lua: Security fix for CVE-2019-6706

Source: lua.org MR: 97553 Type: Security Fix Disposition: Backport from http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html ChangeID: c939b7edcb54274ab0aeebcb7e3dc9f17cc09c2d Description: Affects < 5.3.5 Fixes: CVE-2019-6706 Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2019-05-31 18:00:01 -0700
committer: Armin Kuster <akuster808@gmail.com> 2019-09-02 19:54:39 -0700
commit: aaa6eb0bb5da516373aa9e8c1dde8fdf85a54e95 (patch)
tree: 08677c048ffdd86495f8dbdf99710624ac39f902
parent: 05360c2a74c62d39818bbbdc4fb7ec18bb6e83ff (diff)
download: meta-openembedded-aaa6eb0bb5da516373aa9e8c1dde8fdf85a54e95.tar.gz
2 files changed, 33 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
new file mode 100644
index 000000000..cfe48af5a
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
@@ -0,0 +1,32 @@
+CVE-2019-6706: use-after-free in lua_upvaluejoin function 
+Upstream-Status: Backport
+http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
+CVE: CVE-2019-6706
+Affects < 5.3.5
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: lua-5.3.4/src/lapi.c
+===================================================================
+--- lua-5.3.4.orig/src/lapi.c
+++ lua-5.3.4/src/lapi.c
+@@ -1285,14 +1285,14 @@ LUA_API void *lua_upvalueid (lua_State *
+ 
+ LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
+                                             int fidx2, int n2) {
+-  LClosure *f1;
+-  UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
+  UpVal **up1 = getupvalref(L, fidx1, n1, NULL); /* the last parameter not needed */
+   UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
+  if (*up1 == *up2) return; /* Already joined */
+  (*up2)->refcount++;
+  if (upisopen(*up2)) (*up2)->u.open.touched = 1;
+  luaC_upvalbarrier(L, *up2);
+   luaC_upvdeccount(L, *up1);
+   *up1 = *up2;
+-  (*up1)->refcount++;
+-  if (upisopen(*up1)) (*up1)->u.open.touched = 1;
+-  luaC_upvalbarrier(L, *up1);
+ }
+ 
+ 
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.4.bb b/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
index 8f4e8fe68..978c2033e 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
@@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/"
 DEPENDS = "readline"
 SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
           file://lua.pc.in \
+           file://CVE-2019-6706.patch \
           "
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \
           'http://www.lua.org/tests/lua-${PV}-tests.tar.gz;name=tarballtest \
author	Armin Kuster <akuster808@gmail.com>	2019-05-31 18:00:01 -0700
committer	Armin Kuster <akuster808@gmail.com>	2019-09-02 19:54:39 -0700
commit	aaa6eb0bb5da516373aa9e8c1dde8fdf85a54e95 (patch)
tree	08677c048ffdd86495f8dbdf99710624ac39f902
parent	05360c2a74c62d39818bbbdc4fb7ec18bb6e83ff (diff)
download	meta-openembedded-aaa6eb0bb5da516373aa9e8c1dde8fdf85a54e95.tar.gz

diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch new file mode 100644 index 000000000..cfe48af5a --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2019-6706.patch
@@ -0,0 +1,32 @@
		1	CVE-2019-6706: use-after-free in lua_upvaluejoin function
		2
		3	Upstream-Status: Backport
		4	http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
		5	CVE: CVE-2019-6706
		6	Affects < 5.3.5
		7	Signed-off-by: Armin Kuster <akuster@mvista.com>
		8
		9	Index: lua-5.3.4/src/lapi.c
		10	===================================================================
		11	--- lua-5.3.4.orig/src/lapi.c
		12	+++ lua-5.3.4/src/lapi.c
		13	@@ -1285,14 +1285,14 @@ LUA_API void lua_upvalueid (lua_State
		14
		15	LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
		16	int fidx2, int n2) {
		17	- LClosure *f1;
		18	- UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
		19	+ UpVal *up1 = getupvalref(L, fidx1, n1, NULL); / the last parameter not needed */
		20	UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
		21	+ if (up1 == up2) return; /* Already joined */
		22	+ (*up2)->refcount++;
		23	+ if (upisopen(up2)) (up2)->u.open.touched = 1;
		24	+ luaC_upvalbarrier(L, *up2);
		25	luaC_upvdeccount(L, *up1);
		26	up1 = up2;
		27	- (*up1)->refcount++;
		28	- if (upisopen(up1)) (up1)->u.open.touched = 1;
		29	- luaC_upvalbarrier(L, *up1);
		30	}
		31
		32


diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.4.bb b/meta-oe/recipes-devtools/lua/lua_5.3.4.bb index 8f4e8fe68..978c2033e 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.4.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.4.bb
@@ -7,6 +7,7 @@ HOMEPAGE = "http://www.lua.org/"
7	DEPENDS = "readline"	7	DEPENDS = "readline"
8	SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \	8	SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
9	file://lua.pc.in \	9	file://lua.pc.in \
		10	file://CVE-2019-6706.patch \
10	"	11	"
11	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \	12	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', \
12	'http://www.lua.org/tests/lua-${PV}-tests.tar.gz;name=tarballtest \	13	'http://www.lua.org/tests/lua-${PV}-tests.tar.gz;name=tarballtest \