From 524db8361878f74744015be0ea02d5ac064ed678 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Wed, 5 Aug 2020 13:52:40 +0200
Subject: [PATCH] Fix a buffer overread in when reallocating formats
---
 ...-update-SvCUR-until-after-we-ve-done.patch | 72 +++++++++++++++++++
 perl.spec | 7 ++
 2 files changed, 79 insertions(+)
 create mode 100644 perl-5.33.0-perl-17844-don-t-update-SvCUR-until-after-we-ve-done.patch
diff --git a/perl-5.33.0-perl-17844-don-t-update-SvCUR-until-after-we-ve-done.patch b/perl-5.33.0-perl-17844-don-t-update-SvCUR-until-after-we-ve-done.patch
new file mode 100644
index 0000000..ce31651
--- /dev/null
+++ b/perl-5.33.0-perl-17844-don-t-update-SvCUR-until-after-we-ve-done.patch
@@ -0,0 +1,72 @@
+From 45f235c116d4deab95c576aff77fe46d609f8553 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Mon, 15 Apr 2019 15:23:32 +1000
+Subject: [PATCH] (perl #17844) don't update SvCUR until after we've done
+ moving
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SvCUR() before the SvGROW() calls could result in reading beyond the
+end of a buffer.
+
+It wasn't a problem in the normal case, since sv_grow() just calls
+realloc() which has its own notion of how big the memory block is, but
+if the SV is SvOOK() sv_backoff() tries to move SvCUR()+1 bytes, which
+might be larger than the currently allocated size of the PV.
+
+Signed-off-by: Petr Písař
+---
+ doop.c | 2 +-
+ t/op/bop.t | 11 ++++++++++-
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/doop.c b/doop.c
+index 88220092c3..c9c953212e 100644
+--- a/doop.c
++++ b/doop.c
+@@ -1087,7 +1087,6 @@ Perl_do_vop(pTHX_ I32 optype, SV *sv, SV *left, SV *right)
+ lsave = lc;
+ rsave = rc;
+
+- SvCUR_set(sv, len);
+ (void)SvPOK_only(sv);
+ if (SvOK(sv) || SvTYPE(sv) > SVt_PVMG) {
+ dc = SvPV_force_nomg_nolen(sv);
+@@ -1103,6 +1102,7 @@ Perl_do_vop(pTHX_ I32 optype, SV *sv, SV *left, SV *right)
+ sv_usepvn_flags(sv, dc, needlen, SV_HAS_TRAILING_NUL);
+ dc = SvPVX(sv); /* sv_usepvn() calls Renew() */
+ }
++ SvCUR_set(sv, len);
+
+ if (len >= sizeof(long)*4 &&
+ !(PTR2nat(dc) % sizeof(long)) &&
+diff --git a/t/op/bop.t b/t/op/bop.t
+index eecd90387f..07f057d0a9 100644
+--- a/t/op/bop.t
++++ b/t/op/bop.t
+@@ -18,7 +18,7 @@ BEGIN {
+ # If you find tests are failing, please try adding names to tests to track
+ # down where the failure is, and supply your new names as a patch.
+ # (Just-in-time test naming)
+-plan tests => 501;
++plan tests => 502;
+
+ # numerics
+ ok ((0xdead & 0xbeef) == 0x9ead);
+@@ -669,3 +669,12 @@ foreach my $op_info ([and => "&"], [or => "|"], [xor => "^"]) {
+ like $@, $expected, $description;
+ }
+ }
++
++{
++ # perl #17844 - only visible with valgrind/ASAN
++ fresh_perl_is(<<'EOS',
++formline X000n^\\0,\\0^\\0for\0,0..10
++EOS
++ '',
++ {}, "[perl #17844] access beyond end of block");
++}
+-- 
+2.25.4
+
diff --git a/perl.spec b/perl.spec
index 32abd41..d332b84 100644
--- a/perl.spec
+++ b/perl.spec
@@ -201,6 +201,10 @@ Patch25: perl-5.33.0-reentr.c-Buffer-sizes-for-asctime_r-ctime_r-are-smal
 # in upstream after 5.33.0
 Patch26: perl-5.33.0-reentr.c-Prevent-infinite-looping.patch
 
+# Fix a buffer overread in when reallocating formats, GH#17844,
+# in upstream after 5.33.0
+Patch27: perl-5.33.0-perl-17844-don-t-update-SvCUR-until-after-we-ve-done.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
 
@@ -4213,6 +4217,7 @@ you're not running VMS, this module does nothing.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
 %patch200 -p1
 %patch201 -p1
 
@@ -4246,6 +4251,7 @@ perl -x patchlevel.h \
 'Fedora Patch24: Fix running actions after stepping in a debugger (GH#17901)' \
 'Fedora Patch25: Fix a buffer size for asctime_r() and ctime_r() functions' \
 'Fedora Patch26: Prevent from an integer overflow in RenewDouble() macro' \
+ 'Fedora Patch27: Fix a buffer overread in when reallocating formats (GH#17844)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
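Review bot: The new placement of `SvCUR_set(sv, len)` in Perl_do_vop depends on an ordering invariant that nothing in the code states: SvCUR must keep its old value until the PV has been grown or replaced, because, per the commit message, SvGROW() on an SvOOK() sv runs sv_backoff(), which moves SvCUR()+1 bytes and turns a too-large SvCUR into a read past the old allocation. A comment on the added line would stop a later cleanup from hoisting it back above the grow path, e.g. `SvCUR_set(sv, len); /* only after SvGROW()/sv_usepvn_flags(): sv_backoff() moves SvCUR()+1 bytes of the old PV */`. The sv_usepvn_flags() call two lines above presumably sets SvCUR itself from needlen, so the added line now overrides that with len; worth confirming that is intended rather than a leftover of the move. Perl_do_vop starts and ends outside the hunk, and the new test is marked as only visible under valgrind/ASAN, so a plain `make test` does not guard this ordering.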
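Review bot: The comment and the patchlevel string added for Patch27 both read `Fix a buffer overread in when reallocating formats`, which has a stray `in`; the patchlevel string is presumably what the patchlevel.h block exposes to users, so the typo becomes visible outside the spec. Suggest `# Fix a buffer overread when reallocating formats, GH#17844,` and `'Fedora Patch27: Fix a buffer overread when reallocating formats (GH#17844)' \`. The same wording is in the commit subject and the changelog entry, so all of them should be corrected together.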
@@ -6974,6 +6980,7 @@ popd
 - Fix running actions after stepping in a debugger (GH#17901)
 - Fix a buffer size for asctime_r() and ctime_r() functions
 - Prevent from an integer overflow in RenewDouble() macro
+- Fix a buffer overread in when reallocating formats (GH#17844)
 
 * Tue Jul 28 2020 Fedora Release Engineering - 4:5.32.0-458
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild