summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLee Chee Yang <chee.yang.lee@intel.com>2020-07-08 21:08:00 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-04 22:17:37 (GMT)
commit0e3b8415cfc6bfcb16cc63d6ec7a43927fd752bf (patch)
tree6060f97e640fb80fcf2a7f42090b61dd78e6dfcc
parent6cb526d6a949b9124fb1e7ee1c9ae0396f63f95f (diff)
downloadpoky-0e3b8415cfc6bfcb16cc63d6ec7a43927fd752bf.tar.gz
perl: fix CVE-2020-10543 & CVE-2020-10878
(From OE-Core rev: d9c5d9c52eb1f03ff9c907a76dda31042fb26edb) (From OE-Core rev: de3fe84fcfe3f1c3c2ad963b1fe459ccca9472a0) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2020-10543.patch36
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch152
-rw-r--r--meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch36
-rw-r--r--meta/recipes-devtools/perl/perl_5.30.1.bb3
4 files changed, 227 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10543.patch b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
new file mode 100644
index 0000000..36dff0a
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10543.patch
@@ -0,0 +1,36 @@
1From 897d1f7fd515b828e4b198d8b8bef76c6faf03ed Mon Sep 17 00:00:00 2001
2From: John Lightsey <jd@cpanel.net>
3Date: Wed, 20 Nov 2019 20:02:45 -0600
4Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
5 quantifiers.
6
7(CVE-2020-10543) On 32bit systems the size calculations for nested regular
8expression quantifiers could overflow causing heap memory corruption.
9
10Fixes: Perl/perl5-security#125
11(cherry picked from commit bfd31397db5dc1a5c5d3e0a1f753a4f89a736e71)
12
13Upstream-Status: Backport [https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed]
14CVE: CVE-2020-10543
15Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
16---
17 regcomp.c | 6 ++++++
18 1 file changed, 6 insertions(+)
19
20diff --git a/regcomp.c b/regcomp.c
21index 93c8d98fbb0..5f86be8086d 100644
22--- a/regcomp.c
23+++ b/regcomp.c
24@@ -5489,6 +5489,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
25 RExC_precomp)));
26 }
27
28+ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
29+ || min >= SSize_t_MAX - minnext * mincount )
30+ {
31+ FAIL("Regexp out of space");
32+ }
33+
34 min += minnext * mincount;
35 is_inf_internal |= deltanext == SSize_t_MAX
36 || (maxcount == REG_INFTY && minnext + deltanext > 0);
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
new file mode 100644
index 0000000..b86085a
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_1.patch
@@ -0,0 +1,152 @@
1From 0a320d753fe7fca03df259a4dfd8e641e51edaa8 Mon Sep 17 00:00:00 2001
2From: Hugo van der Sanden <hv@crypt.org>
3Date: Tue, 18 Feb 2020 13:51:16 +0000
4Subject: [PATCH] study_chunk: extract rck_elide_nothing
5
6(CVE-2020-10878)
7
8(cherry picked from commit 93dee06613d4e1428fb10905ce1c3c96f53113dc)
9
10Upstream-Status: Backport [https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8]
11CVE: CVE-2020-10878
12Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
13---
14 embed.fnc | 1 +
15 embed.h | 1 +
16 proto.h | 3 +++
17 regcomp.c | 70 ++++++++++++++++++++++++++++++++++---------------------
18 4 files changed, 48 insertions(+), 27 deletions(-)
19
20diff --git a/embed.fnc b/embed.fnc
21index aedb4baef19..d7cd04d3fc3 100644
22--- a/embed.fnc
23+++ b/embed.fnc
24@@ -2481,6 +2481,7 @@ Es |SSize_t|study_chunk |NN RExC_state_t *pRExC_state \
25 |I32 stopparen|U32 recursed_depth \
26 |NULLOK regnode_ssc *and_withp \
27 |U32 flags|U32 depth
28+Es |void |rck_elide_nothing|NN regnode *node
29 EsR |SV * |get_ANYOFM_contents|NN const regnode * n
30 EsRn |U32 |add_data |NN RExC_state_t* const pRExC_state \
31 |NN const char* const s|const U32 n
32diff --git a/embed.h b/embed.h
33index 75c91f77f45..356a8b98d96 100644
34--- a/embed.h
35+++ b/embed.h
36@@ -1208,6 +1208,7 @@
37 #define parse_lparen_question_flags(a) S_parse_lparen_question_flags(aTHX_ a)
38 #define parse_uniprop_string(a,b,c,d,e,f,g,h,i) Perl_parse_uniprop_string(aTHX_ a,b,c,d,e,f,g,h,i)
39 #define populate_ANYOF_from_invlist(a,b) S_populate_ANYOF_from_invlist(aTHX_ a,b)
40+#define rck_elide_nothing(a) S_rck_elide_nothing(aTHX_ a)
41 #define reg(a,b,c,d) S_reg(aTHX_ a,b,c,d)
42 #define reg2Lanode(a,b,c,d) S_reg2Lanode(aTHX_ a,b,c,d)
43 #define reg_node(a,b) S_reg_node(aTHX_ a,b)
44diff --git a/proto.h b/proto.h
45index 141ddbaee6d..f316fe134e1 100644
46--- a/proto.h
47+++ b/proto.h
48@@ -5543,6 +5543,9 @@ PERL_CALLCONV SV * Perl_parse_uniprop_string(pTHX_ const char * const name, cons
49 STATIC void S_populate_ANYOF_from_invlist(pTHX_ regnode *node, SV** invlist_ptr);
50 #define PERL_ARGS_ASSERT_POPULATE_ANYOF_FROM_INVLIST \
51 assert(node); assert(invlist_ptr)
52+STATIC void S_rck_elide_nothing(pTHX_ regnode *node);
53+#define PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING \
54+ assert(node)
55 PERL_STATIC_NO_RET void S_re_croak2(pTHX_ bool utf8, const char* pat1, const char* pat2, ...)
56 __attribute__noreturn__;
57 #define PERL_ARGS_ASSERT_RE_CROAK2 \
58diff --git a/regcomp.c b/regcomp.c
59index 5f86be8086d..4ba2980db66 100644
60--- a/regcomp.c
61+++ b/regcomp.c
62@@ -4450,6 +4450,44 @@ S_unwind_scan_frames(pTHX_ const void *p)
63 } while (f);
64 }
65
66+/* Follow the next-chain of the current node and optimize away
67+ all the NOTHINGs from it.
68+ */
69+STATIC void
70+S_rck_elide_nothing(pTHX_ regnode *node)
71+{
72+ dVAR;
73+
74+ PERL_ARGS_ASSERT_RCK_ELIDE_NOTHING;
75+
76+ if (OP(node) != CURLYX) {
77+ const int max = (reg_off_by_arg[OP(node)]
78+ ? I32_MAX
79+ /* I32 may be smaller than U16 on CRAYs! */
80+ : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
81+ int off = (reg_off_by_arg[OP(node)] ? ARG(node) : NEXT_OFF(node));
82+ int noff;
83+ regnode *n = node;
84+
85+ /* Skip NOTHING and LONGJMP. */
86+ while (
87+ (n = regnext(n))
88+ && (
89+ (PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
90+ || ((OP(n) == LONGJMP) && (noff = ARG(n)))
91+ )
92+ && off + noff < max
93+ ) {
94+ off += noff;
95+ }
96+ if (reg_off_by_arg[OP(node)])
97+ ARG(node) = off;
98+ else
99+ NEXT_OFF(node) = off;
100+ }
101+ return;
102+}
103+
104 /* the return from this sub is the minimum length that could possibly match */
105 STATIC SSize_t
106 S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
107@@ -4550,28 +4588,10 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
108 */
109 JOIN_EXACT(scan,&min_subtract, &unfolded_multi_char, 0);
110
111- /* Follow the next-chain of the current node and optimize
112- away all the NOTHINGs from it. */
113- if (OP(scan) != CURLYX) {
114- const int max = (reg_off_by_arg[OP(scan)]
115- ? I32_MAX
116- /* I32 may be smaller than U16 on CRAYs! */
117- : (I32_MAX < U16_MAX ? I32_MAX : U16_MAX));
118- int off = (reg_off_by_arg[OP(scan)] ? ARG(scan) : NEXT_OFF(scan));
119- int noff;
120- regnode *n = scan;
121-
122- /* Skip NOTHING and LONGJMP. */
123- while ((n = regnext(n))
124- && ((PL_regkind[OP(n)] == NOTHING && (noff = NEXT_OFF(n)))
125- || ((OP(n) == LONGJMP) && (noff = ARG(n))))
126- && off + noff < max)
127- off += noff;
128- if (reg_off_by_arg[OP(scan)])
129- ARG(scan) = off;
130- else
131- NEXT_OFF(scan) = off;
132- }
133+ /* Follow the next-chain of the current node and optimize
134+ away all the NOTHINGs from it.
135+ */
136+ rck_elide_nothing(scan);
137
138 /* The principal pseudo-switch. Cannot be a switch, since we
139 look into several different things. */
140@@ -5745,11 +5765,7 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
141 if (data && (fl & SF_HAS_EVAL))
142 data->flags |= SF_HAS_EVAL;
143 optimize_curly_tail:
144- if (OP(oscan) != CURLYX) {
145- while (PL_regkind[OP(next = regnext(oscan))] == NOTHING
146- && NEXT_OFF(next))
147- NEXT_OFF(oscan) += NEXT_OFF(next);
148- }
149+ rck_elide_nothing(oscan);
150 continue;
151
152 default:
diff --git a/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
new file mode 100644
index 0000000..0bacd6b
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2020-10878_2.patch
@@ -0,0 +1,36 @@
1From 3295b48defa0f8570114877b063fe546dd348b3c Mon Sep 17 00:00:00 2001
2From: Karl Williamson <khw@cpan.org>
3Date: Thu, 20 Feb 2020 17:49:36 +0000
4Subject: [PATCH] regcomp: use long jumps if there is any possibility of
5 overflow
6
7(CVE-2020-10878) Be conservative for backporting, we'll aim to do
8something more aggressive for bleadperl.
9
10(cherry picked from commit 9d7759db46f3b31b1d3f79c44266b6ba42a47fc6)
11
12Upstream-Status: Backport [https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c]
13CVE: CVE-2020-10878
14Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
15---
16 regcomp.c | 7 +++++++
17 1 file changed, 7 insertions(+)
18
19diff --git a/regcomp.c b/regcomp.c
20index 4ba2980db66..73c35a67020 100644
21--- a/regcomp.c
22+++ b/regcomp.c
23@@ -7762,6 +7762,13 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
24
25 /* We have that number in RExC_npar */
26 RExC_total_parens = RExC_npar;
27+
28+ /* XXX For backporting, use long jumps if there is any possibility of
29+ * overflow */
30+ if (RExC_size > U16_MAX && ! RExC_use_BRANCHJ) {
31+ RExC_use_BRANCHJ = TRUE;
32+ flags |= RESTART_PARSE;
33+ }
34 }
35 else if (! MUST_RESTART(flags)) {
36 ReREFCNT_dec(Rx);
diff --git a/meta/recipes-devtools/perl/perl_5.30.1.bb b/meta/recipes-devtools/perl/perl_5.30.1.bb
index 149885f..b633acf 100644
--- a/meta/recipes-devtools/perl/perl_5.30.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.30.1.bb
@@ -23,6 +23,9 @@ SRC_URI = "https://www.cpan.org/src/5.0/perl-${PV}.tar.gz;name=perl \
23 file://0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch \ 23 file://0001-tests-adjust-to-correctly-exclude-unbuilt-extensions.patch \
24 file://determinism.patch \ 24 file://determinism.patch \
25 file://racefix.patch \ 25 file://racefix.patch \
26 file://CVE-2020-10543.patch \
27 file://CVE-2020-10878_1.patch \
28 file://CVE-2020-10878_2.patch \
26 " 29 "
27SRC_URI_append_class-native = " \ 30SRC_URI_append_class-native = " \
28 file://perl-configpm-switch.patch \ 31 file://perl-configpm-switch.patch \