From: Quirin Gylstorff <quirin.gylstorff@...>

Also 'TRUE' is not a valid value.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-core/swupdate/swupdate.inc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-core/swupdate/swupdate.inc b/recipes-core/swupdate/swupdate.inc
index 191aa2b..7812ae7 100644
--- a/recipes-core/swupdate/swupdate.inc
+++ b/recipes-core/swupdate/swupdate.inc
@@ -26,12 +26,12 @@ def get_bootloader_build_profile(d):
SWUPDATE_BUILD_PROFILES += "${@get_bootloader_build_profile(d)}"

def get_bootloader_dependencies(d):
- bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or ""
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER") or ""
if bootloader == "efibootguard":
return "efibootguard-dev"
if bootloader == "u-boot":
- if d.getVar("U_BOOT_CONFIG_PACKAGE", True) == "1":
- return "libubootenv u-boot-{}-config".format(d.getVar("MACHINE", TRUE))
+ if d.getVar("U_BOOT_CONFIG_PACKAGE") == "1":
+ return "libubootenv u-boot-{}-config".format(d.getVar("MACHINE"))
else:
return "libubootenv"
return ""
@@ -48,7 +48,7 @@ dpkg_runbuild_prepend() {
}

python do_check_bootloader () {
- bootloader = d.getVar("SWUPDATE_BOOTLOADER", True) or "None"
+ bootloader = d.getVar("SWUPDATE_BOOTLOADER") or "None"
if not bootloader in ["efibootguard", "u-boot"]:
bb.warn("swupdate: SWUPDATE_BOOTLOADER set to incompatible value: " + bootloader)
}
--
2.30.2

Hi !

On Thu, Nov 11, 2021 at 6:21 PM Pavel Machek <pavel@...> wrote:

Hi!

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect
4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

Furthermore, CIP members should really not be using code from staging.

* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.19 and 5.X kernels have been fixed in this week. However, appliying
patch to 4.4 and 4.9 are failed.
According to the cip-kernel-config repo, no CIP member uses firewire driver.

This one looks rather easy to backport. It failed only because
reformatting of the printk.

Thank you for the patch! The patch looks good to me.

CVE-2021-3640: UAF in sco_send_frame function

Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

Would it make sense to ask why it was not applied?

Yes, I think so.

Best regards,
Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);

- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;

return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...

Hi!

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect
4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

Furthermore, CIP members should really not be using code from staging.

* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.19 and 5.X kernels have been fixed in this week. However, appliying
patch to 4.4 and 4.9 are failed.
According to the cip-kernel-config repo, no CIP member uses firewire driver.

This one looks rather easy to backport. It failed only because
reformatting of the printk.

CVE-2021-3640: UAF in sco_send_frame function

Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

Would it make sense to ask why it was not applied?

Best regards,
Pavel

diff --git a/drivers/media/firewire/firedtv-avc.c b/drivers/media/firewire/firedtv-avc.c
index 280b5ffea592..3a373711f5ad 100644
--- a/drivers/media/firewire/firedtv-avc.c
+++ b/drivers/media/firewire/firedtv-avc.c
@@ -1169,7 +1169,11 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
read_pos += program_info_length;
write_pos += program_info_length;
}
- while (read_pos < length) {
+ while (read_pos + 4 < length) {
+ if (write_pos + 4 >= sizeof(c->operand) - 4) {
+ ret = -EINVAL;
+ goto out;
+ }
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
c->operand[write_pos++] = msg[read_pos++];
@@ -1181,13 +1185,17 @@ int avc_ca_pmt(struct firedtv *fdtv, char *msg, int length)
c->operand[write_pos++] = es_info_length >> 8;
c->operand[write_pos++] = es_info_length & 0xff;
if (es_info_length > 0) {
+ if (read_pos >= length) {
+ ret = -EINVAL;
+ goto out;
+ }
pmt_cmd_id = msg[read_pos++];
if (pmt_cmd_id != 1 && pmt_cmd_id != 4)
dev_err(fdtv->device, "invalid pmt_cmd_id %d "
"at stream level\n", pmt_cmd_id);

- if (es_info_length > sizeof(c->operand) - 4 -
- write_pos) {
+ if (es_info_length > sizeof(c->operand) - 4 - write_pos ||
+ es_info_length > length - read_pos) {
ret = -EINVAL;
goto out;
}
diff --git a/drivers/media/firewire/firedtv-ci.c b/drivers/media/firewire/firedtv-ci.c
index e63f582378bf..f07482fb8010 100644
--- a/drivers/media/firewire/firedtv-ci.c
+++ b/drivers/media/firewire/firedtv-ci.c
@@ -138,6 +138,8 @@ static int fdtv_ca_pmt(struct firedtv *fdtv, void *arg)
} else {
data_length = msg->msg[3];
}
+ if (data_length > sizeof(msg->msg) - data_pos)
+ return -EINVAL;

return avc_ca_pmt(fdtv, &msg->msg[data_pos], data_length);
}

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

On 11/11/2021 7:29 AM Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@...> wrote:
I considered using the gitlab wiki to switch the current patch review
management to another.

The gitlab wiki can be used as a regular git repository and can be
viewed from his browser by writing its contents in markdown.

e.g. git clone git@...:cip-project/cip-kernel/linux-cip.wiki.git

It can be created using the API on the project wiki[0]. Since
namespaces are available, we can also create hierarchies such as
5.10.y/v5.10.77 [1].
The wiki page is first filled with the commit ID, then the CIP kernel
developer writes the name after the commit they plan to review.

The commit content of [1] is an example, so please let me know if you
have any opinions about the format and others.

It would be helpful if each line would also contain the commit title.
Other than that it looks good to me.

CU
Uli

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

Please note that we moved from Freenode to libera.chat. Our channel is
the following:

irc:irc.libera.chat:6667/cip

Furthermore note that the IRC meeting is now scheduled to UTC (GMT) 13:00:

https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=11&day=11&hour=13&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
06:00 09:00 13:00 14:00 21:00 22:00

Last meeting minutes:

https://irclogs.baserock.org/meetings/cip/2021/11/cip.2021-11-04-13.03.log.html

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu & alicef
2. Look into S3 artifact upload issues - patersonc
3. Propose review coordination workflow via wiki - iwamatsu
4. Update AOSP tracking - iwamatsu
* Kernel maintenance updates
* Kernel testing
* AOB

Jan

Hi,

I considered using the gitlab wiki to switch the current patch review
management to another.

The gitlab wiki can be used as a regular git repository and can be
viewed from his browser by writing its contents in markdown.

e.g. git clone git@...:cip-project/cip-kernel/linux-cip.wiki.git

It can be created using the API on the project wiki[0]. Since
namespaces are available, we can also create hierarchies such as
5.10.y/v5.10.77 [1].
The wiki page is first filled with the commit ID, then the CIP kernel
developer writes the name after the commit they plan to review.

The commit content of [1] is an example, so please let me know if you
have any opinions about the format and others.

Best regards,
Nobuhiro

[0]: https://gitlab.com/-/snippets/2200569
[1]: https://gitlab.com/cip-project/cip-kernel/linux-cip/-/wikis/5.10.y/v5.10.77

Hi !

It's this week's CVE report.

This week reported 4 new CVEs.

* New CVEs

CVE-2021-0920: af_unix: fix garbage collect vs MSG_PEEK

CVSS v3 score is not provided.

Mainline and stable kernels are already fixed.

Fixed status

mainline: [cbcf01128d0a92e131bd09f1688fe032480b65ca]
stable/4.14: [af3e2b87b36100c28feb71da52c57293c4540690]
stable/4.19: [1dabafa9f61118b1377fde424d9a94bf8dbf2813]
stable/4.4: [72247f34d90e25c1493436e45e193e8306082b19]
stable/4.9: [a805a7bd94644207d762d9c287078fecfcf52b3e]
stable/5.10: [93c5951e0ce137e994237c19cd75a7caa1f80543]
stable/5.4: [85abe0d47fe65391ed41f78a66b5eff73987c086]

CVE-2021-0929: staging: ion: move buffer kmap from begin/end_cpu_access()

CVSS v3 score is not provided.

ION is a memory manager which is used by Android. This CVE may affect
4.4, 4.19, and 5.10 however according to the cip-kernel-config, no cip
member enabled ION. The ION driver has been removed since 5.11.

Fixed status

mainline: [3e9e0c5c764704218c0960ffdb139de075afaadf]

CVE-2021-3736: uninitialized kernel stack may lead to information disclosure

According to the Red Hat
bugzilla(https://bugzilla.redhat.com/show_bug.cgi?id=1995570), there
is a memory leak problem in samples/vfio-mdev/mbochs.c. This
vulnerability is in a sample code. Also no cip member enabled
CONFIG_SAMPLE_VFIO_MDEV_MBOCHS. Bugzilla comment #6 pointed commit
de5494af4815a4c9328536c72741229b7de88e7f ("vfio/mbochs: Fix missing
error unwind of mbochs_used_mbytes
") as a fix commit but not confirmed yet. If commit de5494af4815a is
the fix, this vulnerability was introduced since 5.14-rc1.

Fixed status

Not fixed.

CVE-2021-43389: isdn: cpai: check ctr->cnr to avoid array index out of bound

CVSS v3 score is "5.5 MEDIUM".

The array index out of bound bug in the drivers/isdn/capi/kcapi.c.
This bug has been fixed in mainline and stable kernels. No cip member
use CAPI.

Fixed status

mainline: [1f3e2e97c003f80c4b087092b225c8787ff91e4d]
stable/4.14: [9b6b2db77bc3121fe435f1d4b56e34de443bec75]
stable/4.19: [7d91adc0ccb060ce564103315189466eb822cc6a]
stable/4.4: [e8b8de17e164c9f1b7777f1c6f99d05539000036]
stable/4.9: [24219a977bfe3d658687e45615c70998acdbac5a]
stable/5.10: [7f221ccbee4ec662e2292d490a43ce6c314c4594]
stable/5.14: [cc20226e218a2375d50dd9ac14fb4121b43375ff]
stable/5.4: [285e9210b1fab96a11c0be3ed5cea9dd48b6ac54]


* Updated CVEs

CVE-2021-42739: media: firewire: firedtv-avc: fix a buffer overflow in
avc_ca_pmt()

4.19 and 5.X kernels have been fixed in this week. However, appliying
patch to 4.4 and 4.9 are failed.
According to the cip-kernel-config repo, no CIP member uses firewire driver.

Fixed status

mainline: [35d2969ea3c7d32aee78066b1f3cf61a0d935a4e]
stable/4.19: [53ec9dab4eb0a8140fc85760fb50effb526fe219]
stable/5.10: [d7fc85f6104259541ec136199d3bf7c8a736613d]
stable/5.14: [02a476ca886dc8155025fe99cbbad4121d029fa7]
stable/5.15: [cb667140875a3b1db92e4c50b4617a7cbf84659b]
stable/5.4: [2461f38384d50dd966e1db44fe165b1896f5df5a]

CVE-2021-3892: memory leak in fib6_rule_suppress could result in DoS

According to the SUSE bugzilla
(https://bugzilla.suse.com/show_bug.cgi?id=1192261#c1), this CVE is
duplicate of CVE-2019-18198.
If so, this CVE is already fixed.

CVE-2021-3640: UAF in sco_send_frame function

Fixed commit is 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ("Bluetooth:
sco: Fix lock_sock() blockage by memcpy_from_msg()"). Backport patches
for 4.19, 5.4, 5.10, 5.14, and 5.15 have been sent to stable mailing
list on Nov 9. This fix can be applied to 4.4 by git-am without error.

mainline: [99c23da0eed4fd20cae8243f2b51e10e66aa0951]

Currently tracking CVEs

CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in
Bluetooth Core Specifications 4.0 through 5.2

There is no fix information.

CVE-2020-26555: BR/EDR pin code pairing broken

No fix information

CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh
Provisioning Leads to MITM

No fix information.

CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning

No fix information.

CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning

No fix information.


Regards,

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...

Hi Jan

Sorry for delayed response.
Please find my inline comments.

On 11/8/21 4:14 PM, Jan Kiszka wrote:

On 08.11.21 10:32, Vijai Kumar K wrote:

Same as 0008-debian-rules-Add-Embedded-Lua-handler-option.patch.

Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@...>
---
...ules-Add-Embedded-Lua-handler-option.patch | 30 -------------------
1 file changed, 30 deletions(-)
delete mode 100644 recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch

diff --git a/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch
deleted file mode 100644
index 84665cd..0000000
--- a/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0200687ad67d6e5a0e9bbdf2e8c86e3f8e717c5e Mon Sep 17 00:00:00 2001
-From: Quirin Gylstorff <quirin.gylstorff@...>
-Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 5/6] debian/rules: Add Embedded Lua handler option
-
-Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
----
- debian/rules | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/debian/rules b/debian/rules
-index 69fd790..9ace348 100755
---- a/debian/rules
-+++ b/debian/rules
-@@ -52,7 +52,12 @@ ifneq (,$(LUA_VERSION))
- echo CONFIG_LUAPKG=\"lua$(LUA_VERSION)\" >> configs/debian_defconfig
- echo CONFIG_LUASCRIPTHANDLER=y >> configs/debian_defconfig
- echo CONFIG_HANDLER_IN_LUA=y >> configs/debian_defconfig
-+ifneq (,$(filter pkg.swupdate.embeddedlua,$(DEB_BUILD_PROFILES)))
-+ echo CONFIG_EMBEDDED_LUA_HANDLER=y >> configs/debian_defconfig
-+ echo CONFIG_EMBEDDED_LUA_HANDLER_SOURCE=\"/usr/share/lua/$(LUA_VERSION)/swupdate_handlers.lua\" >> configs/debian_defconfig
- endif
-+endif
-+
- echo CONFIG_EXTRA_CFLAGS=\"$(CFLAGS) $(CPPFLAGS)\" >> configs/debian_defconfig
- echo CONFIG_EXTRA_LDFLAGS=\"$(LDFLAGS)\" >> configs/debian_defconfig
- echo CONFIG_EXTRA_LDLIBS=\"$(LDLIBS)\" >> configs/debian_defconfig
---
-2.30.2
-

Was this ever used, Quirin?

It was from a early iteration of the patchset. It was no longer in use in the recipe.

Applied, thanks.
Jan

Quirin

On 08.11.21 11:49, Srinuvasan A wrote:

From: Srinuvasan A <srinuvasan_a@...>

Update the exact image format name in kconfig menu.

Signed-off-by: Srinuvasan A <srinuvasan_a@...>
---
Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Kconfig b/Kconfig
index 13c3315..8421f1b 100644
--- a/Kconfig
+++ b/Kconfig
@@ -110,8 +110,8 @@ endchoice

config KAS_INCLUDE_IMAGE_FORMAT
string
- default "kas/opt/targz.yml" if IMAGE_ARTIFACTS && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
- default "kas/opt/wic-targz.yml" if IMAGE_ARTIFACTS && !(TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ default "kas/opt/targz-img.yml" if IMAGE_ARTIFACTS && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ default "kas/opt/wic-targz-img.yml" if IMAGE_ARTIFACTS && !(TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)

config IMAGE_SECURITY
bool "Security extensions"

Thanks, applied.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

On 08.11.21 10:32, Vijai Kumar K wrote:

Same as 0008-debian-rules-Add-Embedded-Lua-handler-option.patch.

Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@...>
---
...ules-Add-Embedded-Lua-handler-option.patch | 30 -------------------
1 file changed, 30 deletions(-)
delete mode 100644 recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch

diff --git a/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch
deleted file mode 100644
index 84665cd..0000000
--- a/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0200687ad67d6e5a0e9bbdf2e8c86e3f8e717c5e Mon Sep 17 00:00:00 2001
-From: Quirin Gylstorff <quirin.gylstorff@...>
-Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 5/6] debian/rules: Add Embedded Lua handler option
-
-Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
----
- debian/rules | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/debian/rules b/debian/rules
-index 69fd790..9ace348 100755
---- a/debian/rules
-+++ b/debian/rules
-@@ -52,7 +52,12 @@ ifneq (,$(LUA_VERSION))
- echo CONFIG_LUAPKG=\"lua$(LUA_VERSION)\" >> configs/debian_defconfig
- echo CONFIG_LUASCRIPTHANDLER=y >> configs/debian_defconfig
- echo CONFIG_HANDLER_IN_LUA=y >> configs/debian_defconfig
-+ifneq (,$(filter pkg.swupdate.embeddedlua,$(DEB_BUILD_PROFILES)))
-+ echo CONFIG_EMBEDDED_LUA_HANDLER=y >> configs/debian_defconfig
-+ echo CONFIG_EMBEDDED_LUA_HANDLER_SOURCE=\"/usr/share/lua/$(LUA_VERSION)/swupdate_handlers.lua\" >> configs/debian_defconfig
- endif
-+endif
-+
- echo CONFIG_EXTRA_CFLAGS=\"$(CFLAGS) $(CPPFLAGS)\" >> configs/debian_defconfig
- echo CONFIG_EXTRA_LDFLAGS=\"$(LDFLAGS)\" >> configs/debian_defconfig
- echo CONFIG_EXTRA_LDLIBS=\"$(LDLIBS)\" >> configs/debian_defconfig
---
-2.30.2
-

Was this ever used, Quirin?

Applied, thanks.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

On 08.11.21 14:45, Q. Gylstorff wrote:

From: Quirin Gylstorff <quirin.gylstorff@...>

During cross compiling for arm the builds fails
with the following message:

```
strip -N main -o /home/builder/swupdate/git/core/built-in.o.tmp /home/builder/swupdate/git/core/built-in.o
strip: Unable to recognise the format of the input file `/home/builder/swupdate/git/core/built-in.o'
make[3]: *** [/home/builder/swupdate/git/test/Makefile:71: test/test_json.lnk] Error 1
m
```

Add cross and nocheck to SWUPDATE_BUILD_PROFILES to avoid
the build error.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes v2:
- Fix commit message

recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index e62230f..7a0fb9b 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -28,6 +28,8 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

+# add cross build and deactivate testing for arm based builds
+SWUPDATE_BUILD_PROFILES += "cross nocheck"
# If the luahandler shall be embedded into the swupdate binary
# include the following lines.
# DEPENDS += "swupdate-handlers"

Thanks, applied.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

From: Quirin Gylstorff <quirin.gylstorff@...>

During cross compiling for arm the builds fails
with the following message:

```
strip -N main -o /home/builder/swupdate/git/core/built-in.o.tmp /home/builder/swupdate/git/core/built-in.o
strip: Unable to recognise the format of the input file `/home/builder/swupdate/git/core/built-in.o'
make[3]: *** [/home/builder/swupdate/git/test/Makefile:71: test/test_json.lnk] Error 1
m
```

Add cross and nocheck to SWUPDATE_BUILD_PROFILES to avoid
the build error.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---

Changes v2:
- Fix commit message

recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index e62230f..7a0fb9b 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -28,6 +28,8 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

+# add cross build and deactivate testing for arm based builds
+SWUPDATE_BUILD_PROFILES += "cross nocheck"
# If the luahandler shall be embedded into the swupdate binary
# include the following lines.
# DEPENDS += "swupdate-handlers"
--
2.30.2

From: Quirin Gylstorff <quirin.gylstorff@...>

During cross compiling for arm the builds fails during test
build with the following message:

```
strip -N main -o /home/builder/swupdate/git/core/built-in.o.tmp /home/builder/swupdate/git/core/built-in.o
strip: Unable to recognise the format of the input file `/home/builder/swupdate/git/core/built-in.o'
make[3]: *** [/home/builder/swupdate/git/test/Makefile:71: test/test_json.lnk] Error 1
m
```

Add cross and nocheck to SWUPDATE_BUILD_PROFILES to avoid
the build error.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
---
recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
index e62230f..7a0fb9b 100644
--- a/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
+++ b/recipes-core/swupdate/swupdate_2021.04-1+debian-gbp.bb
@@ -28,6 +28,8 @@ SRC_URI += "file://0001-debian-Add-option-to-build-with-efibootguard.patch \
# deactivate signing and encryption for simple a/b rootfs update
SWUPDATE_BUILD_PROFILES += "pkg.swupdate.nosigning pkg.swupdate.noencryption"

+# add cross build and deactivate testing for arm based builds
+SWUPDATE_BUILD_PROFILES += "cross nocheck"
# If the luahandler shall be embedded into the swupdate binary
# include the following lines.
# DEPENDS += "swupdate-handlers"
--
2.30.2

From: Srinuvasan A <srinuvasan_a@...>

Update the exact image format name in kconfig menu.

Signed-off-by: Srinuvasan A <srinuvasan_a@...>
---
Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Kconfig b/Kconfig
index 13c3315..8421f1b 100644
--- a/Kconfig
+++ b/Kconfig
@@ -110,8 +110,8 @@ endchoice

config KAS_INCLUDE_IMAGE_FORMAT
string
- default "kas/opt/targz.yml" if IMAGE_ARTIFACTS && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
- default "kas/opt/wic-targz.yml" if IMAGE_ARTIFACTS && !(TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ default "kas/opt/targz-img.yml" if IMAGE_ARTIFACTS && (TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)
+ default "kas/opt/wic-targz-img.yml" if IMAGE_ARTIFACTS && !(TARGET_QEMU_AMD64 || TARGET_QEMU_ARM64 || TARGET_QEMU_ARM)

config IMAGE_SECURITY
bool "Security extensions"
--
2.25.1

Same as 0008-debian-rules-Add-Embedded-Lua-handler-option.patch.

Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@...>
---
...ules-Add-Embedded-Lua-handler-option.patch | 30 -------------------
1 file changed, 30 deletions(-)
delete mode 100644 recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch

diff --git a/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch b/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch
deleted file mode 100644
index 84665cd..0000000
--- a/recipes-core/swupdate/files/0005-debian-rules-Add-Embedded-Lua-handler-option.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0200687ad67d6e5a0e9bbdf2e8c86e3f8e717c5e Mon Sep 17 00:00:00 2001
-From: Quirin Gylstorff <quirin.gylstorff@...>
-Date: Wed, 29 Sep 2021 11:32:41 +0200
-Subject: [PATCH 5/6] debian/rules: Add Embedded Lua handler option
-
-Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...>
----
- debian/rules | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/debian/rules b/debian/rules
-index 69fd790..9ace348 100755
---- a/debian/rules
-+++ b/debian/rules
-@@ -52,7 +52,12 @@ ifneq (,$(LUA_VERSION))
- echo CONFIG_LUAPKG=\"lua$(LUA_VERSION)\" >> configs/debian_defconfig
- echo CONFIG_LUASCRIPTHANDLER=y >> configs/debian_defconfig
- echo CONFIG_HANDLER_IN_LUA=y >> configs/debian_defconfig
-+ifneq (,$(filter pkg.swupdate.embeddedlua,$(DEB_BUILD_PROFILES)))
-+ echo CONFIG_EMBEDDED_LUA_HANDLER=y >> configs/debian_defconfig
-+ echo CONFIG_EMBEDDED_LUA_HANDLER_SOURCE=\"/usr/share/lua/$(LUA_VERSION)/swupdate_handlers.lua\" >> configs/debian_defconfig
- endif
-+endif
-+
- echo CONFIG_EXTRA_CFLAGS=\"$(CFLAGS) $(CPPFLAGS)\" >> configs/debian_defconfig
- echo CONFIG_EXTRA_LDFLAGS=\"$(LDFLAGS)\" >> configs/debian_defconfig
- echo CONFIG_EXTRA_LDLIBS=\"$(LDLIBS)\" >> configs/debian_defconfig
---
-2.30.2
-
--
2.25.1

Hi!

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

Please note that we moved from Freenode to libera.chat. Our channel is
the following:

irc:irc.libera.chat:6667/cip

Furthermore note that the IRC meeting is now scheduled to UTC (GMT)
13:00:

https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=11&day=4&hour=13&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
06:00 09:00 13:00 14:00 21:00 22:00

(NOTE: Winter time shift in Europe!)

I'm sorry. Warning was clear, but I did not open the email... I was
reviewing patches for 5.10.77.

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Hi!

On Thu, Nov 4, 2021 at 6:57 PM Pavel Machek <pavel@...> wrote:

Hi!

CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
Vulnerability

This CVE is fixed in 5.14-rc1.

Fixed status

mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]

This seems to be fixed in stable/4.4, too, as
61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
good.

Thanks. I accidentally removed stable/4.4 from the above list.
CVE-2021-34981.yml contains stable/4.4 too.

CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type

This vulnerability was introduced since 5.1-rc1 so before 5.10 kernels
aren't affected by this issue.
The mainline and stable kernels have been fixed.

AFAICT the vulnerability was introduced by 1ef6f7c9390f in
5.9-rc3. But that does not change anything for us.

* Updated CVEs

CVE-2021-3772: Invalid chunks may be used to remotely remove existing
associations

This bug is in SCTP stack that attacker may be able to send packet
with spoofed IP address if attacker knows IP address and port number
being used.

AFAICT it is more of "if attacker can send packets with spoofed IP
addresses, he can...". Many of our configs use SCTP.

NVD hasn't given CVSS v3 Scores yet. However Red Hat and SUSE both
give it a score of 5.9. So it looks like it's not too serious issue.
Of course, it'd be nice to have patches.

https://access.redhat.com/security/cve/CVE-2021-3772
https://www.suse.com/security/cve/CVE-2021-3772.html

CVE-2021-42327: drm/amdgpu: fix out of bounds write

The parse_write_buffer_into_params() was introduced since 5.9 so
before 5.9 kernels aren't affected by this vulnerability.

This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
write"), however next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
out of bound writes from debugfs") said that amdgpu_dm_debugfs.c
contains same issues so it'd be nice to apply 3f4e54bd312d
("drm/amdgpu: Fix even more out of bound writes from debugfs") too.

This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
it is not too serious in the fist place.

I agree.

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

Update stable/5.4 and stable/4.19 fixed revisions.
It seems like stable/4.4 and stable/4.9 need backport following patches.
- 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
- a00df2caffed ("ipv6: make exception cache less predictible")
- 6457378fe796 ("ipv4: use siphash instead of Jenkins in
fnhe_hashfun()")

It would not be bad to understand the problem in the first place. Yes,
I guess different hashes have different qualities, but...

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

--
Masami Ichikawa
Cybertrust Japan Co., Ltd.

Email :masami.ichikawa@...
:masami.ichikawa@...

Hi!

CVE-2021-34981: Bluetooth CMTP Module Double Free Privilege Escalation
Vulnerability

This CVE is fixed in 5.14-rc1.

Fixed status

mainline: [3cfdf8fcaafa62a4123f92eb0f4a72650da3a479]
stable/4.19: [f8be26b9950710fe50fb45358df5bd01ad18efb7]
stable/4.9: [77c559407276ed4a8854dafc4a5efc8608e51906]
stable/5.10: [1b364f8ede200e79e25df0df588fcedc322518fb]
stable/5.4: [fe201316ac36c48fc3cb2891dfdc8ab68058734d]

This seems to be fixed in stable/4.4, too, as
61a811e8f5229264b822361f8b23d7638fd8c914. And cip-kernel-sec says so,
good.

CVE-2021-43267: tipc: fix size validations for the MSG_CRYPTO type

This vulnerability was introduced since 5.1-rc1 so before 5.10 kernels
aren't affected by this issue.
The mainline and stable kernels have been fixed.

AFAICT the vulnerability was introduced by 1ef6f7c9390f in
5.9-rc3. But that does not change anything for us.

* Updated CVEs

CVE-2021-3772: Invalid chunks may be used to remotely remove existing
associations

This bug is in SCTP stack that attacker may be able to send packet
with spoofed IP address if attacker knows IP address and port number
being used.

AFAICT it is more of "if attacker can send packets with spoofed IP
addresses, he can...". Many of our configs use SCTP.

CVE-2021-42327: drm/amdgpu: fix out of bounds write

The parse_write_buffer_into_params() was introduced since 5.9 so
before 5.9 kernels aren't affected by this vulnerability.

This CVE was fixed by 5afa7898ab7a ("drm/amdgpu: fix out of bounds
write"), however next commit 3f4e54bd312d ("drm/amdgpu: Fix even more
out of bound writes from debugfs") said that amdgpu_dm_debugfs.c
contains same issues so it'd be nice to apply 3f4e54bd312d
("drm/amdgpu: Fix even more out of bound writes from debugfs") too.

This looks quite easy to fix, OTOH CIP configs do not use amdgpu and
it is not too serious in the fist place.

CVE-2021-20322: new DNS Cache Poisoning Attack based on ICMP fragment
needed packets replies

Update stable/5.4 and stable/4.19 fixed revisions.
It seems like stable/4.4 and stable/4.9 need backport following patches.
- 4785305c05b2 ("ipv6: use siphash in rt6_exception_hash()")
- a00df2caffed ("ipv6: make exception cache less predictible")
- 6457378fe796 ("ipv4: use siphash instead of Jenkins in
fnhe_hashfun()")

It would not be bad to understand the problem in the first place. Yes,
I guess different hashes have different qualities, but...

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

Please note that we moved from Freenode to libera.chat. Our channel is
the following:

irc:irc.libera.chat:6667/cip

Furthermore note that the IRC meeting is now scheduled to UTC (GMT)
13:00:

https://www.timeanddate.com/worldclock/meetingdetails.html?year=2021&month=11&day=4&hour=13&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
06:00 09:00 13:00 14:00 21:00 22:00

(NOTE: Winter time shift in Europe!)

Last meeting minutes:

https://irclogs.baserock.org/meetings/cip/2021/10/cip.2021-10-28-13.01.log.html

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu & alicef
2. Look into S3 artifact upload issues - patersonc
3. Update 5.10-cip branch - iwamatsu & pavel
4. Propose review coordination workflow via wiki - iwamatsu
* Kernel maintenance updates
* Kernel testing
* AOB

Jan