In a pristine build, these directories are created as dependencies of
the tools subdir compile, however this step never runs when the tools
compile stamp already exists. Since commit ed6ba2801c ("tools: keep
stamp file in $(STAGING_DIR_HOST)"), this will happen after `make clean`:
$(STAGING_DIR) has been deleted, but the tools stamp still exists, so
the next build will fail because $(STAGING_DIR) has not been set up
correctly.
Fix builds after `make clean` by adding the preparation as dependencies
for the target and package directories as well.
Fixes: ed6ba2801c ("tools: keep stamp file in $(STAGING_DIR_HOST)")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit fbb924abff)
asterisk-chan-lantiq is by now the only user of the VMMC interface.
And asterisk runs as user 'asterisk' which doesn't give it permission
to open the /dev/vmmc* devices.
Introduce a new user group 'vmmc' and give permission to access the
/dev/vmmc* devices to that group.
Another commit for asterisk-chan-lantiq will add the 'asterisk' user
to that group.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 37bbed6f95)
* fix switch ports with modes other than 1000M/Full
* set 32-bit dma_coherent_mask to get PPE to work with 4 GiB of RAM
* sync driver for built-in 1GE PHY with MediaTek SDK sources
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4ae2f43b3a)
Same as commit 3674689, correct 'buswidth' to 'bus-width'.
Also move the nmbm properties outside the partition definition.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 1be6347b7d)
The flash procedure is similar to the Xiaomi AX6000 router.
Load openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-initramfs-recovery.itb from original Zyxel U-Boot:
tftpboot openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-initramfs-recovery.itb
bootm 0x46000000
Load mtd-rw
insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1
Format ubi and create ubootenv partitions
ubidetach -p /dev/mtd5; ubiformat /dev/mtd5 -y; ubiattach -p /dev/mtd5
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB
Copy openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-initramfs-recovery.itb to /tmp and create recovery partition.
If your recovery image is larger than 10MiB, size the recovery partition accordingly to make it fit.
ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB
ubiupdatevol /dev/ubi0_2 openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-initramfs-recovery.itb
Copy preloader and uboot to /tmp and write them in the mtd
mtd write /tmp/openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-preloader.bin bl2
mtd write /tmp/openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-bl31-uboot.fip fip
Now write the firmware:
sysupgrade -n /tmp/openwrt-mediatek-filogic-zyxel_ex5601-t0-ubootmod-squashfs-sysupgrade.itb
To create a correct BL2, I had to add a profile for 'spim:4k+256' as I could not find a way to value the variable 'NAND_TYPE'.
Features and fixes from hitech95 tree has been squashed, I'm attaching his commit message:
The Power LED was not working correctly and not reacting
to the boot process and statuses.
The board has space (footprint) for an unpopulated Zigbee chip,
while we dont know the device model having this chip populated
we have to assure that the common dts doesnt enable
interfaces that share pins with such device.
In this instance the PCIe and the uart1 and uart2 are disabled.
Some of the control PCIE pins seems to be used for the Zigbee chip,
UART1 seems to be used as a flash port while UART2 should be the
main comunication interface of Zigbee chip.
The Zigbee chip should be a EFR32MG21. But the pins used for UART
seems to be not on standard PINS used by other adapters.
So it cannot run firmwares shared on the web.
But it should be possible to build a custom firmware with
the corrtect pinmux.
This commit also contains the following squashed commit from hitech95
- mediatek: fix sysupgrade for Zyxel EX7601-T0 ubootmod
Changes and fixes added in common board:
- added aliases for boot status leds.
- added aliases for the mac-label-device.
- added pin claims for core features (MDIO and UART 0)
- added default LEDs configuration (01_leds)
- added default network configuration (02_network)
- added missing kmod-usb3 module for USB3
- fixed LED names
- fixed reset pin for SLIC chip
- removed unused pinmux configurations and devices
- fix LAN (switch) port numbering
- using nvmem cells for wifi eeprom, dropping deprecated "mediatek,mtd-eeprom"
- proper factory partition and mac address handling
- cleaned up spi_nand sections and partition
Changes and fixxes added in stock layout:
- added NMBM, if u-boot has it, the kernel must be informed.
Co-authored-by: Nicolò Veronese <nicveronese@gmail.com>
Co-developed-by: Nicolò Veronese <nicveronese@gmail.com>
Signed-off-by: Nicolò Veronese <nicveronese@gmail.com>
Signed-off-by: Valerio 'ftp21' Mancini <ftp21@ftp21.eu>
(cherry picked from commit b5df398a36)
Device specification:
- MT7629 with 16MB NOR flash W25Q128 and 128 MB DDR3 RAM.
- MT7761N and MT7762N wireless chips (currenlty no driver in OpenWrt available)
- WiFi is NOT working on this device
- Dual core but second CPU doesn't seem to work (Error message during boot: "CPU1: failed to come online")
There are two similar merge requests for similar devices with the same issues:
- https://github.com/openwrt/openwrt/pull/12286
- https://github.com/openwrt/openwrt/pull/5084
UART interface is next to the reset button, pinout:
- 1: TX (the pin with the arrow marker)
- 2: RX
- 3: GND
- 4: VCC
UART settings: 115200,8n1, 3.3V
U-Boot menu can be entered by pressing Ctrl+B during startup.
Booting initramfs:
- Set your computers IP adress to 192.168.1.110
- Run a TFTP server providing the initramfs image
- Power on the AP, press Ctrl+B to get to the U-Boot menu
- Select "1. System Load Linux to SDRAM via TFTP"
- Update kernel file name, input server IP and input device IP (if they deviate from the defaults)
- After booting, create a backup of all partitions, especially for kernel and root_fs. They are required for reverting back to stock firmware
- The sysupgrade image can be flashed now
MAC adresses:
- LAN and 2.4GHz use the same MAC (the one printed on the device)
- 5GHz WiFi MAC is LAN MAC + 1
GPIOs:
- GPIO 21 is the reset pin (low active)
- GPIO 55 is for the green LED (active high)
- GPIO 56 is for the yellow/amber LED (active high)
Signed-off-by: Roland Reinl <reinlroland+github@gmail.com>
(cherry picked from commit 44cd32d764)
Specification:
- MT7622BV SoC with 2.4GHz wifi
- MT7975AN + MT7915AN for 5GHz
- MT7531BE Switch
- 512MB RAM
- 128 MB flash
- 3 LEDs (red, orange, white)
- 2 buttons (WPS and Reset)
MAC addresses:
- WAN MAC is stored in partition "Odm" at offset 0x83
- LAN (as printed on the device) is WAN MAC + 1
- WLAN MAC (2.4 GHz) is WAN MAC + 2
- WLAN MAC (5GHz) is WAN MAC + 3
Disassembly: Remove 4 screws in the bottom and 2 screws in the top (after removing the blue cover on the top), then the board can be pulled out.
The pins for the serial console are already labeled on the board (VCC, TX, RX, GND). Serial settings: 3.3V, 115200,8n1
Flashing via Recovery Web Interface:
- Set your IP address to 192.168.0.10, subnetmask 255.255.255.25
- Press the reset button while powering on the deivce
- Keep the reset button pressed until the status LED blinks fast
- Open a Chromium based and goto http://192.168.0.1
- Download openwrt-mediatek-mt7622-dlink_eagle-pro-ai-m32-a1-squashfs-recovery.bin
Flashing via uBoot:
- Open the case, connect to the UART console
- Set your IP address to 10.10.10.3, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router
- Run a tftp server which provides openwrt-mediatek-mt7622-dlink_eagle-pro-ai-m32-initramfs-kernel.bin. You can rename the file to iverson_uImage (no extension), then you don't have to enter the whole file name in uboot later.
- Power on the device and select "1. System Load Linux to SDRAM via TFTP." in the boot menu
- Enter image file, tftp server IP and device IP (if they differ from the default).
- TFTP download to RAM will start. After a few seconds OpenWrt initramfs should start
- The initramfs is accessible via 192.168.1.1, change your IP address accordingly (or use multiple IP addresses on your interface)
- Create a backup of the Kernel1 partition, this file is required if a revert to stock should be done later
- Perform a sysupgrade using openwrt-mediatek-mt7622-dlink_eagle-pro-ai-m32-squashfs-sysupgrade.bin
- Reboot the device. OpenWrt should start from flash now
Revert back to stock using the Recovery Web Interface:
- Set your IP address to 192.168.0.10, subnetmask 255.255.255.25
- Press the reset button while powering on the deivce
- Keep the reset button pressed until the status LED blinks fast
- Open a Chromium based and goto http://192.168.0.1
- Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below.
Decrypting a D-Link firmware image:
- Download https://github.com/RolandoMagico/firmware-utils/blob/M32/src/m32-firmware-util.c
- Compile a binary from the downloaded file, e.g. gcc m32-firmware-util.c -lcrypto -o m32-firmware-util
- Run ./m32-firmware-util M32 --DecryptFactoryImage <OriginalFirmware> <OutputFile>
- Example for firmware 1.03.01_HOTFIX: ./m32-firmware-util M32 --DecryptFactoryImage M32-REVA_1.03.01_HOTFIX.enc.bin M32-REVA_1.03.01_HOTFIX.decrypted.bin
Revert back to stock using uBoot:
- Open the case, connect to the UART console
- Set your IP address to 10.10.10.3, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router
- Run a tftp server which provides the previously created backup of the Kernel1 partition. You can rename the file to iverson_uImage (no extension), then you don't have to enter the whole file name in uboot later.
- Power on the device and select "2. System Load Linux Kernel then write to Flash via TFTP." in the boot menu
- Enter image file, tftp server IP and device IP (if they differ from the default).
- TFTP download to FLASH will start. After a few seconds the stock firmware should start again
There is also an image openwrt-mediatek-mt7622-dlink_eagle-pro-ai-m32-a1-squashfs-tftp.bin which can directly be flashed via U-Boot and TFTP. It can be used if no backup of the Kernel1 partition is reuqired.
Flahsing via OEM web interface is currently not possible, the OEM images are encrypted and require a specific memory layout which is not compatible to the partition layout of OpenWrt.
Signed-off-by: Roland Reinl <reinlroland+github@gmail.com>
(cherry picked from commit e3a6945b58)
Buffalo WSR-3200AX4S is a 2.4/5 GHz band 11ax (Wi-Fi 6) router, based on
MT7622B.
Specification:
- SoC : MediaTek MT7622B
- RAM : DDR3 512 MiB
- Flash : SPI-NAND 128 MiB (Winbond W25N01GVZEIG)
- WLAN : 2.4/5 GHz 4T4R
- 2.4 GHz : MediaTek MT7622B (SoC)
- 5 GHz : MediaTek MT7915
- Ethernet : 5x 10/100/1000 Mbps
- Switch : MediaTek MT7531
- LEDs/Keys : 6x/5x (2x: buttons, 3x: slide-switches)
- UART : through-hole on PCB (J4)
- assignment: 3.3V, GND, TX, RX from tri-angle marking
- settings : 115200n8
- Power : 12 VDC, 1.5 A
Flash instruction using factory.bin image:
1. Boot WSR-3200AX4S with "Router" mode
2. Access to "http://192.168.11.1/" and open firmware update page
("ファームウェア更新")
3. Select the OpenWrt factory.bin image and click update ("更新実行")
button
4. Wait ~120 seconds to complete flashing
Note:
- This device has 2x OS images on flash. The first one will always be
used for booting and the secondary is for backup.
- This support generates multiple factory*.bin image:
- factory.bin : for flashing from OEM WebUI
- factory-uboot.bin: for flashing from U-Boot or clean installation
via sysupgrade (don't use for normal sysupgrade)
Known issues:
- Wi-Fi MAC addresses won't be applied to each adapter.
MAC Addresses:
LAN : C4:3C:EA:xx:xx:60 (board_data, mac (text))
WAN : C4:3C:EA:xx:xx:60 (board_data, mac (text))
2.4 GHz: C4:3C:EA:xx:xx:61
5 GHz : C4:3C:EA:xx:xx:68
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
(cherry picked from commit 7383eb266b)
Separate dts/dtsi from the dts of Buffalo WSR-2533DHP2 to prepare adding
suppport for WSR-3200AX4S.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
(cherry picked from commit 9f640cae75)
Merge similar helpers of trx image generation, "buffalo-kernel-trx" and
"trx-nand".
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
(cherry picked from commit d0929006f2)
Update NVMEM-related nodes and use newer binding for MAC addresses on
Buffalo WSR-2533DHP2.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
(cherry picked from commit de62e01652)
Update LED and key nodes with newer DeviceTree bindings for WSR-2533DHP2.
- LED
- use led-[0-9] for node name of LEDs
- add "color" and "function" properties
- drop default-state = "on" from green:power LED
- this LED will be turned on by led-running alias
- key
- drop unnecessary poll-interval property
- use key-[0-9] for node name of keys
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
(cherry picked from commit 6b8e7144c8)
This doubles the number of cooling-levels.
In addition the fan is turned on with a low speed at lower temperatures
and with a higher speed at higher temperatures.
This also attempts to reduce the likelihood of constant start-stop actions.
The change only affects the GL.iNet MT3000 and has been tested with it.
Signed-off-by: Łukasz M <lukasz1992m@gmail.com>
(cherry picked from commit 5a603c7a31)
Drop the flow-hash of the skb when forwarding to the L2TP netdev.
This avoids the L2TP qdisc from using the flow-hash from the outer
packet, which is identical for every flow within the tunnel.
This does not affect every platform but is specific for the ethernet
driver. It depends on the platform including L4 information in the
flow-hash.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 35a5e62da7)
WPS button activation method is wrong . It should be active low
Signed-off-by: Robert Senderek <robert.senderek@10g.pl>
(cherry picked from commit 611a9894b2)
Synchronize the ath11k backports with upstream linux.
Most of them are changes in kernel 6.5, the rest are
fixes for the ath11k_pci. The most important one is
"Revert 'wifi: ath11k: Enable threaded NAPI'", which
fixes the problem that QCN9074 cannot be used after
restarting on the x86 platform.
[ 23.462718] ath11k_pci 0000:02:00.0: failed to vdev 0 create peer for AP: -110
[ 28.503020] ath11k_pci 0000:02:00.0: Timeout in receiving vdev delete response
Changes to ipq8074 coldboot part pick from commit
b33bfcf ("mac80211: ath11k: sync with ath-next").
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
With mac80211_hwsim I have seen such entries in OpenWrt 22.03:
HE Iftypes: managed, AP
The mac80211.sh script did not detect the entry and failed. Allow
arbitrary other entries before to fix this problem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5df7a78e82)
When `log.showSignature` is set, it causes the `SOURCE_DATE_EPOCH` to
include a textual signature description on OpenPGP-signed commits,
because Git prints the description into stdout. This then causes some
scripts to fail because they cannot parse the date from the variable.
Adding an explicit `--no-show-signature` prevents the signatures from
being displayed even when one has Git configured to show them by
default, fixing the scripts.
Signed-off-by: Oto Šťáva <oto.stava@gmail.com>
(cherry picked from commit 1e93208bd2)
Recent OEM firmware versions test the version number embedded in the uimage
"name" header field. The exact restricton is unknown, but "7.0.8.4" seems
to be the lowest number accepted on a GS110TPPv1 which already has that
version or higher.
A "9.9.9.9" version is accepted as valid by the GS110TPPv1 OEM firmware,
and considered both unique enough to identify an OpenWrt image and
moderately future proof against OEM version bumps.
This change is also boot tested on a GS108Tv3 with
"BOOT Loader Version 1.0.0.2 (2018-08-31 17:05:26 UTC)"
to verify that it doesn't break boot on older hardware.
Link: https://forum.openwrt.org/t/72510/58
Signed-off-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit 6da308f4de)
Fix netifd hostapd.sh selection of FILS-SHA384 algorithm with eap-192.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 472312f83f)
Backport merged upstream patch that adds support for firmware loader
from NVMEM or attached filesystem for Aquantia PHYs.
Refresh all kernel patches affected by this change.
Also update the path for aquantia .ko that got moved to dedicated
directory upstream.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
[rmilecki: port to 5.15]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 1b3259eb5c)
The NWA50AX Pro only has a eth0 interface for its only ethernet port.
Use this port for preinit.
Fixes non-working network in failsafe mode.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit b589434a0b)
Add dtb makefile target to targets list to permit correct working of
make target/linux/dtb
Fixes: c47532b1ea ("kernel-buildOnmk: add support for compiling only DTS")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit c4910e9cb3)
Add support for compiling DTS for the selected target. This can be
useful for testing if the DTS correctly compile and doesn't produce any
error.
This adds a new make target. To compile only DTS use:
make target/linux/dtb
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit c47532b1ea)
Checking for AP_VLAN misdetects ath10k-ath12k as fullmac, because of software
crypto limitations. Check for monitor mode support instead, which is more
reliable.
Fixes: https://github.com/openwrt/openwrt/issues/14575
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 2b4941a6f1)
The maintainer and repository of wireless-regdb has changed.
https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/
Changes:
37dcea0 wireless-regdb: Update keys and maintainer information
9e0aee6 wireless-regdb: Makefile: Reproducible signatures
8c784a1 wireless-regdb: Update regulatory rules for China (CN)
149c709 wireless-regdb: Update regulatory rules for Japan (JP) for December 2023
bd69898 wireless-regdb: Update regulatory rules for Singapore (SG) for September 2023
d695bf2 wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)
4541300 wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit b463737826)
Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
CPUs which support PowerISA 2.07
([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q parameter
value ([CVE-2023-5678])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 44cd90c49a)
Commit daefc646e6 ("realtek: fix ZyXEL initramfs image generation")
fixed a shell expansion issue with zyxel-vers usage. Commit 045baca10b
("realtek: deduplicate GS1900 recipes") took care of this for the
rtl838x and rtl839x subtargets, but the single device officially
supported in rtl930x - the XGS1250-12 - was overlooked. This commit
updates the XGS1250-12 build recipe as well.
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
(cherry picked from commit 557db5106c)
Only bcm2708 and bcm2709 use "kernel.img" file name.
bcm2710 and bcm2711 use "kernel8.img" and bcm2712 uses "kernel_2712.img".
(cherry picked from commit 1a5e51ab00)
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Automatically detect boot partition instead of forcing /dev/mmcblk0p1.
This way users can still get /boot mounted when booting from USB.
(cherry picked from commit a391760102)
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Will be used for conversions in later commits and is a requirement for
PHY backports.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[rmilecki: update commit message for 23.05]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 511c7ff032)
Ubiquiti Rocket M XW is a single-band, 2x2:2 external Wi-Fi AP, with optional
GPS receiver, with two external RP-SMA antenna connections, based on
AR9342 SoC. Two band variants exists, for 2.4GHz and 5GHz band, usable
with the same image.
Specs:
- CPU: Atheros AR9342 MIPS SoC at 535MHz
- RAM: 64MB DDR400
- ROM: 8MB SPI-NOR in SO16W package, MX25L6408E
- Wi-Fi Atheros AR9342 built-in 2x2:2 radio
- Ethernet: Atheros AR8035 PHY, limited to 100Mbps speeds due to
magnetics
- Power: 24V passive PoE input.
Installation: please refer to Ubiquiti Bullet M2HP for documentation.
The device runs with exactly same image as the Bullet, and after fixes
in preceding commit, is fully functional again. Add the alternative name
to the build system.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit 54387fddea)
Since commit 6f2e1b7485 ("ath79: disable delays on AT803X config init")
Ubiquiti XW boards equipped with AR8035 PHY suffered from lack of
outbound traffic on the Ethernet port. This was caused by the fact, the
U-boot has set this during boot and it wasn't reset by the PHY driver,
and the corresponding setting in device tree was wrong.
Set the 'phy-mode = "rgmii-txid"' at the ð0, and drop this property
from PHY node, as it is not parsed there. This causes the device to
connect using Ethernet once again.
Fixes: db4b6535f8 ("ath79: Add support for Ubiquity Bullet M (XW)")
Fixes: 6f2e1b7485 ("ath79: disable delays on AT803X config init")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit a9b2ba4d7b)
Onboard AR8035 PHY supports 1000Base-T operation, but onboard
Ethernet magnetics do not. Reduce advertised link speeds to 100Mbps and
lower.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit d406777fb1)
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:
* Timing side channel in private key RSA operations (CVE-2024-23170)
Mbed TLS is vulnerable to a timing side channel in private key RSA
operations. This side channel could be sufficient for an attacker to
recover the plaintext. A local attacker or a remote attacker who is
close to the victim on the network might have precise enough timing
measurements to exploit this. It requires the attacker to send a large
number of messages for decryption.
* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)
When writing x509 extensions we failed to validate inputs passed in to
mbedtls_x509_set_extension(), which could result in an integer overflow,
causing a zero-length buffer to be allocated to hold the extension. The
extension would then be copied into the buffer, causing a heap buffer
overflow.
Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
(cherry picked from commit 920414ca88)
While flashing sysupgrade image from U-Boot, then the rootfs_data
overlay filesystem formatting is left for the fstools during firstboot,
but that wont work as mkfs.f2fs is missing in the sysupgrade image:
mount_root: overlay filesystem in /dev/loop0 has not been formatted yet
mount_root: no usable overlay filesystem found, using tmpfs overlay
sh: mkfs.f2fs: not found
Filesystem Size Used Available Use% Mounted on
/dev/loop0 139.6M 46.9M 92.6M 34% /overlay
Number Start (sector) End (sector) Size Code Name
20 98850 406349 150.1 MiB FFFF rootfs
So lets fix it by adding f2fs support to the sysupgrade image.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ba415af570)
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.
This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd6 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c70 ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 1f11a4e283)