From aacf68ffaf51937cbe3fcc8e89ce857f711fe533b02ab07e28a5ceb55e294ec5 Mon Sep 17 00:00:00 2001 From: Callum Farmer Date: Mon, 17 Aug 2020 10:04:54 +0000 Subject: [PATCH 1/3] Accepting request 827293 from home:gmbr3:Lua - Add upstream patches 9,10,11,12 * Patch 9: CVE-2020-24342, boo#1175339 OBS-URL: https://build.opensuse.org/request/show/827293 OBS-URL: https://build.opensuse.org/package/show/devel:languages:lua/lua54?expand=0&rev=9 --- lua54.changes | 6 +++ upstream-bugs.patch | 96 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 101 insertions(+), 1 deletion(-) diff --git a/lua54.changes b/lua54.changes index 5a4f2fc..b640b88 100644 --- a/lua54.changes +++ b/lua54.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Aug 17 10:00:04 UTC 2020 - Callum Farmer + +- Add upstream patches 9,10,11,12 + * Patch 9: CVE-2020-24342, boo#1175339 + ------------------------------------------------------------------- Mon Jul 20 11:00:56 UTC 2020 - Callum Farmer diff --git a/upstream-bugs.patch b/upstream-bugs.patch index b0e2481..76006a3 100644 --- a/upstream-bugs.patch +++ b/upstream-bugs.patch @@ -1,5 +1,27 @@ --- a/src/lgc.c 
+++ b/src/lgc.c +@@ -202,7 +205,8 @@ void luaC_barrier_ (lua_State *L, GCObject *o, GCObject *v) { + } + else { /* sweep phase */ + lua_assert(issweepphase(g)); +- makewhite(g, o); /* mark main obj. as white to avoid other barriers */ ++ if (g->gckind == KGC_INC) /* incremental mode? */ ++ makewhite(g, o); /* mark 'o' as white to avoid other barriers */ + } + } + +@@ -340,9 +349,11 @@ static int remarkupvals (global_State *g) { + p = &thread->twups; /* keep marked thread with upvalues in the list */ + else { /* thread is not marked or without upvalues */ + UpVal *uv; ++ lua_assert(!isold(thread) || thread->openupval == NULL); + *p = thread->twups; /* remove thread from the list */ + thread->twups = thread; /* mark that it is out of list */ + for (uv = thread->openupval; uv != NULL; uv = uv->u.open.next) { ++ lua_assert(getage(uv) <= getage(thread)); + work++; + if (!iswhite(uv)) /* upvalue already visited? */ + markvalue(g, uv->v); /* mark its value */ @@ -856,6 +856,8 @@ static void GCTM (lua_State *L) { if (unlikely(status != LUA_OK)) { /* error while running __gc? */ luaE_warnerror(L, "__gc metamethod"); @@ -18,6 +40,22 @@ markold(g, g->finobj, g->finobjrold); atomic(L); +@@ -1143,6 +1157,7 @@ static void youngcollection (lua_State *L, global_State *g) { + atomic(L); + + /* sweep nursery and get a pointer to its last live element */ ++ g->gcstate = GCSswpallgc; + psurvival = sweepgen(L, g, &g->allgc, g->survival); + /* sweep 'survival' and 'old' */ + sweepgen(L, g, psurvival, g->reallyold); +@@ -1166,6 +1181,7 @@ static void youngcollection (lua_State *L, global_State *g) { + + static void atomic2gen (lua_State *L, global_State *g) { + /* sweep all elements making them old */ ++ g->gcstate = GCSswpallgc; + sweep2old(L, &g->allgc); + /* everything alive now is old */ + g->reallyold = g->old = g->survival = g->allgc; --- a/src/ldo.c +++ b/src/ldo.c @@ -466,13 +466,13 @@ void luaD_call (lua_State *L, StkId func, int nresults) { 
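Review bot: upstream-bugs.patch, which this hunk extends with the lgc.c barrier and generational-sweep fixes (inner hunks `@@ -202,7 +205,8 @@` through `@@ -1166,6 +1181,7 @@`), still has no preamble saying which upstream bug or CVE each section fixes; that mapping exists only in lua54.changes. patch(1) skips free text before the first `---`/`+++` header, so a one-line note above `--- a/src/lgc.c`, e.g. `Upstream Lua 5.4.0 fixes carried by this package; the CVE/boo# of each section is recorded in lua54.changes.`, would let a later packager audit the file on its own. The new inner headers also carry new-side starts (`+205`, `+349`, `+1157`, `+1181`) that differ from their old-side starts, which suggests they were cut from a tree that already had other fixes applied; patch locates hunks by old-side numbers and context, so this should still apply, but regenerating them against the packaged tarball would keep the numbers self-consistent. The same applies to the later hunks of this commit.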
@@ -57,6 +95,25 @@ for (; narg < nfixparams; narg++) setnilvalue(s2v(L->top++)); /* complete missing arguments */ lua_assert(ci->top <= L->stack_last); +@@ -515,14 +515,13 @@ void luaD_call (lua_State *L, StkId func, int nresults) { + + /* + ** Similar to 'luaD_call', but does not allow yields during the call. +-** If there is a stack overflow, freeing all CI structures will +-** force the subsequent call to invoke 'luaE_extendCI', which then +-** will raise any errors. + */ + void luaD_callnoyield (lua_State *L, StkId func, int nResults) { + incXCcalls(L); +- if (getCcalls(L) <= CSTACKERR) /* possible stack overflow? */ +- luaE_freeCI(L); ++ if (getCcalls(L) <= CSTACKERR) { /* possible C stack overflow? */ ++ luaE_exitCcall(L); /* to compensate decrement in next call */ ++ luaE_enterCcall(L); /* check properly */ ++ } + luaD_call(L, func, nResults); + decXCcalls(L); + } @@ -674,7 +674,7 @@ LUA_API int lua_resume (lua_State *L, lua_State *from, int nargs, if (from == NULL) L->nCcalls = CSTACKTHREAD; 
@@ -111,7 +168,44 @@ p->f = l_popen(L, filename, mode); p->closef = &io_pclose; return (p->f == NULL) ? luaL_fileresult(L, 0, filename) : 1; - + +--- a/src/ldebug.c ++++ b/src/ldebug.c +@@ -188,8 +188,8 @@ static const char *upvalname (const Proto *p, int uv) { + static const char *findvararg (CallInfo *ci, int n, StkId *pos) { + if (clLvalue(s2v(ci->func))->p->is_vararg) { + int nextra = ci->u.l.nextraargs; +- if (n <= nextra) { +- *pos = ci->func - nextra + (n - 1); ++ if (n >= -nextra) { /* 'n' is negative */ ++ *pos = ci->func - nextra - (n + 1); + return "(vararg)"; /* generic name for any vararg */ + } + } +@@ -202,7 +202,7 @@ const char *luaG_findlocal (lua_State *L, CallInfo *ci, int n, StkId *pos) { + const char *name = NULL; + if (isLua(ci)) { + if (n < 0) /* access to vararg values? */ +- return findvararg(ci, -n, pos); ++ return findvararg(ci, n, pos); + else + name = luaF_getlocalname(ci_func(ci)->p, n, currentpc(ci)); + } +@@ -783,11 +783,13 @@ l_noret luaG_runerror (lua_State *L, const char *fmt, ...) { + ** previous instruction 'oldpc'. + */ + static int changedline (const Proto *p, int oldpc, int newpc) { ++ if (p->lineinfo == NULL) /* no debug information? */ ++ return 0; + while (oldpc++ < newpc) { + if (p->lineinfo[oldpc] != 0) + return (luaG_getfuncline(p, oldpc - 1) != luaG_getfuncline(p, newpc)); + } +- return 0; /* no line changes in the way */ ++ return 0; /* no line changes between positions */ + } + + --- a/src/ldo.h +++ b/src/ldo.h @@ -44,7 +44,7 @@ From 8c8dfec46675948222ef299e266c029aef97e996c64ae9a81d25cc9d9d108eda Mon Sep 17 00:00:00 2001 
From: Callum Farmer Date: Tue, 18 Aug 2020 14:15:55 +0000 Subject: [PATCH 2/3] Accepting request 827609 from home:gmbr3:Lua - Add upstream patches 9,10,11,12 * Patch 9: CVE-2020-24342, boo#1175339 * Patch 10: CVE-2020-24371, boo#1175449 * Patch 11: CVE-2020-24370, boo#1175448 * Patch 12: CVE-2020-24369, boo#1175447 - Add upstream patches 7 & 8 * Patch 8: CVE-2020-15945, boo#1174540 OBS-URL: https://build.opensuse.org/request/show/827609 OBS-URL: https://build.opensuse.org/package/show/devel:languages:lua/lua54?expand=0&rev=10 --- lua54.changes | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lua54.changes b/lua54.changes index b640b88..0b66a63 100644 --- a/lua54.changes +++ b/lua54.changes @@ -3,11 +3,15 @@ Mon Aug 17 10:00:04 UTC 2020 - Callum Farmer - Add upstream patches 9,10,11,12 * Patch 9: CVE-2020-24342, boo#1175339 + * Patch 10: CVE-2020-24371, boo#1175449 + * Patch 11: CVE-2020-24370, boo#1175448 + * Patch 12: CVE-2020-24369, boo#1175447 ------------------------------------------------------------------- Mon Jul 20 11:00:56 UTC 2020 - Callum Farmer - Add upstream patches 7 & 8 + * Patch 8: CVE-2020-15945, boo#1174540 ------------------------------------------------------------------- Sat Jul 18 09:51:00 UTC 2020 - Callum Farmer From 3abc4d9f9d333ac59ed8585760e1f82d6801d803c95616fdf4b62a5c8572174a Mon Sep 17 00:00:00 2001 From: Callum Farmer Date: Tue, 18 Aug 2020 14:51:13 +0000 Subject: [PATCH 3/3] Accepting request 827618 from home:gmbr3:Lua - Add patch for CVE-2020-15945, boo#1174540 (un-numbered) OBS-URL: https://build.opensuse.org/request/show/827618 OBS-URL: https://build.opensuse.org/package/show/devel:languages:lua/lua54?expand=0&rev=11 --- lua54.changes | 6 +- upstream-bugs.patch | 193 +++++++++++++++++++++++++++++++++++++++----- 2 files changed, 177 insertions(+), 22 deletions(-) diff --git a/lua54.changes b/lua54.changes index 0b66a63..b5023df 100644 --- a/lua54.changes +++ b/lua54.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Aug 18 14:49:56 UTC 2020 - Callum Farmer + +- Add patch for CVE-2020-15945, boo#1174540 (un-numbered) + ------------------------------------------------------------------- Mon Aug 17 10:00:04 UTC 2020 - Callum Farmer @@ -11,7 +16,6 @@ Mon Aug 17 10:00:04 UTC 2020 - Callum Farmer Mon Jul 20 11:00:56 UTC 2020 - Callum Farmer - Add upstream patches 7 & 8 - * Patch 8: CVE-2020-15945, boo#1174540 ------------------------------------------------------------------- Sat Jul 18 09:51:00 UTC 2020 - Callum Farmer diff --git a/upstream-bugs.patch b/upstream-bugs.patch index 76006a3..6804f39 100644 --- a/upstream-bugs.patch +++ b/upstream-bugs.patch @@ -58,6 +58,26 @@ g->reallyold = g->old = g->survival = g->allgc; --- a/src/ldo.c +++ b/src/ldo.c +@@ -327,7 +327,7 @@ static StkId rethook (lua_State *L, CallInfo *ci, StkId firstres, int nres) { + ptrdiff_t oldtop = savestack(L, L->top); /* hook may change top */ + int delta = 0; + if (isLuacode(ci)) { +- Proto *p = clLvalue(s2v(ci->func))->p; ++ Proto *p = ci_func(ci)->p; + if (p->is_vararg) + delta = ci->u.l.nextraargs + p->numparams + 1; + if (L->top < ci->top) +@@ -340,8 +340,8 @@ static StkId rethook (lua_State *L, CallInfo *ci, StkId firstres, int nres) { + luaD_hook(L, LUA_HOOKRET, -1, ftransfer, nres); /* call it */ + ci->func -= delta; + } +- if (isLua(ci->previous)) +- L->oldpc = ci->previous->u.l.savedpc; /* update 'oldpc' */ ++ if (isLua(ci = ci->previous)) ++ L->oldpc = pcRel(ci->u.l.savedpc, ci_func(ci)->p); /* update 'oldpc' */ + return restorestack(L, oldtop); + } + @@ -466,13 +466,13 @@ void luaD_call (lua_State *L, StkId func, int nresults) { f = fvalue(s2v(func)); Cfunc: { 
@@ -136,27 +156,6 @@ f->upvalues[i].instack = loadByte(S); f->upvalues[i].idx = loadByte(S); f->upvalues[i].kind = loadByte(S); ---- a/src/lvm.c -+++ b/src/lvm.c -@@ -1104,7 +1104,7 @@ void luaV_finishOp (lua_State *L) { - - - #define checkGC(L,c) \ -- { luaC_condGC(L, L->top = (c), /* limit of live values */ \ -+ { luaC_condGC(L, (savepc(L), L->top = (c)), \ - updatetrap(ci)); \ - luai_threadyield(L); } - -@@ -1792,8 +1792,7 @@ void luaV_execute (lua_State *L, CallInfo *ci) { - vmbreak; - } - vmcase(OP_VARARGPREP) { -- luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p); -- updatetrap(ci); -+ ProtectNT(luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p)); - if (trap) { - luaD_hookcall(L, ci); - L->oldpc = pc + 1; /* next opcode will be seen as a "new" line */ --- a/src/liolib.c +++ b/src/liolib.c @@ -279,6 +279,8 @@ static int io_popen (lua_State *L) { @@ -171,6 +170,46 @@ --- a/src/ldebug.c 
+++ b/src/ldebug.c +@@ -33,10 +33,8 @@ + + #define noLuaClosure(f) ((f) == NULL || (f)->c.tt == LUA_VCCL) + +- +-/* Active Lua function (given call info) */ +-#define ci_func(ci) (clLvalue(s2v((ci)->func))) +- ++/* inverse of 'pcRel' */ ++#define invpcRel(pc, p) ((p)->code + (pc) + 1) + + static const char *funcnamefromcode (lua_State *L, CallInfo *ci, + const char **name); +@@ -127,20 +125,18 @@ static void settraps (CallInfo *ci) { + /* + ** This function can be called during a signal, under "reasonable" + ** assumptions. +-** Fields 'oldpc', 'basehookcount', and 'hookcount' (set by +-** 'resethookcount') are for debug only, and it is no problem if they +-** get arbitrary values (causes at most one wrong hook call). 'hookmask' +-** is an atomic value. We assume that pointers are atomic too (e.g., gcc +-** ensures that for all platforms where it runs). Moreover, 'hook' is +-** always checked before being called (see 'luaD_hook'). ++** Fields 'basehookcount' and 'hookcount' (set by 'resethookcount') ++** are for debug only, and it is no problem if they get arbitrary ++** values (causes at most one wrong hook call). 'hookmask' is an atomic ++** value. We assume that pointers are atomic too (e.g., gcc ensures that ++** for all platforms where it runs). Moreover, 'hook' is always checked ++** before being called (see 'luaD_hook'). + */ + LUA_API void lua_sethook (lua_State *L, lua_Hook func, int mask, int count) { + if (func == NULL || mask == 0) { /* turn off hooks? */ + mask = 0; + func = NULL; + } +- if (isLua(L->ci)) +- L->oldpc = L->ci->u.l.savedpc; + L->hook = func; + L->basehookcount = count; + resethookcount(L); @@ -188,8 +188,8 @@ static const char *upvalname (const Proto *p, int uv) { static const char *findvararg (CallInfo *ci, int n, StkId *pos) { if (clLvalue(s2v(ci->func))->p->is_vararg) { 
@@ -206,6 +245,92 @@ } +@@ -795,10 +791,24 @@ static int changedline (const Proto *p, int oldpc, int newpc) { + } + + ++/* ++** Traces the execution of a Lua function. Called before the execution ++** of each opcode, when debug is on. 'L->oldpc' stores the last ++** instruction traced, to detect line changes. When entering a new ++** function, 'npci' will be zero and will test as a new line without ++** the need for 'oldpc'; so, 'oldpc' does not need to be initialized ++** before. Some exceptional conditions may return to a function without ++** updating 'oldpc'. In that case, 'oldpc' may be invalid; if so, it is ++** reset to zero. (A wrong but valid 'oldpc' at most causes an extra ++** call to a line hook.) ++*/ + int luaG_traceexec (lua_State *L, const Instruction *pc) { + CallInfo *ci = L->ci; + lu_byte mask = L->hookmask; ++ const Proto *p = ci_func(ci)->p; + int counthook; ++ /* 'L->oldpc' may be invalid; reset it in this case */ ++ int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0; + if (!(mask & (LUA_MASKLINE | LUA_MASKCOUNT))) { /* no hooks? 
*/ + ci->u.l.trap = 0; /* don't need to stop again */ + return 0; /* turn off 'trap' */ +@@ -819,15 +829,14 @@ int luaG_traceexec (lua_State *L, const Instruction *pc) { + if (counthook) + luaD_hook(L, LUA_HOOKCOUNT, -1, 0, 0); /* call count hook */ + if (mask & LUA_MASKLINE) { +- const Proto *p = ci_func(ci)->p; + int npci = pcRel(pc, p); + if (npci == 0 || /* call linehook when enter a new function, */ +- pc <= L->oldpc || /* when jump back (loop), or when */ +- changedline(p, pcRel(L->oldpc, p), npci)) { /* enter new line */ ++ pc <= invpcRel(oldpc, p) || /* when jump back (loop), or when */ ++ changedline(p, oldpc, npci)) { /* enter new line */ + int newline = luaG_getfuncline(p, npci); + luaD_hook(L, LUA_HOOKLINE, newline, 0, 0); /* call line hook */ + } +- L->oldpc = pc; /* 'pc' of last call to line hook */ ++ L->oldpc = npci; /* 'pc' of last call to line hook */ + } + if (L->status == LUA_YIELD) { /* did hook yield? */ + if (counthook) +--- a/src/ldebug.h ++++ b/src/ldebug.h +@@ -13,6 +13,11 @@ + + #define pcRel(pc, p) (cast_int((pc) - (p)->code) - 1) + ++ ++/* Active Lua function (given call info) */ ++#define ci_func(ci) (clLvalue(s2v((ci)->func))) ++ ++ + #define resethookcount(L) (L->hookcount = L->basehookcount) + + /* +--- a/src/lstate.c ++++ b/src/lstate.c +@@ -301,6 +301,7 @@ static void preinit_thread (lua_State *L, global_State *g) { + L->openupval = NULL; + L->status = LUA_OK; + L->errfunc = 0; ++ L->oldpc = 0; + } + + +--- a/src/lstate.h ++++ b/src/lstate.h +@@ -286,7 +286,6 @@ struct lua_State { + StkId top; /* first free slot in the stack */ + global_State *l_G; + CallInfo *ci; /* call info for current function */ +- const Instruction *oldpc; /* last pc traced */ + StkId stack_last; /* last free slot in the stack */ + StkId stack; /* stack base */ + UpVal *openupval; /* list of open upvalues in this stack */ +@@ -297,6 +296,7 @@ struct lua_State { + volatile lua_Hook hook; + ptrdiff_t errfunc; /* current error handling function (stack index) */ 
+ l_uint32 nCcalls; /* number of allowed nested C calls - 'nci' */ ++ int oldpc; /* last pc traced */ + int stacksize; + int basehookcount; + int hookcount; --- a/src/ldo.h +++ b/src/ldo.h @@ -44,7 +44,7 @@ @@ -217,3 +342,29 @@ /* type of protected functions, to be ran by 'runprotected' */ + +--- a/src/lvm.c ++++ b/src/lvm.c +@@ -1104,7 +1104,7 @@ void luaV_finishOp (lua_State *L) { + + + #define checkGC(L,c) \ +- { luaC_condGC(L, L->top = (c), /* limit of live values */ \ ++ { luaC_condGC(L, (savepc(L), L->top = (c)), \ + updatetrap(ci)); \ + luai_threadyield(L); } + +@@ -1792,11 +1792,10 @@ + vmbreak; + } + vmcase(OP_VARARGPREP) { +- luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p); +- updatetrap(ci); ++ ProtectNT(luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p)); + if (trap) { + luaD_hookcall(L, ci); +- L->oldpc = pc + 1; /* next opcode will be seen as a "new" line */ ++ L->oldpc = 1; /* next opcode will be seen as a "new" line */ + } + updatebase(ci); /* function has new base after adjustment */ + vmbreak;
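Review bot: The rewritten `luaG_traceexec` in this hunk validates `L->oldpc` only from above, `int oldpc = (L->oldpc < p->sizecode) ? L->oldpc : 0;`, while its new header comment promises that any invalid value is reset to zero. Every store to `L->oldpc` in this patch file is 0 (`preinit_thread`), 1 (`OP_VARARGPREP`), `npci`, or `pcRel()` of a caller's `savedpc`, so a negative value does not look reachable, but one would be used as an index into `p->lineinfo` by `changedline`; the two-sided form `int oldpc = (0 <= L->oldpc && L->oldpc < p->sizecode) ? L->oldpc : 0;` pins the documented invariant at no extra cost. The hunk also changes `oldpc` in `struct lua_State` from `const Instruction *` to `int`, which alters the layout of that internal struct; harmless for a single in-tree build, but every object in the package must be compiled against the same patched lstate.h.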
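Review bot: The second inner hunk header of the relocated lvm.c section, `+@@ -1792,11 +1792,10 @@`, lost the `void luaV_execute (lua_State *L, CallInfo *ci) {` function context that the copy removed at `@@ -136,27 +156,6 @@` still carried. patch(1) ignores that text, but it is what tells a reader that `vmcase(OP_VARARGPREP)` sits inside the interpreter loop; restore it as `@@ -1792,11 +1792,10 @@ void luaV_execute (lua_State *L, CallInfo *ci) {`. The code lines themselves, `ProtectNT(luaT_adjustvarargs(L, GETARG_A(i), ci, cl->p));` and `L->oldpc = 1;`, agree with the `int oldpc` field the same commit introduces in lstate.h.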