public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 2e1bf458e2930cf1d69aa9fa3d6e7ebd25022f40
From: Arne Fitzenreiter @ 2020-11-12  8:02 UTC
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  2e1bf458e2930cf1d69aa9fa3d6e7ebd25022f40 (commit)
      from  1ba481b3f4d9e31a8d02cdec447e7bff12631318 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 2e1bf458e2930cf1d69aa9fa3d6e7ebd25022f40
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Thu Nov 12 09:02:02 2020 +0100

    kernel: update to 4.14.206
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire         |  4 +-
 config/kernel/kernel.config.armv5tel-ipfire-multi  |  2 +-
 config/kernel/kernel.config.i586-ipfire            |  3 +-
 config/kernel/kernel.config.x86_64-ipfire          |  3 +-
 config/rootfiles/common/aarch64/linux              |  3 +
 .../124 => core/153}/filelists/aarch64/linux       |  0
 .../153}/filelists/aarch64/linux-initrd            |  0
 .../153}/filelists/armv5tel/linux-initrd-multi     |  0
 .../153}/filelists/armv5tel/linux-multi            |  0
 .../{oldcore/100 => core/153}/filelists/i586/linux |  0
 .../100 => core/153}/filelists/i586/linux-initrd   |  0
 .../100 => core/153}/filelists/x86_64/linux        |  0
 .../100 => core/153}/filelists/x86_64/linux-initrd |  0
 config/rootfiles/core/153/update.sh                | 74 ++++++++++++++++++++++
 lfs/linux                                          | 11 ++--
 ...86_net_packet_fix_overflow_in_tpacket_rcv.patch | 44 -------------
 16 files changed, 87 insertions(+), 57 deletions(-)
 copy config/rootfiles/{oldcore/124 => core/153}/filelists/aarch64/linux (100%)
 copy config/rootfiles/{oldcore/124 => core/153}/filelists/aarch64/linux-initrd (100%)
 copy config/rootfiles/{oldcore/121 => core/153}/filelists/armv5tel/linux-initrd-multi (100%)
 copy config/rootfiles/{oldcore/100 => core/153}/filelists/armv5tel/linux-multi (100%)
 copy config/rootfiles/{oldcore/100 => core/153}/filelists/i586/linux (100%)
 copy config/rootfiles/{oldcore/100 => core/153}/filelists/i586/linux-initrd (100%)
 copy config/rootfiles/{oldcore/100 => core/153}/filelists/x86_64/linux (100%)
 copy config/rootfiles/{oldcore/100 => core/153}/filelists/x86_64/linux-initrd (100%)
 delete mode 100644 src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch

Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index bc389470b..b794cbcf2 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.14.198-ipfire Kernel Configuration
+# Linux/arm64 4.14.206-ipfire Kernel Configuration
 #
 CONFIG_ARM64=y
 CONFIG_64BIT=y
@@ -5577,6 +5577,8 @@ CONFIG_TIMER_OF=y
 CONFIG_TIMER_ACPI=y
 CONFIG_TIMER_PROBE=y
 CONFIG_CLKSRC_MMIO=y
+CONFIG_DW_APB_TIMER=y
+CONFIG_DW_APB_TIMER_OF=y
 CONFIG_ROCKCHIP_TIMER=y
 CONFIG_ARM_ARCH_TIMER=y
 CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi
index d6831aaf0..3c26a3ce2 100644
--- a/config/kernel/kernel.config.armv5tel-ipfire-multi
+++ b/config/kernel/kernel.config.armv5tel-ipfire-multi
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm 4.14.195-ipfire-multi Kernel Configuration
+# Linux/arm 4.14.206-ipfire-multi Kernel Configuration
 #
 CONFIG_ARM=y
 CONFIG_ARM_HAS_SG_CHAIN=y
diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire
index 6f3a9cb53..8cac7cd45 100644
--- a/config/kernel/kernel.config.i586-ipfire
+++ b/config/kernel/kernel.config.i586-ipfire
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.195-ipfire Kernel Configuration
+# Linux/x86 4.14.206-ipfire Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -4648,7 +4648,6 @@ CONFIG_HDMI=y
 # Console display driver support
 #
 CONFIG_VGA_CONSOLE=y
-# CONFIG_VGACON_SOFT_SCROLLBACK is not set
 CONFIG_MDA_CONSOLE=m
 CONFIG_DUMMY_CONSOLE=y
 CONFIG_DUMMY_CONSOLE_COLUMNS=80
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 5ee87722d..4dec50605 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.195-ipfire Kernel Configuration
+# Linux/x86 4.14.206-ipfire Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -4530,7 +4530,6 @@ CONFIG_HDMI=y
 # Console display driver support
 #
 CONFIG_VGA_CONSOLE=y
-# CONFIG_VGACON_SOFT_SCROLLBACK is not set
 CONFIG_DUMMY_CONSOLE=y
 CONFIG_DUMMY_CONSOLE_COLUMNS=80
 CONFIG_DUMMY_CONSOLE_ROWS=25
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
index 0961daffe..7ffc70468 100644
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -7072,6 +7072,9 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/dw
 #lib/modules/KVER-ipfire/build/include/config/dw/apb
 #lib/modules/KVER-ipfire/build/include/config/dw/apb/ictl.h
+#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer
+#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer.h
+#lib/modules/KVER-ipfire/build/include/config/dw/apb/timer/of.h
 #lib/modules/KVER-ipfire/build/include/config/dw/dmac
 #lib/modules/KVER-ipfire/build/include/config/dw/dmac/core.h
 #lib/modules/KVER-ipfire/build/include/config/dw/dmac/pci.h
diff --git a/config/rootfiles/core/153/filelists/aarch64/linux b/config/rootfiles/core/153/filelists/aarch64/linux
new file mode 120000
index 000000000..3a2532bc7
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/aarch64/linux
@@ -0,0 +1 @@
+../../../../common/aarch64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/aarch64/linux-initrd b/config/rootfiles/core/153/filelists/aarch64/linux-initrd
new file mode 120000
index 000000000..8acdb0f31
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/aarch64/linux-initrd
@@ -0,0 +1 @@
+../../../../common/aarch64/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/armv5tel/linux-initrd-multi b/config/rootfiles/core/153/filelists/armv5tel/linux-initrd-multi
new file mode 120000
index 000000000..0b1b4530a
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/armv5tel/linux-initrd-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/armv5tel/linux-multi b/config/rootfiles/core/153/filelists/armv5tel/linux-multi
new file mode 120000
index 000000000..204eb4c43
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/armv5tel/linux-multi
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/i586/linux b/config/rootfiles/core/153/filelists/i586/linux
new file mode 120000
index 000000000..693ec4bbf
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/i586/linux
@@ -0,0 +1 @@
+../../../../common/i586/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/i586/linux-initrd b/config/rootfiles/core/153/filelists/i586/linux-initrd
new file mode 120000
index 000000000..32a03e6a9
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/i586/linux-initrd
@@ -0,0 +1 @@
+../../../../common/i586/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/x86_64/linux b/config/rootfiles/core/153/filelists/x86_64/linux
new file mode 120000
index 000000000..0615b5b9a
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/153/filelists/x86_64/linux-initrd b/config/rootfiles/core/153/filelists/x86_64/linux-initrd
new file mode 120000
index 000000000..1b9fff70f
--- /dev/null
+++ b/config/rootfiles/core/153/filelists/x86_64/linux-initrd
@@ -0,0 +1 @@
+../../../../common/x86_64/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/153/update.sh b/config/rootfiles/core/153/update.sh
index 6868698c8..4712a0c90 100644
--- a/config/rootfiles/core/153/update.sh
+++ b/config/rootfiles/core/153/update.sh
@@ -26,11 +26,66 @@
 
 core=153
 
+exit_with_error() {
+	# Set last succesfull installed core.
+	echo $(($core-1)) > /opt/pakfire/db/core/mine
+	# force fsck at next boot, this may fix free space on xfs
+	touch /forcefsck
+	# don't start pakfire again at error
+	killall -KILL pak_update
+	/usr/bin/logger -p syslog.emerg -t ipfire \
+		"core-update-${core}: $1"
+	exit $2
+}
+
 # Remove old core updates from pakfire cache to save space...
 for (( i=1; i<=$core; i++ )); do
 	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
 done
 
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+	cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+	*-ipfire-kirkwood)
+		exit_with_error "ERROR cannot update. kirkwood kernel was not supported." 1
+		;;
+	*-ipfire*)
+		# Ok.
+		;;
+	*)
+		exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+		;;
+esac
+if [ -e /boot/grub/grub.conf ]; then
+	exit_with_error "ERROR unsupported GRUB1/pygrub found!" 1
+fi
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 100000 ]; then
+	exit_with_error "ERROR cannot update because not enough free space on root." 2
+	exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-*-ipfire-*
+rm -rf /boot/zImage-*-ipfire-*
+rm -rf /boot/uInit-*-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+
 # Remove files
 
 # Stop services
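Review bot: The free-space check on root can fail open. `[ $ROOTSPACE -lt 100000 ]` is unquoted and the value is never validated, so if the `df | sed | cut | tail` pipeline yields an empty or non-numeric string the test itself errors, the `if` body is skipped, and the script continues to the `rm -rf /boot/vmlinuz-*` and `rm -rf /lib/modules` lines without confirmed headroom for the new kernel. Suggest treating an empty or non-numeric `ROOTSPACE` as an error through `exit_with_error` and quoting the variable in the test. The `exit 2` directly after `exit_with_error "..." 2` is unreachable, because the function already ends in `exit $2`, and can be dropped.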
@@ -50,12 +105,31 @@ chown -vR root:root /etc/ntp
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
 
+# Fix invalid cronjob syntax
+sed -e "s/^%hourly,random \* \* \*/%hourly,random */g" \
+	-i /var/spool/cron/root.orig
+fcrontab -z
+
 # Start services
 /etc/init.d/suricata restart
 
 # Reload sysctl.conf
 sysctl -p
 
+# remove lm_sensor config after collectd was started
+# to reserch sensors at next boot with updated kernel
+rm -f  /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+	sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+	/boot/pakfire-kernel-update ${KVER}
+fi
+
 # This update needs a reboot...
 touch /var/run/need_reboot
 
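Review bot: The user hook near the end of this hunk is gated on `[ -e /boot/pakfire-kernel-update ]`, which only tests existence, and its exit status is ignored, so a hook that is not executable or that fails goes unnoticed and the script still reaches `touch /var/run/need_reboot`. Suggest `[ -x /boot/pakfire-kernel-update ]`, quoting `"${KVER}"`, and logging a non-zero return. Because the updater runs whatever is at that path, it is also worth documenting who is expected to be able to write it. Separately, `s/KVER=.*/KVER=${KVER}/g` is unanchored and rewrites any line of uEnv.txt that contains `KVER=`; anchoring it as `^KVER=` would limit the change to the intended variable.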
diff --git a/lfs/linux b/lfs/linux
index 1d708a4ce..def32d8c7 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,8 +24,8 @@
 
 include Config
 
-VER         = 4.14.198
-ARM_PATCHES = 4.14.198-ipfire0
+VER         = 4.14.206
+ARM_PATCHES = 4.14.206-ipfire0
 
 THISAPP    = linux-$(VER)
 DL_FILE    = linux-$(VER).tar.xz
@@ -79,8 +79,8 @@ objects =$(DL_FILE) \
 $(DL_FILE)					= $(URL_IPFIRE)/$(DL_FILE)
 arm-multi-patches-$(ARM_PATCHES).patch.xz	= $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
 
-$(DL_FILE)_MD5					= 9bf8f170f93283549cba55df5247b7b8
-arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5	= 84b7afe9148e02568777ae0338da3844
+$(DL_FILE)_MD5					= c08bf53b35b816089d04b99036e0304a
+arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5	= 2b0e8e3ebe9827b2bfed7397b043dbc5
 
 install : $(TARGET)
 
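Review bot: The two `_MD5` values updated here are the only integrity check visible in this hunk for the new kernel tarball and the ARM patch set, and MD5 is not collision resistant. If the build system can carry a stronger digest for `$(DL_FILE)` and `arm-multi-patches-$(ARM_PATCHES).patch.xz`, suggest recording it alongside these entries so that a replaced file on the download mirror cannot match by collision.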
@@ -144,9 +144,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-random_try_to_actively_add_entropy.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.x-add_timer_setup_on_stack.patch
 
-	# Patch CVE-2020-14386
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch
-
 ifeq "$(KCFG)" "-multi"
 	# Apply Arm-multiarch kernel patches.
 	cd $(DIR_APP) && xzcat $(DIR_DL)/arm-multi-patches-$(ARM_PATCHES).patch.xz | patch -Np1
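Review bot: Dropping the `# Patch CVE-2020-14386` step is not explained in the commit message, which only says "kernel: update to 4.14.206". Suggest stating there that the 4.14.206 source already contains the `tpacket_rcv` fix described in the deleted patch (`netoff` widened to `unsigned int` plus the `netoff > USHRT_MAX` check), so a reader can confirm the removal is intentional and not a regression.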
diff --git a/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch b/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch
deleted file mode 100644
index a3eb3231f..000000000
--- a/src/patches/linux/linux-4.14_cve-2020-14386_net_packet_fix_overflow_in_tpacket_rcv.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
-
-patch based on acf69c946233259ab4d64f8869d4037a198c7f06
-From: Or Cohen <orcohen(a)paloaltonetworks.com>
-Subject: net/packet: fix overflow in tpacket_rcv
-
-Using tp_reserve to calculate netoff can overflow as
-tp_reserve is unsigned int and netoff is unsigned short.
-
-This may lead to macoff receving a smaller value then
-sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
-is set, an out-of-bounds write will occur when
-calling virtio_net_hdr_from_skb.
-
-The bug is fixed by converting netoff to unsigned int
-and checking if it exceeds USHRT_MAX.
-
-This addresses CVE-2020-14386
-
-
-diff -Naur linux-4.14.197.org/net/packet/af_packet.c linux-4.14.197/net/packet/af_packet.c
---- linux-4.14.197.org/net/packet/af_packet.c	2020-09-11 22:27:31.003458577 +0200
-+++ linux-4.14.197/net/packet/af_packet.c	2020-09-11 22:38:53.104021712 +0200
-@@ -2201,7 +2201,8 @@
- 	int skb_len = skb->len;
- 	unsigned int snaplen, res;
- 	unsigned long status = TP_STATUS_USER;
--	unsigned short macoff, netoff, hdrlen;
-+	unsigned short macoff, hdrlen;
-+	unsigned int netoff;
- 	struct sk_buff *copy_skb = NULL;
- 	struct timespec ts;
- 	__u32 ts_status;
-@@ -2264,6 +2265,10 @@
- 		}
- 		macoff = netoff - maclen;
- 	}
-+	if (netoff > USHRT_MAX) {
-+		po->stats.stats1.tp_drops++;
-+		goto drop_n_restore;
-+	}
- 	if (po->tp_version <= TPACKET_V2) {
- 		if (macoff + snaplen > po->rx_ring.frame_size) {
- 			if (po->copy_thresh &&


hooks/post-receive
--
IPFire 2.x development tree
