Diffstat (limited to 'meta/recipes-devtools/perl/perl/CVE-2018-18311.patch')
-rw-r--r-- | meta/recipes-devtools/perl/perl/CVE-2018-18311.patch | 183 |
1 files changed, 183 insertions, 0 deletions
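--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
@@ -0,0 +1,183 @@
+From 4706b65d7c835c0bb219db160fbcdbcd98efab2d Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Fri, 29 Jun 2018 13:37:03 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+
+RT #133204
+
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+
+The wrapper check function is probably overkill, but belt and braces...
+
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+
+(cherry picked from commit 34716e2a6ee2af96078d62b065b7785c001194be)
+
+CVE: CVE-2018-18311
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/5737d31aac51360cc1eb412ef059e36147c9d6d6]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+util.c | 76 ++++++++++++++++++++++++++++++++++++++++------------------
+1 file changed, 53 insertions(+), 23 deletions(-)
+
+diff --git a/util.c b/util.c
+index 7c3d271f51..27f4eddf3b 100644
+--- a/util.c
++++ b/util.c
+@@ -2160,8 +2160,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+*(s+(nlen+1+vlen)) = '\0'
+
+#ifdef USE_ENVIRON_ARRAY
+- /* VMS' my_setenv() is in vms.c */
++
++/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
++ * 'current' is non-null, with up to three sizes that are added together.
++ * It handles integer overflow.
++ */
++static char *
++S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
++{
++ void *p;
++ Size_t sl, l = l1 + l2;
++
++ if (l < l2)
++ goto panic;
++ l += l3;
++ if (l < l3)
++ goto panic;
++ sl = l * size;
++ if (sl < l)
++ goto panic;
++
++ p = current
++ ? safesysrealloc(current, sl)
++ : safesysmalloc(sl);
++ if (p)
++ return (char*)p;
++
++ panic:
++ croak_memory_wrap();
++}
++
++
++/* VMS' my_setenv() is in vms.c */
+#if !defined(WIN32) && !defined(NETWARE)
++
+void
+Perl_my_setenv(pTHX_ const char *nam, const char *val)
+{
+@@ -2177,28 +2209,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+#ifndef PERL_USE_SAFE_PUTENV
+if (!PL_use_safe_putenv) {
+/* most putenv()s leak, so we manipulate environ directly */
+- I32 i;
+- const I32 len = strlen(nam);
+- int nlen, vlen;
++ UV i;
++ Size_t vlen, nlen = strlen(nam);
+
+/* where does it go? */
+for (i = 0; environ[i]; i++) {
+- if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
++ if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+break;
+}
+
+if (environ == PL_origenviron) { /* need we copy environment? */
+- I32 j;
+- I32 max;
++ UV j, max;
+char **tmpenv;
+
+max = i;
+while (environ[max])
+max++;
+- tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
++ /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
++ tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+for (j=0; j<max; j++) { /* copy environment */
+- const int len = strlen(environ[j]);
+- tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
++ const Size_t len = strlen(environ[j]);
++ tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+Copy(environ[j], tmpenv[j], len+1, char);
+}
+tmpenv[max] = NULL;
+@@ -2217,15 +2248,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+#endif
+}
+if (!environ[i]) { /* does not exist yet */
+- environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
++ environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+environ[i+1] = NULL; /* make sure it's null terminated */
+}
+else
+safesysfree(environ[i]);
+- nlen = strlen(nam);
++
+vlen = strlen(val);
+
+- environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
++ environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+/* all that work just for this */
+my_setenv_format(environ[i], nam, nlen, val, vlen);
+} else {
+@@ -2250,22 +2281,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+if (environ) /* old glibc can crash with null environ */
+(void)unsetenv(nam);
+} else {
+- const int nlen = strlen(nam);
+- const int vlen = strlen(val);
+- char * const new_env =
+- (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++ const Size_t nlen = strlen(nam);
++ const Size_t vlen = strlen(val);
++ char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+my_setenv_format(new_env, nam, nlen, val, vlen);
+(void)putenv(new_env);
+}
+# else /* ! HAS_UNSETENV */
+char *new_env;
+- const int nlen = strlen(nam);
+- int vlen;
++ const Size_t nlen = strlen(nam);
++ Size_t vlen;
+if (!val) {
+val = "";
+}
+vlen = strlen(val);
+- new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++ new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+/* all that work just for this */
+my_setenv_format(new_env, nam, nlen, val, vlen);
+(void)putenv(new_env);
+@@ -2288,14 +2318,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+{
+dVAR;
+char *envstr;
+- const int nlen = strlen(nam);
+- int vlen;
++ const Size_t nlen = strlen(nam);
++ Size_t vlen;
+
+if (!val) {
+val = "";
+}
+vlen = strlen(val);
+- Newx(envstr, nlen+vlen+2, char);
++ envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+my_setenv_format(envstr, nam, nlen, val, vlen);
+(void)PerlEnv_putenv(envstr);
+Safefree(envstr);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+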
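Review bot: The multiplication check in `S_env_alloc` (`sl = l * size; if (sl < l) goto panic;`) does not catch every wrap once `size` is greater than 1, because a wrapped product can still be at least `l`; the two addition checks before it are sound for unsigned `Size_t`. Testing by division before multiplying makes it exact: `if (size && l > (Size_t)-1 / size) goto panic;`. The two callers that pass `sizeof(char*)` take their count from entries already present in `environ`, so this looks unreachable in practice, but the helper's comment promises overflow handling and it should hold for any arguments a later caller passes. The `if (p) return (char*)p;` fall-through also sends a NULL allocator result to `croak_memory_wrap()`, so a comment such as `/* allocation failure is reported as a wrap */` above the `panic:` label would make that intent explicit.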