This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  2e1bf458e2930cf1d69aa9fa3d6e7ebd25022f40 (commit)
      from  1ba481b3f4d9e31a8d02cdec447e7bff12631318 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2e1bf458e2930cf1d69aa9fa3d6e7ebd25022f40
Author: Arne Fitzenreiter
Date:   Thu Nov 12 09:02:02 2020 +0100

    kernel: update to 4.14.206
Signed-off-by: Arne Fitzenreiter ----------------------------------------------------------------------- Summary of changes: config/kernel/kernel.config.aarch64-ipfire | 4 +- config/kernel/kernel.config.armv5tel-ipfire-multi | 2 +- config/kernel/kernel.config.i586-ipfire | 3 +- config/kernel/kernel.config.x86_64-ipfire | 3 +- config/rootfiles/common/aarch64/linux | 3 + .../124 => core/153}/filelists/aarch64/linux | 0 .../153}/filelists/aarch64/linux-initrd | 0 .../153}/filelists/armv5tel/linux-initrd-multi | 0 .../153}/filelists/armv5tel/linux-multi | 0 .../{oldcore/100 => core/153}/filelists/i586/linux | 0 .../100 => core/153}/filelists/i586/linux-initrd | 0 .../100 => core/153}/filelists/x86_64/linux | 0 .../100 => core/153}/filelists/x86_64/linux-initrd | 0 config/rootfiles/core/153/update.sh | 74 ++++++++++++++++++++++ lfs/linux | 11 ++-- ...86_net_packet_fix_overflow_in_tpacket_rcv.patch | 44 ------------- 16 files changed, 87 insertions(+), 57 deletions(-) copy config/rootfiles/{oldcore/124 => core/153}/filelists/aarch64/linux (100%) copy config/rootfiles/{oldcore/124 => core/153}/filelists/aarch64/linux-initrd (100%) copy config/rootfiles/{oldcore/121 => core/153}/filelists/armv5tel/linux-initrd-multi (100%) copy config/rootfiles/{oldcore/100 => core/153}/filelists/armv5tel/linux-multi (100%) copy config/rootfiles/{oldcore/100 => core/153}/filelists/i586/linux (100%) copy config/rootfiles/{oldcore/100 => core/153}/filelists/i586/linux-initrd (100%) copy config/rootfiles/{oldcore/100 => core/153}/filelists/x86_64/linux (100%) copy config/rootfiles/{oldcore/100 => core/153}/filelists/x86_64/linux-initrd (100%) delete mode 100644 src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index bc389470b..b794cbcf2 100644 --- a/config/kernel/kernel.config.aarch64-ipfire 
+++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 4.14.198-ipfire Kernel Configuration +# Linux/arm64 4.14.206-ipfire Kernel Configuration # CONFIG_ARM64=y CONFIG_64BIT=y @@ -5577,6 +5577,8 @@ CONFIG_TIMER_OF=y CONFIG_TIMER_ACPI=y CONFIG_TIMER_PROBE=y CONFIG_CLKSRC_MMIO=y +CONFIG_DW_APB_TIMER=y +CONFIG_DW_APB_TIMER_OF=y CONFIG_ROCKCHIP_TIMER=y CONFIG_ARM_ARCH_TIMER=y CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index d6831aaf0..3c26a3ce2 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.195-ipfire-multi Kernel Configuration +# Linux/arm 4.14.206-ipfire-multi Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index 6f3a9cb53..8cac7cd45 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.195-ipfire Kernel Configuration +# Linux/x86 4.14.206-ipfire Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -4648,7 +4648,6 @@ CONFIG_HDMI=y # Console display driver support # CONFIG_VGA_CONSOLE=y -# CONFIG_VGACON_SOFT_SCROLLBACK is not set CONFIG_MDA_CONSOLE=m CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 5ee87722d..4dec50605 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire 
@@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.195-ipfire Kernel Configuration +# Linux/x86 4.14.206-ipfire Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -4530,7 +4530,6 @@ CONFIG_HDMI=y # Console display driver support # CONFIG_VGA_CONSOLE=y -# CONFIG_VGACON_SOFT_SCROLLBACK is not set CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 0961daffe..7ffc70468 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -7072,6 +7072,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/dw #lib/modules/KVER-ipfire/build/include/config/dw/apb #lib/modules/KVER-ipfire/build/include/config/dw/apb/ictl.h +#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer +#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer.h +#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer/of.h #lib/modules/KVER-ipfire/build/include/config/dw/dmac #lib/modules/KVER-ipfire/build/include/config/dw/dmac/core.h #lib/modules/KVER-ipfire/build/include/config/dw/dmac/pci.h diff --git a/config/rootfiles/core/153/filelists/aarch64/linux b/config/rootfiles/core/153/filelists/aarch64/linux new file mode 120000 index 000000000..3a2532bc7 --- /dev/null +++ b/config/rootfiles/core/153/filelists/aarch64/linux @@ -0,0 +1 @@ +../../../../common/aarch64/linux \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/aarch64/linux-initrd b/config/rootfiles/core/153/filelists/aarch64/linux-initrd new file mode 120000 index 000000000..8acdb0f31 --- /dev/null +++ b/config/rootfiles/core/153/filelists/aarch64/linux-initrd @@ -0,0 +1 @@ +../../../../common/aarch64/linux-initrd \ No newline at end of file 
diff --git a/config/rootfiles/core/153/filelists/armv5tel/linux-initrd-multi b/config/rootfiles/core/153/filelists/armv5tel/linux-initrd-multi new file mode 120000 index 000000000..0b1b4530a --- /dev/null +++ b/config/rootfiles/core/153/filelists/armv5tel/linux-initrd-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-initrd-multi \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/armv5tel/linux-multi b/config/rootfiles/core/153/filelists/armv5tel/linux-multi new file mode 120000 index 000000000..204eb4c43 --- /dev/null +++ b/config/rootfiles/core/153/filelists/armv5tel/linux-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/i586/linux b/config/rootfiles/core/153/filelists/i586/linux new file mode 120000 index 000000000..693ec4bbf --- /dev/null +++ b/config/rootfiles/core/153/filelists/i586/linux @@ -0,0 +1 @@ +../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/i586/linux-initrd b/config/rootfiles/core/153/filelists/i586/linux-initrd new file mode 120000 index 000000000..32a03e6a9 --- /dev/null +++ b/config/rootfiles/core/153/filelists/i586/linux-initrd @@ -0,0 +1 @@ +../../../../common/i586/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/x86_64/linux b/config/rootfiles/core/153/filelists/x86_64/linux new file mode 120000 index 000000000..0615b5b9a --- /dev/null +++ b/config/rootfiles/core/153/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/x86_64/linux-initrd b/config/rootfiles/core/153/filelists/x86_64/linux-initrd new file mode 120000 index 000000000..1b9fff70f --- /dev/null +++ b/config/rootfiles/core/153/filelists/x86_64/linux-initrd @@ -0,0 +1 @@ +../../../../common/x86_64/linux-initrd \ No newline at end of file 
diff --git a/config/rootfiles/core/153/update.sh b/config/rootfiles/core/153/update.sh index 6868698c8..4712a0c90 100644 --- a/config/rootfiles/core/153/update.sh +++ b/config/rootfiles/core/153/update.sh @@ -26,11 +26,66 @@ core=153 +exit_with_error() { + # Set last succesfull installed core. + echo $(($core-1)) > /opt/pakfire/db/core/mine + # force fsck at next boot, this may fix free space on xfs + touch /forcefsck + # don't start pakfire again at error + killall -KILL pak_update + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: $1" + exit $2 +} + # Remove old core updates from pakfire cache to save space... for (( i=1; i<=$core; i++ )); do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire done +KVER="xxxKVERxxx" + +# Backup uEnv.txt if exist +if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org +fi + +# Do some sanity checks. +case $(uname -r) in + *-ipfire-kirkwood) + exit_with_error "ERROR cannot update. kirkwood kernel was not supported." 1 + ;; + *-ipfire*) + # Ok. + ;; + *) + exit_with_error "ERROR cannot update. No IPFire Kernel." 1 + ;; +esac +if [ -e /boot/grub/grub.conf ]; then + exit_with_error "ERROR unsupported GRUB1/pygrub found!" 1 +fi + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + exit_with_error "ERROR cannot update because not enough free space on root." 2 + exit 2 +fi + +# Remove the old kernel +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/initramfs-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-*-ipfire-* +rm -rf /boot/zImage-*-ipfire-* +rm -rf /boot/uInit-*-ipfire-* +rm -rf /boot/dtb-*-ipfire-* +rm -rf /lib/modules + # Remove files # Stop services 
@@ -50,12 +105,31 @@ chown -vR root:root /etc/ntp # Filesytem cleanup /usr/local/bin/filesystem-cleanup +# Fix invalid cronjob syntax +sed -e "s/^%hourly,random \* \* \*/%hourly,random */g" \ + -i /var/spool/cron/root.orig +fcrontab -z + # Start services /etc/init.d/suricata restart # Reload sysctl.conf sysctl -p +# remove lm_sensor config after collectd was started +# to reserch sensors at next boot with updated kernel +rm -f /etc/sysconfig/lm_sensors + +# Upadate Kernel version uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt +fi + +# call user update script (needed for some arm boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + # This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/linux b/lfs/linux index 1d708a4ce..def32d8c7 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,8 +24,8 @@ include Config -VER = 4.14.198 -ARM_PATCHES = 4.14.198-ipfire0 +VER = 4.14.206 +ARM_PATCHES = 4.14.206-ipfire0 THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -79,8 +79,8 @@ objects =$(DL_FILE) \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz -$(DL_FILE)_MD5 = 9bf8f170f93283549cba55df5247b7b8 -arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 84b7afe9148e02568777ae0338da3844 +$(DL_FILE)_MD5 = c08bf53b35b816089d04b99036e0304a +arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 = 2b0e8e3ebe9827b2bfed7397b043dbc5 install : $(TARGET) 
@@ -144,9 +144,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-random_try_to_actively_add_entropy.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.x-add_timer_setup_on_stack.patch - # Patch CVE-2020-14386 - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch - ifeq "$(KCFG)" "-multi" # Apply Arm-multiarch kernel patches. cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1 diff --git a/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch b/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch deleted file mode 100644 index a3eb3231f..000000000 --- a/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From: Arne Fitzenreiter - -patch based on acf69c946233259ab4d64f8869d4037a198c7f06 -From: Or Cohen -Subject: net/packet: fix overflow in tpacket_rcv - -Using tp_reserve to calculate netoff can overflow as -tp_reserve is unsigned int and netoff is unsigned short. - -This may lead to macoff receving a smaller value then -sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr -is set, an out-of-bounds write will occur when -calling virtio_net_hdr_from_skb. - -The bug is fixed by converting netoff to unsigned int -and checking if it exceeds USHRT_MAX. - -This addresses CVE-2020-14386 - - -diff -Naur linux-4.14.197.org/net/packet/af_packet.c linux-4.14.197/net/packet/af_packet.c ---- linux-4.14.197.org/net/packet/af_packet.c 2020-09-11 22:27:31.003458577 +0200 -+++ linux-4.14.197/net/packet/af_packet.c 2020-09-11 22:38:53.104021712 +0200 -@@ -2201,7 +2201,8 @@ - int skb_len = skb->len; - unsigned int snaplen, res; - unsigned long status = TP_STATUS_USER; -- unsigned short macoff, netoff, hdrlen; -+ unsigned short macoff, hdrlen; -+ unsigned int netoff; - struct sk_buff *copy_skb = NULL; - struct timespec ts; - __u32 ts_status; -@@ -2264,6 +2265,10 @@ - } - macoff = netoff - maclen; - } -+ if (netoff > USHRT_MAX) { -+ po->stats.stats1.tp_drops++; -+ goto drop_n_restore; -+ } - if (po->tp_version <= TPACKET_V2) { - if (macoff + snaplen > po->rx_ring.frame_size) { - if (po->copy_thresh && hooks/post-receive -- IPFire 2.x development tree
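
Review bot: in config/kernel/kernel.config.aarch64-ipfire, the hunk at @@ -5577,6 +5577,8 @@ turns on CONFIG_DW_APB_TIMER=y and CONFIG_DW_APB_TIMER_OF=y, and the matching rootfile entries are added, but the commit message only says "kernel: update to 4.14.206". Please say in the message whether these symbols were enabled on purpose or were pulled in by the config refresh, so that the change in built-in drivers on aarch64 is traceable. The same goes for the removal of the CONFIG_VGACON_SOFT_SCROLLBACK line from the i586 and x86_64 configs.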
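
Review bot: the free-space check in config/rootfiles/core/153/update.sh (hunk @@ -26,11 +26,66 @@) fails open. `[ $ROOTSPACE -lt 100000 ]` is unquoted, so if the df pipeline returns an empty or non-numeric value, the test itself errors, the if-branch is skipped, and the script goes on to the rm -rf of the /boot kernel files and /lib/modules. Suggest checking that ROOTSPACE is a number first and calling exit_with_error when it is not, and quoting the variable in the test. The `exit 2` after the exit_with_error call is unreachable, because the function already ends in `exit $2`. In the comments, "succesfull" should be "successful".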
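
Review bot: in the second update.sh hunk (@@ -50,12 +105,31 @@), `sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt` is unanchored, so it rewrites every line that contains KVER= anywhere, including commented lines and variables whose name merely ends in KVER. Anchoring the pattern with ^KVER= would restrict it to the assignment. The user hook /boot/pakfire-kernel-update is tested with -e and then executed as root. Testing with -x avoids a failed exec when the file exists but is not executable, and ${KVER} should be quoted in the call. The cron fix runs sed on /var/spool/cron/root.orig without first checking that the file exists, unlike the uEnv.txt steps, which are guarded. In the comments, "reserch" and "Upadate" are typos.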
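
Review bot: in lfs/linux (hunk @@ -79,8 +79,8 @@), the new kernel tarball and the ARM multi-patch archive are pinned only by their `_MD5` values. MD5 is not collision resistant, so on its own it is a weak integrity check for sources that are downloaded and built into the kernel. If the build system's download check can take a stronger digest, please pin that alongside or instead of the MD5 values when bumping VER.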
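
Review bot: the lfs/linux hunk at @@ -144,9 +144,6 @@ drops the "Patch CVE-2020-14386" step, and the patch file itself is deleted, but the commit message does not say why this is safe. Please state in the message that the upstream fix the deleted patch was based on (acf69c946233259ab4d64f8869d4037a198c7f06, the netoff change to unsigned int plus the USHRT_MAX check in tpacket_rcv) is contained in the 4.14.206 tarball. The removal of a security patch can then be audited from the log without diffing net/packet/af_packet.c.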