rpms/perl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Prevent from an integer overflow in POSIX::SigSet()

Browse Source
This commit is contained in:
Petr Písař 2020-03-27 14:36:23 +01:00
parent 6c3e2dc957
commit 9d89f109e7
2 changed files with 92 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
perl-5.31.7-error-check-the-calls-to-sigaddset-in-POSIX-SigSet-n.patch Normal file
View File

@ -0,0 +1,86 @@
From 3a5c73f344d9d5d89b2881b2c3569cac3ca89ad9 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 25 Nov 2019 09:27:16 +1100
Subject: [PATCH] error check the calls to sigaddset in POSIX::SigSet->new
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Coverity complained that SvIV() could return negative numbers,
but doesn't complain about the similar call in the sigaddset()
method, which is error checked.
So error check sigaddset() and throw an error if it fails.
CID 244386.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
ext/POSIX/POSIX.xs | 7 +++++--
ext/POSIX/lib/POSIX.pod | 3 +++
ext/POSIX/t/sigset.t | 19 +++++++++++++++++++
3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/ext/POSIX/POSIX.xs b/ext/POSIX/POSIX.xs
index 42c4d0f4b5..03342c3ea4 100644
--- a/ext/POSIX/POSIX.xs
+++ b/ext/POSIX/POSIX.xs
@@ -1844,8 +1844,11 @@ new(packname = "POSIX::SigSet", ...)
sizeof(sigset_t),
packname);
sigemptyset(s);
- for (i = 1; i < items; i++)
- sigaddset(s, SvIV(ST(i)));
+ for (i = 1; i < items; i++) {
+ IV sig = SvIV(ST(i));
+ if (sigaddset(s, sig) < 0)
+ croak("POSIX::Sigset->new: failed to add signal %" IVdf, sig);
+ }
XSRETURN(1);
}
diff --git a/ext/POSIX/lib/POSIX.pod b/ext/POSIX/lib/POSIX.pod
index 10e12e88db..923198477d 100644
--- a/ext/POSIX/lib/POSIX.pod
+++ b/ext/POSIX/lib/POSIX.pod
@@ -2267,6 +2267,9 @@ Create a set with C<SIGUSR1>.
$sigset = POSIX::SigSet->new( &POSIX::SIGUSR1 );
+Throws an error if any of the signals supplied cannot be added to the
+set.
+
=item C<addset>
Add a signal to a SigSet object.
diff --git a/ext/POSIX/t/sigset.t b/ext/POSIX/t/sigset.t
index e65e4076b4..807aa3a1fd 100644
--- a/ext/POSIX/t/sigset.t
+++ b/ext/POSIX/t/sigset.t
@@ -93,4 +93,23 @@ foreach ([$signo[0]],
expected_signals($sigset, "new(@$_)", @$_);
}
+SKIP:
+{
+ # CID 244386
+ # linux and freebsd do validate for positive and very large signal numbers
+ # darwin uses a macro that simply ignores large signals and shifts by
+ # a negative number for negative signals, always succeeding
+ #
+ # since the idea is to validate our code rather than the implementation
+ # of sigaddset, just test the platforms we know can fail
+ skip "Not all systems validate the signal number", 2
+ unless $^O =~ /^(linux|freebsd)$/;
+ my $badsig = -1;
+ note "badsig $badsig";
+ ok(!eval{ POSIX::SigSet->new($badsig); 1 },
+ "POSIX::SigSet->new should throw on large signal number");
+ like($@."", qr/POSIX::Sigset->new: failed to add signal $badsig/,
+ "check message");
+}
+
done_testing();
--
2.21.1

6
perl.spec
View File

@ -303,6 +303,9 @@ Patch72: perl-5.31.6-PATCH-GH-17081-Workaround-glibc-bug-with-LC_MESSAGES
# Fix POSIX:setlocale() documentation, in upstream after 5.31.7 # Fix POSIX:setlocale() documentation, in upstream after 5.31.7
Patch73: perl-5.31.7-POSIX.pod-Update-setlocale-docs.patch Patch73: perl-5.31.7-POSIX.pod-Update-setlocale-docs.patch
# Prevent from an integer overflow in POSIX::SigSet(), in upstream after 5.31.7
Patch74: perl-5.31.7-error-check-the-calls-to-sigaddset-in-POSIX-SigSet-n.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -4362,6 +4365,7 @@ you're not running VMS, this module does nothing.
%patch71 -p1 %patch71 -p1
%patch72 -p1 %patch72 -p1
%patch73 -p1 %patch73 -p1
%patch74 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
@ -4428,6 +4432,7 @@ perl -x patchlevel.h \
'Fedora Patch71: Fix a buffer overread when parsing a number (GH#17279)' \ 'Fedora Patch71: Fix a buffer overread when parsing a number (GH#17279)' \
'Fedora Patch72: Work around a glibc bug in caching LC_MESSAGES (GH#17081)' \ 'Fedora Patch72: Work around a glibc bug in caching LC_MESSAGES (GH#17081)' \
'Fedora Patch73: Fix POSIX:setlocale() documentation' \ 'Fedora Patch73: Fix POSIX:setlocale() documentation' \
'Fedora Patch74: Prevent from an integer overflow in POSIX::SigSet()' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil} %{nil}
@ -7189,6 +7194,7 @@ popd
- Fix a directory ownership in perl-Sys-Hostname - Fix a directory ownership in perl-Sys-Hostname
- Work around a glibc bug in caching LC_MESSAGES (GH#17081) - Work around a glibc bug in caching LC_MESSAGES (GH#17081)
- Fix POSIX:setlocale() documentation - Fix POSIX:setlocale() documentation
- Prevent from an integer overflow in POSIX::SigSet()
* Mon Mar 16 2020 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.30.2-452 * Mon Mar 16 2020 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.30.2-452
- 5.30.2 bump (see <https://metacpan.org/pod/release/SHAY/perl-5.30.2/pod/perldelta.pod> - 5.30.2 bump (see <https://metacpan.org/pod/release/SHAY/perl-5.30.2/pod/perldelta.pod>