perl: CVE-2018-6913

(perl #131844) fix various space calculation issues in pp_pack.c - for the originally reported case, if the start/cur pointer is in the top 75% of the address space the add (cur) + glen addition would overflow, resulting in the condition failing incorrectly. - the addition of the existing space used to the space needed could overflow, resulting in too small an allocation and a buffer overflow. - the scaling for UTF8 could overflow. - the multiply to calculate the space needed for many items could overflow. For the first case, do a space calculation without making new pointers. For the other cases, detect the overflow and croak if there's an overflow. Originally this used Size_t_MAX as the maximum size of a memory allocation, but for -DDEBUGGING builds realloc() throws a panic for allocations over half the address space in size, changing the error reported for the allocation. For non-DEBUGGING builds the Size_t_MAX limit has the small chance of finding a system that has 3GB of contiguous space available, and allocating that space, which could be a denial of servce in some cases. Unfortunately changing the limit to half the address space means that the exact case with the original issue can no longer occur, so the test is no longer testing against the address + length issue that caused the original problem, since the allocation is failing earlier. One option would be to change the test so the size request by pack is just under 2GB, but this has a higher (but still low) probability that the system has the address space available, and will actually try to allocate the memory, so let's not do that. Note: changed plan tests => 14713; to plan tests => 14712; in a/t/op/pack.t to apply this patch on perl 5.24.1. Affects perl < 5.26.2 (From OE-Core rev: 0542779d2f1a8977a732800a8998fd88971c0c1d) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-22 17:11:50 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-29 15:23:51 +0100
commit: 4f6ff3e60c132a5bf3633b8222ba2a9e003f8ebe (patch)
tree: 50d5efd60197b24d88779e8ad8abfdda8ae84b31 /meta/recipes-devtools
parent: 69728984e3946a4f23f7c1a9c7d14da1b985fc48 (diff)
download: poky-4f6ff3e60c132a5bf3633b8222ba2a9e003f8ebe.tar.gz
2 files changed, 154 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
new file mode 100644
index 0000000000..157af7bf9f
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
@@ -0,0 +1,153 @@
+From f17fed5006177dce8ac48229c424a2da0d6ba492 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 8 Aug 2017 09:32:58 +1000
+Subject: [PATCH] (perl #131844) fix various space calculation issues in
+ pp_pack.c
+- for the originally reported case, if the start/cur pointer is in the
+  top 75% of the address space the add (cur) + glen addition would
+  overflow, resulting in the condition failing incorrectly.
+- the addition of the existing space used to the space needed could
+  overflow, resulting in too small an allocation and a buffer overflow.
+- the scaling for UTF8 could overflow.
+- the multiply to calculate the space needed for many items could
+  overflow.
+For the first case, do a space calculation without making new pointers.
+For the other cases, detect the overflow and croak if there's an
+overflow.
+Originally this used Size_t_MAX as the maximum size of a memory
+allocation, but for -DDEBUGGING builds realloc() throws a panic for
+allocations over half the address space in size, changing the error
+reported for the allocation.
+For non-DEBUGGING builds the Size_t_MAX limit has the small chance
+of finding a system that has 3GB of contiguous space available, and
+allocating that space, which could be a denial of servce in some cases.
+Unfortunately changing the limit to half the address space means that
+the exact case with the original issue can no longer occur, so the
+test is no longer testing against the address + length issue that
+caused the original problem, since the allocation is failing earlier.
+One option would be to change the test so the size request by pack is
+just under 2GB, but this has a higher (but still low) probability that
+the system has the address space available, and will actually try to
+allocate the memory, so let's not do that.
+Note: changed 
+plan tests => 14713;
+to 
+plan tests => 14712;
+in a/t/op/pack.t
+to apply this patch on perl 5.24.1.
+CVE: CVE-2018-6913
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f17fed5006177dce8ac48229c424a2da0d6ba492]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ pp_pack.c   | 25 +++++++++++++++++++++----
+ t/op/pack.t | 24 +++++++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 5 deletions(-)
+diff --git a/pp_pack.c b/pp_pack.c
+index 8937d6d715..5e9cc64301 100644
+--- a/pp_pack.c
+++ b/pp_pack.c
+@@ -357,11 +357,28 @@ STMT_START {                                                      \
+     }                                                          \
+ } STMT_END
+ 
+#define SAFE_UTF8_EXPAND(var)  \
+STMT_START {                           \
+    if ((var) > SSize_t_MAX / UTF8_EXPAND) \
+        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
+    (var) = (var) * UTF8_EXPAND; \
+} STMT_END
+
+#define GROWING2(utf8, cat, start, cur, item_size, item_count) \
+STMT_START {                                                   \
+    if (SSize_t_MAX / (item_size) < (item_count))              \
+        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
+    GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
+} STMT_END
+
+ #define GROWING(utf8, cat, start, cur, in_len) \
+ STMT_START {                                   \
+     STRLEN glen = (in_len);                    \
+-    if (utf8) glen *= UTF8_EXPAND;             \
+-    if ((cur) + glen >= (start) + SvLEN(cat)) {        \
+    STRLEN catcur = (STRLEN)((cur) - (start)); \
+    if (utf8) SAFE_UTF8_EXPAND(glen);          \
+    if (SSize_t_MAX - glen < catcur)           \
+        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
+    if (catcur + glen >= SvLEN(cat)) { \
+        (start) = sv_exp_grow(cat, glen);       \
+        (cur) = (start) + SvCUR(cat);           \
+     }                                          \
+@@ -372,7 +389,7 @@ STMT_START {                                        \
+ STMT_START {                                   \
+     const STRLEN glen = (in_len);              \
+     STRLEN gl = glen;                          \
+-    if (utf8) gl *= UTF8_EXPAND;               \
+    if (utf8) SAFE_UTF8_EXPAND(gl);            \
+     if ((cur) + gl >= (start) + SvLEN(cat)) {  \
+         *cur = '\0';                           \
+         SvCUR_set((cat), (cur) - (start));     \
+@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* sym
+            if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
+                /* We can process this letter. */
+                STRLEN size = props & PACK_SIZE_MASK;
+-               GROWING(utf8, cat, start, cur, (STRLEN) len * size);
+               GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
+            }
+         }
+ 
+diff --git a/t/op/pack.t b/t/op/pack.t
+index 664aaaf1b0..cf0e286509 100644
+--- a/t/op/pack.t
+++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+   "Signed/unsigned pack modifiers not available on this perl";
+ 
+-plan tests => 14712;
+plan tests => 14717;
+ 
+ use strict;
+ use warnings qw(FATAL all);
+@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash"
+     is(pack("H40", $up_nul), $twenty_nuls,
+        "check pack H zero fills (utf8 source)");
+ }
+
+SKIP:
+{
+  # [perl #131844] pointer addition overflow
+    $Config{ptrsize} == 4
+      or skip "[perl #131844] need 32-bit build for this test", 4;
+    # prevent ASAN just crashing on the allocation failure
+    local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
+    $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
+    fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
+                   "pointer addition overflow");
+
+    # integer (STRLEN) overflow from addition of glen to current length
+    fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
+                   "integer overflow calculating allocation (addition)");
+
+    fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
+                   "integer overflow calculating allocation (utf8)");
+
+    fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
+                   "integer overflow calculating allocation (multiply)");
+}
+-- 
+2.15.1-424-g9478a660812
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index 882c1cf6ce..bb18c6a36d 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -69,6 +69,7 @@ SRC_URI += " \
        file://CVE-2018-6798-1.patch \
        file://CVE-2018-6798-2.patch \
        file://CVE-2018-6797.patch \
+        file://CVE-2018-6913.patch \
 "
 # Fix test case issues
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-22 17:11:50 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-29 15:23:51 +0100
commit	4f6ff3e60c132a5bf3633b8222ba2a9e003f8ebe (patch)
tree	50d5efd60197b24d88779e8ad8abfdda8ae84b31 /meta/recipes-devtools
parent	69728984e3946a4f23f7c1a9c7d14da1b985fc48 (diff)
download	poky-4f6ff3e60c132a5bf3633b8222ba2a9e003f8ebe.tar.gz

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch new file mode 100644 index 0000000000..157af7bf9f --- /dev/null +++ b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
@@ -0,0 +1,153 @@
		1	From f17fed5006177dce8ac48229c424a2da0d6ba492 Mon Sep 17 00:00:00 2001
		2	From: Tony Cook <tony@develop-help.com>
		3	Date: Tue, 8 Aug 2017 09:32:58 +1000
		4	Subject: [PATCH] (perl #131844) fix various space calculation issues in
		5	pp_pack.c
		6
		7	- for the originally reported case, if the start/cur pointer is in the
		8	top 75% of the address space the add (cur) + glen addition would
		9	overflow, resulting in the condition failing incorrectly.
		10
		11	- the addition of the existing space used to the space needed could
		12	overflow, resulting in too small an allocation and a buffer overflow.
		13
		14	- the scaling for UTF8 could overflow.
		15
		16	- the multiply to calculate the space needed for many items could
		17	overflow.
		18
		19	For the first case, do a space calculation without making new pointers.
		20
		21	For the other cases, detect the overflow and croak if there's an
		22	overflow.
		23
		24	Originally this used Size_t_MAX as the maximum size of a memory
		25	allocation, but for -DDEBUGGING builds realloc() throws a panic for
		26	allocations over half the address space in size, changing the error
		27	reported for the allocation.
		28
		29	For non-DEBUGGING builds the Size_t_MAX limit has the small chance
		30	of finding a system that has 3GB of contiguous space available, and
		31	allocating that space, which could be a denial of servce in some cases.
		32
		33	Unfortunately changing the limit to half the address space means that
		34	the exact case with the original issue can no longer occur, so the
		35	test is no longer testing against the address + length issue that
		36	caused the original problem, since the allocation is failing earlier.
		37
		38	One option would be to change the test so the size request by pack is
		39	just under 2GB, but this has a higher (but still low) probability that
		40	the system has the address space available, and will actually try to
		41	allocate the memory, so let's not do that.
		42
		43	Note: changed
		44	plan tests => 14713;
		45	to
		46	plan tests => 14712;
		47	in a/t/op/pack.t
		48	to apply this patch on perl 5.24.1.
		49
		50	CVE: CVE-2018-6913
		51	Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f17fed5006177dce8ac48229c424a2da0d6ba492]
		52
		53	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		54	---
		55	pp_pack.c \| 25 +++++++++++++++++++++----
		56	t/op/pack.t \| 24 +++++++++++++++++++++++-
		57	2 files changed, 44 insertions(+), 5 deletions(-)
		58
		59	diff --git a/pp_pack.c b/pp_pack.c
		60	index 8937d6d715..5e9cc64301 100644
		61	--- a/pp_pack.c
		62	+++ b/pp_pack.c
		63	@@ -357,11 +357,28 @@ STMT_START { \
		64	} \
		65	} STMT_END
		66
		67	+#define SAFE_UTF8_EXPAND(var) \
		68	+STMT_START { \
		69	+ if ((var) > SSize_t_MAX / UTF8_EXPAND) \
		70	+ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
		71	+ (var) = (var) * UTF8_EXPAND; \
		72	+} STMT_END
		73	+
		74	+#define GROWING2(utf8, cat, start, cur, item_size, item_count) \
		75	+STMT_START { \
		76	+ if (SSize_t_MAX / (item_size) < (item_count)) \
		77	+ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
		78	+ GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
		79	+} STMT_END
		80	+
		81	#define GROWING(utf8, cat, start, cur, in_len) \
		82	STMT_START { \
		83	STRLEN glen = (in_len); \
		84	- if (utf8) glen *= UTF8_EXPAND; \
		85	- if ((cur) + glen >= (start) + SvLEN(cat)) { \
		86	+ STRLEN catcur = (STRLEN)((cur) - (start)); \
		87	+ if (utf8) SAFE_UTF8_EXPAND(glen); \
		88	+ if (SSize_t_MAX - glen < catcur) \
		89	+ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
		90	+ if (catcur + glen >= SvLEN(cat)) { \
		91	(start) = sv_exp_grow(cat, glen); \
		92	(cur) = (start) + SvCUR(cat); \
		93	} \
		94	@@ -372,7 +389,7 @@ STMT_START { \
		95	STMT_START { \
		96	const STRLEN glen = (in_len); \
		97	STRLEN gl = glen; \
		98	- if (utf8) gl *= UTF8_EXPAND; \
		99	+ if (utf8) SAFE_UTF8_EXPAND(gl); \
		100	if ((cur) + gl >= (start) + SvLEN(cat)) { \
		101	*cur = '\0'; \
		102	SvCUR_set((cat), (cur) - (start)); \
		103	@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV cat, tempsym_t sym
		104	if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
		105	/* We can process this letter. */
		106	STRLEN size = props & PACK_SIZE_MASK;
		107	- GROWING(utf8, cat, start, cur, (STRLEN) len * size);
		108	+ GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
		109	}
		110	}
		111
		112	diff --git a/t/op/pack.t b/t/op/pack.t
		113	index 664aaaf1b0..cf0e286509 100644
		114	--- a/t/op/pack.t
		115	+++ b/t/op/pack.t
		116	@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
		117	my $no_signedness = $] > 5.009 ? '' :
		118	"Signed/unsigned pack modifiers not available on this perl";
		119
		120	-plan tests => 14712;
		121	+plan tests => 14717;
		122
		123	use strict;
		124	use warnings qw(FATAL all);
		125	@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash"
		126	is(pack("H40", $up_nul), $twenty_nuls,
		127	"check pack H zero fills (utf8 source)");
		128	}
		129	+
		130	+SKIP:
		131	+{
		132	+ # [perl #131844] pointer addition overflow
		133	+ $Config{ptrsize} == 4
		134	+ or skip "[perl #131844] need 32-bit build for this test", 4;
		135	+ # prevent ASAN just crashing on the allocation failure
		136	+ local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
		137	+ $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
		138	+ fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
		139	+ "pointer addition overflow");
		140	+
		141	+ # integer (STRLEN) overflow from addition of glen to current length
		142	+ fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
		143	+ "integer overflow calculating allocation (addition)");
		144	+
		145	+ fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
		146	+ "integer overflow calculating allocation (utf8)");
		147	+
		148	+ fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
		149	+ "integer overflow calculating allocation (multiply)");
		150	+}
		151	--
		152	2.15.1-424-g9478a660812
		153


diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb index 882c1cf6ce..bb18c6a36d 100644 --- a/meta/recipes-devtools/perl/perl_5.24.1.bb +++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -69,6 +69,7 @@ SRC_URI += " \
69	file://CVE-2018-6798-1.patch \	69	file://CVE-2018-6798-1.patch \
70	file://CVE-2018-6798-2.patch \	70	file://CVE-2018-6798-2.patch \
71	file://CVE-2018-6797.patch \	71	file://CVE-2018-6797.patch \
		72	file://CVE-2018-6913.patch \
72	"	73	"
73		74
74	# Fix test case issues	75	# Fix test case issues