Commit Graph

56752 Commits

Author SHA1 Message Date
Eneas U de Queiroz
9a49e257d6
toolchain: wrapper.sh: fix TOOLCHAIN_SYSROOT path
62c1740676 changed the location of the script from $(TOOLCHAIN_DIR)/usr
to $(TOOLCHAIN_DIR), but the TOOLCHAIN_SYSROOT used in wrapper.sh was
still expecting to find the script under usr/bin.

Fixes: 62c1740676 toolchain: fix the sysroot mess by getting...
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-02-12 10:55:05 -03:00
Michael Pratt
eeba2a67ca Revert "tools/fakeroot: update to 1.30.1"
This reverts commit 52167feff8.

Fakeroot 1.30.1 broke building on certain hosts (32-bit archs).

As of 2023-01-10, this was apparently fixed in source code,
however, the version is still 1.30.1 (patch release),
so the old binaries are removed from the repository and replaced,
but the source provided by the repository remains the same.

Furthermore, there are some complicated issues blocking
the "testing" release from being bumped to a 1.30.x version.

Considering all of this, it would likely be better for this package
to follow the "testing" release instead of the "unstable" release,
which is still 1.29-1, so revert to that.

Link: https://bugs.debian.org/1023286
Link: https://tracker.debian.org/news/1407613/accepted-fakeroot-1301-11-source-into-unstable/
Link: https://qa.debian.org/excuses.php?package=fakeroot
Link: https://bugs.debian.org/1027803
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-02-12 01:02:22 +01:00
John Audia
4ae86b3358 openssl: bump to 1.1.1t
Removed upstreamed patch: 010-padlock.patch

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-02-12 00:08:29 +01:00
John Audia
3c0676911b kernel: bump 5.15 to 5.15.93
All patches automatically rebased.

Build system: x86_64
Build-tested: bcm2711/RPi4B, filogic/xiaomi_redmi-router-ax6000-ubootmod
Run-tested: bcm2711/RPi4B, filogic/xiaomi_redmi-router-ax6000-ubootmod

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-02-11 23:39:30 +01:00
Oleg S
b174de2c5f mediatek: mt7622: fix rootfs/ubi detection for Xiaomi AX6S
By specifying the flag "denx,fit" for partition "kernel", the kernel
try to find rootfs in the same partition during boot. Reality is that
the placement of rootfs is precisely determined by the name of another
partition -"ubi".
It was also found that on some device (for example devices with NAND
chips), the "Denx search engine" manages to find roots at the end of
partition "kernel", but such partition doesn't exist and is empty
there.

Fix this by removing the "denx,fit" flag from partition "kernel". With
this change the original behavior of searchif rootfs in partition "ubi"
is restored.

Signed-off-by: Oleg S <remittor@gmail.com>
2023-02-11 21:42:06 +08:00
Xu Yiming
1a145ccb0a
kernel: kmod-fs-ntfs3: fix typo
Fix typo that mistaken the description of ntfs3 for fuse.

Signed-off-by: Xu Yiming <xuyiming.open@outlook.com>
2023-02-09 03:16:51 +01:00
Felix Baumann
e8096de9a2
realtek: fix dts whitespace
Remove whitespace from otherwise empty lines

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:52 +01:00
Felix Baumann
d87482a8db
ramips: fix dts whitespace
Replace blanks with tabs
Remove whitespace from otherwise empty lines

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:52 +01:00
Felix Baumann
d88e2aa794
mediatek: fix dts whitespace
Replace blanks with tabs

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:52 +01:00
Felix Baumann
fc4bf73d39
kirkwood: fix dts whitespace
Replace blanks with tabs

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:51 +01:00
Felix Baumann
abdb9f327e
ipq807x: fix dts whitespace
Replace blanks with tabs

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:51 +01:00
Felix Baumann
505cf10e83
ipq806x: fix dts whitespace
Replace blanks with tabs

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:51 +01:00
Felix Baumann
836b994132
bcm63xx: fix dts whitespace
Remove whitespace from otherwise empty lines

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:50 +01:00
Felix Baumann
d0c64ae695
ath79: fix dts whitespace
Replace blanks with tabs
Remove whitespace from otherwise empty lines

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:50 +01:00
Felix Baumann
7fd28f2e3a
ipq40xx: fix dts whitespace
Remove whitespace from otherwise empty lines

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-09 03:03:47 +01:00
Rosen Penev
786c4099b4
tools/cmake: remove rpath ldflag
no longer needed because of tools/zstd

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-02-09 02:53:36 +01:00
Rosen Penev
e704a2b57b
tools/zstd: build libraries as static
Enables to get rid of rpath hack for all users.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-02-09 02:53:36 +01:00
Andre Heider
ad564cb019
toolchain/gcc: clean up CFLAGS
Instead of having two different ways to pass flags to the gcc build
process, add them as configure args, which is a reliable way to let
gcc pass them around to its various pieces.

Also add CXXFLAGS, since gcc started to use c++ for itself recently
(~10 years ago now).

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-02-09 02:53:35 +01:00
Andre Heider
4b8b89da50
toolchain/gcc: use explicit configure args
Spell out what we want to enable or disable. This prevents host libs to leak in,
so everyone get the same feature set.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-02-09 02:53:35 +01:00
Andre Heider
dd39f760b7
toolchain/binutils: use explicit configure args
Spell out what we want to enable or disable. This prevents host libs to leak in,
so everyone get the same feature set.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-02-09 02:53:31 +01:00
Robert Marko
721206a1b1 kernel: set default values for ARM low level debugging symbols
Set default values for KERNEL_DEBUG_LL and KERNEL_DEBUG_LL_UART_NONE again
as both of these symbols are non visible if KERNEL_EARLY_PRINTK is not
selected and KConfig wont write their value to .config.

This usually is the intended behaviour, but in OpenWrt we are relying on
the KConfig to set these and disable the debug console settings that
multiple targets like mvebu have set in their kernel config.
This was the behaviour before removing all of the "default n" settings
as KConfig by default considers symbols disabled but they are not visible
anymore and thus their value is not set in .config and build system then
later does not override the values from target kernel config.

So, to restore the behaviour to the previous one lets a default value for
KERNEL_DEBUG_LL and KERNEL_DEBUG_LL_UART_NONE.

Fixes: 8bc72ea7be ("treewide: strip useless default n Kconfig lines")
Tested-by: Georgi Valkov <gvalkov@gmail.com>
Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-02-08 16:21:05 +01:00
Felix Baumann
1c31ca5da9 ipq4019: fix dts white-space
Replace blanks with tabs
Remove whitespace from otherwise empty lines

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-08 02:29:55 +01:00
John Audia
712681458a kernel: bump 5.10 to 5.10.167
All patches automatically rebased.

Build system: x86_64
Build-tested: ramips/tplink_archer-a6-v3
Run-tested: ramips/tplink_archer-a6-v3

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-02-08 00:22:58 +01:00
John Audia
64cf31f6ff kernel: bump 5.15 to 5.15.92
All other patches automatically rebased.

Build system: x86_64
Build-tested: bcm2711/RPi4B, filogic/xiaomi_redmi-router-ax6000-ubootmod
Run-tested: bcm2711/RPi4B, filogic/xiaomi_redmi-router-ax6000-ubootmod

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-02-08 00:21:28 +01:00
Felix Baumann
d53ec2943a lantiq: ar9/vr9: add fritz-tffs package
Add fritz-tffs package to AVM devices
Reorder some devices packages for consistency

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-02-08 00:19:54 +01:00
Nick Hainke
b6bc924b19 e2fsprogs: update to 1.46.6
Release information:
https://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.6

Remove upstreamed patch:
- 004-CVE-2022-1304-libext2fs-add-sanity-check-to-extent-manipulation.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-02-08 00:14:53 +01:00
Nick Hainke
38350650cb tools/e2fsprogs: update to 1.46.6
Release information:
https://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.46.6

Remove upstreamed patch:
- 004-CVE-2022-1304-libext2fs-add-sanity-check-to-extent-manipulation.patch

Refresh patch:
- 003-no-crond.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-02-08 00:12:23 +01:00
Šimon Bořek
628870146d
mpc85xx: p2020: kernel: enable CONFIG_BLK_DEV_NVME
Enables use of NVMe storage devices with appropriate adapter in miniPCIe slots (including for boot)
in Turris 1.x routers and possibly NXP P2020RDB boards
(these are the only currently supported p2020 devices according to docs[^1]).

Proper detection, mountability and readability was proved to be working
on Turris 1.1, OpenWrt 21.02 with similar configuration.

Increases gzip compressed kernel size by approximately 37 KiB (from 3 703 KiB to 3 740 KiB).

Should boot from those devices be possible the driver needs to be built in.
Inclusion as a module would prevent this functionality.

CONFIG_BLK_DEV_NVME=y
Includes NVMe driver in the kernel.[^2]

CONFIG_NVME_CORE=y
Selected by CONFIG_BLK_DEV_NVME.[^3] Not necessarily needed to be enabled explicitly,
but included to match the form of similar functionality implementations
for mvebu, x86_64 and rockchip_armv8 targets.

CONFIG_NVME_MULTIPATH disabled explicitly to prevent using more space than necessary.

[^1]: https://openwrt.org/docs/techref/targets/mpc85xx
[^2]: https://cateee.net/lkddb/web-lkddb/BLK_DEV_NVME.html
[^3]: https://cateee.net/lkddb/web-lkddb/NVME_CORE.html

Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
2023-02-07 21:24:37 +01:00
Šimon Bořek
acd5aa0bb0
mpc85xx: p2020: kernel: refresh configuration
'make kernel_oldconfig CONFIG_TARGET=subtarget'
applied to current master

Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
2023-02-07 21:24:32 +01:00
Leon M. George
67d2a7ef9e
base-files: ipcalc.sh: fix awk regex syntax
It worked fine before but gawk warns about it.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:58 +01:00
Leon M. George
2903924b57
base-files: ipcalc.sh: trim for statement
For gawk compatibility.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:57 +01:00
Leon M. George
e4bd3de1be
dnsmasq: refuse to add empty DHCP range
Use ipcalc's return value to react to invalid range specifications.
By simply ignoring the range instead of aborting with an error code,
dnsmasq should still start when there's an error (best effort).
Aborting the config generation or working with invalid range specs leaves
dnsmasq crash-looping which is the right thing to do concerning that
particular interface but it also hinders DHCP service on other interfaces
and DNS on the router itself.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:57 +01:00
Leon M. George
6ce9f42b98
base-files: ipcalc.sh: use shebang to invoke awk
There's hardly an shell logic in ipcalc.sh and a $* that would garble
parameter positions.
Move the awk invokation to the shebang.

A rename from "ipcalc.sh" to "ipcalc" is desirable but could prove tricky
with packages in other repositories depending on the filename.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:57 +01:00
Leon M. George
a40a96e54b
base-files: ipcalc.sh: fail when network is too small
It's possible to move range boundaries in a way that the start address
lies behind the end address.
Detect this condition and exit with an error message.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:56 +01:00
Leon M. George
4fe106afd1
base-files: ipcalc.sh: don't include own address in range
Make sure our own address doesn't lie in the calculated range.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:56 +01:00
Leon M. George
00a20335ba
base-files: ipcalc.sh: check for params before calculating start/end
With this patch, ipcalc only calculates range boundaries if the
corresponding parameters are supplied.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2023-02-07 21:05:52 +01:00
Rafał Miłecki
4970dd027b bcm47xx: revert bgmac back to the old limited max frame size
Bumping max frame size has significantly affected network performance
and memory usage. It was done by upstream commit that first appeared in
the 5.7 release.

Allocating 512 (BGMAC_RX_RING_SLOTS) buffers, 10 k each, is clearly a
bad idea on 32 MiB devices. This commit fixes support for Linksys E1000
V2.1 which gives up after allocating ~346 such buffers running 5.15
kernel.

Ref: 230c9da963 ("bcm53xx: revert bgmac back to the old limited max frame size")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2023-02-07 18:29:34 +01:00
Filip Matijević
047fb7c76d
ipq806x: add missing enclosing reserved-memory block on C2600/AD7200
Most of the time when booting kernel prints a warning from
mm/page_alloc.c when pstore/ramoops is being initialized and ramoops is
not functional.

Fix this by moving ramopps node into reserved-memory block as described
in kernel documentation.

Fixes: 2964e5024c ("ipq806x: kernel ramoops storage for C2600/AD7200")
Signed-off-by: Filip Matijević <filip.matijevic.pz@gmail.com>
2023-02-07 16:27:02 +01:00
Robert Marko
bd9844a6fd ipq807x: refresh kernel config
Refresh the ipq807x kernel config to keep it up to date and in sync with
the generic one.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-02-07 11:22:50 +01:00
Christian Marangi
f28a604df4
iwinfo: bump to latest git HEAD
c7eb8eb nl80211: restore iterating over all devices in nl80211_phy2ifname()

Fixes: #11902
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-02-06 21:36:51 +01:00
Cezary Jackiewicz
cefc543b02
ipq40xx: fix assignment of lan port numbers for Cell C RTL30VW
After switching to DSA, the LAN ports in Cell C RTL30VW have swapped numbers. Assigning the right numbers.

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
2023-02-06 13:26:58 +01:00
Nick Hainke
6bc675c0be tools/pkgconf: add PKG_CPE_ID
Add PKG_CPE_ID to track vulnerabilities.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-02-05 22:39:17 +01:00
Nick Hainke
57ad2ea110 tools/pkgconf: update to 1.9.4
Release information:
https://github.com/pkgconf/pkgconf/blob/master/NEWS

Fixes CVE-2023-24056.

Further, this commit corrects the "-Dtests" flag and changes it from
"false" to "disabled".

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-02-05 22:39:17 +01:00
John Audia
c5608227ef tools/coreutils: update to 9.1
In addition to version update, this commit applies a fixup to allow building
on MacOS involving renaming: [gt_TYPE_WINT_T] --> [gt_TYPE_WINT_T_GNUTLS]
suggested by zhanhb.

Build system: x86_64
Build-tested: bcm2711/RPi4B

Signed-off-by: John Audia <graysky@archlinux.us>
2023-02-05 21:55:20 +01:00
Brian Norris
b5193291bd
ipq806x: onhub: Enable fstools_partname_fallback_scan
When fstools is unable to parse our root=<...> arg correctly, it can
fall back to scanning all block devices for a 'rootfs_data' partition.
This fallback was deemed wrong (or at least, a breaking/incompatible
change) for some targets, so we're forced to opt back into it with
fstools_partname_fallback_scan=1.

Without this, OnHub devices will use a rootfs-appended loop device for
rootfs_data instead of the intended 3rd partition.

While I'm at it, just move all the boot args into the 'cros-vboot'
build rule, instead of using the custom bootargs-append. All cros-vboot
subtargets here are using the same rootwait (to support both eMMC and
USB boot) and root/partition args.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
[ drop unrelated comments in commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-02-04 20:16:20 +01:00
Christian Marangi
3ef655375a
fstools: bump to latest Git HEAD
14d535e partname: Correct fstools_partname_fallback_scan comparison

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-02-04 20:04:58 +01:00
Rosen Penev
059263dd6e ipq807x: remove libwolfsslcpu-crypto dependency
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-02-04 02:35:03 +01:00
Rosen Penev
4bcc3fd3d2 treewide: replace libustream-wolfssl with -mbedtls
Previous commit does the same for wpad-basic. Also matches
DEFAULT_VARIANT in ustream-ssl Makefile.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-02-04 02:35:03 +01:00
Rosen Penev
2630e5063d treewide: replace wpad-basic-wolfssl default
The newly merged mbedtls backend is smaller and has fewer ABI related
issues than the wolfSSL one.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-02-04 02:35:03 +01:00
Andre Heider
19988b66d0 scripts: size_compare: print a grand total
Usefull to check the impact of treewide changes:
Change 	Local	Remote 	Package
+281	6191	5910	ubus
-547	56166	56713	procd
-13294	91544	104838	ubi-utils
~~~~~~~	total change	-13560

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-02-03 21:22:49 +01:00