diff options
-rw-r--r-- | recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch | 148 | ||||
-rw-r--r-- | recipes-devtools/perl/perl_5.24.1.bbappend | 6 |
2 files changed, 154 insertions, 0 deletions
diff --git a/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch new file mode 100644 index 0000000..cb73e21 --- /dev/null +++ b/recipes-devtools/perl/perl/CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch | |||
@@ -0,0 +1,148 @@ | |||
1 | From a9d5c6e11891b48be06d4e06eeed18642bc98527 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tony Cook <tony@develop-help.com> | ||
3 | Date: Tue, 8 Aug 2017 09:32:58 +1000 | ||
4 | Subject: [PATCH] (perl #131844) fix various space calculation issues in | ||
5 | pp_pack.c | ||
6 | |||
7 | - for the originally reported case, if the start/cur pointer is in the | ||
8 | top 75% of the address space the add (cur) + glen addition would | ||
9 | overflow, resulting in the condition failing incorrectly. | ||
10 | |||
11 | - the addition of the existing space used to the space needed could | ||
12 | overflow, resulting in too small an allocation and a buffer overflow. | ||
13 | |||
14 | - the scaling for UTF8 could overflow. | ||
15 | |||
16 | - the multiply to calculate the space needed for many items could | ||
17 | overflow. | ||
18 | |||
19 | For the first case, do a space calculation without making new pointers. | ||
20 | |||
21 | For the other cases, detect the overflow and croak if there's an | ||
22 | overflow. | ||
23 | |||
24 | Originally this used Size_t_MAX as the maximum size of a memory | ||
25 | allocation, but for -DDEBUGGING builds realloc() throws a panic for | ||
26 | allocations over half the address space in size, changing the error | ||
27 | reported for the allocation. | ||
28 | |||
29 | For non-DEBUGGING builds the Size_t_MAX limit has the small chance | ||
30 | of finding a system that has 3GB of contiguous space available, and | ||
31 | allocating that space, which could be a denial of servce in some cases. | ||
32 | |||
33 | Unfortunately changing the limit to half the address space means that | ||
34 | the exact case with the original issue can no longer occur, so the | ||
35 | test is no longer testing against the address + length issue that | ||
36 | caused the original problem, since the allocation is failing earlier. | ||
37 | |||
38 | One option would be to change the test so the size request by pack is | ||
39 | just under 2GB, but this has a higher (but still low) probability that | ||
40 | the system has the address space available, and will actually try to | ||
41 | allocate the memory, so let's not do that. | ||
42 | |||
43 | (cherry picked from commit f5506feddde8546eabb69d71569d856c7e9c615b) | ||
44 | |||
45 | CVE: CVE-2018-131844 | ||
46 | Upstream-Status: Backport [https://rt.perl.org/Public/Ticket/Attachment/1480002/799836/0001-perl-131844-fix-various-space-calculation-issues-in-.patch] | ||
47 | |||
48 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
49 | --- | ||
50 | pp_pack.c | 25 +++++++++++++++++++++---- | ||
51 | t/op/pack.t | 24 +++++++++++++++++++++++- | ||
52 | 2 files changed, 44 insertions(+), 5 deletions(-) | ||
53 | |||
54 | diff --git a/pp_pack.c b/pp_pack.c | ||
55 | index f6964c3..c0de5ab 100644 | ||
56 | --- a/pp_pack.c | ||
57 | +++ b/pp_pack.c | ||
58 | @@ -358,11 +358,28 @@ STMT_START { \ | ||
59 | } \ | ||
60 | } STMT_END | ||
61 | |||
62 | +#define SAFE_UTF8_EXPAND(var) \ | ||
63 | +STMT_START { \ | ||
64 | + if ((var) > SSize_t_MAX / UTF8_EXPAND) \ | ||
65 | + Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \ | ||
66 | + (var) = (var) * UTF8_EXPAND; \ | ||
67 | +} STMT_END | ||
68 | + | ||
69 | +#define GROWING2(utf8, cat, start, cur, item_size, item_count) \ | ||
70 | +STMT_START { \ | ||
71 | + if (SSize_t_MAX / (item_size) < (item_count)) \ | ||
72 | + Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \ | ||
73 | + GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \ | ||
74 | +} STMT_END | ||
75 | + | ||
76 | #define GROWING(utf8, cat, start, cur, in_len) \ | ||
77 | STMT_START { \ | ||
78 | STRLEN glen = (in_len); \ | ||
79 | - if (utf8) glen *= UTF8_EXPAND; \ | ||
80 | - if ((cur) + glen >= (start) + SvLEN(cat)) { \ | ||
81 | + STRLEN catcur = (STRLEN)((cur) - (start)); \ | ||
82 | + if (utf8) SAFE_UTF8_EXPAND(glen); \ | ||
83 | + if (SSize_t_MAX - glen < catcur) \ | ||
84 | + Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \ | ||
85 | + if (catcur + glen >= SvLEN(cat)) { \ | ||
86 | (start) = sv_exp_grow(cat, glen); \ | ||
87 | (cur) = (start) + SvCUR(cat); \ | ||
88 | } \ | ||
89 | @@ -372,7 +389,7 @@ STMT_START { \ | ||
90 | STMT_START { \ | ||
91 | const STRLEN glen = (in_len); \ | ||
92 | STRLEN gl = glen; \ | ||
93 | - if (utf8) gl *= UTF8_EXPAND; \ | ||
94 | + if (utf8) SAFE_UTF8_EXPAND(gl); \ | ||
95 | if ((cur) + gl >= (start) + SvLEN(cat)) { \ | ||
96 | *cur = '\0'; \ | ||
97 | SvCUR_set((cat), (cur) - (start)); \ | ||
98 | @@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist ) | ||
99 | if (props && !(props & PACK_SIZE_UNPREDICTABLE)) { | ||
100 | /* We can process this letter. */ | ||
101 | STRLEN size = props & PACK_SIZE_MASK; | ||
102 | - GROWING(utf8, cat, start, cur, (STRLEN) len * size); | ||
103 | + GROWING2(utf8, cat, start, cur, size, (STRLEN)len); | ||
104 | } | ||
105 | } | ||
106 | |||
107 | diff --git a/t/op/pack.t b/t/op/pack.t | ||
108 | index a2da636..a480c3a 100644 | ||
109 | --- a/t/op/pack.t | ||
110 | +++ b/t/op/pack.t | ||
111 | @@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' : | ||
112 | my $no_signedness = $] > 5.009 ? '' : | ||
113 | "Signed/unsigned pack modifiers not available on this perl"; | ||
114 | |||
115 | -plan tests => 14712; | ||
116 | +plan tests => 14716; | ||
117 | |||
118 | use strict; | ||
119 | use warnings qw(FATAL all); | ||
120 | @@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash"); | ||
121 | is(pack("H40", $up_nul), $twenty_nuls, | ||
122 | "check pack H zero fills (utf8 source)"); | ||
123 | } | ||
124 | + | ||
125 | +SKIP: | ||
126 | +{ | ||
127 | + # [perl #131844] pointer addition overflow | ||
128 | + $Config{ptrsize} == 4 | ||
129 | + or skip "[perl #131844] need 32-bit build for this test", 4; | ||
130 | + # prevent ASAN just crashing on the allocation failure | ||
131 | + local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS}; | ||
132 | + $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1"; | ||
133 | + fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 }, | ||
134 | + "pointer addition overflow"); | ||
135 | + | ||
136 | + # integer (STRLEN) overflow from addition of glen to current length | ||
137 | + fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 }, | ||
138 | + "integer overflow calculating allocation (addition)"); | ||
139 | + | ||
140 | + fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 }, | ||
141 | + "integer overflow calculating allocation (utf8)"); | ||
142 | + | ||
143 | + fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 }, | ||
144 | + "integer overflow calculating allocation (multiply)"); | ||
145 | +} | ||
146 | -- | ||
147 | 2.7.4 | ||
148 | |||
diff --git a/recipes-devtools/perl/perl_5.24.1.bbappend b/recipes-devtools/perl/perl_5.24.1.bbappend new file mode 100644 index 0000000..10cfbca --- /dev/null +++ b/recipes-devtools/perl/perl_5.24.1.bbappend | |||
@@ -0,0 +1,6 @@ | |||
1 | # look for files in the layer first | ||
2 | FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" | ||
3 | |||
4 | SRC_URI += " \ | ||
5 | file://CVE-2018-6913-perl-131844-fix-various-space-calculation-issues-in-.patch \ | ||
6 | " | ||