1 files changed, 243 insertions, 0 deletions
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
new file mode 100644
index 0000000000..820a6decbc
--- /dev/null
+++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
@@ -0,0 +1,243 @@
+From 7b5643476bd99c994c4f51b8143f942982d85521 Mon Sep 17 00:00:00 2001
+From: Ulya Trofimovich <skvadrik@gmail.com>
+Date: Wed, 22 Apr 2020 22:37:24 +0100
+Subject: [PATCH] Rewrite recursion into iteration (fixed tags computation).
+This is to avoid stack overflow on large RE (especially on instrumented
+builds that have larger stack frames, like AddressSanitizer).
+Partial fix for #219 "overflow-1.re test fails on system with small stack".
+Upstream-Stauts: Backport:
+https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521
+CVE: CVE-2018-21232
+Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
+---
+diff --git a/src/re/tag.cc b/src/re/tag.cc
+--- a/src/re/tag.cc     (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
+++ b/src/re/tag.cc     (date 1646986908580)
+@@ -6,7 +6,7 @@
+ {
+ 
+ const size_t Tag::RIGHTMOST = std::numeric_limits<size_t>::max();
+-const size_t Tag::VARDIST = std::numeric_limits<size_t>::max();
+const uint32_t Tag::VARDIST = std::numeric_limits<uint32_t>::max();
+ const size_t Tag::FICTIVE = Tag::RIGHTMOST - 1;
+ 
+ } // namespace re2c
+diff --git a/src/re/tag.h b/src/re/tag.h
+--- a/src/re/tag.h      (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
+++ b/src/re/tag.h      (date 1646986922376)
+@@ -19,7 +19,7 @@
+ struct Tag
+ {
+        static const size_t RIGHTMOST;
+-       static const size_t VARDIST;
+    static const uint32_t VARDIST;
+        static const size_t FICTIVE;
+ 
+        const std::string *name;
+diff --git a/src/re/fixed_tags.cc b/src/re/fixed_tags.cc
+--- a/src/re/fixed_tags.cc      (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
+++ b/src/re/fixed_tags.cc      (date 1646991137317)
+@@ -7,78 +7,131 @@
+ #include "src/re/tag.h"
+ 
+ namespace re2c {
+namespace {
+ 
+ /* note [fixed and variable tags]
+  *
+- * If distance between two tags is constant (equal for all strings that
+- * match the given regexp), then lexer only needs to track one of them:
+- * the second tag equals the first tag plus static offset.
+ * If distance between two tags is constant (equal for all strings that match
+ * the given regexp), then lexer only needs to track one of them: the second
+ * tag equals the first tag plus static offset.
+  *
+- * However, this optimization is applied only to tags in top-level
+- * concatenation, because other tags may be uninitialized and we don't
+- * want to mess with conditional calculation of fixed tags.
+- *
+ * This optimization is applied only to tags in top-level concatenation,
+ * because in other cases the base tag may be NULL, and the calculation of
+ * the fixed tag value is not as simple as substracting a fixed offset.
+  * Furthermore, fixed tags are fobidden with generic API because it cannot
+- * express fixed offsets.
+- *
+- * Tags with history also cannot be fixed.
+ * express fixed offsets. M-tags (with history) also cannot be fixed.
+  *
+  * Another special case is fictive tags (those that exist only to impose
+- * hierarchical laws of POSIX disambiguation). We treat them as fixed
+- * in order to suppress code generation.
+ * hierarchical laws of POSIX disambiguation). We treat them as fixed in order
+ * to suppress code generation.
+  */
+ 
+-static void find_fixed_tags(RE *re, std::vector<Tag> &tags,
+-       size_t &dist, size_t &base, bool toplevel)
+struct StackItem {
+    RE       *re;       // current sub-RE
+    uint32_t  dist;     // distance backup for alternative, unused for other RE
+    uint8_t   succ;     // index of the next successor to be visited
+    bool      toplevel; // if this sub-RE is in top-level concatenation
+};
+
+static void find_fixed_tags(RESpec &spec, std::vector<StackItem> &stack, RE *re0)
+ {
+-       switch (re->type) {
+-               case RE::NIL: break;
+-               case RE::SYM:
+-                       if (dist != Tag::VARDIST) ++dist;
+-                       break;
+-               case RE::ALT: {
+-                       size_t d1 = dist, d2 = dist;
+-                       find_fixed_tags(re->alt.re1, tags, d1, base, false);
+-                       find_fixed_tags(re->alt.re2, tags, d2, base, false);
+-                       dist = (d1 == d2) ? d1 : Tag::VARDIST;
+-                       break;
+-               }
+-               case RE::CAT:
+-                       find_fixed_tags(re->cat.re2, tags, dist, base, toplevel);
+-                       find_fixed_tags(re->cat.re1, tags, dist, base, toplevel);
+-                       break;
+-               case RE::ITER:
+-                       find_fixed_tags(re->iter.re, tags, dist, base, false);
+-                       dist = Tag::VARDIST;
+-                       break;
+-               case RE::TAG: {
+-                       // see note [fixed and variable tags]
+-                       Tag &tag = tags[re->tag.idx];
+-                       if (fictive(tag)) {
+-                               tag.base = tag.dist = 0;
+-                       } else if (toplevel && dist != Tag::VARDIST && !history(tag)) {
+-                               tag.base = base;
+-                               tag.dist = dist;
+-                       } else if (toplevel) {
+-                               base = re->tag.idx;
+-                               dist = 0;
+-                       }
+-                       if (trailing(tag)) dist = 0;
+-                       break;
+-               }
+-       }
+    static const uint32_t VARDIST = Tag::VARDIST;
+    bool toplevel = spec.opts->input_api != INPUT_CUSTOM;
+
+    // base tag, intially the fake "rightmost tag" (the end of RE)
+    size_t base = Tag::RIGHTMOST;
+
+    // the distance to the nearest top-level tag to the right (base tag)
+    uint32_t dist = 0;
+
+    const StackItem i0 = {re0, VARDIST, 0, toplevel};
+    stack.push_back(i0);
+
+    while (!stack.empty()) {
+        const StackItem i = stack.back();
+        stack.pop_back();
+        RE *re = i.re;
+
+        if (re->type == RE::SYM) {
+            if (dist != VARDIST) ++dist;
+        }
+        else if (re->type == RE::ALT) {
+            if (i.succ == 0) {
+                // save the current distance on stack (from the alternative end
+                // to base) and recurse into the left sub-RE
+                StackItem k = {re, dist, 1, i.toplevel};
+                stack.push_back(k);
+                StackItem j = {re->alt.re1, VARDIST, 0, false};
+                stack.push_back(j);
+            }
+            else if (i.succ == 1) {
+                // save the current distance on stack (from the left sub-RE to
+                // base), reset distance to the distance popped from stack (from
+                // the alternative end to base), recurse into the right sub-RE
+                StackItem k = {re, dist, 2, i.toplevel};
+                stack.push_back(k);
+                StackItem j = {re->alt.re2, VARDIST, 0, false};
+                stack.push_back(j);
+                dist = i.dist;
+            }
+            else {
+                // both sub-RE visited, compare the distance on stack (from the
+                // left sub-RE to base) to the current distance (from the right
+                // sub-RE to base), if not equal set variable distance
+                dist = (i.dist == dist) ? i.dist : VARDIST;
+            }
+        }
+        else if (re->type == RE::ITER) {
+            if (i.succ == 0) {
+                // recurse into the sub-RE
+                StackItem k = {re, VARDIST, 1, i.toplevel};
+                stack.push_back(k);
+                StackItem j = {re->iter.re, VARDIST, 0, false};
+                stack.push_back(j);
+            }
+            else {
+                // sub-RE visited, assume unknown number of iterations
+                // TODO: find precise distance for fixed repetition counter
+                dist = VARDIST;
+            }
+        }
+        else if (re->type == RE::CAT) {
+            // the right sub-RE is pushed on stack after the left sub-RE and
+            // visited earlier (because distance is computed from right to left)
+            StackItem j1 = {re->cat.re1, VARDIST, 0, i.toplevel};
+            stack.push_back(j1);
+            StackItem j2 = {re->cat.re2, VARDIST, 0, i.toplevel};
+            stack.push_back(j2);
+        }
+        else if (re->type == RE::TAG) {
+            // see note [fixed and variable tags]
+            Tag &tag = spec.tags[re->tag.idx];
+            if (fictive(tag)) {
+                tag.base = tag.dist = 0;
+            }
+            else if (i.toplevel && dist != VARDIST && !history(tag)) {
+                tag.base = base;
+                tag.dist = dist;
+            }
+            else if (i.toplevel) {
+                base = re->tag.idx;
+                dist = 0;
+            }
+            if (trailing(tag)) {
+                dist = 0;
+            }
+        }
+    }
+ }
+
+} // anonymous namespace
+ 
+-void find_fixed_tags(RESpec &spec)
+-{
+-       const bool generic = spec.opts->input_api == INPUT_CUSTOM;
+-       std::vector<RE*>::iterator
+-               i = spec.res.begin(),
+-               e = spec.res.end();
+-       for (; i != e; ++i) {
+-               size_t base = Tag::RIGHTMOST, dist = 0;
+-               find_fixed_tags(*i, spec.tags, dist, base, !generic);
+-       }
+-}
+    void find_fixed_tags(RESpec &spec)
+    {
+        std::vector<StackItem> stack;
+        for (std::vector<RE*>::iterator i = spec.res.begin(); i != spec.res.end(); ++i) {
+            find_fixed_tags(spec, stack, *i);
+        }
+    }
+ 
+-} // namespace re2c
+} // namespace re2c
+\ No newline at end of file

diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch new file mode 100644 index 0000000000..820a6decbc --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-2.patch
@@ -0,0 +1,243 @@
	1	From 7b5643476bd99c994c4f51b8143f942982d85521 Mon Sep 17 00:00:00 2001
	2	From: Ulya Trofimovich <skvadrik@gmail.com>
	3	Date: Wed, 22 Apr 2020 22:37:24 +0100
	4	Subject: [PATCH] Rewrite recursion into iteration (fixed tags computation).
	5
	6	This is to avoid stack overflow on large RE (especially on instrumented
	7	builds that have larger stack frames, like AddressSanitizer).
	8
	9	Partial fix for #219 "overflow-1.re test fails on system with small stack".
	10
	11	Upstream-Stauts: Backport:
	12	https://github.com/skvadrik/re2c/commit/7b5643476bd99c994c4f51b8143f942982d85521
	13
	14	CVE: CVE-2018-21232
	15
	16	Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
	17	---
	18	diff --git a/src/re/tag.cc b/src/re/tag.cc
	19	--- a/src/re/tag.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
	20	+++ b/src/re/tag.cc (date 1646986908580)
	21	@@ -6,7 +6,7 @@
	22	{
	23
	24	const size_t Tag::RIGHTMOST = std::numeric_limits<size_t>::max();
	25	-const size_t Tag::VARDIST = std::numeric_limits<size_t>::max();
	26	+const uint32_t Tag::VARDIST = std::numeric_limits<uint32_t>::max();
	27	const size_t Tag::FICTIVE = Tag::RIGHTMOST - 1;
	28
	29	} // namespace re2c
	30
	31
	32	diff --git a/src/re/tag.h b/src/re/tag.h
	33	--- a/src/re/tag.h (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
	34	+++ b/src/re/tag.h (date 1646986922376)
	35	@@ -19,7 +19,7 @@
	36	struct Tag
	37	{
	38	static const size_t RIGHTMOST;
	39	- static const size_t VARDIST;
	40	+ static const uint32_t VARDIST;
	41	static const size_t FICTIVE;
	42
	43	const std::string *name;
	44
	45
	46	diff --git a/src/re/fixed_tags.cc b/src/re/fixed_tags.cc
	47	--- a/src/re/fixed_tags.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e)
	48	+++ b/src/re/fixed_tags.cc (date 1646991137317)
	49	@@ -7,78 +7,131 @@
	50	#include "src/re/tag.h"
	51
	52	namespace re2c {
	53	+namespace {
	54
	55	/* note [fixed and variable tags]
	56	*
	57	- * If distance between two tags is constant (equal for all strings that
	58	- * match the given regexp), then lexer only needs to track one of them:
	59	- * the second tag equals the first tag plus static offset.
	60	+ * If distance between two tags is constant (equal for all strings that match
	61	+ * the given regexp), then lexer only needs to track one of them: the second
	62	+ * tag equals the first tag plus static offset.
	63	*
	64	- * However, this optimization is applied only to tags in top-level
	65	- * concatenation, because other tags may be uninitialized and we don't
	66	- * want to mess with conditional calculation of fixed tags.
	67	- *
	68	+ * This optimization is applied only to tags in top-level concatenation,
	69	+ * because in other cases the base tag may be NULL, and the calculation of
	70	+ * the fixed tag value is not as simple as substracting a fixed offset.
	71	* Furthermore, fixed tags are fobidden with generic API because it cannot
	72	- * express fixed offsets.
	73	- *
	74	- * Tags with history also cannot be fixed.
	75	+ * express fixed offsets. M-tags (with history) also cannot be fixed.
	76	*
	77	* Another special case is fictive tags (those that exist only to impose
	78	- * hierarchical laws of POSIX disambiguation). We treat them as fixed
	79	- * in order to suppress code generation.
	80	+ * hierarchical laws of POSIX disambiguation). We treat them as fixed in order
	81	+ * to suppress code generation.
	82	*/
	83
	84	-static void find_fixed_tags(RE *re, std::vector<Tag> &tags,
	85	- size_t &dist, size_t &base, bool toplevel)
	86	+struct StackItem {
	87	+ RE *re; // current sub-RE
	88	+ uint32_t dist; // distance backup for alternative, unused for other RE
	89	+ uint8_t succ; // index of the next successor to be visited
	90	+ bool toplevel; // if this sub-RE is in top-level concatenation
	91	+};
	92	+
	93	+static void find_fixed_tags(RESpec &spec, std::vector<StackItem> &stack, RE *re0)
	94	{
	95	- switch (re->type) {
	96	- case RE::NIL: break;
	97	- case RE::SYM:
	98	- if (dist != Tag::VARDIST) ++dist;
	99	- break;
	100	- case RE::ALT: {
	101	- size_t d1 = dist, d2 = dist;
	102	- find_fixed_tags(re->alt.re1, tags, d1, base, false);
	103	- find_fixed_tags(re->alt.re2, tags, d2, base, false);
	104	- dist = (d1 == d2) ? d1 : Tag::VARDIST;
	105	- break;
	106	- }
	107	- case RE::CAT:
	108	- find_fixed_tags(re->cat.re2, tags, dist, base, toplevel);
	109	- find_fixed_tags(re->cat.re1, tags, dist, base, toplevel);
	110	- break;
	111	- case RE::ITER:
	112	- find_fixed_tags(re->iter.re, tags, dist, base, false);
	113	- dist = Tag::VARDIST;
	114	- break;
	115	- case RE::TAG: {
	116	- // see note [fixed and variable tags]
	117	- Tag &tag = tags[re->tag.idx];
	118	- if (fictive(tag)) {
	119	- tag.base = tag.dist = 0;
	120	- } else if (toplevel && dist != Tag::VARDIST && !history(tag)) {
	121	- tag.base = base;
	122	- tag.dist = dist;
	123	- } else if (toplevel) {
	124	- base = re->tag.idx;
	125	- dist = 0;
	126	- }
	127	- if (trailing(tag)) dist = 0;
	128	- break;
	129	- }
	130	- }
	131	+ static const uint32_t VARDIST = Tag::VARDIST;
	132	+ bool toplevel = spec.opts->input_api != INPUT_CUSTOM;
	133	+
	134	+ // base tag, intially the fake "rightmost tag" (the end of RE)
	135	+ size_t base = Tag::RIGHTMOST;
	136	+
	137	+ // the distance to the nearest top-level tag to the right (base tag)
	138	+ uint32_t dist = 0;
	139	+
	140	+ const StackItem i0 = {re0, VARDIST, 0, toplevel};
	141	+ stack.push_back(i0);
	142	+
	143	+ while (!stack.empty()) {
	144	+ const StackItem i = stack.back();
	145	+ stack.pop_back();
	146	+ RE *re = i.re;
	147	+
	148	+ if (re->type == RE::SYM) {
	149	+ if (dist != VARDIST) ++dist;
	150	+ }
	151	+ else if (re->type == RE::ALT) {
	152	+ if (i.succ == 0) {
	153	+ // save the current distance on stack (from the alternative end
	154	+ // to base) and recurse into the left sub-RE
	155	+ StackItem k = {re, dist, 1, i.toplevel};
	156	+ stack.push_back(k);
	157	+ StackItem j = {re->alt.re1, VARDIST, 0, false};
	158	+ stack.push_back(j);
	159	+ }
	160	+ else if (i.succ == 1) {
	161	+ // save the current distance on stack (from the left sub-RE to
	162	+ // base), reset distance to the distance popped from stack (from
	163	+ // the alternative end to base), recurse into the right sub-RE
	164	+ StackItem k = {re, dist, 2, i.toplevel};
	165	+ stack.push_back(k);
	166	+ StackItem j = {re->alt.re2, VARDIST, 0, false};
	167	+ stack.push_back(j);
	168	+ dist = i.dist;
	169	+ }
	170	+ else {
	171	+ // both sub-RE visited, compare the distance on stack (from the
	172	+ // left sub-RE to base) to the current distance (from the right
	173	+ // sub-RE to base), if not equal set variable distance
	174	+ dist = (i.dist == dist) ? i.dist : VARDIST;
	175	+ }
	176	+ }
	177	+ else if (re->type == RE::ITER) {
	178	+ if (i.succ == 0) {
	179	+ // recurse into the sub-RE
	180	+ StackItem k = {re, VARDIST, 1, i.toplevel};
	181	+ stack.push_back(k);
	182	+ StackItem j = {re->iter.re, VARDIST, 0, false};
	183	+ stack.push_back(j);
	184	+ }
	185	+ else {
	186	+ // sub-RE visited, assume unknown number of iterations
	187	+ // TODO: find precise distance for fixed repetition counter
	188	+ dist = VARDIST;
	189	+ }
	190	+ }
	191	+ else if (re->type == RE::CAT) {
	192	+ // the right sub-RE is pushed on stack after the left sub-RE and
	193	+ // visited earlier (because distance is computed from right to left)
	194	+ StackItem j1 = {re->cat.re1, VARDIST, 0, i.toplevel};
	195	+ stack.push_back(j1);
	196	+ StackItem j2 = {re->cat.re2, VARDIST, 0, i.toplevel};
	197	+ stack.push_back(j2);
	198	+ }
	199	+ else if (re->type == RE::TAG) {
	200	+ // see note [fixed and variable tags]
	201	+ Tag &tag = spec.tags[re->tag.idx];
	202	+ if (fictive(tag)) {
	203	+ tag.base = tag.dist = 0;
	204	+ }
	205	+ else if (i.toplevel && dist != VARDIST && !history(tag)) {
	206	+ tag.base = base;
	207	+ tag.dist = dist;
	208	+ }
	209	+ else if (i.toplevel) {
	210	+ base = re->tag.idx;
	211	+ dist = 0;
	212	+ }
	213	+ if (trailing(tag)) {
	214	+ dist = 0;
	215	+ }
	216	+ }
	217	+ }
	218	}
	219	+
	220	+} // anonymous namespace
	221
	222	-void find_fixed_tags(RESpec &spec)
	223	-{
	224	- const bool generic = spec.opts->input_api == INPUT_CUSTOM;
	225	- std::vector<RE*>::iterator
	226	- i = spec.res.begin(),
	227	- e = spec.res.end();
	228	- for (; i != e; ++i) {
	229	- size_t base = Tag::RIGHTMOST, dist = 0;
	230	- find_fixed_tags(*i, spec.tags, dist, base, !generic);
	231	- }
	232	-}
	233	+ void find_fixed_tags(RESpec &spec)
	234	+ {
	235	+ std::vector<StackItem> stack;
	236	+ for (std::vector<RE*>::iterator i = spec.res.begin(); i != spec.res.end(); ++i) {
	237	+ find_fixed_tags(spec, stack, *i);
	238	+ }
	239	+ }
	240
	241	-} // namespace re2c
	242	+} // namespace re2c
	243	\ No newline at end of file