, cpu, arch, abi=""): features = features or d.getVarFlag('FEATURES', arch_abi) or "" features = features.strip() + llvm_target = d.getVar('RUST_TARGET_SYS') + if thing == "BUILD": + llvm_target = d.getVar('RUST_HOST_SYS') + # build tspec tspec = {} - tspec['llvm-target'] = d.getVar('RUST_TARGET_SYS', arch_abi) + tspec['llvm-target'] = llvm_target tspec['data-layout'] = d.getVarFlag('DATA_LAYOUT', arch_abi) tspec['max-atomic-width'] = int(d.getVarFlag('MAX_ATOMIC_WIDTH', arch_abi)) tspec['target-pointer-width'] = d.getVarFlag('TARGET_POINTER_WIDTH', arch_abi) diff --git a/meta/recipes-devtools/rust/rust-cross-canadian-common.inc b/meta/recipes-devtools/rust/rust-cross-canadian-common.inc index 1f21c8af26..df4901f1fa 100644 --- a/meta/recipes-devtools/rust/rust-cross-canadian-common.inc +++ b/meta/recipes-devtools/rust/rust-cross-canadian-common.inc @@ -27,9 +27,10 @@ DEBUG_PREFIX_MAP = "-fdebug-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDP python do_rust_gen_targets () { wd = d.getVar('WORKDIR') + '/targets/' - rust_gen_target(d, 'TARGET', wd, d.getVar('TARGET_LLVM_FEATURES') or "", d.getVar('TARGET_LLVM_CPU'), d.getVar('TARGET_ARCH')) - rust_gen_target(d, 'HOST', wd, "", "generic", d.getVar('HOST_ARCH')) + # Order of BUILD, HOST, TARGET is important in case the files overwrite, most specific last rust_gen_target(d, 'BUILD', wd, "", "generic", d.getVar('BUILD_ARCH')) + rust_gen_target(d, 'HOST', wd, "", "generic", d.getVar('HOST_ARCH')) + rust_gen_target(d, 'TARGET', wd, d.getVar('TARGET_LLVM_FEATURES') or "", d.getVar('TARGET_LLVM_CPU'), d.getVar('TARGET_ARCH')) } INHIBIT_DEFAULT_RUST_DEPS = "1" diff --git a/meta/recipes-devtools/rust/rust-cross.inc b/meta/recipes-devtools/rust/rust-cross.inc index f6babfeeda..2e47a3aa5f 100644 --- a/meta/recipes-devtools/rust/rust-cross.inc +++ b/meta/recipes-devtools/rust/rust-cross.inc 
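Review bot: In the `llvm_target` selection added to `rust_gen_target`, only `thing == "BUILD"` is special-cased (to `RUST_HOST_SYS`), so both `HOST` and `TARGET` end up with `RUST_TARGET_SYS`. That may well be intended, but the pairing of BUILD with the HOST variable and HOST with the TARGET variable reads like a mix-up, and nothing in the hunk says why it is right. It deserves particular attention for the cross-canadian caller in this same commit, where the three can differ. I would add a line such as `# llvm-target: BUILD specs use RUST_HOST_SYS; HOST and TARGET specs use RUST_TARGET_SYS because ...` with the actual reason filled in. The function body continues outside the hunk.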
@@ -1,22 +1,9 @@ python do_rust_gen_targets () { wd = d.getVar('WORKDIR') + '/targets/' - # It is important 'TARGET' is last here so that it overrides our less - # informed choices for BUILD & HOST if TARGET happens to be the same as - # either of them. - for thing in ['BUILD', 'HOST', 'TARGET']: - bb.debug(1, "rust_gen_target for " + thing) - features = "" - cpu = "generic" - arch = d.getVar('{}_ARCH'.format(thing)) - abi = "" - if thing is "TARGET": - abi = d.getVar('ABIEXTENSION') - # arm and armv7 have different targets in llvm - if arch == "arm" and target_is_armv7(d): - arch = 'armv7' - features = d.getVar('TARGET_LLVM_FEATURES') or "" - cpu = d.getVar('TARGET_LLVM_CPU') - rust_gen_target(d, thing, wd, features, cpu, arch, abi) + # Order of BUILD, HOST, TARGET is important in case the files overwrite, most specific last + rust_gen_target(d, 'BUILD', wd, "", "generic", d.getVar('BUILD_ARCH')) + rust_gen_target(d, 'HOST', wd, "", "generic", d.getVar('HOST_ARCH')) + rust_gen_target(d, 'TARGET', wd, d.getVar('TARGET_LLVM_FEATURES') or "", d.getVar('TARGET_LLVM_CPU'), d.getVar('TARGET_ARCH')) } # Otherwise we'll depend on what we provide diff --git a/meta/recipes-devtools/rust/rust-llvm.inc b/meta/recipes-devtools/rust/rust-llvm.inc index 5c2ccdac9a..416a07cd40 100644 --- a/meta/recipes-devtools/rust/rust-llvm.inc +++ b/meta/recipes-devtools/rust/rust-llvm.inc @@ -3,7 +3,9 @@ LICENSE ?= "Apache-2.0-with-LLVM-exception" HOMEPAGE = "http://www.rust-lang.org" SRC_URI += "file://0002-llvm-allow-env-override-of-exe-path.patch;striplevel=2 \ - file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2" + file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2 \ + file://0003-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \ +" S = "${RUSTSRC}/src/llvm-project/llvm" 
@@ -23,9 +25,11 @@ CXXFLAGS:remove = "-g" LLVM_DIR = "llvm${LLVM_RELEASE}" +RUST_LLVM_TARGETS ?= "ARM;AArch64;Mips;PowerPC;RISCV;X86" + EXTRA_OECMAKE = " \ -DCMAKE_BUILD_TYPE=Release \ - -DLLVM_TARGETS_TO_BUILD='ARM;AArch64;Mips;PowerPC;RISCV;X86' \ + -DLLVM_TARGETS_TO_BUILD='${RUST_LLVM_TARGETS}' \ -DLLVM_BUILD_DOCS=OFF \ -DLLVM_ENABLE_TERMINFO=OFF \ -DLLVM_ENABLE_ZLIB=OFF \ diff --git a/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch b/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch new file mode 100644 index 0000000000..6ed23aa9c5 --- /dev/null +++ b/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch 
@@ -0,0 +1,32 @@ +From a94bf34221fc4519bd8ec72560c2d363ffe2de4c Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich <slyich@gmail.com> +Date: Mon, 23 May 2022 08:03:23 +0100 +Subject: [PATCH] [Support] Add missing <cstdint> header to Signals.h + +Without the change llvm build fails on this week's gcc-13 snapshot as: + + [ 0%] Building CXX object lib/Support/CMakeFiles/LLVMSupport.dir/Signals.cpp.o + In file included from llvm/lib/Support/Signals.cpp:14: + llvm/include/llvm/Support/Signals.h:119:8: error: variable or field 'CleanupOnSignal' declared void + 119 | void CleanupOnSignal(uintptr_t Context); + | ^~~~~~~~~~~~~~~ + +Upstream-Status: Backport [llvmorg-15.0.0 ff1681ddb303223973653f7f5f3f3435b48a1983] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com> +--- + llvm/include/llvm/Support/Signals.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/llvm/include/llvm/Support/Signals.h b/llvm/include/llvm/Support/Signals.h +index 44f5a750ff5c..937e0572d4a7 100644 +--- a/llvm/include/llvm/Support/Signals.h ++++ b/llvm/include/llvm/Support/Signals.h +@@ -14,6 +14,7 @@ + #ifndef LLVM_SUPPORT_SIGNALS_H + #define LLVM_SUPPORT_SIGNALS_H + ++#include <cstdint> + #include <string> + + namespace llvm { diff --git a/meta/recipes-devtools/rust/rust-source.inc b/meta/recipes-devtools/rust/rust-source.inc index ea70ad786f..c377a680a7 100644 --- a/meta/recipes-devtools/rust/rust-source.inc +++ b/meta/recipes-devtools/rust/rust-source.inc @@ -5,3 +5,6 @@ RUSTSRC = "${WORKDIR}/rustc-${PV}-src" UPSTREAM_CHECK_URI = "https://forge.rust-lang.org/infra/other-installation-methods.html" UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src" + +#CVE-2024-24576 is specific to Microsoft Windows +CVE_CHECK_IGNORE += "CVE-2024-24576" diff --git a/meta/recipes-devtools/rust/rust.inc b/meta/recipes-devtools/rust/rust.inc index f39228e3c0..008b2ce4a4 100644 --- a/meta/recipes-devtools/rust/rust.inc 
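Review bot: The `CVE_CHECK_IGNORE += "CVE-2024-24576"` added to `rust-source.inc` is unconditional, and this include is shared by every Rust recipe variant that pulls in the source. The comment gives the reason (Windows-specific), which is good. If any configuration using this layer builds Rust for a Windows host, though, the exclusion would silently hide an applicable finding from cve-check. I would make the scope explicit in the comment, for example `# CVE-2024-24576 is specific to Microsoft Windows; no Windows host or target is built from this recipe`, or make the ignore conditional if that assumption does not always hold.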
+++ b/meta/recipes-devtools/rust/rust.inc @@ -79,7 +79,7 @@ python do_configure() { config = configparser.RawConfigParser() # [target.ARCH-poky-linux] - target_section = "target.{}".format(d.getVar('TARGET_SYS', True)) + target_section = "target.{}".format(d.getVar('TARGET_SYS')) config.add_section(target_section) llvm_config = d.expand("${YOCTO_ALTERNATE_EXE_PATH}") @@ -90,7 +90,7 @@ python do_configure() { # If we don't do this rust-native will compile it's own llvm for BUILD. # [target.${BUILD_ARCH}-unknown-linux-gnu] - target_section = "target.{}".format(d.getVar('SNAPSHOT_BUILD_SYS', True)) + target_section = "target.{}".format(d.getVar('SNAPSHOT_BUILD_SYS')) config.add_section(target_section) config.set(target_section, "llvm-config", e(llvm_config)) 
@@ -124,26 +124,26 @@ python do_configure() { config.set("build", "vendor", e(True)) if not "targets" in locals(): - targets = [d.getVar("TARGET_SYS", True)] + targets = [d.getVar("TARGET_SYS")] config.set("build", "target", e(targets)) if not "hosts" in locals(): - hosts = [d.getVar("HOST_SYS", True)] + hosts = [d.getVar("HOST_SYS")] config.set("build", "host", e(hosts)) # We can't use BUILD_SYS since that is something the rust snapshot knows # nothing about when trying to build some stage0 tools (like fabricate) - config.set("build", "build", e(d.getVar("SNAPSHOT_BUILD_SYS", True))) + config.set("build", "build", e(d.getVar("SNAPSHOT_BUILD_SYS"))) # [install] config.add_section("install") # ./x.py install doesn't have any notion of "destdir" # but we can prepend ${D} to all the directories instead - config.set("install", "prefix", e(d.getVar("D", True) + d.getVar("prefix", True))) - config.set("install", "bindir", e(d.getVar("D", True) + d.getVar("bindir", True))) - config.set("install", "libdir", e(d.getVar("D", True) + d.getVar("libdir", True))) - config.set("install", "datadir", e(d.getVar("D", True) + d.getVar("datadir", True))) - config.set("install", "mandir", e(d.getVar("D", True) + d.getVar("mandir", True))) + config.set("install", "prefix", e(d.getVar("D") + d.getVar("prefix"))) + config.set("install", "bindir", e(d.getVar("D") + d.getVar("bindir"))) + config.set("install", "libdir", e(d.getVar("D") + d.getVar("libdir"))) + config.set("install", "datadir", e(d.getVar("D") + d.getVar("datadir"))) + config.set("install", "mandir", e(d.getVar("D") + d.getVar("mandir"))) with open("config.toml", "w") as f: f.write('changelog-seen = 2\n\n') diff --git a/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch b/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch deleted file mode 100644 index 235e803641..0000000000 
--- a/meta/recipes-devtools/strace/strace/0001-caps-abbrev.awk-fix-gawk-s-path.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 597cc206d982e7237eb93fdc33e8c4bb6bb2d796 Mon Sep 17 00:00:00 2001 -From: Robert Yang <liezhi.yang@windriver.com> -Date: Thu, 9 Feb 2017 01:27:49 -0800 -Subject: [PATCH] caps-abbrev.awk: fix gawk's path - -It should be /usr/bin/gawk as other scripts use in this package. - -Upstream-Status: Pending - -Signed-off-by: Robert Yang <liezhi.yang@windriver.com> - ---- - tests-m32/caps-abbrev.awk | 2 +- - tests-mx32/caps-abbrev.awk | 2 +- - tests/caps-abbrev.awk | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests-m32/caps-abbrev.awk b/tests-m32/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests-m32/caps-abbrev.awk -+++ b/tests-m32/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # -diff --git a/tests-mx32/caps-abbrev.awk b/tests-mx32/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests-mx32/caps-abbrev.awk -+++ b/tests-mx32/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # -diff --git a/tests/caps-abbrev.awk b/tests/caps-abbrev.awk -index c00023b..a56cd56 100644 ---- a/tests/caps-abbrev.awk -+++ b/tests/caps-abbrev.awk -@@ -1,4 +1,4 @@ --#!/bin/gawk -+#!/usr/bin/gawk - # - # This file is part of caps strace test. - # diff --git a/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch b/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch new file mode 100644 index 0000000000..b4c6ff99de --- /dev/null +++ b/meta/recipes-devtools/strace/strace/3bbfb541b258baec9eba674b5d8dc30007a61542.patch 
@@ -0,0 +1,50 @@ +From 3bbfb541b258baec9eba674b5d8dc30007a61542 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" <ldv@strace.io> +Date: Wed, 21 Jun 2023 08:00:00 +0000 +Subject: [PATCH] net: enhance getsockopt decoding + +When getsockopt syscall fails the kernel sometimes updates the optlen +argument, for example, NETLINK_LIST_MEMBERSHIPS updates it even if +optval is not writable. + +* src/net.c (SYS_FUNC(getsockopt)): Try to fetch and print optlen +argument on exiting syscall regardless of getsockopt exit status. + +Upstream-Status: Backport +--- + src/net.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/net.c b/src/net.c +index f68ccb947..7244b5e57 100644 +--- a/src/net.c ++++ b/src/net.c +@@ -1038,7 +1038,7 @@ SYS_FUNC(getsockopt) + } else { + ulen = get_tcb_priv_ulong(tcp); + +- if (syserror(tcp) || umove(tcp, tcp->u_arg[4], &rlen) < 0) { ++ if (umove(tcp, tcp->u_arg[4], &rlen) < 0) { + /* optval */ + printaddr(tcp->u_arg[3]); + tprint_arg_next(); +@@ -1047,6 +1047,19 @@ SYS_FUNC(getsockopt) + tprint_indirect_begin(); + PRINT_VAL_D(ulen); + tprint_indirect_end(); ++ } else if (syserror(tcp)) { ++ /* optval */ ++ printaddr(tcp->u_arg[3]); ++ tprint_arg_next(); ++ ++ /* optlen */ ++ tprint_indirect_begin(); ++ if (ulen != rlen) { ++ PRINT_VAL_D(ulen); ++ tprint_value_changed(); ++ } ++ PRINT_VAL_D(rlen); ++ tprint_indirect_end(); + } else { + /* optval */ + print_getsockopt(tcp, tcp->u_arg[1], tcp->u_arg[2], diff --git a/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch b/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch new file mode 100644 index 0000000000..a0843836c2 --- /dev/null +++ b/meta/recipes-devtools/strace/strace/f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch 
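Review bot: The header of this new strace patch carries a bare `Upstream-Status: Backport` with no reference, so the upstream commit can only be inferred from the file name. The second new strace patch (`f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch`) has the same bare tag, and there it also sits below the `---` separator and diffstat rather than in the message body. For traceability when the recipe is next upgraded, I would write `Upstream-Status: Backport [<upstream commit URL>]` in both and move the second one above the `---` line. A short note on why the decoder change is needed alongside the test update would help too.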
@@ -0,0 +1,50 @@ +From f31c2f4494779e5c5f170ad10539bfc2dfafe967 Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" <ldv@strace.io> +Date: Sat, 24 Jun 2023 08:00:00 +0000 +Subject: [PATCH] tests: update sockopt-sol_netlink test + +Update sockopt-sol_netlink test that started to fail, likely +due to recent linux kernel commit f4e4534850a9 ("net/netlink: fix +NETLINK_LIST_MEMBERSHIPS length report"). + +* tests/sockopt-sol_netlink.c (main): Always print changing optlen value +on exiting syscall. + +Reported-by: Alexander Gordeev <agordeev@linux.ibm.com> +--- + tests/sockopt-sol_netlink.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +Upstream-Status: Backport + +diff --git a/tests/sockopt-sol_netlink.c b/tests/sockopt-sol_netlink.c +index 82b98adc23..1c33219ac5 100644 +--- a/tests/sockopt-sol_netlink.c ++++ b/tests/sockopt-sol_netlink.c +@@ -94,7 +94,10 @@ main(void) + printf("%p", val); + else + printf("[%d]", *val); +- printf(", [%d]) = %s\n", *len, errstr); ++ printf(", [%d", (int) sizeof(*val)); ++ if ((int) sizeof(*val) != *len) ++ printf(" => %d", *len); ++ printf("]) = %s\n", errstr); + + /* optlen larger than necessary - shortened */ + *len = sizeof(*val) + 1; +@@ -150,8 +153,12 @@ main(void) + /* optval EFAULT - print address */ + *len = sizeof(*val); + get_sockopt(fd, names[i].val, efault, len); +- printf("getsockopt(%d, SOL_NETLINK, %s, %p, [%d]) = %s\n", +- fd, names[i].str, efault, *len, errstr); ++ printf("getsockopt(%d, SOL_NETLINK, %s, %p", ++ fd, names[i].str, efault); ++ printf(", [%d", (int) sizeof(*val)); ++ if ((int) sizeof(*val) != *len) ++ printf(" => %d", *len); ++ printf("]) = %s\n", errstr); + + /* optlen EFAULT - print address */ + get_sockopt(fd, names[i].val, val, len + 1); diff --git a/meta/recipes-devtools/strace/strace/update-gawk-paths.patch b/meta/recipes-devtools/strace/strace/update-gawk-paths.patch index 0c683496ae..a16ede95c2 100644 --- a/meta/recipes-devtools/strace/strace/update-gawk-paths.patch 
+++ b/meta/recipes-devtools/strace/strace/update-gawk-paths.patch @@ -125,3 +125,33 @@ index dce78f5..573d9ea 100644 # # Copyright (c) 2014-2015 Dmitry V. Levin <ldv@strace.io> # Copyright (c) 2016 Elvira Khabirova <lineprinter0@gmail.com> +diff --git a/tests-m32/caps-abbrev.awk b/tests-m32/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests-m32/caps-abbrev.awk ++++ b/tests-m32/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # +diff --git a/tests-mx32/caps-abbrev.awk b/tests-mx32/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests-mx32/caps-abbrev.awk ++++ b/tests-mx32/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # +diff --git a/tests/caps-abbrev.awk b/tests/caps-abbrev.awk +index c00023b..a56cd56 100644 +--- a/tests/caps-abbrev.awk ++++ b/tests/caps-abbrev.awk +@@ -1,4 +1,4 @@ +-#!/bin/gawk ++#!/usr/bin/gawk + # + # This file is part of caps strace test. + # diff --git a/meta/recipes-devtools/strace/strace_5.16.bb b/meta/recipes-devtools/strace/strace_5.16.bb index ae19318c20..39082a5bc7 100644 --- a/meta/recipes-devtools/strace/strace_5.16.bb +++ b/meta/recipes-devtools/strace/strace_5.16.bb 
@@ -9,16 +9,20 @@ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \ file://update-gawk-paths.patch \ file://Makefile-ptest.patch \ file://run-ptest \ - file://0001-caps-abbrev.awk-fix-gawk-s-path.patch \ file://ptest-spacesave.patch \ file://0001-strace-fix-reproducibilty-issues.patch \ file://skip-load.patch \ file://0001-landlock-update-expected-string.patch \ + file://f31c2f4494779e5c5f170ad10539bfc2dfafe967.patch \ + file://3bbfb541b258baec9eba674b5d8dc30007a61542.patch \ " SRC_URI[sha256sum] = "dc7db230ff3e57c249830ba94acab2b862da1fcaac55417e9b85041a833ca285" inherit autotools ptest +# Not yet ported to rv32 +COMPATIBLE_HOST:riscv32 = "null" + PACKAGECONFIG:class-target ??= "\ ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez', '', d)} \ " diff --git a/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch b/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch index 44b2ce0a30..5a10c93a31 100644 --- a/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch +++ b/meta/recipes-devtools/tcltk/tcl/fix_non_native_build_issue.patch @@ -1,4 +1,4 @@ -Upstream-Status: Pending +Upstream-Status: Inappropriate [upstream does not support installed tests] Index: unix/Makefile.in =================================================================== diff --git a/meta/recipes-devtools/tcltk/tcl/run-ptest b/meta/recipes-devtools/tcltk/tcl/run-ptest index a62b703082..87e025fce1 100644 --- a/meta/recipes-devtools/tcltk/tcl/run-ptest +++ b/meta/recipes-devtools/tcltk/tcl/run-ptest 
@@ -4,8 +4,12 @@ export TZ="Europe/London" export TCL_LIBRARY=library +# Some tests are overly strict with timings and fail on loaded systems. +# See bugs #14825 #14882 #15081 #15321. +SKIPPED_TESTS='async-* cmdMZ-6.6 event-* exit-1.* socket-* socket_inet-*' + for i in `ls tests/*.test | awk -F/ '{print $2}'`; do - ./tcltest tests/all.tcl -file $i >$i.log 2>&1 + ./tcltest tests/all.tcl -file $i -skip "$SKIPPED_TESTS" >$i.log 2>&1 grep -q -F -e "Files with failing tests:" -e "Test files exiting with errors:" $i.log if [ $? -eq 0 ]; then echo "FAIL: $i" diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.11.bb b/meta/recipes-devtools/tcltk/tcl_8.6.11.bb index 9f6b003ffb..f8f3d7dd3f 100644 --- a/meta/recipes-devtools/tcltk/tcl_8.6.11.bb +++ b/meta/recipes-devtools/tcltk/tcl_8.6.11.bb @@ -44,6 +44,12 @@ inherit autotools ptest binconfig AUTOTOOLS_SCRIPT_PATH = "${S}/unix" EXTRA_OECONF = "--enable-threads --disable-rpath --enable-man-suffix" +# Prevent installing copy of tzdata based on tzdata installation on the build host +# It doesn't install tzdata if one of the following files exist on the host: +# /usr/share/zoneinfo/UTC /usr/share/zoneinfo/GMT /usr/share/lib/zoneinfo/UTC /usr/share/lib/zoneinfo/GMT /usr/lib/zoneinfo/UTC /usr/lib/zoneinfo/GMT +# otherwise "/usr/lib/tcl8.6/tzdata" is included in tcl package +EXTRA_OECONF += "--with-tzdata=no" + do_install() { autotools_do_install oe_runmake 'DESTDIR=${D}' install-private-headers @@ -83,6 +89,11 @@ do_install_ptest() { cp -r ${S}/tests ${D}${PTEST_PATH} } +do_install_ptest:append:libc-musl () { + # Assumes locales other than provided by musl-locales + sed -i -e 's|SKIPPED_TESTS=|SKIPPED_TESTS="unixInit-3*"|' ${D}${PTEST_PATH}/run-ptest +} + # Fix some paths that might be used by Tcl extensions BINCONFIG_GLOB = "*Config.sh" diff --git a/meta/recipes-devtools/vala/vala.inc b/meta/recipes-devtools/vala/vala.inc index 90e0b77de0..162e99bb03 100644 --- a/meta/recipes-devtools/vala/vala.inc 
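Review bot: The musl-only `sed` in `do_install_ptest:append:libc-musl` does not compose with the `SKIPPED_TESTS='async-* ...'` line that this same commit adds to `run-ptest`. It rewrites `SKIPPED_TESTS=` to `SKIPPED_TESTS="unixInit-3*"`, leaving `SKIPPED_TESTS="unixInit-3*"'async-* cmdMZ-6.6 ...'`, which the shell joins with no separator. The first pattern becomes `unixInit-3*async-*`, so on musl neither the `unixInit-3*` tests nor the `async-*` tests are skipped. Inserting the new pattern inside the existing quotes with a trailing space fixes it: `sed -i -e "s|SKIPPED_TESTS='|SKIPPED_TESTS='unixInit-3* |" ${D}${PTEST_PATH}/run-ptest`.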
+++ b/meta/recipes-devtools/vala/vala.inc @@ -42,21 +42,30 @@ EXTRA_OECONF += " --disable-valadoc" # Vapigen wrapper needs to be available system-wide, because it will be used # to build vapi files from all other packages with vala support do_install:append:class-target() { - install -d ${D}${bindir}/ - install ${B}/vapigen-wrapper ${D}${bindir}/ + install -d ${D}${bindir_crossscripts}/ + install ${B}/vapigen-wrapper ${D}${bindir_crossscripts}/ } # Put vapigen wrapper into target sysroot so that it can be used when building # vapi files. -SYSROOT_DIRS:append:class-target = " ${bindir}" +SYSROOT_DIRS += "${bindir_crossscripts}" + +inherit multilib_script +MULTILIB_SCRIPTS = "${PN}:${bindir}/vala-gen-introspect-0.56" SYSROOT_PREPROCESS_FUNCS:append:class-target = " vapigen_sysroot_preprocess" vapigen_sysroot_preprocess() { # Tweak the vapigen name in the vapigen pkgconfig file, so that it picks # up our wrapper. sed -i \ - -e "s|vapigen=.*|vapigen=${bindir}/vapigen-wrapper|" \ + -e "s|vapigen=.*|vapigen=${bindir_crossscripts}/vapigen-wrapper|" \ ${SYSROOT_DESTDIR}${libdir}/pkgconfig/vapigen-${SHRT_VER}.pc } SSTATE_SCAN_FILES += "vapigen-wrapper" + +PACKAGE_PREPROCESS_FUNCS += "vala_package_preprocess" + +vala_package_preprocess () { + rm -rf ${PKGD}${bindir_crossscripts} +} diff --git a/meta/recipes-devtools/vala/vala_0.56.0.bb b/meta/recipes-devtools/vala/vala_0.56.0.bb deleted file mode 100644 index a4d6760f10..0000000000 --- a/meta/recipes-devtools/vala/vala_0.56.0.bb +++ /dev/null @@ -1,3 +0,0 @@ -require ${BPN}.inc - -SRC_URI[sha256sum] = "d92bd13c5630905eeb6a983dcb702204da9731460c2a6e4e39f867996f371040" diff --git a/meta/recipes-devtools/vala/vala_0.56.3.bb b/meta/recipes-devtools/vala/vala_0.56.3.bb new file mode 100644 index 0000000000..83f61e5b2f --- /dev/null +++ b/meta/recipes-devtools/vala/vala_0.56.3.bb @@ -0,0 +1,3 @@ +require ${BPN}.inc + +SRC_URI[sha256sum] = "e1066221bf7b89cb1fa7327a3888645cb33b604de3bf45aa81132fd040b699bf" 
diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 index 887bfd2766..4477f39132 100644 --- a/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 +++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 
@@ -1,211 +1,7 @@ -gdbserver_tests/hgtls -cachegrind/tests/ann1 -callgrind/tests/simwork1 -callgrind/tests/simwork2 -callgrind/tests/simwork3 -callgrind/tests/simwork-both -callgrind/tests/simwork-cache -callgrind/tests/threads -callgrind/tests/threads-use -drd/tests/annotate_barrier -drd/tests/annotate_barrier_xml -drd/tests/annotate_hbefore -drd/tests/annotate_hb_err -drd/tests/annotate_hb_race -drd/tests/annotate_ignore_read -drd/tests/annotate_ignore_rw -drd/tests/annotate_ignore_rw2 -drd/tests/annotate_ignore_write -drd/tests/annotate_ignore_write2 -drd/tests/annotate_order_1 -drd/tests/annotate_order_2 -drd/tests/annotate_order_3 -drd/tests/annotate_publish_hg -drd/tests/annotate_rwlock -drd/tests/annotate_rwlock_hg -drd/tests/annotate_sem -drd/tests/annotate_smart_pointer -drd/tests/annotate_smart_pointer2 -drd/tests/annotate_spinlock -drd/tests/annotate_static -drd/tests/annotate_trace_memory -drd/tests/annotate_trace_memory_xml -drd/tests/atomic_var -drd/tests/bar_bad -drd/tests/bar_trivial drd/tests/boost_thread -drd/tests/bug-235681 -drd/tests/bug322621 -drd/tests/circular_buffer -drd/tests/concurrent_close -drd/tests/custom_alloc -drd/tests/custom_alloc_fiw -drd/tests/dlopen -drd/tests/fork-parallel -drd/tests/fork-serial -drd/tests/fp_race -drd/tests/fp_race2 -drd/tests/fp_race_xml -drd/tests/free_is_write -drd/tests/free_is_write2 -drd/tests/hg01_all_ok -drd/tests/hg02_deadlock -drd/tests/hg03_inherit -drd/tests/hg04_race -drd/tests/hg05_race2 -drd/tests/hg06_readshared -drd/tests/hold_lock_1 -drd/tests/hold_lock_2 -drd/tests/linuxthreads_det -drd/tests/matinv -drd/tests/memory_allocation -drd/tests/monitor_example -drd/tests/new_delete -drd/tests/pth_barrier -drd/tests/pth_barrier2 -drd/tests/pth_barrier3 -drd/tests/pth_barrier_race -drd/tests/pth_barrier_reinit -drd/tests/pth_broadcast -drd/tests/pth_cancel_locked -drd/tests/pth_cleanup_handler -drd/tests/pth_cond_race -drd/tests/pth_cond_race2 -drd/tests/pth_detached2 -drd/tests/pth_detached3 
-drd/tests/pth_detached_sem -drd/tests/pth_inconsistent_cond_wait -drd/tests/pth_mutex_reinit -drd/tests/pth_once -drd/tests/pth_process_shared_mutex -drd/tests/pth_spinlock -drd/tests/pth_uninitialized_cond -drd/tests/read_and_free_race -drd/tests/recursive_mutex -drd/tests/rwlock_race -drd/tests/rwlock_test -drd/tests/rwlock_type_checking -drd/tests/sem_as_mutex -drd/tests/sem_as_mutex2 -drd/tests/sem_as_mutex3 -drd/tests/sem_open -drd/tests/sem_open2 -drd/tests/sem_open3 -drd/tests/sem_open_traced -drd/tests/sem_wait -drd/tests/sigalrm -drd/tests/sigaltstack -drd/tests/std_atomic -drd/tests/std_string -drd/tests/std_thread -drd/tests/std_thread2 -drd/tests/str_tester -drd/tests/tc01_simple_race -drd/tests/tc02_simple_tls -drd/tests/tc03_re_excl -drd/tests/tc04_free_lock -drd/tests/tc05_simple_race -drd/tests/tc06_two_races -drd/tests/tc07_hbl1 -drd/tests/tc08_hbl2 -drd/tests/tc10_rec_lock -drd/tests/tc11_XCHG -drd/tests/tc12_rwl_trivial -drd/tests/tc13_laog1 -drd/tests/tc15_laog_lockdel -drd/tests/tc16_byterace -drd/tests/tc17_sembar -drd/tests/tc18_semabuse -drd/tests/tc19_shadowmem -drd/tests/tc21_pthonce -drd/tests/tc22_exit_w_lock -drd/tests/tc23_bogus_condwait -helgrind/tests/annotate_rwlock -helgrind/tests/annotate_smart_pointer -helgrind/tests/bar_bad -helgrind/tests/bar_trivial -helgrind/tests/bug322621 -helgrind/tests/cond_init_destroy -helgrind/tests/cond_timedwait_invalid -helgrind/tests/cond_timedwait_test -helgrind/tests/free_is_write -helgrind/tests/hg01_all_ok -helgrind/tests/hg03_inherit -helgrind/tests/hg04_race -helgrind/tests/hg05_race2 -helgrind/tests/hg06_readshared -helgrind/tests/locked_vs_unlocked1_fwd -helgrind/tests/locked_vs_unlocked1_rev -helgrind/tests/locked_vs_unlocked2 -helgrind/tests/locked_vs_unlocked3 -helgrind/tests/pth_barrier1 -helgrind/tests/pth_barrier2 -helgrind/tests/pth_barrier3 -helgrind/tests/pth_destroy_cond -helgrind/tests/rwlock_race -helgrind/tests/rwlock_test -helgrind/tests/shmem_abits 
-helgrind/tests/stackteardown -helgrind/tests/t2t_laog -helgrind/tests/tc01_simple_race -helgrind/tests/tc02_simple_tls -helgrind/tests/tc03_re_excl -helgrind/tests/tc04_free_lock -helgrind/tests/tc05_simple_race -helgrind/tests/tc06_two_races -helgrind/tests/tc06_two_races_xml -helgrind/tests/tc07_hbl1 -helgrind/tests/tc08_hbl2 -helgrind/tests/tc09_bad_unlock -helgrind/tests/tc10_rec_lock -helgrind/tests/tc11_XCHG -helgrind/tests/tc12_rwl_trivial -helgrind/tests/tc13_laog1 -helgrind/tests/tc14_laog_dinphils -helgrind/tests/tc15_laog_lockdel -helgrind/tests/tc16_byterace -helgrind/tests/tc17_sembar -helgrind/tests/tc18_semabuse -helgrind/tests/tc19_shadowmem -helgrind/tests/tc20_verifywrap -helgrind/tests/tc21_pthonce -helgrind/tests/tc22_exit_w_lock -helgrind/tests/tc23_bogus_condwait -helgrind/tests/tc24_nonzero_sem -memcheck/tests/accounting -memcheck/tests/addressable -memcheck/tests/arm64-linux/scalar -memcheck/tests/atomic_incs -memcheck/tests/badaddrvalue -memcheck/tests/badfree -memcheck/tests/badfree-2trace -memcheck/tests/badfree3 -memcheck/tests/badjump -memcheck/tests/badjump2 -memcheck/tests/badloop -memcheck/tests/badpoll -memcheck/tests/badrw -memcheck/tests/big_blocks_freed_list -memcheck/tests/brk2 +gdbserver_tests/hgtls memcheck/tests/dw4 -memcheck/tests/err_disable4 -memcheck/tests/err_disable_arange1 -memcheck/tests/leak-autofreepool-5 -memcheck/tests/linux/lsframe1 -memcheck/tests/linux/lsframe2 -memcheck/tests/linux/with-space -memcheck/tests/origin5-bz2 -memcheck/tests/origin6-fp -memcheck/tests/partial_load_dflt -memcheck/tests/pdb-realloc2 -memcheck/tests/sh-mem -memcheck/tests/sh-mem-random -memcheck/tests/sigaltstack -memcheck/tests/sigkill -memcheck/tests/signal2 -memcheck/tests/threadname -memcheck/tests/threadname_xml -memcheck/tests/unit_oset +memcheck/tests/leak_cpp_interior memcheck/tests/varinfo1 memcheck/tests/varinfo2 memcheck/tests/varinfo3 
@@ -213,21 +9,5 @@ memcheck/tests/varinfo4 memcheck/tests/varinfo5 memcheck/tests/varinfo6 memcheck/tests/varinforestrict -memcheck/tests/vcpu_bz2 -memcheck/tests/vcpu_fbench -memcheck/tests/vcpu_fnfns -memcheck/tests/wcs -memcheck/tests/wrap1 -memcheck/tests/wrap2 -memcheck/tests/wrap3 -memcheck/tests/wrap4 -memcheck/tests/wrap5 -memcheck/tests/wrap6 -memcheck/tests/wrap7 -memcheck/tests/wrap8 -memcheck/tests/wrapmalloc -memcheck/tests/wrapmallocstatic -memcheck/tests/writev1 -memcheck/tests/xml1 -memcheck/tests/linux/stack_changes -memcheck/tests/linux/timerfd-syscall +helgrind/tests/hg05_race2 +helgrind/tests/tc20_verifywrap diff --git a/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/meta/recipes-devtools/valgrind/valgrind/remove-for-all index cb8d10b18f..226f97b50e 100644 --- a/meta/recipes-devtools/valgrind/valgrind/remove-for-all +++ b/meta/recipes-devtools/valgrind/valgrind/remove-for-all @@ -1,8 +1,10 @@ none/tests/amd64/fb_test_amd64 gdbserver_tests/hginfo +memcheck/tests/linux/timerfd-syscall memcheck/tests/supp_unknown helgrind/tests/tls_threads drd/tests/bar_bad_xml drd/tests/pth_barrier_thr_cr drd/tests/thread_name_xml massif/tests/deep-D + |