Fix an integer wrap when allocating memory for an environment variable

2018-07-09 17:06:15 +02:00 · 2018-07-09 17:06:15 +02:00 · 9710c0391a
parent 81b715af2e
commit 9710c0391a
2 changed files with 188 additions and 0 deletions
--- a/perl-5.29.0-Perl_my_setenv-handle-integer-wrap.patch
+++ b/perl-5.29.0-Perl_my_setenv-handle-integer-wrap.patch
@ -0,0 +1,180 @@
+From 34716e2a6ee2af96078d62b065b7785c001194be Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Fri, 29 Jun 2018 13:37:03 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RT #133204
+
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+
+The wrapper check function is probably overkill, but belt and braces...
+
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ util.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 53 insertions(+), 23 deletions(-)
+
+diff --git a/util.c b/util.c
+index 7282dd9cfe..c5c7becc0f 100644
+--- a/util.c
+++ b/util.c
+@@ -2061,8 +2061,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+    *(s+(nlen+1+vlen)) = '\0'
+ 
+ #ifdef USE_ENVIRON_ARRAY
+-       /* VMS' my_setenv() is in vms.c */
+
+/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
+ * 'current' is non-null, with up to three sizes that are added together.
+ * It handles integer overflow.
+ */
+static char *
+S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
+{
+    void *p;
+    Size_t sl, l = l1 + l2;
+
+    if (l < l2)
+        goto panic;
+    l += l3;
+    if (l < l3)
+        goto panic;
+    sl = l * size;
+    if (sl < l)
+        goto panic;
+
+    p = current
+            ? safesysrealloc(current, sl)
+            : safesysmalloc(sl);
+    if (p)
+        return (char*)p;
+
+  panic:
+    croak_memory_wrap();
+}
+
+
+/* VMS' my_setenv() is in vms.c */
+ #if !defined(WIN32) && !defined(NETWARE)
+
+ void
+ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+@@ -2078,28 +2110,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #ifndef PERL_USE_SAFE_PUTENV
+     if (!PL_use_safe_putenv) {
+         /* most putenv()s leak, so we manipulate environ directly */
+-        I32 i;
+-        const I32 len = strlen(nam);
+-        int nlen, vlen;
+        UV i;
+        Size_t vlen, nlen = strlen(nam);
+ 
+         /* where does it go? */
+         for (i = 0; environ[i]; i++) {
+-            if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
+            if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+                 break;
+         }
+ 
+         if (environ == PL_origenviron) {   /* need we copy environment? */
+-            I32 j;
+-            I32 max;
+            UV j, max;
+             char **tmpenv;
+ 
+             max = i;
+             while (environ[max])
+                 max++;
+-            tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
+            /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
+            tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+             for (j=0; j<max; j++) {         /* copy environment */
+-                const int len = strlen(environ[j]);
+-                tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
+                const Size_t len = strlen(environ[j]);
+                tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+                 Copy(environ[j], tmpenv[j], len+1, char);
+             }
+             tmpenv[max] = NULL;
+@@ -2118,15 +2149,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #endif
+         }
+         if (!environ[i]) {                 /* does not exist yet */
+-            environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
+            environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+             environ[i+1] = NULL;    /* make sure it's null terminated */
+         }
+         else
+             safesysfree(environ[i]);
+-        nlen = strlen(nam);
+
+         vlen = strlen(val);
+ 
+-        environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
+        environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(environ[i], nam, nlen, val, vlen);
+     } else {
+@@ -2150,22 +2181,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+             if (environ) /* old glibc can crash with null environ */
+                 (void)unsetenv(nam);
+         } else {
+-	    const int nlen = strlen(nam);
+-	    const int vlen = strlen(val);
+-	    char * const new_env =
+-                (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
+	    const Size_t nlen = strlen(nam);
+	    const Size_t vlen = strlen(val);
+	    char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+             my_setenv_format(new_env, nam, nlen, val, vlen);
+             (void)putenv(new_env);
+         }
+ #   else /* ! HAS_UNSETENV */
+         char *new_env;
+-	const int nlen = strlen(nam);
+-	int vlen;
+	const Size_t nlen = strlen(nam);
+	Size_t vlen;
+         if (!val) {
+ 	   val = "";
+         }
+         vlen = strlen(val);
+-        new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
+        new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(new_env, nam, nlen, val, vlen);
+         (void)putenv(new_env);
+@@ -2187,14 +2217,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+     dVAR;
+     char *envstr;
+-    const int nlen = strlen(nam);
+-    int vlen;
+    const Size_t nlen = strlen(nam);
+    Size_t vlen;
+ 
+     if (!val) {
+        val = "";
+     }
+     vlen = strlen(val);
+-    Newx(envstr, nlen+vlen+2, char);
+    envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+     my_setenv_format(envstr, nam, nlen, val, vlen);
+     (void)PerlEnv_putenv(envstr);
+     Safefree(envstr);
+-- 
+2.14.4
+
--- a/perl.spec
+++ b/perl.spec
@ -153,6 +153,10 @@ Patch14:        perl-5.27.8-hints-linux-Add-lphtread-to-lddlflags.patch
 # Adjust tests to gdbm-1.15, RT#133295
 Patch15:        perl-5.29.0-Remove-ext-GDBM_File-t-fatal.t.patch

+# Fix an integer wrap when allocating memory for an environment variable,
+# RT#133204, in upstream after 5.29.0
+Patch16:        perl-5.29.0-Perl_my_setenv-handle-integer-wrap.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@ -2722,6 +2726,7 @@ Perl extension for Version Objects
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 %patch200 -p1
 %patch201 -p1

@ -2744,6 +2749,7 @@ perl -x patchlevel.h \
    'Fedora Patch13: Fix executing arybase::_tie_it() in Safe compartement (RT#131588)' \
    'Fedora Patch14: Link XS modules to pthread library to fix linking with -z defs' \
    'Fedora Patch15: Adjust tests to gdbm-1.15 (RT#133295)' \
+    'Fedora Patch16: Fix an integer wrap when allocating memory for an environment variable (RT#133204)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5034,6 +5040,8 @@ popd
 %changelog
 * Mon Jul 09 2018 Petr Pisar <ppisar@redhat.com> - 4:5.28.0-417
 - Adjust tests to gdbm-1.15 (RT#133295)
+- Fix an integer wrap when allocating memory for an environment variable
+  (RT#133204)

 * Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.28.0-416
 - Stop providing old perl(MODULE_COMPAT_5.26.*)