From 7cb6cbb4a7021c514a685b3d5f75da1228ac1c37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Wed, 8 Mar 2017 13:02:24 +0100
Subject: [PATCH] Fix a heap-use-after-free in four-arguments substr call
---
 ...-heap-use-after-free-in-4-arg-substr.patch | 70 +++++++++++++++++++
 perl.spec | 7 ++
 2 files changed, 77 insertions(+)
 create mode 100644 perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
diff --git a/perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch b/perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
new file mode 100644
index 0000000..f018778
--- /dev/null
+++ b/perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
@@ -0,0 +1,70 @@
+From 4e0fb37303b72ed9d38949139c304abdb73e223e Mon Sep 17 00:00:00 2001
+From: Aaron Crane
+Date: Tue, 24 Jan 2017 23:39:40 +0000
+Subject: [PATCH] RT#130624: heap-use-after-free in 4-arg substr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit 41b1e858a075694f88057b9514f5fc78c80b5355
+Author: Aaron Crane
+Date: Tue Jan 24 23:39:40 2017 +0000
+
+ RT#130624: heap-use-after-free in 4-arg substr
+Signed-off-by: Petr Písař
+---
+ pp.c | 4 +++-
+ t/op/substr.t | 14 +++++++++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/pp.c b/pp.c
+index 334b353..aa6cff0 100644
+--- a/pp.c
++++ b/pp.c
+@@ -3462,8 +3462,10 @@ PP(pp_substr)
+ tmps = SvPV_force_nomg(sv, curlen);
+ if (DO_UTF8(repl_sv) && repl_len) {
+ if (!DO_UTF8(sv)) {
++ /* Upgrade the dest, and recalculate tmps in case the buffer
++ * got reallocated; curlen may also have been changed */
+ sv_utf8_upgrade_nomg(sv);
+- curlen = SvCUR(sv);
++ tmps = SvPV_nomg(sv, curlen);
+ }
+ }
+ else if (DO_UTF8(sv))
+diff --git a/t/op/substr.t b/t/op/substr.t
+index 01c36a9..f9fee48 100644
+--- a/t/op/substr.t
++++ b/t/op/substr.t
+@@ -22,7 +22,7 @@ $SIG{__WARN__} = sub {
+ }
+ };
+ 
+-plan(389);
++plan(391);
+ 
+ run_tests() unless caller;
+ 
+@@ -872,3 +872,15 @@ is($destroyed, 1, 'Timely scalar destruction with lvalue substr');
+ 
+ # failed with ASAN
+ fresh_perl_is('$0 = "/usr/bin/perl"; substr($0, 0, 0, $0)', '', {}, "(perl #129340) substr() with source in target");
++
++
++# [perl #130624] - heap-use-after-free, observable under asan
++{
++ my $x = "\xE9zzzz";
++ my $y = "\x{100}";
++ my $z = substr $x, 0, 1, $y;
++ is $z, "\xE9", "RT#130624: heap-use-after-free in 4-arg substr (ret)";
++ is $x, "\x{100}zzzz", "RT#130624: heap-use-after-free in 4-arg substr (targ)";
++}
++
++
+-- 
+2.7.4
+
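Review bot: The re-read `tmps = SvPV_nomg(sv, curlen);` after `sv_utf8_upgrade_nomg(sv)` repairs the one stale pointer this block holds, but pp_substr continues well outside the hunk, so it is worth confirming that no other value derived from the pre-upgrade buffer (a saved pointer or byte offset computed before the upgrade) is used later — the fix is only complete if `tmps` and `curlen` are the sole such values. The regression test added to t/op/substr.t exercises the path in-process; on a non-instrumented build the freed buffer may still contain the old bytes, so the two `is` checks can pass on an unfixed perl and the test only fails reliably under ASAN or a similar sanitizer. The block comment `# [perl #130624] - heap-use-after-free, observable under asan` hints at this; making it explicit, e.g. `# this test only fails reliably under ASAN; a plain build may read the stale buffer intact`, would save a later reader from wondering why the test never caught the bug.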
@@ -323,6 +323,10 @@ Patch92: perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
 # in upstream after 5.25.10
 Patch93: perl-5.25.10-fix-VMS-test-fail.patch
+# Fix a heap-use-after-free in four-arguments substr call, RT#130624,
+# in upstream after 5.25.10
+Patch94: perl-5.24.1-RT-130624-heap-use-after-free-in-4-arg-substr.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -3042,6 +3046,7 @@ popd
 %patch91 -p1
 %patch92 -p1
 %patch93 -p1
+%patch94 -p1
 %patch200 -p1
 %patch201 -p1
@@ -3117,6 +3122,7 @@ perl -x patchlevel.h \
 'Fedora Patch88: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \
 'Fedora Patch89: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \
 'Fedora Patch90: Fix an invalid memory read when parsing a loop variable (RT#130814)' \
+ 'Fedora Patch94: Fix a heap-use-after-free in four-arguments substr call (RT#130624)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5398,6 +5404,7 @@ popd
 - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
 - Fix an invalid memory read when parsing a loop variable (RT#130814)
+- Fix a heap-use-after-free in four-arguments substr call (RT#130624)
 * Fri Feb 17 2017 Petr Pisar - 4:5.24.1-389
 - Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326)