perl: CVE-2018-6798

* CVE-2018-6798-1 The proximal cause is several instances in regexec.c of the code assuming that the input was valid UTF-8, whereas the input was too short for what the start byte claimed it would be. I grepped through the core for any other similar uses, and did not find any. (cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84) * CVE-2018-6798-2 The first patch for 132063 prevented the buffer read overflow when dumping the warning but didn't fix the underlying problem. The next change treats the supplied buffer correctly, preventing the non-UTF-8 SV from being treated as UTF-8, preventing the warning. (cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f) Affects perl >= 5.22 && perl <= 5.26 (From OE-Core rev: 4aaf09b9d657b1c2df85bf509008beacd6a00342) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> 2018-08-22 17:11:43 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-29 15:23:51 +0100
commit: 7273f1183faee42e2da82ecdb3056312043e01a0 (patch)
tree: 7e17c32b5aa4b471c0ca26271d59157583d2b168 /meta/recipes-devtools
parent: d82d8d431544225d7f664b16dd34878d71e86a4f (diff)
download: poky-7273f1183faee42e2da82ecdb3056312043e01a0.tar.gz
3 files changed, 169 insertions, 0 deletions
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
new file mode 100644
index 0000000000..34771624f7
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
@@ -0,0 +1,130 @@
+From 0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Tue, 6 Feb 2018 14:50:48 -0700
+Subject: [PATCH] [perl #132063]: Heap buffer overflow
+The proximal cause is several instances in regexec.c of the code
+assuming that the input was valid UTF-8, whereas the input was too short
+for what the start byte claimed it would be.
+I grepped through the core for any other similar uses, and did not find
+any.
+(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)
+CVE: CVE-2018-6798
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/patch/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ regexec.c              | 29 ++++++++++++++++-------------
+ t/lib/warnings/regexec |  7 +++++++
+ 2 files changed, 23 insertions(+), 13 deletions(-)
+diff --git a/regexec.c b/regexec.c
+index 5735b997fd..ea432c39d3 100644
+--- a/regexec.c
+++ b/regexec.c
+@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_
+                                            ? trie_utf8_fold                         \
+                                            :   trie_latin_utf8_fold)))
+ 
+-#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
+/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is
+ * 'foldbuf+sizeof(foldbuf)' */
+#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
+ STMT_START {                                                                        \
+     STRLEN skiplen;                                                                 \
+     U8 flags = FOLD_FLAGS_FULL;                                                     \
+@@ -1474,7 +1476,7 @@ STMT_START {
+     case trie_flu8:                                                                 \
+         _CHECK_AND_WARN_PROBLEMATIC_LOCALE;                                         \
+         if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) {                             \
+-            _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc));          \
+            _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc);                \
+         }                                                                           \
+         goto do_trie_utf8_fold;                                                     \
+     case trie_utf8_exactfa_fold:                                                    \
+@@ -1483,7 +1485,7 @@ STMT_START {
+     case trie_utf8_fold:                                                            \
+       do_trie_utf8_fold:                                                            \
+         if ( foldlen>0 ) {                                                          \
+-            uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
+            uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags );     \
+             foldlen -= len;                                                         \
+             uscan += len;                                                           \
+             len=0;                                                                  \
+@@ -1500,7 +1502,7 @@ STMT_START {
+         /* FALLTHROUGH */                                                           \
+     case trie_latin_utf8_fold:                                                      \
+         if ( foldlen>0 ) {                                                          \
+-            uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
+            uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags );     \
+             foldlen -= len;                                                         \
+             uscan += len;                                                           \
+             len=0;                                                                  \
+@@ -1519,7 +1521,7 @@ STMT_START {
+         }                                                                           \
+         /* FALLTHROUGH */                                                           \
+     case trie_utf8:                                                                 \
+-        uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags );        \
+        uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags );        \
+         break;                                                                      \
+     case trie_plain:                                                                \
+         uvc = (UV)*uc;                                                              \
+@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode *c, char *s,
+                     }
+                     points[pointpos++ % maxlen]= uc;
+                     if (foldlen || uc < (U8*)strend) {
+-                        REXEC_TRIE_READ_CHAR(trie_type, trie,
+-                                         widecharmap, uc,
+-                                         uscan, len, uvc, charid, foldlen,
+-                                         foldbuf, uniflags);
+                        REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
+                                             (U8 *) strend, uscan, len, uvc,
+                                             charid, foldlen, foldbuf,
+                                             uniflags);
+                         DEBUG_TRIE_EXECUTE_r({
+                             dump_exec_pos( (char *)uc, c, strend,
+                                         real_start, s, utf8_target, 0);
+@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
+                    if ( base && (foldlen || uc < (U8*)(reginfo->strend))) {
+                        I32 offset;
+                        REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
+-                                            uscan, len, uvc, charid, foldlen,
+-                                            foldbuf, uniflags);
+                                             (U8 *) reginfo->strend, uscan,
+                                             len, uvc, charid, foldlen,
+                                             foldbuf, uniflags);
+                        charcount++;
+                        if (foldlen>0)
+                            ST.longfold = TRUE;
+@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
+                        while (foldlen) {
+                            if (!--chars)
+                                break;
+-                           uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len,
+-                                           uniflags);
+                           uvc = utf8n_to_uvchr(uscan, foldlen, &len,
+                                                 uniflags);
+                            uscan += len;
+                            foldlen -= len;
+                        }
+diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
+index 900dd6ee7f..6635142dea 100644
+--- a/t/lib/warnings/regexec
+++ b/t/lib/warnings/regexec
+@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
+ "k" =~ /(?[ \N{KELVIN SIGN} ])/i;
+ ":" =~ /(?[ \: ])/;
+ EXPECT
+########
+# NAME perl #132063, read beyond buffer end
+# OPTION fatal
+"\xff" =~ /(?il)\x{100}|\x{100}/;
+EXPECT
+Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
+Malformed UTF-8 character (fatal) at - line 2.
+-- 
+2.15.1-424-g9478a660812
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
new file mode 100644
index 0000000000..fb9b41a5ed
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
@@ -0,0 +1,37 @@
+From f65da1ca2eee74696d9c120e9d69af37b4fa1920 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Mon, 19 Feb 2018 15:11:42 +1100
+Subject: [PATCH] (perl #132063) we should no longer warn for this code
+The first patch for 132063 prevented the buffer read overflow when
+dumping the warning but didn't fix the underlying problem.
+The next change treats the supplied buffer correctly, preventing the
+non-UTF-8 SV from being treated as UTF-8, preventing the warning.
+(cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)
+CVE: CVE-2018-6798
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f65da1ca2eee74696d9c120e9d69af37b4fa1920]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ t/lib/warnings/regexec | 3 ---
+ 1 file changed, 3 deletions(-)
+diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
+index 6635142dea..c370ddc3c7 100644
+--- a/t/lib/warnings/regexec
+++ b/t/lib/warnings/regexec
+@@ -262,8 +262,5 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
+ EXPECT
+ ########
+ # NAME perl #132063, read beyond buffer end
+-# OPTION fatal
+ "\xff" =~ /(?il)\x{100}|\x{100}/;
+ EXPECT
+-Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
+-Malformed UTF-8 character (fatal) at - line 2.
+-- 
+2.15.1-424-g9478a660812
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index 91f310d421..311df4003e 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -66,6 +66,8 @@ SRC_URI += " \
        file://perl-5.26.1-guard_old_libcrypt_fix.patch \
        file://CVE-2017-12883.patch \
        file://CVE-2017-12837.patch \
+        file://CVE-2018-6798-1.patch \
+        file://CVE-2018-6798-2.patch \
 "
 # Fix test case issues
author	Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>	2018-08-22 17:11:43 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-08-29 15:23:51 +0100
commit	7273f1183faee42e2da82ecdb3056312043e01a0 (patch)
tree	7e17c32b5aa4b471c0ca26271d59157583d2b168 /meta/recipes-devtools
parent	d82d8d431544225d7f664b16dd34878d71e86a4f (diff)
download	poky-7273f1183faee42e2da82ecdb3056312043e01a0.tar.gz

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch new file mode 100644 index 0000000000..34771624f7 --- /dev/null +++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
@@ -0,0 +1,130 @@
		1	From 0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff Mon Sep 17 00:00:00 2001
		2	From: Karl Williamson <khw@cpan.org>
		3	Date: Tue, 6 Feb 2018 14:50:48 -0700
		4	Subject: [PATCH] [perl #132063]: Heap buffer overflow
		5
		6	The proximal cause is several instances in regexec.c of the code
		7	assuming that the input was valid UTF-8, whereas the input was too short
		8	for what the start byte claimed it would be.
		9
		10	I grepped through the core for any other similar uses, and did not find
		11	any.
		12
		13	(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)
		14
		15	CVE: CVE-2018-6798
		16	Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/patch/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff]
		17
		18	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		19	---
		20	regexec.c \| 29 ++++++++++++++++-------------
		21	t/lib/warnings/regexec \| 7 +++++++
		22	2 files changed, 23 insertions(+), 13 deletions(-)
		23
		24	diff --git a/regexec.c b/regexec.c
		25	index 5735b997fd..ea432c39d3 100644
		26	--- a/regexec.c
		27	+++ b/regexec.c
		28	@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_
		29	? trie_utf8_fold \
		30	: trie_latin_utf8_fold)))
		31
		32	-#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
		33	+/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is
		34	+ * 'foldbuf+sizeof(foldbuf)' */
		35	+#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
		36	STMT_START { \
		37	STRLEN skiplen; \
		38	U8 flags = FOLD_FLAGS_FULL; \
		39	@@ -1474,7 +1476,7 @@ STMT_START {
		40	case trie_flu8: \
		41	_CHECK_AND_WARN_PROBLEMATIC_LOCALE; \
		42	if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) { \
		43	- _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc)); \
		44	+ _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc); \
		45	} \
		46	goto do_trie_utf8_fold; \
		47	case trie_utf8_exactfa_fold: \
		48	@@ -1483,7 +1485,7 @@ STMT_START {
		49	case trie_utf8_fold: \
		50	do_trie_utf8_fold: \
		51	if ( foldlen>0 ) { \
		52	- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
		53	+ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \
		54	foldlen -= len; \
		55	uscan += len; \
		56	len=0; \
		57	@@ -1500,7 +1502,7 @@ STMT_START {
		58	/* FALLTHROUGH */ \
		59	case trie_latin_utf8_fold: \
		60	if ( foldlen>0 ) { \
		61	- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
		62	+ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \
		63	foldlen -= len; \
		64	uscan += len; \
		65	len=0; \
		66	@@ -1519,7 +1521,7 @@ STMT_START {
		67	} \
		68	/* FALLTHROUGH */ \
		69	case trie_utf8: \
		70	- uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags ); \
		71	+ uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags ); \
		72	break; \
		73	case trie_plain: \
		74	uvc = (UV)*uc; \
		75	@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode c, char s,
		76	}
		77	points[pointpos++ % maxlen]= uc;
		78	if (foldlen \|\| uc < (U8*)strend) {
		79	- REXEC_TRIE_READ_CHAR(trie_type, trie,
		80	- widecharmap, uc,
		81	- uscan, len, uvc, charid, foldlen,
		82	- foldbuf, uniflags);
		83	+ REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
		84	+ (U8 *) strend, uscan, len, uvc,
		85	+ charid, foldlen, foldbuf,
		86	+ uniflags);
		87	DEBUG_TRIE_EXECUTE_r({
		88	dump_exec_pos( (char *)uc, c, strend,
		89	real_start, s, utf8_target, 0);
		90	@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info reginfo, char startpos, regnode *prog)
		91	if ( base && (foldlen \|\| uc < (U8*)(reginfo->strend))) {
		92	I32 offset;
		93	REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
		94	- uscan, len, uvc, charid, foldlen,
		95	- foldbuf, uniflags);
		96	+ (U8 *) reginfo->strend, uscan,
		97	+ len, uvc, charid, foldlen,
		98	+ foldbuf, uniflags);
		99	charcount++;
		100	if (foldlen>0)
		101	ST.longfold = TRUE;
		102	@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info reginfo, char startpos, regnode *prog)
		103	while (foldlen) {
		104	if (!--chars)
		105	break;
		106	- uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len,
		107	- uniflags);
		108	+ uvc = utf8n_to_uvchr(uscan, foldlen, &len,
		109	+ uniflags);
		110	uscan += len;
		111	foldlen -= len;
		112	}
		113	diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
		114	index 900dd6ee7f..6635142dea 100644
		115	--- a/t/lib/warnings/regexec
		116	+++ b/t/lib/warnings/regexec
		117	@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
		118	"k" =~ /(?[ \N{KELVIN SIGN} ])/i;
		119	":" =~ /(?[ \: ])/;
		120	EXPECT
		121	+########
		122	+# NAME perl #132063, read beyond buffer end
		123	+# OPTION fatal
		124	+"\xff" =~ /(?il)\x{100}\|\x{100}/;
		125	+EXPECT
		126	+Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
		127	+Malformed UTF-8 character (fatal) at - line 2.
		128	--
		129	2.15.1-424-g9478a660812
		130


diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch new file mode 100644 index 0000000000..fb9b41a5ed --- /dev/null +++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
@@ -0,0 +1,37 @@
		1	From f65da1ca2eee74696d9c120e9d69af37b4fa1920 Mon Sep 17 00:00:00 2001
		2	From: Tony Cook <tony@develop-help.com>
		3	Date: Mon, 19 Feb 2018 15:11:42 +1100
		4	Subject: [PATCH] (perl #132063) we should no longer warn for this code
		5
		6	The first patch for 132063 prevented the buffer read overflow when
		7	dumping the warning but didn't fix the underlying problem.
		8
		9	The next change treats the supplied buffer correctly, preventing the
		10	non-UTF-8 SV from being treated as UTF-8, preventing the warning.
		11
		12	(cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)
		13
		14	CVE: CVE-2018-6798
		15	Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f65da1ca2eee74696d9c120e9d69af37b4fa1920]
		16
		17	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		18	---
		19	t/lib/warnings/regexec \| 3 ---
		20	1 file changed, 3 deletions(-)
		21
		22	diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
		23	index 6635142dea..c370ddc3c7 100644
		24	--- a/t/lib/warnings/regexec
		25	+++ b/t/lib/warnings/regexec
		26	@@ -262,8 +262,5 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
		27	EXPECT
		28	########
		29	# NAME perl #132063, read beyond buffer end
		30	-# OPTION fatal
		31	"\xff" =~ /(?il)\x{100}\|\x{100}/;
		32	EXPECT
		33	-Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
		34	-Malformed UTF-8 character (fatal) at - line 2.
		35	--
		36	2.15.1-424-g9478a660812
		37


diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb index 91f310d421..311df4003e 100644 --- a/meta/recipes-devtools/perl/perl_5.24.1.bb +++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -66,6 +66,8 @@ SRC_URI += " \
66	file://perl-5.26.1-guard_old_libcrypt_fix.patch \	66	file://perl-5.26.1-guard_old_libcrypt_fix.patch \
67	file://CVE-2017-12883.patch \	67	file://CVE-2017-12883.patch \
68	file://CVE-2017-12837.patch \	68	file://CVE-2017-12837.patch \
		69	file://CVE-2018-6798-1.patch \
		70	file://CVE-2018-6798-2.patch \
69	"	71	"
70		72
71	# Fix test case issues	73	# Fix test case issues