From patchwork Tue Sep 12 13:53:10 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 30323
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828
Date: Tue, 12 Sep 2023 03:53:10 -1000
Message-Id: <1b9d661a82211d6ffdd56e366cfbc3f3c247fd1c.1694526588.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187516

From: Vijay Anusuri

Upstream Patch: https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch

LINK: https://security-tracker.debian.org/tracker/CVE-2023-2828

Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman --- .../bind/bind/CVE-2023-2828.patch | 166 ++++++++++++++++++ .../recipes-connectivity/bind/bind_9.11.37.bb | 1 + 2 files changed, 167 insertions(+) create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch new file mode 100644 index 0000000000..6f6c104530 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch 
@@ -0,0 +1,166 @@ + +Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz +Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch] +Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a +CVE: CVE-2023-2828 +Signed-off-by: Vijay Anusuri + +--- + lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 63 insertions(+), 43 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index b1b928c..3165e26 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + bool tree_locked, expire_t reason); + static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked); ++ size_t purgesize, bool tree_locked); + static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, + rdatasetheader_t *newheader); + static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, +@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, + + static dns_dbmethods_t zone_methods; + ++static size_t ++rdataset_size(rdatasetheader_t *header) { ++ if (!NONEXISTENT(header)) { ++ return (dns_rdataslab_size((unsigned char *)header, ++ sizeof(*header))); ++ } ++ ++ return (sizeof(*header)); ++} ++ + static isc_result_t + addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, +@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + + if (cache_is_overmem) +- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); ++ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), ++ tree_locked); 
+ + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + cleanup_dead_nodes(rbtdb, rbtnode->locknum); + + header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); ++ if (header != NULL) { ++ dns_ttl_t rdh_ttl = header->rdh_ttl; ++ ++ if (rdh_ttl < now - RBTDB_VIRTUAL) { ++ expire_header(rbtdb, header, tree_locked, ++ expire_ttl); ++ } ++ } + + /* + * If we've been holding a write lock on the tree just for +@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); + } + ++static size_t ++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, ++ bool tree_locked) { ++ rdatasetheader_t *header, *header_prev; ++ size_t purged = 0; ++ ++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); ++ header != NULL && purged <= purgesize; header = header_prev) ++ { ++ header_prev = ISC_LIST_PREV(header, link); ++ /* ++ * Unlink the entry at this point to avoid checking it ++ * again even if it's currently used someone else and ++ * cannot be purged at this moment. This entry won't be ++ * referenced any more (so unlinking is safe) since the ++ * TTL was reset to 0. ++ */ ++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); ++ size_t header_size = rdataset_size(header); ++ expire_header(rbtdb, header, tree_locked, expire_lru); ++ purged += header_size; ++ } ++ ++ return (purged); ++} ++ + /*% +- * Purge some expired and/or stale (i.e. unused for some period) cache entries +- * under an overmem condition. To recover from this condition quickly, up to +- * 2 entries will be purged. 
This process is triggered while adding a new +- * entry, and we specifically avoid purging entries in the same LRU bucket as +- * the one to which the new entry will belong. Otherwise, we might purge +- * entries of the same name of different RR types while adding RRsets from a +- * single response (consider the case where we're adding A and AAAA glue records +- * of the same NS name). +- */ ++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache ++ * entries under the overmem condition. To recover from this condition quickly, ++ * we cleanup entries up to the size of newly added rdata (passed as purgesize). ++ * ++ * This process is triggered while adding a new entry, and we specifically avoid ++ * purging entries in the same LRU bucket as the one to which the new entry will ++ * belong. Otherwise, we might purge entries of the same name of different RR ++ * types while adding RRsets from a single response (consider the case where ++ * we're adding A and AAAA glue records of the same NS name). 
++*/ + static void +-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked) ++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, ++ bool tree_locked) + { +- rdatasetheader_t *header, *header_prev; + unsigned int locknum; +- int purgecount = 2; ++ size_t purged = 0; + + for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; +- locknum != locknum_start && purgecount > 0; ++ locknum != locknum_start && purged <= purgesize; + locknum = (locknum + 1) % rbtdb->node_lock_count) { + NODE_LOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + +- header = isc_heap_element(rbtdb->heaps[locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) { +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); +- purgecount--; +- } +- +- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); +- header != NULL && purgecount > 0; +- header = header_prev) { +- header_prev = ISC_LIST_PREV(header, link); +- /* +- * Unlink the entry at this point to avoid checking it +- * again even if it's currently used someone else and +- * cannot be purged at this moment. This entry won't be +- * referenced any more (so unlinking is safe) since the +- * TTL was reset to 0. +- */ +- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, +- link); +- expire_header(rbtdb, header, tree_locked, +- expire_lru); +- purgecount--; +- } ++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, ++ tree_locked); + + NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index 2fca28e684..80fbcbfa36 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.37.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb 
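Review bot: in the addrdataset hunk (`@@ -6932,7 +6942,8 @@`) the third argument to overmem_purge changes from `now` to `rdataset_size(newheader)`, so the purge budget is exactly the size of the rdataset being inserted. Because rdataset_size() returns at least `sizeof(*header)` (the NONEXISTENT fallback), purgesize is never 0, and with the `purged <= purgesize` loop condition in overmem_purge this guarantees that at least one LRU entry in some other bucket is expired on every overmem insert; a short comment at the call site saying that the budget is "size of the new entry, at least one eviction" would save the next reader from working that out.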
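Review bot: in the overmem_purge hunk (`@@ -10388,54 +10404,58 @@`) the closing line of the new comment block is `++*/` while every other line of the block is `++ * ...`, so the `*/` no longer lines up with the ` *` column; it should be `++ */`. The comment moved into expire_lru_headers still reads "even if it's currently used someone else" (missing "by"), which could be fixed while the text is being relocated. On the logic, `purgesize - purged` in the call `expire_lru_headers(rbtdb, locknum, purgesize - purged, tree_locked)` cannot underflow only because the enclosing for-loop tests `purged <= purgesize` before each iteration, even though expire_lru_headers itself may return more than it was asked for on its last eviction; a one-line comment stating that invariant is worth adding. Finally, the old per-bucket `isc_heap_element(...)` / `expire_ttl` check is dropped from overmem_purge entirely (TTL-based expiry now happens only for the bucket being inserted into, in the `@@ -6947,9 +6958,14 @@` hunk); that matches the rewritten comment, but it is a behaviour change the backport's commit message should state explicitly.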
@@ -22,6 +22,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2022-2795.patch \ file://CVE-2022-38177.patch \ file://CVE-2022-38178.patch \ + file://CVE-2023-2828.patch \ " SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff"

From patchwork Tue Sep 12 13:53:11 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 30328
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/14] openssh: Security fix for CVE-2023-38408
Date: Tue, 12 Sep 2023 03:53:11 -1000
Message-Id: <9242b8218858d2bebb3235929fea7e7235cd40f3.1694526588.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187517

From: Shubham Kulkarni

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-38408

Upstream patches:
https://github.com/openssh/openssh-portable/commit/dee22129,
https://github.com/openssh/openssh-portable/commit/099cdf59,
https://github.com/openssh/openssh-portable/commit/29ef8a04,
https://github.com/openssh/openssh-portable/commit/892506b1,
https://github.com/openssh/openssh-portable/commit/0c111eb8,
https://github.com/openssh/openssh-portable/commit/52a03e9f,
https://github.com/openssh/openssh-portable/commit/1fe16fd6,
https://github.com/openssh/openssh-portable/commit/e0e8bee8,
https://github.com/openssh/openssh-portable/commit/8afaa7d7,
https://github.com/openssh/openssh-portable/commit/1a4b9275,
https://github.com/openssh/openssh-portable/commit/4c1e3ce8,
https://github.com/openssh/openssh-portable/commit/1f2731f5.

Signed-off-by: Shubham Kulkarni
Signed-off-by: Steve Sakoman --- .../openssh/openssh/CVE-2023-38408-01.patch | 189 ++++++ .../openssh/openssh/CVE-2023-38408-02.patch | 581 ++++++++++++++++++ .../openssh/openssh/CVE-2023-38408-03.patch | 171 ++++++ .../openssh/openssh/CVE-2023-38408-04.patch | 34 + .../openssh/openssh/CVE-2023-38408-05.patch | 194 ++++++ .../openssh/openssh/CVE-2023-38408-06.patch | 73 +++ .../openssh/openssh/CVE-2023-38408-07.patch | 125 ++++ .../openssh/openssh/CVE-2023-38408-08.patch | 315 ++++++++++ .../openssh/openssh/CVE-2023-38408-09.patch | 38 ++ .../openssh/openssh/CVE-2023-38408-10.patch | 39 ++ .../openssh/openssh/CVE-2023-38408-11.patch | 307 +++++++++ .../openssh/openssh/CVE-2023-38408-12.patch | 120 ++++ .../openssh/openssh_8.2p1.bb | 12 + 13 files changed, 2198 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch 
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch new file mode 100644 index 0000000000..c899056337 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch 
@@ -0,0 +1,189 @@ +From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Fri, 1 Oct 2021 16:35:49 +1000 +Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough + +ok dtucker + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-pkcs11-client.c | 16 ++++++++-------- + ssh-pkcs11.c | 26 +++++++++++++------------- + 2 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c +index 8a0ffef..41114c7 100644 +--- a/ssh-pkcs11-client.c ++++ b/ssh-pkcs11-client.c +@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + return (ret); + } + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + const BIGNUM *rp, EC_KEY *ec) +@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + sshbuf_free(msg); + return (ret); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + static RSA_METHOD *helper_rsa; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static EC_KEY_METHOD *helper_ecdsa; +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void +@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k) + { + if (k->type == KEY_RSA) + RSA_set_method(k->rsa, helper_rsa); +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + else if (k->type == KEY_ECDSA) + EC_KEY_set_method(k->ecdsa, helper_ecdsa); +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && 
HAVE_EC_KEY_METHOD_NEW */ + else + fatal("%s: unknown key type", __func__); + } +@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void) + if (helper_rsa != NULL) + return (0); + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + int (*orig_sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; + if (helper_ecdsa != NULL) +@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void) + return (-1); + EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); + EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) + fatal("%s: RSA_meth_dup failed", __func__); +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index a302c79..b56a41b 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -78,7 +78,7 @@ struct pkcs11_key { + + int pkcs11_interactive = 0; + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static void + ossl_error(const char *msg) + { +@@ -89,7 +89,7 @@ ossl_error(const char *msg) + error("%s: libcrypto error: %.100s", __func__, + ERR_error_string(e, NULL)); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + int + pkcs11_init(int interactive) +@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id) + + static RSA_METHOD *rsa_method; + static int rsa_idx = 0; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static EC_KEY_METHOD *ec_key_method; + static int ec_key_idx = 0; +-#endif ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + /* release a wrapped object */ + static void +@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, + return (0); + } + +-#ifdef HAVE_EC_KEY_METHOD_NEW 
++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + /* openssl callback doing the actual signing operation */ + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, +@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, + + return (0); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + /* remove trailing spaces */ + static void +@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) + return (0); + } + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static struct sshkey * + pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + CK_OBJECT_HANDLE *obj) +@@ -802,7 +802,7 @@ fail: + + return (key); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + static struct sshkey * + pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + #endif + struct sshkey *key = NULL; + int i; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + int nid; + #endif + const u_char *cp; +@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + key->type = KEY_RSA; + key->flags |= SSHKEY_FLAG_EXT; + rsa = NULL; /* now owned by key */ +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { + if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { + error("invalid x509; no ec key"); +@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + key->type = KEY_ECDSA; + key->flags |= SSHKEY_FLAG_EXT; + ec = NULL; /* now owned by key */ +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC 
&& HAVE_EC_KEY_METHOD_NEW */ + } else { + error("unknown certificate key type"); + goto out; +@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, + case CKK_RSA: + key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj); + break; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + case CKK_ECDSA: + key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj); + break; +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + default: + /* XXX print key type? */ + key = NULL; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch new file mode 100644 index 0000000000..25ba921869 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch 
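Review bot: in the `wrap_key` hunk (`@@ -233,10 +233,10 @@` in ssh-pkcs11-client.c) the stricter guard means that on a build which defines HAVE_EC_KEY_METHOD_NEW but not OPENSSL_HAS_ECC, a KEY_ECDSA key now falls through to `fatal("%s: unknown key type", __func__)`. That is consistent with the `pkcs11_fetch_keys` hunk, which is guarded the same way so no such key can be fetched in the first place, but the one-line commit message ("make OPENSSL_HAS_ECC checks more thorough") should say that the ECDSA paths are now compiled out as a unit on such builds rather than left half-enabled.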
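Review bot: the hunk at `@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey` tightens the guard around `int nid;` but its matching `#endif` (unchanged context in the hunk) stays bare, whereas every other `#endif` touched by this patch, including the previously bare one in the `@@ -190,10 +190,10 @@` hunk, gets the `/* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */` trailer; since the patch is doing exactly that cleanup elsewhere, this `#endif` should get the same comment.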
@@ -0,0 +1,581 @@ +From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 19 Jul 2023 14:03:45 +0000 +Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11 + module + +Make ssh-pkcs11-client start an independent helper for each provider, +providing better isolation between modules and reliability if a single +module misbehaves. + +This also implements reference counting of PKCS#11-hosted keys, +allowing ssh-pkcs11-helper subprocesses to be automatically reaped +when no remaining keys reference them. This fixes some bugs we have +that make PKCS11 keys unusable after they have been deleted, e.g. +https://bugzilla.mindrot.org/show_bug.cgi?id=3125 + +ok markus@ + +OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 282 insertions(+), 90 deletions(-) + +diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c +index 41114c7..4f3c6ed 100644 +--- a/ssh-pkcs11-client.c ++++ b/ssh-pkcs11-client.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */ ++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */ + /* + * Copyright (c) 2010 Markus Friedl. All rights reserved. + * Copyright (c) 2014 Pedro Martelletto. All rights reserved. 
+@@ -30,12 +30,11 @@ + #include + #include + #include ++#include + + #include + #include + +-#include "openbsd-compat/openssl-compat.h" +- + #include "pathnames.h" + #include "xmalloc.h" + #include "sshbuf.h" +@@ -47,18 +46,140 @@ + #include "ssh-pkcs11.h" + #include "ssherr.h" + ++#include "openbsd-compat/openssl-compat.h" ++ + /* borrows code from sftp-server and ssh-agent */ + +-static int fd = -1; +-static pid_t pid = -1; ++/* ++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up ++ * by provider path or their unique EC/RSA METHOD pointers. ++ */ ++struct helper { ++ char *path; ++ pid_t pid; ++ int fd; ++ RSA_METHOD *rsa_meth; ++ EC_KEY_METHOD *ec_meth; ++ int (*rsa_finish)(RSA *rsa); ++ void (*ec_finish)(EC_KEY *key); ++ size_t nrsa, nec; /* number of active keys of each type */ ++}; ++static struct helper **helpers; ++static size_t nhelpers; ++ ++static struct helper * ++helper_by_provider(const char *path) ++{ ++ size_t i; ++ ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] == NULL || helpers[i]->path == NULL || ++ helpers[i]->fd == -1) ++ continue; ++ if (strcmp(helpers[i]->path, path) == 0) ++ return helpers[i]; ++ } ++ return NULL; ++} ++ ++static struct helper * ++helper_by_rsa(const RSA *rsa) ++{ ++ size_t i; ++ const RSA_METHOD *meth; ++ ++ if ((meth = RSA_get_method(rsa)) == NULL) ++ return NULL; ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] != NULL && helpers[i]->rsa_meth == meth) ++ return helpers[i]; ++ } ++ return NULL; ++ ++} ++ ++static struct helper * ++helper_by_ec(const EC_KEY *ec) ++{ ++ size_t i; ++ const EC_KEY_METHOD *meth; ++ ++ if ((meth = EC_KEY_get_method(ec)) == NULL) ++ return NULL; ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] != NULL && helpers[i]->ec_meth == meth) ++ return helpers[i]; ++ } ++ return NULL; ++ ++} ++ ++static void ++helper_free(struct helper *helper) ++{ ++ size_t i; ++ int found = 0; ++ ++ if (helper == NULL) ++ return; ++ if (helper->path == NULL || helper->ec_meth 
== NULL || ++ helper->rsa_meth == NULL) ++ fatal("%s: inconsistent helper", __func__); ++ debug3("%s: free helper for provider %s", __func__ , helper->path); ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] == helper) { ++ if (found) ++ fatal("%s: helper recorded more than once", __func__); ++ found = 1; ++ } ++ else if (found) ++ helpers[i - 1] = helpers[i]; ++ } ++ if (found) { ++ helpers = xrecallocarray(helpers, nhelpers, ++ nhelpers - 1, sizeof(*helpers)); ++ nhelpers--; ++ } ++ free(helper->path); ++ EC_KEY_METHOD_free(helper->ec_meth); ++ RSA_meth_free(helper->rsa_meth); ++ free(helper); ++} ++ ++static void ++helper_terminate(struct helper *helper) ++{ ++ if (helper == NULL) { ++ return; ++ } else if (helper->fd == -1) { ++ debug3("%s: already terminated", __func__); ++ } else { ++ debug3("terminating helper for %s; " ++ "remaining %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); ++ close(helper->fd); ++ /* XXX waitpid() */ ++ helper->fd = -1; ++ helper->pid = -1; ++ } ++ /* ++ * Don't delete the helper entry until there are no remaining keys ++ * that reference it. Otherwise, any signing operation would call ++ * a free'd METHOD pointer and that would be bad. 
++ */ ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_free(helper); ++} + + static void +-send_msg(struct sshbuf *m) ++send_msg(int fd, struct sshbuf *m) + { + u_char buf[4]; + size_t mlen = sshbuf_len(m); + int r; + ++ if (fd == -1) ++ return; + POKE_U32(buf, mlen); + if (atomicio(vwrite, fd, buf, 4) != 4 || + atomicio(vwrite, fd, sshbuf_mutable_ptr(m), +@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m) + } + + static int +-recv_msg(struct sshbuf *m) ++recv_msg(int fd, struct sshbuf *m) + { + u_int l, len; + u_char c, buf[1024]; + int r; + ++ sshbuf_reset(m); ++ if (fd == -1) ++ return 0; /* XXX */ + if ((len = atomicio(read, fd, buf, 4)) != 4) { + error("read from helper failed: %u", len); + return (0); /* XXX */ +@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m) + if (len > 256 * 1024) + fatal("response too long: %u", len); + /* read len bytes into m */ +- sshbuf_reset(m); + while (len > 0) { + l = len; + if (l > sizeof(buf)) +@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m) + int + pkcs11_init(int interactive) + { +- return (0); ++ return 0; + } + + void + pkcs11_terminate(void) + { +- if (fd >= 0) +- close(fd); ++ size_t i; ++ ++ debug3("%s: terminating %zu helpers", __func__, nhelpers); ++ for (i = 0; i < nhelpers; i++) ++ helper_terminate(helpers[i]); + } + + static int +@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + u_char *blob = NULL, *signature = NULL; + size_t blen, slen = 0; + int r, ret = -1; ++ struct helper *helper; + ++ if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path); + if (padding != RSA_PKCS1_PADDING) + goto fail; + key = sshkey_new(KEY_UNSPEC); +@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + (r = sshbuf_put_string(msg, from, flen)) != 0 || + (r = sshbuf_put_u32(msg, 0)) != 0) + fatal("%s: buffer 
error: %s", __func__, ssh_err(r)); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { ++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { + if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (slen <= (size_t)RSA_size(rsa)) { +@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + return (ret); + } + +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) ++static int ++rsa_finish(RSA *rsa) ++{ ++ struct helper *helper; ++ ++ if ((helper = helper_by_rsa(rsa)) == NULL) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path); ++ if (helper->rsa_finish != NULL) ++ helper->rsa_finish(rsa); ++ if (helper->nrsa == 0) ++ fatal("%s: RSA refcount error", __func__); ++ helper->nrsa--; ++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_terminate(helper); ++ return 1; ++} ++ + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + const BIGNUM *rp, EC_KEY *ec) +@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + u_char *blob = NULL, *signature = NULL; + size_t blen, slen = 0; + int r, nid; ++ struct helper *helper; + ++ if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path); + nid = sshkey_ecdsa_key_to_nid(ec); + if (nid < 0) { + error("%s: couldn't get curve nid", __func__); +@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 || + (r = sshbuf_put_u32(msg, 0)) != 0) + 
fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { ++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { + if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + cp = signature; +@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + sshbuf_free(msg); + return (ret); + } +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + +-static RSA_METHOD *helper_rsa; +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +-static EC_KEY_METHOD *helper_ecdsa; +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ ++static void ++ecdsa_do_finish(EC_KEY *ec) ++{ ++ struct helper *helper; ++ ++ if ((helper = helper_by_ec(ec)) == NULL) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path); ++ if (helper->ec_finish != NULL) ++ helper->ec_finish(ec); ++ if (helper->nec == 0) ++ fatal("%s: ECDSA refcount error", __func__); ++ helper->nec--; ++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_terminate(helper); ++} + + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void +-wrap_key(struct sshkey *k) ++wrap_key(struct helper *helper, struct sshkey *k) + { +- if (k->type == KEY_RSA) +- RSA_set_method(k->rsa, helper_rsa); +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +- else if (k->type == KEY_ECDSA) +- EC_KEY_set_method(k->ecdsa, helper_ecdsa); +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +- else ++ debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path); ++ if (k->type == KEY_RSA) { ++ RSA_set_method(k->rsa, helper->rsa_meth); ++ if (helper->nrsa++ >= 
INT_MAX) ++ fatal("%s: RSA refcount error", __func__); ++ } else if (k->type == KEY_ECDSA) { ++ EC_KEY_set_method(k->ecdsa, helper->ec_meth); ++ if (helper->nec++ >= INT_MAX) ++ fatal("%s: EC refcount error", __func__); ++ } else + fatal("%s: unknown key type", __func__); ++ k->flags |= SSHKEY_FLAG_EXT; ++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); + } + + static int +-pkcs11_start_helper_methods(void) ++pkcs11_start_helper_methods(struct helper *helper) + { +- if (helper_rsa != NULL) +- return (0); +- +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +- int (*orig_sign)(int, const unsigned char *, int, unsigned char *, ++ int (*ec_init)(EC_KEY *key); ++ int (*ec_copy)(EC_KEY *dest, const EC_KEY *src); ++ int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp); ++ int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key); ++ int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key); ++ int (*ec_sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; +- if (helper_ecdsa != NULL) +- return (0); +- helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); +- if (helper_ecdsa == NULL) +- return (-1); +- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); +- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +- +- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) ++ RSA_METHOD *rsa_meth; ++ EC_KEY_METHOD *ec_meth; ++ ++ if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL) ++ return -1; ++ EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL); ++ EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign); ++ EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish, ++ &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public); ++ EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish, ++ ec_copy, 
ec_set_group, ec_set_private, ec_set_public); ++ ++ if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL) + fatal("%s: RSA_meth_dup failed", __func__); +- if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") || +- !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt)) ++ helper->rsa_finish = RSA_meth_get_finish(rsa_meth); ++ if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") || ++ !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) || ++ !RSA_meth_set_finish(rsa_meth, rsa_finish)) + fatal("%s: failed to prepare method", __func__); + +- return (0); ++ helper->ec_meth = ec_meth; ++ helper->rsa_meth = rsa_meth; ++ return 0; + } + +-static int +-pkcs11_start_helper(void) ++static struct helper * ++pkcs11_start_helper(const char *path) + { + int pair[2]; +- char *helper, *verbosity = NULL; +- +- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) +- verbosity = "-vvv"; +- +- if (pkcs11_start_helper_methods() == -1) { +- error("pkcs11_start_helper_methods failed"); +- return (-1); +- } ++ char *prog, *verbosity = NULL; ++ struct helper *helper; ++ pid_t pid; + ++ if (nhelpers >= INT_MAX) ++ fatal("%s: too many helpers", __func__); ++ debug3("%s: start helper for %s", __func__, path); + if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) { + error("socketpair: %s", strerror(errno)); +- return (-1); ++ return NULL; ++ } ++ helper = xcalloc(1, sizeof(*helper)); ++ if (pkcs11_start_helper_methods(helper) == -1) { ++ error("pkcs11_start_helper_methods failed"); ++ goto fail; + } + if ((pid = fork()) == -1) { + error("fork: %s", strerror(errno)); +- return (-1); ++ fail: ++ close(pair[0]); ++ close(pair[1]); ++ RSA_meth_free(helper->rsa_meth); ++ EC_KEY_METHOD_free(helper->ec_meth); ++ free(helper); ++ return NULL; + } else if (pid == 0) { + if ((dup2(pair[1], STDIN_FILENO) == -1) || + (dup2(pair[1], STDOUT_FILENO) == -1)) { +@@ -297,18 +485,27 @@ pkcs11_start_helper(void) + } + close(pair[0]); + close(pair[1]); +- helper = getenv("SSH_PKCS11_HELPER"); +- if (helper == NULL || 
strlen(helper) == 0) +- helper = _PATH_SSH_PKCS11_HELPER; ++ prog = getenv("SSH_PKCS11_HELPER"); ++ if (prog == NULL || strlen(prog) == 0) ++ prog = _PATH_SSH_PKCS11_HELPER; ++ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) ++ verbosity = "-vvv"; + debug("%s: starting %s %s", __func__, helper, + verbosity == NULL ? "" : verbosity); +- execlp(helper, helper, verbosity, (char *)NULL); +- fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno)); ++ execlp(prog, prog, verbosity, (char *)NULL); ++ fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno)); + _exit(1); + } + close(pair[1]); +- fd = pair[0]; +- return (0); ++ helper->fd = pair[0]; ++ helper->path = xstrdup(path); ++ helper->pid = pid; ++ debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers, ++ helper->path, helper->fd, (long)helper->pid); ++ helpers = xrecallocarray(helpers, nhelpers, ++ nhelpers + 1, sizeof(*helpers)); ++ helpers[nhelpers++] = helper; ++ return helper; + } + + int +@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + size_t blen; + u_int nkeys, i; + struct sshbuf *msg; ++ struct helper *helper; + +- if (fd < 0 && pkcs11_start_helper() < 0) +- return (-1); ++ if ((helper = helper_by_provider(name)) == NULL && ++ (helper = pkcs11_start_helper(name)) == NULL) ++ return -1; + + if ((msg = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); +@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + (r = sshbuf_put_cstring(msg, name)) != 0 || + (r = sshbuf_put_cstring(msg, pin)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- type = recv_msg(msg); ++ type = recv_msg(helper->fd, msg); + if (type == SSH2_AGENT_IDENTITIES_ANSWER) { + if ((r = sshbuf_get_u32(msg, &nkeys)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey 
***keysp, + __func__, ssh_err(r)); + if ((r = sshkey_from_blob(blob, blen, &k)) != 0) + fatal("%s: bad key: %s", __func__, ssh_err(r)); +- wrap_key(k); ++ wrap_key(helper, k); + (*keysp)[i] = k; + if (labelsp) + (*labelsp)[i] = label; +@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + int + pkcs11_del_provider(char *name) + { +- int r, ret = -1; +- struct sshbuf *msg; +- +- if ((msg = sshbuf_new()) == NULL) +- fatal("%s: sshbuf_new failed", __func__); +- if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 || +- (r = sshbuf_put_cstring(msg, name)) != 0 || +- (r = sshbuf_put_cstring(msg, "")) != 0) +- fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- send_msg(msg); +- sshbuf_reset(msg); +- +- if (recv_msg(msg) == SSH_AGENT_SUCCESS) +- ret = 0; +- sshbuf_free(msg); +- return (ret); ++ struct helper *helper; ++ ++ /* ++ * ssh-agent deletes keys before calling this, so the helper entry ++ * should be gone before we get here. ++ */ ++ debug3("%s: delete %s", __func__, name); ++ if ((helper = helper_by_provider(name)) != NULL) ++ helper_terminate(helper); ++ return 0; + } +- + #endif /* ENABLE_PKCS11 */ +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch new file mode 100644 index 0000000000..e16e5e245e --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch 
@@ -0,0 +1,171 @@ +From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 19 Jul 2023 14:02:27 +0000 +Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected + symbols + +This checks via nlist(3) that candidate provider libraries contain one +of the symbols that we will require prior to dlopen(), which can cause +a number of side effects, including execution of constructors. + +Feedback deraadt; ok markus + +OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + misc.h | 1 + + ssh-pkcs11.c | 4 +++ + ssh-sk.c | 6 ++-- + 4 files changed, 86 insertions(+), 2 deletions(-) + +diff --git a/misc.c b/misc.c +index 3a31d5c..8a107e4 100644 +--- a/misc.c ++++ b/misc.c +@@ -28,6 +28,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -41,6 +42,9 @@ + #ifdef HAVE_POLL_H + #include + #endif ++#ifdef HAVE_NLIST_H ++#include ++#endif + #include + #include + #include +@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler) + } + return osa.sa_handler; + } ++ ++ ++/* ++ * Returns zero if the library at 'path' contains symbol 's', nonzero ++ * otherwise. 
++ */ ++int ++lib_contains_symbol(const char *path, const char *s) ++{ ++#ifdef HAVE_NLIST_H ++ struct nlist nl[2]; ++ int ret = -1, r; ++ ++ memset(nl, 0, sizeof(nl)); ++ nl[0].n_name = xstrdup(s); ++ nl[1].n_name = NULL; ++ if ((r = nlist(path, nl)) == -1) { ++ error("%s: nlist failed for %s", __func__, path); ++ goto out; ++ } ++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) { ++ error("%s: library %s does not contain symbol %s", __func__, path, s); ++ goto out; ++ } ++ /* success */ ++ ret = 0; ++ out: ++ free(nl[0].n_name); ++ return ret; ++#else /* HAVE_NLIST_H */ ++ int fd, ret = -1; ++ struct stat st; ++ void *m = NULL; ++ size_t sz = 0; ++ ++ memset(&st, 0, sizeof(st)); ++ if ((fd = open(path, O_RDONLY)) < 0) { ++ error("%s: open %s: %s", __func__, path, strerror(errno)); ++ return -1; ++ } ++ if (fstat(fd, &st) != 0) { ++ error("%s: fstat %s: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ if (!S_ISREG(st.st_mode)) { ++ error("%s: %s is not a regular file", __func__, path); ++ goto out; ++ } ++ if (st.st_size < 0 || ++ (size_t)st.st_size < strlen(s) || ++ st.st_size >= INT_MAX/2) { ++ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size); ++ goto out; ++ } ++ sz = (size_t)st.st_size; ++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED || ++ m == NULL) { ++ error("%s: mmap %s: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ if (memmem(m, sz, s, strlen(s)) == NULL) { ++ error("%s: %s does not contain expected string %s", __func__, path, s); ++ goto out; ++ } ++ /* success */ ++ ret = 0; ++ out: ++ if (m != NULL && m != MAP_FAILED) ++ munmap(m, sz); ++ close(fd); ++ return ret; ++#endif /* HAVE_NLIST_H */ ++} +diff --git a/misc.h b/misc.h +index 4a05db2..3f9f4db 100644 +--- a/misc.h ++++ b/misc.h +@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *); + int parse_absolute_time(const char *, uint64_t *); + void format_absolute_time(uint64_t, char *, size_t); + int path_absolute(const 
char *); ++int lib_contains_symbol(const char *, const char *); + + void sock_set_v6only(int); + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index b56a41b..639a6f7 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin, + __func__, provider_id); + goto fail; + } ++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) { ++ error("provider %s is not a PKCS11 library", provider_id); ++ goto fail; ++ } + /* open shared pkcs11-library */ + if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) { + error("dlopen %s failed: %s", provider_id, dlerror()); +diff --git a/ssh-sk.c b/ssh-sk.c +index 5ff9381..9df12cc 100644 +--- a/ssh-sk.c ++++ b/ssh-sk.c +@@ -119,10 +119,12 @@ sshsk_open(const char *path) + #endif + return ret; + } +- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { +- error("Provider \"%s\" dlopen failed: %s", path, dlerror()); ++ if (lib_contains_symbol(path, "sk_api_version") != 0) { ++ error("provider %s is not an OpenSSH FIDO library", path); + goto fail; + } ++ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) ++ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror()); + if ((ret->sk_api_version = dlsym(ret->dlhandle, + "sk_api_version")) == NULL) { + error("Provider \"%s\" dlsym(sk_api_version) failed: %s", +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch new file mode 100644 index 0000000000..5e8040c9bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch 
@@ -0,0 +1,34 @@ +From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 19 Jul 2023 13:55:53 +0000 +Subject: [PATCH 04/12] upstream: terminate process if requested to load a + PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@ + +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-pkcs11.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 639a6f7..7530acc 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_id, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + p = xcalloc(1, sizeof(*p)); + p->name = xstrdup(provider_id); + p->handle = handle; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch new file mode 100644 index 0000000000..0ddbdc68d4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch 
@@ -0,0 +1,194 @@ +From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 26 May 2020 01:26:58 +0000 +Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web + challenges for FIDO + +keys. + +When signing messages in ssh-agent using a FIDO key that has an +application string that does not start with "ssh:", ensure that the +message being signed is one of the forms expected for the SSH protocol +(currently pubkey authentication and sshsig signatures). + +This prevents ssh-agent forwarding on a host that has FIDO keys +attached granting the ability for the remote side to sign challenges +for web authentication using those keys too. + +Note that the converse case of web browsers signing SSH challenges is +already precluded because no web RP can have the "ssh:" prefix in the +application string that we require. + +ok markus@ + +OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 100 insertions(+), 10 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index ceb348c..1794f35 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -77,6 +77,7 @@ + + #include "xmalloc.h" + #include "ssh.h" ++#include "ssh2.h" + #include "sshbuf.h" + #include "sshkey.h" + #include "authfd.h" +@@ -167,6 +168,9 @@ static long lifetime = 0; + + static int fingerprint_hash = SSH_FP_HASH_DEFAULT; + ++/* Refuse signing of non-SSH messages for web-origin FIDO keys */ ++static int restrict_websafe = 1; ++ + static void + 
close_socket(SocketEntry *e) + { +@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags) + return NULL; + } + ++/* ++ * This function inspects a message to be signed by a FIDO key that has a ++ * web-like application string (i.e. one that does not begin with "ssh:". ++ * It checks that the message is one of those expected for SSH operations ++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges ++ * for the web. ++ */ ++static int ++check_websafe_message_contents(struct sshkey *key, ++ const u_char *msg, size_t len) ++{ ++ int matched = 0; ++ struct sshbuf *b; ++ u_char m, n; ++ char *cp1 = NULL, *cp2 = NULL; ++ int r; ++ struct sshkey *mkey = NULL; ++ ++ if ((b = sshbuf_from(msg, len)) == NULL) ++ fatal("%s: sshbuf_new", __func__); ++ ++ /* SSH userauth request */ ++ if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */ ++ (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */ ++ (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */ ++ (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */ ++ (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */ ++ (r = sshkey_froms(b, &mkey)) == 0 && /* key */ ++ sshbuf_len(b) == 0) { ++ debug("%s: parsed userauth", __func__); ++ if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 && ++ strcmp(cp1, "ssh-connection") == 0 && ++ strcmp(cp2, "publickey") == 0 && ++ sshkey_equal(key, mkey)) { ++ debug("%s: well formed userauth", __func__); ++ matched = 1; ++ } ++ } ++ free(cp1); ++ free(cp2); ++ sshkey_free(mkey); ++ sshbuf_free(b); ++ if (matched) ++ return 1; ++ ++ if ((b = sshbuf_from(msg, len)) == NULL) ++ fatal("%s: sshbuf_new", __func__); ++ cp1 = cp2 = NULL; ++ mkey = NULL; ++ ++ /* SSHSIG */ ++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 && ++ (r = sshbuf_consume(b, 6)) == 0 && ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 
&& /* namespace */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */ ++ sshbuf_len(b) == 0) { ++ debug("%s: parsed sshsig", __func__); ++ matched = 1; ++ } ++ ++ sshbuf_free(b); ++ if (matched) ++ return 1; ++ ++ /* XXX CA signature operation */ ++ ++ error("web-origin key attempting to sign non-SSH message"); ++ return 0; ++} ++ + /* ssh2 only */ + static void + process_sign_request2(SocketEntry *e) +@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e) + verbose("%s: user refused key", __func__); + goto send; + } +- if (sshkey_is_sk(id->key) && +- (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { +- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, +- SSH_FP_DEFAULT)) == NULL) +- fatal("%s: fingerprint failed", __func__); +- notifier = notify_start(0, +- "Confirm user presence for key %s %s", +- sshkey_type(id->key), fp); ++ if (sshkey_is_sk(id->key)) { ++ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && ++ !check_websafe_message_contents(key, data, dlen)) { ++ /* error already logged */ ++ goto send; ++ } ++ if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { ++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal("%s: fingerprint failed", __func__); ++ notifier = notify_start(0, ++ "Confirm user presence for key %s %s", ++ sshkey_type(id->key), fp); ++ } + } + if ((r = sshkey_sign(id->key, &signature, &slen, + data, dlen, agent_decode_alg(key, flags), +@@ -1214,7 +1298,7 @@ main(int ac, char **av) + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) { + switch (ch) { + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); +@@ -1229,6 +1313,12 @@ main(int ac, char **av) + case 'k': + k_flag++; + break; ++ case 'O': ++ if 
(strcmp(optarg, "no-restrict-websafe") == 0) ++ restrict_websafe = 0; ++ else ++ fatal("Unknown -O option"); ++ break; + case 'P': + if (provider_whitelist != NULL) + fatal("-P option already specified"); +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch new file mode 100644 index 0000000000..ac494aab0b --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch 
@@ -0,0 +1,73 @@ +From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 18 Sep 2020 08:16:38 +0000 +Subject: [PATCH 06/12] upstream: handle multiple messages in a single read() + +PR#183 by Dennis Kaarsemaker; feedback and ok markus@ + +OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 1794f35..78f7268 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -853,8 +853,10 @@ send: + } + #endif /* ENABLE_PKCS11 */ + +-/* dispatch incoming messages */ +- ++/* ++ * dispatch incoming message. ++ * returns 1 on success, 0 for incomplete messages or -1 on error. ++ */ + static int + process_message(u_int socknum) + { +@@ -908,7 +910,7 @@ process_message(u_int socknum) + /* send a fail message for all other request types */ + send_status(e, 0); + } +- return 0; ++ return 1; + } + + switch (type) { +@@ -952,7 +954,7 @@ process_message(u_int socknum) + send_status(e, 0); + break; + } +- return 0; ++ return 1; + } + + static void +@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum) + if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + explicit_bzero(buf, sizeof(buf)); +- process_message(socknum); ++ for (;;) { ++ if ((r = process_message(socknum)) == -1) ++ return -1; ++ else if (r == 0) ++ break; ++ } + return 0; + } + +-- +2.41.0 
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch new file mode 100644 index 0000000000..0dcf23ae17 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch 
@@ -0,0 +1,125 @@ +From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 26 Jan 2021 00:47:47 +0000 +Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent + sockets table; + +also clear socket entries that are being marked as unused. + +spinkle in some debug2() spam to make it easier to watch an agent +do its thing. + +ok markus + +OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 78f7268..2635bc5 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -175,11 +175,12 @@ static void + close_socket(SocketEntry *e) + { + close(e->fd); +- e->fd = -1; +- e->type = AUTH_UNUSED; + sshbuf_free(e->input); + sshbuf_free(e->output); + sshbuf_free(e->request); ++ memset(e, '\0', sizeof(*e)); ++ e->fd = -1; ++ e->type = AUTH_UNUSED; + } + + static void +@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e) + struct sshbuf *msg; + int r; + ++ debug2("%s: entering", __func__); ++ + if ((msg = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 || +@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e) + struct sshkey *key = NULL; + Identity *id; + ++ debug2("%s: entering", __func__); + if ((r = sshkey_froms(e->request, &key)) != 0) { + error("%s: get key: %s", __func__, ssh_err(r)); + goto done; +@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e) + { 
+ Identity *id; + ++ debug2("%s: entering", __func__); + /* Loop over all identities and clear the keys. */ + for (id = TAILQ_FIRST(&idtab->idlist); id; + id = TAILQ_FIRST(&idtab->idlist)) { +@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e) + u_char ctype; + int r = SSH_ERR_INTERNAL_ERROR; + ++ debug2("%s: entering", __func__); + if ((r = sshkey_private_deserialize(e->request, &k)) != 0 || + k == NULL || + (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) { +@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock) + static u_int fail_count = 0; + size_t pwlen; + ++ debug2("%s: entering", __func__); + /* + * This is deliberately fatal: the user has requested that we lock, + * but we can't parse their request properly. The only safe thing to +@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e) + struct sshkey **keys = NULL, *k; + Identity *id; + ++ debug2("%s: entering", __func__); + if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || + (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { + error("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e) + int r, success = 0; + Identity *id, *nxt; + ++ debug2("%s: entering", __func__); + if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || + (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { + error("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd) + { + u_int i, old_alloc, new_alloc; + ++ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" : ++ (type == AUTH_SOCKET ? 
"SOCKET" : "UNKNOWN")); + set_nonblock(fd); + + if (fd > max_fd) +@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd) + } + old_alloc = sockets_alloc; + new_alloc = sockets_alloc + 10; +- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0])); ++ sockets = xrecallocarray(sockets, old_alloc, new_alloc, ++ sizeof(sockets[0])); + for (i = old_alloc; i < new_alloc; i++) + sockets[i].type = AUTH_UNUSED; + sockets_alloc = new_alloc; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch new file mode 100644 index 0000000000..141c8113bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch 
@@ -0,0 +1,315 @@ +From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 26 Jan 2021 00:53:31 +0000 +Subject: [PATCH 08/12] upstream: more ssh-agent refactoring + +Allow confirm_key() to accept an additional reason suffix + +Factor publickey userauth parsing out into its own function and allow +it to optionally return things it parsed out of the message to its +caller. + +feedback/ok markus@ + +OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 130 insertions(+), 67 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 2635bc5..7ad323c 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key) + + /* Check confirmation of keysign request */ + static int +-confirm_key(Identity *id) ++confirm_key(Identity *id, const char *extra) + { + char *p; + int ret = -1; + + p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT); + if (p != NULL && +- ask_permission("Allow use of key %s?\nKey fingerprint %s.", +- id->comment, p)) ++ ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s", ++ id->comment, p, ++ extra == NULL ? "" : "\n", extra == NULL ? "" : extra)) + ret = 0; + free(p); + +@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags) + } + + /* +- * This function inspects a message to be signed by a FIDO key that has a +- * web-like application string (i.e. one that does not begin with "ssh:". 
+- * It checks that the message is one of those expected for SSH operations +- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges +- * for the web. ++ * Attempt to parse the contents of a buffer as a SSH publickey userauth ++ * request, checking its contents for consistency and matching the embedded ++ * key against the one that is being used for signing. ++ * Note: does not modify msg buffer. ++ * Optionally extract the username and session ID from the request. + */ + static int +-check_websafe_message_contents(struct sshkey *key, +- const u_char *msg, size_t len) ++parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key, ++ char **userp, struct sshbuf **sess_idp) + { +- int matched = 0; +- struct sshbuf *b; +- u_char m, n; +- char *cp1 = NULL, *cp2 = NULL; ++ struct sshbuf *b = NULL, *sess_id = NULL; ++ char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL; + int r; ++ u_char t, sig_follows; + struct sshkey *mkey = NULL; + +- if ((b = sshbuf_from(msg, len)) == NULL) +- fatal("%s: sshbuf_new", __func__); ++ if (userp != NULL) ++ *userp = NULL; ++ if (sess_idp != NULL) ++ *sess_idp = NULL; ++ if ((b = sshbuf_fromb(msg)) == NULL) ++ fatal("%s: sshbuf_fromb", __func__); + + /* SSH userauth request */ +- if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */ +- (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */ +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */ +- (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */ +- (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */ +- (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */ +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */ +- (r = sshkey_froms(b, &mkey)) == 0 && /* key */ +- sshbuf_len(b) == 0) { +- debug("%s: parsed userauth", __func__); +- if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 && +- strcmp(cp1, "ssh-connection") == 0 && +- strcmp(cp2, "publickey") == 0 && +- 
sshkey_equal(key, mkey)) { +- debug("%s: well formed userauth", __func__); +- matched = 1; +- } ++ if ((r = sshbuf_froms(b, &sess_id)) != 0) ++ goto out; ++ if (sshbuf_len(sess_id) == 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; + } +- free(cp1); +- free(cp2); +- sshkey_free(mkey); ++ if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */ ++ (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */ ++ (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */ ++ (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */ ++ (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */ ++ (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */ ++ (r = sshkey_froms(b, &mkey)) != 0) /* key */ ++ goto out; ++ if (t != SSH2_MSG_USERAUTH_REQUEST || ++ sig_follows != 1 || ++ strcmp(service, "ssh-connection") != 0 || ++ !sshkey_equal(expected_key, mkey) || ++ sshkey_type_from_name(pkalg) != expected_key->type) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ if (strcmp(method, "publickey") != 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ if (sshbuf_len(b) != 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ /* success */ ++ r = 0; ++ debug("%s: well formed userauth", __func__); ++ if (userp != NULL) { ++ *userp = user; ++ user = NULL; ++ } ++ if (sess_idp != NULL) { ++ *sess_idp = sess_id; ++ sess_id = NULL; ++ } ++ out: + sshbuf_free(b); +- if (matched) +- return 1; ++ sshbuf_free(sess_id); ++ free(user); ++ free(service); ++ free(method); ++ free(pkalg); ++ sshkey_free(mkey); ++ return r; ++} + +- if ((b = sshbuf_from(msg, len)) == NULL) +- fatal("%s: sshbuf_new", __func__); +- cp1 = cp2 = NULL; +- mkey = NULL; +- +- /* SSHSIG */ +- if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 && +- (r = sshbuf_consume(b, 6)) == 0 && +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */ +- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */ +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && 
/* hashalg */ +- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */ +- sshbuf_len(b) == 0) { +- debug("%s: parsed sshsig", __func__); +- matched = 1; +- } ++/* ++ * Attempt to parse the contents of a buffer as a SSHSIG signature request. ++ * Note: does not modify buffer. ++ */ ++static int ++parse_sshsig_request(struct sshbuf *msg) ++{ ++ int r; ++ struct sshbuf *b; + ++ if ((b = sshbuf_fromb(msg)) == NULL) ++ fatal("%s: sshbuf_fromb", __func__); ++ ++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 || ++ (r = sshbuf_consume(b, 6)) != 0 || ++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */ ++ goto out; ++ if (sshbuf_len(b) != 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ /* success */ ++ r = 0; ++ out: + sshbuf_free(b); +- if (matched) ++ return r; ++} ++ ++/* ++ * This function inspects a message to be signed by a FIDO key that has a ++ * web-like application string (i.e. one that does not begin with "ssh:". ++ * It checks that the message is one of those expected for SSH operations ++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges ++ * for the web. 
++ */ ++static int ++check_websafe_message_contents(struct sshkey *key, struct sshbuf *data) ++{ ++ if (parse_userauth_request(data, key, NULL, NULL) == 0) { ++ debug("%s: signed data matches public key userauth request", __func__); + return 1; ++ } ++ if (parse_sshsig_request(data) == 0) { ++ debug("%s: signed data matches SSHSIG signature request", __func__); ++ return 1; ++ } + +- /* XXX CA signature operation */ ++ /* XXX check CA signature operation */ + + error("web-origin key attempting to sign non-SSH message"); + return 0; +@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key, + static void + process_sign_request2(SocketEntry *e) + { +- const u_char *data; + u_char *signature = NULL; +- size_t dlen, slen = 0; ++ size_t i, slen = 0; + u_int compat = 0, flags; + int r, ok = -1; + char *fp = NULL; +- struct sshbuf *msg; ++ struct sshbuf *msg = NULL, *data = NULL; + struct sshkey *key = NULL; + struct identity *id; + struct notifier_ctx *notifier = NULL; + +- if ((msg = sshbuf_new()) == NULL) ++ debug("%s: entering", __func__); ++ ++ if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshkey_froms(e->request, &key)) != 0 || +- (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 || ++ (r = sshbuf_get_stringb(e->request, data)) != 0 || + (r = sshbuf_get_u32(e->request, &flags)) != 0) { + error("%s: couldn't parse request: %s", __func__, ssh_err(r)); + goto send; +@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e) + verbose("%s: %s key not found", __func__, sshkey_type(key)); + goto send; + } +- if (id->confirm && confirm_key(id) != 0) { ++ if (id->confirm && confirm_key(id, NULL) != 0) { + verbose("%s: user refused key", __func__); + goto send; + } + if (sshkey_is_sk(id->key)) { + if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && +- !check_websafe_message_contents(key, data, dlen)) { ++ !check_websafe_message_contents(key, data)) { + /* error already 
logged */ + goto send; + } +@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e) + } + } + if ((r = sshkey_sign(id->key, &signature, &slen, +- data, dlen, agent_decode_alg(key, flags), ++ sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags), + id->sk_provider, compat)) != 0) { + error("%s: sshkey_sign: %s", __func__, ssh_err(r)); + goto send; +@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e) + ok = 0; + send: + notify_complete(notifier); +- sshkey_free(key); +- free(fp); ++ + if (ok == 0) { + if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 || + (r = sshbuf_put_string(msg, signature, slen)) != 0) +@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e) + if ((r = sshbuf_put_stringb(e->output, msg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + ++ sshbuf_free(data); + sshbuf_free(msg); ++ sshkey_free(key); ++ free(fp); + free(signature); + } + +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch new file mode 100644 index 0000000000..b519ccce42 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch 
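Review bot: in the process_sign_request2 hunk, `if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)` uses a single `|` where `||` is meant. Since `==` binds tighter than `|`, the condition is still true whenever either allocation fails and fatal() is reached either way, but the bitwise form defeats short-circuiting and reads as a typo; change it to `||`. The same hunk declares `size_t i, slen = 0;` and never uses `i` in this patch, which will draw an unused-variable warning until the later patch in the series that reads it.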
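Review bot: the reworked check_websafe_message_contents still carries `/* XXX check CA signature operation */`, so a FIDO key with a web-like application string is refused for certificate signing with `error("web-origin key attempting to sign non-SSH message")` even though the function's own comment lists CA key signing among the expected operations; either state the limitation in that comment or call it out in the backport description. Minor: the moved comment `(i.e. one that does not begin with "ssh:".` is missing its closing parenthesis.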
@@ -0,0 +1,38 @@ +From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 29 Jan 2021 06:28:10 +0000 +Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes + the fuzzer I'm + +writing a bit easier + +OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 7ad323c..c99927c 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -108,7 +108,7 @@ typedef enum { + AUTH_CONNECTION + } sock_type; + +-typedef struct { ++typedef struct socket_entry { + int fd; + sock_type type; + struct sshbuf *input; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch new file mode 100644 index 0000000000..27b2eadfae --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch 
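Review bot: the $OpenBSD id in this hunk moves from 1.270 to 1.274 while the only change is `typedef struct socket_entry {`, so three intermediate upstream revisions are skipped here, and the following patches skip more. Please record in the backport description which upstream revisions were deliberately left out, so a later reader can tell an intentional omission from a missed dependency.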
@@ -0,0 +1,39 @@ +From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 29 Jan 2021 06:29:46 +0000 +Subject: [PATCH 10/12] upstream: fix the values of enum sock_type + +OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index c99927c..7f1e14b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -103,9 +103,9 @@ + #define AGENT_RBUF_LEN (4096) + + typedef enum { +- AUTH_UNUSED, +- AUTH_SOCKET, +- AUTH_CONNECTION ++ AUTH_UNUSED = 0, ++ AUTH_SOCKET = 1, ++ AUTH_CONNECTION = 2, + } sock_type; + + typedef struct socket_entry { +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch new file mode 100644 index 0000000000..c300393ebf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch 
@@ -0,0 +1,307 @@ +From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Sun, 19 Dec 2021 22:09:23 +0000 +Subject: [PATCH 11/12] upstream: ssh-agent side of binding + +record session ID/hostkey/forwarding status for each active socket. + +Attempt to parse data-to-be-signed at signature request time and extract +session ID from the blob if it is a pubkey userauth request. + +ok markus@ + +OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + authfd.h | 3 + + ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 170 insertions(+), 8 deletions(-) + +diff --git a/authfd.h b/authfd.h +index c3bf625..9cc9807 100644 +--- a/authfd.h ++++ b/authfd.h +@@ -76,6 +76,9 @@ int ssh_agent_sign(int sock, const struct sshkey *key, + #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 + #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 + ++/* generic extension mechanism */ ++#define SSH_AGENTC_EXTENSION 27 ++ + #define SSH_AGENT_CONSTRAIN_LIFETIME 1 + #define SSH_AGENT_CONSTRAIN_CONFIRM 2 + #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 +diff --git a/ssh-agent.c b/ssh-agent.c +index 7f1e14b..01c7f2b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -98,9 +98,15 @@ + #endif + + /* Maximum accepted message length */ +-#define AGENT_MAX_LEN (256*1024) ++#define AGENT_MAX_LEN (256*1024) + /* Maximum bytes to read from client socket */ +-#define AGENT_RBUF_LEN (4096) ++#define AGENT_RBUF_LEN (4096) ++/* Maximum number of recorded session IDs/hostkeys per connection */ ++#define AGENT_MAX_SESSION_IDS 16 ++/* 
Maximum size of session ID */ ++#define AGENT_MAX_SID_LEN 128 ++ ++/* XXX store hostkey_sid in a refcounted tree */ + + typedef enum { + AUTH_UNUSED = 0, +@@ -108,12 +114,20 @@ typedef enum { + AUTH_CONNECTION = 2, + } sock_type; + ++struct hostkey_sid { ++ struct sshkey *key; ++ struct sshbuf *sid; ++ int forwarded; ++}; ++ + typedef struct socket_entry { + int fd; + sock_type type; + struct sshbuf *input; + struct sshbuf *output; + struct sshbuf *request; ++ size_t nsession_ids; ++ struct hostkey_sid *session_ids; + } SocketEntry; + + u_int sockets_alloc = 0; +@@ -174,10 +188,17 @@ static int restrict_websafe = 1; + static void + close_socket(SocketEntry *e) + { ++ size_t i; ++ + close(e->fd); + sshbuf_free(e->input); + sshbuf_free(e->output); + sshbuf_free(e->request); ++ for (i = 0; i < e->nsession_ids; i++) { ++ sshkey_free(e->session_ids[i].key); ++ sshbuf_free(e->session_ids[i].sid); ++ } ++ free(e->session_ids); + memset(e, '\0', sizeof(*e)); + e->fd = -1; + e->type = AUTH_UNUSED; +@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data) + return 0; + } + ++static int ++buf_equal(const struct sshbuf *a, const struct sshbuf *b) ++{ ++ if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if (sshbuf_len(a) != sshbuf_len(b)) ++ return SSH_ERR_INVALID_FORMAT; ++ if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0) ++ return SSH_ERR_INVALID_FORMAT; ++ return 0; ++} ++ + /* ssh2 only */ + static void + process_sign_request2(SocketEntry *e) +@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e) + size_t i, slen = 0; + u_int compat = 0, flags; + int r, ok = -1; +- char *fp = NULL; +- struct sshbuf *msg = NULL, *data = NULL; ++ char *fp = NULL, *user = NULL, *sig_dest = NULL; ++ struct sshbuf *msg = NULL, *data = NULL, *sid = NULL; + struct sshkey *key = NULL; + struct identity *id; + struct notifier_ctx *notifier = NULL; +@@ -452,7 +485,33 @@ 
process_sign_request2(SocketEntry *e) + verbose("%s: %s key not found", __func__, sshkey_type(key)); + goto send; + } +- if (id->confirm && confirm_key(id, NULL) != 0) { ++ /* ++ * If session IDs were recorded for this socket, then use them to ++ * annotate the confirmation messages with the host keys. ++ */ ++ if (e->nsession_ids > 0 && ++ parse_userauth_request(data, key, &user, &sid) == 0) { ++ /* ++ * session ID from userauth request should match the final ++ * ID in the list recorded in the socket, unless the ssh ++ * client at that point lacks the binding extension (or if ++ * an attacker is trying to steal use of the agent). ++ */ ++ i = e->nsession_ids - 1; ++ if (buf_equal(sid, e->session_ids[i].sid) == 0) { ++ if ((fp = sshkey_fingerprint(e->session_ids[i].key, ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal("%s: fingerprint failed", __func__); ++ debug3("%s: destination %s %s (slot %zu)", __func__, ++ sshkey_type(e->session_ids[i].key), fp, i); ++ xasprintf(&sig_dest, "public key request for " ++ "target user \"%s\" to %s %s", user, ++ sshkey_type(e->session_ids[i].key), fp); ++ free(fp); ++ fp = NULL; ++ } ++ }// ++ if (id->confirm && confirm_key(id, sig_dest) != 0) { + verbose("%s: user refused key", __func__); + goto send; + } +@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e) + SSH_FP_DEFAULT)) == NULL) + fatal("%s: fingerprint failed", __func__); + notifier = notify_start(0, +- "Confirm user presence for key %s %s", +- sshkey_type(id->key), fp); ++ "Confirm user presence for key %s %s%s%s", ++ sshkey_type(id->key), fp, ++ sig_dest == NULL ? "" : "\n", ++ sig_dest == NULL ? 
"" : sig_dest); + } + } + if ((r = sshkey_sign(id->key, &signature, &slen, +@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e) + if ((r = sshbuf_put_stringb(e->output, msg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + ++ sshbuf_free(sid); + sshbuf_free(data); + sshbuf_free(msg); + sshkey_free(key); + free(fp); + free(signature); ++ free(sig_dest); ++ free(user); + } + + /* shared */ +@@ -925,6 +989,98 @@ send: + } + #endif /* ENABLE_PKCS11 */ + ++static int ++process_ext_session_bind(SocketEntry *e) ++{ ++ int r, sid_match, key_match; ++ struct sshkey *key = NULL; ++ struct sshbuf *sid = NULL, *sig = NULL; ++ char *fp = NULL; ++ u_char fwd; ++ size_t i; ++ ++ debug2("%s: entering", __func__); ++ if ((r = sshkey_froms(e->request, &key)) != 0 || ++ (r = sshbuf_froms(e->request, &sid)) != 0 || ++ (r = sshbuf_froms(e->request, &sig)) != 0 || ++ (r = sshbuf_get_u8(e->request, &fwd)) != 0) { ++ error("%s: parse: %s", __func__, ssh_err(r)); ++ goto out; ++ } ++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal("%s: fingerprint failed", __func__); ++ /* check signature with hostkey on session ID */ ++ if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig), ++ sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) { ++ error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r)); ++ goto out; ++ } ++ /* check whether sid/key already recorded */ ++ for (i = 0; i < e->nsession_ids; i++) { ++ sid_match = buf_equal(sid, e->session_ids[i].sid) == 0; ++ key_match = sshkey_equal(key, e->session_ids[i].key); ++ if (sid_match && key_match) { ++ debug("%s: session ID already recorded for %s %s", __func__, ++ sshkey_type(key), fp); ++ r = 0; ++ goto out; ++ } else if (sid_match) { ++ error("%s: session ID recorded against different key " ++ "for %s %s", __func__, sshkey_type(key), fp); ++ r = -1; ++ goto out; ++ } ++ /* ++ * new sid with previously-seen key can happen, e.g. 
multiple ++ * connections to the same host. ++ */ ++ } ++ /* record new key/sid */ ++ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { ++ error("%s: too many session IDs recorded", __func__); ++ goto out; ++ } ++ e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, ++ e->nsession_ids + 1, sizeof(*e->session_ids)); ++ i = e->nsession_ids++; ++ debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i, ++ AGENT_MAX_SESSION_IDS); ++ e->session_ids[i].key = key; ++ e->session_ids[i].forwarded = fwd != 0; ++ key = NULL; /* transferred */ ++ /* can't transfer sid; it's refcounted and scoped to request's life */ ++ if ((e->session_ids[i].sid = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new", __func__); ++ if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0) ++ fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r)); ++ /* success */ ++ r = 0; ++ out: ++ sshkey_free(key); ++ sshbuf_free(sid); ++ sshbuf_free(sig); ++ return r == 0 ? 1 : 0; ++} ++ ++static void ++process_extension(SocketEntry *e) ++{ ++ int r, success = 0; ++ char *name; ++ ++ debug2("%s: entering", __func__); ++ if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) { ++ error("%s: parse: %s", __func__, ssh_err(r)); ++ goto send; ++ } ++ if (strcmp(name, "session-bind@openssh.com") == 0) ++ success = process_ext_session_bind(e); ++ else ++ debug("%s: unsupported extension \"%s\"", __func__, name); ++send: ++ send_status(e, success); ++} + /* + * dispatch incoming message. + * returns 1 on success, 0 for incomplete messages or -1 on error. +@@ -1019,6 +1175,9 @@ process_message(u_int socknum) + process_remove_smartcard_key(e); + break; + #endif /* ENABLE_PKCS11 */ ++ case SSH_AGENTC_EXTENSION: ++ process_extension(e); ++ break; + default: + /* Unknown message. Respond with failure. */ + error("Unknown message %d", type); +-- +2.41.0 
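Review bot: in process_ext_session_bind the over-limit branch `if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { error(...); goto out; }` jumps to `out` with `r` still 0 from the successful sshkey_verify(), so the function returns 1 and the client is told SSH_AGENT_SUCCESS although nothing was recorded; set `r = -1;` before the goto, as the "session ID recorded against different key" branch does. Also, AGENT_MAX_SID_LEN is defined in this patch but never checked: `sid` is copied into e->session_ids[i].sid whatever its length, so either bound sshbuf_len(sid) against it before recording or drop the define.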
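Review bot: process_extension never frees `name` after `sshbuf_get_cstring(e->request, &name, NULL)`, so every extension request leaks the extension-name string; add `free(name);` before the `send:` label. In the process_sign_request2 hunk the line `}//` has a stray `//` after the closing brace; it compiles, but it looks like a leftover from resolving the backport and should be removed. Lastly, when `buf_equal(sid, e->session_ids[i].sid)` does not match, the code proceeds without the annotation and without any log line; the comment already names the attacker case, so a verbose() or debug() there would give operators something to look for in the agent log.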
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch new file mode 100644 index 0000000000..934775bdec --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch 
@@ -0,0 +1,120 @@ +From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 19 Jul 2023 13:56:33 +0000 +Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11 + provider libraries to ssh-agent by default. + +The old behaviour of allowing remote clients from loading providers +can be restored using `ssh-agent -O allow-remote-pkcs11`. + +Detection of local/remote clients requires a ssh(1) that supports +the `session-bind@openssh.com` extension. Forwarding access to a +ssh-agent socket using non-OpenSSH tools may circumvent this control. + +ok markus@ + +OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni +--- + ssh-agent.1 | 20 ++++++++++++++++++++ + ssh-agent.c | 26 ++++++++++++++++++++++++-- + 2 files changed, 44 insertions(+), 2 deletions(-) + +diff --git a/ssh-agent.1 b/ssh-agent.1 +index fff0db6..a0f1e21 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -97,6 +97,26 @@ The default is + Kill the current agent (given by the + .Ev SSH_AGENT_PID + environment variable). ++Currently two options are supported: ++.Cm allow-remote-pkcs11 ++and ++.Pp ++The ++.Cm allow-remote-pkcs11 ++option allows clients of a forwarded ++.Nm ++to load PKCS#11 or FIDO provider libraries. ++By default only local clients may perform this operation. ++Note that signalling that a ++.Nm ++client remote is performed by ++.Xr ssh 1 , ++and use of other tools to forward access to the agent socket may circumvent ++this restriction. 
++.Pp ++The ++.Cm no-restrict-websafe , ++instructs + .It Fl P Ar provider_whitelist + Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator + shared libraries that may be used with the +diff --git a/ssh-agent.c b/ssh-agent.c +index 01c7f2b..40c1b6b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX]; + /* PKCS#11/Security key path whitelist */ + static char *provider_whitelist; + ++/* ++ * Allows PKCS11 providers or SK keys that use non-internal providers to ++ * be added over a remote connection (identified by session-bind@openssh.com). ++ */ ++static int remote_add_provider; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e) + if (strcasecmp(sk_provider, "internal") == 0) { + debug("%s: internal provider", __func__); + } else { ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed add of SK provider \"%.100s\": " ++ "remote addition of providers is disabled", ++ sk_provider); ++ free(sk_provider); ++ free(comment); ++ sshkey_free(k); ++ goto send; ++ } + if (realpath(sk_provider, canonical_provider) == NULL) { + verbose("failed provider \"%.100s\": " + "realpath: %s", sk_provider, +@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e) + goto send; + } + } ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " ++ "providers is disabled", provider); ++ goto send; ++ } + if (realpath(provider, canonical_provider) == NULL) { + verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", + provider, strerror(errno)); +@@ -1556,7 +1576,9 @@ main(int ac, char **av) + break; + case 'O': + if (strcmp(optarg, 
"no-restrict-websafe") == 0) +- restrict_websafe = 0; ++ restrict_websafe = 0; ++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) ++ remote_add_provider = 1; + else + fatal("Unknown -O option"); + break; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index 79dba121ff..bc4b922301 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb 
@@ -27,6 +27,18 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2020-14145.patch \ file://CVE-2021-28041.patch \ file://CVE-2021-41617.patch \ + file://CVE-2023-38408-01.patch \ + file://CVE-2023-38408-02.patch \ + file://CVE-2023-38408-03.patch \ + file://CVE-2023-38408-04.patch \ + file://CVE-2023-38408-05.patch \ + file://CVE-2023-38408-06.patch \ + file://CVE-2023-38408-07.patch \ + file://CVE-2023-38408-08.patch \ + file://CVE-2023-38408-09.patch \ + file://CVE-2023-38408-10.patch \ + file://CVE-2023-38408-11.patch \ + file://CVE-2023-38408-12.patch \ " SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" From patchwork Tue Sep 12 13:53:12 2023 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30325
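Review bot: the twelve patch files are listed in order in the openssh_8.2p1.bb hunk, and that order matters because each patch's index line chains from the previous one (`7ad323c..c99927c`, `c99927c..7f1e14b`, `7f1e14b..01c7f2b`, `01c7f2b..40c1b6b`), so keep it if the series is ever trimmed. Every part carries a `CVE: CVE-2023-38408` tag, which is what cve-check uses to mark the recipe as patched, so that tag should remain on each file of the series.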
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180 Date: Tue, 12 Sep 2023 03:53:12 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187518 From: Ashish Sharma Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980] CVE: CVE-2023-3180 Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-3180.patch | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2871818cb1..3789d77046 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -139,6 +139,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ file://CVE-2023-0330.patch \ file://CVE-2023-3354.patch \ + file://CVE-2023-3180.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch new file mode 100644 index 0000000000..7144bdca46 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch 
@@ -0,0 +1,49 @@ +From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001 +From: zhenwei pi +Date: Thu, 3 Aug 2023 10:43:13 +0800 +Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request + +For symmetric algorithms, the length of ciphertext must be as same +as the plaintext. +The missing verification of the src_len and the dst_len in +virtio_crypto_sym_op_helper() may lead buffer overflow/divulged. + +This patch is originally written by Yiming Tao for QEMU-SECURITY, +resend it(a few changes of error message) in qemu-devel. + +Fixes: CVE-2023-3180 +Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler") +Cc: Gonglei +Cc: Mauro Matteo Cascella +Cc: Yiming Tao +Signed-off-by: zhenwei pi +Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980] +CVE: CVE-2023-3180 +Signed-off-by: Ashish Sharma + + hw/virtio/virtio-crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 44faf5a522b..13aec771e11 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + ++ if (unlikely(src_len != dst_len)) { ++ virtio_error(vdev, "sym request src len is different from dst len"); ++ return NULL; ++ } ++ + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); +-- +GitLab + From patchwork Tue Sep 12 13:53:13 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30324 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
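Review bot: the virtio_crypto_sym_op_helper hunk puts `if (unlikely(src_len != dst_len))` before the `max_len > vcrypto->conf.max_size` check, so a guest that supplies a destination buffer shorter than its source is rejected before any copy is sized from the two lengths, which is what closes the overflow the description refers to; a one-line comment stating that symmetric ciphers produce output of the same length as their input would explain why equality, rather than `dst_len >= src_len`, is the right test. Style: the `Upstream-Status:` line in the qemu patches reads `Backport from [...]` while the openssh patches in this series use `Backport [...]`; keep the one form.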
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 Date: Tue, 12 Sep 2023 03:53:13 -1000 Message-Id: <45ce9885351a2344737170e6e810dc67ab3e7ea9.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187519
From: Vijay Anusuri A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. Summary of the problem from Peter Maydell: https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com Reference: https://gitlab.com/qemu-project/qemu/-/issues/556 qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330 b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) a2e1753b80 memory: prevent dma-reentracy issues Included second commit as well as commit log of a2e1753b80 says it resolves CVE-2023-0330 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 3 +- ...-2023-0330.patch => CVE-2023-0330_1.patch} | 0 .../qemu/qemu/CVE-2023-0330_2.patch | 135 ++++++++++++++++++ 3 files changed, 137 insertions(+), 1 deletion(-) rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3789d77046..2669ba4ec8 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3409-4.patch \ file://CVE-2021-3409-5.patch \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ - file://CVE-2023-0330.patch \ + file://CVE-2023-0330_1.patch \ + file://CVE-2023-0330_2.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ " diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch similarity index 100% rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch 
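Review bot: The qemu.inc hunk (@@ -137,7 +137,8 @@) together with the 100% rename to CVE-2023-0330_1.patch leaves the existing patch body untouched, so its own `CVE:` tag keeps cve-check coverage for CVE-2023-0330; since both files now claim the same CVE, the commit message should say plainly that _2 is the generic re-entrancy guard the lsi53c895a fix builds on rather than a second fix for the same bug, as the cover text only notes that the upstream log of a2e1753b80 mentions the CVE.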
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch new file mode 100644 index 0000000000..3b45bc0411 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch 
@@ -0,0 +1,135 @@ +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov +Date: Thu, 27 Apr 2023 17:10:06 -0400 +Subject: [PATCH] memory: prevent dma-reentracy issues + +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. +This flag is set/checked prior to calling a device's MemoryRegion +handlers, and set when device code initiates DMA. The purpose of this +flag is to prevent two types of DMA-based reentrancy issues: + +1.) mmio -> dma -> mmio case +2.) bh -> dma write -> mmio case + +These issues have led to problems such as stack-exhaustion and +use-after-frees. + +Summary of the problem from Peter Maydell: +https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 +Resolves: CVE-2023-0330 + +Signed-off-by: Alexander Bulekov +Reviewed-by: Thomas Huth +Message-Id: <20230427211013.2994127-2-alxndr@bu.edu> +[thuth: Replace warn_report() with warn_report_once()] +Signed-off-by: Thomas Huth + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri +--- + include/exec/memory.h | 5 +++++ + include/hw/qdev-core.h | 7 +++++++ + memory.c | 16 ++++++++++++++++ + 3 files changed, 28 insertions(+) + +diff --git a/include/exec/memory.h b/include/exec/memory.h +index 2b8bccdd..0c8cdb8e 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ -378,6 +378,8 @@ struct MemoryRegion { + bool is_iommu; + RAMBlock *ram_block; + Object 
*owner; ++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */ ++ DeviceState *dev; + + const MemoryRegionOps *ops; + void *opaque; +@@ -400,6 +402,9 @@ struct MemoryRegion { + const char *name; + unsigned ioeventfd_nb; + MemoryRegionIoeventfd *ioeventfds; ++ ++ /* For devices designed to perform re-entrant IO into their own IO MRs */ ++ bool disable_reentrancy_guard; + }; + + struct IOMMUMemoryRegion { +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h +index 1518495b..206f0a70 100644 +--- a/include/hw/qdev-core.h ++++ b/include/hw/qdev-core.h +@@ -138,6 +138,10 @@ struct NamedGPIOList { + QLIST_ENTRY(NamedGPIOList) node; + }; + ++typedef struct { ++ bool engaged_in_io; ++} MemReentrancyGuard; ++ + /** + * DeviceState: + * @realized: Indicates whether the device has been fully constructed. +@@ -163,6 +167,9 @@ struct DeviceState { + int num_child_bus; + int instance_id_alias; + int alias_required_for_version; ++ ++ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */ ++ MemReentrancyGuard mem_reentrancy_guard; + }; + + struct DeviceListener { +diff --git a/memory.c b/memory.c +index 8cafb86a..94ebcaf9 100644 +--- a/memory.c ++++ b/memory.c +@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_size_max = 4; + } + ++ /* Do not allow more than one simultaneous access to a device's IO Regions */ ++ if (mr->dev && !mr->disable_reentrancy_guard && ++ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) { ++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { ++ warn_report_once("Blocked re-entrant IO on MemoryRegion: " ++ "%s at addr: 0x%" HWADDR_PRIX, ++ memory_region_name(mr), addr); ++ return MEMTX_ACCESS_ERROR; ++ } ++ mr->dev->mem_reentrancy_guard.engaged_in_io = true; ++ } ++ + /* FIXME: support unaligned access? 
*/ + access_size = MAX(MIN(size, access_size_max), access_size_min); + access_mask = MAKE_64BIT_MASK(0, access_size * 8); +@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_mask, attrs); + } + } ++ if (mr->dev) { ++ mr->dev->mem_reentrancy_guard.engaged_in_io = false; ++ } + return r; + } + +@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr, + } + mr->name = g_strdup(name); + mr->owner = owner; ++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE); + mr->ram_block = NULL; + + if (name) { +-- +2.25.1 + From patchwork Tue Sep 12 13:53:14 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30326 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01D60CA0EE4 for ; Tue, 12 Sep 2023 13:53:49 +0000 (UTC) Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mx.groups.io with SMTP id smtpd.web10.25444.1694526826494492311 for ; Tue, 12 Sep 2023 06:53:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=BI2EZmDn; spf=softfail (domain: sakoman.com, ip: 209.85.214.170, mailfrom: steve@sakoman.com) Received: by mail-pl1-f170.google.com with SMTP id d9443c01a7336-1c364fb8a4cso51270775ad.1 for ; Tue, 12 Sep 2023 06:53:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526825; x=1695131625; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=h57Cres/y/+fGp+REF5U4gM495ALPp56dwcAqT6Id1A=; 
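Review bot: In the memory.c hunk at @@ -531,6 +531,18 @@ the guard is taken only when `mr->dev && !mr->disable_reentrancy_guard && !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly`, but the matching reset in the @@ -545,6 +557,9 @@ hunk clears `engaged_in_io` for any `mr->dev`. An access that did not take the guard (a region with `disable_reentrancy_guard` set, or a RAM/ROM region owned by the same device) therefore clears the flag an outer MMIO handler set and re-opens the re-entrancy window for the rest of that handler; mirroring the set-side condition on the clear side, or recording in a local whether this call set the flag, closes that gap, and upstream tightened this after the original commit, so the follow-up belongs in the backport too. Separately, the hunk returns `MEMTX_ACCESS_ERROR` and calls `warn_report_once()` without defining either, so confirm the dunfell qemu tree already has both.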
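Review bot: The memory.h hunk at @@ -400,6 +402,9 @@ introduces `disable_reentrancy_guard` with a comment that it is for devices designed to re-enter their own IO regions, yet nothing in this patch or elsewhere in the series sets it, so after this backport every device model in the dunfell tree that legitimately re-enters its own MMIO will have the access refused with `MEMTX_ACCESS_ERROR` and a single `Blocked re-entrant IO on MemoryRegion` warning. Upstream set the flag for such devices in separate commits; the backport should check whether those exemptions are needed for the machines dunfell builds, otherwise this is a functional regression that only surfaces as that run-time warning.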
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks Date: Tue, 12 Sep 2023 03:53:14 -1000 Message-Id: <18246f0bfedb5c729a0fc5b515f25a1ed0cde191.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187520 From: Priyal Doshi remove the traling blanks before the ;-delimiter, so one could use "_remove" to avoid running tasks like 'rootfs_update_timestamp', which are currently hardcoded and not bound to any configurable feature flag Signed-off-by: Priyal Doshi Signed-off-by: Steve Sakoman --- meta/classes/rootfs-postcommands.bbclass | 6 +++--- meta/classes/rootfsdebugfiles.bbclass | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass index d9e2aeab64..943534c57a 100644 --- a/meta/classes/rootfs-postcommands.bbclass +++ b/meta/classes/rootfs-postcommands.bbclass @@ -1,6 +1,6 @@ # Zap the root password if debug-tweaks feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}' +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password; ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}' 
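Review bot: With the `; ` form introduced in this hunk (@@ -1,6 +1,6 @@), the whitespace-separated token that `_remove` matches is `zap_empty_root_password;` with the semicolon attached, so the commit message should spell out that `ROOTFS_POSTPROCESS_COMMAND_remove = "zap_empty_root_password;"` is the required form. Since that command is the hardening step that zaps an empty root password when debug-tweaks is off, making it removable per image is a deliberate policy knob, and image-recipe reviewers should look for that `_remove` in the same way they look for debug-tweaks.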
@@ -12,7 +12,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}' # Create /etc/timestamp during image construction to give a reasonably sane default time setting -ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " +ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; " # Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}' @@ -26,7 +26,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}' # Generates test data file with data store variables expanded in json format -ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data ; " +ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data; " # Write manifest IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest" diff --git a/meta/classes/rootfsdebugfiles.bbclass b/meta/classes/rootfsdebugfiles.bbclass index e2ba4e3647..85c7ec7434 100644 --- a/meta/classes/rootfsdebugfiles.bbclass +++ b/meta/classes/rootfsdebugfiles.bbclass 
@@ -28,7 +28,7 @@ ROOTFS_DEBUG_FILES ?= "" ROOTFS_DEBUG_FILES[doc] = "Lists additional files or directories to be installed with 'cp -a' in the format 'source1 target1;source2 target2;...'" -ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files ;" +ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files;" rootfs_debug_files () { #!/bin/sh -e echo "${ROOTFS_DEBUG_FILES}" | sed -e 's/;/\n/g' | while read source target mode; do From patchwork Tue Sep 12 13:53:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30327 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 13D53CA0EE6 for ; Tue, 12 Sep 2023 13:53:49 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.25446.1694526828305515420 for ; Tue, 12 Sep 2023 06:53:48 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=LJRLSIfT; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1c39bc0439bso20600895ad.0 for ; Tue, 12 Sep 2023 06:53:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526827; x=1695131627; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=f/N/udGn6sNecScK3cObMOu0ZKZhmOhVngaykRJTIcY=; b=LJRLSIfTMw6F5/8mIH7SsturnnlwsFdZSZ7Nq6OpCWsly9eGQVNDHAmY1rsksloBaR 47EP56G/UzaZI7e+ELa5GxpXj+g98TztYo7QOL77novp7uI4m+nYh5duCrXZebPDlzuj 
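Review bot: Minor style point in the rootfsdebugfiles.bbclass hunk (@@ -28,7 +28,7 @@): `rootfs_debug_files;` keeps no trailing space, while every entry touched in rootfs-postcommands.bbclass ends with `; `; both work because `+=` inserts its own separator, but using one form across the two classes keeps the `_remove` tokens uniform and easier to document.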
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 Date: Tue, 12 Sep 2023 03:53:15 -1000 Message-Id: <2850119bce7aa9788ab8b163311d42ea273ca1df.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187521 From: Michael Halstead Add in stable updates to glibc 2.38 to fix malloc bugs Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1) Signed-off-by: Steve Sakoman --- meta/conf/distro/include/yocto-uninative.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 6596c0f4a2..eaa3e9b31c 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc 
@@ -7,9 +7,9 @@ # UNINATIVE_MAXGLIBCVERSION = "2.38" -UNINATIVE_VERSION = "4.2" +UNINATIVE_VERSION = "4.3" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "cff40e7bdde50aeda06707af8c001796a71b4cf33c5ae1616e5c47943ff6b94e" -UNINATIVE_CHECKSUM[i686] ?= "a70516447e9a9f1465ffaf1c7f89e79d1692d2356d86fd2a5a63acd908db1ff2" -UNINATIVE_CHECKSUM[x86_64] ?= "6a86d71eeafba4fefec600c9bf8cf4a01324d1eb52788b6e398d3f23c10d19fb" +UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec" +UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd" +UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030" From patchwork Tue Sep 12 13:53:16 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30329 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0BD1ECA0EE5 for ; Tue, 12 Sep 2023 13:53:59 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web10.25450.1694526830090595175 for ; Tue, 12 Sep 2023 06:53:50 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=cRYC8leZ; spf=softfail (domain: sakoman.com, ip: 209.85.214.172, mailfrom: steve@sakoman.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1c3bd829b86so16393335ad.0 for ; Tue, 12 Sep 2023 06:53:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526829; x=1695131629; darn=lists.openembedded.org; 
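Review bot: The three UNINATIVE_CHECKSUM values in this hunk (@@ -7,9 +7,9 @@) are the only integrity check on the uninative tarball fetched from UNINATIVE_URL, which defaults to plain http, so they should be verified against the published checksums for the 4.3 release rather than taken from the patch text on trust; the commit message's reference to glibc 2.38 stable updates is consistent with UNINATIVE_MAXGLIBCVERSION staying at 2.38, so no further recipe change is needed.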
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json Date: Tue, 12 Sep 2023 03:53:16 -1000 Message-Id: <31b996c01c72749fc62821a3c9d1da70540bfad6.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187522 From: Michael Halstead non-release indexes will continue to generate when test output is corrupted. Signed-off-by: Michael Halstead Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 1a9157684a6bff8406c9bb470cb2e16ee006bbe9) Signed-off-by: Steve Sakoman --- scripts/lib/resulttool/resultutils.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/lib/resulttool/resultutils.py b/scripts/lib/resulttool/resultutils.py index 7666331ba2..c5521d81bd 100644 --- a/scripts/lib/resulttool/resultutils.py +++ b/scripts/lib/resulttool/resultutils.py 
@@ -58,7 +58,11 @@ def append_resultsdata(results, f, configmap=store_map, configvars=extra_configv testseries = posixpath.basename(posixpath.dirname(url.path)) else: with open(f, "r") as filedata: - data = json.load(filedata) + try: + data = json.load(filedata) + except json.decoder.JSONDecodeError: + print("Cannot decode {}. Possible corruption. Skipping.".format(f)) + data = "" testseries = os.path.basename(os.path.dirname(f)) else: data = f From patchwork Tue Sep 12 13:53:17 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30330 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B588CA0EDD for ; Tue, 12 Sep 2023 13:53:59 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web10.25452.1694526832353687783 for ; Tue, 12 Sep 2023 06:53:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=3KkuqsXJ; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1bc0d39b52cso41827765ad.2 for ; Tue, 12 Sep 2023 06:53:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526831; x=1695131631; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=j+OqtOQFHLuwY2cIM/AEo00//oe/5PUK0JH8ZHhC3wI=; b=3KkuqsXJvG9JRBRlXXG4lisqTYyJ60RFlmO1AGbz/Q5wnZr5c4hfVdzaut9jSkIc9o Yv+7uJmdF1YSassSYVldWNbO2pYgcmxWkGLBO6zI/sA96z8y/R7Zin4jOMBExmqsMtlZ 
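Review bot: In the append_resultsdata hunk (@@ -58,7 +58,11 @@) the except branch leaves `data` as the empty string, whereas every other path yields the object returned by json.load; unless the code after the hunk tolerates a str where it expects a dict, `data = {}` or an early return would be safer. Since corrupt input is the very case being handled, the diagnostic also belongs on stderr or the logger rather than stdout, where it can mix with generated output, and `json.JSONDecodeError` is the documented public name for the exception caught here.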
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking Date: Tue, 12 Sep 2023 03:53:17 -1000 Message-Id: <27a982807caa7ffbdf2d4ef02bc0b037150b1b3b.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187523 From: Staffan Rydén Due to an oversight in the do_symlink_kernsrc function, the path comparison between "S" and "STAGING_KERNEL_DIR" is broken. The code obtains both variables, but modifies the local copy of "S" before comparing them, causing the comparison to always return false. This can cause the build to fail when the EXTERNALSRC flag is enabled, since the code will try to create a symlink even if one already exists. This patch resolves the issue by comparing the variables before they are modified. Signed-off-by: Staffan Rydén Signed-off-by: Alexandre Belloni (cherry picked from commit afd2038ef8a66a5e6433be31a14e1eb0d9f9a1d3) Signed-off-by: Steve Sakoman --- meta/classes/kernel.bbclass | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index 5d8b3b062a..ba5b6cf384 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass 
@@ -143,13 +143,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}" python do_symlink_kernsrc () { s = d.getVar("S") - if s[-1] == '/': - # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail - s=s[:-1] kernsrc = d.getVar("STAGING_KERNEL_DIR") if s != kernsrc: bb.utils.mkdirhier(kernsrc) bb.utils.remove(kernsrc, recurse=True) + if s[-1] == '/': + # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as + # directory name and fail + s = s[:-1] if d.getVar("EXTERNALSRC"): # With EXTERNALSRC S will not be wiped so we can symlink to it os.symlink(s, kernsrc) From patchwork Tue Sep 12 13:53:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30333 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18228CA0EE8 for ; Tue, 12 Sep 2023 13:53:59 +0000 (UTC) Received: from mail-pl1-f182.google.com (mail-pl1-f182.google.com [209.85.214.182]) by mx.groups.io with SMTP id smtpd.web11.25679.1694526834433220042 for ; Tue, 12 Sep 2023 06:53:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=w2GJS2Iw; spf=softfail (domain: sakoman.com, ip: 209.85.214.182, mailfrom: steve@sakoman.com) Received: by mail-pl1-f182.google.com with SMTP id d9443c01a7336-1bd9b4f8e0eso38246215ad.1 for ; Tue, 12 Sep 2023 06:53:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526833; x=1695131633; darn=lists.openembedded.org; 
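Review bot: Moving the trailing-slash strip after the comparison (@@ -143,13 +143,14 @@) fixes the case the commit message describes, but `s != kernsrc` is still a raw string comparison, so an S with a trailing slash and a STAGING_KERNEL_DIR without one will still be treated as different directories and the code will `bb.utils.remove(kernsrc, recurse=True)` and then try to symlink; comparing `os.path.normpath(s)` with `os.path.normpath(kernsrc)` before the remove would cover that case as well. The moved block still indexes `s[-1]`, which raises IndexError when S is empty, as it did before the change.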
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh Date: Tue, 12 Sep 2023 03:53:18 -1000 Message-Id: <781c52bb8f9ffe6aeb456fb0c0d628917641fb22.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187524 From: Anuj Mittal Don't fill up the test log with the ssh warning about having added the host to the list of known hosts. Also helps fix a test case failure where the stderr log was being compared to a known value. Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie (cherry picked from commit 63b31ff7e54a171c4c02fca2e6b07aec64a410af) Signed-off-by: Steve Sakoman --- meta/recipes-core/glibc/glibc/check-test-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/glibc/glibc/check-test-wrapper b/meta/recipes-core/glibc/glibc/check-test-wrapper index 6ec9b9b29e..5cc993f718 100644 --- a/meta/recipes-core/glibc/glibc/check-test-wrapper +++ b/meta/recipes-core/glibc/glibc/check-test-wrapper
@@ -58,7 +58,7 @@ elif targettype == "ssh": user = os.environ.get("SSH_HOST_USER", None) port = os.environ.get("SSH_HOST_PORT", None) - command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"] + command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"] if port: command += ["-p", str(port)] if not host: From patchwork Tue Sep 12 13:53:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30332 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A677CA0EE4 for ; Tue, 12 Sep 2023 13:53:59 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web11.25682.1694526836632583283 for ; Tue, 12 Sep 2023 06:53:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Bp7Yfo9e; spf=softfail (domain: sakoman.com, ip: 209.85.214.171, mailfrom: steve@sakoman.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-1c1f7f7151fso40595385ad.1 for ; Tue, 12 Sep 2023 06:53:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526836; x=1695131636; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=TzeLOmuSCBfKxoIAxXHq9OHKNPThm/uQFgM1xjNFMIo=; b=Bp7Yfo9e8EoQo57LdlmVxhlFQXr4n7wlr6hqlddjWS39O75c4FU6oKvt18paQueajo X3AkjnswQ4twyOHyXCe3a1c5Ae25w0LIhRwbQTZumMU98XIoH982dmtpUn18b3UMxS4Q FEBysbNtWl7TrMVn1CwH4DyL2phEiORRqTopJhqBzL+XckTJ7nRTIzxwLkoOf1Dp1pyb 
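Review bot: `LogLevel=quiet` silences every ssh diagnostic, not only the known-hosts notice, so a connection refusal or an authentication failure against the test target now surfaces as a bare non-zero exit with nothing on stderr to explain it. `LogLevel=ERROR` drops the 'Permanently added ... to the list of known hosts' line (logged at INFO) while keeping error messages, and is the better choice for a wrapper whose stderr is compared against expected output. Note that with `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null` this command already performs no host-key verification at all; that is acceptable for a throwaway qemu target, but the wrapper should not be reused outside the test harness.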
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing Date: Tue, 12 Sep 2023 03:53:19 -1000 Message-Id: <50b07b4c0c814f2832816cf83863687155429b21.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187525 From: Anuj Mittal Some of the tests trigger OOM and fail. Increase the amount of memory available so we don't run into these issues. Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie (cherry picked from commit 4d22dba482cb19ffcff5abee73f24526ea9d1c2a) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/glibc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py index cf8c92887b..f2ed822bf3 100644 --- a/meta/lib/oeqa/selftest/cases/glibc.py +++ b/meta/lib/oeqa/selftest/cases/glibc.py
@@ -61,7 +61,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): bitbake("core-image-minimal") # start runqemu - qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic")) + qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024")) # validate that SSH is working status, _ = qemu.run("uname") From patchwork Tue Sep 12 13:53:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30331 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2B3FCCA0EEB for ; Tue, 12 Sep 2023 13:53:59 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.25455.1694526838782899176 for ; Tue, 12 Sep 2023 06:53:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yAD8Mjs1; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1bf5c314a57so40038645ad.1 for ; Tue, 12 Sep 2023 06:53:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526838; x=1695131638; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hOf4b9Go+eizTKuvoCpL2wTEtGXbXCEI037EdTGBevA=; b=yAD8Mjs14UE+MRLxAAPDKQ/pKgykqMcV53ToHpf/pvdKmvOp0GovITpDmXroVuZtUs lTcnS+gpVcGupDNXJ69J2+U0KB/GSeN9fQW1JA8DOYHzmAze1oPK8ZcVBtFQzvbevdjM oOmbxD8npVYIoS85cKWIuTYrvDipPh7F7HFmrJq9OXsk9bEMgiibnw94ME9Vf93pltCP 
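Review bot: `-m 1024` in the runqemu call is an unexplained magic number; add a comment saying it is there because some glibc tests OOM at the default guest memory size, or hoist it into a named attribute on GlibcSelfTestBase (e.g. `qemu_mem_mb = 1024`) so the next person who has to raise it knows what it guards against and can override it per runner without editing the test body.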
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports Date: Tue, 12 Sep 2023 03:53:20 -1000 Message-Id: <148e009374dcbd2101223cf33f2ff69c75895b71.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:53:59 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187526 From: Anuj Mittal Allows setting up NFS over TCP as well. Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie (cherry picked from commit e1ff9b9a3b7f7924aea67d2024581bea2e916036) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/utils/nfs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/lib/oeqa/utils/nfs.py b/meta/lib/oeqa/utils/nfs.py index a37686c914..c9bac050a4 100644 --- a/meta/lib/oeqa/utils/nfs.py +++ b/meta/lib/oeqa/utils/nfs.py @@ -8,7 +8,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command from oeqa.utils.network import get_free_port @contextlib.contextmanager -def unfs_server(directory, logger = None): +def unfs_server(directory, logger = None, udp = True): unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native") if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")): # build native tool 
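Review bot: the new `udp = True` parameter on `unfs_server` is undocumented; add a docstring or comment stating that `udp=False` allocates TCP ports for both the NFS and mount services, so callers do not have to read `get_free_port` to learn what the flag changes. Making it keyword-only (`def unfs_server(directory, logger = None, *, udp = True)`) would also prevent a positional argument intended for `logger` from being silently taken as the transport flag.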
@@ -22,7 +22,7 @@ def unfs_server(directory, logger = None): exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode()) # find some ports for the server - nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True) + nfsport, mountport = get_free_port(udp), get_free_port(udp) nenv = dict(os.environ) nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '') From patchwork Tue Sep 12 13:53:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30334 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 21391CA0EE8 for ; Tue, 12 Sep 2023 13:54:09 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.25685.1694526840950275764 for ; Tue, 12 Sep 2023 06:54:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=CHao8DfU; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1c337aeefbdso51467545ad.0 for ; Tue, 12 Sep 2023 06:54:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526840; x=1695131640; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=/8LMa7ahoZXwret8ysTootmVsZRBZ5Fx1RBsxt9oLAQ=; b=CHao8DfU+aV8cH31vJW6iSTca2BJvX2vTlnEx0oBqtZSBQVgAz4e7uicyDIU7D4SnG MTfk/7Y0KnKcAfournhIa2OwaJAKzgyOBlkoM6PCTg68w1co79Yvk7TvOC201O8QIyda 
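Review bot: `get_free_port(udp)` now passes the flag positionally and so depends on `udp` being the first parameter of `get_free_port`; the line it replaces used the keyword, and `get_free_port(udp=udp), get_free_port(udp=udp)` keeps that robustness against a signature change at no cost. The ports are still only known to be free at the moment they are probed, before the server binds them; that race predates this change, but a short comment here would save the next reader from assuming the pair is reserved.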
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP Date: Tue, 12 Sep 2023 03:53:21 -1000 Message-Id: <1f35336edf13496432fb68e7e048a5c137fc3e47.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:54:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187527 From: Anuj Mittal This provides a more reliable test execution when running tests that write a large buffer/file and significantly reduces the localedata test failures. Signed-off-by: Anuj Mittal Signed-off-by: Richard Purdie (cherry picked from commit 97a7612e3959bc9c75116a4e696f47cc31aea75d) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/glibc.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py index f2ed822bf3..c1f6e4c1fb 100644 --- a/meta/lib/oeqa/selftest/cases/glibc.py +++ b/meta/lib/oeqa/selftest/cases/glibc.py @@ -41,7 +41,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): with contextlib.ExitStack() as s: # use the base work dir, as the nfs mount, since the recipe directory may not exist tmpdir = get_bb_var("BASE_WORKDIR") - nfsport, mountport = s.enter_context(unfs_server(tmpdir)) + nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False)) # build core-image-minimal with required packages default_installed_packages = [ 
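Review bot: `udp = False` here must agree with the mount options built later in the same file, which no longer pass `udp`, but nothing ties the two together. Add a comment at this call ("transport must match mountcmd below") or carry the choice in one variable used by both the server and the mount command, so a future edit cannot flip one side back to UDP and get an opaque mount failure on the target.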
@@ -70,7 +70,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): # setup nfs mount if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0: raise Exception("Failed to setup NFS mount directory on target") - mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) + mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) status, output = qemu.run(mountcmd) if status != 0: raise Exception("Failed to setup NFS mount on target ({})".format(repr(output))) From patchwork Tue Sep 12 13:53:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30335 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 213C3CA0EEB for ; Tue, 12 Sep 2023 13:54:09 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.25460.1694526842807931539 for ; Tue, 12 Sep 2023 06:54:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=R0DkP+gK; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-1c1f7f7151fso40596295ad.1 for ; Tue, 12 Sep 2023 06:54:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526842; x=1695131642; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; 
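Review bot: removing `udp` from the mount options leaves the transport implicit; the Linux NFS client defaults to TCP for NFSv3, but an explicit `proto=tcp` in `mountcmd` documents the intent and visibly matches the `udp = False` passed to the server. The command also still embeds `tmpdir` inside plain double quotes in a shell string, so a path containing `"` or `$` would break the mount; that predates this change but is worth a `shlex.quote` when this line is next touched.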
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output Date: Tue, 12 Sep 2023 03:53:22 -1000 Message-Id: <605d832e86f249100adaf3761b4e1701401d0b76.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:54:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187528 From: Richard Purdie We have a suspicion that the read() call may return EAGAIN on the non-blocking fd and this may truncate test output leading to some of our intermittent failures. Tweak the code to avoid this potential issue. Signed-off-by: Richard Purdie (cherry picked from commit a8920c105725431e989cceb616bd04eaa52127ec) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/core/target/ssh.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/lib/oeqa/core/target/ssh.py b/meta/lib/oeqa/core/target/ssh.py index af4a67f266..832b6216f6 100644 --- a/meta/lib/oeqa/core/target/ssh.py +++ b/meta/lib/oeqa/core/target/ssh.py 
@@ -226,6 +226,9 @@ def SSHCall(command, logger, timeout=None, **opts): endtime = time.time() + timeout except InterruptedError: continue + except BlockingIOError: + logger.debug('BlockingIOError') + continue # process hasn't returned yet if not eof: From patchwork Tue Sep 12 13:53:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 30336 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F0FFCA0EEC for ; Tue, 12 Sep 2023 13:54:09 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.25462.1694526844617210856 for ; Tue, 12 Sep 2023 06:54:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=jZKs04tJ; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1c06f6f98c0so47436255ad.3 for ; Tue, 12 Sep 2023 06:54:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1694526844; x=1695131644; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=dwnxQoR0s8b/+SCK+RZriKQK6RNOOR7pxsb9p7RepYA=; b=jZKs04tJZI4iWEwUYIxpsbrB1nEvFaNmg5xG2fP/EYv31nsxZEhmQgAqLTjcd0SUg+ M4SiA7iltnUWlzAbEm1Qb96vJI3NL5M+/7ebELikudt0sEKXMzeYjhrBjF0RlU34xptG dXky8EIKGjdcKOdp31YLyW/yXmtu9zqwGqPIC/GuMUmlc8RhWi+TS8dGld3KXqHIDFZU LfRw4eR7Hfvda8fSiY6kTVLPorqV/lnGMqLD5xLCMwtPeLHq3nh9PgyfKvlO0EuDFdgX ZWEbuIgx3QkwbOANAQyZB9M83iXbIxeP5qSWOPih3rKV7m/KATjIoeTMPz/sYdFPlkoc 
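Review bot: the new `except BlockingIOError:` branch does `continue` without waiting, so if the read can be reached without a preceding select/poll on the non-blocking fd this turns EAGAIN into a hot loop until the remote writes again; confirm the loop blocks on the fd before each read, or wait briefly (e.g. `select.select([fd], [], [], 0.1)`) before `continue`. The `logger.debug('BlockingIOError')` message would also be more useful with context such as the command whose output was being read. Not touching `endtime` on this path is correct: no data arrived, so the deadline should not move.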
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout Date: Tue, 12 Sep 2023 03:53:23 -1000 Message-Id: <76b065b3e802fc7dfa9a370e273b8a4187072623.1694526588.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 12 Sep 2023 13:54:09 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187529
From: Richard Purdie On our slower arm server, the tests currently timeout leading to inconsistent test results. Increase the timeout to avoid this and aim to make the test results consistent. Signed-off-by: Richard Purdie (cherry picked from commit 9a8b49208f3c99e184eab426360b137bc773aa31) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/runtime/cases/ltp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/runtime/cases/ltp.py b/meta/lib/oeqa/runtime/cases/ltp.py index a66d5d13d7..879f2a673c 100644 --- a/meta/lib/oeqa/runtime/cases/ltp.py +++ b/meta/lib/oeqa/runtime/cases/ltp.py @@ -67,7 +67,7 @@ class LtpTest(LtpTestBase): def runltp(self, ltp_group): cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group) starttime = time.time() - (status, output) = self.target.run(cmd) + (status, output) = self.target.run(cmd, timeout=1200) endtime = time.time() with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f:
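Review bot: `timeout=1200` is a hard-coded literal with no comment; the commit message says it exists for a slow arm server, so record that next to the value, ideally as a named class attribute on LtpTest (e.g. `ltp_group_timeout = 1200`) that a slow runner can override without editing `runltp`. Since `starttime` and `endtime` already bracket the call, logging the elapsed time alongside the timeout would show how much margin remains the next time the value needs tuning.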