From 34502d0ddce7e1f42243346def2b472efdfcc02a Mon Sep 17 00:00:00 2001 
From: rlmenge Date: Tue, 30 Nov 2021 13:42:17 -0800 Subject: [PATCH] [dev] kernel: update to 5.10.78.1 (#1640) * Update kernel 5.10.78.1 * Add patch to fix linux license issue in headers * address additional CVE * Move patch for better readability --- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 7 ++++-- .../0002-add-linux-syscall-license-info.patch | 22 +++++++++++++++++++ .../hyperv-daemons.signatures.json | 2 +- SPECS/hyperv-daemons/hyperv-daemons.spec | 8 ++++++- .../0002-add-linux-syscall-license-info.patch | 22 +++++++++++++++++++ .../kernel-headers.signatures.json | 2 +- SPECS/kernel-headers/kernel-headers.spec | 10 +++++++-- .../0002-add-linux-syscall-license-info.patch | 22 +++++++++++++++++++ SPECS/kernel-hyperv/config | 2 +- .../kernel-hyperv.signatures.json | 4 ++-- SPECS/kernel-hyperv/kernel-hyperv.spec | 10 +++++++-- .../0002-add-linux-syscall-license-info.patch | 22 +++++++++++++++++++ SPECS/kernel/CVE-2021-42327.nopatch | 3 +++ SPECS/kernel/CVE-2021-42739.nopatch | 3 +++ SPECS/kernel/CVE-2021-43267.nopatch | 3 +++ SPECS/kernel/CVE-2021-43389.nopatch | 3 +++ SPECS/kernel/config | 2 +- SPECS/kernel/config_aarch64 | 2 +- SPECS/kernel/kernel.signatures.json | 6 ++--- SPECS/kernel/kernel.spec | 15 +++++++++++-- cgmanifest.json | 16 +++++++------- .../manifests/package/pkggen_core_aarch64.txt | 2 +- .../manifests/package/pkggen_core_x86_64.txt | 2 +- .../manifests/package/toolchain_aarch64.txt | 2 +- .../manifests/package/toolchain_x86_64.txt | 2 +- .../0002-add-linux-syscall-license-info.patch | 22 +++++++++++++++++++ .../scripts/toolchain/container/Dockerfile | 3 ++- .../toolchain/container/toolchain-sha256sums | 2 +- .../container/toolchain_build_in_chroot.sh | 10 +++++---- .../container/toolchain_build_temp_tools.sh | 10 +++++---- 30 files changed, 200 insertions(+), 41 deletions(-) create mode 100644 SPECS/hyperv-daemons/0002-add-linux-syscall-license-info.patch create mode 100644 SPECS/kernel-headers/0002-add-linux-syscall-license-info.patch 
create mode 100644 SPECS/kernel-hyperv/0002-add-linux-syscall-license-info.patch create mode 100644 SPECS/kernel/0002-add-linux-syscall-license-info.patch create mode 100644 SPECS/kernel/CVE-2021-42327.nopatch create mode 100644 SPECS/kernel/CVE-2021-42739.nopatch create mode 100644 SPECS/kernel/CVE-2021-43267.nopatch create mode 100644 SPECS/kernel/CVE-2021-43389.nopatch create mode 100644 toolkit/scripts/toolchain/container/0002-add-linux-syscall-license-info.patch diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index af73957d22..5151150f81 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -9,8 +9,8 @@ %define uname_r %{version}-%{release} Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} -Version: 5.10.74.1 -Release: 4%{?dist} +Version: 5.10.78.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -146,6 +146,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog +* Tue Nov 23 2021 Rachel Menge - 5.10.78.1-1 +- Update source to 5.10.78.1 + * Mon Nov 15 2021 Thomas Crian - 5.10.74.1-4 - Bump release number to match kernel release diff --git a/SPECS/hyperv-daemons/0002-add-linux-syscall-license-info.patch b/SPECS/hyperv-daemons/0002-add-linux-syscall-license-info.patch new file mode 100644 index 0000000000..49982cb6b3 --- /dev/null +++ b/SPECS/hyperv-daemons/0002-add-linux-syscall-license-info.patch 
@@ -0,0 +1,22 @@ +From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001 +From: Rachel +Date: Tue, 9 Nov 2021 12:21:01 -0500 +Subject: [PATCH] Add license info + +--- + include/uapi/misc/d3dkmthk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h +index e752fd5c87d0..bf4fc7228bac 100644 +--- a/include/uapi/misc/d3dkmthk.h ++++ b/include/uapi/misc/d3dkmthk.h +@@ -1,4 +1,4 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + + /* + * Copyright (c) 2019, Microsoft Corporation. +-- +2.17.1 + diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index cff15374b9..9e0e7a8941 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -7,6 +7,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.10.74.1.tar.gz": "0e850ae317bfee49f54bb42cc4a64c6849354de1a8a6ff4b3b581dd545f5660b" + "kernel-5.10.78.1.tar.gz": "bcdac539bf4a6c5a785406336ee9347f36b9c60024f99c5097096e2ddc61842c" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index ccf594c28b..10d0ca48ab 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,7 +8,7 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.10.74.1 +Version: 5.10.78.1 Release: 1%{?dist} License: GPLv2+ Vendor: Microsoft Corporation 
@@ -28,6 +28,7 @@ Source102: hypervvss.rules Source201: hypervfcopyd.service Source202: hypervfcopy.rules Patch0: 0001-clocksource-drivers-hyper-v-Re-enable-VDSO_CLOCKMODE.patch +Patch1: 0002-add-linux-syscall-license-info.patch BuildRequires: gcc Requires: hypervfcopyd = %{version}-%{release} Requires: hypervkvpd = %{version}-%{release} @@ -106,6 +107,7 @@ Contains tools and scripts useful for Hyper-V guests. %prep %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version} %patch0 -p1 +%patch1 -p1 %build pushd tools/hv @@ -221,6 +223,10 @@ fi %{_sbindir}/lsvmbus %changelog +* Mon Nov 08 2021 Rachel Menge - 5.10.78.1-1 +- Update source to 5.10.78.1 +- Add patch to fix SPDX-License-Identifier in headers + * Tue Oct 19 2021 Rachel Menge - 5.10.74.1-1 - Update source to 5.10.74.1 - License verified diff --git a/SPECS/kernel-headers/0002-add-linux-syscall-license-info.patch b/SPECS/kernel-headers/0002-add-linux-syscall-license-info.patch new file mode 100644 index 0000000000..49982cb6b3 --- /dev/null +++ b/SPECS/kernel-headers/0002-add-linux-syscall-license-info.patch @@ -0,0 +1,22 @@ +From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001 +From: Rachel +Date: Tue, 9 Nov 2021 12:21:01 -0500 +Subject: [PATCH] Add license info + +--- + include/uapi/misc/d3dkmthk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h +index e752fd5c87d0..bf4fc7228bac 100644 +--- a/include/uapi/misc/d3dkmthk.h ++++ b/include/uapi/misc/d3dkmthk.h +@@ -1,4 +1,4 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + + /* + * Copyright (c) 2019, Microsoft Corporation. +-- +2.17.1 + diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 736782125f..9191e35fc4 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json 
+++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.10.74.1.tar.gz": "0e850ae317bfee49f54bb42cc4a64c6849354de1a8a6ff4b3b581dd545f5660b" + "kernel-5.10.78.1.tar.gz": "bcdac539bf4a6c5a785406336ee9347f36b9c60024f99c5097096e2ddc61842c" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index df88d4ec81..c6853a73bf 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,7 +1,7 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.10.74.1 -Release: 4%{?dist} +Version: 5.10.78.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -10,6 +10,7 @@ URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel #Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/%%{version}.tar.gz Source0: kernel-%{version}.tar.gz Patch0: 0001-clocksource-drivers-hyper-v-Re-enable-VDSO_CLOCKMODE.patch +Patch1: 0002-add-linux-syscall-license-info.patch # Historical name shipped by other distros Provides: glibc-kernheaders = %{version}-%{release} BuildArch: noarch @@ -20,6 +21,7 @@ The Linux API Headers expose the kernel's API for use by Glibc. %prep %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version} %patch0 -p1 +%patch1 -p1 %build make mrproper @@ -39,6 +41,10 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Tue Nov 23 2021 Rachel Menge - 5.10.78.1-1 +- Update source to 5.10.78.1 +- Add patch to fix SPDX-License-Identifier in headers + * Mon Nov 15 2021 Thomas Crian - 5.10.74.1-4 - Bump release number to match kernel release - Lint spec and version the glibc-kernheaders provides diff --git a/SPECS/kernel-hyperv/0002-add-linux-syscall-license-info.patch b/SPECS/kernel-hyperv/0002-add-linux-syscall-license-info.patch new file mode 100644 index 0000000000..49982cb6b3 --- /dev/null 
+++ b/SPECS/kernel-hyperv/0002-add-linux-syscall-license-info.patch @@ -0,0 +1,22 @@ +From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001 +From: Rachel +Date: Tue, 9 Nov 2021 12:21:01 -0500 +Subject: [PATCH] Add license info + +--- + include/uapi/misc/d3dkmthk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h +index e752fd5c87d0..bf4fc7228bac 100644 +--- a/include/uapi/misc/d3dkmthk.h ++++ b/include/uapi/misc/d3dkmthk.h +@@ -1,4 +1,4 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + + /* + * Copyright (c) 2019, Microsoft Corporation. +-- +2.17.1 + diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index b99ac33f3c..db33c716ee 100644 --- a/SPECS/kernel-hyperv/config +++ b/SPECS/kernel-hyperv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.74.1 Kernel Configuration +# Linux/x86_64 5.10.78.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index 0ee0e50e70..de360ee9b6 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json @@ -1,8 +1,8 @@ { "Signatures": { "cbl-mariner-ca-20210127.pem": "82363cb44e786353936abc2e2d62d9325cacf2d9e9a8ebaf4221ea30a9e0cd7b", - "config": "71fd965c0fc1bb33be23b4ae088f9f308189360864c30a7aaaccccc4dc0d0f1b", - "kernel-5.10.74.1.tar.gz": "0e850ae317bfee49f54bb42cc4a64c6849354de1a8a6ff4b3b581dd545f5660b", + "config": "5c9cb509368cc241ceb4e6946335483ee74c6b317a5ecc3d2e046ee66cc210a7", + "kernel-5.10.78.1.tar.gz": "bcdac539bf4a6c5a785406336ee9347f36b9c60024f99c5097096e2ddc61842c", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } \ No newline at end of file 
diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index d43e5c1ccd..b688bbca0d 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec @@ -3,8 +3,8 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.10.74.1 -Release: 3%{?dist} +Version: 5.10.78.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -17,6 +17,7 @@ Source2: sha512hmac-openssl.sh Source3: cbl-mariner-ca-20210127.pem Patch0: 0001-clocksource-drivers-hyper-v-Re-enable-VDSO_CLOCKMODE.patch Patch1: pthread_stack_min_int_cast.patch +Patch2: 0002-add-linux-syscall-license-info.patch BuildRequires: audit-devel BuildRequires: bash BuildRequires: bc @@ -94,6 +95,7 @@ This package contains the 'perf' performance analysis tools for Linux kernel. %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build make mrproper @@ -271,6 +273,10 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Tue Nov 23 2021 Rachel Menge - 5.10.78.1-1 +- Update source to 5.10.78.1 +- Add patch to fix SPDX-License-Identifier in headers + * Thu Nov 04 2021 Andrew Phelps - 5.10.74.1-3 - Bump release number to match kernel release diff --git a/SPECS/kernel/0002-add-linux-syscall-license-info.patch b/SPECS/kernel/0002-add-linux-syscall-license-info.patch new file mode 100644 index 0000000000..49982cb6b3 --- /dev/null +++ b/SPECS/kernel/0002-add-linux-syscall-license-info.patch 
@@ -0,0 +1,22 @@ +From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001 +From: Rachel +Date: Tue, 9 Nov 2021 12:21:01 -0500 +Subject: [PATCH] Add license info + +--- + include/uapi/misc/d3dkmthk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h +index e752fd5c87d0..bf4fc7228bac 100644 +--- a/include/uapi/misc/d3dkmthk.h ++++ b/include/uapi/misc/d3dkmthk.h +@@ -1,4 +1,4 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + + /* + * Copyright (c) 2019, Microsoft Corporation. +-- +2.17.1 + diff --git a/SPECS/kernel/CVE-2021-42327.nopatch b/SPECS/kernel/CVE-2021-42327.nopatch new file mode 100644 index 0000000000..269521490e --- /dev/null +++ b/SPECS/kernel/CVE-2021-42327.nopatch @@ -0,0 +1,3 @@ +CVE-2021-42327 - already patched in 5.10.78.1 stable kernel +Upstream: 5afa7898ab7a0ec9c28556a91df714bf3c2f725e +Stable: c21b4002214c1c7e7b627b9b53375612f7aab6db \ No newline at end of file diff --git a/SPECS/kernel/CVE-2021-42739.nopatch b/SPECS/kernel/CVE-2021-42739.nopatch new file mode 100644 index 0000000000..8608b2fcc1 --- /dev/null +++ b/SPECS/kernel/CVE-2021-42739.nopatch @@ -0,0 +1,3 @@ +CVE-2021-42739 - already patched in 5.10.78.1 stable kernel +Upstream: 35d2969ea3c7d32aee78066b1f3cf61a0d935a4e +Stable: d7fc85f6104259541ec136199d3bf7c8a736613d \ No newline at end of file diff --git a/SPECS/kernel/CVE-2021-43267.nopatch b/SPECS/kernel/CVE-2021-43267.nopatch new file mode 100644 index 0000000000..ace4909ceb --- /dev/null +++ b/SPECS/kernel/CVE-2021-43267.nopatch @@ -0,0 +1,3 @@ +CVE-2021-43267 - already patched in 5.10.78.1 stable kernel +Upstream: fa40d9734a57bcbfa79a280189799f76c88f7bb0 +Stable: 0b1b3e086b0af2c2faa9938c4db956fe6ce5c965 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2021-43389.nopatch b/SPECS/kernel/CVE-2021-43389.nopatch new file mode 100644 index 0000000000..2db5ab70fd --- /dev/null 
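Review bot: The new `CVE-2021-42327.nopatch` record gives the upstream and stable commit hashes but not the stable release that first carried the fix, so the file alone cannot show why 5.10.78.1 is considered fixed. The same applies to `CVE-2021-42739.nopatch`, `CVE-2021-43267.nopatch` and `CVE-2021-43389.nopatch`. Since these records exist to override the automated CVE tooling, as the comment in kernel.spec says, a fourth line such as `Fixed in stable: <STABLE_RELEASE_PLACEHOLDER>` would let an auditor check the claim without resolving the hashes. The hashes themselves cannot be confirmed from this page.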
+++ b/SPECS/kernel/CVE-2021-43389.nopatch @@ -0,0 +1,3 @@ +CVE-2021-43389 - already patched in 5.10.78.1 stable kernel +Upstream: 1f3e2e97c003f80c4b087092b225c8787ff91e4d +Stable: 7f221ccbee4ec662e2292d490a43ce6c314c4594 \ No newline at end of file diff --git a/SPECS/kernel/config b/SPECS/kernel/config index 5f1dfa1bd0..8fa4b5232a 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.74.1 Kernel Configuration +# Linux/x86_64 5.10.78.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 57c714580a..5cfc1c5c62 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.74.1 Kernel Configuration +# Linux/arm64 5.10.78.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0" CONFIG_CC_IS_GCC=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 669b5e1adc..835dad9850 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,9 +1,9 @@ { "Signatures": { "cbl-mariner-ca-20210127.pem": "82363cb44e786353936abc2e2d62d9325cacf2d9e9a8ebaf4221ea30a9e0cd7b", - "config": "4d28f8ca5e343153336ddc8b909e66e96a61d66bea824045bab5f8c81dd8646d", - "config_aarch64": "a75ce60e164b2456fec4a3829220f7640488bc1012cad51510df24617e44be2d", - "kernel-5.10.74.1.tar.gz": "0e850ae317bfee49f54bb42cc4a64c6849354de1a8a6ff4b3b581dd545f5660b", + "config": "c8f541df81fb7f88142c1c61931b790fc2e9ec90551d8b4c7d755c92e3934107", + "config_aarch64": "cafcfdf2395aa6c1001049d6a9c68cbbd55a68cd3a0c13106e6267259fad1845", + "kernel-5.10.78.1.tar.gz": "bcdac539bf4a6c5a785406336ee9347f36b9c60024f99c5097096e2ddc61842c", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } 
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 1324c75f56..b769895ef1 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -3,8 +3,8 @@ %define uname_r %{version}-%{release} Summary: Linux Kernel Name: kernel -Version: 5.10.74.1 -Release: 4%{?dist} +Version: 5.10.78.1 +Release: 1%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ Source3: sha512hmac-openssl.sh Source4: cbl-mariner-ca-20210127.pem Patch0: 0001-clocksource-drivers-hyper-v-Re-enable-VDSO_CLOCKMODE.patch Patch1: pthread_stack_min_int_cast.patch +Patch2: 0002-add-linux-syscall-license-info.patch # Kernel CVEs are addressed by moving to a newer version of the stable kernel. # Since kernel CVEs are filed against the upstream kernel version and not the # stable kernel version, our automated tooling will still flag the CVE as not @@ -217,6 +218,10 @@ Patch1178: CVE-2021-3653.nopatch Patch1179: CVE-2021-42008.nopatch Patch1180: CVE-2021-41864.nopatch Patch1181: CVE-2021-42252.nopatch +Patch1182: CVE-2021-43267.nopatch +Patch1183: CVE-2021-42739.nopatch +Patch1184: CVE-2021-42327.nopatch +Patch1185: CVE-2021-43389.nopatch BuildRequires: audit-devel BuildRequires: bash BuildRequires: bc @@ -334,6 +339,7 @@ manipulation of eBPF programs and maps. %setup -q -n CBL-Mariner-Linux-Kernel-rolling-lts-mariner-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build make mrproper @@ -583,6 +589,11 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue Nov 23 2021 Rachel Menge - 5.10.78.1-1 +- Update source to 5.10.78.1 +- Address CVE-2021-43267, CVE-2021-42739, CVE-2021-42327, CVE-2021-43389 +- Add patch to fix SPDX-License-Identifier in headers + * Mon Nov 15 2021 Thomas Crain - 5.10.74.1-4 - Add python3-perf subpackage and add python3-devel to build-time requirements - Exclude accessibility modules from main package to avoid subpackage conflict 
diff --git a/cgmanifest.json b/cgmanifest.json index 96d8b44fa2..6850d5276d 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2349,8 +2349,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.10.74.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.74.1.tar.gz" + "version": "5.10.78.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.78.1.tar.gz" } } }, @@ -2709,8 +2709,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.10.74.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.74.1.tar.gz" + "version": "5.10.78.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.78.1.tar.gz" } } }, @@ -2719,8 +2719,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.10.74.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.74.1.tar.gz" + "version": "5.10.78.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.78.1.tar.gz" } } }, @@ -2729,8 +2729,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.10.74.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.74.1.tar.gz" + "version": "5.10.78.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.78.1.tar.gz" } } }, diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index dbc11b72e5..3bd0d93cc0 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,5 +1,5 @@ filesystem-1.1-8.cm2.aarch64.rpm -kernel-headers-5.10.74.1-4.cm2.noarch.rpm +kernel-headers-5.10.78.1-1.cm2.noarch.rpm glibc-2.34-2.cm2.aarch64.rpm glibc-devel-2.34-2.cm2.aarch64.rpm glibc-i18n-2.34-2.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 2f395ab0b7..98ef40418a 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,5 +1,5 @@ filesystem-1.1-8.cm2.x86_64.rpm -kernel-headers-5.10.74.1-4.cm2.noarch.rpm +kernel-headers-5.10.78.1-1.cm2.noarch.rpm glibc-2.34-2.cm2.x86_64.rpm glibc-devel-2.34-2.cm2.x86_64.rpm glibc-i18n-2.34-2.cm2.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 1199e8450e..a61cafbb63 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt @@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.aarch64.rpm kbd-debuginfo-2.2.0-1.cm2.aarch64.rpm -kernel-headers-5.10.74.1-4.cm2.noarch.rpm +kernel-headers-5.10.78.1-1.cm2.noarch.rpm kmod-25-6.cm2.aarch64.rpm kmod-debuginfo-25-6.cm2.aarch64.rpm kmod-devel-25-6.cm2.aarch64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index c1c48ca04d..d68dbcb477 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt 
@@ -136,7 +136,7 @@ intltool-0.51.0-7.cm2.noarch.rpm itstool-2.0.6-4.cm2.noarch.rpm kbd-2.2.0-1.cm2.x86_64.rpm kbd-debuginfo-2.2.0-1.cm2.x86_64.rpm -kernel-headers-5.10.74.1-4.cm2.noarch.rpm +kernel-headers-5.10.78.1-1.cm2.noarch.rpm kmod-25-6.cm2.x86_64.rpm kmod-debuginfo-25-6.cm2.x86_64.rpm kmod-devel-25-6.cm2.x86_64.rpm diff --git a/toolkit/scripts/toolchain/container/0002-add-linux-syscall-license-info.patch b/toolkit/scripts/toolchain/container/0002-add-linux-syscall-license-info.patch new file mode 100644 index 0000000000..49982cb6b3 --- /dev/null +++ b/toolkit/scripts/toolchain/container/0002-add-linux-syscall-license-info.patch @@ -0,0 +1,22 @@ +From aef4c9944d4dd8f5686823aa74fb54505a6983b4 Mon Sep 17 00:00:00 2001 +From: Rachel +Date: Tue, 9 Nov 2021 12:21:01 -0500 +Subject: [PATCH] Add license info + +--- + include/uapi/misc/d3dkmthk.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/misc/d3dkmthk.h b/include/uapi/misc/d3dkmthk.h +index e752fd5c87d0..bf4fc7228bac 100644 +--- a/include/uapi/misc/d3dkmthk.h ++++ b/include/uapi/misc/d3dkmthk.h +@@ -1,4 +1,4 @@ +-/* SPDX-License-Identifier: GPL-2.0 */ ++/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ + + /* + * Copyright (c) 2019, Microsoft Corporation. +-- +2.17.1 + diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index e25758df84..096800a1cf 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile @@ -61,6 +61,7 @@ COPY [ "./toolchain-sha256sums", \ "./rpm-define-RPM-LD-FLAGS.patch", \ "./linker-script-readonly-keyword-support.patch", \ "./toolchain-jdk8-wget.sh", \ + "./0002-add-linux-syscall-license-info.patch", \ "$LFS/tools/" ] # Download source, then create lfs user and group. 
@@ -70,7 +71,7 @@ COPY [ "./toolchain-sha256sums", \ WORKDIR $LFS/sources RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.74.1.tar.gz -O kernel-5.10.74.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.78.1.tar.gz -O kernel-5.10.78.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN /tools/toolchain-jdk8-wget.sh; exit 0 RUN sha256sum -c $LFS/tools/toolchain-sha256sums && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums index 9ca314e68b..029957452f 100644 --- a/toolkit/scripts/toolchain/container/toolchain-sha256sums +++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums 
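Review bot: The updated kernel fetch still ends in `; exit 0`, so a failed or truncated download of `kernel-5.10.78.1.tar.gz` is not reported at this step and only surfaces as a mismatch at the `RUN sha256sum -c $LFS/tools/toolchain-sha256sums` step a few lines below. That pinned hash, updated in this same commit, is the real integrity gate for the tarball, so the result is safe but harder to diagnose. If the error masking is intentional, a comment above the line such as `# Best-effort fetch; the tarball is verified by sha256sum -c below` would record it. Separately, `-O` writes relative to the working directory, so `--directory-prefix=$LFS/sources` appears to have no effect on this line, which works only because of the preceding `WORKDIR $LFS/sources`. The `sha256sum` RUN continues past the end of the hunk.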
@@ -56,7 +56,7 @@ b725c9b2e9793df7bf5d4d300390db11aa27bd98df9f33021d539be9bd603846 jdk8u212-b04-j 13ae78908151ad88ee3b375c72ca3f55a82b5265a3faba97f224f2a9b9d486fc jdk8u212-b04-nashorn.tar.bz2 6d28bdd752c056de98f6faf897b338d6ce8938810d72a69c2f5c1d81d628d44a jdk8u212-b04.tar.bz2 f882210b76376e3fa006b11dbd890e56ec0942bc56e65d1249ff4af86f90b857 kbproto-1.0.7.tar.bz2 -0e850ae317bfee49f54bb42cc4a64c6849354de1a8a6ff4b3b581dd545f5660b kernel-5.10.74.1.tar.gz +bcdac539bf4a6c5a785406336ee9347f36b9c60024f99c5097096e2ddc61842c kernel-5.10.78.1.tar.gz b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176 libarchive-3.4.2.tar.gz b630b7c484271b3ba867680d6a14b10a86cfa67247a14631b14c06731d5a458b libcap-2.26.tar.xz c97da36d2e56a2d7b6e4f896241785acc95e97eb9557465fd66ba2a155a7b201 libdmx-1.1.3.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index b32755313f..f2201a1193 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh @@ -67,14 +67,16 @@ set -e # cd /sources -echo Linux-5.10.74.1 API Headers -tar xf kernel-5.10.74.1.tar.gz -pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.74.1 +echo Linux-5.10.78.1 API Headers +tar xf kernel-5.10.78.1.tar.gz +cp /tools/0002-add-linux-syscall-license-info.patch CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.78.1/ +pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.78.1 +patch -p1 -i 0002-add-linux-syscall-license-info.patch make mrproper make headers cp -rv usr/include/* /usr/include popd -rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.74.1 +rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.78.1 touch /logs/status_kernel_headers_complete echo 6.8. Man-pages-5.02 
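Review bot: In the toolchain_build_in_chroot.sh hunk the patch is copied into the extracted tree only to be applied from there. Calling `patch -p1 -i /tools/0002-add-linux-syscall-license-info.patch` after the `pushd` applies it in one step and removes the `cp` line. The version string 5.10.78.1 now appears five times in the new lines; a single assignment such as `kernel_version=5.10.78.1`, used as `"kernel-${kernel_version}.tar.gz"`, would make the next bump a one-line change and rule out a mismatch between the `tar`, `pushd` and `rm -rf` paths. The same lines are added in toolchain_build_temp_tools.sh. The surrounding script starts and ends outside the hunk.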
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index ad957c88be..2e5c1e0fb6 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -114,14 +114,16 @@ rm -rf gcc-11.2.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -echo Linux-5.10.74.1 API Headers -tar xf kernel-5.10.74.1.tar.gz -pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.74.1 +echo Linux-5.10.78.1 API Headers +tar xf kernel-5.10.78.1.tar.gz +cp /tools/0002-add-linux-syscall-license-info.patch CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.78.1/ +pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.78.1 +patch -p1 -i 0002-add-linux-syscall-license-info.patch make mrproper make headers cp -rv usr/include/* /tools/include popd -rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.74.1 +rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.78.1 touch $LFS/logs/temptoolchain/status_kernel_headers_complete
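Review bot: Nothing visible in this hunk shows the script running under `set -e`, so if the added `cp` or `patch` fails, `make headers` and `cp -rv usr/include/* /tools/include` would still install the unpatched header and `status_kernel_headers_complete` would still be touched. The matching hunk in toolchain_build_in_chroot.sh shows `set -e` in its hunk header, but this one does not, and the rest of the script is outside the hunk. If the option is not set earlier in the file, `patch -p1 -i 0002-add-linux-syscall-license-info.patch || exit 1` makes the failure explicit at the point it happens.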