From: "akuster" <akuster808@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 15/28] lua: fix CVE-2020-15945
Date: Sun, 17 Jan 2021 09:46:13 -0800	[thread overview]
Message-ID: <61922b26e0a7a36a9367590a82c3871feb855fc8.1610905441.git.akuster808@gmail.com> (raw)
In-Reply-To: <cover.1610905441.git.akuster808@gmail.com>

From: Wenlin Kang <wenlin.kang@windriver.com>

Source: openembedded.org
MR: 104897
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded gatesgarth
ChangeID: 6c43941d116bbb9f0d62ca5376da24ae03eb9eab
Description:

Fixes CVE-2020-15945

Backport with modifications to apply successfully.

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../lua/lua/CVE-2020-15945.patch              | 167 ++++++++++++++++++
 meta-oe/recipes-devtools/lua/lua_5.3.5.bb     |   1 +
 2 files changed, 168 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch

diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
new file mode 100644
index 0000000000..89ce491487
--- /dev/null
+++ b/meta-oe/recipes-devtools/lua/lua/CVE-2020-15945.patch
@@ -0,0 +1,167 @@
+From d8d344365945a534f700c82c5dd26f704f89fef3 Mon Sep 17 00:00:00 2001
+From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
+Date: Wed, 5 Aug 2020 16:59:58 +0800
+Subject: [PATCH] Fixed bug: invalid 'oldpc' when returning to a function
+
+The field 'L->oldpc' is not always updated when control returns to a
+function; an invalid value can seg. fault when computing 'changedline'.
+(One example is an error in a finalizer; control can return to
+'luaV_execute' without executing 'luaD_poscall'.) Instead of trying to
+fix all possible corner cases, it seems safer to be resilient to invalid
+values for 'oldpc'. Valid but wrong values at most cause an extra call
+to a line hook.
+
+CVE: CVE-2020-15945
+
+[Adjust the code to be applicable to the tree]
+
+Upstream-Status: Backport [https://github.com/lua/lua/commit/a2195644d89812e5b157ce7bac35543e06db05e3]
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+Signed-off-by: Joe Slater <joe.slater@@windriver.com>
+
+---
+ src/ldebug.c | 30 +++++++++++++++---------------
+ src/ldebug.h |  4 ++++
+ src/ldo.c    |  2 +-
+ src/lstate.c |  1 +
+ src/lstate.h |  2 +-
+ 5 files changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/src/ldebug.c b/src/ldebug.c
+index 239affb..832b16c 100644
+--- a/src/ldebug.c
++++ b/src/ldebug.c
+@@ -34,9 +34,8 @@
+ #define noLuaClosure(f)		((f) == NULL || (f)->c.tt == LUA_TCCL)
+ 
+ 
+-/* Active Lua function (given call info) */
+-#define ci_func(ci)		(clLvalue((ci)->func))
+-
++/* inverse of 'pcRel' */
++#define invpcRel(pc, p)                ((p)->code + (pc) + 1)
+ 
+ static const char *funcnamefromcode (lua_State *L, CallInfo *ci,
+                                     const char **name);
+@@ -71,20 +70,18 @@ static void swapextra (lua_State *L) {
+ 
+ /*
+ ** This function can be called asynchronously (e.g. during a signal).
+-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by
+-** 'resethookcount') are for debug only, and it is no problem if they
+-** get arbitrary values (causes at most one wrong hook call). 'hookmask'
+-** is an atomic value. We assume that pointers are atomic too (e.g., gcc
+-** ensures that for all platforms where it runs). Moreover, 'hook' is
+-** always checked before being called (see 'luaD_hook').
++** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount')
++** are for debug only, and it is no problem if they get arbitrary
++** values (causes at most one wrong hook call). 'hookmask' is an atomic
++** value. We assume that pointers are atomic too (e.g., gcc ensures that
++** for all platforms where it runs). Moreover, 'hook' is always checked
++** before being called (see 'luaD_hook').
+ */
+ LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) {
+   if (func == NULL || mask == 0) {  /* turn off hooks? */
+     mask = 0;
+     func = NULL;
+   }
+-  if (isLua(L->ci))
+-    L->oldpc = L->ci->u.l.savedpc;
+   L->hook = func;
+   L->basehookcount = count;
+   resethookcount(L);
+@@ -665,7 +662,10 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
+ void luaG_traceexec (lua_State *L) {
+   CallInfo *ci = L->ci;
+   lu_byte mask = L->hookmask;
++  const Proto *p = ci_func(ci)->p;
+   int counthook = (--L->hookcount == 0 && (mask & LUA_MASKCOUNT));
++  /* 'L->oldpc' may be invalid; reset it in this case */
++  int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;
+   if (counthook)
+     resethookcount(L);  /* reset count */
+   else if (!(mask & LUA_MASKLINE))
+@@ -677,15 +677,15 @@ void luaG_traceexec (lua_State *L) {
+   if (counthook)
+     luaD_hook(L, LUA_HOOKCOUNT, -1);  /* call count hook */
+   if (mask & LUA_MASKLINE) {
+-    Proto *p = ci_func(ci)->p;
+     int npc = pcRel(ci->u.l.savedpc, p);
+     int newline = getfuncline(p, npc);
+     if (npc == 0 ||  /* call linehook when enter a new function, */
+-        ci->u.l.savedpc <= L->oldpc ||  /* when jump back (loop), or when */
+-        newline != getfuncline(p, pcRel(L->oldpc, p)))  /* enter a new line */
++        ci->u.l.savedpc <= invpcRel(oldpc, p) ||  /* when jump back (loop), or when */
++        newline != getfuncline(p, oldpc))  /* enter a new line */
+       luaD_hook(L, LUA_HOOKLINE, newline);  /* call line hook */
++
++    L->oldpc = npc;  /* 'pc' of last call to line hook */
+   }
+-  L->oldpc = ci->u.l.savedpc;
+   if (L->status == LUA_YIELD) {  /* did hook yield? */
+     if (counthook)
+       L->hookcount = 1;  /* undo decrement to zero */
+diff --git a/src/ldebug.h b/src/ldebug.h
+index 0e31546..c224cc4 100644
+--- a/src/ldebug.h
++++ b/src/ldebug.h
+@@ -13,6 +13,10 @@
+ 
+ #define pcRel(pc, p)	(cast(int, (pc) - (p)->code) - 1)
+ 
++/* Active Lua function (given call info) */
++#define ci_func(ci)            (clLvalue((ci)->func))
++
++
+ #define getfuncline(f,pc)	(((f)->lineinfo) ? (f)->lineinfo[pc] : -1)
+ 
+ #define resethookcount(L)	(L->hookcount = L->basehookcount)
+diff --git a/src/ldo.c b/src/ldo.c
+index 90b695f..f66ac1a 100644
+--- a/src/ldo.c
++++ b/src/ldo.c
+@@ -382,7 +382,7 @@ int luaD_poscall (lua_State *L, CallInfo *ci, StkId firstResult, int nres) {
+       luaD_hook(L, LUA_HOOKRET, -1);
+       firstResult = restorestack(L, fr);
+     }
+-    L->oldpc = ci->previous->u.l.savedpc;  /* 'oldpc' for caller function */
++    L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p);  /* 'oldpc' for caller function */
+   }
+   res = ci->func;  /* res == final position of 1st result */
+   L->ci = ci->previous;  /* back to caller */
+diff --git a/src/lstate.c b/src/lstate.c
+index 9194ac3..3573e36 100644
+--- a/src/lstate.c
++++ b/src/lstate.c
+@@ -236,6 +236,7 @@ static void preinit_thread (lua_State *L, global_State *g) {
+   L->nny = 1;
+   L->status = LUA_OK;
+   L->errfunc = 0;
++  L->oldpc = 0;
+ }
+ 
+ 
+diff --git a/src/lstate.h b/src/lstate.h
+index a469466..d75eadf 100644
+--- a/src/lstate.h
++++ b/src/lstate.h
+@@ -164,7 +164,6 @@ struct lua_State {
+   StkId top;  /* first free slot in the stack */
+   global_State *l_G;
+   CallInfo *ci;  /* call info for current function */
+-  const Instruction *oldpc;  /* last pc traced */
+   StkId stack_last;  /* last free slot in the stack */
+   StkId stack;  /* stack base */
+   UpVal *openupval;  /* list of open upvalues in this stack */
+@@ -174,6 +173,7 @@ struct lua_State {
+   CallInfo base_ci;  /* CallInfo for first level (C calling Lua) */
+   volatile lua_Hook hook;
+   ptrdiff_t errfunc;  /* current error handling function (stack index) */
++  int oldpc;  /* last pc traced */
+   int stacksize;
+   int basehookcount;
+   int hookcount;
+-- 
+2.13.3
+
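Review bot: The replacement line in the ldo.c hunk, `L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p);`, indexes into the proto of `ci`, the function that is returning, while the comment kept on that line and the removed `ci->previous->u.l.savedpc` both refer to the caller; the upstream commit named in the Upstream-Status line derives the value from the caller's CallInfo under an `isLua` guard. That guard matters here because, unless the 5.3.5 tree differs from upstream, luaD_poscall is also reached on return from a C function via luaD_precall's C-function path, where `ci_func(ci)->p` reinterprets a C function value as a Lua closure and `ci->u.l.savedpc` aliases the `u.c` union member, so with hooks enabled the new expression can dereference an arbitrary pointer. The clamp added to luaG_traceexec, `int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;`, only rejects values above the range, so a negative result from that pcRel still reaches `getfuncline(p, oldpc)`. A form matching upstream would be `if (isLua(ci->previous))` followed by `L->oldpc = pcRel(ci->previous->u.l.savedpc, ci_func(ci->previous)->p);  /* 'oldpc' for caller function */`, with the clamp tightened to `(0 <= L->oldpc && L->oldpc < p->sizecode)`. The body of luaD_poscall continues outside the hunk.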
diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
index d3461b06de..4f89579c78 100644
--- a/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
+++ b/meta-oe/recipes-devtools/lua/lua_5.3.5.bb
@@ -8,6 +8,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \
            file://lua.pc.in \
            file://0001-Allow-building-lua-without-readline-on-Linux.patch \
            file://CVE-2020-15888.patch \
+           file://CVE-2020-15945.patch \
            "
 
 # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release.
-- 
2.17.1


