This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed, PKG_SOURCE_URL was updated to match
openwrt-18.06, and Eneas U de Queiroz added as maintainer.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Patch getting RAM info got upstreamed. A debugging fs entry for testing
reset feature was added.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 681acdcc54)
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.
While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e1f588e446)
This update fixes usign signature verification on files with certain
file sizes triggering a bug in the shipped SHA-512 implementation.
5a52b37 sha512: fix bad hardcoded constant in sha512_final()
3e6648b README: replace unicode character
716c3f2 README: add reference to OpenBSD signify
86d3668 README: provide reference for ed25519 algorithm
939ec35 usign: main.c: describe necessary arguments for -G
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 991dd5a893)
This fixes:
1) Crash during USB disconnect
2) Crash in brcmf_txfinalize() on rmmod with packets queued
3) Some errors in exit path
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8231f67218)
Those changes are needed for backporting more recent crash fixes. There
are quite many BCDC patches but it's hopefully a very well tested code
by now.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
The following command was run on the configuration:
./scripts/kconfig.pl target/linux/generic/config-4.4 > target/linux/generic/config-4.4-new
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In kernel v4.4.179 the structure of the scripts/mod/file2alias.c file
changed, this adapts the patch to the changes done in the stable
kernel.
This fixes the following compile problem:
HOSTCC scripts/mod/file2alias.o
scripts/mod/file2alias.c:1199:17: error: expected declaration specifiers or '...' before string constant
ADD_TO_DEVTABLE("fslmc", fsl_mc_device_id, do_fsl_mc_entry);
^
scripts/mod/file2alias.c:1199:26: error: unknown type name 'fsl_mc_device_id'
ADD_TO_DEVTABLE("fslmc", fsl_mc_device_id, do_fsl_mc_entry);
^
scripts/mod/file2alias.c:1199:44: error: expected declaration specifiers or '...' before 'do_fsl_mc_entry'
ADD_TO_DEVTABLE("fslmc", fsl_mc_device_id, do_fsl_mc_entry);
^
scripts/mod/file2alias.c:1190:12: warning: 'do_fsl_mc_entry' defined but not used [-Wunused-function]
static int do_fsl_mc_entry(const char *filename, void *symval,
^
SHIPPED scripts/dtc/dtc-parser.tab.h
Fixes: 6c5c3a2edc ("kernel: Update to version 4.4.182")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This reverts a commit added in kernel v4.4.179 which breaks compilation
on the apm821xx target.
This fixes the following compile problem:
drivers/crypto/amcc/crypto4xx_core.c: In function 'crypto4xx_ablkcipher_done':
drivers/crypto/amcc/crypto4xx_core.c:650:21: warning: dereferencing 'void *' pointer
if (pd_uinfo->sa_va->sa_command_0.bf.save_iv == SA_SAVE_IV) {
^
drivers/crypto/amcc/crypto4xx_core.c:650:21: error: request for member 'sa_command_0' in something not a structure or union
drivers/crypto/amcc/crypto4xx_core.c:651:38: error: implicit declaration of function 'crypto_skcipher_reqtfm' [-Werror=implicit-function-declaration]
struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
^
drivers/crypto/amcc/crypto4xx_core.c:651:61: error: 'req' undeclared (first use in this function)
struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
^
drivers/crypto/amcc/crypto4xx_core.c:651:61: note: each undeclared identifier is reported only once for each function it appears in
drivers/crypto/amcc/crypto4xx_core.c:653:3: error: implicit declaration of function 'crypto4xx_memcpy_from_le32' [-Werror=implicit-function-declaration]
crypto4xx_memcpy_from_le32((u32 *)req->iv,
^
drivers/crypto/amcc/crypto4xx_core.c:654:19: warning: dereferencing 'void *' pointer
pd_uinfo->sr_va->save_iv,
^
drivers/crypto/amcc/crypto4xx_core.c:654:19: error: request for member 'save_iv' in something not a structure or union
drivers/crypto/amcc/crypto4xx_core.c:655:4: error: implicit declaration of function 'crypto_skcipher_ivsize' [-Werror=implicit-function-declaration]
crypto_skcipher_ivsize(skcipher));
^
cc1: some warnings being treated as errors
Fixes: 6c5c3a2edc ("kernel: Update to version 4.4.182")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In kernel 4.4.182 get_user_pages() does not get the write and force
parameter any more, but one flags parameter with WRITE and FORCE
attributes. This adapts the patches to use the changed API and fixes
the compile problems with the brcm2708 target.
This fixes the following compile problem:
drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c: In function 'dump_phys_mem':
drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c:1501:3: warning: passing argument 7 of 'get_user_pages' from incompatible pointer type [-Wincompatible-pointer-types]
pages, /* pages (array of page pointers) */
^
In file included from drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c:42:0:
include/linux/mm.h:1200:6: note: expected 'struct vm_area_struct **' but argument is of type 'struct page **'
long get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
^
drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c:1495:7: error: too many arguments to function 'get_user_pages'
rc = get_user_pages(current, /* task */
^
In file included from drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.c:42:0:
include/linux/mm.h:1200:6: note: declared here
long get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
^
scripts/Makefile.build:277: recipe for target 'drivers/misc/vc04_services/interface/vchiq_arm/vchiq_arm.o' failed
Fixes: 6c5c3a2edc ("kernel: Update to version 4.4.182")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
RTC (the legacy driver) should not really be used, but seems to crop up
after the kernel update. Fix this by disabling it in the generic config.
Fixes the following build issue seen in arm64 or powerpc64:
ARM JTAG DCC console (HVC_DCC) [N/y/?] n
Virtio console (VIRTIO_CONSOLE) [N/m/y/?] n
Enhanced Real Time Clock Support (legacy PC RTC driver) (RTC) [N/m/y/?] (NEW) aborted!
Console input/output is redirected. Run 'make oldconfig' to update configuration.
scripts/kconfig/Makefile:37: recipe for target 'silentoldconfig' failed
This should fix the build on the arm64/generic and the layerscape/64b
targets.
Fixes: 6c5c3a2edc ("kernel: Update to version 4.4.182")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes multiple bugs and this security problem:
* CVE-2018-19608 Local timing attack on RSA decryption
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
1) Crash/Oops fixes
2) One-line patch for BCM43456 support
3) Fix communication with some specific FullMAC firmwares
4) Potential fix for "Invalid packet id" errors
5) Important helper for reporting FullMAC firmware crashes
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 2cd234d96b)
This avoids CVE-2019-9498 and CVE-2019-9499 in hostapd
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[DMARC removal, refreshed patches]
This fixes the following security problems:
1.0.2r:
* CVE-2019-1559: 0-byte record padding oracle
Signed-off-by: Daniel Bailey <dbailey@datto.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[fixed patch, refreshed patches]
- Tested on Turris MOX, OpenWrt master
- Removed PKG_BUILD_DIR
In build_dir there were two folders
ca-certificates and ca-certificates-20190110 and it failed as files
were in ca-certificates-20190110
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: f22c33b40c)
remove myself as PKG_MAINTAINER
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: c89195eb25)
OpenSSL defaults X509_CERT_FILE to /etc/ssl/cert.pem. This change is
needed for wget-ssl and possibly others to work seamlessly with fresh
ca-bundle installation
Fixesopenwrt/packages#6152
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: 191078e83d)
ca-certificates: Update to Version 20180409
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry-picked from commit: 80cb5c5703)
Renaming a netdev-trigger-tracked interface was resulting in an
unbalanced dev_hold().
Example:
> iw phy phy0 interface add foo type __ap
> echo netdev > trigger
> echo foo > device_name
> ip link set foo name bar
> iw dev bar del
[ 237.355366] unregister_netdevice: waiting for bar to become free. Usage count = 1
[ 247.435362] unregister_netdevice: waiting for bar to become free. Usage count = 1
[ 257.545366] unregister_netdevice: waiting for bar to become free. Usage count = 1
Above problem was caused by trigger checking a dev->name which obviously
changes after renaming an interface. It meant missing all further events
including the NETDEV_UNREGISTER which is required for calling dev_put().
This change fixes that by:
1) Comparing device struct *address* for notification-filtering purposes
2) Dropping unneeded NETDEV_CHANGENAME code (no behavior change)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit eea538204b)
This backports the most important brcmfmac commits that:
1) Fix some bugs
2) Help debugging bugs
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d32bbd7477)
This fixes the following security problems:
* CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication
* CVE-2018-0734: Timing vulnerability in DSA signature generation
* Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module
Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
(backport of commit 989060478a)
As LEDE is rebranding to OpenWrt now, adjust the Git source references
accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit da95c9aa17)
check_signature is a bool option and doesn't take any arguments. The
presence of the 1 falsely suggests setting it to 0 disables the check,
while the option actually needs to be removed or commented out to be
disabled. So remove the argument to make it more clear.
Fixes: beca028bd6 ("build: add integration for managing opkg package feed keys")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
(backported from commit d3bf5ff9bc)
This file is needed to properly use the tc ematch modules present in
kmod-sched-core and kmod-sched. It is a read-only index file of ematch
methods used only by tc.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[cherry picked from commit 10a2ccb7fc]
Commit 7f694582 introduced a bug where default_postinst() often fails to
remove a uci-defaults script after application, leaving it to run again
after a reboot.
(Note: commit 7f694582 also introduced FS#1021, now fixed by 73c745f6)
The subtle problem arises from the shell logical chain:
[ -f "$i" ] && . "$i" && rm -f "$i"
Most uci-defaults scripts contain a terminal 'exit 0' statement which,
when sourced, results in the logic chain exiting before executing 'rm -f'.
This was observed while testing upgrades of 'luci-app-sqm'.
The solution is to wrap the shell sourcing in a subshell relative to the
command 'rm -f':
( [ -f "$i" ] && . "$i" ) && rm -f "$i"
Revert to using 'grep' to prefilter the list of entries from the control
file, which yields the full path of uci-defaults scripts. This allows
keeping the existence check, directory change and script sourcing inside
the subshell, with the script removal correctly outside.
This approach avoids adding a second subshell only around the "." (source)
command. The change also preserves the fix FS#1021, since the full path is
used to source the script, which is POSIX-portable irrespective of PATH
variable or reference to the CWD.
Run Tested on: LEDE 17.01.4 running ar71xx, while tracing installation of
package luci-app-sqm with its associated /etc/uci-defaults/luci-sqm file.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(backported from 4097ab6a97)
upstream commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
reimplemented cns3xxx_pci_read_config() using pci_generic_config_read32(),
which preserved the property of only doing 32-bit reads.
It also replaced cns3xxx_pci_write_config() with pci_generic_config_write(),
so it changed writes from always being 32 bits to being the actual size,
which works just fine.
Due to:
- The documentation does not mention that only 32 bit access is allowed.
- Writes are already executed using the actual size
- Extensive testing shows that 8b, 16b and 32b reads work as intended
It makes perfectly sense to also swap 32 bit reading in favor of actual size.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
1) Using fwctx variable after brcmf_fw_request_done() was executed meant
accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
could reuslt in NULL pointer dereference on fw loading error or if
brcmf_fw_request_done() was executed quickly enough.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 529c95cc15)
In the past, the MX60(W)'s recovery images always had problems
with the size restriction and never really worked without manual
intervention. This patch reworks the initramfs, which allows the
device to ease up on the impossible tight kernel size requirements
for the initramfs image.
This new initramfs can be loaded through the MX60(W) U-boot
in the following way:
=> setenv bootargs console=ttyS0,$baudrate
=> tftpboot $meraki_loadaddr meraki_mx60-initramfs-kernel.bin
[...]
Load address: 0x800000
Loading: ################################################ [...]
done
[...]
=> bootm $fileaddr
\## Booting kernel from Legacy Image at 00800000 ...
...
For more information and the latest flashing guide:
please visit the OpenWrt Wiki Page for the MX60(W):
<https://openwrt.org/toh/meraki/mx60#flashing>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 36c19c9f0b)
This remedies an issue with the MBL Duo if both disks are inserted
and contain OpenWrt. kernel and dtb would be loaded from SATA 1:1
while rootfs (/dev/sda2) would be mounted on SATA 0:1.
Such a mix&match would obviously only work if both OpenWrt versions/
builds are identical, and especially fail after sysupgrade upgraded
the system disk on SATA 0:1.
The fallback to SATA 1:1 needs to be kept for MBL Single (only has
SATA 1:1) and MBL Duo with one disk inserted on SATA 1:1. To speed
up booting in those cases, the unneccesarily doubled "sata init"
will only be called once. (In theory it could be omitted completely
since the on-flash boot script already initializes SATA to load the
on-disk boot script.)
Tested on MBL Duo (all possible combination of disks) and MBL Single
Signed-off-by: Freddy Leitner <hello@square.wf>
Originally, cns3xxx used it's own functions for mapping, reading and writing registers.
Upstream commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
removed the internal PCI config write function in favor of the generic one:
cns3xxx_pci_write_config() --> pci_generic_config_write()
cns3xxx_pci_write_config() expected aligned addresses, being produced by cns3xxx_pci_map_bus()
while the generic one pci_generic_config_write() actually expects the real address
as both the function and hardware are capable of byte-aligned writes.
This currently leads to pci_generic_config_write() writing
to the wrong registers on some ocasions.
First issue seen due to this:
- driver ath9k gets loaded
- The driver wants to write value 0xA8 to register PCI_LATENCY_TIMER, located at 0x0D
- cns3xxx_pci_map_bus() aligns the address to 0x0C
- pci_generic_config_write() effectively writes 0xA8 into register 0x0C (CACHE_LINE_SIZE)
This seems to cause some slight instability when certain PCI devices are used.
Another issue example caused by this this is the PCI bus numbering,
where the primary bus is higher than the secondary, which is impossible.
Before:
00:00.0 PCI bridge: Cavium, Inc. Device 3400 (rev 01) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0, IRQ 255
Bus: primary=02, secondary=01, subordinate=ff, sec-latency=0
After fix:
00:00.0 PCI bridge: Cavium, Inc. Device 3400 (rev 01) (prog-if 00 [Normal decode])
Flags: bus master, fast devsel, latency 0, IRQ 255
Bus: primary=00, secondary=01, subordinate=02, sec-latency=0
And very likely some more ..
Fix all by omitting the alignment being done in the mapping function.
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Rafał Miłecki