From f526e67959f78d36dea5aeff190718529026cd36 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 15 Jan 2019 09:09:56 +0100
Subject: [PATCH] Prevent long jumps from clobbering local variables
---
...ent-set-longjmp-clobbering-locals-in.patch | 111 ++++++++++++++++++
perl.spec | 7 ++
2 files changed, 118 insertions(+)
create mode 100644 perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
diff --git a/perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch b/perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
new file mode 100644
index 0000000..2da159b
--- /dev/null
+++ b/perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
@@ -0,0 +1,111 @@
+From 35ad0133df9b65a4e32f2f07a2a05b387bd79591 Mon Sep 17 00:00:00 2001
+From: Tony Cook
+Date: Thu, 3 Jan 2019 10:48:05 +1100
+Subject: [PATCH] (perl #133575) prevent set/longjmp clobbering locals in
+ S_fold_constants
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+My original approach moved the whole switch into the new function,
+but that was a lot messier, and I don't think it's necessary.
+
+pad_swipe() can throw, but only for panics, and in DESTROY if
+refadjust is true, which isn't the case here.
+
+CLEAR_ERRSV() might throw if the code called by CALLRUNOPS()
+puts an object that dies in DESTROY in $@, but I think that
+might cause an infinite loop in the original code.
+
+Signed-off-by: Petr Písař
+---
+ op.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+diff --git a/op.c b/op.c
+index 146407ba70..0b46b348cb 100644
+--- a/op.c
++++ b/op.c
+@@ -5464,15 +5464,34 @@ S_op_integerize(pTHX_ OP *o)
+ return o;
+ }
+
++/* This function exists solely to provide a scope to limit
++ setjmp/longjmp() messing with auto variables.
++ */
+PERL_STATIC_INLINE int
+S_fold_constants_eval(pTHX) {
+int ret = 0;
+dJMPENV;
+
+JMPENV_PUSH(ret);
+
+if (ret == 0) {
+CALLRUNOPS(aTHX);
+}
+
+JMPENV_POP;
+
+return ret;
+}
+
+ static OP *
+ S_fold_constants(pTHX_ OP *const o)
+ {
+ dVAR;
+- OP * volatile curop;
++ OP *curop;
+ OP *newop;
+- volatile I32 type = o->op_type;
++ I32 type = o->op_type;
+ bool is_stringify;
+- SV * volatile sv = NULL;
++ SV *sv = NULL;
+ int ret = 0;
+ OP *old_next;
+ SV * const oldwarnhook = PL_warnhook;
+@@ -5480,7 +5499,6 @@ S_fold_constants(pTHX_ OP *const o)
+ COP not_compiling;
+ U8 oldwarn = PL_dowarn;
+ I32 old_cxix;
+- dJMPENV;
+
+ PERL_ARGS_ASSERT_FOLD_CONSTANTS;
+
+@@ -5582,15 +5600,15 @@ S_fold_constants(pTHX_ OP *const o)
+ assert(IN_PERL_RUNTIME);
+ PL_warnhook = PERL_WARNHOOK_FATAL;
+ PL_diehook = NULL;
+- JMPENV_PUSH(ret);
+
+ /* Effective $^W=1. */
+ if ( ! (PL_dowarn & G_WARN_ALL_MASK))
+ PL_dowarn |= G_WARN_ON;
+
++ ret = S_fold_constants_eval(aTHX);
++
+ switch (ret) {
+ case 0:
+- CALLRUNOPS(aTHX);
+ sv = *(PL_stack_sp--);
+ if (o->op_targ && sv == PAD_SV(o->op_targ)) { /* grab pad temp? */
+ pad_swipe(o->op_targ, FALSE);
+@@ -5608,7 +5626,6 @@ S_fold_constants(pTHX_ OP *const o)
+ o->op_next = old_next;
+ break;
+ default:
+- JMPENV_POP;
+ /* Don't expect 1 (setjmp failed) or 2 (something called my_exit) */
+ PL_warnhook = oldwarnhook;
+ PL_diehook = olddiehook;
+@@ -5616,7 +5633,6 @@ S_fold_constants(pTHX_ OP *const o)
+ * the stack - eg any nested evals */
+ Perl_croak(aTHX_ "panic: fold_constants JMPENV_PUSH returned %d", ret);
+ }
+- JMPENV_POP;
+ PL_dowarn = oldwarn;
+ PL_warnhook = oldwarnhook;
+ PL_diehook = olddiehook;
+--
+2.17.2
+
diff --git a/perl.spec b/perl.spec
index 7334b51..e930b8a 100644
--- a/perl.spec
+++ b/perl.spec
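Review bot: Once `ret = S_fold_constants_eval(aTHX);` has returned, the `case 0:` arm (and the die arm between the hunks) runs with no JMPENV of this function on the stack, so a croak from `pad_swipe()`, or from the CLEAR_ERRSV() the commit message mentions, now unwinds straight to the caller's handler while `PL_warnhook` is still `PERL_WARNHOOK_FATAL`, `PL_diehook` is still NULL and `PL_dowarn` still carries `G_WARN_ON`, because the restores at the end of the function only execute on the fall-through path. In the removed code the same croak landed back on `JMPENV_PUSH(ret)` and re-entered the switch with a non-zero `ret`, whose arms (`default:` visibly, presumably the die arm too) restored the hooks before leaving. The commit message argues those throws are panic-only, which is a reasonable trade, but the assumption is invisible at the call site, so I would record it as `/* No JMPENV of ours is active from here on: a croak in the arms below skips the hook/$^W restore at the end of this function. */` just above `switch (ret) {`. Separately, `PERL_STATIC_INLINE` on `S_fold_constants_eval` reads at odds with its header comment, since the locals of the caller are protected only while the setjmp stays in a frame of its own; a line noting that compilers decline to inline setjmp callers (or a noinline attribute, if the project defines one) would make that explicit. S_fold_constants continues past the last inner hunk, so the tail restore sequence is only partly visible here.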
@@ -239,6 +239,10 @@ Patch47: perl-5.29.6-perl-132158-abort-compilation-if-we-see-an-error-com
# in upstream after 5.29.6
Patch48: perl-5.29.6-regen-warnings.pl-Fix-undefined-C-behavior.patch
+# Prevent long jumps from clobbering local variables, RT#133575,
+# in upstream after 5.29.6
+Patch49: perl-5.29.6-perl-133575-prevent-set-longjmp-clobbering-locals-in.patch
+
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2841,6 +2845,7 @@ Perl extension for Version Objects
%patch46 -p1
%patch47 -p1
%patch48 -p1
+%patch49 -p1
%patch200 -p1
%patch201 -p1
@@ -2883,6 +2888,7 @@ perl -x patchlevel.h \
'Fedora Patch45: Fix first eof() return value (RT#133721)' \
'Fedora Patch47: Fix a crash when compiling a malformed form (RT#132158)' \
'Fedora Patch48: Fix un undefined C behavior in NULL pointer arithmetics (RT#133223)' \
+ 'Fedora Patch49: Prevent long jumps from clobbering local variables (RT#133575)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil}
@@ -5178,6 +5184,7 @@ popd
- Fix first eof() return value (RT#133721)
- Fix a crash when compiling a malformed form (RT#132158)
- Fix un undefined C behavior in NULL pointer arithmetics (RT#133223)
+- Prevent long jumps from clobbering local variables (RT#133575)
* Mon Jan 14 2019 Björn Esser - 4:5.28.1-429
- Rebuilt for libcrypt.so.2 (#1666033)