Merge for Mariner 2.0 June 2024 (#9361)

This commit is contained in:
Pawel Winogrodzki 2024-06-07 17:26:47 -07:00 коммит произвёл GitHub
Родитель b593ba2e31 bc8648f36b
Коммит a952e5f20a
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
137 изменённых файлов: 4927 добавлений и 2526 удалений

.github/CODEOWNERS поставляемый

@ -1,98 +1,2 @@
# By default all files require a review by at lest one member of the CBL-Mariner developers team.
* @microsoft/cbl-mariner-devs
# Modification to this file require admin approval.
/.github/CODEOWNERS @microsoft/cbl-mariner-admins
# Modifications to the build pipelines require admin approval.
/.pipelines/* @microsoft/cbl-mariner-admins
# Modifications to the CredScan exceptions require admin approval.
/.config/CredScanSuppressions.json @microsoft/cbl-mariner-admins
# Modification to what is considered "core packages" require admin approval.
/SPECS/core-packages/* @microsoft/cbl-mariner-admins
# Modification to specific packages go to specific teams
/SPECS/installkernel/* @microsoft/cbl-mariner-kernel
/SPECS/kernel/* @microsoft/cbl-mariner-kernel
/SPECS/kernel-azure/* @microsoft/cbl-mariner-kernel
/SPECS/kernel-hci/* @microsoft/cbl-mariner-kernel
/SPECS/kernel-headers/* @microsoft/cbl-mariner-kernel
/SPECS/kernel-mshv/* @microsoft/cbl-mariner-kata-containers
/SPECS/kernel-uvm/* @microsoft/cbl-mariner-kata-containers
/SPECS-SIGNED/kernel-signed/* @microsoft/cbl-mariner-kernel
/SPECS-SIGNED/kernel-hci-signed/* @microsoft/cbl-mariner-kernel
/SPECS-SIGNED/kernel-azure-signed/* @microsoft/cbl-mariner-kernel
/SPECS-SIGNED/kernel-mstflint-signed/* @microsoft/cbl-mariner-kernel
/SPECS-SIGNED/kernel-mshv-signed/* @microsoft/cbl-mariner-kata-containers
/SPECS/grub2/* @microsoft/cbl-mariner-bootloader
/SPECS/grubby/* @microsoft/cbl-mariner-bootloader
/SPECS/shim/* @microsoft/cbl-mariner-bootloader
/SPECS/shim-unsigned/* @microsoft/cbl-mariner-bootloader
/SPECS/shim-unsigned-x64/* @microsoft/cbl-mariner-bootloader
/SPECS/shim-unsigned-aarch64/* @microsoft/cbl-mariner-bootloader
/SPECS-SIGNED/grub2-efi-binary-signed/* @microsoft/cbl-mariner-bootloader
/SPECS/dracut/* @microsoft/cbl-mariner-dracut
/SPECS/initramfs/* @microsoft/cbl-mariner-dracut
/SPECS/verity-read-only-root/* @microsoft/cbl-mariner-dracut
/SPECS/systemd/* @microsoft/cbl-mariner-systemd
/SPECS/bcc/* @microsoft/cbl-mariner-debug-tools
/SPECS/bpftrace/* @microsoft/cbl-mariner-debug-tools
/SPECS/crash/* @microsoft/cbl-mariner-debug-tools
/SPECS/gdb/* @microsoft/cbl-mariner-debug-tools
/SPECS/kexec-tools/* @microsoft/cbl-mariner-debug-tools
/SPECS/openssl/* @microsoft/cbl-mariner-openssl
/SPECS/SymCrypt-OpenSSL/* @microsoft/cbl-mariner-openssl
/SPECS/SymCrypt/* @microsoft/cbl-mariner-openssl
/SPECS/KeysInUse-OpenSSL/* @microsoft/cbl-mariner-openssl
/SPECS/dnf/* @microsoft/cbl-mariner-package-managers
/SPECS/dnf-plugins-core/* @microsoft/cbl-mariner-package-managers
/SPECS/rpm/* @microsoft/cbl-mariner-package-managers
/SPECS/tdnf/* @microsoft/cbl-mariner-package-managers
/SPECS/moby-buildx/* @microsoft/cbl-mariner-container-runtime
/SPECS/moby-cli/* @microsoft/cbl-mariner-container-runtime
/SPECS/moby-containerd/* @microsoft/cbl-mariner-container-runtime
/SPECS/moby-containerd-cc/* @microsoft/cbl-mariner-kata-containers
/SPECS/moby-engine/* @microsoft/cbl-mariner-container-runtime
/SPECS/moby-runc/* @microsoft/cbl-mariner-container-runtime
/SPECS/kata-containers/* @microsoft/cbl-mariner-kata-containers
/SPECS/kata-containers-cc/* @microsoft/cbl-mariner-kata-containers
/SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers
/SPECS/cloud-hypervisor/* @microsoft/cbl-mariner-virtualization
/SPECS/hvloader/* @microsoft/cbl-mariner-kata-containers
/SPECS-SIGNED/hvloader-signed/* @microsoft/cbl-mariner-kata-containers
/SPECS/cloud-init/* @microsoft/cbl-mariner-provisioning
/SPECS/walinuxagent/* @microsoft/cbl-mariner-provisioning
# Modifications to the toolkit requires reviews from the toolkit team
/toolkit/ @microsoft/cbl-mariner-tooling
# Docs to be reviewed by general CBL-Mariner devs
/toolkit/docs/ @microsoft/cbl-mariner-devs
# Default image configurations to be reviewed by general CBL-Mariner devs
/toolkit/imageconfigs/ @microsoft/cbl-mariner-devs
# Package and toolchain manifests to be reviewed by general CBL-Mariner devs
/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @microsoft/cbl-mariner-devs
/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @microsoft/cbl-mariner-devs
/toolkit/resources/manifests/package/toolchain_aarch64.txt @microsoft/cbl-mariner-devs
/toolkit/resources/manifests/package/toolchain_x86_64.txt @microsoft/cbl-mariner-devs
# Modifications to the raw toolchain require admin approval.
/toolkit/scripts/toolchain/container/* @microsoft/cbl-mariner-admins
/toolkit/scripts/toolchain/cgmanifest.json @microsoft/cbl-mariner-admins
/toolkit/scripts/toolchain/create_toolchain_in_container.sh @microsoft/cbl-mariner-admins
# Modifications to the trusted CA certificates require admin approval.
/SPECS/*ca-certificates*/* @microsoft/cbl-mariner-admins
# For stable release branches, ensure stable release maintainers are added as code reviewers
* @microsoft/cbl-mariner-stable-maintainers
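Review bot: With the single catch-all `* @microsoft/cbl-mariner-stable-maintainers` remaining, the admin-only review that the removed lines placed on `/.github/CODEOWNERS`, `/.pipelines/*`, `/.config/CredScanSuppressions.json` and `/SPECS/*ca-certificates*/*` no longer exists on this branch, so any stable maintainer can approve changes to the CI pipelines, the secret-scanning exceptions and the trust store. Because CODEOWNERS takes the last matching pattern, those entries were already shadowed if the `*` rule was already the final line of the old file — the rendered diff does not show whether it was — in which case this is a cleanup rather than a loosening. Either way, a one-line comment stating that stable maintainers are the sole gate on this branch (`# Stable branch: every path, including pipelines, CredScan suppressions and CA bundles, is gated by the stable maintainers team`) would make the intent explicit; if admin gating is still wanted for those paths, their entries must come after the `*` line to take effect.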


@ -6,7 +6,7 @@
Summary: Signed HvLoader.efi for %{buildarch} systems
Name: hvloader-signed-%{buildarch}
Version: 1.0.1
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -69,6 +69,9 @@ popd
/boot/efi/HvLoader.efi
%changelog
* Fri May 31 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-3.cm2
- Update version for consistency with hvloader spec
* Fri May 10 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-2
- Update version for consistency with hvloader spec


@ -9,7 +9,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for Azure
Name: kernel-azure-signed-%{buildarch}
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -4,7 +4,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for HCI
Name: kernel-hci-signed-%{buildarch}
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -149,6 +149,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -4,7 +4,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for MOS systems
Name: kernel-mos-signed-%{buildarch}
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -150,6 +150,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Jun 07 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.158.2-1
- Update to 5.15.158.2
* Wed May 08 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.158.1-1
- Update to 5.15.158.1


@ -6,8 +6,8 @@
%define uname_r %{version}-%{release}
Summary: Signed MSHV-enabled Linux Kernel for %{buildarch} systems
Name: kernel-mshv-signed-%{buildarch}
Version: 5.15.126.mshv9
Release: 3%{?dist}
Version: 5.15.157.mshv1
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -149,6 +149,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg
%exclude /lib/modules/%{uname_r}/build
%changelog
* Tue May 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.157.mshv1-1
- Auto-upgrade to 5.15.157.mshv1
* Mon Apr 01 2024 Cameron Baird <cameronbaird@microsoft.com> - 5.15.126.mshv9-3
- BuildRequires: grub2-rpm-macros to expand mkconfig configuration requirement


@ -9,7 +9,7 @@
%define uname_r %{version}-%{release}
Summary: Signed Linux Kernel for %{buildarch} systems
Name: kernel-signed-%{buildarch}
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -153,6 +153,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%exclude /module_info.ld
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1

SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md сгенерированный



@ -2165,6 +2165,7 @@
"check-restart",
"clamav",
"cloud-hypervisor",
"cloud-hypervisor-cvm",
"cmake-fedora",
"coredns",
"csi-driver-lvm",


@ -0,0 +1,40 @@
commit 7e4d5dabe7a9b754c601f214e65b544e67ba9f59
Author: Up-wind <lj.upwind@gmail.com>
Date: Mon Mar 25 20:07:11 2024 +0800
Add NULL check to cJSON_SetValuestring()
If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen.
This commit adds the NULL check of valuestring before it is dereferenced.
---
binutils/cJSON.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/binutils/cJSON.c b/binutils/cJSON.c
index 541934c..e85ac11 100644
--- a/binutils/cJSON.c
+++ b/binutils/cJSON.c
@@ -393,6 +393,7 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number)
return object->valuedouble = number;
}
+/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as an error and return NULL */
CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
char *copy = NULL;
@@ -401,8 +402,8 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
return NULL;
}
- /* return NULL if the object is corrupted */
- if (object->valuestring == NULL)
+ /* return NULL if the object is corrupted or valuestring is NULL */
+ if (object->valuestring == NULL || valuestring == NULL)
{
return NULL;
}
--
2.25.1
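Review bot: The guard added at `if (object->valuestring == NULL || valuestring == NULL)` runs after the type test on `object` that precedes the hunk, so if that test is upstream cJSON's `object->type` check, a NULL `object` is still dereferenced before this point; hoisting both checks to the top of the function (`if (object == NULL || valuestring == NULL) return NULL;`) would cover that case too. If the fast path that follows the hunk is upstream's strlen-compare-then-`strcpy`-in-place, it is also worth returning early when `valuestring == object->valuestring`, since `strcpy` on overlapping buffers is undefined behaviour and this patch is what the spec cites as the CVE-2024-31755 fix. The body of `cJSON_SetValuestring` continues outside the hunk. Minor wording in the added comment: `treats this as an error and return NULL` should read `returns NULL`.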


@ -1,7 +1,7 @@
Summary: AppArmor is an effective and easy-to-use Linux application security system.
Name: apparmor
Version: 3.0.4
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -10,6 +10,7 @@ URL: https://launchpad.net/apparmor
Source0: https://launchpad.net/apparmor/3.0/3.0.4/+download/%{name}-%{version}.tar.gz
Patch1: apparmor-service-start-fix.patch
Patch2: CVE-2023-50471.patch
Patch3: CVE-2024-31755.patch
# CVE-2016-1585 has no upstream fix as of 2020/09/28
Patch100: CVE-2016-1585.nopatch
BuildRequires: apr
@ -354,6 +355,9 @@ make DESTDIR=%{buildroot} install
%exclude %{perl_archlib}/perllocal.pod
%changelog
* Thu May 30 2024 Sumedh Sharma <sumsharma@microsoft.com> - 3.0.4-4
- Add patch for CVE-2024-31755
* Wed Dec 27 2023 Dallas Delaney <dadelan@microsoft.com> - 3.0.4-3
- Add patch for CVE-2023-50471 and CVE-2023-50472


@ -1,5 +1,5 @@
{
"Signatures": {
"azl-compliance-1.0.1.tar.gz": "1d96b99ec755500383e5ff6bad01f1ac85848f067488f3ce29a99e6eb57a86b7"
"azl-compliance-1.0.2.tar.gz": "552605848f3bf8bf311f5356b13e318babad0f9288b5c75df9094c1d6ad038aa"
}
}


@ -1,6 +1,6 @@
Summary: Azure Linux compliance package to meet all sorts of compliance rules
Name: azl-compliance
Version: 1.0.1
Version: 1.0.2
Release: 1%{?dist}
License: BSD-3-Clause
Vendor: Microsoft Corporation
@ -53,6 +53,9 @@ cd azl-compliance
cargo test --release --offline
%changelog
* Thu Jun 06 2024 Tobias Brick <tobiasb@microsoft.com> 1.0.2-1
- Update to version 1.0.2
* Tue Mar 19 2024 Tobias Brick <tobiasb@microsoft.com> 1.0.1-1
- Original version for CBL-Mariner.
- License verified


@ -0,0 +1,43 @@
From d02be38fc6c54828d5eec15efe058c61f3df4a60 Mon Sep 17 00:00:00 2001
From: Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com>
Date: Thu, 30 May 2024 16:33:17 -0700
Subject: [PATCH] backport patch CVE-2024-26147. Based off commit https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af
---
vendor/helm.sh/helm/v3/pkg/plugin/plugin.go | 4 ++++
vendor/helm.sh/helm/v3/pkg/repo/index.go | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
index 1399b71..df580db 100644
--- a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
+++ b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
@@ -173,6 +173,10 @@ var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$")
// validatePluginData validates a plugin's YAML data.
func validatePluginData(plug *Plugin, filepath string) error {
+ // When metadata section missing, initialize with no data
+ if plug.Metadata == nil {
+ plug.Metadata = &Metadata{}
+ }
if !validPluginName.MatchString(plug.Metadata.Name) {
return fmt.Errorf("invalid plugin name at %q", filepath)
}
diff --git a/vendor/helm.sh/helm/v3/pkg/repo/index.go b/vendor/helm.sh/helm/v3/pkg/repo/index.go
index 60cfe58..94852bb 100644
--- a/vendor/helm.sh/helm/v3/pkg/repo/index.go
+++ b/vendor/helm.sh/helm/v3/pkg/repo/index.go
@@ -347,6 +347,10 @@ func loadIndex(data []byte, source string) (*IndexFile, error) {
log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source)
continue
}
+ // When metadata section missing, initialize with no data
+ if cvs[idx].Metadata == nil {
+ cvs[idx].Metadata = &chart.Metadata{}
+ }
if cvs[idx].APIVersion == "" {
cvs[idx].APIVersion = chart.APIVersionV1
}
--
2.34.1
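Review bot: In `loadIndex` the substituted `&chart.Metadata{}` only removes the nil dereference; whether an entry with no metadata is then dropped depends on the validation that follows outside the hunk, so for this vendored helm copy it is worth a unit test confirming that an index entry lacking `metadata` ends in the "skipping loading invalid entry" path rather than surviving with an empty name and version. The `plugin.go` change is self-sufficient as shown, because `validPluginName` requires at least one character and so an empty `Metadata.Name` fails the check on the very next line. Both enclosing functions continue beyond their hunks. Since this is a backport into cert-manager's vendor tree, any other package in the repo that vendors the same pre-fix helm v3 needs the identical patch; the diff does not show whether one exists.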


@ -1,7 +1,7 @@
Summary: Automatically provision and manage TLS certificates in Kubernetes
Name: cert-manager
Version: 1.11.2
Release: 9%{?dist}
Release: 10%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -21,6 +21,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version
Source1: %{name}-%{version}-govendor.tar.gz
Patch0: CVE-2023-48795.patch
Patch1: CVE-2023-45288.patch
Patch2: CVE-2024-26147.patch
BuildRequires: golang
Requires: %{name}-acmesolver
Requires: %{name}-cainjector
@ -113,6 +114,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
%{_bindir}/webhook
%changelog
* Thu May 30 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 1.11.2-10
- Patch for CVE-2024-26147
* Thu Apr 18 2024 Chris Gunn <chrisgun@microsoft.com> - 1.11.2-9
- Fix for CVE-2023-45288


@ -0,0 +1,7 @@
{
"Signatures": {
"cloud-hypervisor-cvm-38.0.72-vendor.tar.gz": "6092868ed042c0397e4e96f2572a59d80491662b6c68fd210fe458a8f7d0d429",
"cloud-hypervisor-cvm-38.0.72.tar.gz": "e6d15d99c5d9ec4bede43ef8fac971d2cc0ae49a7eafffc6ca7e5b948ed4282a",
"config.toml": "74c28b7520c157109b8990b325fe8f13504e56561a9bac51499d4c6bf4a66e52"
}
}


@ -0,0 +1,216 @@
%define using_rustup 0
%define using_musl_libc 0
%define using_vendored_crates 1
Name: cloud-hypervisor-cvm
Summary: Cloud Hypervisor CVM is an open source Virtual Machine Monitor (VMM) that enables running SEV SNP enabled VMs on top of MSHV using the IGVM file format as payload.
Version: 38.0.72
Release: 1%{?dist}
License: ASL 2.0 OR BSD-3-clause
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Applications/System
URL: https://github.com/microsoft/cloud-hypervisor
Source0: https://github.com/microsoft/cloud-hypervisor/archive/refs/tags/msft/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
%if 0%{?using_vendored_crates}
# Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
# To update the cache and config.toml run:
# tar -xf %{name}-%{version}.tar.gz
# cd %{name}-%{version}
# cargo vendor > config.toml
# tar -czf %{name}-%{version}-cargo.tar.gz vendor/
# rename the tarball to %{name}-%{version}-cargo.tar.gz when updating version
Source1: %{name}-%{version}-vendor.tar.gz
Source2: config.toml
%endif
Conflicts: cloud-hypervisor
BuildRequires: binutils
BuildRequires: gcc
BuildRequires: git
BuildRequires: glibc-devel
BuildRequires: openssl-devel
%if ! 0%{?using_rustup}
BuildRequires: rust >= 1.62.0
BuildRequires: cargo >= 1.62.0
%endif
Requires: bash
Requires: glibc
Requires: libgcc
Requires: libcap
ExclusiveArch: x86_64
%ifarch x86_64
%define rust_def_target x86_64-unknown-linux-gnu
%define cargo_pkg_feature_opts --no-default-features --features "mshv,kvm,sev_snp,igvm"
%endif
%ifarch aarch64
%define rust_def_target aarch64-unknown-linux-gnu
%define cargo_pkg_feature_opts --all
%endif
%if 0%{?using_musl_libc}
%ifarch x86_64
%define rust_musl_target x86_64-unknown-linux-musl
%endif
%ifarch aarch64
%define rust_musl_target aarch64-unknown-linux-musl
%endif
%endif
%if 0%{?using_vendored_crates}
%define cargo_offline --offline
%endif
%description
Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM. The project focuses on exclusively running modern, cloud workloads, on top of a limited set of hardware architectures and platforms. Cloud workloads refers to those that are usually run by customers inside a cloud provider. For our purposes this means modern Linux* distributions with most I/O handled by paravirtualised devices (i.e. virtio), no requirement for legacy devices and recent CPUs and KVM.
%prep
%setup -q -n cloud-hypervisor-%{version}
%if 0%{?using_vendored_crates}
tar xf %{SOURCE1}
mkdir -p .cargo
cp %{SOURCE2} .cargo/
%endif
%install
install -d %{buildroot}%{_bindir}
install -D -m755 ./target/%{rust_def_target}/release/cloud-hypervisor %{buildroot}%{_bindir}
%if 0%{?using_musl_libc}
install -d %{buildroot}%{_libdir}/cloud-hypervisor/static
install -D -m755 target/%{rust_musl_target}/release/cloud-hypervisor %{buildroot}%{_libdir}/cloud-hypervisor/static
install -D -m755 target/%{rust_musl_target}/release/ch-remote %{buildroot}%{_libdir}/cloud-hypervisor/static
%endif
%build
cargo_version=$(cargo --version)
if [[ $? -ne 0 ]]; then
echo "Cargo not found, please install cargo. exiting"
exit 0
fi
%if 0%{?using_rustup}
which rustup
if [[ $? -ne 0 ]]; then
echo "Rustup not found please install rustup #curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh"
fi
%endif
echo ${cargo_version}
%if 0%{?using_rustup}
rustup target list --installed | grep x86_64-unknown-linux-gnu
if [[ $? -ne 0 ]]; then
echo "Target x86_64-unknown-linux-gnu not found, please install(#rustup target add x86_64-unknown-linux-gnu). exiting"
fi
%if 0%{?using_musl_libc}
rustup target list --installed | grep x86_64-unknown-linux-musl
if [[ $? -ne 0 ]]; then
echo "Target x86_64-unknown-linux-musl not found, please install(#rustup target add x86_64-unknown-linux-musl). exiting"
fi
%endif
%endif
%if 0%{?using_vendored_crates}
# For vendored build, prepend this so openssl-sys doesn't trigger full OpenSSL build
export OPENSSL_NO_VENDOR=1
%endif
cargo build --release --target=%{rust_def_target} %{cargo_pkg_feature_opts} %{cargo_offline}
%if 0%{?using_musl_libc}
cargo build --release --target=%{rust_musl_target} %{cargo_pkg_feature_opts} %{cargo_offline}
%endif
%files
%defattr(-,root,root,-)
%caps(cap_net_admin=ep) %{_bindir}/cloud-hypervisor
%if 0%{?using_musl_libc}
%{_libdir}/cloud-hypervisor/static/ch-remote
%caps(cap_net_admim=ep) %{_libdir}/cloud-hypervisor/static/cloud-hypervisor
%endif
%license LICENSE-APACHE
%license LICENSE-BSD-3-Clause
%changelog
* Wed May 15 2024 Saul Paredes <saulparedes@microsoft.com> - 38.0.72-1
- Initial CBL-Mariner import from Azure
- Upgrade to v38.0.72
- Update install to match cloud-hypervisor install locations
- Add conflicts with cloud-hypervisor
- License verified.
* Mon Nov 6 2023 Dallas Delaney <dadelan@microsoft.com> - 32.0.314-2000
- Upgrade to v32.0.314
* Thu Sep 21 2023 Saul Paredes <saulparedes@microsoft.com> - 32.0.209-2000
- Upgrade to v32.0.209
* Fri Sep 15 2023 Saul Paredes <saulparedes@microsoft.com> - 32.0.192-2000
- Upgrade to v32.0.192
* Tue Aug 1 2023 Saul Paredes <saulparedes@microsoft.com> - 32.0.0-2000
- Accomodate cloud-hypervisor
* Fri May 19 2023 Anatol Belski <anbelski@linux.microsoft.com> - 32.0.0-1000
- Upgrade to v32.0
* Wed Apr 19 2023 Anatol Belski <anbelski@linux.microsoft.com> - 31.1.0-1000
- Upgrade to v31.1
* Thu Apr 06 2023 Anatol Belski <anbelski@linux.microsoft.com> - 31.0.0-1000
- Upgrade to v31.0
* Fri Feb 24 2023 Anatol Belski <anbelski@linux.microsoft.com> - 30.0.0-1000
- Upgrade to v30.0
* Sun Jan 15 2023 Anatol Belski <anbelski@linux.microsoft.com> - 29.0.0-1000
- Upgrade to v29.0
* Thu Dec 15 2022 Anatol Belski <anbelski@linux.microsoft.com> - 28.1.0-1000
- Upgrade to v28.1
* Thu Nov 17 2022 Anatol Belski <anbelski@linux.microsoft.com> - 28.0.0-1000
- Upgrade to v28.0
* Wed Oct 12 2022 Anatol Belski <anbelski@linux.microsoft.com> - 27.0.0-1001
- Spec refactoring towards pulling an arbitrary revision
* Wed Oct 05 2022 Anatol Belski <anbelski@linux.microsoft.com> - 27.0-1
- Upgrade to 27.0
* Thu Sep 15 2022 Anatol Belski <anbelski@linux.microsoft.com> - 26.0-2
- Unbundle tarballs from git
* Wed Aug 17 2022 Anatol Belski <anbelski@linux.microsoft.com> - 26.0-1
- Pull release 26.0 for Mariner from upstream
* Tue May 16 2022 Anatol Belski <anbelski@linux.microsoft.com> - 23.1-0
- Initial import 23.1 for Mariner from upstream
* Thu Apr 13 2022 Rob Bradford <robert.bradford@intel.com> 23.0-0
- Update to 23.0
* Thu Mar 03 2022 Rob Bradford <robert.bradford@intel.com> 22.0-0
- Update to 22.0
* Thu Jan 20 2022 Rob Bradford <robert.bradford@intel.com> 21.0-0
- Update to 21.0
* Thu Dec 02 2021 Sebastien Boeuf <sebastien.boeuf@intel.com> 20.0-0
- Update to 20.0
* Mon Nov 08 2021 Fabiano Fidêncio <fabiano.fidencio@intel.com> 19.0-0
- Update to 19.0
* Fri May 28 2021 Muminul Islam <muislam@microsoft.com> 15.0-0
- Update version to 15.0
* Wed Jul 22 2020 Muminul Islam <muislam@microsoft.com> 0.8.0-0
- Initial version
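Review bot: The cargo-not-found branch in `%build` ends with `exit 0` after printing "Cargo not found, please install cargo. exiting", so if that branch is ever reached the build step reports success without having compiled anything; it should be `exit 1` (rpm scriptlets usually run under `sh -e`, which would abort on the failed command substitution first, but the explicit status should still be non-zero). The `%caps(cap_net_admim=ep)` entry in the musl `%files` block misspells `cap_net_admin`; it is dead while `using_musl_libc` is 0 but would break packaging the day that switch is flipped. The `%caps(cap_net_admin=ep)` file capability on `%{_bindir}/cloud-hypervisor` grants CAP_NET_ADMIN to any user who runs the VMM, which mirrors the existing cloud-hypervisor spec but deserves a one-line comment stating why it is required (tap/network device setup, presumably) so a later reviewer does not drop or widen it blindly. The vendoring instructions in the comment block refer to `%{name}-%{version}-cargo.tar.gz` while `Source1` is `%{name}-%{version}-vendor.tar.gz`; aligning the comment avoids a mismatch the next time the vendor tarball and its pinned hash are regenerated.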


@ -0,0 +1,50 @@
[source.crates-io]
replace-with = "vendored-sources"
[source."git+https://github.com/cloud-hypervisor/kvm-bindings?branch=ch-v0.7.0"]
git = "https://github.com/cloud-hypervisor/kvm-bindings"
branch = "ch-v0.7.0"
replace-with = "vendored-sources"
[source."git+https://github.com/cloud-hypervisor/versionize_derive?branch=ch-0.1.6"]
git = "https://github.com/cloud-hypervisor/versionize_derive"
branch = "ch-0.1.6"
replace-with = "vendored-sources"
[source."git+https://github.com/firecracker-microvm/micro-http?branch=main"]
git = "https://github.com/firecracker-microvm/micro-http"
branch = "main"
replace-with = "vendored-sources"
[source."git+https://github.com/microsoft/igvm?branch=main"]
git = "https://github.com/microsoft/igvm"
branch = "main"
replace-with = "vendored-sources"
[source."git+https://github.com/rust-vmm/acpi_tables?branch=main"]
git = "https://github.com/rust-vmm/acpi_tables"
branch = "main"
replace-with = "vendored-sources"
[source."git+https://github.com/rust-vmm/mshv?branch=main"]
git = "https://github.com/rust-vmm/mshv"
branch = "main"
replace-with = "vendored-sources"
[source."git+https://github.com/rust-vmm/vfio-user?branch=main"]
git = "https://github.com/rust-vmm/vfio-user"
branch = "main"
replace-with = "vendored-sources"
[source."git+https://github.com/rust-vmm/vfio?branch=main"]
git = "https://github.com/rust-vmm/vfio"
branch = "main"
replace-with = "vendored-sources"
[source."git+https://github.com/rust-vmm/vm-fdt?branch=main"]
git = "https://github.com/rust-vmm/vm-fdt"
branch = "main"
replace-with = "vendored-sources"
[source.vendored-sources]
directory = "vendor"


@ -1,7 +1,7 @@
{
"Signatures": {
"cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915",
"cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419",
"config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458"
}
"Signatures": {
"cloud-hypervisor-32.0-cargo.tar.gz": "2dd7ca374109ba337afeb0ff95d5edac8193431ec74cdbb6b1a400c600f4d915",
"cloud-hypervisor-32.0.tar.gz": "b9754a5ecd26697e5416a642345b2f35f4fdc983a83d540d740978309f2eb419",
"config.toml": "6d2aeec19782ae17eb2708262b0a7c551db3cc36b56542abca18d577de042458"
}
}


@ -5,7 +5,7 @@
Summary: Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM.
Name: cloud-hypervisor
Version: 32.0
Release: 3%{?dist}
Release: 4%{?dist}
License: ASL 2.0 OR BSD-3-clause
Vendor: Microsoft Corporation
Distribution: Mariner
@ -28,6 +28,8 @@ Patch2: CVE-2023-50711-vhost.patch
Patch3: CVE-2023-50711-versionize.patch
%endif
Conflicts: cloud-hypervisor-cvm
BuildRequires: binutils
BuildRequires: gcc
BuildRequires: git
@ -162,6 +164,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{
%license LICENSE-BSD-3-Clause
%changelog
* Mon May 20 2024 Saul Paredes <saulparedes@microsoft.com> - 32.0-4
- Add conflicts with cloud-hypervisor-cvm
* Mon Jan 15 2024 Sindhu Karri <lakarri@microsoft.com> - 32.0-3
- Patch CVE-2023-50711 in vendor/vmm-sys-util, vendor/vhost, vendor/versionize


@ -0,0 +1,38 @@
From 976ab1f4c916099fc1f2e6569f13e45df2f26b4f Mon Sep 17 00:00:00 2001
From: Peter Hunt <pehunt@redhat.com>
Date: Tue, 26 Mar 2024 12:07:17 -0400
Subject: [PATCH] annotations: add OCI runtime specific annotations to the
AllowedAnnotations
meaning an admin would have to opt-into allowing them to be used
Signed-off-by: Peter Hunt <pehunt@redhat.com>
---
pkg/annotations/annotations.go | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
index 51920eb..e517f18 100644
--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@@ -48,4 +48,17 @@ var AllAllowedAnnotations = []string{
OCISeccompBPFHookAnnotation,
rdt.RdtContainerAnnotation,
TrySkipVolumeSELinuxLabelAnnotation,
+ // Keep in sync with
+ // https://github.com/opencontainers/runc/blob/3db0871f1cf25c7025861ba0d51d25794cb21623/features.go#L67
+ // Once runc 1.2 is released, we can use the `runc features` command to get this programatically,
+ // but we should hardcode these for now to prevent misuse.
+ "bundle",
+ "org.systemd.property.",
+ "org.criu.config",
+
+ // Simiarly, keep in sync with
+ // https://github.com/containers/crun/blob/475a3fd0be/src/libcrun/container.c#L362-L366
+ "module.wasm.image/variant",
+ "io.kubernetes.cri.container-type",
+ "run.oci.",
}
--
2.33.8
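Review bot: The new entries `org.systemd.property.` and `run.oci.` are key prefixes rather than full annotation names, so whether they actually block `org.systemd.property.ExecStartPre`-style annotations depends on the filter that consumes `AllAllowedAnnotations` doing prefix matching; that code is outside the hunk and, in a 1.22.3 backport, may not match upstream main, so a test that a pod annotation `org.systemd.property.X` is dropped unless the runtime handler's `allowed_annotations` opts in would pin the fix. The comment's "keep in sync with runc features.go" link points at a runc 1.2 tree; the runc this CRI-O vendors is presumably older, so the list should be checked against that version too. Two typos in the added comment lines: `Simiarly` → `Similarly`, `programatically` → `programmatically`.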


@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
# Define macros for further referenced sources
Name: cri-o
Version: 1.22.3
Release: 1%{?dist}
Release: 2%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
@ -63,6 +63,7 @@ Patch7: CVE-2022-21698.patch
Patch8: CVE-2023-44487.patch
Patch9: CVE-2024-28180.patch
Patch10: CVE-2024-21626.patch
Patch11: CVE-2024-3154.patch
BuildRequires: btrfs-progs-devel
BuildRequires: device-mapper-devel
BuildRequires: fdupes
@ -215,6 +216,9 @@ mkdir -p /opt/cni/bin
%{_fillupdir}/sysconfig.kubelet
%changelog
* Mon Jun 03 2024 Bala <balakumaran.kannan@microsoft.com> - 1.22.3-2
- Patch CVE-2024-3154
* Thu May 21 2024 Henry Li <lihl@microsoft.com> - 1.22.3-1
- Upgrade to 1.22.3 to resolve regressed CVE-2022-0811
- Updated vendor source tar


@ -0,0 +1,190 @@
Backported patch upstream to apply to CBL-Mariner.
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
From da0eafcdee52147e72d407cc3b9f179378ee1d3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 30 May 2023 08:46:17 +0200
Subject: [PATCH] Improve RBT overmem cache cleaning
When cache memory usage is over the configured cache size (overmem) and
we are cleaning unused entries, it might not be enough to clean just two
entries if the entries to be expired are smaller than the newly added
rdata. This could be abused by an attacker to cause a remote Denial of
Service by possibly running out of the operating system memory.
Currently, the addrdataset() tries to do a single TTL-based cleaning
considering the serve-stale TTL and then optionally moves to overmem
cleaning if we are in that condition. Then the overmem_purge() tries to
do another single TTL based cleaning from the TTL heap and then continue
with LRU-based cleaning up to 2 entries cleaned.
Squash the TTL-cleaning mechanism into single call from addrdataset(),
but ignore the serve-stale TTL if we are currently overmem.
Then instead of having a fixed number of entries to clean, pass the size
of newly added rdatasetheader to the overmem_purge() function and
cleanup at least the size of the newly added data. This prevents the
cache going over the configured memory limit (`max-cache-size`).
Additionally, refactor the overmem_purge() function to reduce for-loop
nesting for readability.
---
bind_ln/lib/dns/rbtdb.c | 102 ++++++++++++++++++------------
1 file changed, 60 insertions(+), 42 deletions(-)
diff --git a/bind_ln/lib/dns/rbtdb.c b/bind_ln/lib/dns/rbtdb.c
index 3ee1876..68b45d8 100644
--- a/bind_ln/lib/dns/rbtdb.c
+++ b/bind_ln/lib/dns/rbtdb.c
@@ -815,7 +815,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
bool tree_locked, expire_t reason);
static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
- isc_stdtime_t now, bool tree_locked);
+ size_t purgesize, bool tree_locked);
static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
rdatasetheader_t *newheader);
static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
@@ -6817,6 +6817,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
static dns_dbmethods_t zone_methods;
+static size_t
+rdataset_size(rdatasetheader_t *header) {
+ if (!NONEXISTENT(header)) {
+ return (dns_rdataslab_size((unsigned char *)header,
+ sizeof(*header)));
+ }
+
+ return (sizeof(*header));
+}
+
static isc_result_t
addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
@@ -6971,7 +6981,7 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
}
if (cache_is_overmem)
- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
+ overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader), tree_locked);
NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
isc_rwlocktype_write);
@@ -6986,10 +6996,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
cleanup_dead_nodes(rbtdb, rbtnode->locknum);
header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
- expire_header(rbtdb, header, tree_locked,
- expire_ttl);
+ if (header != NULL) {
+ dns_ttl_t rdh_ttl = header->rdh_ttl;
+ if (rdh_ttl < now - RBTDB_VIRTUAL) {
+ expire_header(rbtdb, header, tree_locked,
+ expire_ttl);
+ }
+ }
/*
* If we've been holding a write lock on the tree just for
* cleaning, we can release it now. However, we still need the
@@ -10494,54 +10508,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
}
-/*%
- * Purge some expired and/or stale (i.e. unused for some period) cache entries
- * under an overmem condition. To recover from this condition quickly, up to
- * 2 entries will be purged. This process is triggered while adding a new
- * entry, and we specifically avoid purging entries in the same LRU bucket as
- * the one to which the new entry will belong. Otherwise, we might purge
- * entries of the same name of different RR types while adding RRsets from a
- * single response (consider the case where we're adding A and AAAA glue records
- * of the same NS name).
+static size_t
+expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
+ bool tree_locked) {
+ rdatasetheader_t *header, *header_prev;
+ size_t purged = 0;
+
+ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+ header != NULL && purged <= purgesize; header = header_prev)
+ {
+ header_prev = ISC_LIST_PREV(header, link);
+ /*
+ * Unlink the entry at this point to avoid checking it
+ * again even if it's currently used someone else and
+ * cannot be purged at this moment. This entry won't be
+ * referenced any more (so unlinking is safe) since the
+ * TTL was reset to 0.
+ */
+ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
+ size_t header_size = rdataset_size(header);
+ expire_header(rbtdb, header, tree_locked, expire_lru);
+ purged += header_size;
+ }
+
+ return (purged);
+}
+
+ /*%
+ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache
+ * entries under the overmem condition. To recover from this condition quickly,
+ * we cleanup entries up to the size of newly added rdata (passed as purgesize).
+ *
+ * This process is triggered while adding a new entry, and we specifically avoid
+ * purging entries in the same LRU bucket as the one to which the new entry will
+ * belong. Otherwise, we might purge entries of the same name of different RR
+ * types while adding RRsets from a single response (consider the case where
+ * we're adding A and AAAA glue records of the same NS name).
*/
static void
overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
- isc_stdtime_t now, bool tree_locked)
+ size_t purgesize, bool tree_locked)
{
- rdatasetheader_t *header, *header_prev;
unsigned int locknum;
- int purgecount = 2;
+ size_t purged = 0;
for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
- locknum != locknum_start && purgecount > 0;
+ locknum != locknum_start && purged <= purgesize;
locknum = (locknum + 1) % rbtdb->node_lock_count) {
NODE_LOCK(&rbtdb->node_locks[locknum].lock,
isc_rwlocktype_write);
- header = isc_heap_element(rbtdb->heaps[locknum], 1);
- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) {
- expire_header(rbtdb, header, tree_locked,
- expire_ttl);
- purgecount--;
- }
-
- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
- header != NULL && purgecount > 0;
- header = header_prev) {
- header_prev = ISC_LIST_PREV(header, link);
- /*
- * Unlink the entry at this point to avoid checking it
- * again even if it's currently used someone else and
- * cannot be purged at this moment. This entry won't be
- * referenced any more (so unlinking is safe) since the
- * TTL was reset to 0.
- */
- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
- link);
- expire_header(rbtdb, header, tree_locked,
- expire_lru);
- purgecount--;
- }
+ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged,
+ tree_locked);
NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
isc_rwlocktype_write);
--
2.25.1


@ -1,13 +1,14 @@
Summary: Dynamic host configuration protocol
Name: dhcp
Version: 4.4.3
Release: 2%{?dist}
Release: 3%{?dist}
License: MPLv2.0
Url: https://www.isc.org/dhcp/
Source0: ftp://ftp.isc.org/isc/dhcp/%{version}/%{name}-%{version}.tar.gz
Patch0: CVE-2022-38177.patch
Patch1: CVE-2022-38178.patch
Patch2: CVE-2022-2795.patch
Patch3: CVE-2023-2828.patch
Group: System Environment/Base
Vendor: Microsoft Corporation
Distribution: Mariner
@ -178,6 +179,9 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/dhclient/
%{_mandir}/man8/dhclient.8.gz
%changelog
* Wed May 29 2024 Sumedh Sharma <sumsharma@microsoft.com> - 4.4.3-3
- Fix CVE-2023-2828
* Tue Apr 30 2024 Elaine Zhao <elainezhao@microsoft.com> - 4.4.3-2
- Fix CVE-2022-38177, CVE-2022-38178, CVE-2022-2795 for bundled bind
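Review bot: The new changelog entry `- Fix CVE-2023-2828` does not say that the fix applies to the bind copy bundled in this package, although the preceding entry does (`for bundled bind`) and the patch added just above edits `bind_ln/lib/dns/rbtdb.c`; `- Fix CVE-2023-2828 for bundled bind` keeps the two entries consistent and tells vulnerability scanners which component is being patched. Whether `Patch3` is actually applied cannot be confirmed from this section, since `%prep` lies outside it.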


@ -1,5 +1,6 @@
{
"Signatures": {
"docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968"
"docbook-xsl-1.79.1.tar.bz2": "725f452e12b296956e8bfb876ccece71eeecdd14b94f667f3ed9091761a4a968",
"xalan-j_2_7_3-bin.tar.gz": "c3a36e027f91acbec3f2139343a4798a943f8b2957aab1cfb2eb57f4aeadccbc"
}
}


@ -1,13 +1,15 @@
Summary: Docbook-xsl-1.79.1
Name: docbook-style-xsl
Version: 1.79.1
Release: 13%{?dist}
License: ASL 2.0
Release: 14%{?dist}
License: DMIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: Development/Tools
URL: https://www.docbook.org
Source0: http://downloads.sourceforge.net/docbook/docbook-xsl-%{version}.tar.bz2
# CVE-2022-34169: xalan 2.7.2 has security issue that is solved in 2.7.3
Source1: https://dlcdn.apache.org/xalan/xalan-j/binaries/xalan-j_2_7_3-bin.tar.gz
BuildRequires: libxml2
BuildRequires: zip
Requires: docbook-dtd-xml
@ -24,6 +26,12 @@ allowing you to utilize transformations already written for that standard.
%prep
%setup -q -n docbook-xsl-%{version}
# CVE-2022-34169: xalan 2.7.2 has security issue that is solved by 2.7.3,
# so replace the embedded jar files in docbook-xsl release before continuing
mkdir ./CVE-2022-34169
tar -xf %{SOURCE1} -C ./CVE-2022-34169
mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/.
rm -rf ./CVE-2022-34169
%build
zip -d tools/lib/jython.jar Lib/distutils/command/wininst-6.exe
@ -102,6 +110,10 @@ fi
%{_docdir}/*
%changelog
* Mon Jun 03 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.79.1-14
- Fix CVE-2022-34169 by using newer release of xalan
- License should be DMIT. License verified
* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.79.1-10
- Added %%license line automatically
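Review bot: `mv ./CVE-2022-34169/xalan-j_2_7_3/*.jar ./tools/lib/.` in `%prep` only overwrites jars whose filenames coincide with those in the 2.7.3 binary distribution; an embedded jar with a different name (a version-suffixed xalan or serializer jar, say) would stay in `tools/lib` and be shipped next to the fixed one, and the wildcard also moves in every other jar the bundle carries. Removing the embedded xalan/serializer jars explicitly before the `mv`, or listing `tools/lib` afterwards and failing the build if a pre-2.7.3 jar remains, would make the CVE-2022-34169 remediation verifiable at build time. Whether the names actually collide cannot be confirmed from this section.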


@ -0,0 +1,114 @@
diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
index 2a06f42..87af852 100644
--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
+++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
@@ -219,7 +219,10 @@ type2str(uint8 type)
static bool
is_32bit_type(uint8 type)
{
- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
+ if (type == VALUE_TYPE_I32
+ || type == VALUE_TYPE_F32
+ /* the operand stack is in polymorphic state */
+ || type == VALUE_TYPE_ANY
#if WASM_ENABLE_REF_TYPES != 0
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
#endif
@@ -6690,6 +6693,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
int32 i, available_stack_cell;
uint16 cell_num;
+ bh_assert(loader_ctx->csp_num > 0);
if (loader_ctx->csp_num < depth + 1) {
set_error_buf(error_buf, error_buf_size,
"unknown label, "
@@ -7758,8 +7762,7 @@ re_scan:
}
if (available_stack_cell > 0) {
- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
+ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
loader_ctx->frame_ref--;
loader_ctx->stack_cell_num--;
#if WASM_ENABLE_FAST_INTERP != 0
diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
index 47ec549..157a82c 100644
--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
+++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
@@ -51,7 +51,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
static bool
is_32bit_type(uint8 type)
{
- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
+ if (type == VALUE_TYPE_I32
+ || type == VALUE_TYPE_F32
+ /* the operand stack is in polymorphic state */
+ || type == VALUE_TYPE_ANY
#if WASM_ENABLE_REF_TYPES != 0
|| type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
#endif
@@ -3930,7 +3933,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
ctx->frame_ref--;
ctx->stack_cell_num--;
- if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY)
+ if (is_32bit_type(type))
return true;
ctx->frame_ref--;
@@ -5839,13 +5842,11 @@ re_scan:
case WASM_OP_BR_TABLE:
{
uint8 *ret_types = NULL;
- uint32 ret_count = 0;
+ uint32 ret_count = 0, depth = 0;
#if WASM_ENABLE_FAST_INTERP == 0
- uint8 *p_depth_begin, *p_depth;
- uint32 depth, j;
BrTableCache *br_table_cache = NULL;
-
- p_org = p - 1;
+ uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1;
+ uint32 j;
#endif
read_leb_uint32(p, p_end, count);
@@ -5854,6 +5855,16 @@ re_scan:
#endif
POP_I32();
+ /* Get each depth and check it */
+ p_org = p;
+ for (i = 0; i <= count; i++) {
+ read_leb_uint32(p, p_end, depth);
+ bh_assert(loader_ctx->csp_num > 0);
+ bh_assert(loader_ctx->csp_num - 1 >= depth);
+ (void)depth;
+ }
+ p = p_org;
+
#if WASM_ENABLE_FAST_INTERP == 0
p_depth_begin = p_depth = p;
#endif
@@ -5879,8 +5890,8 @@ re_scan:
error_buf, error_buf_size))) {
goto fail;
}
- *p_org = EXT_OP_BR_TABLE_CACHE;
- br_table_cache->br_table_op_addr = p_org;
+ *p_opcode = EXT_OP_BR_TABLE_CACHE;
+ br_table_cache->br_table_op_addr = p_opcode;
br_table_cache->br_count = count;
/* Copy previous depths which are one byte */
for (j = 0; j < i; j++) {
@@ -6099,8 +6110,7 @@ re_scan:
&& !cur_block->is_stack_polymorphic));
if (available_stack_cell > 0) {
- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
+ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
loader_ctx->frame_ref--;
loader_ctx->stack_cell_num--;
#if WASM_ENABLE_FAST_INTERP != 0
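Review bot: In the wasm_mini_loader.c `WASM_OP_BR_TABLE` hunk the new depth bounds check exists only as `bh_assert(loader_ctx->csp_num - 1 >= depth)`; if `bh_assert` compiles to nothing in this package's build configuration the check disappears and an out-of-range depth is not rejected, whereas the full loader keeps a runtime `if (loader_ctx->csp_num < depth + 1)` error path after its assert. The trailing `(void)depth;` suggests the authors anticipated such a build, which is consistent with the mini loader being intended for pre-validated modules, but that assumption should be confirmed for the configuration built here. A one-line comment at the loop, `/* mini loader: depth validation is assert-only; modules must be validated before loading */`, would record it for the next maintainer.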


@ -0,0 +1,779 @@
From c60999c186c23cff79dad4dd31c838404ace228e Mon Sep 17 00:00:00 2001
From: "jinyong.choi" <inimax801@gmail.com>
Date: Wed, 18 Oct 2023 23:58:38 +0900
Subject: [PATCH 1/2] in_tail: Delete unmanaged inodes from db during startup
(#8025) (1/2)
To prevent incorrect inode references,
FluentBit automatically removes unmanaged inodes during startup.
Signed-off-by: jinyong.choi <inimax801@gmail.com>
---
plugins/in_tail/tail.c | 9 ++
plugins/in_tail/tail_db.c | 161 +++++++++++++++++++++++++++++++
plugins/in_tail/tail_db.h | 3 +
plugins/in_tail/tail_sql.h | 22 +++++
tests/runtime/in_tail.c | 189 +++++++++++++++++++++++++++++++++++++
5 files changed, 384 insertions(+)
diff --git a/plugins/in_tail/tail.c b/plugins/in_tail/tail.c
index 34a0fec3dbd..37b1f4f6c68 100644
--- a/plugins/in_tail/tail.c
+++ b/plugins/in_tail/tail.c
@@ -372,6 +372,15 @@ static int in_tail_init(struct flb_input_instance *in,
/* Scan path */
flb_tail_scan(ctx->path_list, ctx);
+#ifdef FLB_HAVE_SQLDB
+ /* Delete stale files that are not monitored from the database */
+ ret = flb_tail_db_stale_file_delete(in, config, ctx);
+ if (ret == -1) {
+ flb_tail_config_destroy(ctx);
+ return -1;
+ }
+#endif
+
/*
* After the first scan (on start time), all new files discovered needs to be
* read from head, so we switch the 'read_from_head' flag to true so any
diff --git a/plugins/in_tail/tail_db.c b/plugins/in_tail/tail_db.c
index 664963b6dba..99242f8a15b 100644
--- a/plugins/in_tail/tail_db.c
+++ b/plugins/in_tail/tail_db.c
@@ -168,6 +168,42 @@ static int db_file_insert(struct flb_tail_file *file, struct flb_tail_config *ct
return flb_sqldb_last_id(ctx->db);
}
+static int stmt_add_param_concat(struct flb_tail_config *ctx,
+ flb_sds_t *stmt_sql, uint64_t count)
+{
+ uint64_t idx;
+ flb_sds_t sds_tmp;
+
+ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_START_PARAM,
+ SQL_STMT_START_PARAM_LEN);
+ if (sds_tmp == NULL) {
+ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: param start");
+ return -1;
+ }
+ *stmt_sql = sds_tmp;
+
+ for (idx = 1; idx < count; idx++) {
+ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_ADD_PARAM,
+ SQL_STMT_ADD_PARAM_LEN);
+ if (sds_tmp == NULL) {
+ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: add param");
+ return -1;
+ }
+
+ *stmt_sql = sds_tmp;
+ }
+
+ sds_tmp = flb_sds_cat(*stmt_sql, SQL_STMT_PARAM_END,
+ SQL_STMT_PARAM_END_LEN);
+ if (sds_tmp == NULL) {
+ flb_plg_debug(ctx->ins, "error concatenating stmt_sql: param end");
+ return -1;
+ }
+ *stmt_sql = sds_tmp;
+
+ return 0;
+}
+
int flb_tail_db_file_set(struct flb_tail_file *file,
struct flb_tail_config *ctx)
{
@@ -275,3 +311,128 @@ int flb_tail_db_file_delete(struct flb_tail_file *file,
flb_plg_debug(ctx->ins, "db: file deleted from database: %s", file->name);
return 0;
}
+
+/*
+ * Delete stale file from database
+ */
+int flb_tail_db_stale_file_delete(struct flb_input_instance *ins,
+ struct flb_config *config,
+ struct flb_tail_config *ctx)
+{
+ int ret = -1;
+ size_t sql_size;
+ uint64_t idx;
+ uint64_t file_count = ctx->files_static_count;
+ flb_sds_t stale_delete_sql;
+ flb_sds_t sds_tmp;
+ sqlite3_stmt *stmt_delete_inodes = NULL;
+ struct mk_list *tmp;
+ struct mk_list *head;
+ struct flb_tail_file *file;
+
+ if (!ctx->db) {
+ return 0;
+ }
+
+ /* Create a stmt sql buffer */
+ sql_size = SQL_DELETE_STALE_FILE_START_LEN;
+ sql_size += SQL_DELETE_STALE_FILE_WHERE_LEN;
+ sql_size += SQL_STMT_START_PARAM_LEN;
+ sql_size += SQL_STMT_PARAM_END_LEN;
+ sql_size += SQL_STMT_END_LEN;
+ if (file_count > 0) {
+ sql_size += (SQL_STMT_ADD_PARAM_LEN * file_count);
+ }
+
+ stale_delete_sql = flb_sds_create_size(sql_size + 1);
+ if (!stale_delete_sql) {
+ flb_plg_error(ctx->ins, "cannot allocate buffer for stale_delete_sql:"
+ " size: %zu", sql_size);
+ return -1;
+ }
+
+ /* Create a stmt sql */
+ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_DELETE_STALE_FILE_START,
+ SQL_DELETE_STALE_FILE_START_LEN);
+ if (sds_tmp == NULL) {
+ flb_plg_error(ctx->ins,
+ "error concatenating stale_delete_sql: start");
+ flb_sds_destroy(stale_delete_sql);
+ return -1;
+ }
+ stale_delete_sql = sds_tmp;
+
+ if (file_count > 0) {
+ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_DELETE_STALE_FILE_WHERE,
+ SQL_DELETE_STALE_FILE_WHERE_LEN);
+ if (sds_tmp == NULL) {
+ flb_plg_error(ctx->ins,
+ "error concatenating stale_delete_sql: where");
+ flb_sds_destroy(stale_delete_sql);
+ return -1;
+ }
+ stale_delete_sql = sds_tmp;
+
+ ret = stmt_add_param_concat(ctx, &stale_delete_sql, file_count);
+ if (ret == -1) {
+ flb_plg_error(ctx->ins,
+ "error concatenating stale_delete_sql: param");
+ flb_sds_destroy(stale_delete_sql);
+ return -1;
+ }
+ }
+
+ sds_tmp = flb_sds_cat(stale_delete_sql, SQL_STMT_END, SQL_STMT_END_LEN);
+ if (sds_tmp == NULL) {
+ flb_plg_error(ctx->ins,
+ "error concatenating stale_delete_sql: end");
+ flb_sds_destroy(stale_delete_sql);
+ return -1;
+ }
+ stale_delete_sql = sds_tmp;
+
+ /* Prepare stmt */
+ ret = sqlite3_prepare_v2(ctx->db->handler, stale_delete_sql, -1,
+ &stmt_delete_inodes, 0);
+ if (ret != SQLITE_OK) {
+ flb_plg_error(ctx->ins, "error preparing database SQL statement:"
+ " stmt_delete_inodes sql:%s, ret=%d", stale_delete_sql,
+ ret);
+ flb_sds_destroy(stale_delete_sql);
+ return -1;
+ }
+
+ /* Bind parameters */
+ idx = 1;
+ mk_list_foreach_safe(head, tmp, &ctx->files_static) {
+ file = mk_list_entry(head, struct flb_tail_file, _head);
+ ret = sqlite3_bind_int64(stmt_delete_inodes, idx, file->inode);
+ if (ret != SQLITE_OK) {
+ flb_plg_error(ctx->ins, "error binding to stmt_delete_inodes:"
+ " inode=%lu, ret=%d", file->inode, ret);
+ sqlite3_finalize(stmt_delete_inodes);
+ flb_sds_destroy(stale_delete_sql);
+ return -1;
+ }
+ idx++;
+ }
+
+ /* Run the delete inodes */
+ ret = sqlite3_step(stmt_delete_inodes);
+ if (ret != SQLITE_DONE) {
+ sqlite3_finalize(stmt_delete_inodes);
+ flb_sds_destroy(stale_delete_sql);
+ flb_plg_error(ctx->ins, "cannot execute delete stale inodes: ret=%d",
+ ret);
+ return -1;
+ }
+
+ ret = sqlite3_changes(ctx->db->handler);
+ flb_plg_info(ctx->ins, "db: delete unmonitored stale inodes from the"
+ " database: count=%d", ret);
+
+ sqlite3_finalize(stmt_delete_inodes);
+ flb_sds_destroy(stale_delete_sql);
+
+ return 0;
+}
diff --git a/plugins/in_tail/tail_db.h b/plugins/in_tail/tail_db.h
index 7b5355d229c..b1fde721d29 100644
--- a/plugins/in_tail/tail_db.h
+++ b/plugins/in_tail/tail_db.h
@@ -40,4 +40,7 @@ int flb_tail_db_file_rotate(const char *new_name,
struct flb_tail_config *ctx);
int flb_tail_db_file_delete(struct flb_tail_file *file,
struct flb_tail_config *ctx);
+int flb_tail_db_stale_file_delete(struct flb_input_instance *ins,
+ struct flb_config *config,
+ struct flb_tail_config *ctx);
#endif
diff --git a/plugins/in_tail/tail_sql.h b/plugins/in_tail/tail_sql.h
index 855933a0149..bf724f318cd 100644
--- a/plugins/in_tail/tail_sql.h
+++ b/plugins/in_tail/tail_sql.h
@@ -53,6 +53,28 @@
#define SQL_DELETE_FILE \
"DELETE FROM in_tail_files WHERE id=@id;"
+#define SQL_STMT_START_PARAM "(?"
+#define SQL_STMT_START_PARAM_LEN (sizeof(SQL_STMT_START_PARAM) - 1)
+
+#define SQL_STMT_ADD_PARAM ",?"
+#define SQL_STMT_ADD_PARAM_LEN (sizeof(SQL_STMT_ADD_PARAM) - 1)
+
+#define SQL_STMT_PARAM_END ")"
+#define SQL_STMT_PARAM_END_LEN (sizeof(SQL_STMT_PARAM_END) - 1)
+
+#define SQL_STMT_END ";"
+#define SQL_STMT_END_LEN (sizeof(SQL_STMT_END) - 1)
+
+#define SQL_DELETE_STALE_FILE_START \
+ "DELETE FROM in_tail_files "
+#define SQL_DELETE_STALE_FILE_START_LEN \
+ (sizeof(SQL_DELETE_STALE_FILE_START) - 1)
+
+#define SQL_DELETE_STALE_FILE_WHERE \
+ "WHERE inode NOT IN "
+#define SQL_DELETE_STALE_FILE_WHERE_LEN \
+ (sizeof(SQL_DELETE_STALE_FILE_WHERE) - 1)
+
#define SQL_PRAGMA_SYNC \
"PRAGMA synchronous=%i;"
diff --git a/tests/runtime/in_tail.c b/tests/runtime/in_tail.c
index ee5fba88744..74accb66ed6 100644
--- a/tests/runtime/in_tail.c
+++ b/tests/runtime/in_tail.c
@@ -1545,6 +1545,194 @@ void flb_test_db()
test_tail_ctx_destroy(ctx);
unlink(db);
}
+
+void flb_test_db_delete_stale_file()
+{
+ struct flb_lib_out_cb cb_data;
+ struct test_tail_ctx *ctx;
+ char *org_file[] = {"test_db.log", "test_db_stale.log"};
+ char *tmp_file[] = {"test_db.log"};
+ char *path = "test_db.log, test_db_stale.log";
+ char *move_file[] = {"test_db_stale.log", "test_db_stale_new.log"};
+ char *new_file[] = {"test_db.log", "test_db_stale_new.log"};
+ char *new_path = "test_db.log, test_db_stale_new.log";
+ char *db = "test_db.db";
+ char *msg_init = "hello world";
+ char *msg_end = "hello db end";
+ int i;
+ int ret;
+ int num;
+ int unused;
+
+ unlink(db);
+
+ clear_output_num();
+
+ cb_data.cb = cb_count_msgpack;
+ cb_data.data = &unused;
+
+ ctx = test_tail_ctx_create(&cb_data,
+ &org_file[0],
+ sizeof(org_file)/sizeof(char *),
+ FLB_FALSE);
+ if (!TEST_CHECK(ctx != NULL)) {
+ TEST_MSG("test_ctx_create failed");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = flb_input_set(ctx->flb, ctx->o_ffd,
+ "path", path,
+ "read_from_head", "true",
+ "db", db,
+ "db.sync", "full",
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ ret = flb_output_set(ctx->flb, ctx->o_ffd,
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ /* Start the engine */
+ ret = flb_start(ctx->flb);
+ TEST_CHECK(ret == 0);
+
+ ret = write_msg(ctx, msg_init, strlen(msg_init));
+ if (!TEST_CHECK(ret > 0)) {
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ num = get_output_num();
+ if (!TEST_CHECK(num > 0)) {
+ TEST_MSG("no output");
+ }
+
+ if (ctx->fds != NULL) {
+ for (i=0; i<ctx->fd_num; i++) {
+ close(ctx->fds[i]);
+ }
+ flb_free(ctx->fds);
+ }
+ flb_stop(ctx->flb);
+ flb_destroy(ctx->flb);
+ flb_free(ctx);
+
+ /* re-init to use db */
+ clear_output_num();
+
+ /*
+ * Changing the file name from 'test_db_stale.log' to
+ * 'test_db_stale_new.log.' In this scenario, it is assumed that the
+ * file was deleted after the FluentBit was terminated. However, since
+ * the FluentBit was shutdown, the inode remains in the database.
+ * The reason for renaming is to preserve the existing file for later use.
+ */
+ ret = rename(move_file[0], move_file[1]);
+ TEST_CHECK(ret == 0);
+
+ cb_data.cb = cb_count_msgpack;
+ cb_data.data = &unused;
+
+ ctx = test_tail_ctx_create(&cb_data,
+ &tmp_file[0],
+ sizeof(tmp_file)/sizeof(char *),
+ FLB_FALSE);
+ if (!TEST_CHECK(ctx != NULL)) {
+ TEST_MSG("test_ctx_create failed");
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ ret = flb_input_set(ctx->flb, ctx->o_ffd,
+ "path", path,
+ "read_from_head", "true",
+ "db", db,
+ "db.sync", "full",
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ /*
+ * Start the engine
+ * FluentBit will delete stale inodes.
+ */
+ ret = flb_start(ctx->flb);
+ TEST_CHECK(ret == 0);
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ if (ctx->fds != NULL) {
+ for (i=0; i<ctx->fd_num; i++) {
+ close(ctx->fds[i]);
+ }
+ flb_free(ctx->fds);
+ }
+ flb_stop(ctx->flb);
+ flb_destroy(ctx->flb);
+ flb_free(ctx);
+
+ /* re-init to use db */
+ clear_output_num();
+
+ cb_data.cb = cb_count_msgpack;
+ cb_data.data = &unused;
+
+ ctx = test_tail_ctx_create(&cb_data,
+ &new_file[0],
+ sizeof(new_file)/sizeof(char *),
+ FLB_FALSE);
+ if (!TEST_CHECK(ctx != NULL)) {
+ TEST_MSG("test_ctx_create failed");
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ ret = flb_input_set(ctx->flb, ctx->o_ffd,
+ "path", new_path,
+ "read_from_head", "true",
+ "db", db,
+ "db.sync", "full",
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ /*
+ * Start the engine
+ * 'test_db_stale_new.log.' is a new file.
+ * The inode of 'test_db_stale.log' was deleted previously.
+ * So, it reads from the beginning of the file.
+ */
+ ret = flb_start(ctx->flb);
+ TEST_CHECK(ret == 0);
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ ret = write_msg(ctx, msg_end, strlen(msg_end));
+ if (!TEST_CHECK(ret > 0)) {
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ num = get_output_num();
+ if (!TEST_CHECK(num == 3)) {
+ /* 3 =
+ * test_db.log : "hello db end"
+ * test_db_stale.log : "msg_init" + "hello db end"
+ */
+ TEST_MSG("num error. expect=3 got=%d", num);
+ }
+
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+}
#endif /* FLB_HAVE_SQLDB */
/* Test list */
@@ -1569,6 +1757,7 @@ TEST_LIST = {
#ifdef FLB_HAVE_SQLDB
{"db", flb_test_db},
+ {"db_delete_stale_file", flb_test_db_delete_stale_file},
#endif
#ifdef in_tail
From d06114cbb1419ef9e8969b897730de07b64cfe28 Mon Sep 17 00:00:00 2001
From: "jinyong.choi" <inimax801@gmail.com>
Date: Thu, 19 Oct 2023 00:37:36 +0900
Subject: [PATCH 2/2] in_tail: Introducing the compare_filename option to
db_file_exists (#8025)(2/2)
When checking the existence of a file's inode, if the 'compare_filename'
option is enabled, it is modified to compare the filename as well.
If the inode matches but the filename is different, it removes the stale
inode from the database.
Signed-off-by: jinyong.choi <inimax801@gmail.com>
---
plugins/in_tail/tail.c | 8 ++
plugins/in_tail/tail_config.h | 1 +
plugins/in_tail/tail_db.c | 58 ++++++++++++-
tests/runtime/in_tail.c | 148 ++++++++++++++++++++++++++++++++++
4 files changed, 213 insertions(+), 2 deletions(-)
diff --git a/plugins/in_tail/tail.c b/plugins/in_tail/tail.c
index 37b1f4f6c68..52bf2ed6d40 100644
--- a/plugins/in_tail/tail.c
+++ b/plugins/in_tail/tail.c
@@ -734,6 +734,14 @@ static struct flb_config_map config_map[] = {
"provides higher performance. Note that WAL is not compatible with "
"shared network file systems."
},
+ {
+ FLB_CONFIG_MAP_BOOL, "db.compare_filename", "false",
+ 0, FLB_TRUE, offsetof(struct flb_tail_config, compare_filename),
+ "This option determines whether to check both the inode and the filename "
+ "when retrieving file information from the db."
+ "'true' verifies both the inode and filename, while 'false' checks only "
+ "the inode (default)."
+ },
#endif
/* Multiline Options */
diff --git a/plugins/in_tail/tail_config.h b/plugins/in_tail/tail_config.h
index dcfa54e0264..c0263b46503 100644
--- a/plugins/in_tail/tail_config.h
+++ b/plugins/in_tail/tail_config.h
@@ -107,6 +107,7 @@ struct flb_tail_config {
struct flb_sqldb *db;
int db_sync;
int db_locking;
+ int compare_filename;
flb_sds_t db_journal_mode;
sqlite3_stmt *stmt_get_file;
sqlite3_stmt *stmt_insert_file;
diff --git a/plugins/in_tail/tail_db.c b/plugins/in_tail/tail_db.c
index 99242f8a15b..6f535ea646b 100644
--- a/plugins/in_tail/tail_db.c
+++ b/plugins/in_tail/tail_db.c
@@ -95,9 +95,38 @@ int flb_tail_db_close(struct flb_sqldb *db)
return 0;
}
+static int flb_tail_db_file_delete_by_id(struct flb_tail_config *ctx,
+ uint64_t id)
+{
+ int ret;
+
+ /* Bind parameters */
+ ret = sqlite3_bind_int64(ctx->stmt_delete_file, 1, id);
+ if (ret != SQLITE_OK) {
+ flb_plg_error(ctx->ins, "db: error binding id=%"PRIu64", ret=%d", id, ret);
+ return -1;
+ }
+
+ ret = sqlite3_step(ctx->stmt_delete_file);
+
+ sqlite3_clear_bindings(ctx->stmt_delete_file);
+ sqlite3_reset(ctx->stmt_delete_file);
+
+ if (ret != SQLITE_DONE) {
+ flb_plg_error(ctx->ins, "db: error deleting stale entry from database:"
+ " id=%"PRIu64, id);
+ return -1;
+ }
+
+ flb_plg_info(ctx->ins, "db: stale file deleted from database:"
+ " id=%"PRIu64, id);
+ return 0;
+}
+
/*
- * Check if an file inode exists in the database. Return FLB_TRUE or
- * FLB_FALSE
+ * Check if an file inode exists in the database.
+ * If the 'compare_filename' option is enabled,
+ * it checks along with the filename. Return FLB_TRUE or FLB_FALSE
*/
static int db_file_exists(struct flb_tail_file *file,
struct flb_tail_config *ctx,
@@ -105,6 +134,7 @@ static int db_file_exists(struct flb_tail_file *file,
{
int ret;
int exists = FLB_FALSE;
+ const unsigned char *name;
/* Bind parameters */
sqlite3_bind_int64(ctx->stmt_get_file, 1, file->inode);
@@ -116,11 +146,30 @@ static int db_file_exists(struct flb_tail_file *file,
/* id: column 0 */
*id = sqlite3_column_int64(ctx->stmt_get_file, 0);
+ /* name: column 1 */
+ name = sqlite3_column_text(ctx->stmt_get_file, 1);
+ if (ctx->compare_filename && name == NULL) {
+ flb_plg_error(ctx->ins, "db: error getting name: id=%"PRIu64, *id);
+ return -1;
+ }
+
/* offset: column 2 */
*offset = sqlite3_column_int64(ctx->stmt_get_file, 2);
/* inode: column 3 */
*inode = sqlite3_column_int64(ctx->stmt_get_file, 3);
+
+ /* Checking if the file's name and inode match exactly */
+ if (ctx->compare_filename) {
+ if (flb_tail_target_file_name_cmp((char *) name, file) != 0) {
+ exists = FLB_FALSE;
+ flb_plg_debug(ctx->ins, "db: exists stale file from database:"
+ " id=%"PRIu64" inode=%"PRIu64" offset=%"PRIu64
+ " name=%s file_inode=%"PRIu64" file_name=%s",
+ *id, *inode, *offset, name, file->inode,
+ file->name);
+ }
+ }
}
else if (ret == SQLITE_DONE) {
/* all good */
@@ -221,6 +270,11 @@ int flb_tail_db_file_set(struct flb_tail_file *file,
}
if (ret == FLB_FALSE) {
+ /* Delete stale file of same inode */
+ if (ctx->compare_filename && id > 0) {
+ flb_tail_db_file_delete_by_id(ctx, id);
+ }
+
/* Get the database ID for this file */
file->db_id = db_file_insert(file, ctx);
}
diff --git a/tests/runtime/in_tail.c b/tests/runtime/in_tail.c
index 74accb66ed6..90d8832bc79 100644
--- a/tests/runtime/in_tail.c
+++ b/tests/runtime/in_tail.c
@@ -1733,6 +1733,153 @@ void flb_test_db_delete_stale_file()
test_tail_ctx_destroy(ctx);
unlink(db);
}
+
+void flb_test_db_compare_filename()
+{
+ struct flb_lib_out_cb cb_data;
+ struct test_tail_ctx *ctx;
+ char *org_file[] = {"test_db.log"};
+ char *moved_file[] = {"test_db_moved.log"};
+ char *db = "test_db.db";
+ char *msg_init = "hello world";
+ char *msg_moved = "hello world moved";
+ char *msg_end = "hello db end";
+ int i;
+ int ret;
+ int num;
+ int unused;
+
+ unlink(db);
+
+ clear_output_num();
+
+ cb_data.cb = cb_count_msgpack;
+ cb_data.data = &unused;
+
+ ctx = test_tail_ctx_create(&cb_data,
+ &org_file[0],
+ sizeof(org_file)/sizeof(char *),
+ FLB_FALSE);
+ if (!TEST_CHECK(ctx != NULL)) {
+ TEST_MSG("test_ctx_create failed");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = flb_input_set(ctx->flb, ctx->o_ffd,
+ "path", org_file[0],
+ "read_from_head", "true",
+ "db", db,
+ "db.sync", "full",
+ "db.compare_filename", "true",
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ ret = flb_output_set(ctx->flb, ctx->o_ffd,
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ /* Start the engine */
+ ret = flb_start(ctx->flb);
+ TEST_CHECK(ret == 0);
+
+ ret = write_msg(ctx, msg_init, strlen(msg_init));
+ if (!TEST_CHECK(ret > 0)) {
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ num = get_output_num();
+ if (!TEST_CHECK(num > 0)) {
+ TEST_MSG("no output");
+ }
+
+ if (ctx->fds != NULL) {
+ for (i=0; i<ctx->fd_num; i++) {
+ close(ctx->fds[i]);
+ }
+ flb_free(ctx->fds);
+ }
+ flb_stop(ctx->flb);
+ flb_destroy(ctx->flb);
+ flb_free(ctx);
+
+ /* re-init to use db */
+ clear_output_num();
+
+ /*
+ * Changing the file name from 'test_db.log' to 'test_db_moved.log.'
+ * In this scenario, it is assumed that the FluentBit has been terminated,
+ * and the file has been recreated with the same inode, with offsets equal
+ * to or greater than the previous file.
+ */
+ ret = rename(org_file[0], moved_file[0]);
+ TEST_CHECK(ret == 0);
+
+ cb_data.cb = cb_count_msgpack;
+ cb_data.data = &unused;
+
+ ctx = test_tail_ctx_create(&cb_data,
+ &moved_file[0],
+ sizeof(moved_file)/sizeof(char *),
+ FLB_FALSE);
+ if (!TEST_CHECK(ctx != NULL)) {
+ TEST_MSG("test_ctx_create failed");
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ ret = flb_input_set(ctx->flb, ctx->o_ffd,
+ "path", moved_file[0],
+ "read_from_head", "true",
+ "db", db,
+ "db.sync", "full",
+ "db.compare_filename", "true",
+ NULL);
+ TEST_CHECK(ret == 0);
+
+ /*
+ * Start the engine
+ * The file has been newly created, and due to the 'db.compare_filename'
+ * option being set to true, it compares filenames to consider it a new
+ * file even if the inode is the same. If the option is set to false,
+ * it can be assumed to be the same file as before.
+ */
+ ret = flb_start(ctx->flb);
+ TEST_CHECK(ret == 0);
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ ret = write_msg(ctx, msg_moved, strlen(msg_moved));
+ if (!TEST_CHECK(ret > 0)) {
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ ret = write_msg(ctx, msg_end, strlen(msg_end));
+ if (!TEST_CHECK(ret > 0)) {
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+ exit(EXIT_FAILURE);
+ }
+
+ /* waiting to flush */
+ flb_time_msleep(500);
+
+ num = get_output_num();
+ if (!TEST_CHECK(num == 3)) {
+ /* 3 = msg_init + msg_moved + msg_end */
+ TEST_MSG("num error. expect=3 got=%d", num);
+ }
+
+ test_tail_ctx_destroy(ctx);
+ unlink(db);
+}
#endif /* FLB_HAVE_SQLDB */
/* Test list */
@@ -1758,6 +1905,7 @@ TEST_LIST = {
#ifdef FLB_HAVE_SQLDB
{"db", flb_test_db},
{"db_delete_stale_file", flb_test_db_delete_stale_file},
+ {"db_compare_filename", flb_test_db_compare_filename},
#endif
#ifdef in_tail
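Review bot: In `flb_tail_db_stale_file_delete` the `WHERE inode NOT IN (...)` clause is appended only when `file_count > 0`, so with no statically matched files at startup the statement reduces to `DELETE FROM in_tail_files ;` and every stored offset is discarded; a path pattern that transiently matches nothing at start would therefore reset all positions, and files discovered later would likely be re-read from the head. If that is intended, a comment at the `if (file_count > 0)` saying so would help; otherwise `if (file_count == 0) { return 0; }` before the buffer allocation keeps the database untouched. Separately, one bound variable per monitored file means `sqlite3_prepare_v2` fails once the list exceeds SQLITE_MAX_VARIABLE_NUMBER, and that `-1` aborts the whole plugin init in tail.c; chunking the inode list, or logging and continuing, would be more robust. The `ins` and `config` parameters are unused in the function body, and the `inode=%lu` format at the bind error should use `PRIu64` as the second patch does.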


@ -1,12 +1,15 @@
Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
Name: fluent-bit
Version: 2.2.3
Release: 1%{?dist}
Release: 3%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://fluentbit.io
Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: CVE-2024-34250.patch
Patch1: in_emitter_fix_issue_8198.patch
Patch2: fix_issue_8025.patch
BuildRequires: bison
BuildRequires: cmake
BuildRequires: cyrus-sasl-devel
@ -80,6 +83,13 @@ Development files for %{name}
%{_libdir}/fluent-bit/*.so
%changelog
* Wed Jun 05 2024 Sindhu Karri <lakarri@microsoft.com> - 2.2.3-3
- Apply patch in_emitter_fix_issue_8198.patch to fix #8198 ( Potential log loss during high load at Multiline & Rewrite Tag Filter (in_emitter) )
- Fix issue #8025 with a patch ( in_tail: missing log for offset processing due to non-existent old inodes in sqlite )
* Wed May 30 2024 Sindhu Karri <lakarri@microsoft.com> - 2.2.3-2
- Fix CVE-2024-34250 with a patch
* Tue May 28 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.2.3-1
- Auto-upgrade to 2.2.3 - CVE-2024-4323


@ -0,0 +1,661 @@
From feb424367d08666dd9fb0a6405f05c19b6678873 Mon Sep 17 00:00:00 2001
From: Richard Treu <richard.treu@sap.com>
Date: Fri, 9 Feb 2024 23:46:32 +0100
Subject: [PATCH 1/6] in_emitter: Fix to prevent single record chunks and do
pause on mem_buf_limit
The current code creates a situation, where only one record per chunk
is created. In case of a non-existing ring-buffer, the old mechanism is used.
Also the in_emitter plugin continued to accept records even after the
set emitter_mem_buf_limit was reached. This commit implements a
check if the plugin was paused and returns accordingly.
Signed-off-by: Richard Treu <richard.treu@sap.com>
---
plugins/in_emitter/emitter.c | 67 +++++++++++++++++++++++++++++++++---
1 file changed, 62 insertions(+), 5 deletions(-)
diff --git a/plugins/in_emitter/emitter.c b/plugins/in_emitter/emitter.c
index 62886d1346c..532a629b924 100644
--- a/plugins/in_emitter/emitter.c
+++ b/plugins/in_emitter/emitter.c
@@ -31,6 +31,9 @@
#define DEFAULT_EMITTER_RING_BUFFER_FLUSH_FREQUENCY 2000
+/* return values */
+#define FLB_EMITTER_BUSY 3
+
struct em_chunk {
flb_sds_t tag;
struct msgpack_sbuffer mp_sbuf; /* msgpack sbuffer */
@@ -39,6 +42,7 @@ struct em_chunk {
};
struct flb_emitter {
+ int coll_fd; /* collector id */
struct mk_list chunks; /* list of all pending chunks */
struct flb_input_instance *ins; /* input instance */
struct flb_ring_buffer *msgs; /* ring buffer for cross-thread messages */
@@ -97,7 +101,6 @@ int static do_in_emitter_add_record(struct em_chunk *ec,
em_chunk_destroy(ec);
return -1;
}
- /* Release the echunk */
em_chunk_destroy(ec);
return 0;
}
@@ -118,6 +121,12 @@ int in_emitter_add_record(const char *tag, int tag_len,
ctx = (struct flb_emitter *) in->context;
ec = NULL;
+ /* Restricted by mem_buf_limit */
+ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) {
+ flb_plg_debug(ctx->ins, "emitter memory buffer limit reached. Not accepting record.");
+ return FLB_EMITTER_BUSY;
+ }
+
/* Use the ring buffer first if it exists */
if (ctx->msgs) {
memset(&temporary_chunk, 0, sizeof(struct em_chunk));
@@ -161,8 +170,7 @@ int in_emitter_add_record(const char *tag, int tag_len,
/* Append raw msgpack data */
msgpack_sbuffer_write(&ec->mp_sbuf, buf_data, buf_size);
-
- return do_in_emitter_add_record(ec, in);
+ return 0;
}
/*
@@ -191,6 +199,34 @@ static int in_emitter_ingest_ring_buffer(struct flb_input_instance *in,
return ret;
}
+static int cb_queue_chunks(struct flb_input_instance *in,
+ struct flb_config *config, void *data)
+{
+ int ret;
+ struct mk_list *tmp;
+ struct mk_list *head;
+ struct em_chunk *echunk;
+ struct flb_emitter *ctx;
+
+ /* Get context */
+ ctx = (struct flb_emitter *) data;
+
+ /* Try to enqueue chunks under our limits */
+ mk_list_foreach_safe(head, tmp, &ctx->chunks) {
+ echunk = mk_list_entry(head, struct em_chunk, _head);
+
+ /* Associate this backlog chunk to this instance into the engine */
+ ret = do_in_emitter_add_record(echunk, in);
+ if (ret == -1) {
+ flb_error("[in_emitter] error registering chunk with tag: %s",
+ echunk->tag);
+ continue;
+ }
+ }
+
+ return 0;
+}
+
static int in_emitter_start_ring_buffer(struct flb_input_instance *in, struct flb_emitter *ctx)
{
if (ctx->ring_buffer_size <= 0) {
@@ -257,6 +293,15 @@ static int cb_emitter_init(struct flb_input_instance *in,
return -1;
}
}
+ else{
+ ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 50000000, config);
+ if (ret < 0) {
+ flb_error("[in_emitter] could not create collector");
+ flb_free(ctx);
+ return -1;
+ }
+ ctx->coll_fd = ret;
+ }
/* export plugin context */
flb_input_set_context(in, ctx);
@@ -264,6 +309,18 @@ static int cb_emitter_init(struct flb_input_instance *in,
return 0;
}
+static void cb_emitter_pause(void *data, struct flb_config *config)
+{
+ struct flb_emitter *ctx = data;
+ flb_input_collector_pause(ctx->coll_fd, ctx->ins);
+}
+
+static void cb_emitter_resume(void *data, struct flb_config *config)
+{
+ struct flb_emitter *ctx = data;
+ flb_input_collector_resume(ctx->coll_fd, ctx->ins);
+}
+
static int cb_emitter_exit(void *data, struct flb_config *config)
{
struct mk_list *tmp;
@@ -312,8 +369,8 @@ struct flb_input_plugin in_emitter_plugin = {
.cb_ingest = NULL,
.cb_flush_buf = NULL,
.config_map = config_map,
- .cb_pause = NULL,
- .cb_resume = NULL,
+ .cb_pause = cb_emitter_pause,
+ .cb_resume = cb_emitter_resume,
.cb_exit = cb_emitter_exit,
/* This plugin can only be configured and invoked by the Engine only */
From 37826b66b29d1ad867d220313178c3feac9b792a Mon Sep 17 00:00:00 2001
From: Richard Treu <richard.treu@sap.com>
Date: Thu, 11 Apr 2024 23:53:10 +0200
Subject: [PATCH 2/6] filter_multiline: Pause source input plugins on filter
pause This commit will pause the inputs (sending to multiline) to not loose
any in-flight records.
Signed-off-by: Richard Treu <richard.treu@sap.com>
---
plugins/filter_multiline/ml.c | 14 ++++++++++++--
plugins/filter_multiline/ml.h | 4 +++-
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/plugins/filter_multiline/ml.c b/plugins/filter_multiline/ml.c
index 41b1b8a4d64..ced8ec83739 100644
--- a/plugins/filter_multiline/ml.c
+++ b/plugins/filter_multiline/ml.c
@@ -176,7 +176,7 @@ static int flush_callback(struct flb_ml_parser *parser,
/* Emit record with original tag */
flb_plg_trace(ctx->ins, "emitting from %s to %s", stream->input_name, stream->tag);
ret = in_emitter_add_record(stream->tag, flb_sds_len(stream->tag), buf_data, buf_size,
- ctx->ins_emitter);
+ ctx->ins_emitter, ctx->i_ins);
return ret;
}
@@ -526,7 +526,8 @@ static void partial_timer_cb(struct flb_config *config, void *data)
ret = in_emitter_add_record(packer->tag, flb_sds_len(packer->tag),
packer->log_encoder.output_buffer,
packer->log_encoder.output_length,
- ctx->ins_emitter);
+ ctx->ins_emitter,
+ ctx->i_ins);
if (ret < 0) {
/* this shouldn't happen in normal execution */
flb_plg_warn(ctx->ins,
@@ -741,6 +742,15 @@ static int cb_ml_filter(const void *data, size_t bytes,
return FLB_FILTER_NOTOUCH;
}
+ if (ctx->i_ins == NULL){
+ ctx->i_ins = i_ins;
+ }
+ if (ctx->i_ins != i_ins) {
+ flb_plg_trace(ctx->ins, "input instance changed from %s to %s",
+ ctx->i_ins->name, i_ins->name);
+ ctx->i_ins = i_ins;
+ }
+
/* 'partial_message' mode */
if (ctx->partial_mode == FLB_TRUE) {
return ml_filter_partial(data, bytes, tag, tag_len,
diff --git a/plugins/filter_multiline/ml.h b/plugins/filter_multiline/ml.h
index 59bf6c7e826..cae8fb64166 100644
--- a/plugins/filter_multiline/ml.h
+++ b/plugins/filter_multiline/ml.h
@@ -73,6 +73,7 @@ struct ml_ctx {
size_t emitter_mem_buf_limit; /* Emitter buffer limit */
struct flb_input_instance *ins_emitter; /* emitter input plugin instance */
struct flb_config *config; /* Fluent Bit context */
+ struct flb_input_instance *i_ins; /* Fluent Bit input instance (last used)*/
#ifdef FLB_HAVE_METRICS
struct cmt_counter *cmt_emitted;
@@ -82,6 +83,7 @@ struct ml_ctx {
/* Register external function to emit records, check 'plugins/in_emitter' */
int in_emitter_add_record(const char *tag, int tag_len,
const char *buf_data, size_t buf_size,
- struct flb_input_instance *in);
+ struct flb_input_instance *in,
+ struct flb_input_instance *i_ins);
#endif
From 2087601806b39719ac64c2862f81e7c5222efd3a Mon Sep 17 00:00:00 2001
From: Richard Treu <richard.treu@sap.com>
Date: Thu, 11 Apr 2024 23:55:40 +0200
Subject: [PATCH 3/6] filter_rewrite_tag: Pause source input plugins on filter
pause This commit will pause the inputs (sending to rewrite_tag) to not loose
any in-flight records.
Signed-off-by: Richard Treu <richard.treu@sap.com>
---
plugins/filter_rewrite_tag/rewrite_tag.c | 7 ++++---
plugins/filter_rewrite_tag/rewrite_tag.h | 3 ++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/plugins/filter_rewrite_tag/rewrite_tag.c b/plugins/filter_rewrite_tag/rewrite_tag.c
index 01b0f168fe2..c8bfe029350 100644
--- a/plugins/filter_rewrite_tag/rewrite_tag.c
+++ b/plugins/filter_rewrite_tag/rewrite_tag.c
@@ -355,7 +355,8 @@ static int ingest_inline(struct flb_rewrite_tag *ctx,
*/
static int process_record(const char *tag, int tag_len, msgpack_object map,
const void *buf, size_t buf_size, int *keep,
- struct flb_rewrite_tag *ctx, int *matched)
+ struct flb_rewrite_tag *ctx, int *matched,
+ struct flb_input_instance *i_ins)
{
int ret;
flb_sds_t out_tag;
@@ -404,7 +405,7 @@ static int process_record(const char *tag, int tag_len, msgpack_object map,
if (!ret) {
/* Emit record with new tag */
ret = in_emitter_add_record(out_tag, flb_sds_len(out_tag), buf, buf_size,
- ctx->ins_emitter);
+ ctx->ins_emitter, i_ins);
}
else {
ret = 0;
@@ -489,7 +490,7 @@ static int cb_rewrite_tag_filter(const void *data, size_t bytes,
* If a record was emitted, the variable 'keep' will define if the record must
* be preserved or not.
*/
- is_emitted = process_record(tag, tag_len, map, (char *) data + pre, off - pre, &keep, ctx, &is_matched);
+ is_emitted = process_record(tag, tag_len, map, (char *) data + pre, off - pre, &keep, ctx, &is_matched, i_ins);
if (is_emitted == FLB_TRUE) {
/* A record with the new tag was emitted */
emitted_num++;
diff --git a/plugins/filter_rewrite_tag/rewrite_tag.h b/plugins/filter_rewrite_tag/rewrite_tag.h
index 11c0535fde1..d73b49f12eb 100644
--- a/plugins/filter_rewrite_tag/rewrite_tag.h
+++ b/plugins/filter_rewrite_tag/rewrite_tag.h
@@ -57,7 +57,8 @@ struct flb_rewrite_tag {
/* Register external function to emit records, check 'plugins/in_emitter' */
int in_emitter_add_record(const char *tag, int tag_len,
const char *buf_data, size_t buf_size,
- struct flb_input_instance *in);
+ struct flb_input_instance *in,
+ struct flb_input_instance *i_ins);
int in_emitter_get_collector_id(struct flb_input_instance *in);
From 64214ada1ded5afc1dae042473b50fa1f8dc9467 Mon Sep 17 00:00:00 2001
From: Richard Treu <richard.treu@sap.com>
Date: Thu, 11 Apr 2024 23:57:15 +0200
Subject: [PATCH 4/6] in_emitter: Pause source input plugins on in_emitter
pause This commit will pause all known inputs (sending to multiline) to not
loose any in-flight records. in_emitter will keep track of all sending input
plugins and actively pause/resume them in case in_emitter is paused/resumed.
Signed-off-by: Richard Treu <richard.treu@sap.com>
---
plugins/in_emitter/emitter.c | 77 ++++++++++++++++++++++++++++++++++--
1 file changed, 73 insertions(+), 4 deletions(-)
diff --git a/plugins/in_emitter/emitter.c b/plugins/in_emitter/emitter.c
index 532a629b924..8092a7954ee 100644
--- a/plugins/in_emitter/emitter.c
+++ b/plugins/in_emitter/emitter.c
@@ -32,7 +32,7 @@
#define DEFAULT_EMITTER_RING_BUFFER_FLUSH_FREQUENCY 2000
/* return values */
-#define FLB_EMITTER_BUSY 3
+#define FLB_EMITTER_BUSY -2
struct em_chunk {
flb_sds_t tag;
@@ -41,12 +41,18 @@ struct em_chunk {
struct mk_list _head;
};
+struct input_ref {
+ struct flb_input_instance *i_ins;
+ struct mk_list _head;
+};
+
struct flb_emitter {
int coll_fd; /* collector id */
struct mk_list chunks; /* list of all pending chunks */
struct flb_input_instance *ins; /* input instance */
struct flb_ring_buffer *msgs; /* ring buffer for cross-thread messages */
int ring_buffer_size; /* size of the ring buffer */
+ struct mk_list i_ins_list; /* instance list of linked/sending inputs */
};
struct em_chunk *em_chunk_create(const char *tag, int tag_len,
@@ -89,6 +95,12 @@ int static do_in_emitter_add_record(struct em_chunk *ec,
struct flb_emitter *ctx = (struct flb_emitter *) in->context;
int ret;
+ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) {
+ flb_plg_debug(ctx->ins, "_emitter %s paused. Not processing records.",
+ ctx->ins->name);
+ return FLB_EMITTER_BUSY;
+ }
+
/* Associate this backlog chunk to this instance into the engine */
ret = flb_input_log_append(in,
ec->tag, flb_sds_len(ec->tag),
@@ -111,15 +123,45 @@ int static do_in_emitter_add_record(struct em_chunk *ec,
*/
int in_emitter_add_record(const char *tag, int tag_len,
const char *buf_data, size_t buf_size,
- struct flb_input_instance *in)
+ struct flb_input_instance *in,
+ struct flb_input_instance *i_ins)
{
struct em_chunk temporary_chunk;
struct mk_list *head;
+ struct input_ref *i_ref;
+ bool ref_found;
+ struct mk_list *tmp;
+
struct em_chunk *ec;
struct flb_emitter *ctx;
ctx = (struct flb_emitter *) in->context;
ec = NULL;
+ /* Iterate over list of already known (source) inputs */
+ /* If new, add it to the list to be able to pause it later on */
+ ref_found = false;
+ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) {
+ i_ref = mk_list_entry(head, struct input_ref, _head);
+ if(i_ref->i_ins == i_ins){
+ ref_found = true;
+ break;
+ }
+ }
+ if (!ref_found) {
+ i_ref = flb_malloc(sizeof(struct input_ref));
+ if (!i_ref) {
+ flb_errno();
+ return FLB_FILTER_NOTOUCH;
+ }
+ i_ref->i_ins = i_ins;
+ mk_list_add(&i_ref->_head, &ctx->i_ins_list);
+ /* If in_emitter is paused, but new input plugin is not paused, pause it */
+ if (flb_input_buf_paused(ctx->ins) == FLB_TRUE &&
+ flb_input_buf_paused(i_ins) == FLB_FALSE) {
+ flb_input_pause(i_ins);
+ }
+ }
+
/* Restricted by mem_buf_limit */
if (flb_input_buf_paused(ctx->ins) == FLB_TRUE) {
@@ -268,6 +310,8 @@ static int cb_emitter_init(struct flb_input_instance *in,
ctx->ins = in;
mk_list_init(&ctx->chunks);
+ mk_list_init(&ctx->i_ins_list);
+
ret = flb_input_config_map_set(in, (void *) ctx);
if (ret == -1) {
@@ -294,7 +338,7 @@ static int cb_emitter_init(struct flb_input_instance *in,
}
}
else{
- ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 50000000, config);
+ ret = flb_input_set_collector_time(in, cb_queue_chunks, 0, 25000000, config);
if (ret < 0) {
flb_error("[in_emitter] could not create collector");
flb_free(ctx);
@@ -312,13 +356,31 @@ static int cb_emitter_init(struct flb_input_instance *in,
static void cb_emitter_pause(void *data, struct flb_config *config)
{
struct flb_emitter *ctx = data;
+ struct mk_list *tmp;
+ struct mk_list *head;
+ struct input_ref *i_ref;
+
+ /* Pause all known senders */
flb_input_collector_pause(ctx->coll_fd, ctx->ins);
+ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) {
+ i_ref = mk_list_entry(head, struct input_ref, _head);
+ flb_input_pause(i_ref->i_ins);
+ }
}
static void cb_emitter_resume(void *data, struct flb_config *config)
{
struct flb_emitter *ctx = data;
+ struct mk_list *tmp;
+ struct mk_list *head;
+ struct input_ref *i_ref;
+
+ /* Resume all known senders */
flb_input_collector_resume(ctx->coll_fd, ctx->ins);
+ mk_list_foreach_safe(head, tmp, &ctx->i_ins_list) {
+ i_ref = mk_list_entry(head, struct input_ref, _head);
+ flb_input_resume(i_ref->i_ins);
+ }
}
static int cb_emitter_exit(void *data, struct flb_config *config)
@@ -328,9 +390,9 @@ static int cb_emitter_exit(void *data, struct flb_config *config)
struct flb_emitter *ctx = data;
struct em_chunk *echunk;
struct em_chunk ec;
+ struct input_ref *i_ref;
int ret;
-
mk_list_foreach_safe(head, tmp, &ctx->chunks) {
echunk = mk_list_entry(head, struct em_chunk, _head);
mk_list_del(&echunk->_head);
@@ -346,6 +408,13 @@ static int cb_emitter_exit(void *data, struct flb_config *config)
flb_ring_buffer_destroy(ctx->msgs);
}
+ mk_list_foreach_safe(head,tmp, &ctx->i_ins_list) {
+ i_ref = mk_list_entry(head, struct input_ref, _head);
+ mk_list_del(&i_ref->_head);
+ flb_free(i_ref);
+ }
+
+
flb_free(ctx);
return 0;
}
From f6137ec60bdffc6f5c80e491b463541702438772 Mon Sep 17 00:00:00 2001
From: Richard Treu <richard.treu@sap.com>
Date: Fri, 12 Apr 2024 00:00:39 +0200
Subject: [PATCH 5/6] flb_input: Add missing input resume message This commit
will add a resume message, when a paused input plugin is resumed.
Signed-off-by: Richard Treu <richard.treu@sap.com>
---
src/flb_input.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/flb_input.c b/src/flb_input.c
index a990a9d2805..7b614ccdb44 100644
--- a/src/flb_input.c
+++ b/src/flb_input.c
@@ -1729,6 +1729,7 @@ int flb_input_resume(struct flb_input_instance *ins)
flb_input_thread_instance_resume(ins);
}
else {
+ flb_info("[input] resume %s", flb_input_name(ins));
ins->p->cb_resume(ins->context, ins->config);
}
}
From 3162d0c3db2f7df9392c6d880280b923002066b1 Mon Sep 17 00:00:00 2001
From: Richard Treu <richard.treu@sap.com>
Date: Fri, 12 Apr 2024 00:02:03 +0200
Subject: [PATCH 6/6] tests: filter_multiline: Add test for in_emitter pause by
using multiline This commit will add a test for pause functionality of
in_emitter. The test uses a small emitter buffer size, so the in_emitter will
definitely be paused.
Signed-off-by: Richard Treu <richard.treu@sap.com>
---
tests/runtime/filter_multiline.c | 124 +++++++++++++++++++++++++++++++
1 file changed, 124 insertions(+)
diff --git a/tests/runtime/filter_multiline.c b/tests/runtime/filter_multiline.c
index 18253a5b2c7..ed6ffb6b7cb 100644
--- a/tests/runtime/filter_multiline.c
+++ b/tests/runtime/filter_multiline.c
@@ -2,6 +2,7 @@
#include <fluent-bit.h>
#include <fluent-bit/flb_sds.h>
+#include <fluent-bit/flb_time.h>
#include "flb_tests_runtime.h"
struct filter_test {
@@ -120,7 +121,34 @@ static int cb_check_str_list(void *record, size_t size, void *data)
return 0;
}
+void wait_with_timeout(uint32_t timeout_ms, int *output_num, int expected)
+{
+ struct flb_time start_time;
+ struct flb_time end_time;
+ struct flb_time diff_time;
+ uint64_t elapsed_time_flb = 0;
+
+ flb_time_get(&start_time);
+
+ while (true) {
+ *output_num = get_output_num();
+
+ if (*output_num == expected) {
+ break;
+ }
+
+ flb_time_msleep(100);
+ flb_time_get(&end_time);
+ flb_time_diff(&end_time, &start_time, &diff_time);
+ elapsed_time_flb = flb_time_to_nanosec(&diff_time) / 1000000;
+ if (elapsed_time_flb > timeout_ms) {
+ flb_warn("[timeout] elapsed_time: %ld", elapsed_time_flb);
+ // Reached timeout.
+ break;
+ }
+ }
+}
static struct filter_test *filter_test_create(struct flb_lib_out_cb *data)
{
@@ -682,6 +710,100 @@ static void flb_test_ml_buffered_16_streams()
filter_test_destroy(ctx);
}
+/* This test will test the pausing of in_emitter */
+static void flb_test_ml_buffered_16_streams_pausing()
+{
+ struct flb_lib_out_cb cb_data;
+ struct filter_test *ctx;
+ int i_ffds[16] = {0};
+ int ffd_num = sizeof(i_ffds)/sizeof(int);
+ int ret;
+ int i;
+ int j;
+ int bytes;
+ int len;
+ char line_buf[2048] = {0};
+ char tag_buf[32] = {0};
+ int line_num;
+ int num;
+
+ char *expected_strs[] = {"Exception in thread main java.lang.IllegalStateException: ..null property\\n at com.example.myproject.Author.getBookIds(xx.java:38)\\n at com.example.myproject.Bootstrap.main(Bootstrap.java:14)\\nCaused by: java.lang.NullPointerException\\n at com.example.myproject.Book.getId(Book.java:22)\\n at com.example.myproject.Author.getBookIds(Author.java:35)\\n ... 1 more"};
+
+ struct str_list expected = {
+ .size = sizeof(expected_strs)/sizeof(char*),
+ .lists = &expected_strs[0],
+ .ignore_min_line_num = 64,
+ };
+
+ char *ml_logs[] = {"Exception in thread main java.lang.IllegalStateException: ..null property",
+ " at com.example.myproject.Author.getBookIds(xx.java:38)",
+ " at com.example.myproject.Bootstrap.main(Bootstrap.java:14)",
+ "Caused by: java.lang.NullPointerException",
+ " at com.example.myproject.Book.getId(Book.java:22)",
+ " at com.example.myproject.Author.getBookIds(Author.java:35)",
+ " ... 1 more",
+ "single line"};
+
+ cb_data.cb = cb_check_str_list;
+ cb_data.data = (void *)&expected;
+
+ clear_output_num();
+
+ line_num = sizeof(ml_logs)/sizeof(char*);
+
+ /* Create test context */
+ ctx = filter_test_create((void *) &cb_data);
+ if (!ctx) {
+ exit(EXIT_FAILURE);
+ }
+ flb_service_set(ctx->flb,
+ "Flush", "0.100000000",
+ "Grace", "2",
+ NULL);
+
+ i_ffds[0] = ctx->i_ffd;
+ for (i=1; i<ffd_num; i++) {
+ i_ffds[i] = flb_input(ctx->flb, (char *) "lib", NULL);
+ TEST_CHECK(i_ffds[i] >= 0);
+ sprintf(&tag_buf[0], "test%d", i);
+ flb_input_set(ctx->flb, i_ffds[i], "tag", tag_buf, NULL);
+ }
+
+ /* Configure filter */
+ /* Set mem_buf_limit small, so in_emitter will be paused */
+ ret = flb_filter_set(ctx->flb, ctx->f_ffd,
+ "multiline.key_content", "log",
+ "multiline.parser", "java",
+ "buffer", "on",
+ "debug_flush", "on",
+ "emitter_mem_buf_limit", "1k",
+ NULL);
+ TEST_CHECK(ret == 0);
+
+
+ /* Start the engine */
+ ret = flb_start(ctx->flb);
+ TEST_CHECK(ret == 0);
+
+ for (i=0; i<line_num; i++) {
+ sprintf(&line_buf[0], "[%d, {\"log\":\"%s\"}]", i, ml_logs[i]);
+ len = strlen(line_buf);
+ for (j=0; j<ffd_num; j++) {
+ bytes = flb_lib_push(ctx->flb, i_ffds[j], &line_buf[0], len);
+ TEST_CHECK(bytes == len);
+ }
+ }
+ wait_with_timeout(20000, &num, ffd_num);
+
+ if (!TEST_CHECK(num > 0)) {
+ TEST_MSG("output error. got %d expect more than 0 records.", num);
+ /* The internal flb_lib_push cannot be paused, so records may be lost */
+ /* However, there should be at least some records */
+ }
+
+ filter_test_destroy(ctx);
+}
+
@@ -695,5 +817,7 @@ TEST_LIST = {
{"flb_test_multiline_partial_message_concat" , flb_test_multiline_partial_message_concat },
{"flb_test_multiline_partial_message_concat_two_ids" , flb_test_multiline_partial_message_concat_two_ids },
+
+ {"ml_buffered_16_streams_pausing" , flb_test_ml_buffered_16_streams_pausing },
{NULL, NULL}
};
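Review bot: In patch 4 the allocation-failure path of in_emitter_add_record returns `FLB_FILTER_NOTOUCH`, which is a filter-plugin status rather than the negative error code the new callers test (`if (ret < 0)` in ml.c), so an out-of-memory condition drops the record without any warning being logged; returning `-1` (or `FLB_EMITTER_BUSY`) there keeps the error visible to the caller. In cb_queue_chunks (patch 1) only `ret == -1` is handled, but after patch 4 do_in_emitter_add_record also returns `FLB_EMITTER_BUSY` while the emitter is paused, and the loop then keeps iterating every remaining chunk just to hit the same paused check, so `if (ret == FLB_EMITTER_BUSY) { break; }` before the `-1` test would end the pass early. In wait_with_timeout (patch 6) `flb_warn("[timeout] elapsed_time: %ld", elapsed_time_flb)` passes a `uint64_t` to `%ld`; `"%" PRIu64` avoids the mismatch where `long` is 32-bit. The bodies of in_emitter_add_record and cb_queue_chunks continue outside their respective hunks, so the remaining return paths could not be checked here.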


@ -1,7 +1,7 @@
{
"Signatures": {
"hvloader-1.0.1.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba",
"edk2-stable202302-submodules.tar.gz": "6e0c992145070d4f9e907a2baf9441b264927902537e888d20d2749055d52f20",
"edk2-stable202305-submodules.tar.gz": "98ad582dde1cedaa1d0767d92968c47c7102a94b1ab1cd6ca5c95eee2acbaa71",
"target-x86.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8"
}
}


@ -1,10 +1,10 @@
%define debug_package %{nil}
%define name_github HvLoader
%define edk2_tag edk2-stable202302
%define edk2_tag edk2-stable202305
Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader.
Name: hvloader
Version: 1.0.1
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
@ -58,6 +58,11 @@ cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{
/boot/efi/HvLoader.efi
%changelog
* Fri May 31 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-3
- Update edk2_tag to edk2-stable202305
- Publish edk2-stable202305-submodules source
- Correct the resolution of openssl related CVEs (CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304) that were not successfully addressed in the previous update
* Wed May 08 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-2
- Update edk2_tag to edk2-stable202302
- Publish edk2-stable202302-submodules source


@ -0,0 +1,3 @@
CVE-2024-26951 - in version 5.15.154.1
upstream: 55b6c738673871c9b0edae05d0c97995c1ff08c4
stable: 710a177f347282eea162aec8712beb1f42d5ad87


@ -0,0 +1,3 @@
CVE-2024-26961 - in version 5.15.154.1
upstream: e8a1e58345cf40b7b272e08ac7b32328b2543e40
stable: d3d858650933d44ac12c1f31337e7110c2071821


@ -0,0 +1,3 @@
CVE-2024-26965 - in version 5.15.154.1
upstream: e2c02a85bf53ae86d79b5fccf0a75ac0b78e0c96
stable: 8f562f3b25177c2055b20fd8cf000496f6fa9194


@ -0,0 +1,3 @@
CVE-2024-26966 - in version 5.15.154.1
upstream: a903cfd38d8dee7e754fb89fd1bebed99e28003d
stable: 3aedcf3755c74dafc187eb76acb04e3e6348b1a9


@ -0,0 +1,3 @@
CVE-2024-26973 - in version 5.15.154.1
upstream: fde2497d2bc3a063d8af88b258dbadc86bd7b57c
stable: b7fb63e807c6dadf7ecc1d43448c4f1711d7eeee


@ -0,0 +1,3 @@
CVE-2024-26977 - in version 5.15.154.1
upsream: 7626913652cc786c238e2dd7d8740b17d41b2637
stable: 5e4b23e7a7b33a1e56bfa3e5598138a2234d55b6
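Review bot: The key on the second line of this new file is spelled `upsream:` while every sibling CVE file in this commit uses `upstream:`; if these records are consumed by tooling that matches on the key name, the upstream commit reference for CVE-2024-26977 would not be recognised. The line should read `upstream: 7626913652cc786c238e2dd7d8740b17d41b2637`.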


@ -0,0 +1,3 @@
CVE-2024-26984 - in version 5.15.157.1
upstream: fff1386cc889d8fb4089d285f883f8cba62d82ce
stable: 3ab056814cd8ab84744c9a19ef51360b2271c572


@ -0,0 +1,3 @@
CVE-2024-26993 - in version 5.15.157.1
upstream: a90bca2228c0646fc29a72689d308e5fe03e6d78
stable: 43f00210cb257bcb0387e8caeb4b46375d67f30c


@ -0,0 +1,3 @@
CVE-2024-27000 - in version 5.15.158.1
upstream: 54c4ec5f8c471b7c1137a1f769648549c423c026
stable: 479244d68f5d94f3903eced52b093c1e01ddb495


@ -0,0 +1,3 @@
CVE-2024-27018 - in version 5.15.157.1
upstream: 751de2012eafa4d46d8081056761fa0e9cc8a178
stable: dceb683ab87ca3666a9bb5c0158528b646faedc4


@ -0,0 +1,3 @@
CVE-2024-35912 - in version 5.15.154.1
upstream: 06a093807eb7b5c5b29b6cff49f8174a4e702341
stable: 28db0ae86cb91a4ab0e855cff779daead936b7d5


@ -0,0 +1,3 @@
CVE-2024-36008 - in version 5.15.158.1
upstream: 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1
stable: 03b5a9b2b526862b21bcc31976e393a6e63785d1


@ -7,6 +7,6 @@
"hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
"hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
"hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
"kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5"
"kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
}
}


@ -8,7 +8,7 @@
%global udev_prefix 70
Summary: Hyper-V daemons suite
Name: hyperv-daemons
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2+
Vendor: Microsoft Corporation
@ -219,6 +219,12 @@ fi
%{_sbindir}/lsvmbus
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -1,7 +1,7 @@
{
"Signatures": {
"mariner-coco-build-uvm.sh": "4f2be6965d8c4d7919fd201a68160fc8ab02a1be50a336abbfea13f16a6ffb89",
"kata-containers-cc-3.2.0.azl1-cargo.tar.gz": "e9225097732f0e9be4da806dac9189c94b43e76dc54b964d1c07beaf8ea65e36",
"kata-containers-cc-3.2.0.azl1.tar.gz": "1c0461a0bcb6920888955ad54c6542b8adfce939e008e6c89f102cf4baeb74a4"
"kata-containers-cc-3.2.0.azl2.tar.gz": "49265e0ecd21af4ed8f23398d1e46ef9961786cb44f40fe582abff06c1c1a873",
"kata-containers-cc-3.2.0.azl2-cargo.tar.gz": "ddf919a672200f0fb53d1cb6c66d6b1c401cf26368541c750d9a12e62da605a1"
}
}


@ -12,7 +12,7 @@
%global debug_package %{nil}
Name: kata-containers-cc
Version: 3.2.0.azl1
Version: 3.2.0.azl2
Release: 1%{?dist}
Summary: Kata Confidential Containers package developed for Confidential Containers on AKS
License: ASL 2.0
@ -158,10 +158,9 @@ mkdir -p %{buildroot}%{share_kata}
mkdir -p %{buildroot}%{coco_path}/libexec
mkdir -p %{buildroot}/etc/systemd/system/containerd.service.d/
# for testing policy/snapshotter without SEV SNP we use CH (with kernel-uvm and initrd) instead of CH-CVM with IGVM
# Note: our kata-containers config toml expects cloud-hypervisor and kernel under a certain path/name, so we align this through symlinks here
ln -s /usr/bin/cloud-hypervisor %{buildroot}%{coco_bin}/cloud-hypervisor
ln -s /usr/bin/cloud-hypervisor-cvm %{buildroot}%{coco_bin}/cloud-hypervisor-snp
ln -s /usr/bin/cloud-hypervisor %{buildroot}%{coco_bin}/cloud-hypervisor-snp
# this is again for testing without SEV SNP
ln -s /usr/share/cloud-hypervisor/vmlinux.bin %{buildroot}%{share_kata}/vmlinux.container
@ -289,6 +288,10 @@ install -D -m 0755 %{_builddir}/%{name}-%{version}/tools/osbuilder/image-builder
%exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
%changelog
* Wed May 29 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl2-1
- Auto-upgrade to 3.2.0.azl2
- Update cloud-hypervisor-snp symlink to also point to /usr/bin/cloud-hypervisor
* Thu May 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl1-1
- Auto-upgrade to 3.2.0.azl1
- Remove opa
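Review bot: After the symlink change, `%{coco_bin}/cloud-hypervisor-snp` resolves to the non-confidential `/usr/bin/cloud-hypervisor` binary and the visible hunk no longer references `cloud-hypervisor-cvm` at all, so a kata config that selects the `-snp` path expecting the CVM hypervisor silently gets the plain one with nothing in the package to indicate it. The comment two lines above explains the testing rationale only for the first symlink and the kernel, and the changelog line "also point to /usr/bin/cloud-hypervisor" does not say whether this is a testing-only alias. Please extend the comment on the `-snp` line so the intent is explicit, e.g. `# cloud-hypervisor-snp is a testing alias for the non-CVM binary; an SEV-SNP production build must point it at the CVM hypervisor`, so the relaxation is not carried forward by accident.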


@ -2,7 +2,7 @@
"Signatures": {
"50-kata": "fb108c6337b3d3bf80b43ab04f2bf9a3bdecd29075ebd16320aefe8f81c502a7",
"mariner-build-uvm.sh": "a0fbee4def82ee492eab64a8b5a948c2fef125fa1ca5686aafa0a80c64144068",
"kata-containers-3.2.0.azl1-cargo.tar.gz": "9fb37f5141d09d359f9ddbd6588ddc0f0a58c20e7d8da3e96037f6549b283015",
"kata-containers-3.2.0.azl1.tar.gz": "140118610896fd3ef6c63649e06a9a4d2380dc1fbf2d82ec676245c06ffb6f36"
"kata-containers-3.2.0.azl2-cargo.tar.gz": "830c90cc6e44f492e6366012f8834ae6fc84bd790edf678c23003368c288b98c",
"kata-containers-3.2.0.azl2.tar.gz": "ab65f23787347fae11cf07e0a380e925e9f7b6f0f862ef6440a683b816206011"
}
}


@ -38,7 +38,7 @@
Summary: Kata Containers
Name: kata-containers
Version: 3.2.0.azl1
Version: 3.2.0.azl2
Release: 1%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
@ -215,6 +215,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime
%exclude %{kataosbuilderdir}/rootfs-builder/ubuntu
%changelog
* Wed May 29 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl2-1
- Auto-upgrade to 3.2.0.azl2
* Thu May 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.2.0.azl1-1
- Auto-upgrade to 3.2.0.azl1


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.158.1 Kernel Configuration
# Linux/x86_64 5.15.158.2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 5.15.158.1 Kernel Configuration
# Linux/arm64 5.15.158.2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,9 +1,9 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "30028d043a482088df75ef6a96a133e40fec8688cada0f9ec500859a64d29d1a",
"config_aarch64": "cbab8c30dee0480e67d0a61282b9eafb9e5aadb08e468074f454e8d0644ec801",
"config": "7650bca555140f8b2c2e6b03709da0a8d730993215e9d28751068c799100c7bf",
"config_aarch64": "1c9733a974fa2aa7f38ae3c05887921cb7e94db0f2d5e37f85780da5824dab38",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
"kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5"
"kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
}
}


@ -27,7 +27,7 @@
Summary: Linux Kernel
Name: kernel-azure
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -420,6 +420,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.158.1 Kernel Configuration
# Linux/x86_64 5.15.158.2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,7 +1,7 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "f471f62f07544a9a4fff98e849cb66d2cc47373f541129546efa19033b8bae4e",
"kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5"
"config": "c8c6eb36480dc13723e2c29f8df52b2557c88c5fd2c6b28acedd763f90954855",
"kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
}
}


@ -17,7 +17,7 @@
%define config_source %{SOURCE1}
Summary: Linux Kernel for HCI
Name: kernel-hci
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -547,6 +547,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -1,5 +1,5 @@
{
"Signatures": {
"kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5"
"kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
}
}


@ -11,7 +11,7 @@
Summary: Linux API header files
Name: kernel-headers
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -73,6 +73,12 @@ done
%endif
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.158.1 Kernel Configuration
# Linux/x86_64 5.15.158.2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,8 +1,8 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "5d89baeb6cecb07e605145ff17b896602368f56ab5e4e57130d85e284f515379",
"config": "4b6c625c8ac2a089f19b185efe07d0590be5733162ea7eb9b43f89c27ec4f451",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
"kernel-mos-5.15.158.1.tar.gz": "04e24215aca4887807e0aa04e546b6b05c9bd6fc689eedf37b221a82757c05a9"
"kernel-mos-5.15.158.2.tar.gz": "e55dcfc84a66b80fdeb3629daa38855b8ab9d9e567929ea13243be7194e66317"
}
}


@ -18,7 +18,7 @@
%define config_source %{SOURCE1}
Summary: Linux Kernel for MOS
Name: kernel-mos
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -377,6 +377,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Fri Jun 07 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.158.2-1
- Update to 5.15.158.2
* Wed May 08 2024 Gary Swalling <gaswal@microsoft.com> - 5.15.158.1-1
- Update to 5.15.158.1


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.126.mshv9 Kernel Configuration
# Linux/x86_64 5.15.157.mshv1 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y
@ -491,6 +491,8 @@ CONFIG_CPU_IBPB_ENTRY=y
CONFIG_CPU_IBRS_ENTRY=y
CONFIG_CPU_SRSO=y
# CONFIG_GDS_FORCE_MITIGATION is not set
CONFIG_MITIGATION_RFDS=y
CONFIG_MITIGATION_SPECTRE_BHI=y
CONFIG_ARCH_HAS_ADD_PAGES=y
CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
CONFIG_USE_PERCPU_NUMA_NODE_ID=y
@ -768,6 +770,9 @@ CONFIG_GCC_PLUGINS=y
# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
# CONFIG_GCC_PLUGIN_RANDSTRUCT is not set
CONFIG_FUNCTION_ALIGNMENT_4B=y
CONFIG_FUNCTION_ALIGNMENT_16B=y
CONFIG_FUNCTION_ALIGNMENT=16
# end of General architecture-dependent options
CONFIG_RT_MUTEXES=y
@ -1161,6 +1166,7 @@ CONFIG_NFT_HASH=m
CONFIG_NFT_TPROXY=m
# CONFIG_NFT_SYNPROXY is not set
# CONFIG_NF_FLOW_TABLE is not set
CONFIG_NF_FLOW_TABLE_PROCFS=y
CONFIG_NETFILTER_XTABLES=y
#
@ -1458,7 +1464,6 @@ CONFIG_NET_SCHED=y
#
# Queueing/Scheduling
#
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_HTB=m
CONFIG_NET_SCH_HFSC=m
CONFIG_NET_SCH_PRIO=m
@ -1472,7 +1477,6 @@ CONFIG_NET_SCH_TBF=m
CONFIG_NET_SCH_ETF=m
# CONFIG_NET_SCH_TAPRIO is not set
CONFIG_NET_SCH_GRED=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_NET_SCH_NETEM=m
CONFIG_NET_SCH_DRR=m
CONFIG_NET_SCH_MQPRIO=m
@ -1500,8 +1504,6 @@ CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_CLS_U32_PERF=y
CONFIG_CLS_U32_MARK=y
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_FLOW=m
CONFIG_NET_CLS_CGROUP=m
CONFIG_NET_CLS_BPF=m
@ -3649,7 +3651,6 @@ CONFIG_MFD_INTEL_LPSS_PCI=m
# CONFIG_MFD_SM501 is not set
# CONFIG_MFD_SKY81452 is not set
# CONFIG_MFD_SYSCON is not set
# CONFIG_MFD_TI_AM335X_TSCADC is not set
# CONFIG_MFD_LP3943 is not set
# CONFIG_MFD_LP8788 is not set
# CONFIG_MFD_TI_LMU is not set
@ -5164,18 +5165,28 @@ CONFIG_VIRTIO_PCI_LIB=y
CONFIG_VIRTIO_MENU=y
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_PCI_LEGACY=y
# CONFIG_VIRTIO_VDPA is not set
# CONFIG_VIRTIO_PMEM is not set
CONFIG_VIRTIO_BALLOON=y
CONFIG_VIRTIO_MEM=m
# CONFIG_VIRTIO_INPUT is not set
CONFIG_VIRTIO_MMIO=y
# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
# CONFIG_VDPA is not set
CONFIG_VDPA=m
CONFIG_VDPA_SIM=m
CONFIG_VDPA_SIM_NET=m
CONFIG_VDPA_SIM_BLOCK=m
# CONFIG_VDPA_USER is not set
# CONFIG_IFCVF is not set
# CONFIG_MLX5_VDPA_NET is not set
# CONFIG_VP_VDPA is not set
CONFIG_VHOST_IOTLB=m
CONFIG_VHOST_RING=m
CONFIG_VHOST=m
CONFIG_VHOST_MENU=y
CONFIG_VHOST_NET=m
CONFIG_VHOST_VSOCK=m
CONFIG_VHOST_VDPA=m
# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
#
@ -5185,6 +5196,7 @@ CONFIG_HYPERV=y
CONFIG_HYPERV_TIMER=y
CONFIG_HYPERV_UTILS=y
CONFIG_HYPERV_BALLOON=y
CONFIG_HYPERV_NONTLFS_HEADERS=y
CONFIG_MSHV=y
CONFIG_MSHV_ROOT=y
# CONFIG_MSHV_VTL is not set
@ -5472,12 +5484,17 @@ CONFIG_IIO_ST_ACCEL_I2C_3AXIS=m
# CONFIG_MAX9611 is not set
# CONFIG_MCP3422 is not set
# CONFIG_NAU7802 is not set
# CONFIG_STX104 is not set
# CONFIG_TI_ADC081C is not set
# CONFIG_TI_ADS1015 is not set
# CONFIG_XILINX_XADC is not set
# end of Analog to digital converters
#
# Analog to digital and digital to analog converters
#
# CONFIG_STX104 is not set
# end of Analog to digital and digital to analog converters
#
# Analog Front Ends
#
@ -6071,8 +6088,7 @@ CONFIG_NFS_DEBUG=y
CONFIG_NFS_DISABLE_UDP_SUPPORT=y
# CONFIG_NFS_V4_2_READ_PLUS is not set
CONFIG_NFSD=m
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3=y
# CONFIG_NFSD_V2 is not set
CONFIG_NFSD_V3_ACL=y
CONFIG_NFSD_V4=y
CONFIG_NFSD_PNFS=y
@ -6670,8 +6686,9 @@ CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=y
# CONFIG_DEBUG_INFO_DWARF4 is not set
# CONFIG_DEBUG_INFO_DWARF5 is not set
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_DEBUG_INFO_BTF=y
CONFIG_PAHOLE_HAS_SPLIT_BTF=y
CONFIG_DEBUG_INFO_BTF_MODULES=y
# CONFIG_GDB_SCRIPTS is not set
CONFIG_FRAME_WARN=2048
CONFIG_STRIP_ASM_SYMS=y


@ -1,8 +1,8 @@
{
"Signatures": {
"kernel-mshv-5.15.126.mshv9.tar.gz": "3ed864ec26340e02b95696784f870eee53ad1e0ba1f30bd9545704bb45a5a2f2",
"50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369",
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "b266255bd7dfef022aabb578cf928f3435025562a723a95fab6c2ee62acd00ea"
}
"Signatures": {
"50_mariner_mshv.cfg": "0a5fcad1efb1fd37f910f675c5303210a2aeeef9e089d804510ce40ff9b26369",
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "a83f8b5ccf093bae011d89575b410418e31f8705f6cf9ed291b0cfe1ea5896c9",
"kernel-mshv-5.15.157.mshv1.tar.gz": "8240745a0820ee383ebaf8750877c1189772dc0253cd0658deab199fb2140a4b"
}
}


@ -10,8 +10,8 @@
Summary: Mariner kernel that has MSHV Host support
Name: kernel-mshv
Version: 5.15.126.mshv9
Release: 3%{?dist}
Version: 5.15.157.mshv1
Release: 1%{?dist}
License: GPLv2
Group: Development/Tools
Vendor: Microsoft Corporation
@ -248,6 +248,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg
%{_includedir}/perf/perf_dlfilter.h
%changelog
* Tue May 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.157.mshv1-1
- Auto-upgrade to 5.15.157.mshv1
* Mon Apr 01 2024 Cameron Baird <cameronbaird@microsoft.com> - 5.15.126.mshv9-3
- Bump release to match kernel-mshv-signed package


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 6.1.0.mshv16 Kernel Configuration
# Linux/x86_64 6.1.58.mshv4 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y
@ -170,7 +170,8 @@ CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y
CONFIG_CC_HAS_INT128=y
CONFIG_CC_IMPLICIT_FALLTHROUGH="-Wimplicit-fallthrough=5"
CONFIG_GCC12_NO_ARRAY_BOUNDS=y
CONFIG_GCC11_NO_ARRAY_BOUNDS=y
CONFIG_CC_NO_ARRAY_BOUNDS=y
CONFIG_ARCH_SUPPORTS_INT128=y
# CONFIG_NUMA_BALANCING is not set
CONFIG_CGROUPS=y
@ -440,6 +441,8 @@ CONFIG_RETHUNK=y
CONFIG_CPU_UNRET_ENTRY=y
CONFIG_CPU_IBPB_ENTRY=y
CONFIG_CPU_IBRS_ENTRY=y
CONFIG_CPU_SRSO=y
# CONFIG_GDS_FORCE_MITIGATION is not set
CONFIG_ARCH_HAS_ADD_PAGES=y
CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
@ -596,6 +599,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y
CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
CONFIG_ARCH_HAS_SET_MEMORY=y
CONFIG_ARCH_HAS_SET_DIRECT_MAP=y
CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y
CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
CONFIG_ARCH_WANTS_NO_INSTR=y
@ -870,6 +874,7 @@ CONFIG_SECRETMEM=y
# CONFIG_ANON_VMA_NAME is not set
# CONFIG_USERFAULTFD is not set
# CONFIG_LRU_GEN is not set
CONFIG_LOCK_MM_AND_FIND_VMA=y
#
# Data Access Monitoring
@ -919,6 +924,7 @@ CONFIG_SYN_COOKIES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_TABLE_PERTURB_ORDER=16
# CONFIG_INET_DIAG is not set
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
@ -1268,12 +1274,9 @@ CONFIG_NET_SCH_FQ=y
#
CONFIG_NET_CLS=y
# CONFIG_NET_CLS_BASIC is not set
# CONFIG_NET_CLS_TCINDEX is not set
# CONFIG_NET_CLS_ROUTE4 is not set
# CONFIG_NET_CLS_FW is not set
# CONFIG_NET_CLS_U32 is not set
# CONFIG_NET_CLS_RSVP is not set
# CONFIG_NET_CLS_RSVP6 is not set
# CONFIG_NET_CLS_FLOW is not set
CONFIG_NET_CLS_CGROUP=y
# CONFIG_NET_CLS_BPF is not set
@ -1573,7 +1576,9 @@ CONFIG_VIRTIO_BLK=y
# CONFIG_MISC_RTSX_PCI is not set
# CONFIG_HABANA_AI is not set
# CONFIG_UACCE is not set
# CONFIG_PVPANIC is not set
CONFIG_PVPANIC=y
# CONFIG_PVPANIC_MMIO is not set
CONFIG_PVPANIC_PCI=y
# end of Misc devices
#
@ -2265,6 +2270,7 @@ CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
CONFIG_HYPERV=y
CONFIG_HYPERV_TIMER=y
# CONFIG_HYPERV_BALLOON is not set
# CONFIG_DXGKRNL is not set
# end of Microsoft Hyper-V guest support
# CONFIG_GREYBUS is not set
@ -2589,7 +2595,7 @@ CONFIG_CIFS_STATS2=y
# CONFIG_CIFS_SWN_UPCALL is not set
# CONFIG_CIFS_ROOT is not set
# CONFIG_SMB_SERVER is not set
CONFIG_SMBFS_COMMON=y
CONFIG_SMBFS=y
# CONFIG_CODA_FS is not set
# CONFIG_AFS_FS is not set
CONFIG_9P_FS=y
@ -3060,7 +3066,10 @@ CONFIG_OBJTOOL=y
#
# Generic Kernel Debugging Instruments
#
# CONFIG_MAGIC_SYSRQ is not set
CONFIG_MAGIC_SYSRQ=y
CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1
CONFIG_MAGIC_SYSRQ_SERIAL=y
CONFIG_MAGIC_SYSRQ_SERIAL_SEQUENCE=""
# CONFIG_DEBUG_FS is not set
CONFIG_HAVE_ARCH_KGDB=y
# CONFIG_KGDB is not set
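Review bot: `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=0x1` in the kernel-uvm config enables every SysRq function by default (for this option the value 1 means "enable all"; a narrower set is expressed as a bitmask of values greater than 1), and `CONFIG_MAGIC_SYSRQ_SERIAL=y` makes the sequence accepted on the guest's serial console. If SysRq is wanted only for debugging the Kata UVM, a restricted mask here, or a `kernel.sysrq` sysctl in the guest image, limits what is reachable from the console to the functions actually needed. The flip from `# CONFIG_MAGIC_SYSRQ is not set` is not mentioned in the kernel-uvm.spec changelog entry, which records only the version bump; a one-line rationale there, e.g. `- Enable MAGIC_SYSRQ (serial) for UVM debugging`, would tell future readers whether this was deliberate.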


@ -1,6 +1,6 @@
{
"Signatures": {
"config": "875ddf9294126989d10aeae4ab0fb31c0e4152d3f15c0a6fe8db29540576bd7c",
"kernel-uvm-6.1.0.mshv16.tar.gz": "f0453c3665387a2a87743782347dbccb6c0a2da1f1e9f35c04acd6ba9a9fd92c"
}
}
"Signatures": {
"config": "f94bc8a7c5e0507b3a19e0771ff0798862bac30aa5ababc0cc05ce60e3fdf9de",
"kernel-uvm-6.1.58.mshv4.tar.gz": "81ac99ab06cf7df0845f0bd596b394658fb3f1801d0ad985f5b64ffa3d90e80a"
}
}


@ -10,8 +10,8 @@
Summary: Linux Kernel for Kata UVM
Name: kernel-uvm
Version: 6.1.0.mshv16
Release: 2%{?dist}
Version: 6.1.58.mshv4
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
Distribution: Mariner
@ -154,6 +154,9 @@ find %{buildroot}/lib/modules -name '*.ko' -exec chmod u+x {} +
%{_prefix}/src/linux-headers-%{uname_r}
%changelog
* Tue May 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.1.58.mshv4-1
- Auto-upgrade to 6.1.58.mshv4
* Wed Mar 27 2024 Archana Choudhary <archana1@microsoft.com> - 6.1.0.mshv16-2
- Enable CIFS modules


@ -0,0 +1,3 @@
CVE-2022-38096 - in version 5.15.154.1
upstream: 517621b7060096e48e42f545fa6646fc00252eac
stable: 899e154f9546fcae18065d74064889d08fff62c2


@ -0,0 +1,3 @@
CVE-2023-47233 - in version 5.15.158.1
upstream: 0f7352557a35ab7888bc7831411ec8a3cbe20d78
stable: 8c36205123dc57349b59b4f1a2301eb278cbc731


@ -0,0 +1,3 @@
CVE-2023-52827 - ath12k driver support is not in 5.15.X
upstream introducing commit: d889913205cf7ebda905b1e62c5867ed4e39f6c2
upstream fix commit: 1bc44a505a229bb1dd4957e11aa594edeea3690e


@ -0,0 +1,3 @@
CVE-2024-25739 - in version 5.15.158.1
upstream: 68a24aba7c593eafa8fd00f2f76407b9b32b47a9
stable: 8ce982285414b741e2dd6ebb5a62e79dede44f7f


@ -0,0 +1,3 @@
CVE-2024-26902 - 5.15.X does not support RISCV_PMU_SBI
upstream introducing commit: e9991434596f5373dfd75857b445eb92a9253c56
upstream fix commit: 34b567868777e9fd39ec5333969728a7f0cf179c


@ -0,0 +1,3 @@
CVE-2024-26929 - in version 5.15.158.1
upstream: 82f522ae0d97119a43da53e0f729275691b9c525
stable: b03e626bd6d3f0684f56ee1890d70fc9ca991c04


@ -0,0 +1,3 @@
CVE-2024-26934 - in version 5.15.158.1
upstream: 80ba43e9f799cbdd83842fc27db667289b3150f5
stable: 1b175bc579f46520b11ecda443bcd2ee4904f66a


@ -0,0 +1,4 @@
CVE-2024-26949 - introducing commit not present in 5.15.159.1
(5.15.X does not support for getting power1_cap_min value for drm/amd/pm)
upstream introducing commit: 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb
upstream fix commit: 08ae9ef829b8055c2fdc8cfee37510c1f4721a07


@ -0,0 +1,2 @@
CVE-2024-26952 - Mariner does not enable ksmbd at this time (5.15.159.1-1)
Upstream commit: c6cd2e8d2d9aa7ee35b1fa6a668e32a22a9753da


@ -0,0 +1,3 @@
CVE-2024-26979 - in version 5.15.158.1
upstream: 517621b7060096e48e42f545fa6646fc00252eac
stable: 899e154f9546fcae18065d74064889d08fff62c2


@ -0,0 +1,3 @@
CVE-2024-27013 - in version 5.15.158.1
upstream: f8bbc07ac535593139c875ffa19af924b1084540
stable: a50dbeca28acf7051dfa92786b85f704c75db6eb


@ -0,0 +1,3 @@
CVE-2024-27015 - in version 5.15.158.1
upstream: 6db5dc7b351b9569940cd1cf445e237c42cd6d27
stable: e719b52d0c56989b0f3475a03a6d64f182c85b56


@ -0,0 +1,3 @@
CVE-2024-27016 - in version 5.15.158.1
upstream: 87b3593bed1868b2d9fe096c01bcdf0ea86cbebf
stable: d06977b9a4109f8738bb276125eb6a0b772bc433


@ -0,0 +1,3 @@
CVE-2024-27018 - in version 5.15.157.1
upstream: 751de2012eafa4d46d8081056761fa0e9cc8a178
stable: dceb683ab87ca3666a9bb5c0158528b646faedc4


@ -0,0 +1,3 @@
CVE-2024-27019 - in version 5.15.158.1
upstream: d78d867dcea69c328db30df665be5be7d0148484
stable: 379bf7257bc5f2a1b1ca8514e08a871b7bf6d920


@ -0,0 +1,3 @@
CVE-2024-27020 - in version 5.15.158.1
upstream: f969eb84ce482331a991079ab7a5c4dc3b7f89bf
stable: 0b6de00206adbbfc6373b3ae38d2a6f197987907


@ -0,0 +1,3 @@
CVE-2024-35978 - in version 5.15.158.1
upstream: 45d355a926ab40f3ae7bc0b0a00cb0e3e8a5a810
stable: 75193678cce993aa959e7764b6df2f599886dd06


@ -0,0 +1,3 @@
CVE-2024-35982 - in version 5.15.158.1
upstream: b1f532a3b1e6d2e5559c7ace49322922637a28aa
stable: 87b6af1a7683e021710c08fc0551fc078346032f


@ -0,0 +1,3 @@
CVE-2024-35984 - in version 5.15.158.1
upstream: 91811a31b68d3765b3065f4bb6d7d6d84a7cfc9f
stable: 5a09eae9a7db597fe0c1fc91636205b4a25d2620


@ -0,0 +1,3 @@
CVE-2024-35990 - in version 5.15.158.1
upstream: 244296cc3a155199a8b080d19e645d7d49081a38
stable: 0ccac964520a6f19e355652c8ca38af2a7f27076


@ -0,0 +1,3 @@
CVE-2024-35997 - in version 5.15.158.1
upstream: 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e
stable: b65fb50e04a95eec34a9d1bc138454a98a5578d8


@ -0,0 +1,3 @@
CVE-2024-36008 - in version 5.15.158.1
upstream: 58a4c9b1e5a3e53c9148e80b90e1e43897ce77d1
stable: 03b5a9b2b526862b21bcc31976e393a6e63785d1


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86_64 5.15.158.1 Kernel Configuration
# Linux/x86_64 5.15.158.2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
# Linux/arm64 5.15.158.1 Kernel Configuration
# Linux/arm64 5.15.158.2 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y


@ -1,9 +1,9 @@
{
"Signatures": {
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
"config": "ee6ff87ddcfc431a089479d1971e30bb0bc0498c4ec95a788460e5eac26f16f2",
"config_aarch64": "6fdb0d7e5d04ab07df019f15c6e2706450d456db8c3057fec3b90514597cdc93",
"config": "4c524dadcc8f306d8cd9e34ba5aa03cf1fb6b1f40fca0b811861ac09d916f4a8",
"config_aarch64": "764d801459dd24b7676b30a6fa05c68bf544ff8b577bd8085adbe01d56b8c697",
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
"kernel-5.15.158.1.tar.gz": "e0620c81b0e04721afc8213b596ea76d14b3270e902012bc602e3d55934360b5"
"kernel-5.15.158.2.tar.gz": "f1cd19f50f1f182f61cbaebfee52f344708b0a71bce03eabaf3772d4ecf05c8d"
}
}


@ -27,7 +27,7 @@
Summary: Linux Kernel
Name: kernel
Version: 5.15.158.1
Version: 5.15.158.2
Release: 1%{?dist}
License: GPLv2
Vendor: Microsoft Corporation
@ -426,6 +426,12 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
%{_sysconfdir}/bash_completion.d/bpftool
%changelog
* Fri Jun 07 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.15.158.2-1
- Revert to 5.15.158.2
* Wed May 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.159.1-1
- Auto-upgrade to 5.15.159.1
* Fri May 10 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.15.158.1-1
- Auto-upgrade to 5.15.158.1


@ -0,0 +1,200 @@
From acdb7b9731b3d1eb14352328d2976d4b7baaafea Mon Sep 17 00:00:00 2001
From: Mitch Zhu <mitchzhu@microsoft.com>
Date: Fri, 31 May 2024 17:00:00 +0000
Subject: [PATCH] Address CVE-2023-44487
---
.../grpc/internal/transport/http2_server.go | 11 +--
vendor/google.golang.org/grpc/server.go | 77 +++++++++++++------
2 files changed, 57 insertions(+), 31 deletions(-)
diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
index 3dd1564..9d9a3fd 100644
--- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
@@ -165,15 +165,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
ID: http2.SettingMaxFrameSize,
Val: http2MaxFrameLen,
}}
- // TODO(zhaoq): Have a better way to signal "no limit" because 0 is
- // permitted in the HTTP2 spec.
- maxStreams := config.MaxStreams
- if maxStreams == 0 {
- maxStreams = math.MaxUint32
- } else {
+ if config.MaxStreams != math.MaxUint32 {
isettings = append(isettings, http2.Setting{
ID: http2.SettingMaxConcurrentStreams,
- Val: maxStreams,
+ Val: config.MaxStreams,
})
}
dynamicWindow := true
@@ -252,7 +247,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
framer: framer,
readerDone: make(chan struct{}),
writerDone: make(chan struct{}),
- maxStreams: maxStreams,
+ maxStreams: config.MaxStreams,
inTapHandle: config.InTapHandle,
fc: &trInFlow{limit: uint32(icwz)},
state: reachable,
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index f4dde72..17d39cf 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -115,12 +115,6 @@ type serviceInfo struct {
mdata interface{}
}
-type serverWorkerData struct {
- st transport.ServerTransport
- wg *sync.WaitGroup
- stream *transport.Stream
-}
-
// Server is a gRPC server to serve RPC requests.
type Server struct {
opts serverOptions
@@ -145,7 +139,7 @@ type Server struct {
channelzID *channelz.Identifier
czData *channelzData
- serverWorkerChannels []chan *serverWorkerData
+ serverWorkerChannel chan func()
}
type serverOptions struct {
@@ -177,6 +171,7 @@ type serverOptions struct {
}
var defaultServerOptions = serverOptions{
+ maxConcurrentStreams: math.MaxUint32,
maxReceiveMessageSize: defaultServerMaxReceiveMessageSize,
maxSendMessageSize: defaultServerMaxSendMessageSize,
connectionTimeout: 120 * time.Second,
@@ -387,6 +382,9 @@ func MaxSendMsgSize(m int) ServerOption {
// MaxConcurrentStreams returns a ServerOption that will apply a limit on the number
// of concurrent streams to each ServerTransport.
func MaxConcurrentStreams(n uint32) ServerOption {
+ if n == 0 {
+ n = math.MaxUint32
+ }
return newFuncServerOption(func(o *serverOptions) {
o.maxConcurrentStreams = n
})
@@ -565,35 +563,31 @@ const serverWorkerResetThreshold = 1 << 16
// re-allocations (see the runtime.morestack problem [1]).
//
// [1] https://github.com/golang/go/issues/18138
-func (s *Server) serverWorker(ch chan *serverWorkerData) {
+func (s *Server) serverWorker() {
// To make sure all server workers don't reset at the same time, choose a
// random number of iterations before resetting.
threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold)
for completed := 0; completed < threshold; completed++ {
- data, ok := <-ch
+ f, ok := <-s.serverWorkerChannel
if !ok {
return
}
- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
- data.wg.Done()
+ f()
}
- go s.serverWorker(ch)
+ go s.serverWorker()
}
// initServerWorkers creates worker goroutines and channels to process incoming
// connections to reduce the time spent overall on runtime.morestack.
func (s *Server) initServerWorkers() {
- s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers)
+ s.serverWorkerChannel = make(chan func())
for i := uint32(0); i < s.opts.numServerWorkers; i++ {
- s.serverWorkerChannels[i] = make(chan *serverWorkerData)
- go s.serverWorker(s.serverWorkerChannels[i])
+ go s.serverWorker()
}
}
func (s *Server) stopServerWorkers() {
- for i := uint32(0); i < s.opts.numServerWorkers; i++ {
- close(s.serverWorkerChannels[i])
- }
+ close(s.serverWorkerChannel)
}
// NewServer creates a gRPC server which has no service registered and has not
@@ -945,13 +939,20 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
defer st.Close()
var wg sync.WaitGroup
- var roundRobinCounter uint32
+ streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams)
st.HandleStreams(func(stream *transport.Stream) {
wg.Add(1)
+
+ streamQuota.acquire()
+ f := func() {
+ defer streamQuota.release()
+ defer wg.Done()
+ s.handleStream(st, stream, s.traceInfo(st, stream))
+ }
+
if s.opts.numServerWorkers > 0 {
- data := &serverWorkerData{st: st, wg: &wg, stream: stream}
select {
- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data:
+ case s.serverWorkerChannel <- f:
default:
// If all stream workers are busy, fallback to the default code path.
go func() {
@@ -961,8 +962,7 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
}
} else {
go func() {
- defer wg.Done()
- s.handleStream(st, stream, s.traceInfo(st, stream))
+ go f()
}()
}
}, func(ctx context.Context, method string) context.Context {
@@ -1978,3 +1978,34 @@ type channelzServer struct {
func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric {
return c.s.channelzMetric()
}
+
+// atomicSemaphore implements a blocking, counting semaphore. acquire should be
+// called synchronously; release may be called asynchronously.
+type atomicSemaphore struct {
+ n atomic.Int64
+ wait chan struct{}
+}
+
+func (q *atomicSemaphore) acquire() {
+ if q.n.Add(-1) < 0 {
+ // We ran out of quota. Block until a release happens.
+ <-q.wait
+ }
+}
+
+func (q *atomicSemaphore) release() {
+ // N.B. the "<= 0" check below should allow for this to work with multiple
+ // concurrent calls to acquire, but also note that with synchronous calls to
+ // acquire, as our system does, n will never be less than -1. There are
+ // fairness issues (queuing) to consider if this was to be generalized.
+ if q.n.Add(1) <= 0 {
+ // An acquire was waiting on us. Unblock it.
+ q.wait <- struct{}{}
+ }
+}
+
+func newHandlerQuota(n uint32) *atomicSemaphore {
+ a := &atomicSemaphore{wait: make(chan struct{}, 1)}
+ a.n.Store(int64(n))
+ return a
+}
--
2.34.1
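Review bot: The `default:` fallback in `serveStreams` keeps its old body: the first hunk of that function ends on `go func() {` (old line 957) and the next hunk resumes at the closing `}` of that branch (old line 961), so the three lines in between — presumably the old `s.handleStream(...)` and `wg.Done()` — are untouched and never call `f`. Every stream that takes that path has already decremented the counter in `streamQuota.acquire()` but never runs `streamQuota.release()`, so with `numServerWorkers > 0` the semaphore drains permanently whenever the workers are busy and `HandleStreams` eventually blocks in `acquire()` for every new stream on that transport. The upstream form of this change dispatches `f` on all paths, which also removes the nested `go func() { go f() }()` in the else-branch that spawns two goroutines per stream. `serveStreams` continues outside the hunk.
```go
		if s.opts.numServerWorkers > 0 {
			select {
			case s.serverWorkerChannel <- f:
				return
			default:
				// All stream workers are busy: fall through to the default path.
			}
		}
		go f()
		// … unchanged: remainder of the HandleStreams callback and the context hook …
```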


@ -3,7 +3,7 @@
Summary: The open-source application container engine
Name: moby-engine
Version: 24.0.9
Release: 3%{?dist}
Release: 4%{?dist}
License: ASL 2.0
Group: Tools/Container
URL: https://mobyproject.org
@ -21,6 +21,7 @@ Patch1: CVE-2024-23651.patch
# Remove once we upgrade this package at least to version 25.0+.
Patch2: CVE-2024-23652.patch
Patch3: CVE-2023-45288.patch
Patch4: CVE-2023-44487.patch
%{?systemd_requires}
@ -126,6 +127,9 @@ fi
%{_unitdir}/*
%changelog
* Fri May 31 2024 Mitch Zhu <mitchzhu@microsoft.com> - 24.0.9-4
- Fix for CVE-2023-44487
* Fri May 03 2024 Chris Gunn <chrisgun@microsoft.com> - 24.0.9-3
- Fix for CVE-2023-45288


@ -0,0 +1,50 @@
From 901960817a6dc7b40c68c47bcd77037d5fc5d1ea Mon Sep 17 00:00:00 2001
From: Mitch Zhu <mitchzhu@microsoft.com>
Date: Wed, 29 May 2024 19:11:14 +0000
Subject: [PATCH] Address CVE-2023-21100
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
deps/v8/third_party/zlib/contrib/optimizations/inflate.c | 5 +++--
deps/v8/third_party/zlib/inflate.c | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
index 4841cd96..1007f062 100644
--- a/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
+++ b/deps/v8/third_party/zlib/contrib/optimizations/inflate.c
@@ -772,8 +772,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
diff --git a/deps/v8/third_party/zlib/inflate.c b/deps/v8/third_party/zlib/inflate.c
index 7543c33d..384af93f 100644
--- a/deps/v8/third_party/zlib/inflate.c
+++ b/deps/v8/third_party/zlib/inflate.c
@@ -761,8 +761,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.34.1


@ -1,111 +0,0 @@
From 32f468f1245574785ec080705737a579be1223aa Mon Sep 17 00:00:00 2001
From: Luke McFarlane <luke@innoware.com.au>
Date: Mon, 12 Feb 2024 13:22:18 +1100
Subject: [PATCH] lib: fixed CVE-2023-42282 and added unit test
Unit test code is not applicable for NodeJS sources hence not included.
diff --git a/deps/npm/node_modules/ip/lib/ip.js b/deps/npm/node_modules/ip/lib/ip.js
index 4b2adb5add..9022443ae5 100644
--- a/deps/npm/node_modules/ip/lib/ip.js
+++ b/deps/npm/node_modules/ip/lib/ip.js
@@ -306,12 +306,26 @@ ip.isEqual = function (a, b) {
};
ip.isPrivate = function (addr) {
- return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i
- .test(addr)
+ // check loopback addresses first
+ if (ip.isLoopback(addr)) {
+ return true;
+ }
+
+ // ensure the ipv4 address is valid
+ if (!ip.isV6Format(addr)) {
+ const ipl = ip.normalizeToLong(addr);
+ if (ipl < 0) {
+ throw new Error('invalid ipv4 address');
+ }
+ // normalize the address for the private range checks that follow
+ addr = ip.fromLong(ipl);
+ }
+
+ // check private ranges
+ return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
|| /^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
|| /^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i
.test(addr)
- || /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
|| /^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr)
|| /^f[cd][0-9a-f]{2}:/i.test(addr)
|| /^fe80:/i.test(addr)
@@ -324,9 +338,16 @@ ip.isPublic = function (addr) {
};
ip.isLoopback = function (addr) {
+ // If addr is an IPv4 address in long integer form (no dots and no colons), convert it
+ if (!/\./.test(addr) && !/:/.test(addr)) {
+ addr = ip.fromLong(Number(addr));
+ }
+
return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/
.test(addr)
- || /^fe80::1$/.test(addr)
+ || /^0177\./.test(addr)
+ || /^0x7f\./i.test(addr)
+ || /^fe80::1$/i.test(addr)
|| /^::1$/.test(addr)
|| /^::$/.test(addr);
};
@@ -420,3 +441,51 @@ ip.fromLong = function (ipl) {
ipl >> 8 & 255}.${
ipl & 255}`);
};
+
+ip.normalizeToLong = function (addr) {
+ const parts = addr.split('.').map(part => {
+ // Handle hexadecimal format
+ if (part.startsWith('0x') || part.startsWith('0X')) {
+ return parseInt(part, 16);
+ }
+ // Handle octal format (strictly digits 0-7 after a leading zero)
+ else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) {
+ return parseInt(part, 8);
+ }
+ // Handle decimal format, reject invalid leading zeros
+ else if (/^[1-9]\d*$/.test(part) || part === '0') {
+ return parseInt(part, 10);
+ }
+ // Return NaN for invalid formats to indicate parsing failure
+ else {
+ return NaN;
+ }
+ });
+
+ if (parts.some(isNaN)) return -1; // Indicate error with -1
+
+ let val = 0;
+ const n = parts.length;
+
+ switch (n) {
+ case 1:
+ val = parts[0];
+ break;
+ case 2:
+ if (parts[0] > 0xff || parts[1] > 0xffffff) return -1;
+ val = (parts[0] << 24) | (parts[1] & 0xffffff);
+ break;
+ case 3:
+ if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1;
+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff);
+ break;
+ case 4:
+ if (parts.some(part => part > 0xff)) return -1;
+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
+ break;
+ default:
+ return -1; // Error case
+ }
+
+ return val >>> 0;
+};



@ -1,31 +0,0 @@
From 9c2cf90e5b3952a202a0fb8435470eaa527d3f63 Mon Sep 17 00:00:00 2001
From: Suresh Thelkar <sthelkar@microsoft.com>
Date: Tue, 27 Feb 2024 10:24:03 +0530
Subject: [PATCH] Patch CVE-2024-24806
Upstream patch details are given below.
https://github.com/libuv/libuv/commit/0f2d7e784a256b54b2385043438848047bc2a629
---
deps/uv/src/idna.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/deps/uv/src/idna.c b/deps/uv/src/idna.c
index 93d982ca..197650af 100644
--- a/deps/uv/src/idna.c
+++ b/deps/uv/src/idna.c
@@ -308,8 +308,10 @@ long uv__idna_toascii(const char* s, const char* se, char* d, char* de) {
return rc;
}
- if (d < de)
- *d++ = '\0';
+ if (d >= de)
+ return UV_EINVAL;
+
+ *d++ = '\0';
return d - ds; /* Number of bytes written. */
}
--
2.34.1
