John Crispin [Fri, 10 Aug 2018 13:48:21 +0000 (15:48 +0200)]
wpa_supplicant: fix CVE-2018-14526
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
Matthias Schiffer [Thu, 9 Aug 2018 20:45:26 +0000 (22:45 +0200)]
kernel: ext4: fix check to prevent initializing reserved inodes
The broken check would detect a newly generated root filesystem as corrupt
under certain circumstances, in some cases actually currupting the it while
trying to handle the error condition.
This is a regression introduced in kernel 4.4.140. The 4.14.y stable series
has already received this fix, while it is still pending for 4.4.y and
4.9.y.
Matthias Schiffer [Thu, 9 Aug 2018 18:25:38 +0000 (20:25 +0200)]
kernel: bump kernel 4.4 to version 4.4.147
target/linux/ar71xx/patches-4.4/103-MIPS-ath79-fix-register-address-in-ath79_ddr_wb_flus.patch
has been applied upstream; the two deleted brcm2708 patches have been
useless even before (as the second one only reverted the first one).
* New microcode update packages from AMD upstream:
+ New Microcodes:
sig 0x00800f12, patch id 0x08001227, 2018-02-09
+ Updated Microcodes:
sig 0x00600f12, patch id 0x0600063e, 2018-02-07
sig 0x00600f20, patch id 0x06000852, 2018-02-06
* Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
plus other unspecified fixes/updates.
Jo-Philipp Wich [Wed, 1 Aug 2018 07:11:17 +0000 (09:11 +0200)]
sdk: bundle usbip userspace sources
Bundle the usbip utility sources shipped with the Linux kernel tree in
order to allow the usbip packages from the package feed to build within
the OpenWrt SDK.
This backports tc class support to kernel 4.9 and other than conditional
kernel compilation pre-processor macros represents the cake that has
gone upstream into kernel 4.19. Loud cheer!
Fun may be had by changing cake tin classification for packets on
ingress. e.g.
tc filter add dev ifb4eth0 parent 800b: protocol ip u32 match \
ip dport 6981 0xffff action skbedit priority 800b:1
Where 800b: represents the filter handle for the ifb obtained by 'tc
qdisc' and the 1 from 800b:1 represents the cake tin number. So the
above example puts all incoming packets destined for port 6981 into the
BULK (lowest priority) tin.
f39ab9a Obey tin_order for tc filter classifiers 1e2473f Clean up after latest backport. 82531d0 Reorder includes to fix out of tree compilation 52cbc00 Code style cleanup 6cdb496 Fix argument order for NL_SET_ERR_MSG_ATTR() cab17b6 Remove duplicate call to qdisc_watchdog_init() 71c7991 Merge branch 'backport-classful' 32aa7fb Fix compilation on Linux 4.9 9f8fe7a Fix compilation on Linux 4.14 ceab7a3 Rework filter classification aad5436 Fixed version of class stats be1c549 Add cake-specific class stats 483399d Use tin_order for class dumps 80dc129 Add class dumping 0c8e6c1 Fix dropping when using filters c220493 Add the minimum class ops 5ed54d2 Start implementing tc filter/class support
Add upstream support for CAKE into iproute2 and conditionally enable it
depending on the build environment we're running under.
When running with SDK=1 and CONFIG_BUILDBOT=y we assume that we're
invoked by the release package builder at
http://release-builds.lede-project.org/17.01/packages/ and produce shared
iproute2 executables with legacy CAKE support for older released kernels.
When not running under the release package builder environment, produce
nonshared packages using the new, upstream CAKE support suitable for
the latest kernel.
Depending on the environment, suffix the PKG_RELEASE field with either
"-cake-legacy" or "-cake-upstream" to ensure that the nonshared packages
are preferred by opkg for newer builds.
Tim Small [Wed, 4 Jul 2018 13:05:18 +0000 (14:05 +0100)]
WDR4900v1 remove dt node for absent hw crypto.
The WDR4900v1 uses the P1040 SoC, so the device tree pulls in the
definition for the related P1010 SoC. However, the P1040 lacks the
CAAM/SEC4 hardware crypto accelerator which the P1010 device tree
defines. If left defined, this causes the CAAM drivers (if present) to
attempt to use the non-existent device, making various crypto-related
operations (e.g. macsec and ipsec) fail.
This commit overrides the incorrect dt node definition in the included
file.
See also:
- https://bugs.openwrt.org/index.php?do=details&task_id=1262
- https://community.nxp.com/thread/338432#comment-474107
Signed-off-by: Tim Small <tim@seoss.co.uk> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit e97aaf483c71fd5e3072ec2dce53354fc97357c9)
Christian Lamparter [Mon, 16 Jul 2018 20:56:35 +0000 (22:56 +0200)]
apm821xx: fix sata access freezes
The original vendor's driver programmed the dma controller's
AHB HPROT values to enable bufferable, privileged mode. This
along with the "same priorty for both channels" fixes the
freezes according to @takimata, @And.short, that have been
reported on the forum by @ticerex.
Furtheremore, @takimata reported that the patch also improved
the performance of the HDDs considerably:
|<https://forum.lede-project.org/t/wd-mybook-live-duo-two-disks/16195/55>
|It seems your patch unleashed the full power of the SATA port.
|Where I was previously hitting a really hard limit at around
|82 MB/s for reading and 27 MB/s for writing, I am now getting this:
|
|root@OpenWrt:/mnt# time dd if=/dev/zero of=tempfile bs=1M count=1024
|1024+0 records in
|1024+0 records out
|real 0m 13.65s
|user 0m 0.01s
|sys 0m 11.89s
|
|root@OpenWrt:/mnt# time dd if=tempfile of=/dev/null bs=1M count=1024
|1024+0 records in
|1024+0 records out
|real 0m 8.41s
|user 0m 0.01s
|sys 0m 4.70s
|
|This means: 121 MB/s reading and 75 MB/s writing!
|
|[...]
|
|The drive is a WD Green WD10EARX taken from an older MBL Single.
|I repeated the test a few times with even larger files to rule out
|any caching, I'm still seeing the same great performance. OpenWrt is
|now completely on par with the original MBL firmware's performance.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
scripts: bundle-libraries: fix build on OS X (FS#1493)
This allegedly fixes compilation of the library bundler preload library on
Apple OS X. The resulting executables have not been runtime tested due to a
lack of suitable test hardware.
Jo-Philipp Wich [Thu, 25 Jan 2018 16:12:29 +0000 (17:12 +0100)]
build: bundle-libraries.sh: patch bundled ld.so
Remove references to /etc/, /lib/ and /usr/ from the bundled ld.so
interpreter using simple binary patching.
This is needed to prevent loading host system libraries such as
libnss_compat.so.2 on foreign systems, which may result in ld.so
inconsistency assertions.
mtd: improve check for TRX header being already fixed
First of all lengths should be compared after checking all blocks for
being good/bad. It's because requested length may differ from a final
one if there were some bad blocks.
Secondly it makes sense to also compare crc32 since we already have a
new one calculated.
Reading MTD data with (p)read doesn't return any error when accessing
bad block. As the result, with current code, CRC32 covers "data" stored
in bad blocks.
That behavior doesn't match CFE's one (bootloader simply skips bad
blocks) and may result in:
1) Invalid CRC32
2) CFE refusing to boot firmware with a following error:
Boot program checksum is invalid
Fix that problem by checking every block before reading its content.
This backports tc class support to kernel 4.9 and other than conditional
kernel compilation pre-processor macros represents the cake that has
gone upstream into kernel 4.19. Loud cheer!
Fun may be had by changing cake tin classification for packets on
ingress. e.g.
tc filter add dev ifb4eth0 parent 800b: protocol ip u32 match \
ip dport 6981 0xffff action skbedit priority 800b:1
Where 800b: represents the filter handle for the ifb obtained by 'tc
qdisc' and the 1 from 800b:1 represents the cake tin number. So the
above example puts all incoming packets destined for port 6981 into the
BULK (lowest priority) tin.
f39ab9a Obey tin_order for tc filter classifiers 1e2473f Clean up after latest backport. 82531d0 Reorder includes to fix out of tree compilation 52cbc00 Code style cleanup 6cdb496 Fix argument order for NL_SET_ERR_MSG_ATTR() cab17b6 Remove duplicate call to qdisc_watchdog_init() 71c7991 Merge branch 'backport-classful' 32aa7fb Fix compilation on Linux 4.9 9f8fe7a Fix compilation on Linux 4.14 ceab7a3 Rework filter classification aad5436 Fixed version of class stats be1c549 Add cake-specific class stats 483399d Use tin_order for class dumps 80dc129 Add class dumping 0c8e6c1 Fix dropping when using filters c220493 Add the minimum class ops 5ed54d2 Start implementing tc filter/class support
These two patches:
target/linux/ar71xx/patches-4.4/403-mtd_fix_cfi_cmdset_0002_status_check.patch
target/linux/ramips/patches-4.4/0036-mtd-fix-cfi-cmdset-0002-erase-status-check.patch
are replaced by upstream commit 242dbd2b3df ("mtd: cfi_cmdset_0002:
Change erase functions to check chip good only")
Matti Laakso [Sun, 14 Jan 2018 15:39:53 +0000 (17:39 +0200)]
ar71xx: fix 5 GHz Wi-Fi on NBG6716
Some NBG6716 do not have ath10k calibration data in flash, only in chip
OTP. To determine if flash has a valid calibration data, the first two
bytes telling the length of the calibration data are checked against the
requested length. If the lengths match, calibration data is valid and
read from flash.
Signed-off-by: Matti Laakso <matti.laakso@outlook.com>
Hauke Mehrtens [Sat, 9 Jun 2018 13:59:41 +0000 (15:59 +0200)]
kernel: bump kernel 4.4 to version 4.4.137
The new option CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE was added, in this
commit:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?h=linux-4.4.y&id=ffe4bf3eb3cfa10f9ef295c08c21f4fe3bb07e21
Handle it by setting it to the opposite value
CONFIG_CC_OPTIMIZE_FOR_SIZE is set to.
Tony Ambardar [Thu, 8 Mar 2018 05:00:45 +0000 (21:00 -0800)]
base-files: fix UCI config parsing and callback handling
There are several long-standing issues present in the UCI shell API as
documented in https://wiki.openwrt.org/doc/devel/config-scripting. They
relate both to high-level, user-defined callback functions used to
process UCI config files, and also to low-level functions used within
scripts generally.
The related problems have been encountered now and in the past, e.g.
https://forum.openwrt.org/viewtopic.php?id=54295, and include:
a) UCI parsing option() function and user-defined option_cb() callbacks
being erroneously called during processing of "list" config file entries;
b) normal usage of the low-level config_set() unexpectedy calling any
defined option_cb() if present; and
c) handling of the list_cb() not respecting the NO_CALLBACK variable.
Root causes include a function stack "inversion", where the low-level
config_set() function incorrectly calls the high-level option() function,
intended only for processing the "option" keyword of UCI config files.
This change addresses the inversion and other issues, making the option
handling code more consistent and smaller, and simplifying developers'
usage of UCI callbacks.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
Jo-Philipp Wich [Wed, 6 Jun 2018 11:41:26 +0000 (13:41 +0200)]
mtd: add build hack to reintroduce shared mtd for older releases
When running in SDK context, treat the mtd package as shared to reintroduce
the common repository binary package for older released IBs.
When building outside of the SDK, create a nonshared package with a higher
PKG_REVISION to let opkg prefer that over the shared one in the common repo.
Ref: https://forum.lede-project.org/t/17-01-4-opkg-install-cmd-cannot-install-package-mtd/15312 Fixes: aaac9e82aa ("mtd: mark as nonshared to fix FS#484") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The mtd tool is built with different configurations depending on the
target. For example, brcm47xx adds the fixtrx subcommand, without which
an image fails when booting the second time.
Mark the mtd package as nonshared to really fix FS#484.
This make sit possible to store informations about a session and reuse
it later. When used by a server it increases the time to create a new
TLS session from about 1 second to less than 0.1 seconds.
The size of the ipkg file increased by about 800 Bytes.
Imre Kaloz [Thu, 15 Feb 2018 18:57:05 +0000 (19:57 +0100)]
mvebu: Add support for WRT3200ACM with new NAND flash
Newer Linksys boards might come with a Winbond W29N02GV which can be
configured in different ways. Make sure we configure it the same way as
the older chips so everything keeps working.
Mirko Parthey [Tue, 22 May 2018 19:23:36 +0000 (21:23 +0200)]
brcm47xx: add switch port mapping to Asus WL-500W
Switch ports 0..3 are connected to external ports LAN{1..4} in sequence,
switch port 4 is not used, and switch port 5 is connected to the CPU.
The WAN port is attached to the CPU's second network interface; it has no
connection to the internal switch.
Reuse the "Dell TrueMobile 2300" entry, which describes the same mapping.
Chris Blake [Fri, 31 Mar 2017 09:31:21 +0000 (04:31 -0500)]
apm821xx: Add default packages to NAND target
This moves core router packages to the NAND target, to ensure they are
applied to all images. This change is being done due to an issue found
when flashing the MX60W image, which came without these when built as a
multi image.
"The OpenWRT Commit" - this significantly speeds up performance on cheap
plastic MIPS routers, and presumably the remaining MIPS32r2 super computers
out there.
* timers: reinitialize state on init
* timers: round up instead of down in slack_time
* timers: remove slack_time
* timers: clear send_keepalive timer on sending handshake response
* timers: no need to clear keepalive in persistent keepalive
Andrew He and I have helped simplify the timers and remove some old warts,
making the whole system a bit easier to analyze.
* tools: fix errno propagation and messages
Error messages are now more coherent.
* device: remove allowedips before individual peers
This avoids an O(n^2) traversal in favor of an O(n) one. Before systems with
many peers would grind when deleting the interface.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Toke Høiland-Jørgensen [Sun, 13 May 2018 18:15:50 +0000 (20:15 +0200)]
wireguard: Add support for ip6prefix config option
This makes it easier to distribute prefixes over a wireguard tunnel
interface, by simply setting the ip6prefix option in uci (just like with
other protocols).
Obviously, routing etc needs to be setup properly for things to work; this
just adds the config option so the prefix can be assigned to other
interfaces.
6b4a340 version: bump snapshot faa2103 compat: don't clear header bits on RHEL 4014532 compat: handle RHEL 7.5's recent backports 66589bc queueing: preserve pfmemalloc header bit 37f114a chacha20poly1305: make gcc 8.1 happy 926caae socket: use skb_put_data 724d979 wg-quick: preliminary support for go implementation c454c26 allowedips: simplify arithmetic 71d44be allowedips: produce better assembly with unsigned arithmetic 5e3532e allowedips: use native endian on lookup 856f105 allowedips: add selftest for allowedips_walk_by_peer 41df6d2 embeddable-wg-library: zero attribute padding 9a1bea6 keygen-html: add zip file example f182b1a qemu: retry on 404 in wget for kernel.org race
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7cc2668 version: bump snapshot 860c7c7 poly1305: do not place constants in different sections 5f1e4ca compat: remove unused dev_recursion_level backport 7e4b991 blake2s: remove unused helper 13225fc send: simplify skb_padding with nice macro a1525bf send: account for route-based MTU bbb2fde wg-quick: account for specified fwmark in auto routing mode c452105 qemu: bump default version dbe5223 version: bump snapshot 1d3ef31 chacha20poly1305: put magic constant behind macro cdc164c chacha20poly1305: add self tests from wycheproof 1060e54 curve25519: add self tests from wycheproof 0e1e127 wg-quick.8: fix typo 2b06b8e curve25519: precomp const correctness 8102664 curve25519: memzero in batches 1f54c43 curve25519: use cmov instead of xor for cswap fa5326f curve25519: use precomp implementation instead of sandy2x 9b19328 compat: support OpenSUSE 15 3102d28 compat: silence warning on frankenkernels 8f64c61 compat: stable kernels are now receiving b87b619 62127f9 wg-quick: hide errors on save
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
7c0d711 version: bump snapshot b6a5cc0 contrib: add extract-handshakes kprobe example 37dc953 wg-quick: if resolvconf/run/iface exists, use it 1f9be19 wg-quick: if resolvconf/interface-order exists, use it 4d2d395 noise: align static_identity keys 14395d2 compat: use correct -include path 38c6d8f noise: fix function prototype 302d0c0 global: in gnu code, use un-underscored asm ff4e06b messages: MESSAGE_TOTAL is unused ea81962 crypto: read only after init e35f409 Kconfig: require DST_CACHE explicitly 9d5baf7 Revert "contrib: keygen-html: rewrite in pure javascript" 6e09a46 contrib: keygen-html: rewrite in pure javascript e0af0f4 compat: workaround netlink refcount bug ec65415 contrib: embedded-wg-library: add key generation functions 06099b8 allowedips: fix comment style ce04251 contrib: embedded-wg-library: add ability to add and del interfaces 7403191 queueing: skb_reset: mark as xnet
Changes:
* queueing: skb_reset: mark as xnet
This allows cgroups to classify packets.
* contrib: embedded-wg-library: add ability to add and del interfaces
* contrib: embedded-wg-library: add key generation functions
The embeddable library gains a few extra tricks, for people implementing
plugins for various network managers.
* crypto: read only after init
* allowedips: fix comment style
* messages: MESSAGE_TOTAL is unused
* global: in gnu code, use un-underscored asm
* noise: fix function prototype
Small cleanups.
* compat: workaround netlink refcount bug
An upstream refcounting bug meant that in certain situations it became
impossible to unload the module. So, we work around it in the compat code. The
problem has been fixed in 4.16.
* contrib: keygen-html: rewrite in pure javascript
* Revert "contrib: keygen-html: rewrite in pure javascript"
We nearly moved away from emscripten'ing the fiat32 code, but the resultant
floating point javascript was just too terrifying.
* Kconfig: require DST_CACHE explicitly
Required for certain frankenkernels.
* compat: use correct -include path
Fixes certain out-of-tree build systems.
* noise: align static_identity keys
Gives us better alignment of private keys.
* wg-quick: if resolvconf/interface-order exists, use it
* wg-quick: if resolvconf/run/iface exists, use it
Better compatibility with Debian's resolvconf.
* contrib: add extract-handshakes kprobe example
Small utility for extracting ephemeral key data from the kernel's memory.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (git log --oneline description)
2675814 version: bump snapshot 381d703 qemu: update base versions c3fbd9d curve25519: break more things with more test cases 93fa0d9 curve25519: replace fiat64 with faster hacl64 6177bdd curve25519: replace hacl64 with fiat64 b9bf37d curve25519: verify that specialized basepoint implementations are correct bd3f0d8 tools: dedup secret normalization 1f87434 chacha20poly1305: better buffer alignment 78959ed chacha20poly1305: use existing rol32 function 494cdea tools: fread doesn't change errno ab89bdc device: let udev know what kind of device we are 62e8720 qemu: disable AVX-512 in userland 6342bf7 qemu: disable PIE for compilation e23e451 contrib: keygen-html: share curve25519 implementation with kernel 6b28fa6 tools: share curve25519 implementations with kernel c80cbfa poly1305: add poly-specific self-tests 10a2edf curve25519-fiat32: uninline certain functions
9a93a3d version: bump snapshot 7bc0579 contrib: keygen-html: update curve25519 implementation ffc13a3 tools: import new curve25519 implementations 0ae7356 curve25519: wire up new impls and remove donna f90e36b curve25519: resolve symbol clash between fe types 505bc05 curve25519: import 64-bit hacl-star implementation 8c02050 curve25519: import 32-bit fiat-crypto implementation 96157fd curve25519: modularize implementation 4830fc7 poly1305: remove indirect calls bfd1a5e tools: plug memleak in config error path 09bf49b external-tests: add python implementation b4d5801 wg-quick: ifnames have max len of 15 6fcd86c socket: check for null socket before fishing out sport ddb8270 global: year bump 399d766 receive: treat packet checking as irrelevant for timers
Felix Fietkau [Mon, 30 Apr 2018 12:03:28 +0000 (14:03 +0200)]
kernel: add missing in6_dev_put_clear call to an ipv6 network patch
Fixes "unregister_netdevice: waiting for lo to become free. Usage count = 1"
messages which started appearing since the update to 4.4.103. That
problem was exposed by upstream commit 76da0704507bb ("ipv6: only call
ip6_route_dev_notify() once for NETDEV_UNREGISTER") backported to 4.4.x
branch in 2417da3f4d6bc.
Fixes: 2b664499cd622 ("kernel: bump 4.4 to 4.4.103 for 17.01") Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 58f7b5b96c301176d639540df4723c798af2a999)
ar71xx: Ubiquiti Airmax M: add relocate-kernel to invalidate cache
Some Ubiquiti U-boot versions, in particular the "U-Boot 1.1.4.2-s956
(Jun 10 2015 - 10:54:50)" found with AirOS 5.6, do not correctly flush the
caches for the whole kernel address range after decompressing the kernel
image, leading to hard to debug boot failures, depending on kernel version
and configuration.
As a workaround, prepend the relocate-kernels loader, which will invalidate
the caches after moving the kernel to the correct load address.
Reported-by: Andreas Ziegler <dev@andreas-ziegler.de> Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
base-files: /lib/functions.sh: ignore errors in insert_modules
Package postinst will pass even names of builtin modules to insert_modules,
leading to postinst failing with error 255. This has been fixed in master
in r5279, but for lede-17.01 this minimal change is preferable.
mbedtls: change libmbedcrypto.so soversion back to 0
mbedtls changed in version 2.7.0 and 2.7.2 the soversion of the
libmbedcrypto.so library, use the old version again to be able to use
the new library with binaries compiled against the old mbedtls library.
Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.
Go back to libmbedcrypto.so.0 and make the system rebuild the binaries
which were rebuild for 2.7.0 again.
This should make the libmbedcrypto.so library be compatible with the old
version shipped with 17.01.
Fixes: 3ca1438ae0 ("mbedtls: update to version 2.7.2") Fixes: f609913b5c ("mbedtls: update to version 2.7.0") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is important fix for flash parsing in some corner cases. In case
of TRX subpartition with rootfs being aligned to the flash block size it
was incorrectly registered twice. Detecting & registering it as a
standalone partition was resulting in an incorrect "firmware" partition
size and possibly broken sysupgrade.
It wasn't noticed before because "rootfs" alignment depends on a kernel
size. It can happen though - depending on the configuration and the
kernel size.
ar71xx: sysupgrade: improve CPE/WBS 210/510 validation, add new metadata offset
Previously, tplink_pharos_check_image() would accept any image with ELF
magic and only non-printable data in the support-list, as in this case the
while-read loop would not run at all. Add the new support-list offset and
ensure an image is only accepted when the model string is actually found.
Switching from kernel 4.4.120 to 4.4.124 introduced a regression in
the genirq code. It was caused by a commit 9d0273bb1c4b6 ("genirq: Use
irqd_get_trigger_type to compare the trigger type for shared IRQs").
On bcm53xx it breaks serial console and results in a flood of:
[ 22.078829] genirq: Flags mismatch irq 18. 00000080 (serial) vs. 00000080 (gpio)
[ 22.086432] genirq: Flags mismatch irq 18. 00000080 (serial) vs. 00000080 (gpio)
[ 22.601150] genirq: Flags mismatch irq 18. 00000080 (serial) vs. 00000080 (gpio)
[ 22.608845] genirq: Flags mismatch irq 18. 00000080 (serial) vs. 00000080 (gpio)
Later in the upstream "linux-4.4.y" branch that commit was reverted and
it was followed by a 4.4.126 release. Until we switch from 4.4.124 to
4.4.126 (or newer), let's backport that reverting commit.
Fixes: bed0ee7cbfaa5 ("Kernel: bump 4.4 to 4.4.124 for 17.01") Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Hauke Mehrtens [Sun, 4 Mar 2018 19:38:00 +0000 (20:38 +0100)]
mbedtls: update to version 2.7.0
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures
This release is also ABI incompatible with the previous one, but it is
API compatible.
Some functions used by a lot of other software was renamed and the old
function names are provided as a static inline now, but they are only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.
Also increase the PKG_RELEASE version to force a rebuild and update of
packages depending on mbedtls to handle the changed ABI.
Stefan Lippers-Hollmann [Sun, 4 Mar 2018 21:57:04 +0000 (22:57 +0100)]
tools/e2fsprogs: fix building on a glibc 2.27 host
The e2fsprogs host build fails on a glibc 2.27 host with
make[6]: Entering directory 'build_dir/host/e2fsprogs-1.43.7/debugfs'
CC create_inode.o
./../misc/create_inode.c:399:18: error: conflicting types for 'copy_file_range'
static errcode_t copy_file_range(ext2_filsys fs, int fd, ext2_file_t e2_file,
^~~~~~~~~~~~~~~
In file included from ./../misc/create_inode.c:19:0:
/usr/include/unistd.h:1110:9: note: previous declaration of 'copy_file_range' was here
ssize_t copy_file_range (int __infd, __off64_t *__pinoff,
^~~~~~~~~~~~~~~
Matthias Schiffer [Mon, 5 Mar 2018 08:13:53 +0000 (09:13 +0100)]
base-files: tune fragment queue thresholds for available system memory
The default fragment low/high thresholds are 3 and 4 MB. On devices with
only 32MB RAM, these settings may lead to OOM when many fragments that
cannot be reassembled are received. Decrease fragment low/high thresholds
to 384 and 512 kB on devices with less than 64 MB RAM.
Matthias Schiffer [Tue, 6 Mar 2018 13:29:46 +0000 (14:29 +0100)]
include/rootfs.mk: retain list of conffiles with CONFIG_CLEAN_IPKG
/usr/lib/opkg/status must not be removed completely, otherwise the
packages' conffile lists will be missing. Replace it with a reduced version
only containing the conffile entries.
Zoltan HERPAI [Sat, 10 Feb 2018 20:19:41 +0000 (21:19 +0100)]
firmware: add microcode package for Intel
Compiling the Intel microcode package results in a
microcode.bin and a microcode-64.bin. As we can
decide based on the subtarget which should be used,
we'll only split the required .bin file with
iucode-tool.
x64 will get the intel-microcode-64.bin
All other variants will get intel-microcode.bin
The microcodes will be updated from preinit via a common
script - that's the earliest place where we can do it.
Zoltan HERPAI [Sun, 11 Feb 2018 11:30:07 +0000 (12:30 +0100)]
tools: add iucode-tool
Add tool to "compile" Intel microcode files. The tool will be
compiled for host (to split the microcode.dat) and for target
(to forcibly reload the microcode if required).
Instead of using the large microcode.bin/microcode-64.bin, the
splitted ucode files (separate for CPU families) will be
installed.
projects / users / dwmw2 / openwrt.git / log