Fix an invalid memory read when parsing a loop variable

2017-03-08 12:41:54 +01:00 · 2017-03-08 12:41:54 +01:00 · c63d747d11
commit c63d747d11
parent d61d60edb3
5 changed files with 239 additions and 0 deletions
--- a/perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
+++ b/perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
@ -0,0 +1,50 @@
+From 9df34f9c4701104a366e768237ca694411136d2a Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Sun, 19 Feb 2017 10:46:09 +0000
+Subject: [PATCH] update pointer into PL_linestr after lookahead
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to: 5.24.1:
+
+commit 90f2cc9a600117a49f8ee3e30cc681f062350c24
+Author: Hugo van der Sanden <hv@crypt.org>
+Date:   Sun Feb 19 10:46:09 2017 +0000
+
+    [perl #130814] update pointer into PL_linestr after lookahead
+
+    Looking ahead for the "Missing $ on loop variable" diagnostic can reallocate
+    PL_linestr, invalidating our pointer. Save the offset so we can update it
+    in that case.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ toke.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/toke.c b/toke.c
+index 630fc59..029d2ea 100644
+--- a/toke.c
+++ b/toke.c
+@@ -7565,6 +7565,7 @@ Perl_yylex(pTHX)
+ 	    s = skipspace(s);
+ 	    if (PL_expect == XSTATE && isIDFIRST_lazy_if(s,UTF)) {
+ 		char *p = s;
+                SSize_t s_off = s - SvPVX(PL_linestr);
+ 
+ 		if ((PL_bufend - p) >= 3
+                     && strnEQ(p, "my", 2) && isSPACE(*(p + 2)))
+@@ -7582,6 +7583,9 @@ Perl_yylex(pTHX)
+ 		}
+ 		if (*p != '$')
+ 		    Perl_croak(aTHX_ "Missing $ on loop variable");
+
+                /* The buffer may have been reallocated, update s */
+                s = SvPVX(PL_linestr) + s_off;
+ 	    }
+ 	    OPERATOR(FOR);
+ 
+-- 
+2.7.4
+
--- a/perl-5.25.10-fix-VMS-test-fail.patch
+++ b/perl-5.25.10-fix-VMS-test-fail.patch
@ -0,0 +1,44 @@
+From bce4a2abeb8652d19e97d3bf07dd2580a3cc2e6c Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Sat, 25 Feb 2017 10:42:17 +0000
+Subject: [PATCH] fix VMS test fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+d7186add added a runperl() test that breaks command line length limits for
+VMS. Switch to fresh_perl() instead, so the prog is put in a file for us.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ t/comp/parser_run.t | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
+index 2543f49..e74644d 100644
+--- a/t/comp/parser_run.t
+++ b/t/comp/parser_run.t
+@@ -14,14 +14,14 @@ plan(1);
+ 
+ # [perl #130814] can reallocate lineptr while looking ahead for
+ # "Missing $ on loop variable" diagnostic.
+-my $result = runperl(
+-    prog => " foreach m0\n\$" . ("0" x 0x2000),
+-    stderr => 1,
+my $result = fresh_perl(
+    " foreach m0\n\$" . ("0" x 0x2000),
+    { stderr => 1 },
+ );
+-is($result, <<EXPECT);
+-syntax error at -e line 3, near "foreach m0
+is($result . "\n", <<EXPECT);
+syntax error at - line 3, near "foreach m0
+ "
+-Identifier too long at -e line 3.
+Identifier too long at - line 3.
+ EXPECT
+ 
+ __END__
+-- 
+2.7.4
+
--- a/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
+++ b/perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
@ -0,0 +1,55 @@
+From d7186addd1b477f6bdcef5e9d24f2125691a9082 Mon Sep 17 00:00:00 2001
+From: Hugo van der Sanden <hv@crypt.org>
+Date: Sun, 19 Feb 2017 11:15:38 +0000
+Subject: [PATCH] [perl #130814] Add testcase, and new testfile
+ t/comp/parser_run.t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sometimes it's useful to have test.pl around, but it seems inappropriate
+to pollute the existing t/comp/parser.t with that.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ t/comp/parser_run.t | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+ create mode 100644 t/comp/parser_run.t
+
+diff --git a/t/comp/parser_run.t b/t/comp/parser_run.t
+new file mode 100644
+index 0000000..2543f49
+--- /dev/null
+++ b/t/comp/parser_run.t
+@@ -0,0 +1,28 @@
+#!./perl
+
+# Parser tests that want test.pl, eg to use runperl() for tests to show
+# reads through invalid pointers.
+# Note that this should still be runnable under miniperl.
+
+BEGIN {
+    @INC = qw(. ../lib );
+    chdir 't' if -d 't';
+}
+
+require './test.pl';
+plan(1);
+
+# [perl #130814] can reallocate lineptr while looking ahead for
+# "Missing $ on loop variable" diagnostic.
+my $result = runperl(
+    prog => " foreach m0\n\$" . ("0" x 0x2000),
+    stderr => 1,
+);
+is($result, <<EXPECT);
+syntax error at -e line 3, near "foreach m0
+"
+Identifier too long at -e line 3.
+EXPECT
+
+__END__
+# ex: set ts=8 sts=4 sw=4 et:
+-- 
+2.7.4
+
--- a/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
+++ b/perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
@ -0,0 +1,74 @@
+From f6203e997f3012b8aab4cd35fe49f58e4d71fb8c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Sun, 10 Jul 2016 22:06:12 -0600
+Subject: [PATCH] t/test.pl: Add fresh_perl() function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This will be useful for cases where the results don't readily fall into
+fresh_perl_is and fresh_perl_like, such as when a bunch of massaging of
+the results is needed before it is convenient to test them.
+fresh_perl_like() could be used, but in the case of failure there could
+be lines and lines of noise output.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ t/test.pl | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/t/test.pl b/t/test.pl
+index 41b77f4..20d08e9 100644
+--- a/t/test.pl
+++ b/t/test.pl
+@@ -953,11 +953,16 @@ sub register_tempfile {
+     return $count;
+ }
+ 
+-# This is the temporary file for _fresh_perl
+# This is the temporary file for fresh_perl
+ my $tmpfile = tempfile();
+ 
+-sub _fresh_perl {
+-    my($prog, $action, $expect, $runperl_args, $name) = @_;
+sub fresh_perl {
+    my($prog, $runperl_args) = @_;
+
+    # Run 'runperl' with the complete perl program contained in '$prog', and
+    # arguments in the hash referred to by '$runperl_args'.  The results are
+    # returned, with $? set to the exit code.  Unless overridden, stderr is
+    # redirected to stdout.
+ 
+     # Given the choice of the mis-parsable {}
+     # (we want an anon hash, but a borked lexer might think that it's a block)
+@@ -975,7 +980,8 @@ sub _fresh_perl {
+     close TEST or die "Cannot close $tmpfile: $!";
+ 
+     my $results = runperl(%$runperl_args);
+-    my $status = $?;
+    my $status = $?;    # Not necessary to save this, but it makes it clear to
+                        # future maintainers.
+ 
+     # Clean up the results into something a bit more predictable.
+     $results  =~ s/\n+$//;
+@@ -994,6 +1000,17 @@ sub _fresh_perl {
+         $results =~ s/\n\n/\n/g;
+     }
+ 
+    $? = $status;
+    return $results;
+}
+
+
+sub _fresh_perl {
+    my($prog, $action, $expect, $runperl_args, $name) = @_;
+
+    my $results = fresh_perl($prog, $runperl_args);
+    my $status = $?;
+
+     # Use the first line of the program as a name if none was given
+     unless( $name ) {
+         ($first_line, $name) = $prog =~ /^((.{1,50}).*)/;
+-- 
+2.7.4
+
--- a/perl.spec
+++ b/perl.spec
@ -313,6 +313,16 @@ Patch88:        perl-5.24.1-perl-129340-copy-the-source-when-inside-the-dest-in-
 # in upstream after 5.25.10
 Patch89:        perl-5.24.1-perl-130822-fix-an-AV-leak-in-Perl_reg_named_buff_fe.patch

+# Fix an invalid memory read when parsing a loop variable, RT#130814,
+# in upstream after 5.25.10
+Patch90:        perl-5.25.10-perl-130814-Add-testcase-and-new-testfile-t-comp-par.patch
+# in upstream after 5.25.10
+Patch91:        perl-5.24.1-perl-130814-update-pointer-into-PL_linestr-after-loo.patch
+# in upstream after 5.25.2
+Patch92:        perl-5.25.2-t-test.pl-Add-fresh_perl-function.patch
+# in upstream after 5.25.10
+Patch93:        perl-5.25.10-fix-VMS-test-fail.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@ -3028,6 +3038,10 @@ popd
 %patch87 -p1
 %patch88 -p1
 %patch89 -p1
+%patch90 -p1
+%patch91 -p1
+%patch92 -p1
+%patch93 -p1
 %patch200 -p1
 %patch201 -p1

@ -3102,6 +3116,7 @@ perl -x patchlevel.h \
    'Fedora Patch87: Fix a null-pointer dereference on malformed code (RT#130815)' \
    'Fedora Patch88: Fix an use-after-free in substr() that modifies a magic variable (RT#129340)' \
    'Fedora Patch89: Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)' \
+    'Fedora Patch90: Fix an invalid memory read when parsing a loop variable (RT#130814)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5382,6 +5397,7 @@ popd
 - Fix a null-pointer dereference on malformed code (RT#130815)
 - Fix an use-after-free in substr() that modifies a magic variable (RT#129340)
 - Fix a memory leak leak in Perl_reg_named_buff_fetch() (RT#130822)
+- Fix an invalid memory read when parsing a loop variable (RT#130814)

 * Fri Feb 17 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-389
 - Adapt Compress::Raw::Zlib to zlib-1.2.11 (bug #1420326)