pool/lua54
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 827619 from devel:languages:lua

Browse Source 
- Add patch for CVE-2020-15945, boo#1174540 (un-numbered)
- Add upstream patches 9,10,11,12
  * Patch 9: CVE-2020-24342, boo#1175339
  * Patch 10: CVE-2020-24371, boo#1175449
  * Patch 11: CVE-2020-24370, boo#1175448
  * Patch 12: CVE-2020-24369, boo#1175447

OBS-URL: https://build.opensuse.org/request/show/827619
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/lua54?expand=0&rev=3
This commit is contained in:
Dominique Leuenberger 2020-08-20 20:27:31 +00:00 committed by Git OBS Bridge
commit 1bdda81ebd
2 changed files with 281 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lua54.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Aug 18 14:49:56 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Add patch for CVE-2020-15945, boo#1174540 (un-numbered)
-------------------------------------------------------------------
Mon Aug 17 10:00:04 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Add upstream patches 9,10,11,12
* Patch 9: CVE-2020-24342, boo#1175339
* Patch 10: CVE-2020-24371, boo#1175449
* Patch 11: CVE-2020-24370, boo#1175448
* Patch 12: CVE-2020-24369, boo#1175447
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 20 11:00:56 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com> Mon Jul 20 11:00:56 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>

287
upstream-bugs.patch
View File

@ -1,5 +1,27 @@
--- a/src/lgc.c --- a/src/lgc.c
+++ b/src/lgc.c +++ b/src/lgc.c
@@ -202,7 +205,8 @@ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) {
}
else { /* sweep phase */
lua_assert(issweepphase(g));
- makewhite(g, o); /* mark main obj. as white to avoid other barriers */
+ if (g->gckind == KGC_INC) /* incremental mode? */
+ makewhite(g, o); /* mark 'o' as white to avoid other barriers */
}
}
@@ -340,9 +349,11 @@ static int remarkupvals (global_State *g) {
p = &thread->twups; /* keep marked thread with upvalues in the list */
else { /* thread is not marked or without upvalues */
UpVal *uv;
+ lua_assert(!isold(thread) || thread->openupval == NULL);
*p = thread->twups; /* remove thread from the list */
thread->twups = thread; /* mark that it is out of list */
for (uv = thread->openupval; uv != NULL; uv = uv->u.open.next) {
+ lua_assert(getage(uv) <= getage(thread));
work++;
if (!iswhite(uv)) /* upvalue already visited? */
markvalue(g, uv->v); /* mark its value */
@@ -856,6 +856,8 @@ static void GCTM (lua_State *L) { @@ -856,6 +856,8 @@ static void GCTM (lua_State *L) {
if (unlikely(status != LUA_OK)) { /* error while running __gc? */ if (unlikely(status != LUA_OK)) { /* error while running __gc? */
luaE_warnerror(L, "__gc metamethod"); luaE_warnerror(L, "__gc metamethod");
@ -18,8 +40,44 @@
markold(g, g->finobj, g->finobjrold); markold(g, g->finobj, g->finobjrold);
atomic(L); atomic(L);
@@ -1143,6 +1157,7 @@ static void youngcollection (lua_State *L, global_State *g) {
atomic(L);
/* sweep nursery and get a pointer to its last live element */
+ g->gcstate = GCSswpallgc;
psurvival = sweepgen(L, g, &g->allgc, g->survival);
/* sweep 'survival' and 'old' */
sweepgen(L, g, psurvival, g->reallyold);
@@ -1166,6 +1181,7 @@ static void youngcollection (lua_State *L, global_State *g) {
static void atomic2gen (lua_State *L, global_State *g) {
/* sweep all elements making them old */
+ g->gcstate = GCSswpallgc;
sweep2old(L, &g->allgc);
/* everything alive now is old */
g->reallyold = g->old = g->survival = g->allgc;
--- a/src/ldo.c --- a/src/ldo.c
+++ b/src/ldo.c +++ b/src/ldo.c
@@ -327,7 +327,7 @@ static StkId rethook (lua_State *L, CallInfo *ci, StkId firstres, int nres) {
ptrdiff_t oldtop = savestack(L, L->top); /* hook may change top */
int delta = 0;
if (isLuacode(ci)) {
- Proto *p = clLvalue(s2v(ci->func))->p;
+ Proto *p = ci_func(ci)->p;
if (p->is_vararg)
delta = ci->u.l.nextraargs + p->numparams + 1;
if (L->top < ci->top)
@@ -340,8 +340,8 @@ static StkId rethook (lua_State *L, CallInfo *ci, StkId firstres, int nres) {
luaD_hook(L, LUA_HOOKRET, -1, ftransfer, nres); /* call it */
ci->func -= delta;
}
- if (isLua(ci->previous))
- L->oldpc = ci->previous->u.l.savedpc; /* update 'oldpc' */
+ if (isLua(ci = ci->previous))
+ L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p); /* update 'oldpc' */
return restorestack(L, oldtop);
}
@@ -466,13 +466,13 @@ void luaD_call (lua_State *L, StkId func, int nresults) { @@ -466,13 +466,13 @@ void luaD_call (lua_State *L, StkId func, int nresults) {
f = fvalue(s2v(func)); f = fvalue(s2v(func));
Cfunc: { Cfunc: {
@ -57,6 +115,25 @@
for (; narg < nfixparams; narg++) for (; narg < nfixparams; narg++)
setnilvalue(s2v(L->top++)); /* complete missing arguments */ setnilvalue(s2v(L->top++)); /* complete missing arguments */
lua_assert(ci->top <= L->stack_last); lua_assert(ci->top <= L->stack_last);
@@ -515,14 +515,13 @@ void luaD_call (lua_State *L, StkId func, int nresults) {
/*
** Similar to 'luaD_call', but does not allow yields during the call.
-** If there is a stack overflow, freeing all CI structures will
-** force the subsequent call to invoke 'luaE_extendCI', which then
-** will raise any errors.
*/
void luaD_callnoyield (lua_State *L, StkId func, int nResults) {
incXCcalls(L);
- if (getCcalls(L) <= CSTACKERR) /* possible stack overflow? */
- luaE_freeCI(L);
+ if (getCcalls(L) <= CSTACKERR) { /* possible C stack overflow? */
+ luaE_exitCcall(L); /* to compensate decrement in next call */
+ luaE_enterCcall(L); /* check properly */
+ }
luaD_call(L, func, nResults);
decXCcalls(L);
}
@@ -674,7 +674,7 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs, @@ -674,7 +674,7 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs,
if (from == NULL) if (from == NULL)
L->nCcalls = CSTACKTHREAD; L->nCcalls = CSTACKTHREAD;
@ -79,27 +156,6 @@
f->upvalues[i].instack = loadByte(S); f->upvalues[i].instack = loadByte(S);
f->upvalues[i].idx = loadByte(S); f->upvalues[i].idx = loadByte(S);
f->upvalues[i].kind = loadByte(S); f->upvalues[i].kind = loadByte(S);
--- a/src/lvm.c
+++ b/src/lvm.c
@@ -1104,7 +1104,7 @@ void luaV_finishOp (lua_State *L) {
#define checkGC(L,c) \
- { luaC_condGC(L, L->top = (c), /* limit of live values */ \
+ { luaC_condGC(L, (savepc(L), L->top = (c)), \
updatetrap(ci)); \
luai_threadyield(L); }
@@ -1792,8 +1792,7 @@ void luaV_execute (lua_State *L, CallInfo *ci) {
vmbreak;
}
vmcase(OP_VARARGPREP) {
- luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p);
- updatetrap(ci);
+ ProtectNT(luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p));
if (trap) {
luaD_hookcall(L, ci);
L->oldpc = pc + 1; /* next opcode will be seen as a "new" line */
--- a/src/liolib.c --- a/src/liolib.c
+++ b/src/liolib.c +++ b/src/liolib.c
@@ -279,6 +279,8 @@ static int io_popen (lua_State *L) { @@ -279,6 +279,8 @@ static int io_popen (lua_State *L) {
@ -112,6 +168,169 @@
p->closef = &io_pclose; p->closef = &io_pclose;
return (p->f == NULL) ? luaL_fileresult(L, 0, filename) : 1; return (p->f == NULL) ? luaL_fileresult(L, 0, filename) : 1;
--- a/src/ldebug.c
+++ b/src/ldebug.c
@@ -33,10 +33,8 @@
#define noLuaClosure(f) ((f) == NULL || (f)->c.tt == LUA_VCCL)
-
-/* Active Lua function (given call info) */
-#define ci_func(ci) (clLvalue(s2v((ci)->func)))
-
+/* inverse of 'pcRel' */
+#define invpcRel(pc, p) ((p)->code + (pc) + 1)
static const char *funcnamefromcode (lua_State *L, CallInfo *ci,
const char **name);
@@ -127,20 +125,18 @@ static void settraps (CallInfo *ci) {
/*
** This function can be called during a signal, under "reasonable"
** assumptions.
-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by
-** 'resethookcount') are for debug only, and it is no problem if they
-** get arbitrary values (causes at most one wrong hook call). 'hookmask'
-** is an atomic value. We assume that pointers are atomic too (e.g., gcc
-** ensures that for all platforms where it runs). Moreover, 'hook' is
-** always checked before being called (see 'luaD_hook').
+** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount')
+** are for debug only, and it is no problem if they get arbitrary
+** values (causes at most one wrong hook call). 'hookmask' is an atomic
+** value. We assume that pointers are atomic too (e.g., gcc ensures that
+** for all platforms where it runs). Moreover, 'hook' is always checked
+** before being called (see 'luaD_hook').
*/
LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) {
if (func == NULL || mask == 0) { /* turn off hooks? */
mask = 0;
func = NULL;
}
- if (isLua(L->ci))
- L->oldpc = L->ci->u.l.savedpc;
L->hook = func;
L->basehookcount = count;
resethookcount(L);
@@ -188,8 +188,8 @@ static const char *upvalname (const Proto *p, int uv) {
static const char *findvararg (CallInfo *ci, int n, StkId *pos) {
if (clLvalue(s2v(ci->func))->p->is_vararg) {
int nextra = ci->u.l.nextraargs;
- if (n <= nextra) {
- *pos = ci->func - nextra + (n - 1);
+ if (n >= -nextra) { /* 'n' is negative */
+ *pos = ci->func - nextra - (n + 1);
return "(vararg)"; /* generic name for any vararg */
}
}
@@ -202,7 +202,7 @@ const char *luaG_findlocal (lua_State *L, CallInfo *ci, int n, StkId *pos) {
const char *name = NULL;
if (isLua(ci)) {
if (n < 0) /* access to vararg values? */
- return findvararg(ci, -n, pos);
+ return findvararg(ci, n, pos);
else
name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci));
}
@@ -783,11 +783,13 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) {
** previous instruction 'oldpc'.
*/
static int changedline (const Proto *p, int oldpc, int newpc) {
+ if (p->lineinfo == NULL) /* no debug information? */
+ return 0;
while (oldpc++ < newpc) {
if (p->lineinfo[oldpc] != 0)
return (luaG_getfuncline(p, oldpc - 1) != luaG_getfuncline(p, newpc));
}
- return 0; /* no line changes in the way */
+ return 0; /* no line changes between positions */
}
@@ -795,10 +791,24 @@ static int changedline (const Proto *p, int oldpc, int newpc) {
}
+/*
+** Traces the execution of a Lua function. Called before the execution
+** of each opcode, when debug is on. 'L->oldpc' stores the last
+** instruction traced, to detect line changes. When entering a new
+** function, 'npci' will be zero and will test as a new line without
+** the need for 'oldpc'; so, 'oldpc' does not need to be initialized
+** before. Some exceptional conditions may return to a function without
+** updating 'oldpc'. In that case, 'oldpc' may be invalid; if so, it is
+** reset to zero. (A wrong but valid 'oldpc' at most causes an extra
+** call to a line hook.)
+*/
int luaG_traceexec (lua_State *L, const Instruction *pc) {
CallInfo *ci = L->ci;
lu_byte mask = L->hookmask;
+ const Proto *p = ci_func(ci)->p;
int counthook;
+ /* 'L->oldpc' may be invalid; reset it in this case */
+ int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;
if (!(mask & (LUA_MASKLINE | LUA_MASKCOUNT))) { /* no hooks? */
ci->u.l.trap = 0; /* don't need to stop again */
return 0; /* turn off 'trap' */
@@ -819,15 +829,14 @@ int luaG_traceexec (lua_State *L, const Instruction *pc) {
if (counthook)
luaD_hook(L, LUA_HOOKCOUNT, -1, 0, 0); /* call count hook */
if (mask & LUA_MASKLINE) {
- const Proto *p = ci_func(ci)->p;
int npci = pcRel(pc, p);
if (npci == 0 || /* call linehook when enter a new function, */
- pc <= L->oldpc || /* when jump back (loop), or when */
- changedline(p, pcRel(L->oldpc, p), npci)) { /* enter new line */
+ pc <= invpcRel(oldpc, p) || /* when jump back (loop), or when */
+ changedline(p, oldpc, npci)) { /* enter new line */
int newline = luaG_getfuncline(p, npci);
luaD_hook(L, LUA_HOOKLINE, newline, 0, 0); /* call line hook */
}
- L->oldpc = pc; /* 'pc' of last call to line hook */
+ L->oldpc = npci; /* 'pc' of last call to line hook */
}
if (L->status == LUA_YIELD) { /* did hook yield? */
if (counthook)
--- a/src/ldebug.h
+++ b/src/ldebug.h
@@ -13,6 +13,11 @@
#define pcRel(pc, p) (cast_int((pc) - (p)->code) - 1)
+
+/* Active Lua function (given call info) */
+#define ci_func(ci) (clLvalue(s2v((ci)->func)))
+
+
#define resethookcount(L) (L->hookcount = L->basehookcount)
/*
--- a/src/lstate.c
+++ b/src/lstate.c
@@ -301,6 +301,7 @@ static void preinit_thread (lua_State *L, global_State *g) {
L->openupval = NULL;
L->status = LUA_OK;
L->errfunc = 0;
+ L->oldpc = 0;
}
--- a/src/lstate.h
+++ b/src/lstate.h
@@ -286,7 +286,6 @@ struct lua_State {
StkId top; /* first free slot in the stack */
global_State *l_G;
CallInfo *ci; /* call info for current function */
- const Instruction *oldpc; /* last pc traced */
StkId stack_last; /* last free slot in the stack */
StkId stack; /* stack base */
UpVal *openupval; /* list of open upvalues in this stack */
@@ -297,6 +296,7 @@ struct lua_State {
volatile lua_Hook hook;
ptrdiff_t errfunc; /* current error handling function (stack index) */
l_uint32 nCcalls; /* number of allowed nested C calls - 'nci' */
+ int oldpc; /* last pc traced */
int stacksize;
int basehookcount;
int hookcount;
--- a/src/ldo.h --- a/src/ldo.h
+++ b/src/ldo.h +++ b/src/ldo.h
@@ -44,7 +44,7 @@ @@ -44,7 +44,7 @@
@ -123,3 +342,29 @@
/* type of protected functions, to be ran by 'runprotected' */ /* type of protected functions, to be ran by 'runprotected' */
--- a/src/lvm.c
+++ b/src/lvm.c
@@ -1104,7 +1104,7 @@ void luaV_finishOp (lua_State *L) {
#define checkGC(L,c) \
- { luaC_condGC(L, L->top = (c), /* limit of live values */ \
+ { luaC_condGC(L, (savepc(L), L->top = (c)), \
updatetrap(ci)); \
luai_threadyield(L); }
@@ -1792,11 +1792,10 @@
vmbreak;
}
vmcase(OP_VARARGPREP) {
- luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p);
- updatetrap(ci);
+ ProtectNT(luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p));
if (trap) {
luaD_hookcall(L, ci);
- L->oldpc = pc + 1; /* next opcode will be seen as a "new" line */
+ L->oldpc = 1; /* next opcode will be seen as a "new" line */
}
updatebase(ci); /* function has new base after adjustment */
vmbreak;