-rw-r--r--documentation/ref-manual/variables.rst2
-rw-r--r--meta-poky/conf/distro/poky.conf2
-rw-r--r--meta/conf/bitbake.conf2
-rw-r--r--meta/lib/oeqa/sdk/cases/buildcpio.py2
-rw-r--r--meta/lib/oeqa/selftest/cases/meta_ide.py2
-rw-r--r--meta/recipes-bsp/grub/grub2.inc1
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-1.patch1918
-rw-r--r--meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-2.patch129
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.2.6.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.2.4.bb)4
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch57
-rw-r--r--meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch32
-rw-r--r--meta/recipes-core/busybox/busybox_1.36.1.bb2
-rw-r--r--meta/recipes-core/expat/expat/CVE-2024-8176-03.patch35
-rw-r--r--meta/recipes-core/expat/expat/CVE-2024-8176-04.patch115
-rw-r--r--meta/recipes-core/expat/expat/CVE-2024-8176-05.patch78
-rw-r--r--meta/recipes-core/expat/expat_2.6.4.bb3
-rw-r--r--meta/recipes-core/images/build-appliance-image_15.0.0.bb2
-rw-r--r--meta/recipes-devtools/go/go-1.22.12.inc1
-rw-r--r--meta/recipes-devtools/go/go/CVE-2025-47906.patch183
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch134
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch41
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch36
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb3
-rw-r--r--meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb4
-rw-r--r--meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb19
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.6.0.bb4
-rw-r--r--meta/recipes-multimedia/pulseaudio/pulseaudio.inc2
-rwxr-xr-xscripts/install-buildtools4
28 files changed, 755 insertions, 2062 deletions
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 66410f17d1..b8ef6b1546 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -8828,7 +8828,7 @@ system and gives an overview of their function and contents.
8828 directory for the build host. 8828 directory for the build host.
8829 8829
8830 :term:`STAGING_DIR` 8830 :term:`STAGING_DIR`
8831 Helps construct the ``recipe-sysroots`` directory, which is used 8831 Helps construct the ``recipe-sysroot*`` directories, which are used
8832 during packaging. 8832 during packaging.
8833 8833
8834 For information on how staging for recipe-specific sysroots occurs, 8834 For information on how staging for recipe-specific sysroots occurs,
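--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,6 +1,6 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
-DISTRO_VERSION = "5.0.12"
+DISTRO_VERSION = "5.0.13"
 DISTRO_CODENAME = "scarthgap"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"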
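--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -703,7 +703,7 @@ DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
 GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
 GNOME_GIT = "git://gitlab.gnome.org/GNOME"
 GNOME_MIRROR = "https://download.gnome.org/sources/"
-GNU_MIRROR = "https://ftp.gnu.org/gnu"
+GNU_MIRROR = "https://ftpmirror.gnu.org/gnu"
 GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
 GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
 KERNELORG_MIRROR = "https://cdn.kernel.org/pub"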
diff --git a/meta/lib/oeqa/sdk/cases/buildcpio.py b/meta/lib/oeqa/sdk/cases/buildcpio.py
index ab8fc41876..4148463267 100644
--- a/meta/lib/oeqa/sdk/cases/buildcpio.py
+++ b/meta/lib/oeqa/sdk/cases/buildcpio.py
@@ -24,7 +24,7 @@ class BuildCpioTest(OESDKTestCase):
24 24
25 def test_cpio(self): 25 def test_cpio(self):
26 with tempfile.TemporaryDirectory(prefix="cpio-", dir=self.tc.sdk_dir) as testdir: 26 with tempfile.TemporaryDirectory(prefix="cpio-", dir=self.tc.sdk_dir) as testdir:
27 tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftp.gnu.org/gnu/cpio/cpio-2.15.tar.gz") 27 tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.15.tar.gz")
28 28
29 dirs = {} 29 dirs = {}
30 dirs["source"] = os.path.join(testdir, "cpio-2.15") 30 dirs["source"] = os.path.join(testdir, "cpio-2.15")
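Review bot: The archive fetched in `test_cpio` now comes through `ftpmirror.gnu.org`, which redirects each request to one of many third-party mirrors, and nothing visible in this hunk checks the tarball's digest before it is unpacked and built. If `self.fetch` does not already verify the download (its body is not shown here), compare it with a pinned value, for example `self.assertEqual(hashlib.sha256(open(tarball, "rb").read()).hexdigest(), CPIO_SHA256)`, where `CPIO_SHA256` is a placeholder for the published digest of cpio-2.15.tar.gz. The same URL change in `test_meta_ide_can_build_cpio_project` in meta_ide.py hands the mirror URL to `SDKBuildProject` and deserves the same check. `test_cpio` continues past the end of the hunk.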
diff --git a/meta/lib/oeqa/selftest/cases/meta_ide.py b/meta/lib/oeqa/selftest/cases/meta_ide.py
index 5a17ca52ea..086aac2655 100644
--- a/meta/lib/oeqa/selftest/cases/meta_ide.py
+++ b/meta/lib/oeqa/selftest/cases/meta_ide.py
@@ -44,7 +44,7 @@ class MetaIDE(OESelftestTestCase):
44 def test_meta_ide_can_build_cpio_project(self): 44 def test_meta_ide_can_build_cpio_project(self):
45 dl_dir = self.td.get('DL_DIR', None) 45 dl_dir = self.td.get('DL_DIR', None)
46 self.project = SDKBuildProject(self.tmpdir_metaideQA + "/cpio/", self.environment_script_path, 46 self.project = SDKBuildProject(self.tmpdir_metaideQA + "/cpio/", self.environment_script_path,
47 "https://ftp.gnu.org/gnu/cpio/cpio-2.15.tar.gz", 47 "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.15.tar.gz",
48 self.tmpdir_metaideQA, self.td['DATETIME'], dl_dir=dl_dir) 48 self.tmpdir_metaideQA, self.td['DATETIME'], dl_dir=dl_dir)
49 self.project.download_archive() 49 self.project.download_archive()
50 self.assertEqual(self.project.run_configure('$CONFIGURE_FLAGS'), 0, 50 self.assertEqual(self.project.run_configure('$CONFIGURE_FLAGS'), 0,
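--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -45,6 +45,7 @@ SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154
 CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
 CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedora"
 CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora"
+CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu"
 
 DEPENDS = "flex-native bison-native gettext-native"
 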
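Review bot: The new `CVE_STATUS[CVE-2024-2312]` entry records the conclusion but not the evidence, so a later audit cannot tell which component was judged Ubuntu-only or re-check that this recipe's sources and patches do not carry it. A comment above the line would close that gap, e.g. `# CVE-2024-2312: affected code presumably ships only in Ubuntu's downstream GRUB packaging, see <advisory URL>` (the URL is a placeholder and the wording should be confirmed against the advisory). The three neighbouring `not-applicable-platform` entries have the same gap.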
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-1.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-1.patch
deleted file mode 100644
index eb3fc52dca..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-1.patch
+++ /dev/null
@@ -1,1918 +0,0 @@
1From 14ac0f0e4e1f36793d09b41ffd5e482575289ab2 Mon Sep 17 00:00:00 2001
2From: Danny Tsen <dtsen@us.ibm.com>
3Date: Tue, 11 Feb 2025 13:48:01 -0500
4Subject: [PATCH] Fix Minerva timing side-channel signal for P-384 curve on PPC
5
61. bn_ppc.c: Used bn_mul_mont_int() instead of bn_mul_mont_300_fixed_n6()
7 for Montgomery multiplication.
82. ecp_nistp384-ppc64.pl:
9 - Re-wrote p384_felem_mul and p384_felem_square for easier maintenance with
10 minumum perl wrapper.
11 - Implemented p384_felem_reduce, p384_felem_mul_reduce and p384_felem_square_reduce.
12 - Implemented p384_felem_diff64, felem_diff_128_64 and felem_diff128 in assembly.
133. ecp_nistp384.c:
14 - Added wrapper function for p384_felem_mul_reduce and p384_felem_square_reduce.
15
16Signed-off-by: Danny Tsen <dtsen@us.ibm.com>
17
18Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
19Reviewed-by: Tomas Mraz <tomas@openssl.org>
20(Merged from https://github.com/openssl/openssl/pull/26709)
21
22(cherry picked from commit 85cabd94958303859b1551364a609d4ff40b67a5)
23
24CVE: CVE-2025-27587
25Upstream-Status: Backport [https://github.com/openssl/openssl/commit/14ac0f0e4e1f36793d09b41ffd5e482575289ab2]
26Signed-off-by: Peter Marko <peter.marko@siemens.com>
27---
28 crypto/bn/bn_ppc.c | 3 +
29 crypto/ec/asm/ecp_nistp384-ppc64.pl | 1724 +++++++++++++++++++++++----
30 crypto/ec/ecp_nistp384.c | 28 +-
31 3 files changed, 1504 insertions(+), 251 deletions(-)
32
33diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c
34index 1e9421bee2..29293bad55 100644
35--- a/crypto/bn/bn_ppc.c
36+++ b/crypto/bn/bn_ppc.c
37@@ -41,12 +41,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
38 */
39
40 #if defined(_ARCH_PPC64) && !defined(__ILP32__)
41+ /* Minerva side-channel fix danny */
42+# if defined(USE_FIXED_N6)
43 if (num == 6) {
44 if (OPENSSL_ppccap_P & PPC_MADD300)
45 return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
46 else
47 return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
48 }
49+# endif
50 #endif
51
52 return bn_mul_mont_int(rp, ap, bp, np, n0, num);
53diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl
54index 28f4168e52..b663bddfc6 100755
55--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl
56+++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl
57@@ -7,13 +7,15 @@
58 # https://www.openssl.org/source/license.html
59 #
60 # ====================================================================
61-# Written by Rohan McLure <rmclure@linux.ibm.com> for the OpenSSL
62-# project.
63+# Written by Danny Tsen <dtsen@us.ibm.com> # for the OpenSSL project.
64+#
65+# Copyright 2025- IBM Corp.
66 # ====================================================================
67 #
68-# p384 lower-level primitives for PPC64 using vector instructions.
69+# p384 lower-level primitives for PPC64.
70 #
71
72+
73 use strict;
74 use warnings;
75
76@@ -21,7 +23,7 @@ my $flavour = shift;
77 my $output = "";
78 while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
79 if (!$output) {
80- $output = "-";
81+ $output = "-";
82 }
83
84 my ($xlate, $dir);
85@@ -35,271 +37,1495 @@ open OUT,"| \"$^X\" $xlate $flavour $output";
86
87 my $code = "";
88
89-my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
90-
91-my $vzero = "v32";
92-
93-sub startproc($)
94-{
95- my ($name) = @_;
96-
97- $code.=<<___;
98- .globl ${name}
99- .align 5
100-${name}:
101-
102-___
103-}
104-
105-sub endproc($)
106-{
107- my ($name) = @_;
108-
109- $code.=<<___;
110- blr
111- .size ${name},.-${name}
112-
113-___
114-}
115-
116-sub load_vrs($$)
117-{
118- my ($pointer, $reg_list) = @_;
119-
120- for (my $i = 0; $i <= 6; $i++) {
121- my $offset = $i * 8;
122- $code.=<<___;
123- lxsd $reg_list->[$i],$offset($pointer)
124-___
125- }
126-
127- $code.=<<___;
128-
129-___
130-}
131-
132-sub store_vrs($$)
133-{
134- my ($pointer, $reg_list) = @_;
135-
136- for (my $i = 0; $i <= 12; $i++) {
137- my $offset = $i * 16;
138- $code.=<<___;
139- stxv $reg_list->[$i],$offset($pointer)
140-___
141- }
142-
143- $code.=<<___;
144-
145-___
146-}
147-
148 $code.=<<___;
149-.machine "any"
150+.machine "any"
151 .text
152
153-___
154+.globl p384_felem_mul
155+.type p384_felem_mul,\@function
156+.align 4
157+p384_felem_mul:
158
159-{
160- # mul/square common
161- my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43");
162- my ($zero, $one) = ("r8", "r9");
163- my $out = "v51";
164+ stdu 1, -176(1)
165+ mflr 0
166+ std 14, 56(1)
167+ std 15, 64(1)
168+ std 16, 72(1)
169+ std 17, 80(1)
170+ std 18, 88(1)
171+ std 19, 96(1)
172+ std 20, 104(1)
173+ std 21, 112(1)
174+ std 22, 120(1)
175
176- {
177- #
178- # p384_felem_mul
179- #
180+ bl _p384_felem_mul_core
181
182- my ($in1p, $in2p) = ("r4", "r5");
183- my @in1 = map("v$_",(44..50));
184- my @in2 = map("v$_",(35..41));
185+ mtlr 0
186+ ld 14, 56(1)
187+ ld 15, 64(1)
188+ ld 16, 72(1)
189+ ld 17, 80(1)
190+ ld 18, 88(1)
191+ ld 19, 96(1)
192+ ld 20, 104(1)
193+ ld 21, 112(1)
194+ ld 22, 120(1)
195+ addi 1, 1, 176
196+ blr
197+.size p384_felem_mul,.-p384_felem_mul
198
199- startproc("p384_felem_mul");
200+.globl p384_felem_square
201+.type p384_felem_square,\@function
202+.align 4
203+p384_felem_square:
204
205- $code.=<<___;
206- vspltisw $vzero,0
207+ stdu 1, -176(1)
208+ mflr 0
209+ std 14, 56(1)
210+ std 15, 64(1)
211+ std 16, 72(1)
212+ std 17, 80(1)
213
214-___
215+ bl _p384_felem_square_core
216
217- load_vrs($in1p, \@in1);
218- load_vrs($in2p, \@in2);
219-
220- $code.=<<___;
221- vmsumudm $out,$in1[0],$in2[0],$vzero
222- stxv $out,0($outp)
223-
224- xxpermdi $t1,$in1[0],$in1[1],0b00
225- xxpermdi $t2,$in2[1],$in2[0],0b00
226- vmsumudm $out,$t1,$t2,$vzero
227- stxv $out,16($outp)
228-
229- xxpermdi $t2,$in2[2],$in2[1],0b00
230- vmsumudm $out,$t1,$t2,$vzero
231- vmsumudm $out,$in1[2],$in2[0],$out
232- stxv $out,32($outp)
233-
234- xxpermdi $t2,$in2[1],$in2[0],0b00
235- xxpermdi $t3,$in1[2],$in1[3],0b00
236- xxpermdi $t4,$in2[3],$in2[2],0b00
237- vmsumudm $out,$t1,$t4,$vzero
238- vmsumudm $out,$t3,$t2,$out
239- stxv $out,48($outp)
240-
241- xxpermdi $t2,$in2[4],$in2[3],0b00
242- xxpermdi $t4,$in2[2],$in2[1],0b00
243- vmsumudm $out,$t1,$t2,$vzero
244- vmsumudm $out,$t3,$t4,$out
245- vmsumudm $out,$in1[4],$in2[0],$out
246- stxv $out,64($outp)
247-
248- xxpermdi $t2,$in2[5],$in2[4],0b00
249- xxpermdi $t4,$in2[3],$in2[2],0b00
250- vmsumudm $out,$t1,$t2,$vzero
251- vmsumudm $out,$t3,$t4,$out
252- xxpermdi $t4,$in2[1],$in2[0],0b00
253- xxpermdi $t1,$in1[4],$in1[5],0b00
254- vmsumudm $out,$t1,$t4,$out
255- stxv $out,80($outp)
256-
257- xxpermdi $t1,$in1[0],$in1[1],0b00
258- xxpermdi $t2,$in2[6],$in2[5],0b00
259- xxpermdi $t4,$in2[4],$in2[3],0b00
260- vmsumudm $out,$t1,$t2,$vzero
261- vmsumudm $out,$t3,$t4,$out
262- xxpermdi $t2,$in2[2],$in2[1],0b00
263- xxpermdi $t1,$in1[4],$in1[5],0b00
264- vmsumudm $out,$t1,$t2,$out
265- vmsumudm $out,$in1[6],$in2[0],$out
266- stxv $out,96($outp)
267-
268- xxpermdi $t1,$in1[1],$in1[2],0b00
269- xxpermdi $t2,$in2[6],$in2[5],0b00
270- xxpermdi $t3,$in1[3],$in1[4],0b00
271- vmsumudm $out,$t1,$t2,$vzero
272- vmsumudm $out,$t3,$t4,$out
273- xxpermdi $t3,$in2[2],$in2[1],0b00
274- xxpermdi $t1,$in1[5],$in1[6],0b00
275- vmsumudm $out,$t1,$t3,$out
276- stxv $out,112($outp)
277-
278- xxpermdi $t1,$in1[2],$in1[3],0b00
279- xxpermdi $t3,$in1[4],$in1[5],0b00
280- vmsumudm $out,$t1,$t2,$vzero
281- vmsumudm $out,$t3,$t4,$out
282- vmsumudm $out,$in1[6],$in2[2],$out
283- stxv $out,128($outp)
284-
285- xxpermdi $t1,$in1[3],$in1[4],0b00
286- vmsumudm $out,$t1,$t2,$vzero
287- xxpermdi $t1,$in1[5],$in1[6],0b00
288- vmsumudm $out,$t1,$t4,$out
289- stxv $out,144($outp)
290-
291- vmsumudm $out,$t3,$t2,$vzero
292- vmsumudm $out,$in1[6],$in2[4],$out
293- stxv $out,160($outp)
294-
295- vmsumudm $out,$t1,$t2,$vzero
296- stxv $out,176($outp)
297-
298- vmsumudm $out,$in1[6],$in2[6],$vzero
299- stxv $out,192($outp)
300-___
301+ mtlr 0
302+ ld 14, 56(1)
303+ ld 15, 64(1)
304+ ld 16, 72(1)
305+ ld 17, 80(1)
306+ addi 1, 1, 176
307+ blr
308+.size p384_felem_square,.-p384_felem_square
309
310- endproc("p384_felem_mul");
311- }
312+#
313+# Felem mul core function -
314+# r3, r4 and r5 need to pre-loaded.
315+#
316+.type _p384_felem_mul_core,\@function
317+.align 4
318+_p384_felem_mul_core:
319
320- {
321- #
322- # p384_felem_square
323- #
324+ ld 6,0(4)
325+ ld 14,0(5)
326+ ld 7,8(4)
327+ ld 15,8(5)
328+ ld 8,16(4)
329+ ld 16,16(5)
330+ ld 9,24(4)
331+ ld 17,24(5)
332+ ld 10,32(4)
333+ ld 18,32(5)
334+ ld 11,40(4)
335+ ld 19,40(5)
336+ ld 12,48(4)
337+ ld 20,48(5)
338
339- my ($inp) = ("r4");
340- my @in = map("v$_",(44..50));
341- my @inx2 = map("v$_",(35..41));
342+ # out0
343+ mulld 21, 14, 6
344+ mulhdu 22, 14, 6
345+ std 21, 0(3)
346+ std 22, 8(3)
347
348- startproc("p384_felem_square");
349+ vxor 0, 0, 0
350
351- $code.=<<___;
352- vspltisw $vzero,0
353+ # out1
354+ mtvsrdd 32+13, 14, 6
355+ mtvsrdd 32+14, 7, 15
356+ vmsumudm 1, 13, 14, 0
357
358-___
359+ # out2
360+ mtvsrdd 32+15, 15, 6
361+ mtvsrdd 32+16, 7, 16
362+ mtvsrdd 32+17, 0, 8
363+ mtvsrdd 32+18, 0, 14
364+ vmsumudm 19, 15, 16, 0
365+ vmsumudm 2, 17, 18, 19
366
367- load_vrs($inp, \@in);
368+ # out3
369+ mtvsrdd 32+13, 16, 6
370+ mtvsrdd 32+14, 7, 17
371+ mtvsrdd 32+15, 14, 8
372+ mtvsrdd 32+16, 9, 15
373+ vmsumudm 19, 13, 14, 0
374+ vmsumudm 3, 15, 16, 19
375
376- $code.=<<___;
377- li $zero,0
378- li $one,1
379- mtvsrdd $t1,$one,$zero
380-___
381+ # out4
382+ mtvsrdd 32+13, 17, 6
383+ mtvsrdd 32+14, 7, 18
384+ mtvsrdd 32+15, 15, 8
385+ mtvsrdd 32+16, 9, 16
386+ mtvsrdd 32+17, 0, 10
387+ mtvsrdd 32+18, 0, 14
388+ vmsumudm 19, 13, 14, 0
389+ vmsumudm 4, 15, 16, 19
390+ vmsumudm 4, 17, 18, 4
391
392- for (my $i = 0; $i <= 6; $i++) {
393- $code.=<<___;
394- vsld $inx2[$i],$in[$i],$t1
395-___
396- }
397-
398- $code.=<<___;
399- vmsumudm $out,$in[0],$in[0],$vzero
400- stxv $out,0($outp)
401-
402- vmsumudm $out,$in[0],$inx2[1],$vzero
403- stxv $out,16($outp)
404-
405- vmsumudm $out,$in[0],$inx2[2],$vzero
406- vmsumudm $out,$in[1],$in[1],$out
407- stxv $out,32($outp)
408-
409- xxpermdi $t1,$in[0],$in[1],0b00
410- xxpermdi $t2,$inx2[3],$inx2[2],0b00
411- vmsumudm $out,$t1,$t2,$vzero
412- stxv $out,48($outp)
413-
414- xxpermdi $t4,$inx2[4],$inx2[3],0b00
415- vmsumudm $out,$t1,$t4,$vzero
416- vmsumudm $out,$in[2],$in[2],$out
417- stxv $out,64($outp)
418-
419- xxpermdi $t2,$inx2[5],$inx2[4],0b00
420- vmsumudm $out,$t1,$t2,$vzero
421- vmsumudm $out,$in[2],$inx2[3],$out
422- stxv $out,80($outp)
423-
424- xxpermdi $t2,$inx2[6],$inx2[5],0b00
425- vmsumudm $out,$t1,$t2,$vzero
426- vmsumudm $out,$in[2],$inx2[4],$out
427- vmsumudm $out,$in[3],$in[3],$out
428- stxv $out,96($outp)
429-
430- xxpermdi $t3,$in[1],$in[2],0b00
431- vmsumudm $out,$t3,$t2,$vzero
432- vmsumudm $out,$in[3],$inx2[4],$out
433- stxv $out,112($outp)
434-
435- xxpermdi $t1,$in[2],$in[3],0b00
436- vmsumudm $out,$t1,$t2,$vzero
437- vmsumudm $out,$in[4],$in[4],$out
438- stxv $out,128($outp)
439-
440- xxpermdi $t1,$in[3],$in[4],0b00
441- vmsumudm $out,$t1,$t2,$vzero
442- stxv $out,144($outp)
443-
444- vmsumudm $out,$in[4],$inx2[6],$vzero
445- vmsumudm $out,$in[5],$in[5],$out
446- stxv $out,160($outp)
447-
448- vmsumudm $out,$in[5],$inx2[6],$vzero
449- stxv $out,176($outp)
450-
451- vmsumudm $out,$in[6],$in[6],$vzero
452- stxv $out,192($outp)
453-___
454+ # out5
455+ mtvsrdd 32+13, 18, 6
456+ mtvsrdd 32+14, 7, 19
457+ mtvsrdd 32+15, 16, 8
458+ mtvsrdd 32+16, 9, 17
459+ mtvsrdd 32+17, 14, 10
460+ mtvsrdd 32+18, 11, 15
461+ vmsumudm 19, 13, 14, 0
462+ vmsumudm 5, 15, 16, 19
463+ vmsumudm 5, 17, 18, 5
464+
465+ stxv 32+1, 16(3)
466+ stxv 32+2, 32(3)
467+ stxv 32+3, 48(3)
468+ stxv 32+4, 64(3)
469+ stxv 32+5, 80(3)
470+
471+ # out6
472+ mtvsrdd 32+13, 19, 6
473+ mtvsrdd 32+14, 7, 20
474+ mtvsrdd 32+15, 17, 8
475+ mtvsrdd 32+16, 9, 18
476+ mtvsrdd 32+17, 15, 10
477+ mtvsrdd 32+18, 11, 16
478+ vmsumudm 19, 13, 14, 0
479+ vmsumudm 6, 15, 16, 19
480+ mtvsrdd 32+13, 0, 12
481+ mtvsrdd 32+14, 0, 14
482+ vmsumudm 19, 17, 18, 6
483+ vmsumudm 6, 13, 14, 19
484+
485+ # out7
486+ mtvsrdd 32+13, 19, 7
487+ mtvsrdd 32+14, 8, 20
488+ mtvsrdd 32+15, 17, 9
489+ mtvsrdd 32+16, 10, 18
490+ mtvsrdd 32+17, 15, 11
491+ mtvsrdd 32+18, 12, 16
492+ vmsumudm 19, 13, 14, 0
493+ vmsumudm 7, 15, 16, 19
494+ vmsumudm 7, 17, 18, 7
495+
496+ # out8
497+ mtvsrdd 32+13, 19, 8
498+ mtvsrdd 32+14, 9, 20
499+ mtvsrdd 32+15, 17, 10
500+ mtvsrdd 32+16, 11, 18
501+ mtvsrdd 32+17, 0, 12
502+ mtvsrdd 32+18, 0, 16
503+ vmsumudm 19, 13, 14, 0
504+ vmsumudm 8, 15, 16, 19
505+ vmsumudm 8, 17, 18, 8
506+
507+ # out9
508+ mtvsrdd 32+13, 19, 9
509+ mtvsrdd 32+14, 10, 20
510+ mtvsrdd 32+15, 17, 11
511+ mtvsrdd 32+16, 12, 18
512+ vmsumudm 19, 13, 14, 0
513+ vmsumudm 9, 15, 16, 19
514+
515+ # out10
516+ mtvsrdd 32+13, 19, 10
517+ mtvsrdd 32+14, 11, 20
518+ mtvsrdd 32+15, 0, 12
519+ mtvsrdd 32+16, 0, 18
520+ vmsumudm 19, 13, 14, 0
521+ vmsumudm 10, 15, 16, 19
522+
523+ # out11
524+ mtvsrdd 32+17, 19, 11
525+ mtvsrdd 32+18, 12, 20
526+ vmsumudm 11, 17, 18, 0
527+
528+ stxv 32+6, 96(3)
529+ stxv 32+7, 112(3)
530+ stxv 32+8, 128(3)
531+ stxv 32+9, 144(3)
532+ stxv 32+10, 160(3)
533+ stxv 32+11, 176(3)
534+
535+ # out12
536+ mulld 21, 20, 12
537+ mulhdu 22, 20, 12 # out12
538+
539+ std 21, 192(3)
540+ std 22, 200(3)
541+
542+ blr
543+.size _p384_felem_mul_core,.-_p384_felem_mul_core
544+
545+#
546+# Felem square core function -
547+# r3 and r4 need to pre-loaded.
548+#
549+.type _p384_felem_square_core,\@function
550+.align 4
551+_p384_felem_square_core:
552+
553+ ld 6, 0(4)
554+ ld 7, 8(4)
555+ ld 8, 16(4)
556+ ld 9, 24(4)
557+ ld 10, 32(4)
558+ ld 11, 40(4)
559+ ld 12, 48(4)
560+
561+ vxor 0, 0, 0
562+
563+ # out0
564+ mulld 14, 6, 6
565+ mulhdu 15, 6, 6
566+ std 14, 0(3)
567+ std 15, 8(3)
568+
569+ # out1
570+ add 14, 6, 6
571+ mtvsrdd 32+13, 0, 14
572+ mtvsrdd 32+14, 0, 7
573+ vmsumudm 1, 13, 14, 0
574+
575+ # out2
576+ mtvsrdd 32+15, 7, 14
577+ mtvsrdd 32+16, 7, 8
578+ vmsumudm 2, 15, 16, 0
579+
580+ # out3
581+ add 15, 7, 7
582+ mtvsrdd 32+13, 8, 14
583+ mtvsrdd 32+14, 15, 9
584+ vmsumudm 3, 13, 14, 0
585+
586+ # out4
587+ mtvsrdd 32+13, 9, 14
588+ mtvsrdd 32+14, 15, 10
589+ mtvsrdd 32+15, 0, 8
590+ vmsumudm 4, 13, 14, 0
591+ vmsumudm 4, 15, 15, 4
592+
593+ # out5
594+ mtvsrdd 32+13, 10, 14
595+ mtvsrdd 32+14, 15, 11
596+ add 16, 8, 8
597+ mtvsrdd 32+15, 0, 16
598+ mtvsrdd 32+16, 0, 9
599+ vmsumudm 5, 13, 14, 0
600+ vmsumudm 5, 15, 16, 5
601+
602+ stxv 32+1, 16(3)
603+ stxv 32+2, 32(3)
604+ stxv 32+3, 48(3)
605+ stxv 32+4, 64(3)
606+
607+ # out6
608+ mtvsrdd 32+13, 11, 14
609+ mtvsrdd 32+14, 15, 12
610+ mtvsrdd 32+15, 9, 16
611+ mtvsrdd 32+16, 9, 10
612+ stxv 32+5, 80(3)
613+ vmsumudm 19, 13, 14, 0
614+ vmsumudm 6, 15, 16, 19
615+
616+ # out7
617+ add 17, 9, 9
618+ mtvsrdd 32+13, 11, 15
619+ mtvsrdd 32+14, 16, 12
620+ mtvsrdd 32+15, 0, 17
621+ mtvsrdd 32+16, 0, 10
622+ vmsumudm 19, 13, 14, 0
623+ vmsumudm 7, 15, 16, 19
624+
625+ # out8
626+ mtvsrdd 32+13, 11, 16
627+ mtvsrdd 32+14, 17, 12
628+ mtvsrdd 32+15, 0, 10
629+ vmsumudm 19, 13, 14, 0
630+ vmsumudm 8, 15, 15, 19
631+
632+ # out9
633+ add 14, 10, 10
634+ mtvsrdd 32+13, 11, 17
635+ mtvsrdd 32+14, 14, 12
636+ vmsumudm 9, 13, 14, 0
637+
638+ # out10
639+ mtvsrdd 32+13, 11, 14
640+ mtvsrdd 32+14, 11, 12
641+ vmsumudm 10, 13, 14, 0
642+
643+ stxv 32+6, 96(3)
644+ stxv 32+7, 112(3)
645+
646+ # out11
647+ #add 14, 11, 11
648+ #mtvsrdd 32+13, 0, 14
649+ #mtvsrdd 32+14, 0, 12
650+ #vmsumudm 11, 13, 14, 0
651+
652+ mulld 6, 12, 11
653+ mulhdu 7, 12, 11
654+ addc 8, 6, 6
655+ adde 9, 7, 7
656+
657+ stxv 32+8, 128(3)
658+ stxv 32+9, 144(3)
659+ stxv 32+10, 160(3)
660+ #stxv 32+11, 176(3)
661+
662+ # out12
663+ mulld 14, 12, 12
664+ mulhdu 15, 12, 12
665+
666+ std 8, 176(3)
667+ std 9, 184(3)
668+ std 14, 192(3)
669+ std 15, 200(3)
670+
671+ blr
672+.size _p384_felem_square_core,.-_p384_felem_square_core
673+
674+#
675+# widefelem (128 bits) * 8
676+#
677+.macro F128_X_8 _off1 _off2
678+ ld 9,\\_off1(3)
679+ ld 8,\\_off2(3)
680+ srdi 10,9,61
681+ rldimi 10,8,3,0
682+ sldi 9,9,3
683+ std 9,\\_off1(3)
684+ std 10,\\_off2(3)
685+.endm
686+
687+.globl p384_felem128_mul_by_8
688+.type p384_felem128_mul_by_8, \@function
689+.align 4
690+p384_felem128_mul_by_8:
691+
692+ F128_X_8 0, 8
693+
694+ F128_X_8 16, 24
695+
696+ F128_X_8 32, 40
697+
698+ F128_X_8 48, 56
699+
700+ F128_X_8 64, 72
701+
702+ F128_X_8 80, 88
703+
704+ F128_X_8 96, 104
705+
706+ F128_X_8 112, 120
707+
708+ F128_X_8 128, 136
709+
710+ F128_X_8 144, 152
711+
712+ F128_X_8 160, 168
713+
714+ F128_X_8 176, 184
715+
716+ F128_X_8 192, 200
717+
718+ blr
719+.size p384_felem128_mul_by_8,.-p384_felem128_mul_by_8
720+
721+#
722+# widefelem (128 bits) * 2
723+#
724+.macro F128_X_2 _off1 _off2
725+ ld 9,\\_off1(3)
726+ ld 8,\\_off2(3)
727+ srdi 10,9,63
728+ rldimi 10,8,1,0
729+ sldi 9,9,1
730+ std 9,\\_off1(3)
731+ std 10,\\_off2(3)
732+.endm
733+
734+.globl p384_felem128_mul_by_2
735+.type p384_felem128_mul_by_2, \@function
736+.align 4
737+p384_felem128_mul_by_2:
738+
739+ F128_X_2 0, 8
740+
741+ F128_X_2 16, 24
742+
743+ F128_X_2 32, 40
744+
745+ F128_X_2 48, 56
746+
747+ F128_X_2 64, 72
748+
749+ F128_X_2 80, 88
750+
751+ F128_X_2 96, 104
752+
753+ F128_X_2 112, 120
754+
755+ F128_X_2 128, 136
756+
757+ F128_X_2 144, 152
758+
759+ F128_X_2 160, 168
760+
761+ F128_X_2 176, 184
762+
763+ F128_X_2 192, 200
764+
765+ blr
766+.size p384_felem128_mul_by_2,.-p384_felem128_mul_by_2
767+
768+.globl p384_felem_diff128
769+.type p384_felem_diff128, \@function
770+.align 4
771+p384_felem_diff128:
772+
773+ addis 5, 2, .LConst_two127\@toc\@ha
774+ addi 5, 5, .LConst_two127\@toc\@l
775+
776+ ld 10, 0(3)
777+ ld 8, 8(3)
778+ li 9, 0
779+ addc 10, 10, 9
780+ li 7, -1
781+ rldicr 7, 7, 0, 0 # two127
782+ adde 8, 8, 7
783+ ld 11, 0(4)
784+ ld 12, 8(4)
785+ subfc 11, 11, 10
786+ subfe 12, 12, 8
787+ std 11, 0(3) # out0
788+ std 12, 8(3)
789+
790+ # two127m71 = (r10, r9)
791+ ld 8, 16(3)
792+ ld 7, 24(3)
793+ ld 10, 24(5) # two127m71
794+ addc 8, 8, 9
795+ adde 7, 7, 10
796+ ld 11, 16(4)
797+ ld 12, 24(4)
798+ subfc 11, 11, 8
799+ subfe 12, 12, 7
800+ std 11, 16(3) # out1
801+ std 12, 24(3)
802+
803+ ld 8, 32(3)
804+ ld 7, 40(3)
805+ addc 8, 8, 9
806+ adde 7, 7, 10
807+ ld 11, 32(4)
808+ ld 12, 40(4)
809+ subfc 11, 11, 8
810+ subfe 12, 12, 7
811+ std 11, 32(3) # out2
812+ std 12, 40(3)
813+
814+ ld 8, 48(3)
815+ ld 7, 56(3)
816+ addc 8, 8, 9
817+ adde 7, 7, 10
818+ ld 11, 48(4)
819+ ld 12, 56(4)
820+ subfc 11, 11, 8
821+ subfe 12, 12, 7
822+ std 11, 48(3) # out3
823+ std 12, 56(3)
824+
825+ ld 8, 64(3)
826+ ld 7, 72(3)
827+ addc 8, 8, 9
828+ adde 7, 7, 10
829+ ld 11, 64(4)
830+ ld 12, 72(4)
831+ subfc 11, 11, 8
832+ subfe 12, 12, 7
833+ std 11, 64(3) # out4
834+ std 12, 72(3)
835+
836+ ld 8, 80(3)
837+ ld 7, 88(3)
838+ addc 8, 8, 9
839+ adde 7, 7, 10
840+ ld 11, 80(4)
841+ ld 12, 88(4)
842+ subfc 11, 11, 8
843+ subfe 12, 12, 7
844+ std 11, 80(3) # out5
845+ std 12, 88(3)
846+
847+ ld 8, 96(3)
848+ ld 7, 104(3)
849+ ld 6, 40(5) # two127p111m79m71
850+ addc 8, 8, 9
851+ adde 7, 7, 6
852+ ld 11, 96(4)
853+ ld 12, 104(4)
854+ subfc 11, 11, 8
855+ subfe 12, 12, 7
856+ std 11, 96(3) # out6
857+ std 12, 104(3)
858+
859+ ld 8, 112(3)
860+ ld 7, 120(3)
861+ ld 6, 56(5) # two127m119m71
862+ addc 8, 8, 9
863+ adde 7, 7, 6
864+ ld 11, 112(4)
865+ ld 12, 120(4)
866+ subfc 11, 11, 8
867+ subfe 12, 12, 7
868+ std 11, 112(3) # out7
869+ std 12, 120(3)
870+
871+ ld 8, 128(3)
872+ ld 7, 136(3)
873+ ld 6, 72(5) # two127m95m71
874+ addc 8, 8, 9
875+ adde 7, 7, 6
876+ ld 11, 128(4)
877+ ld 12, 136(4)
878+ subfc 11, 11, 8
879+ subfe 12, 12, 7
880+ std 11, 128(3) # out8
881+ std 12, 136(3)
882+
883+ ld 8, 144(3)
884+ ld 7, 152(3)
885+ addc 8, 8, 9
886+ adde 7, 7, 10
887+ ld 11, 144(4)
888+ ld 12, 152(4)
889+ subfc 11, 11, 8
890+ subfe 12, 12, 7
891+ std 11, 144(3) # out9
892+ std 12, 152(3)
893+
894+ ld 8, 160(3)
895+ ld 7, 168(3)
896+ addc 8, 8, 9
897+ adde 7, 7, 10
898+ ld 11, 160(4)
899+ ld 12, 168(4)
900+ subfc 11, 11, 8
901+ subfe 12, 12, 7
902+ std 11, 160(3) # out10
903+ std 12, 168(3)
904+
905+ ld 8, 176(3)
906+ ld 7, 184(3)
907+ addc 8, 8, 9
908+ adde 7, 7, 10
909+ ld 11, 176(4)
910+ ld 12, 184(4)
911+ subfc 11, 11, 8
912+ subfe 12, 12, 7
913+ std 11, 176(3) # out11
914+ std 12, 184(3)
915+
916+ ld 8, 192(3)
917+ ld 7, 200(3)
918+ addc 8, 8, 9
919+ adde 7, 7, 10
920+ ld 11, 192(4)
921+ ld 12, 200(4)
922+ subfc 11, 11, 8
923+ subfe 12, 12, 7
924+ std 11, 192(3) # out12
925+ std 12, 200(3)
926+
927+ blr
928+.size p384_felem_diff128,.-p384_felem_diff128
929+
930+.data
931+.align 4
932+.LConst_two127:
933+#two127
934+.long 0x00000000, 0x00000000, 0x00000000, 0x80000000
935+#two127m71
936+.long 0x00000000, 0x00000000, 0xffffff80, 0x7fffffff
937+#two127p111m79m71
938+.long 0x00000000, 0x00000000, 0xffff7f80, 0x80007fff
939+#two127m119m71
940+.long 0x00000000, 0x00000000, 0xffffff80, 0x7f7fffff
941+#two127m95m71
942+.long 0x00000000, 0x00000000, 0x7fffff80, 0x7fffffff
943+
944+.text
945+
946+.globl p384_felem_diff_128_64
947+.type p384_felem_diff_128_64, \@function
948+.align 4
949+p384_felem_diff_128_64:
950+ addis 5, 2, .LConst_128_two64\@toc\@ha
951+ addi 5, 5, .LConst_128_two64\@toc\@l
952+
953+ ld 9, 0(3)
954+ ld 10, 8(3)
955+ ld 8, 48(5) # two64p48m16
956+ li 7, 0
957+ addc 9, 9, 8
958+ li 6, 1
959+ adde 10, 10, 6
960+ ld 11, 0(4)
961+ subfc 8, 11, 9
962+ subfe 12, 7, 10
963+ std 8, 0(3) # out0
964+ std 12, 8(3)
965+
966+ ld 9, 16(3)
967+ ld 10, 24(3)
968+ ld 8, 0(5) # two64m56m8
969+ addc 9, 9, 8
970+ addze 10, 10
971+ ld 11, 8(4)
972+ subfc 11, 11, 9
973+ subfe 12, 7, 10
974+ std 11, 16(3) # out1
975+ std 12, 24(3)
976+
977+ ld 9, 32(3)
978+ ld 10, 40(3)
979+ ld 8, 16(5) # two64m32m8
980+ addc 9, 9, 8
981+ addze 10, 10
982+ ld 11, 16(4)
983+ subfc 11, 11, 9
984+ subfe 12, 7, 10
985+ std 11, 32(3) # out2
986+ std 12, 40(3)
987+
988+ ld 10, 48(3)
989+ ld 8, 56(3)
990+ #ld 9, 32(5) # two64m8
991+ li 9, -256 # two64m8
992+ addc 10, 10, 9
993+ addze 8, 8
994+ ld 11, 24(4)
995+ subfc 11, 11, 10
996+ subfe 12, 7, 8
997+ std 11, 48(3) # out3
998+ std 12, 56(3)
999+
1000+ ld 10, 64(3)
1001+ ld 8, 72(3)
1002+ addc 10, 10, 9
1003+ addze 8, 8
1004+ ld 11, 32(4)
1005+ subfc 11, 11, 10
1006+ subfe 12, 7, 8
1007+ std 11, 64(3) # out4
1008+ std 12, 72(3)
1009+
1010+ ld 10, 80(3)
1011+ ld 8, 88(3)
1012+ addc 10, 10, 9
1013+ addze 8, 8
1014+ ld 11, 40(4)
1015+ subfc 11, 11, 10
1016+ subfe 12, 7, 8
1017+ std 11, 80(3) # out5
1018+ std 12, 88(3)
1019+
1020+ ld 10, 96(3)
1021+ ld 8, 104(3)
1022+ addc 10, 10, 9
1023+ addze 9, 8
1024+ ld 11, 48(4)
1025+ subfc 11, 11, 10
1026+ subfe 12, 7, 9
1027+ std 11, 96(3) # out6
1028+ std 12, 104(3)
1029+
1030+ blr
1031+.size p384_felem_diff_128_64,.-p384_felem_diff_128_64
1032+
1033+.data
1034+.align 4
1035+.LConst_128_two64:
1036+#two64m56m8
1037+.long 0xffffff00, 0xfeffffff, 0x00000000, 0x00000000
1038+#two64m32m8
1039+.long 0xffffff00, 0xfffffffe, 0x00000000, 0x00000000
1040+#two64m8
1041+.long 0xffffff00, 0xffffffff, 0x00000000, 0x00000000
1042+#two64p48m16
1043+.long 0xffff0000, 0x0000ffff, 0x00000001, 0x00000000
1044+
1045+.LConst_two60:
1046+#two60m52m4
1047+.long 0xfffffff0, 0x0fefffff, 0x0, 0x0
1048+#two60p44m12
1049+.long 0xfffff000, 0x10000fff, 0x0, 0x0
1050+#two60m28m4
1051+.long 0xeffffff0, 0x0fffffff, 0x0, 0x0
1052+#two60m4
1053+.long 0xfffffff0, 0x0fffffff, 0x0, 0x0
1054+
1055+.text
1056+#
1057+# static void felem_diff64(felem out, const felem in)
1058+#
1059+.globl p384_felem_diff64
1060+.type p384_felem_diff64, \@function
1061+.align 4
1062+p384_felem_diff64:
1063+ addis 5, 2, .LConst_two60\@toc\@ha
1064+ addi 5, 5, .LConst_two60\@toc\@l
1065+
1066+ ld 9, 0(3)
1067+ ld 8, 16(5) # two60p44m12
1068+ li 7, 0
1069+ add 9, 9, 8
1070+ ld 11, 0(4)
1071+ subf 8, 11, 9
1072+ std 8, 0(3) # out0
1073+
1074+ ld 9, 8(3)
1075+ ld 8, 0(5) # two60m52m4
1076+ add 9, 9, 8
1077+ ld 11, 8(4)
1078+ subf 11, 11, 9
1079+ std 11, 8(3) # out1
1080+
1081+ ld 9, 16(3)
1082+ ld 8, 32(5) # two60m28m4
1083+ add 9, 9, 8
1084+ ld 11, 16(4)
1085+ subf 11, 11, 9
1086+ std 11, 16(3) # out2
1087+
1088+ ld 10, 24(3)
1089+ ld 9, 48(5) # two60m4
1090+ add 10, 10, 9
1091+ ld 12, 24(4)
1092+ subf 12, 12, 10
1093+ std 12, 24(3) # out3
1094+
1095+ ld 10, 32(3)
1096+ add 10, 10, 9
1097+ ld 11, 32(4)
1098+ subf 11, 11, 10
1099+ std 11, 32(3) # out4
1100+
1101+ ld 10, 40(3)
1102+ add 10, 10, 9
1103+ ld 12, 40(4)
1104+ subf 12, 12, 10
1105+ std 12, 40(3) # out5
1106
1107- endproc("p384_felem_square");
1108- }
1109-}
1110+ ld 10, 48(3)
1111+ add 10, 10, 9
1112+ ld 11, 48(4)
1113+ subf 11, 11, 10
1114+ std 11, 48(3) # out6
1115+
1116+ blr
1117+.size p384_felem_diff64,.-p384_felem_diff64
1118+
1119+.text
1120+#
1121+# Shift 128 bits right <nbits>
1122+#
1123+.macro SHR o_h o_l in_h in_l nbits
1124+ srdi \\o_l, \\in_l, \\nbits # shift lower right <nbits>
1125+ rldimi \\o_l, \\in_h, 64-\\nbits, 0 # insert <64-nbits> from hi
1126+ srdi \\o_h, \\in_h, \\nbits # shift higher right <nbits>
1127+.endm
1128+
1129+#
1130+# static void felem_reduce(felem out, const widefelem in)
1131+#
1132+.global p384_felem_reduce
1133+.type p384_felem_reduce,\@function
1134+.align 4
1135+p384_felem_reduce:
1136+
1137+ stdu 1, -208(1)
1138+ mflr 0
1139+ std 14, 56(1)
1140+ std 15, 64(1)
1141+ std 16, 72(1)
1142+ std 17, 80(1)
1143+ std 18, 88(1)
1144+ std 19, 96(1)
1145+ std 20, 104(1)
1146+ std 21, 112(1)
1147+ std 22, 120(1)
1148+ std 23, 128(1)
1149+ std 24, 136(1)
1150+ std 25, 144(1)
1151+ std 26, 152(1)
1152+ std 27, 160(1)
1153+ std 28, 168(1)
1154+ std 29, 176(1)
1155+ std 30, 184(1)
1156+ std 31, 192(1)
1157+
1158+ bl _p384_felem_reduce_core
1159+
1160+ mtlr 0
1161+ ld 14, 56(1)
1162+ ld 15, 64(1)
1163+ ld 16, 72(1)
1164+ ld 17, 80(1)
1165+ ld 18, 88(1)
1166+ ld 19, 96(1)
1167+ ld 20, 104(1)
1168+ ld 21, 112(1)
1169+ ld 22, 120(1)
1170+ ld 23, 128(1)
1171+ ld 24, 136(1)
1172+ ld 25, 144(1)
1173+ ld 26, 152(1)
1174+ ld 27, 160(1)
1175+ ld 28, 168(1)
1176+ ld 29, 176(1)
1177+ ld 30, 184(1)
1178+ ld 31, 192(1)
1179+ addi 1, 1, 208
1180+ blr
1181+.size p384_felem_reduce,.-p384_felem_reduce
1182+
1183+#
1184+# Felem reduction core function -
1185+# r3 and r4 need to pre-loaded.
1186+#
1187+.type _p384_felem_reduce_core,\@function
1188+.align 4
1189+_p384_felem_reduce_core:
1190+ addis 12, 2, .LConst\@toc\@ha
1191+ addi 12, 12, .LConst\@toc\@l
1192+
1193+ # load constat p
1194+ ld 11, 8(12) # hi - two124m68
1195+
1196+ # acc[6] = in[6] + two124m68;
1197+ ld 26, 96(4) # in[6].l
1198+ ld 27, 96+8(4) # in[6].h
1199+ add 27, 27, 11
1200+
1201+ # acc[5] = in[5] + two124m68;
1202+ ld 24, 80(4) # in[5].l
1203+ ld 25, 80+8(4) # in[5].h
1204+ add 25, 25, 11
1205+
1206+ # acc[4] = in[4] + two124m68;
1207+ ld 22, 64(4) # in[4].l
1208+ ld 23, 64+8(4) # in[4].h
1209+ add 23, 23, 11
1210+
1211+ # acc[3] = in[3] + two124m68;
1212+ ld 20, 48(4) # in[3].l
1213+ ld 21, 48+8(4) # in[3].h
1214+ add 21, 21, 11
1215+
1216+ ld 11, 48+8(12) # hi - two124m92m68
1217+
1218+ # acc[2] = in[2] + two124m92m68;
1219+ ld 18, 32(4) # in[2].l
1220+ ld 19, 32+8(4) # in[2].h
1221+ add 19, 19, 11
1222+
1223+ ld 11, 16+8(12) # high - two124m116m68
1224+
1225+ # acc[1] = in[1] + two124m116m68;
1226+ ld 16, 16(4) # in[1].l
1227+ ld 17, 16+8(4) # in[1].h
1228+ add 17, 17, 11
1229+
1230+ ld 11, 32+8(12) # high - two124p108m76
1231+
1232+ # acc[0] = in[0] + two124p108m76;
1233+ ld 14, 0(4) # in[0].l
1234+ ld 15, 0+8(4) # in[0].h
1235+ add 15, 15, 11
1236+
1237+ # compute mask
1238+ li 7, -1
1239+
1240+ # Eliminate in[12]
1241+
1242+ # acc[8] += in[12] >> 32;
1243+ ld 5, 192(4) # in[12].l
1244+ ld 6, 192+8(4) # in[12].h
1245+ SHR 9, 10, 6, 5, 32
1246+ ld 30, 128(4) # in[8].l
1247+ ld 31, 136(4) # in[8].h
1248+ addc 30, 30, 10
1249+ adde 31, 31, 9
1250+
1251+ # acc[7] += (in[12] & 0xffffffff) << 24;
1252+ srdi 11, 7, 32 # 0xffffffff
1253+ and 11, 11, 5
1254+ sldi 11, 11, 24 # << 24
1255+ ld 28, 112(4) # in[7].l
1256+ ld 29, 120(4) # in[7].h
1257+ addc 28, 28, 11
1258+ addze 29, 29
1259+
1260+ # acc[7] += in[12] >> 8;
1261+ SHR 9, 10, 6, 5, 8
1262+ addc 28, 28, 10
1263+ adde 29, 29, 9
1264+
1265+ # acc[6] += (in[12] & 0xff) << 48;
1266+ andi. 11, 5, 0xff
1267+ sldi 11, 11, 48
1268+ addc 26, 26, 11
1269+ addze 27, 27
1270+
1271+ # acc[6] -= in[12] >> 16;
1272+ SHR 9, 10, 6, 5, 16
1273+ subfc 26, 10, 26
1274+ subfe 27, 9, 27
1275+
1276+ # acc[5] -= (in[12] & 0xffff) << 40;
1277+ srdi 11, 7, 48 # 0xffff
1278+ and 11, 11, 5
1279+ sldi 11, 11, 40 # << 40
1280+ li 9, 0
1281+ subfc 24, 11, 24
1282+ subfe 25, 9, 25
1283+
1284+ # acc[6] += in[12] >> 48;
1285+ SHR 9, 10, 6, 5, 48
1286+ addc 26, 26, 10
1287+ adde 27, 27, 9
1288+
1289+ # acc[5] += (in[12] & 0xffffffffffff) << 8;
1290+ srdi 11, 7, 16 # 0xffffffffffff
1291+ and 11, 11, 5
1292+ sldi 11, 11, 8 # << 8
1293+ addc 24, 24, 11
1294+ addze 25, 25
1295+
1296+ # Eliminate in[11]
1297+
1298+ # acc[7] += in[11] >> 32;
1299+ ld 5, 176(4) # in[11].l
1300+ ld 6, 176+8(4) # in[11].h
1301+ SHR 9, 10, 6, 5, 32
1302+ addc 28, 28, 10
1303+ adde 29, 29, 9
1304+
1305+ # acc[6] += (in[11] & 0xffffffff) << 24;
1306+ srdi 11, 7, 32 # 0xffffffff
1307+ and 11, 11, 5
1308+ sldi 11, 11, 24 # << 24
1309+ addc 26, 26, 11
1310+ addze 27, 27
1311+
1312+ # acc[6] += in[11] >> 8;
1313+ SHR 9, 10, 6, 5, 8
1314+ addc 26, 26, 10
1315+ adde 27, 27, 9
1316+
1317+ # acc[5] += (in[11] & 0xff) << 48;
1318+ andi. 11, 5, 0xff
1319+ sldi 11, 11, 48
1320+ addc 24, 24, 11
1321+ addze 25, 25
1322+
1323+ # acc[5] -= in[11] >> 16;
1324+ SHR 9, 10, 6, 5, 16
1325+ subfc 24, 10, 24
1326+ subfe 25, 9, 25
1327+
1328+ # acc[4] -= (in[11] & 0xffff) << 40;
1329+ srdi 11, 7, 48 # 0xffff
1330+ and 11, 11, 5
1331+ sldi 11, 11, 40 # << 40
1332+ li 9, 0
1333+ subfc 22, 11, 22
1334+ subfe 23, 9, 23
1335+
1336+ # acc[5] += in[11] >> 48;
1337+ SHR 9, 10, 6, 5, 48
1338+ addc 24, 24, 10
1339+ adde 25, 25, 9
1340+
1341+ # acc[4] += (in[11] & 0xffffffffffff) << 8;
1342+ srdi 11, 7, 16 # 0xffffffffffff
1343+ and 11, 11, 5
1344+ sldi 11, 11, 8 # << 8
1345+ addc 22, 22, 11
1346+ addze 23, 23
1347+
1348+ # Eliminate in[10]
1349+
1350+ # acc[6] += in[10] >> 32;
1351+ ld 5, 160(4) # in[10].l
1352+ ld 6, 160+8(4) # in[10].h
1353+ SHR 9, 10, 6, 5, 32
1354+ addc 26, 26, 10
1355+ adde 27, 27, 9
1356+
1357+ # acc[5] += (in[10] & 0xffffffff) << 24;
1358+ srdi 11, 7, 32 # 0xffffffff
1359+ and 11, 11, 5
1360+ sldi 11, 11, 24 # << 24
1361+ addc 24, 24, 11
1362+ addze 25, 25
1363+
1364+ # acc[5] += in[10] >> 8;
1365+ SHR 9, 10, 6, 5, 8
1366+ addc 24, 24, 10
1367+ adde 25, 25, 9
1368+
1369+ # acc[4] += (in[10] & 0xff) << 48;
1370+ andi. 11, 5, 0xff
1371+ sldi 11, 11, 48
1372+ addc 22, 22, 11
1373+ addze 23, 23
1374+
1375+ # acc[4] -= in[10] >> 16;
1376+ SHR 9, 10, 6, 5, 16
1377+ subfc 22, 10, 22
1378+ subfe 23, 9, 23
1379+
1380+ # acc[3] -= (in[10] & 0xffff) << 40;
1381+ srdi 11, 7, 48 # 0xffff
1382+ and 11, 11, 5
1383+ sldi 11, 11, 40 # << 40
1384+ li 9, 0
1385+ subfc 20, 11, 20
1386+ subfe 21, 9, 21
1387+
1388+ # acc[4] += in[10] >> 48;
1389+ SHR 9, 10, 6, 5, 48
1390+ addc 22, 22, 10
1391+ adde 23, 23, 9
1392+
1393+ # acc[3] += (in[10] & 0xffffffffffff) << 8;
1394+ srdi 11, 7, 16 # 0xffffffffffff
1395+ and 11, 11, 5
1396+ sldi 11, 11, 8 # << 8
1397+ addc 20, 20, 11
1398+ addze 21, 21
1399+
1400+ # Eliminate in[9]
1401+
1402+ # acc[5] += in[9] >> 32;
1403+ ld 5, 144(4) # in[9].l
1404+ ld 6, 144+8(4) # in[9].h
1405+ SHR 9, 10, 6, 5, 32
1406+ addc 24, 24, 10
1407+ adde 25, 25, 9
1408+
1409+ # acc[4] += (in[9] & 0xffffffff) << 24;
1410+ srdi 11, 7, 32 # 0xffffffff
1411+ and 11, 11, 5
1412+ sldi 11, 11, 24 # << 24
1413+ addc 22, 22, 11
1414+ addze 23, 23
1415+
1416+ # acc[4] += in[9] >> 8;
1417+ SHR 9, 10, 6, 5, 8
1418+ addc 22, 22, 10
1419+ adde 23, 23, 9
1420+
1421+ # acc[3] += (in[9] & 0xff) << 48;
1422+ andi. 11, 5, 0xff
1423+ sldi 11, 11, 48
1424+ addc 20, 20, 11
1425+ addze 21, 21
1426+
1427+ # acc[3] -= in[9] >> 16;
1428+ SHR 9, 10, 6, 5, 16
1429+ subfc 20, 10, 20
1430+ subfe 21, 9, 21
1431+
1432+ # acc[2] -= (in[9] & 0xffff) << 40;
1433+ srdi 11, 7, 48 # 0xffff
1434+ and 11, 11, 5
1435+ sldi 11, 11, 40 # << 40
1436+ li 9, 0
1437+ subfc 18, 11, 18
1438+ subfe 19, 9, 19
1439+
1440+ # acc[3] += in[9] >> 48;
1441+ SHR 9, 10, 6, 5, 48
1442+ addc 20, 20, 10
1443+ adde 21, 21, 9
1444+
1445+ # acc[2] += (in[9] & 0xffffffffffff) << 8;
1446+ srdi 11, 7, 16 # 0xffffffffffff
1447+ and 11, 11, 5
1448+ sldi 11, 11, 8 # << 8
1449+ addc 18, 18, 11
1450+ addze 19, 19
1451+
1452+ # Eliminate acc[8]
1453+
1454+ # acc[4] += acc[8] >> 32;
1455+ mr 5, 30 # acc[8].l
1456+ mr 6, 31 # acc[8].h
1457+ SHR 9, 10, 6, 5, 32
1458+ addc 22, 22, 10
1459+ adde 23, 23, 9
1460+
1461+ # acc[3] += (acc[8] & 0xffffffff) << 24;
1462+ srdi 11, 7, 32 # 0xffffffff
1463+ and 11, 11, 5
1464+ sldi 11, 11, 24 # << 24
1465+ addc 20, 20, 11
1466+ addze 21, 21
1467+
1468+ # acc[3] += acc[8] >> 8;
1469+ SHR 9, 10, 6, 5, 8
1470+ addc 20, 20, 10
1471+ adde 21, 21, 9
1472+
1473+ # acc[2] += (acc[8] & 0xff) << 48;
1474+ andi. 11, 5, 0xff
1475+ sldi 11, 11, 48
1476+ addc 18, 18, 11
1477+ addze 19, 19
1478+
1479+ # acc[2] -= acc[8] >> 16;
1480+ SHR 9, 10, 6, 5, 16
1481+ subfc 18, 10, 18
1482+ subfe 19, 9, 19
1483+
1484+ # acc[1] -= (acc[8] & 0xffff) << 40;
1485+ srdi 11, 7, 48 # 0xffff
1486+ and 11, 11, 5
1487+ sldi 11, 11, 40 # << 40
1488+ li 9, 0
1489+ subfc 16, 11, 16
1490+ subfe 17, 9, 17
1491+
1492+ #acc[2] += acc[8] >> 48;
1493+ SHR 9, 10, 6, 5, 48
1494+ addc 18, 18, 10
1495+ adde 19, 19, 9
1496+
1497+ # acc[1] += (acc[8] & 0xffffffffffff) << 8;
1498+ srdi 11, 7, 16 # 0xffffffffffff
1499+ and 11, 11, 5
1500+ sldi 11, 11, 8 # << 8
1501+ addc 16, 16, 11
1502+ addze 17, 17
1503+
1504+ # Eliminate acc[7]
1505+
1506+ # acc[3] += acc[7] >> 32;
1507+ mr 5, 28 # acc[7].l
1508+ mr 6, 29 # acc[7].h
1509+ SHR 9, 10, 6, 5, 32
1510+ addc 20, 20, 10
1511+ adde 21, 21, 9
1512+
1513+ # acc[2] += (acc[7] & 0xffffffff) << 24;
1514+ srdi 11, 7, 32 # 0xffffffff
1515+ and 11, 11, 5
1516+ sldi 11, 11, 24 # << 24
1517+ addc 18, 18, 11
1518+ addze 19, 19
1519+
1520+ # acc[2] += acc[7] >> 8;
1521+ SHR 9, 10, 6, 5, 8
1522+ addc 18, 18, 10
1523+ adde 19, 19, 9
1524+
1525+ # acc[1] += (acc[7] & 0xff) << 48;
1526+ andi. 11, 5, 0xff
1527+ sldi 11, 11, 48
1528+ addc 16, 16, 11
1529+ addze 17, 17
1530+
1531+ # acc[1] -= acc[7] >> 16;
1532+ SHR 9, 10, 6, 5, 16
1533+ subfc 16, 10, 16
1534+ subfe 17, 9, 17
1535+
1536+ # acc[0] -= (acc[7] & 0xffff) << 40;
1537+ srdi 11, 7, 48 # 0xffff
1538+ and 11, 11, 5
1539+ sldi 11, 11, 40 # << 40
1540+ li 9, 0
1541+ subfc 14, 11, 14
1542+ subfe 15, 9, 15
1543+
1544+ # acc[1] += acc[7] >> 48;
1545+ SHR 9, 10, 6, 5, 48
1546+ addc 16, 16, 10
1547+ adde 17, 17, 9
1548+
1549+ # acc[0] += (acc[7] & 0xffffffffffff) << 8;
1550+ srdi 11, 7, 16 # 0xffffffffffff
1551+ and 11, 11, 5
1552+ sldi 11, 11, 8 # << 8
1553+ addc 14, 14, 11
1554+ addze 15, 15
1555+
1556+ #
1557+ # Carry 4 -> 5 -> 6
1558+ #
1559+ # acc[5] += acc[4] >> 56;
1560+ # acc[4] &= 0x00ffffffffffffff;
1561+ SHR 9, 10, 23, 22, 56
1562+ addc 24, 24, 10
1563+ adde 25, 25, 9
1564+ srdi 11, 7, 8 # 0x00ffffffffffffff
1565+ and 22, 22, 11
1566+ li 23, 0
1567+
1568+ # acc[6] += acc[5] >> 56;
1569+ # acc[5] &= 0x00ffffffffffffff;
1570+ SHR 9, 10, 25, 24, 56
1571+ addc 26, 26, 10
1572+ adde 27, 27, 9
1573+ and 24, 24, 11
1574+ li 25, 0
1575+
1576+ # [3]: Eliminate high bits of acc[6] */
1577+ # temp = acc[6] >> 48;
1578+ # acc[6] &= 0x0000ffffffffffff;
1579+ SHR 31, 30, 27, 26, 48 # temp = acc[6] >> 48
1580+ srdi 11, 7, 16 # 0x0000ffffffffffff
1581+ and 26, 26, 11
1582+ li 27, 0
1583+
1584+ # temp < 2^80
1585+ # acc[3] += temp >> 40;
1586+ SHR 9, 10, 31, 30, 40
1587+ addc 20, 20, 10
1588+ adde 21, 21, 9
1589+
1590+ # acc[2] += (temp & 0xffffffffff) << 16;
1591+ srdi 11, 7, 24 # 0xffffffffff
1592+ and 10, 30, 11
1593+ sldi 10, 10, 16
1594+ addc 18, 18, 10
1595+ addze 19, 19
1596+
1597+ # acc[2] += temp >> 16;
1598+ SHR 9, 10, 31, 30, 16
1599+ addc 18, 18, 10
1600+ adde 19, 19, 9
1601+
1602+ # acc[1] += (temp & 0xffff) << 40;
1603+ srdi 11, 7, 48 # 0xffff
1604+ and 10, 30, 11
1605+ sldi 10, 10, 40
1606+ addc 16, 16, 10
1607+ addze 17, 17
1608+
1609+ # acc[1] -= temp >> 24;
1610+ SHR 9, 10, 31, 30, 24
1611+ subfc 16, 10, 16
1612+ subfe 17, 9, 17
1613+
1614+ # acc[0] -= (temp & 0xffffff) << 32;
1615+ srdi 11, 7, 40 # 0xffffff
1616+ and 10, 30, 11
1617+ sldi 10, 10, 32
1618+ li 9, 0
1619+ subfc 14, 10, 14
1620+ subfe 15, 9, 15
1621+
1622+ # acc[0] += temp;
1623+ addc 14, 14, 30
1624+ adde 15, 15, 31
1625+
1626+ # Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6
1627+ #
1628+ # acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] + 2^72 */
1629+ SHR 9, 10, 15, 14, 56
1630+ addc 16, 16, 10
1631+ adde 17, 17, 9
1632+
1633+ # acc[0] &= 0x00ffffffffffffff;
1634+ srdi 11, 7, 8 # 0x00ffffffffffffff
1635+ and 14, 14, 11
1636+ li 15, 0
1637+
1638+ # acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */
1639+ SHR 9, 10, 17, 16, 56
1640+ addc 18, 18, 10
1641+ adde 19, 19, 9
1642+
1643+ # acc[1] &= 0x00ffffffffffffff;
1644+ and 16, 16, 11
1645+ li 17, 0
1646+
1647+ # acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */
1648+ SHR 9, 10, 19, 18, 56
1649+ addc 20, 20, 10
1650+ adde 21, 21, 9
1651+
1652+ # acc[2] &= 0x00ffffffffffffff;
1653+ and 18, 18, 11
1654+ li 19, 0
1655+
1656+ # acc[4] += acc[3] >> 56;
1657+ SHR 9, 10, 21, 20, 56
1658+ addc 22, 22, 10
1659+ adde 23, 23, 9
1660+
1661+ # acc[3] &= 0x00ffffffffffffff;
1662+ and 20, 20, 11
1663+ li 21, 0
1664+
1665+ # acc[5] += acc[4] >> 56;
1666+ SHR 9, 10, 23, 22, 56
1667+ addc 24, 24, 10
1668+ adde 25, 25, 9
1669+
1670+ # acc[4] &= 0x00ffffffffffffff;
1671+ and 22, 22, 11
1672+
1673+ # acc[6] += acc[5] >> 56;
1674+ SHR 9, 10, 25, 24, 56
1675+ addc 26, 26, 10
1676+ adde 27, 27, 9
1677+
1678+ # acc[5] &= 0x00ffffffffffffff;
1679+ and 24, 24, 11
1680+
1681+ std 14, 0(3)
1682+ std 16, 8(3)
1683+ std 18, 16(3)
1684+ std 20, 24(3)
1685+ std 22, 32(3)
1686+ std 24, 40(3)
1687+ std 26, 48(3)
1688+ blr
1689+.size _p384_felem_reduce_core,.-_p384_felem_reduce_core
1690+
1691+.data
1692+.align 4
1693+.LConst:
1694+# two124m68:
1695+.long 0x0, 0x0, 0xfffffff0, 0xfffffff
1696+# two124m116m68:
1697+.long 0x0, 0x0, 0xfffffff0, 0xfefffff
1698+#two124p108m76:
1699+.long 0x0, 0x0, 0xfffff000, 0x10000fff
1700+#two124m92m68:
1701+.long 0x0, 0x0, 0xeffffff0, 0xfffffff
1702+
1703+.text
1704+
1705+#
1706+# void p384_felem_square_reduce(felem out, const felem in)
1707+#
1708+.global p384_felem_square_reduce
1709+.type p384_felem_square_reduce,\@function
1710+.align 4
1711+p384_felem_square_reduce:
1712+ stdu 1, -512(1)
1713+ mflr 0
1714+ std 14, 56(1)
1715+ std 15, 64(1)
1716+ std 16, 72(1)
1717+ std 17, 80(1)
1718+ std 18, 88(1)
1719+ std 19, 96(1)
1720+ std 20, 104(1)
1721+ std 21, 112(1)
1722+ std 22, 120(1)
1723+ std 23, 128(1)
1724+ std 24, 136(1)
1725+ std 25, 144(1)
1726+ std 26, 152(1)
1727+ std 27, 160(1)
1728+ std 28, 168(1)
1729+ std 29, 176(1)
1730+ std 30, 184(1)
1731+ std 31, 192(1)
1732+
1733+ std 3, 496(1)
1734+ addi 3, 1, 208
1735+ bl _p384_felem_square_core
1736+
1737+ mr 4, 3
1738+ ld 3, 496(1)
1739+ bl _p384_felem_reduce_core
1740+
1741+ ld 14, 56(1)
1742+ ld 15, 64(1)
1743+ ld 16, 72(1)
1744+ ld 17, 80(1)
1745+ ld 18, 88(1)
1746+ ld 19, 96(1)
1747+ ld 20, 104(1)
1748+ ld 21, 112(1)
1749+ ld 22, 120(1)
1750+ ld 23, 128(1)
1751+ ld 24, 136(1)
1752+ ld 25, 144(1)
1753+ ld 26, 152(1)
1754+ ld 27, 160(1)
1755+ ld 28, 168(1)
1756+ ld 29, 176(1)
1757+ ld 30, 184(1)
1758+ ld 31, 192(1)
1759+ addi 1, 1, 512
1760+ mtlr 0
1761+ blr
1762+.size p384_felem_square_reduce,.-p384_felem_square_reduce
1763+
1764+#
1765+# void p384_felem_mul_reduce(felem out, const felem in1, const felem in2)
1766+#
1767+.global p384_felem_mul_reduce
1768+.type p384_felem_mul_reduce,\@function
1769+.align 5
1770+p384_felem_mul_reduce:
1771+ stdu 1, -512(1)
1772+ mflr 0
1773+ std 14, 56(1)
1774+ std 15, 64(1)
1775+ std 16, 72(1)
1776+ std 17, 80(1)
1777+ std 18, 88(1)
1778+ std 19, 96(1)
1779+ std 20, 104(1)
1780+ std 21, 112(1)
1781+ std 22, 120(1)
1782+ std 23, 128(1)
1783+ std 24, 136(1)
1784+ std 25, 144(1)
1785+ std 26, 152(1)
1786+ std 27, 160(1)
1787+ std 28, 168(1)
1788+ std 29, 176(1)
1789+ std 30, 184(1)
1790+ std 31, 192(1)
1791+
1792+ std 3, 496(1)
1793+ addi 3, 1, 208
1794+ bl _p384_felem_mul_core
1795+
1796+ mr 4, 3
1797+ ld 3, 496(1)
1798+ bl _p384_felem_reduce_core
1799+
1800+ ld 14, 56(1)
1801+ ld 15, 64(1)
1802+ ld 16, 72(1)
1803+ ld 17, 80(1)
1804+ ld 18, 88(1)
1805+ ld 19, 96(1)
1806+ ld 20, 104(1)
1807+ ld 21, 112(1)
1808+ ld 22, 120(1)
1809+ ld 23, 128(1)
1810+ ld 24, 136(1)
1811+ ld 25, 144(1)
1812+ ld 26, 152(1)
1813+ ld 27, 160(1)
1814+ ld 28, 168(1)
1815+ ld 29, 176(1)
1816+ ld 30, 184(1)
1817+ ld 31, 192(1)
1818+ addi 1, 1, 512
1819+ mtlr 0
1820+ blr
1821+.size p384_felem_mul_reduce,.-p384_felem_mul_reduce
1822+___
1823
1824 $code =~ s/\`([^\`]*)\`/eval $1/gem;
1825 print $code;
1826diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
1827index 3fd7a40020..e0b5786bc1 100644
1828--- a/crypto/ec/ecp_nistp384.c
1829+++ b/crypto/ec/ecp_nistp384.c
1830@@ -252,6 +252,16 @@ static void felem_neg(felem out, const felem in)
1831 out[6] = two60m4 - in[6];
1832 }
1833
1834+#if defined(ECP_NISTP384_ASM)
1835+void p384_felem_diff64(felem out, const felem in);
1836+void p384_felem_diff128(widefelem out, const widefelem in);
1837+void p384_felem_diff_128_64(widefelem out, const felem in);
1838+
1839+# define felem_diff64 p384_felem_diff64
1840+# define felem_diff128 p384_felem_diff128
1841+# define felem_diff_128_64 p384_felem_diff_128_64
1842+
1843+#else
1844 /*-
1845 * felem_diff64 subtracts |in| from |out|
1846 * On entry:
1847@@ -369,6 +379,7 @@ static void felem_diff128(widefelem out, const widefelem in)
1848 for (i = 0; i < 2*NLIMBS-1; i++)
1849 out[i] -= in[i];
1850 }
1851+#endif /* ECP_NISTP384_ASM */
1852
1853 static void felem_square_ref(widefelem out, const felem in)
1854 {
1855@@ -503,7 +514,7 @@ static void felem_mul_ref(widefelem out, const felem in1, const felem in2)
1856 * [3]: Y = 2^48 (acc[6] >> 48)
1857 * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d)
1858 */
1859-static void felem_reduce(felem out, const widefelem in)
1860+static void felem_reduce_ref(felem out, const widefelem in)
1861 {
1862 /*
1863 * In order to prevent underflow, we add a multiple of p before subtracting.
1864@@ -682,8 +693,11 @@ static void (*felem_square_p)(widefelem out, const felem in) =
1865 static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
1866 felem_mul_wrapper;
1867
1868+static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
1869+
1870 void p384_felem_square(widefelem out, const felem in);
1871 void p384_felem_mul(widefelem out, const felem in1, const felem in2);
1872+void p384_felem_reduce(felem out, const widefelem in);
1873
1874 # if defined(_ARCH_PPC64)
1875 # include "crypto/ppc_arch.h"
1876@@ -695,6 +709,7 @@ static void felem_select(void)
1877 if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
1878 felem_square_p = p384_felem_square;
1879 felem_mul_p = p384_felem_mul;
1880+ felem_reduce_p = p384_felem_reduce;
1881
1882 return;
1883 }
1884@@ -703,6 +718,7 @@ static void felem_select(void)
1885 /* Default */
1886 felem_square_p = felem_square_ref;
1887 felem_mul_p = felem_mul_ref;
1888+ felem_reduce_p = p384_felem_reduce;
1889 }
1890
1891 static void felem_square_wrapper(widefelem out, const felem in)
1892@@ -719,10 +735,17 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
1893
1894 # define felem_square felem_square_p
1895 # define felem_mul felem_mul_p
1896+# define felem_reduce felem_reduce_p
1897+
1898+void p384_felem_square_reduce(felem out, const felem in);
1899+void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
1900+
1901+# define felem_square_reduce p384_felem_square_reduce
1902+# define felem_mul_reduce p384_felem_mul_reduce
1903 #else
1904 # define felem_square felem_square_ref
1905 # define felem_mul felem_mul_ref
1906-#endif
1907+# define felem_reduce felem_reduce_ref
1908
1909 static ossl_inline void felem_square_reduce(felem out, const felem in)
1910 {
1911@@ -739,6 +762,7 @@ static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem
1912 felem_mul(tmp, in1, in2);
1913 felem_reduce(out, tmp);
1914 }
1915+#endif
1916
1917 /*-
1918 * felem_inv calculates |out| = |in|^{-1}
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-2.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-2.patch
deleted file mode 100644
index 0659a9d6d9..0000000000
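--- a/meta/recipes-connectivity/openssl/openssl/CVE-2025-27587-2.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 6b1646e472c9e8c08bb14066ba2a7c3eed45f84a Mon Sep 17 00:00:00 2001
-From: "A. Wilcox" <AWilcox@Wilcox-Tech.com>
-Date: Thu, 17 Apr 2025 08:51:53 -0500
-Subject: [PATCH] Fix P-384 curve on lower-than-P9 PPC64 targets
-
-The change adding an asm implementation of p384_felem_reduce incorrectly
-uses the accelerated version on both targets that support the intrinsics
-*and* targets that don't, instead of falling back to the generics on older
-targets. This results in crashes when trying to use P-384 on < Power9.
-
-Signed-off-by: Anna Wilcox <AWilcox@Wilcox-Tech.com>
-Closes: #27350
-Fixes: 85cabd94 ("Fix Minerva timing side-channel signal for P-384 curve on PPC")
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27429)
-
-(cherry picked from commit 29864f2b0f1046177e8048a5b17440893d3f9425)
-
-CVE: CVE-2025-27587
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/6b1646e472c9e8c08bb14066ba2a7c3eed45f84a]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- crypto/ec/ecp_nistp384.c | 54 ++++++++++++++++++++++++----------------
- 1 file changed, 33 insertions(+), 21 deletions(-)
-
-diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c
-index e0b5786bc1..439b4d03a3 100644
---- a/crypto/ec/ecp_nistp384.c
-+++ b/crypto/ec/ecp_nistp384.c
-@@ -684,6 +684,22 @@ static void felem_reduce_ref(felem out, const widefelem in)
- out[i] = acc[i];
- }
-
-+static ossl_inline void felem_square_reduce_ref(felem out, const felem in)
-+{
-+ widefelem tmp;
-+
-+ felem_square_ref(tmp, in);
-+ felem_reduce_ref(out, tmp);
-+}
-+
-+static ossl_inline void felem_mul_reduce_ref(felem out, const felem in1, const felem in2)
-+{
-+ widefelem tmp;
-+
-+ felem_mul_ref(tmp, in1, in2);
-+ felem_reduce_ref(out, tmp);
-+}
-+
- #if defined(ECP_NISTP384_ASM)
- static void felem_square_wrapper(widefelem out, const felem in);
- static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2);
-@@ -695,10 +711,18 @@ static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) =
-
- static void (*felem_reduce_p)(felem out, const widefelem in) = felem_reduce_ref;
-
-+static void (*felem_square_reduce_p)(felem out, const felem in) =
-+ felem_square_reduce_ref;
-+static void (*felem_mul_reduce_p)(felem out, const felem in1, const felem in2) =
-+ felem_mul_reduce_ref;
-+
- void p384_felem_square(widefelem out, const felem in);
- void p384_felem_mul(widefelem out, const felem in1, const felem in2);
- void p384_felem_reduce(felem out, const widefelem in);
-
-+void p384_felem_square_reduce(felem out, const felem in);
-+void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
-+
- # if defined(_ARCH_PPC64)
- # include "crypto/ppc_arch.h"
- # endif
-@@ -710,6 +734,8 @@ static void felem_select(void)
- felem_square_p = p384_felem_square;
- felem_mul_p = p384_felem_mul;
- felem_reduce_p = p384_felem_reduce;
-+ felem_square_reduce_p = p384_felem_square_reduce;
-+ felem_mul_reduce_p = p384_felem_mul_reduce;
-
- return;
- }
-@@ -718,7 +744,9 @@ static void felem_select(void)
- /* Default */
- felem_square_p = felem_square_ref;
- felem_mul_p = felem_mul_ref;
-- felem_reduce_p = p384_felem_reduce;
-+ felem_reduce_p = felem_reduce_ref;
-+ felem_square_reduce_p = felem_square_reduce_ref;
-+ felem_mul_reduce_p = felem_mul_reduce_ref;
- }
-
- static void felem_square_wrapper(widefelem out, const felem in)
-@@ -737,31 +765,15 @@ static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2)
- # define felem_mul felem_mul_p
- # define felem_reduce felem_reduce_p
-
--void p384_felem_square_reduce(felem out, const felem in);
--void p384_felem_mul_reduce(felem out, const felem in1, const felem in2);
--
--# define felem_square_reduce p384_felem_square_reduce
--# define felem_mul_reduce p384_felem_mul_reduce
-+# define felem_square_reduce felem_square_reduce_p
-+# define felem_mul_reduce felem_mul_reduce_p
- #else
- # define felem_square felem_square_ref
- # define felem_mul felem_mul_ref
- # define felem_reduce felem_reduce_ref
-
--static ossl_inline void felem_square_reduce(felem out, const felem in)
--{
-- widefelem tmp;
--
-- felem_square(tmp, in);
-- felem_reduce(out, tmp);
--}
--
--static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2)
--{
-- widefelem tmp;
--
-- felem_mul(tmp, in1, in2);
-- felem_reduce(out, tmp);
--}
-+# define felem_square_reduce felem_square_reduce_ref
-+# define felem_mul_reduce felem_mul_reduce_ref
- #endif
-
- /*-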
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
index fd98b32007..4756f5aaa6 100644
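--- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.6.bb
@@ -13,15 +13,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
  file://0001-Configure-do-not-tweak-mips-cflags.patch \
  file://0001-Added-handshake-history-reporting-when-test-fails.patch \
  file://CVE-2024-41996.patch \
- file://CVE-2025-27587-1.patch \
- file://CVE-2025-27587-2.patch \
  "
 
 SRC_URI:append:class-nativesdk = " \
  file://environment.d-openssl.sh \
  "
 
-SRC_URI[sha256sum] = "b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716"
+SRC_URI[sha256sum] = "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"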
diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
new file mode 100644
index 0000000000..c95cba3c33
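--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-01.patch
@@ -0,0 +1,57 @@
+From f5e1bf966b19ea1821f00a8c9ecd7774598689b4 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 24 Sep 2025 03:28:47 +0200
+Subject: [PATCH] archival/libarchive: sanitize filenames on output (prevent
+ control sequence attacks
+
+This fixes CVE-2025-46394 (terminal escape sequence injection)
+
+Original credit: Ian.Norton at entrust.com
+
+function old new delta
+header_list 9 15 +6
+header_verbose_list 239 244 +5
+------------------------------------------------------------------------------
+(add/remove: 0/0 grow/shrink: 2/0 up/down: 11/0) Total: 11 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2025-46394
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=f5e1bf966b19ea1821f00a8c9ecd7774598689b4]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ archival/libarchive/header_list.c | 2 +-
+ archival/libarchive/header_verbose_list.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/archival/libarchive/header_list.c b/archival/libarchive/header_list.c
+index 0621aa406..9490b3635 100644
+--- a/archival/libarchive/header_list.c
++++ b/archival/libarchive/header_list.c
+@@ -8,5 +8,5 @@
+ void FAST_FUNC header_list(const file_header_t *file_header)
+ {
+ //TODO: cpio -vp DIR should output "DIR/NAME", not just "NAME" */
+- puts(file_header->name);
++ puts(printable_string(file_header->name));
+ }
+diff --git a/archival/libarchive/header_verbose_list.c b/archival/libarchive/header_verbose_list.c
+index a575a08a0..e7a09430d 100644
+--- a/archival/libarchive/header_verbose_list.c
++++ b/archival/libarchive/header_verbose_list.c
+@@ -57,13 +57,13 @@ void FAST_FUNC header_verbose_list(const file_header_t *file_header)
+ ptm->tm_hour,
+ ptm->tm_min,
+ ptm->tm_sec,
+- file_header->name);
++ printable_string(file_header->name));
+
+ #endif /* FEATURE_TAR_UNAME_GNAME */
+
+ /* NB: GNU tar shows "->" for symlinks and "link to" for hardlinks */
+ if (file_header->link_target) {
+- printf(" -> %s", file_header->link_target);
++ printf(" -> %s", printable_string(file_header->link_target));
+ }
+ bb_putchar('\n');
+ }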
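Review bot: In `header_verbose_list` only the `printf` that ends just before `#endif /* FEATURE_TAR_UNAME_GNAME */` gets `printable_string(file_header->name)`; the other branch of that conditional is outside the hunk, and the diffstat for this file (2 insertions, 2 deletions) leaves room for only this print and the link target. If that branch has its own print of `file_header->name`, and possibly of user or group names read from the archive, a build with that feature enabled would still write unfiltered bytes to the terminal in verbose listings. This should be checked against the busybox configuration the recipe ships; the same wrapping, `printable_string(file_header->name));`, would apply there. The body of `header_verbose_list` starts outside the hunk.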
diff --git a/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
new file mode 100644
index 0000000000..ec17b9285a
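--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2025-46394-02.patch
@@ -0,0 +1,32 @@
+From 7378db981d87b4a2264e14d60340a7fb5c67ae59 Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Fri, 3 Oct 2025 16:12:56 +0200
+Subject: [PATCH] testsuite/tar.tests: fix test after CVE-2025-46394
+
+tar now sanitizes output and this test needs to expect that.
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+CVE: CVE-2025-46394
+Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-October/091743.html]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ testsuite/tar.tests | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/testsuite/tar.tests b/testsuite/tar.tests
+index 0f2e89112..48fc38114 100755
+--- a/testsuite/tar.tests
++++ b/testsuite/tar.tests
+@@ -325,9 +325,9 @@ unset LANG
+ rm -rf etc usr
+ ' "\
+ etc/ssl/certs/3b2716e5.0
+-etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
++etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.pem
+ etc/ssl/certs/f80cc7f6.0
+-usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
++usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sa??lay??c??s??.crt
+ 0
+ etc/ssl/certs/3b2716e5.0 -> EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem
+ etc/ssl/certs/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.pem -> /usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt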
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index 069544cc8a..d3f259d45b 100644
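--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -59,6 +59,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
  file://0001-cut-Fix-s-flag-to-omit-blank-lines.patch \
  file://CVE-2022-48174.patch \
  file://CVE-2023-39810.patch \
+ file://CVE-2025-46394-01.patch \
+ file://CVE-2025-46394-02.patch \
  "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html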
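--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-8176-03.patch
@@ -0,0 +1,35 @@
+From ba80428c2207259103b73871d447dee34755340c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@tum.de>
+Date: Tue, 23 Sep 2025 11:22:14 +0200
+Subject: [PATCH] lib: Fix detection of asynchronous tags in entities
+
+According to the XML standard, tags must be closed within the same
+element in which they are opened. Since the change of the entity
+processing method in version 2.7.0, violations of this rule have not
+been handled correctly for entities.
+
+This commit adds the required checks to detect any violations and
+restores the correct behaviour.
+
+CVE: CVE-2024-8176
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1059]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ lib/xmlparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ce29ab6f..ba4e3c48 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6087,6 +6087,10 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ // process its possible inner entities (which are added to the
+ // m_openInternalEntities during doProlog or doContent calls above)
+ entity->hasMore = XML_FALSE;
++ if (! entity->is_param
++ && (openEntity->startTagLevel != parser->m_tagLevel)) {
++ return XML_ERROR_ASYNC_ENTITY;
++ }
+ triggerReenter(parser);
+ return result;
+ } // End of entity processing, "if" block will return here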
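Review bot: The patch header does not explain why a fix for a regression "since ... version 2.7.0" is needed in a 2.6.4 recipe; the commit message is carried over unchanged from upstream. Presumably the reentry-based entity processing reached this tree through the earlier CVE-2024-8176-01/02 backports, and the new check in `internalEntityProcessor` repairs a well-formedness regression that came with them. A line above the `CVE:` tag such as `Follow-up fix for a regression introduced by the CVE-2024-8176 backport` would tell anyone auditing the recipe that patches 03 to 05 have to travel with 01/02. The function body starts and ends outside the inner hunk, so the position of the check relative to the earlier error returns cannot be confirmed from here.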
diff --git a/meta/recipes-core/expat/expat/CVE-2024-8176-04.patch b/meta/recipes-core/expat/expat/CVE-2024-8176-04.patch
new file mode 100644
index 0000000000..9623467698
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-8176-04.patch
@@ -0,0 +1,115 @@
1From 81a114f7eebcd41a6993337128cda337986a26f4 Mon Sep 17 00:00:00 2001
2From: Sebastian Pipping <sebastian@pipping.org>
3Date: Mon, 15 Sep 2025 21:57:07 +0200
4Subject: [PATCH] tests: Cover XML_ERROR_ASYNC_ENTITY cases
5
6CVE: CVE-2024-8176
7Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1059]
8Signed-off-by: Peter Marko <peter.marko@siemens.com>
9---
10 tests/misc_tests.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++
11 1 file changed, 87 insertions(+)
12
13diff --git a/tests/misc_tests.c b/tests/misc_tests.c
14index 3346bce6..19f41df7 100644
15--- a/tests/misc_tests.c
16+++ b/tests/misc_tests.c
17@@ -621,6 +621,91 @@ START_TEST(test_misc_expected_event_ptr_issue_980) {
18 }
19 END_TEST
20
21+START_TEST(test_misc_sync_entity_tolerated) {
22+ const char *const doc = "<!DOCTYPE t0 [\n"
23+ " <!ENTITY a '<t1></t1>'>\n"
24+ " <!ENTITY b '<t2>two</t2>'>\n"
25+ " <!ENTITY c '<t3>three<t4>four</t4>three</t3>'>\n"
26+ " <!ENTITY d '<t5>&b;</t5>'>\n"
27+ "]>\n"
28+ "<t0>&a;&b;&c;&d;</t0>\n";
29+ XML_Parser parser = XML_ParserCreate(NULL);
30+
31+ assert_true(_XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc),
32+ /*isFinal=*/XML_TRUE)
33+ == XML_STATUS_OK);
34+
35+ XML_ParserFree(parser);
36+}
37+END_TEST
38+
39+START_TEST(test_misc_async_entity_rejected) {
40+ struct test_case {
41+ const char *doc;
42+ enum XML_Status expectedStatusNoGE;
43+ enum XML_Error expectedErrorNoGE;
44+ };
45+ const struct test_case cases[] = {
46+ // Opened by one entity, closed by another
47+ {"<!DOCTYPE t0 [\n"
48+ " <!ENTITY open '<t1>'>\n"
49+ " <!ENTITY close '</t1>'>\n"
50+ "]>\n"
51+ "<t0>&open;&close;</t0>\n",
52+ XML_STATUS_OK, XML_ERROR_NONE},
53+ // Opened by tag, closed by entity (non-root case)
54+ {"<!DOCTYPE t0 [\n"
55+ " <!ENTITY g0 ''>\n"
56+ " <!ENTITY g1 '&g0;</t1>'>\n"
57+ "]>\n"
58+ "<t0><t1>&g1;</t0>\n",
59+ XML_STATUS_ERROR, XML_ERROR_TAG_MISMATCH},
60+ // Opened by tag, closed by entity (root case)
61+ {"<!DOCTYPE t0 [\n"
62+ " <!ENTITY g0 ''>\n"
63+ " <!ENTITY g1 '&g0;</t0>'>\n"
64+ "]>\n"
65+ "<t0>&g1;\n",
66+ XML_STATUS_ERROR, XML_ERROR_NO_ELEMENTS},
67+ // Opened by entity, closed by tag <-- regression from 2.7.0
68+ {"<!DOCTYPE t0 [\n"
69+ " <!ENTITY g0 ''>\n"
70+ " <!ENTITY g1 '<t1>&g0;'>\n"
71+ "]>\n"
72+ "<t0>&g1;</t1></t0>\n",
73+ XML_STATUS_ERROR, XML_ERROR_TAG_MISMATCH},
74+ // Opened by tag, closed by entity; then the other way around
75+ {"<!DOCTYPE t0 [\n"
76+ " <!ENTITY open '<t1>'>\n"
77+ " <!ENTITY close '</t1>'>\n"
78+ "]>\n"
79+ "<t0><t1>&close;&open;</t1></t0>\n",
80+ XML_STATUS_OK, XML_ERROR_NONE},
81+ };
82+
83+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
84+ const struct test_case testCase = cases[i];
85+ set_subtest("cases[%d]", (int)i);
86+
87+ const char *const doc = testCase.doc;
88+#if XML_GE == 1
89+ const enum XML_Status expectedStatus = XML_STATUS_ERROR;
90+ const enum XML_Error expectedError = XML_ERROR_ASYNC_ENTITY;
91+#else
92+ const enum XML_Status expectedStatus = testCase.expectedStatusNoGE;
93+ const enum XML_Error expectedError = testCase.expectedErrorNoGE;
94+#endif
95+
96+ XML_Parser parser = XML_ParserCreate(NULL);
97+ assert_true(_XML_Parse_SINGLE_BYTES(parser, doc, (int)strlen(doc),
98+ /*isFinal=*/XML_TRUE)
99+ == expectedStatus);
100+ assert_true(XML_GetErrorCode(parser) == expectedError);
101+ XML_ParserFree(parser);
102+ }
103+}
104+END_TEST
105+
106 void
107 make_miscellaneous_test_case(Suite *s) {
108 TCase *tc_misc = tcase_create("miscellaneous tests");
109@@ -649,4 +734,6 @@ make_miscellaneous_test_case(Suite *s) {
110 tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
111 tcase_add_test__if_xml_ge(tc_misc, test_renter_loop_finite_content);
112 tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980);
113+ tcase_add_test(tc_misc, test_misc_sync_entity_tolerated);
114+ tcase_add_test(tc_misc, test_misc_async_entity_rejected);
115 }
diff --git a/meta/recipes-core/expat/expat/CVE-2024-8176-05.patch b/meta/recipes-core/expat/expat/CVE-2024-8176-05.patch
new file mode 100644
index 0000000000..063a590a11
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-8176-05.patch
@@ -0,0 +1,78 @@
1From a9aaf85cfc3025b7013b5adc4bef2ce32ecc7fb1 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@tum.de>
3Date: Tue, 23 Sep 2025 12:12:50 +0200
4Subject: [PATCH] tests: Add line/column checks to async entity tests
5
6CVE: CVE-2024-8176
7Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1059]
8Signed-off-by: Peter Marko <peter.marko@siemens.com>
9---
10 tests/misc_tests.c | 17 ++++++++++++-----
11 1 file changed, 12 insertions(+), 5 deletions(-)
12
13diff --git a/tests/misc_tests.c b/tests/misc_tests.c
14index 19f41df7..7a4d2455 100644
15--- a/tests/misc_tests.c
16+++ b/tests/misc_tests.c
17@@ -644,6 +644,8 @@ START_TEST(test_misc_async_entity_rejected) {
18 const char *doc;
19 enum XML_Status expectedStatusNoGE;
20 enum XML_Error expectedErrorNoGE;
21+ XML_Size expectedErrorLine;
22+ XML_Size expectedErrorColumn;
23 };
24 const struct test_case cases[] = {
25 // Opened by one entity, closed by another
26@@ -652,35 +654,35 @@ START_TEST(test_misc_async_entity_rejected) {
27 " <!ENTITY close '</t1>'>\n"
28 "]>\n"
29 "<t0>&open;&close;</t0>\n",
30- XML_STATUS_OK, XML_ERROR_NONE},
31+ XML_STATUS_OK, XML_ERROR_NONE, 5, 4},
32 // Opened by tag, closed by entity (non-root case)
33 {"<!DOCTYPE t0 [\n"
34 " <!ENTITY g0 ''>\n"
35 " <!ENTITY g1 '&g0;</t1>'>\n"
36 "]>\n"
37 "<t0><t1>&g1;</t0>\n",
38- XML_STATUS_ERROR, XML_ERROR_TAG_MISMATCH},
39+ XML_STATUS_ERROR, XML_ERROR_TAG_MISMATCH, 5, 8},
40 // Opened by tag, closed by entity (root case)
41 {"<!DOCTYPE t0 [\n"
42 " <!ENTITY g0 ''>\n"
43 " <!ENTITY g1 '&g0;</t0>'>\n"
44 "]>\n"
45 "<t0>&g1;\n",
46- XML_STATUS_ERROR, XML_ERROR_NO_ELEMENTS},
47+ XML_STATUS_ERROR, XML_ERROR_NO_ELEMENTS, 5, 4},
48 // Opened by entity, closed by tag <-- regression from 2.7.0
49 {"<!DOCTYPE t0 [\n"
50 " <!ENTITY g0 ''>\n"
51 " <!ENTITY g1 '<t1>&g0;'>\n"
52 "]>\n"
53 "<t0>&g1;</t1></t0>\n",
54- XML_STATUS_ERROR, XML_ERROR_TAG_MISMATCH},
55+ XML_STATUS_ERROR, XML_ERROR_TAG_MISMATCH, 5, 4},
56 // Opened by tag, closed by entity; then the other way around
57 {"<!DOCTYPE t0 [\n"
58 " <!ENTITY open '<t1>'>\n"
59 " <!ENTITY close '</t1>'>\n"
60 "]>\n"
61 "<t0><t1>&close;&open;</t1></t0>\n",
62- XML_STATUS_OK, XML_ERROR_NONE},
63+ XML_STATUS_OK, XML_ERROR_NONE, 5, 8},
64 };
65
66 for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
67@@ -701,6 +703,11 @@ START_TEST(test_misc_async_entity_rejected) {
68 /*isFinal=*/XML_TRUE)
69 == expectedStatus);
70 assert_true(XML_GetErrorCode(parser) == expectedError);
71+#if XML_GE == 1
72+ assert_true(XML_GetCurrentLineNumber(parser) == testCase.expectedErrorLine);
73+ assert_true(XML_GetCurrentColumnNumber(parser)
74+ == testCase.expectedErrorColumn);
75+#endif
76 XML_ParserFree(parser);
77 }
78 }
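--- a/meta/recipes-core/expat/expat_2.6.4.bb
+++ b/meta/recipes-core/expat/expat_2.6.4.bb
@@ -13,6 +13,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
  file://0001-tests-Cover-indirect-entity-recursion.patch;striplevel=2 \
  file://CVE-2024-8176-01.patch;striplevel=2 \
  file://CVE-2024-8176-02.patch;striplevel=2 \
+ file://CVE-2024-8176-03.patch \
+ file://CVE-2024-8176-04.patch \
+ file://CVE-2024-8176-05.patch \
  "
 
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"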
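Review bot: The three added SRC_URI entries omit the `;striplevel=2` that `CVE-2024-8176-01.patch` and `CVE-2024-8176-02.patch` carry on the lines directly above. The new patch files use `a/lib/...` and `a/tests/...` paths, so the default strip level looks right for them, but two path conventions inside one CVE series are easy to break when a patch is refreshed from upstream. Either regenerate 03 to 05 with the same path prefix as 01/02 and add `;striplevel=2`, or say in the commit message that the paths were rewritten on purpose.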
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index f924668792..8d97d960f4 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check
26 26
27REQUIRED_DISTRO_FEATURES += "xattr" 27REQUIRED_DISTRO_FEATURES += "xattr"
28 28
29SRCREV ?= "1df3fcb4a50be33b71ad1252672b930a288d3f5b" 29SRCREV ?= "517a1206e0e7fbb5d0f05b25a08b0f06462a4b8c"
30SRC_URI = "git://git.yoctoproject.org/poky;branch=scarthgap \ 30SRC_URI = "git://git.yoctoproject.org/poky;branch=scarthgap \
31 file://Yocto_Build_Appliance.vmx \ 31 file://Yocto_Build_Appliance.vmx \
32 file://Yocto_Build_Appliance.vmxf \ 32 file://Yocto_Build_Appliance.vmxf \
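--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -20,6 +20,7 @@ SRC_URI += "\
  file://CVE-2025-4674.patch \
  file://CVE-2025-47907-pre.patch \
  file://CVE-2025-47907.patch \
+ file://CVE-2025-47906.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
 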
diff --git a/meta/recipes-devtools/go/go/CVE-2025-47906.patch b/meta/recipes-devtools/go/go/CVE-2025-47906.patch
new file mode 100644
index 0000000000..88895f496d
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-47906.patch
@@ -0,0 +1,183 @@
1From 8fa31a2d7d9e60c50a3a94080c097b6e65773f4b Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Olivier=20Mengu=C3=A9?= <olivier.mengue@gmail.com>
3Date: Mon, 30 Jun 2025 16:58:59 +0200
4Subject: [PATCH] [release-branch.go1.23] os/exec: fix incorrect expansion of
5 "", "." and ".." in LookPath Fix incorrect expansion of "" and "." when $PATH
6 contains an executable file or, on Windows, a parent directory of a %PATH%
7 element contains an file with the same name as the %PATH% element but with
8 one of the %PATHEXT% extension (ex: C:\utils\bin is in PATH, and
9 C:\utils\bin.exe exists).
10
11Fix incorrect expansion of ".." when $PATH contains an element which is
12an the concatenation of the path to an executable file (or on Windows
13a path that can be expanded to an executable by appending a %PATHEXT%
14extension), a path separator and a name.
15
16"", "." and ".." are now rejected early with ErrNotFound.
17
18Fixes CVE-2025-47906
19Fixes #74803
20
21Change-Id: Ie50cc0a660fce8fbdc952a7f2e05c36062dcb50e
22Reviewed-on: https://go-review.googlesource.com/c/go/+/685755
23LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
24Auto-Submit: Damien Neil <dneil@google.com>
25Reviewed-by: Roland Shoemaker <roland@golang.org>
26Reviewed-by: Damien Neil <dneil@google.com>
27(cherry picked from commit e0b07dc)
28Reviewed-on: https://go-review.googlesource.com/c/go/+/691855
29Reviewed-by: Michael Knyszek <mknyszek@google.com>
30
31CVE: CVE-2025-47906
32
33Upstream-Status: Backport [https://github.com/golang/go/commit/8fa31a2d7d9e60c50a3a94080c097b6e65773f4b]
34
35Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
36---
37 src/os/exec/dot_test.go | 56 +++++++++++++++++++++++++++++++++++++++
38 src/os/exec/exec.go | 10 +++++++
39 src/os/exec/lp_plan9.go | 4 +++
40 src/os/exec/lp_unix.go | 4 +++
41 src/os/exec/lp_windows.go | 7 +++++
42 5 files changed, 81 insertions(+)
43
44diff --git a/src/os/exec/dot_test.go b/src/os/exec/dot_test.go
45index ed4bad2..86e9cbb 100644
46--- a/src/os/exec/dot_test.go
47+++ b/src/os/exec/dot_test.go
48@@ -178,4 +178,60 @@ func TestLookPath(t *testing.T) {
49 }
50 }
51 })
52+
53+ checker := func(test string) func(t *testing.T) {
54+ return func(t *testing.T) {
55+ t.Helper()
56+ t.Logf("PATH=%s", os.Getenv("PATH"))
57+ p, err := LookPath(test)
58+ if err == nil {
59+ t.Errorf("%q: error expected, got nil", test)
60+ }
61+ if p != "" {
62+ t.Errorf("%q: path returned should be \"\". Got %q", test, p)
63+ }
64+ }
65+ }
66+
67+ // Reference behavior for the next test
68+ t.Run(pathVar+"=$OTHER2", func(t *testing.T) {
69+ t.Run("empty", checker(""))
70+ t.Run("dot", checker("."))
71+ t.Run("dotdot1", checker("abc/.."))
72+ t.Run("dotdot2", checker(".."))
73+ })
74+
75+ // Test the behavior when PATH contains an executable file which is not a directory
76+ t.Run(pathVar+"=exe", func(t *testing.T) {
77+ // Inject an executable file (not a directory) in PATH.
78+ // Use our own binary os.Args[0].
79+ testenv.MustHaveExec(t)
80+ exe, err := os.Executable()
81+ if err != nil {
82+ t.Fatal(err)
83+ }
84+
85+ t.Setenv(pathVar, exe)
86+ t.Run("empty", checker(""))
87+ t.Run("dot", checker("."))
88+ t.Run("dotdot1", checker("abc/.."))
89+ t.Run("dotdot2", checker(".."))
90+ })
91+
92+ // Test the behavior when PATH contains an executable file which is not a directory
93+ t.Run(pathVar+"=exe/xx", func(t *testing.T) {
94+ // Inject an executable file (not a directory) in PATH.
95+ // Use our own binary os.Args[0].
96+ testenv.MustHaveExec(t)
97+ exe, err := os.Executable()
98+ if err != nil {
99+ t.Fatal(err)
100+ }
101+
102+ t.Setenv(pathVar, filepath.Join(exe, "xx"))
103+ t.Run("empty", checker(""))
104+ t.Run("dot", checker("."))
105+ t.Run("dotdot1", checker("abc/.."))
106+ t.Run("dotdot2", checker(".."))
107+ })
108 }
109diff --git a/src/os/exec/exec.go b/src/os/exec/exec.go
110index b8ef5a0..2c7f510 100644
111--- a/src/os/exec/exec.go
112+++ b/src/os/exec/exec.go
113@@ -1310,3 +1310,13 @@ func addCriticalEnv(env []string) []string {
114 // Code should use errors.Is(err, ErrDot), not err == ErrDot,
115 // to test whether a returned error err is due to this condition.
116 var ErrDot = errors.New("cannot run executable found relative to current directory")
117+
118+// validateLookPath excludes paths that can't be valid
119+// executable names. See issue #74466 and CVE-2025-47906.
120+func validateLookPath(s string) error {
121+ switch s {
122+ case "", ".", "..":
123+ return ErrNotFound
124+ }
125+ return nil
126+}
127diff --git a/src/os/exec/lp_plan9.go b/src/os/exec/lp_plan9.go
128index dffdbac..39f3d33 100644
129--- a/src/os/exec/lp_plan9.go
130+++ b/src/os/exec/lp_plan9.go
131@@ -36,6 +36,10 @@ func findExecutable(file string) error {
132 // As of Go 1.19, LookPath will instead return that path along with an error satisfying
133 // errors.Is(err, ErrDot). See the package documentation for more details.
134 func LookPath(file string) (string, error) {
135+ if err := validateLookPath(file); err != nil {
136+ return "", &Error{file, err}
137+ }
138+
139 // skip the path lookup for these prefixes
140 skip := []string{"/", "#", "./", "../"}
141
142diff --git a/src/os/exec/lp_unix.go b/src/os/exec/lp_unix.go
143index 3787132..2543525 100644
144--- a/src/os/exec/lp_unix.go
145+++ b/src/os/exec/lp_unix.go
146@@ -54,6 +54,10 @@ func LookPath(file string) (string, error) {
147 // (only bypass the path if file begins with / or ./ or ../)
148 // but that would not match all the Unix shells.
149
150+ if err := validateLookPath(file); err != nil {
151+ return "", &Error{file, err}
152+ }
153+
154 if strings.Contains(file, "/") {
155 err := findExecutable(file)
156 if err == nil {
157diff --git a/src/os/exec/lp_windows.go b/src/os/exec/lp_windows.go
158index 698a97c..e0b74e3 100644
159--- a/src/os/exec/lp_windows.go
160+++ b/src/os/exec/lp_windows.go
161@@ -68,6 +68,9 @@ func findExecutable(file string, exts []string) (string, error) {
162 // As of Go 1.19, LookPath will instead return that path along with an error satisfying
163 // errors.Is(err, ErrDot). See the package documentation for more details.
164 func LookPath(file string) (string, error) {
165+ if err := validateLookPath(file); err != nil {
166+ return "", &Error{file, err}
167+ }
168 return lookPath(file, pathExt())
169 }
170
171@@ -81,6 +84,10 @@ func LookPath(file string) (string, error) {
172 // "C:\foo\example.com" would be returned as-is even if the
173 // program is actually "C:\foo\example.com.exe".
174 func lookExtensions(path, dir string) (string, error) {
175+ if err := validateLookPath(path); err != nil {
176+ return "", &Error{path, err}
177+ }
178+
179 if filepath.Base(path) == path {
180 path = "." + string(filepath.Separator) + path
181 }
182--
1832.40.0
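Review bot: `validateLookPath` in exec.go rejects only the exact strings `""`, `.` and `..`, yet the added `dotdot1` subtests also expect `abc/..` to fail, so that case depends on checks further down `LookPath` (on Unix the `strings.Contains(file, "/")` branch into `findExecutable`). The doc comment should say this, for example `// Only the exact names are rejected here; path forms such as "abc/.." are left to findExecutable.`, so that a later reader does not take the helper for a complete filter. The comment also cites issue #74466 while the commit message says `Fixes #74803`; it is worth confirming which reference is meant. The subject line still reads `[release-branch.go1.23]` although the recipe is go-1.22.12, and the `LookPath` bodies continue outside each hunk.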
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch
new file mode 100644
index 0000000000..9432126e85
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59798.patch
@@ -0,0 +1,134 @@
1From 0cae41b23a9669e801211dd4cf97b6dadd6dbdd7 Mon Sep 17 00:00:00 2001
2From: Ken Sharp <Ken.Sharp@artifex.com>
3Date: Thu, 22 May 2025 12:25:41 +0100
4Subject: [PATCH] pdfwrite - avoid buffer overrun
5
6Bug #708539 "Buffer overflow in pdf_write_cmap"
7
8The proposed fix in the report solves the buffer overrun, but does not
9tackle a number of other problems.
10
11This commit checks the result of stream_puts() in
12pdf_write_cid_system_info_to_stream() and correctly signals an error to
13the caller if that fails.
14
15In pdf_write_cid_system_info we replace a (rather small!) fixed size
16buffer with a dynamically allocated one using the lengths of the strings
17which pdf_write_cid_system_info_to_stream() will write, and a small
18fixed overhead to deal with the keys and initial byte '/'.
19
20Because 'buf' is used in the stream 's', if it is too small to hold all
21the CIDSystemInfo then we would get an error which was simply discarded
22previously.
23
24We now should avoid the potential error by ensuring the buffer is large
25enough for all the information, and if we do get an error we no longer
26silently ignore it, which would write an invalid PDF file.
27
28CVE: CVE-2025-59798
29Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/0cae41b23a9669e801211dd4cf97b6dadd6dbdd7]
30Signed-off-by: Peter Marko <peter.marko@siemens.com>
31---
32 devices/vector/gdevpdtw.c | 52 ++++++++++++++++++++++++++++++---------
33 1 file changed, 41 insertions(+), 11 deletions(-)
34
35diff --git a/devices/vector/gdevpdtw.c b/devices/vector/gdevpdtw.c
36index ced15c9b2..fe24dd73a 100644
37--- a/devices/vector/gdevpdtw.c
38+++ b/devices/vector/gdevpdtw.c
39@@ -703,7 +703,8 @@ static int
40 pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s,
41 const gs_cid_system_info_t *pcidsi, gs_id object_id)
42 {
43- byte *Registry, *Ordering;
44+ byte *Registry = NULL, *Ordering = NULL;
45+ int code = 0;
46
47 Registry = gs_alloc_bytes(pdev->pdf_memory, pcidsi->Registry.size, "temporary buffer for Registry");
48 if (!Registry)
49@@ -734,14 +735,19 @@ pdf_write_cid_system_info_to_stream(gx_device_pdf *pdev, stream *s,
50 }
51 s_arcfour_process_buffer(&sarc4, Ordering, pcidsi->Ordering.size);
52 }
53- stream_puts(s, "<<\n/Registry");
54+ code = stream_puts(s, "<<\n/Registry");
55+ if (code < 0)
56+ goto error;
57 s_write_ps_string(s, Registry, pcidsi->Registry.size, PRINT_HEX_NOT_OK);
58- stream_puts(s, "\n/Ordering");
59+ code = stream_puts(s, "\n/Ordering");
60+ if(code < 0)
61+ goto error;
62 s_write_ps_string(s, Ordering, pcidsi->Ordering.size, PRINT_HEX_NOT_OK);
63+error:
64 pprintd1(s, "\n/Supplement %d\n>>\n", pcidsi->Supplement);
65 gs_free_object(pdev->pdf_memory, Registry, "free temporary Registry buffer");
66 gs_free_object(pdev->pdf_memory, Ordering, "free temporary Ordering buffer");
67- return 0;
68+ return code;
69 }
70
71 int
72@@ -786,31 +792,55 @@ pdf_write_cmap(gx_device_pdf *pdev, const gs_cmap_t *pcmap,
73 *ppres = writer.pres;
74 writer.pres->where_used = 0; /* CMap isn't a PDF resource. */
75 if (!pcmap->ToUnicode) {
76- byte buf[200];
77+ byte *buf = NULL;
78+ uint64_t buflen = 0;
79 cos_dict_t *pcd = (cos_dict_t *)writer.pres->object;
80 stream s;
81
82+ /* We use 'buf' for the stream 's' below and that needs to have some extra
83+ * space for the CIDSystemInfo. We also need an extra byte for the leading '/'
84+ * 100 bytes is ample for the overhead.
85+ */
86+ buflen = pcmap->CIDSystemInfo->Registry.size + pcmap->CIDSystemInfo->Ordering.size + pcmap->CMapName.size + 100;
87+ if (buflen > max_uint)
88+ return_error(gs_error_limitcheck);
89+
90+ buf = gs_alloc_bytes(pdev->memory, buflen, "pdf_write_cmap");
91+ if (buf == NULL)
92+ return_error(gs_error_VMerror);
93+
94 code = cos_dict_put_c_key_int(pcd, "/WMode", pcmap->WMode);
95- if (code < 0)
96+ if (code < 0) {
97+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
98 return code;
99+ }
100 buf[0] = '/';
101 memcpy(buf + 1, pcmap->CMapName.data, pcmap->CMapName.size);
102 code = cos_dict_put_c_key_string(pcd, "/CMapName",
103 buf, pcmap->CMapName.size + 1);
104- if (code < 0)
105+ if (code < 0) {
106+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
107 return code;
108+ }
109 s_init(&s, pdev->memory);
110- swrite_string(&s, buf, sizeof(buf));
111+ swrite_string(&s, buf, buflen);
112 code = pdf_write_cid_system_info_to_stream(pdev, &s, pcmap->CIDSystemInfo, 0);
113- if (code < 0)
114+ if (code < 0) {
115+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
116 return code;
117+ }
118 code = cos_dict_put_c_key_string(pcd, "/CIDSystemInfo",
119 buf, stell(&s));
120- if (code < 0)
121+ if (code < 0) {
122+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
123 return code;
124+ }
125 code = cos_dict_put_string_copy(pcd, "/Type", "/CMap");
126- if (code < 0)
127+ if (code < 0) {
128+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
129 return code;
130+ }
131+ gs_free_object(pdev->memory, buf, "pdf_write_cmap");
132 }
133 if (pcmap->CMapName.size == 0) {
134 /* Create an arbitrary name (for ToUnicode CMap). */
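Review bot: In `pdf_write_cid_system_info_to_stream` the `error:` label sits above the `pprintd1(s, "\n/Supplement %d\n>>\n", ...)` call, so a failed `stream_puts` still writes the Supplement entry into a stream already known to be bad before `code` is returned. Moving the label below that call, directly above the first `gs_free_object`, keeps the shared cleanup without the extra write. Only the two `stream_puts` calls are checked; a failure during the later `s_write_ps_string` on Ordering or in `pprintd1` would still return 0. If `s_write_ps_string` escapes bytes when writing (not visible here), the `+ 100` allowance in `pdf_write_cmap` could be smaller than the written form, which would make that unchecked path reachable and is worth confirming. Both function bodies extend beyond their hunks.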
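--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59799.patch
@@ -0,0 +1,41 @@
+From 6dab38fb211f15226c242ab7a83fa53e4b0ff781 Mon Sep 17 00:00:00 2001
+From: Piotr Kajda <petermasterperfect@gmail.com>
+Date: Thu, 8 May 2025 11:37:09 +0100
+Subject: [PATCH] pdfwrite - bounds check some strings
+
+Bug #708517
+
+This differs very slightly from the proposed patch in the bug report, I
+had a quick scout through the C file and found another similar case.
+
+Both fixed here.
+
+CVE: CVE-2025-59799
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/6dab38fb211f15226c242ab7a83fa53e4b0ff781]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/vector/gdevpdfm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/devices/vector/gdevpdfm.c b/devices/vector/gdevpdfm.c
+index 5aa3644e2..4b1d7d89c 100644
+--- a/devices/vector/gdevpdfm.c
++++ b/devices/vector/gdevpdfm.c
+@@ -199,6 +199,8 @@ pdfmark_coerce_dest(gs_param_string *dstr, char dest[MAX_DEST_STRING])
+ {
+ const byte *data = dstr->data;
+ uint size = dstr->size;
++ if (size > MAX_DEST_STRING)
++ return_error(gs_error_limitcheck);
+ if (size == 0 || data[0] != '(')
+ return 0;
+ /****** HANDLE ESCAPES ******/
+@@ -859,6 +861,8 @@ pdfmark_put_ao_pairs(gx_device_pdf * pdev, cos_dict_t *pcd,
+ char buf[30];
+ int d0, d1;
+
++ if (Action[1].size > 29)
++ return_error(gs_error_rangecheck);
+ memcpy(buf, Action[1].data, Action[1].size);
+ buf[Action[1].size] = 0;
+ if (sscanf(buf, "%d %d R", &d0, &d1) == 2)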
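Review bot: The bound added in `pdfmark_put_ao_pairs` is the literal `29`, which is only correct while the declaration two lines above stays `char buf[30]`. Tying it to the buffer, `if (Action[1].size > sizeof(buf) - 1)`, keeps the check and the `buf[Action[1].size] = 0` terminator in step if the array is ever resized. In `pdfmark_coerce_dest` the new check admits `size == MAX_DEST_STRING`; whether that leaves room for a terminator depends on the copy below the `HANDLE ESCAPES` comment, which is outside the hunk, so it should be confirmed. The two checks also return different errors (`gs_error_limitcheck` and `gs_error_rangecheck`) for the same kind of oversize input.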
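--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-59800.patch
@@ -0,0 +1,36 @@
+From 176cf0188a2294bc307b8caec876f39412e58350 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Tue, 1 Jul 2025 10:31:17 +0100
+Subject: [PATCH] PDF OCR 8 bit device - avoid overflow
+
+Bug 708602 "Heap overflow in ocr_line8"
+
+Make sure the calculation of the required raster size does not overflow
+an int.
+
+CVE: CVE-2025-59800
+Upstream-Status: Backport [https://github.com/ArtifexSoftware/ghostpdl/commit/176cf0188a2294bc307b8caec876f39412e58350]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ devices/gdevpdfocr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index f27dc11db..6362f4104 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -521,9 +521,12 @@ ocr_line32(gx_device_pdf_image *dev, void *row)
+ static int
+ ocr_begin_page(gx_device_pdf_image *dev, int w, int h, int bpp)
+ {
+- int raster = (w+3)&~3;
++ int64_t raster = (w + 3) & ~3;
+
+- dev->ocr.data = gs_alloc_bytes(dev->memory, raster * h, "ocr_begin_page");
++ raster = raster * (int64_t)h;
++ if (raster < 0 || raster > max_size_t)
++ return gs_note_error(gs_error_VMerror);
++ dev->ocr.data = gs_alloc_bytes(dev->memory, raster, "ocr_begin_page");
+ if (dev->ocr.data == NULL)
+ return_error(gs_error_VMerror);
+ dev->ocr.w = w;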
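Review bot: `(w + 3) & ~3` in `ocr_begin_page` is still evaluated in `int` before it is widened, so the rounding itself can overflow for `w` close to `INT_MAX`; only the multiplication by `h` is protected. Widening first, `int64_t raster = ((int64_t)w + 3) & ~(int64_t)3;`, closes that, and a guard such as `if (w <= 0 || h <= 0) return_error(gs_error_rangecheck);` would stop two negative dimensions from giving a positive product that passes the `raster < 0` test. After this change `raster` holds the total byte count rather than the row stride, so any later use of it in the part of the function below the hunk should be checked.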
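--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -25,6 +25,9 @@ def gs_verdir(v):
 SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \
  file://ghostscript-9.16-Werror-return-type.patch \
  file://avoid-host-contamination.patch \
+ file://CVE-2025-59798.patch \
+ file://CVE-2025-59799.patch \
+ file://CVE-2025-59800.patch \
  "
 
 SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"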
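--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb
@@ -50,6 +50,10 @@ CVE_STATUS[CVE-2023-39018] = "cpe-incorrect: This issue belongs to ffmpeg-cli-wr
 # Fixed: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/43be8d07281caca2e88bfd8ee2333633e1fb1a13
 CVE_STATUS[CVE-2025-1373] = "fixed-version: Vulnerable code not present in any release"
 
+CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_61x"
+CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585"
+CVE_STATUS_FIXED_61x[status] = "cpe-incorrect:these CVEs are fixed in 6.1.x"
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"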
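Review bot: The `CVE_STATUS_FIXED_61x` group suppresses eight CVEs with the single reason `these CVEs are fixed in 6.1.x` and no reference, whereas the CVE-2025-1373 entry just above carries a `# Fixed:` link to the fixing commit. A suppressed CVE disappears from the scanner report, so each ID should be traceable: a comment giving the upstream commit or the first fixed 6.1.x release per CVE would let a reviewer re-check them against 6.1.3. `fixed-version` may also describe this case better than `cpe-incorrect`, and the status string lacks the space after the colon that the other entries use.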
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb
index 3f28459e2d..5b0ba37977 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb
@@ -74,17 +74,28 @@ CVE_PRODUCT = "gstreamer"
74 74
75CVE_STATUS[CVE-2024-0444] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-bad in 1.22 branch since 1.22.9" 75CVE_STATUS[CVE-2024-0444] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-bad in 1.22 branch since 1.22.9"
76 76
77CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BAD"
78CVE_STATUS_PLUGINS_BAD = " \
79 CVE-2025-3887 \
80"
81CVE_STATUS_PLUGINS_BAD[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-bad"
82
77CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BASE" 83CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BASE"
78CVE_STATUS_PLUGINS_BASE = "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835" 84CVE_STATUS_PLUGINS_BASE = " \
79CVE_STATUS_PLUGINS_BASE[status] = "cpe-incorrect: this is patched ic gstreamer1.0-plugins-base" 85 CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835 \
86 CVE-2025-47806 CVE-2025-47807 CVE-2025-47808 \
87"
88CVE_STATUS_PLUGINS_BASE[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-base"
80 89
81CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_GOOD" 90CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_GOOD"
82CVE_STATUS_PLUGINS_GOOD = " \ 91CVE_STATUS_PLUGINS_GOOD = " \
83 CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \ 92 CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \
84 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \ 93 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \
85 CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \ 94 CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \
86 CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \ 95 CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 CVE-2025-47183 CVE-2025-47219 \
87" 96"
88CVE_STATUS_PLUGINS_GOOD[status] = "cpe-incorrect: this is patched ic gstreamer1.0-plugins-good" 97CVE_STATUS_PLUGINS_GOOD[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-good"
98
99CVE_STATUS[CVE-2025-2759] = "not-applicable-platform: affects installation packages for non Linux OSes"
89 100
90PTEST_BUILD_HOST_FILES = "" 101PTEST_BUILD_HOST_FILES = ""
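Review bot: The reason text `this is patched in gstreamer1.0-plugins-bad` (and the `-base` and `-good` equivalents) reads as a statement that the fixes for the newly listed 2025 CVEs are already present in those recipes, but this section only changes the core `gstreamer1.0` recipe and shows nothing of the plugin recipes. If the intent is that the CVEs belong to the plugin packages and are reported against the wrong CPE, wording such as `cpe-incorrect: this CVE is in gstreamer1.0-plugins-bad and is tracked in that recipe` says so without claiming a fix. Otherwise the commit should point at the plugin-recipe patches that address CVE-2025-3887, CVE-2025-47806, CVE-2025-47807, CVE-2025-47808, CVE-2025-47183 and CVE-2025-47219.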
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
index 1d3d08ff9d..9957699fb2 100644
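--- a/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.6.0.bb
@@ -28,6 +28,10 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
 CVE_STATUS[CVE-2023-3164] = "cpe-incorrect: Issue only affects the tiffcrop tool not compiled by default since 4.6.0"
 
+CVE_STATUS_GROUPS += "CVE_STATUS_REMOVED_TOOLS"
+CVE_STATUS_REMOVED_TOOLS = "CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8851"
+CVE_STATUS_REMOVED_TOOLS[status] = "cpe-incorrect: tools affected by these CVEs are not present in this release"
+
 inherit autotools multilib_header
 
 CACHED_CONFIGUREVARS = "ax_cv_check_gl_libgl=no"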
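Review bot: The shared reason on `CVE_STATUS_REMOVED_TOOLS[status]` does not say which tool each of the five CVEs belongs to, so the exemption cannot be re-checked from the recipe alone. The entry just above it for CVE-2023-3164 names tiffcrop and calls it "not compiled by default", which is a weaker statement than "not present in this release"; if these tools are only left out of the default build, the wording here should say so. I would add a comment above the group such as `# Affected tools: <CVE-id>: <tool>, ... ; re-verify on every tiff upgrade`. The group presumably moves with the file when the versioned recipe is renamed, and would then keep silencing the CVE check for a release nobody looked at.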
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
index a93ef8f338..26e9e08a63 100644
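--- a/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio.inc
@@ -281,3 +281,5 @@ RDEPENDS:pulseaudio-server += "\
 RDEPENDS:pulseaudio-server += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', \
  bb.utils.contains('DISTRO_FEATURES', 'systemd', 'pulseaudio-module-systemd-login', 'pulseaudio-module-console-kit', d), \
  '', d)}"
+
+CVE_STATUS[CVE-2024-11586] = "not-applicable-platform: specific to Ubuntu 16.04"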
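Review bot: The reason string for CVE-2024-11586 says the issue is specific to Ubuntu 16.04 but gives no pointer to where that scope was established. Because the line sits in the shared `pulseaudio.inc`, it suppresses the finding for every recipe version that includes this file, so a later reader needs a way to confirm it. A comment above the entry, for example `# Scope per <advisory URL>: affected code is a distro-only patch, not in upstream sources`, would make the exemption auditable. The second half of that wording is my assumption and has to be checked against the advisory before it is committed.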
diff --git a/scripts/install-buildtools b/scripts/install-buildtools
index 0dd23fe0e4..a449e45cff 100755
--- a/scripts/install-buildtools
+++ b/scripts/install-buildtools
@@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout)
57 57
58DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') 58DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools')
59DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' 59DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto'
60DEFAULT_RELEASE = 'yocto-5.0.11' 60DEFAULT_RELEASE = 'yocto-5.0.12'
61DEFAULT_INSTALLER_VERSION = '5.0.11' 61DEFAULT_INSTALLER_VERSION = '5.0.12'
62DEFAULT_BUILDDATE = '202110XX' 62DEFAULT_BUILDDATE = '202110XX'
63 63
64# Python version sanity check 64# Python version sanity check